[Junos] ARP-trigger is missing in the next-ip feature for FBF (Filter-Based Forwarding) from day one

Article ID: KB31274   KB Last Updated: 29 Nov 2016   Version: 1.0
Summary:

When next-ip is configured as the filter action and the router has no ARP (Address Resolution Protocol) entry for the address given under next-ip, the matching traffic is not forwarded, because packets steered by the filter do not themselves trigger ARP resolution. A manual ping from the router to the next-ip address populates the ARP entry and makes forwarding work, but only until that entry ages out; the permanent fixes are described under Solution.

Symptoms:

Example topology (diagram not reproduced; addresses taken from the configuration below):

    R1 (15.16.1.1) --- ge-1/0/0 (15.16.1.2) R2 ge-1/0/1 (15.16.4.1) --- next-ip target 15.16.4.2

FBF has been applied in the input direction on interface ge-1/0/0 of router R2.

user@R2# show firewall 
filter fbf {
    term 1 {
        from {
            source-address {
                15.16.1.1/32;
            }
        }
        then {
            next-ip 15.16.4.2/32;
        }
    }
    term 2 {
        then accept;
    }
}

user@R2# show interfaces ge-1/0/0 
unit 0 {
    family inet {
        filter {
            input fbf;
        }
        address 15.16.1.2/30;
    }
}

Then start a ping from R1 to a destination that R1 routes via R2.
All packets fail with "Destination Net Unreachable":

user@R1# show routing-options static          
route 8.1.1.0/24 next-hop 15.16.1.2;     

user@R1# run ping 8.1.1.1 count 2 
PING 8.1.1.1 (8.1.1.1): 56 data bytes
36 bytes from 2.2.2.2: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 f084   0 0000  3f  01 7212 15.16.1.1  8.1.1.1 

36 bytes from 2.2.2.2: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 fa31   0 0000  3f  01 6865 15.16.1.1  8.1.1.1 

^C
--- 8.1.1.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss  

When these packets arrive at R2, they match term 1 and are steered to next-ip 15.16.4.2. R2 has no ARP entry for 15.16.4.2, and packets forwarded by the filter action cannot trigger the ARP request that a normally routed packet would, so they are dropped.
Solution:

This is expected behaviour: the next-ip action has never triggered ARP resolution for the next-ip address, and the feature has worked this way since it was introduced. The ARP entry must therefore be created by some other means.

Take one of the following actions to avoid this issue:
  1. Add a static host route for the "next-ip" address whose next-hop is the address itself. The route is resolvable because 15.16.4.2 lies in the directly connected subnet on ge-1/0/1, and resolving it makes the routing process ARP for the address and keep the entry populated, for example:

    user@R2# set routing-options static route 15.16.4.2/32 next-hop 15.16.4.2

  2. Add a static ARP entry for the "next-ip" address on the interface facing it. This pins the MAC address, so it must be updated if the neighbour's hardware changes, otherwise matching traffic is sent to a MAC address that no longer exists:

    user@R2# set interfaces ge-1/0/1.0 family inet address 15.16.4.1/30 arp 15.16.4.2 mac xx:xx:xx:xx:xx:xx

After committing either change, confirm the entry is present with "show arp no-resolve | match 15.16.4.2" (and "show route 15.16.4.2" for option 1) before re-testing from R1.
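The check above can be automated for a router with many FBF filters. The following is an added example, not part of the original article or of Junos: it scans "show firewall" output for every next-ip action, compares the targets with the addresses in "show arp no-resolve" output, and prints the option 1 static-route command for each target that has no ARP entry. Both outputs are constructed samples embedded in the script (the article's filter fbf, plus a hypothetical filter fbf2 whose target does have an entry); in practice they would be collected from the device with the same commands.

```python
"""Audit next-ip targets in Junos FBF filters against the ARP table."""
import re

# Constructed sample of "show firewall" output: the article's filter fbf, plus a
# hypothetical filter fbf2 whose next-ip target (15.16.1.1) does have an ARP entry.
SHOW_FIREWALL = """\
filter fbf {
    term 1 {
        from {
            source-address {
                15.16.1.1/32;
            }
        }
        then {
            next-ip 15.16.4.2/32;
        }
    }
    term 2 {
        then accept;
    }
}
filter fbf2 {
    term 1 {
        then {
            next-ip 15.16.1.1/32;
        }
    }
}
"""

# Constructed "show arp no-resolve" output (no-resolve keeps addresses numeric
# instead of replacing them with DNS names). 15.16.4.2 is deliberately absent,
# which is the state that causes the drops described in the article.
SHOW_ARP = """\
MAC Address       Address         Interface     Flags
00:00:5e:00:53:01 15.16.1.1       ge-1/0/0.0    none
Total entries: 1
"""

FILTER_RE = re.compile(r"^filter\s+(\S+)\s*\{")
TERM_RE = re.compile(r"^\s*term\s+(\S+)\s*\{")
NEXT_IP_RE = re.compile(r"^\s*next-ip\s+([^\s;]+);")
ARP_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+\.\d+\.\d+\.\d+)")


def next_ip_targets(show_firewall):
    """Return [(filter, term, address)] for every next-ip action in the output.

    The brace structure is walked line by line: a 'filter X {' line sets the
    current filter, a 'term Y {' line the current term, and a 'next-ip' line
    records the target with any prefix length (e.g. /32) stripped.
    """
    targets, cur_filter, cur_term = [], None, None
    for line in show_firewall.splitlines():
        if m := FILTER_RE.match(line):
            cur_filter = m.group(1)
        elif m := TERM_RE.match(line):
            cur_term = m.group(1)
        elif m := NEXT_IP_RE.match(line):
            targets.append((cur_filter, cur_term, m.group(1).split("/")[0]))
    return targets


def arp_addresses(show_arp):
    """Return the set of IPv4 addresses that currently have an ARP entry."""
    return {m.group(2) for line in show_arp.splitlines() if (m := ARP_RE.match(line))}


def unresolved_next_ips(show_firewall, show_arp):
    """next-ip targets with no ARP entry: traffic matching those terms is dropped."""
    known = arp_addresses(show_arp)
    return [t for t in next_ip_targets(show_firewall) if t[2] not in known]


def remediation(unresolved):
    """Option 1 from the article: a host route whose next-hop is the address
    itself, which makes the routing process resolve it and install the ARP entry."""
    return [f"set routing-options static route {ip}/32 next-hop {ip}"
            for _, _, ip in unresolved]


if __name__ == "__main__":
    missing = unresolved_next_ips(SHOW_FIREWALL, SHOW_ARP)
    for flt, term, ip in missing:
        print(f"filter {flt} term {term}: next-ip {ip} has no ARP entry")
    for cmd in remediation(missing):
        print(cmd)
```

The static-route form is generated rather than the static-ARP form because it needs no MAC address and keeps working if the neighbour's hardware is replaced; an ARP entry that appears only after a manual ping will age out again, so an absent entry should be treated as a configuration gap even if forwarding happens to work at the moment of the check.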
