
OSPF Export Policy assistance

  • 1.  OSPF Export Policy assistance

     
    Posted 08-22-2018 00:21

    Hello all,

     

    I'd like some help in understanding an OSPF Export Policy we have. I don't understand how and when they should be used. We use OSPF throughout our network with just a single area i.e. 0. Can someone explain what the following is actually doing please?

     

    policy-options {
        policy-statement to-ospf {
            term default {
                from {
                    protocol static;
                    route-filter 0.0.0.0/0 exact;
                }
                then {
                    external {
                        type 2;
                    }
                    accept;
                }
            }
        }
    }

     

    Is the policy actually being exported to a location? Should there be a corresponding import policy somewhere?

     

    Thank you!



  • 2.  RE: OSPF Export Policy assistance
    Best Answer

    Posted 08-22-2018 00:34

    Hi,

     

    If the export policy "to-ospf" is applied in OSPF, it will advertise the static route 0.0.0.0/0 as a type 2 external route to other OSPF peers. There is no need to apply an import policy on the other peers.

    It can be verified using the commands below:

     

    show route protocol ospf 0/0 exact

    show ospf database external

     



  • 3.  RE: OSPF Export Policy assistance

     
    Posted 08-22-2018 00:44

    @Nellikka

     

    "it will advertise the static route 0.0.0.0/0 as a type 2 external route to other ospf peers."

     

    What is a type 2 external route and how does it differ from a type 1, say for example?

     

    Essentially then, is a given router with the above policy saying to other routers that it can be used for access to the internet? Is it only saying this to its closest neighbour(s)?

     

    Thank you for your reply!

     

     



  • 4.  RE: OSPF Export Policy assistance

    Posted 08-22-2018 00:49


  • 5.  RE: OSPF Export Policy assistance

     
    Posted 08-22-2018 01:27

    Ok, thank you, that helps.

     

    I have a site (A) which does not have local access to the internet. The site is connected via a private link to another site (B) that also does not have local access to the internet. Site A currently has the following route: 0/0 [OSPF/150] to an IP address on the router at site B. Site (B) has a route to 0/0 via interface ge-0/0/0.0 and an I.P. belonging to a neighbouring router (site C) with internet access.

     

    How can I provide internet access to site A? Perhaps an OSPF policy is needed, but what exactly?



  • 6.  RE: OSPF Export Policy assistance

    Posted 08-22-2018 01:41

    Hi,

     

    Since Site A is learning the default route via OSPF, it should have internet access. There is no need for an additional OSPF policy. If Site A is using private IP addresses, Site C, which has internet access, should do source NAT for the Site A IP ranges. Who is doing NAT in your scenario? The Site C router or a firewall? I hope Site C has a public IP address.

     



  • 7.  RE: OSPF Export Policy assistance

     
    Posted 08-22-2018 01:48

    You are right. I can ping and traceroute directly from the SRX at site A, but I cannot ping or traceroute from a PC connected to the SRX - we use static IP config. only, which I've checked i.e. correct gateway, DNS etc. Can you think of any reason why the SRX might not be allowing traffic from connected devices?



  • 8.  RE: OSPF Export Policy assistance

    Posted 08-22-2018 01:58

    Hi,

    I hope you have configured source NAT and a security policy to allow internet access from the connected devices. If not, please configure NAT and a security policy. Please refer to page 5 of the 'Junos_NAT_Examples.pdf' file to configure source NAT using the interface IP.

    https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

     



  • 9.  RE: OSPF Export Policy assistance

     
    Posted 08-23-2018 14:25

    It was a missing firewall policy to allow the traffic, all sorted now, thank you for your help!
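
The fix reported in the last post, sketched as an added example that is not configuration from the thread or from any poster: a security policy on the site A SRX that lets the connected LAN out towards site B. The zone names `trust` and `wan`, the address-book entry `site-a-lan`, the policy name and the subnet 192.0.2.0/24 are all assumptions made for illustration; source NAT is assumed to be done at site C, as post 6 suggests.

```junos
security {
    address-book {
        global {
            /* Constructed example subnet standing in for the site A LAN */
            address site-a-lan 192.0.2.0/24;
        }
    }
    policies {
        /* Transit traffic from PCs needs an explicit zone-to-zone policy.
           Pings sourced from the SRX itself are host-outbound traffic and
           are not checked against it, which is why tests from the SRX
           worked while tests from a connected PC failed. */
        from-zone trust to-zone wan {
            policy site-a-lan-out {
                match {
                    /* Match only the known LAN prefix rather than "any",
                       so unexpected sources are still dropped by the
                       default deny. */
                    source-address site-a-lan;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    /* Record permitted sessions when they close */
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

After commit, `show security policies hit-count` shows whether the new policy is being matched, and `show security flow session source-prefix 192.0.2.0/24` lists the sessions created for the LAN hosts.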