SRX

Hello all,

I'd like some help in understanding an OSPF Export Policy we have. I don't understand how and when they should be used. We use OSPF throughout our network with just a single area i.e. 0. Can someone explain what the following is actually doing please?

policy-options {
    policy-statement to-ospf {
        term default {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then {
                external {
                    type 2;
                }
                accept;
            }
        }
    }
}

Is the policy actually being exported to a location? Should there be a corresponding import policy somewhere?

Thank you!

Hi,

If the export policy "to-ospf"  is applied in ospf, it will advertise the static route 0.0.0.0/0  as a type 2 external route to other ospf peers. There is no need to apply import policy in other peers.

It can be verified using below mentioned commands:

show route protocol ospf 0/0 exact

show ospf database external

---

@Nellikka

 

 "it will advertise the static route 0.0.0.0/0  as a type 2 external route to other ospf peers. "

What is a type 2 external route and how does it differ from a type 1, say for example?

Essentially then, is a given router with the above policy saying to other routers that it can be used for access to the internet? Is it only saying this to its closest neighbour(s)?

Thank you for your reply!

Hi,

Hope it will help : https://www.juniper.net/documentation/en_US/junos/topics/concept/ospf-routing-external-metrics-overview.html

Ok, thank you, that helps.

I have a site (A) which does not have local access to the internet. The site is connected via a private link to another site (B) that also does not have local access to the internet. Site A currently has the following route: 0/0 [OSPF/150] to an IP address on the router at site B. Site (B) has a route to 0/0 via interface ge-0/0/0.0 and an I.P. belonging to a neighbouring router (site C) with internet access.

How can I provide internet access to site A? Perhaps an OSPF policy is needed, but what exactly?

Hi,

Since the Site A is learning the default route via OSPF, it should have internet access.  There is no need of additional ospf policy. If Site A is using private ip, Site C which is having internet access should do source NAT for the Site A IP ranges.  Who is doing NAT in your scenario? Site C router or firewall? I hope Site C is having Public Ip address.

You are right. I can ping and traceroute directly from the SRX at site A, but I cannot ping or traceroute from a PC connected to the SRX - we use static IP config. only, which I've checked i.e. correct gateway, DNS etc. Can you think of any reason why the SRX migth not be allowing traffic from connected devices?

Hi,

I hope you have configured source nat and security policy to allow internet from the connected devices. If not, please configure nat and security policy.  Please refer the page number 5 of 'Junos_NAT_Examples.pdf' file to configure source nat using interface IP.

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

It was a missing firewall policy to allow the traffic, all sorted now, thank you for your help!