Hello,
Thank you for your reply, and Happy New Year!
To answer your questions as best I can.
I have checked the firewall policies and even attempted an allow-all scenario to make sure that it was not the cause. The issue is weird as it only seems to affect the DHCP client and not the network infrastructure, as the branch Aruba can ping the firewall and 8.8.8.8 etc. when sourcing the VLAN IPs from 510 or 520 I assigned.
Since the site is remote and the time of year is wonderful for tech issues and getting access to devices... I am troubleshooting with the Aruba onsite, the Juniper, and the DCs' infrastructure, but all of the tests indicate there's no issue, as the firewall is not blocking any attempts to ping it or through it to 8.8.8.8 from any of the network devices themselves...
Suffice it to say it's a different issue when sitting in front of a client laptop on the assigned DHCP address, with no internet access.
I will be onsite at the branch on Monday to do further troubleshooting steps.
My plan is to amend the policy statements to include a term to block the export of the /32 as you mentioned; I am just working on the syntax.
Current policy statement exports look something like this, currently blocking the direct CE IPs from exporting to the provider.
All the routes have been checked end to end from the branch Aruba, branch Juniper, DC1 and 2, as well as the firewall; all the routing seems to be OK, with the exception of the /32 advertisements on the BGP.
From the firewall it is a static /27 and /28 route pointing to the DC Aruba, then to the Juniper's VRRP address, also using static subnet CIDR.
From the Junipers in the DCs the routes are received on internal core import policies, and exported between themselves with route prefs dictating which is primary.
The branch has dual links with the same ISP on MPLS, using BGP with local prefs on our side and metric on the ISP side to dictate which link is active at the time; this then matches the DC setup where the received route comes into the DC.
The branch is only exporting the internal IPs and now the 2 new segregated subnets, and importing only the default route from the providers.
As mentioned, the DCs both receive the /27 and /28 routes from BGP, and internally between each other, and decide priority based on Met and Pref, but the issue is that both DCs are seeing the DHCP clients' /32 IPs in the received routes and, because of the *, seem to be accepting them on both DCs.
So I will work on the /32 issue as a first step and take it from there.
Regards
Brad
Original Message:
Sent: 12-31-2024 10:14
From: Flashover_
Subject: Branch Juniper advertising DHCP client /32 [Access-internal] into BGP
Hi Brad,
You wrote:
- The firewall can ping the Juniper, as well as the Aruba behind it and also the dhcp client.
- But the client cannot see further than the Aruba and Juniper and DC2.
Can you share a bit more information regarding that? For the first part to work, both parties (firewall + DHCP client) should have the necessary routes. Can you confirm if they are there, or that possibly the firewall (due to security policies) is blocking traffic? It might be that the routing part is OK but the security part is blocking things. Otherwise I'd find it weird if the firewall can ping the client, but the client cannot ping the firewall?
You should look at "show route" on all devices and in configuration at "show configuration security" for zones + policies (between the zones) to start the investigation for it.
My questions:
- are DC-1 and DC-2 actual boxes or just placeholders in the drawing to depict a location?
- I guess "Branch Juniper" is an SRX firewall cluster as it has a "reth0" interface
- what are the routes on the other devices?:
- firewall
- DC-1
- DC-2
- do they have the 10.0.22.x prefixes? just a default route? an aggregate route from each location..?
- This is the BGP advertising protocol for the 1 neighbor
- The /27 and /28 are accepted in DC2, but not DC1 due to local-preference settings, but we see that the /32s have a * next to the route in both DCs
Do all 3 locations have a direct BGP session with each other? Or can they be created?
- I understand that I need to somehow block the export of the DHCP clients' /32s so the direct subnet remains in BGP, but I am not sure how.
It would be cleaner indeed to only advertise the 10.0.22.0/27 and 10.0.22.64/28 without all the more specifics from "access-internal". But if you advertise all those routes from your list then things should also be able to work, it's just a bit harder to read but reachability should remain the same.
Can you share a part of the configuration of "protocols bgp" and the export policy that was created? Please redact sensitive information (public IP etc..).
You might have a policy there that looks like this:
set policy-options policy-statement ADVERTISE term ALL from family inet
set policy-options policy-statement ADVERTISE term ALL then accept
Maybe it has to be changed to something like this:
set policy-options policy-statement ADVERTISE term BLOCK_ACCESS_INTERNAL from protocol access-internal
set policy-options policy-statement ADVERTISE term BLOCK_ACCESS_INTERNAL then reject
set policy-options policy-statement ADVERTISE term ALL from family inet
set policy-options policy-statement ADVERTISE term ALL then accept
Please be careful making changes to the production network if you have limited (or no?) prior experience with Juniper equipment :) It could be better to get help from a local professional!! I don't want to create any outages :)
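As an added example (not part of the thread, and not Juniper's or anyone's production code), here is a small Python check that parses the two CLI excerpts from the original post, the "show route" table and the BGP advertising-protocol output, and flags advertised Access-internal /32s that are more-specifics of a directly connected subnet. Those are exactly the routes the BLOCK_ACCESS_INTERNAL reject term above would keep out of BGP; the line formats are assumed to match the excerpts as pasted.

```python
import ipaddress
import re

# Constructed sample input, copied from the "show route" excerpt in the thread (trimmed).
SHOW_ROUTE = """\
10.0.22.0/27 *[Direct/0] 1w1d 09:03:55
> via reth0.520
10.0.22.3/32 *[Access-internal/12] 20:40:22
> to 10.0.22.1 via reth0.520
10.0.22.64/28 *[Direct/0] 1w1d 09:03:55
> via reth0.510
10.0.22.67/32 *[Access-internal/12] 1w1d 05:19:15
> to 10.0.22.65 via reth0.510
"""
# Constructed sample of the "advertising-protocol bgp" output from the thread (trimmed).
ADVERTISED = """\
* 10.0.22.0/27 Self 2000 I
* 10.0.22.3/32 Self 2000 I
* 10.0.22.64/28 Self 2000 I
* 10.0.22.67/32 Self 2000 I
"""

ROUTE_RE = re.compile(r"^(\S+/\d+)\s+\*\[([\w-]+)/\d+\]")  # prefix and installing protocol
ADV_RE = re.compile(r"^\*\s+(\S+/\d+)\s")                  # prefix sent to the neighbor

def parse_routes(text):
    """Map each prefix in the routing table to the protocol that installed it."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[ipaddress.ip_network(m.group(1))] = m.group(2)
    return routes

def parse_advertised(text):
    """List the prefixes the branch router is advertising to the BGP neighbor."""
    return [ipaddress.ip_network(m.group(1))
            for m in map(ADV_RE.match, text.splitlines()) if m]

def leaked_host_routes(routes, advertised):
    """Return (host_route, connected_parent) pairs for advertised Access-internal routes
    that sit inside a Direct subnet, i.e. the DHCP-client /32s the reject term would stop."""
    connected = [p for p, proto in routes.items() if proto == "Direct"]
    leaks = []
    for prefix in advertised:
        if routes.get(prefix) == "Access-internal":
            parent = next((c for c in connected if prefix.subnet_of(c)), None)
            if parent is not None:
                leaks.append((str(prefix), str(parent)))
    return leaks
```

Running leaked_host_routes on the two excerpts reports only the /32s; the /27 and /28 themselves are left alone, which is the state you want to see after the export policy change.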
Original Message:
Sent: 12-31-2024 03:34
From: Anonymous
Subject: Branch Juniper advertising DHCP client /32 [Access-internal] into BGP
This message was posted by a user wishing to remain anonymous
Hello,
I am new to the community and to Juniper itself. I have been trying to figure out how to resolve an issue we are having in one of our branches.
We have set up 2 new VLANs to provide DHCP for external vendor devices onsite to keep them separate from our normal network. The clients do get an IP, however they cannot get internet access, due to some routing issues we are seeing. The firewall can ping the Juniper, as well as the Aruba behind it and also the DHCP client. But the client cannot see further than the Aruba and Juniper and DC2.
The MPLS has a termination point in both DCs.
Both VLANs have different ranges on a /27 and /28.
Both ranges are being advertised into our MPLS via BGP, however we also see that the /32s of the clients are being advertised as well, so the DC Junipers are receiving both the /27 and /28 for the branch VLANs as well as the /32s.
This is an excerpt from the branch routing table:
10.0.22.0/27 *[Direct/0] 1w1d 09:03:55
> via reth0.520
10.0.22.1/32 *[Local/0] 1w1d 09:03:55
Local via reth0.520
10.0.22.3/32 *[Access-internal/12] 20:40:22
> to 10.0.22.1 via reth0.520
10.0.22.4/32 *[Access-internal/12] 20:24:30
> to 10.0.22.1 via reth0.520
10.0.22.64/28 *[Direct/0] 1w1d 09:03:55
> via reth0.510
10.0.22.65/32 *[Local/0] 1w1d 09:03:55
Local via reth0.510
10.0.22.67/32 *[Access-internal/12] 1w1d 05:19:15
> to 10.0.22.65 via reth0.510
10.0.22.68/32 *[Access-internal/12] 1w1d 00:46:09
> to 10.0.22.65 via reth0.510
10.0.22.69/32 *[Access-internal/12] 20:18:49
This is the BGP advertising protocol for the 1 neighbor
* 10.0.22.0/27 Self 2000 I
* 10.0.22.3/32 Self 2000 I
* 10.0.22.4/32 Self 2000 I
* 10.0.22.64/28 Self 2000 I
* 10.0.22.67/32 Self 2000 I
* 10.0.22.68/32 Self 2000 I
* 10.0.22.69/32 Self 2000 I
The /27 and /28 are accepted in DC2, but not DC1 due to local-preference settings, but we see that the /32s have a * next to the route in both DCs.
I understand that I need to somehow block the export of the DHCP clients' /32s so the direct subnet remains in BGP, but I am not sure how.
As I am still new to this system and do not have access to a senior with more experience, I am reaching out to ask the community. I have also tried the GPTs, but don't seem to be getting any feasible solution or troubleshooting. Maybe I am asking the wrong way...
Brad