JUNOS Routing Policy

在 JUNOS 中稱之為 Routing Policy 或 Filter-Based Forwarding,不過一般我們比較常叫它 Policy Based Route。

Example

以下例子是將 port 80 的 traffic 從原本的 routing 中另外轉送到指定的路由器。以 port 80 為例,ISP 通常拿來做 TCS(Transparent Cache Switching):由於 Cache Server 現在都可以帶著原本的 Real Client IP 繼續往外送,回程封包會再次經過 Cache Server,就可以達到 Cache 的效果,且使用者完全不會察覺。如果是用於 port 25,則可以用來處理類似 Transparent SPAM 的需求。

/*
 * Global routing tables, plus the rib-groups that copy interface (directly
 * connected) routes into the tables of the forwarding instances.
 */
routing-options {
    /* Export interface routes through the rib-groups defined below, one per address family. */
    interface-routes {
        rib-group {
            inet fbf-group;
            inet6 fbf-group-inet6;
        }
    }
    /* Normal IPv4 table: default route and the route towards 10.38.0.0/16 (the range the filters treat as clients). */
    rib inet.0 {
        static {
            route 0.0.0.0/0 next-hop 10.255.31.254;
            route 10.38.0.0/16 next-hop 10.255.255.1;
        }
    }
    /* Normal IPv6 table, mirroring the IPv4 one. */
    rib inet6.0 {
        static {
            route ::/0 next-hop 2001:b030:ffff:31::254;
            /* NOTE(review): this prefix is /60 with bits set beyond the prefix length (fourth group is 0x38), while the firewall filters and forwarding instances use 2001:b030:ffff:38::/64 - confirm the intended length. */
            route 2001:b030:ffff:38::/60 next-hop 2001:b030:ffff:255::1;
        }
    }
    /*
     * Each group lists the main table first (the first import-rib entry is the
     * primary table in Junos), followed by the tables of the forwarding
     * instances declared under routing-instances. Presumably this is what lets
     * the static next-hops inside those instances resolve over connected routes.
     */
    rib-groups {
        fbf-group {
            import-rib [ inet.0 outgo_to_SLB_inet.inet.0 income_to_SLB_inet.inet.0 ];
        }
        fbf-group-inet6 {
            import-rib [ inet6.0 income_to_SLB_inet6.inet6.0 outgo_to_SLB_inet6.inet6.0 ];
        }
    }
}
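/*
 * Steering filters for filter-based forwarding. Each filter has one term that
 * hands matching HTTP traffic to a forwarding routing-instance and a final
 * term that accepts everything else, so these filters perform no access
 * control: anything not steered is forwarded by the normal tables.
 *
 * Changes from the original listing:
 *   - income_inet6 term income_src_80 had no "then", so it accepted the packet
 *     without steering it; it now points at income_to_SLB_inet6, matching the
 *     IPv4 filter.
 *   - every steering term also matches TCP. A port match without a protocol
 *     match is not limited to TCP, so non-HTTP traffic could be diverted.
 */
firewall {
    family inet {
        /* Client-to-server direction: IPv4 clients in 10.38.0.0/16 talking to TCP port 80. */
        filter outgo_inet {
            term outgo_dst_80 {
                from {
                    source-address {
                        10.38.0.0/16;
                    }
                    protocol tcp;
                    destination-port 80;
                }
                then {
                    routing-instance outgo_to_SLB_inet;
                }
            }
            term default {
                then accept;
            }
        }
        /* Server-to-client direction: replies from TCP port 80 towards 10.38.0.0/16. */
        filter income_inet {
            term income_src_80 {
                from {
                    destination-address {
                        10.38.0.0/16;
                    }
                    protocol tcp;
                    source-port 80;
                }
                then {
                    routing-instance income_to_SLB_inet;
                }
            }
            term default {
                then accept;
            }
        }
    }
    family inet6 {
        /*
         * IPv6 counterpart of outgo_inet.
         * NOTE(review): next-header looks at the first Next Header field, so
         * packets with extension headers in front of TCP are expected to fall
         * through to the default term and bypass the cache - confirm this is
         * acceptable on the target platform.
         * NOTE(review): only 2001:b030:ffff:38::/64 is matched here, while the
         * static route in routing-options uses /60 - confirm the client range.
         */
        filter outgo_inet6 {
            term outgo_dst_80 {
                from {
                    source-address {
                        2001:b030:ffff:38::/64;
                    }
                    next-header tcp;
                    destination-port 80;
                }
                then {
                    routing-instance outgo_to_SLB_inet6;
                }
            }
            term default {
                then accept;
            }
        }
        /* IPv6 counterpart of income_inet. */
        filter income_inet6 {
            term income_src_80 {
                from {
                    destination-address {
                        2001:b030:ffff:38::/64;
                    }
                    next-header tcp;
                    source-port 80;
                }
                /* Added: without an action the term only accepted the packet and the return path skipped the cache. */
                then {
                    routing-instance income_to_SLB_inet6;
                }
            }
            term default {
                then accept;
            }
        }
    }
}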
/*
 * Forwarding-type instances that the firewall filters hand traffic to. Each
 * one holds a single static route whose next-hop is presumably the cache / SLB
 * device (the instance names suggest this; the listing does not state it).
 * NOTE(review): no fallback route is defined in any instance - confirm what
 * happens to steered traffic when the next-hop is unreachable.
 */
routing-instances {
    /* Return traffic towards the IPv4 client range. */
    income_to_SLB_inet {
        instance-type forwarding;
        routing-options {
            static {
                route 10.38.0.0/16 next-hop 10.255.254.101;
            }
        }
    }
    /* Return traffic towards the IPv6 client range; the IPv6 static route is placed in the instance's inet6.0 table explicitly. */
    income_to_SLB_inet6 {
        instance-type forwarding;
        routing-options {
            rib income_to_SLB_inet6.inet6.0 {
                static {
                    route 2001:b030:ffff:38::/64 next-hop 2001:b030:ffff:f4::101;
                }
            }
        }
    }
    /* Outbound IPv4 traffic: a default route replaces the normal default from inet.0. */
    outgo_to_SLB_inet {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.255.253.101;
            }
        }
    }
    /* Outbound IPv6 traffic, mirroring outgo_to_SLB_inet. */
    outgo_to_SLB_inet6 {
        instance-type forwarding;
        routing-options {
            rib outgo_to_SLB_inet6.inet6.0 {
                static {
                    route ::/0 next-hop 2001:b030:ffff:f3::101;
                }
            }
        }
    }
}
/*
 * Attach the steering filters as input filters, so the forwarding decision is
 * overridden as packets arrive on each VLAN interface.
 */
interfaces {
    vlan {
        /* Return-direction filters; presumably the upstream-facing VLAN (the default routes point into 10.255.31.0 and ...:31::) - confirm. */
        unit 31 {
            family inet {
                filter {
                    input income_inet;
                }
            }
            family inet6 {
                filter {
                    input income_inet6;
                }
            }
        }
        /* Outbound-direction filters; presumably the client-facing VLAN (the client routes point into 10.255.255.0 and ...:255::) - confirm. */
        unit 3255 {
            family inet {
                filter {
                    input outgo_inet;
                }
            }
            family inet6 {
                filter {
                    input outgo_inet6;
                }
            }
        }
    }
}