Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Branch Juniper advertising DHCP client /32 [Access-internal] into BGP

    This message was posted by a user wishing to remain anonymous
    Posted 25 days ago

    Hello,

    I am new to the community and to Juniper itself. I have been trying to figure out how to resolve an issue we are having in one of our branches.

    We have set up 2 new VLANs to provide DHCP for external vendor devices onsite to keep them separate from our normal network. The clients do get an IP, however they cannot get internet access, due to some routing issues we are seeing. The firewall can ping the Juniper, as well as the Aruba behind it and also the DHCP client. But the client cannot see further than the Aruba and Juniper and DC2.

    The MPLS has a termination point in both DC's



    Both VLANs have different ranges on a /27 and /28.

    Both ranges are being advertised into our MPLS via BGP, however we also see that the /32s of the clients are being advertised as well, so the DC Junipers are receiving both the /27 and /28 for the branch VLANs as well as the /32s.

    This is an excerpt from the branch routing table: 
    10.0.22.0/27       *[Direct/0] 1w1d 09:03:55
                        >  via reth0.520
    10.0.22.1/32       *[Local/0] 1w1d 09:03:55
                           Local via reth0.520
    10.0.22.3/32       *[Access-internal/12] 20:40:22
                        >  to 10.0.22.1 via reth0.520
    10.0.22.4/32       *[Access-internal/12] 20:24:30
                        >  to 10.0.22.1 via reth0.520
    10.0.22.64/28      *[Direct/0] 1w1d 09:03:55
                        >  via reth0.510
    10.0.22.65/32      *[Local/0] 1w1d 09:03:55
                           Local via reth0.510
    10.0.22.67/32      *[Access-internal/12] 1w1d 05:19:15
                        >  to 10.0.22.65 via reth0.510
    10.0.22.68/32      *[Access-internal/12] 1w1d 00:46:09
                        >  to 10.0.22.65 via reth0.510
    10.0.22.69/32      *[Access-internal/12] 20:18:49

    This is the BGP advertising-protocol output for the one neighbor:

    * 10.0.22.0/27            Self                 2000               I
    * 10.0.22.3/32            Self                 2000               I
    * 10.0.22.4/32            Self                 2000               I
    * 10.0.22.64/28           Self                 2000               I
    * 10.0.22.67/32           Self                 2000               I
    * 10.0.22.68/32           Self                 2000               I
    * 10.0.22.69/32           Self                 2000               I

    The /27 and /28 are accepted in DC2, but not DC1 due to local-preference settings, but we see that the /32s have a * next to the route in both DCs.

    I understand that I need to somehow block the export of the DHCP clients' /32s so only the direct subnet remains in BGP, but I am not sure how.

    As I am still new to this system and do not have access to a senior with more experience I am reaching out to ask the community. I have also tried the GPTs, but don't seem to be getting any feasible solution or troubleshooting. Maybe I am asking the wrong way...


    Brad



  • 2.  RE: Branch Juniper advertising DHCP client /32 [Access-internal] into BGP

    Posted 25 days ago

    Hi Brad,

    You wrote:

    1. The firewall can ping the Juniper, as well as the Aruba behind it and also the DHCP client.
    2. But the client cannot see further than the Aruba and Juniper and DC2.

    Can you share a bit more information regarding that? For the first part to work, both parties (firewall + DHCP client) should have the necessary routes. Can you confirm that they are there, or that possibly the firewall (due to security policies) is blocking traffic? It might be that the routing part is OK but the security part is blocking things. Otherwise I'd find it weird if the firewall can ping the client, but the client cannot ping the firewall?

    You should look at "show route" on all devices and in configuration at "show configuration security" for zones + policies (between the zones) to start the investigation for it.

    My questions:

    • are DC-1 and DC-2 actual boxes or just placeholders in the drawing to depict a location?
      • I guess "Branch Juniper" is an SRX firewall cluster as it has a "reth0" interface
    • what are the routes on the other devices?:
      • firewall
      • DC-1
      • DC-2
      • do they have the 10.0.22.x prefixes? just a default route? an aggregate route from each location..?

    • This is the BGP advertising protocol for the 1 neighbor
    • The /27 and /28 are accepted in DC2, but not DC 1 due to local-Preference settings, but we see that the /32 have a * next to the route in Both dc's

    Do all 3 locations have a direct BGP session with each other? Or can they be created?

    • I understand that I need to somehow block the export of the dhcp clients /32 so the direct subnet remains in bgp, but I am not sure how.

      It would be cleaner indeed to only advertise the 10.0.22.0/27 and 10.0.22.64/28 without all the more specifics from "access-internal". But if you advertise all those routes from your list then things should also be able to work, it's just a bit harder to read but reachability should remain the same.

      Can you share a part of the configuration of "protocols bgp" and the export policy that was created? Please redact sensitive information (public IP etc..).

      You might have a policy there that looks like this:

      set policy-options policy-statement ADVERTISE term ALL from family inet
      set policy-options policy-statement ADVERTISE term ALL then accept

      Maybe it has to be changed to something like this:

      set policy-options policy-statement ADVERTISE term BLOCK_ACCESS_INTERNAL from protocol access-internal
      set policy-options policy-statement ADVERTISE term BLOCK_ACCESS_INTERNAL then reject
      set policy-options policy-statement ADVERTISE term ALL from family inet
      set policy-options policy-statement ADVERTISE term ALL then accept

      Please be careful making changes to the production network if you have limited (or no?) prior experience with Juniper equipment :) It could be better to get help from a local professional!! I don't want to create any outages :)




    • 3.  RE: Branch Juniper advertising DHCP client /32 [Access-internal] into BGP

      Posted 23 days ago
      Edited by Brad M 19 days ago

      Hello, 

      Thank you for your reply, and Happy New Year!

      To answer your questions as best as I can.

      I have checked the firewall policies and even attempted an allow-all scenario to make sure that it was not the cause. The issue is weird as it only seems to affect the DHCP client and not the network infrastructure, as the branch Aruba can ping the firewall and 8.8.8.8 etc. when sourcing the VLAN IPs from 510 or 520 I assigned.

      Since the site is remote and the time of year is wonderful for tech issues and getting access to devices... I am troubleshooting with the Aruba onsite, the Juniper, and the DC's infrastructure, but all of the tests indicate there's no issue, as the firewall is not blocking any attempts to ping it or through it to 8.8.8.8 from any of the network devices themselves...

      Suffice it to say it's a different issue when sitting in front of a client laptop on the assigned DHCP address, with no internet access.

      I will be onsite at the branch on Monday to do further troubleshooting steps.

      My plan is to amend the policy statements to include a term to block the export of the /32 as you mentioned, I am just working on the syntax.

      Current policy-statement exports look something like this, currently blocking the direct CE IPs from exporting to the provider.


      All the routes have been checked end to end from the Branch Aruba, branch Juniper, DC1 and 2, as well as firewall, all the routing seems to be ok, with the exception of the /32 advertisements on the bgp.

      From the firewall it is a static /27 and /28 route pointing to the DC Aruba, then to the Juniper's VRRP address, also using static subnet CIDR.
      From the Junipers in the DCs the routes are received on internal core import policies, and exported between themselves with route preferences dictating which is primary.
      The branch has dual links with the same ISP on MPLS and uses BGP with local prefs on our side and metric on the ISP side to dictate which link is active at the time; this then matches the DC setup where the received route comes into the DC.

      The branch is only exporting the internal IPs and now the 2 new segregated subnets, and importing only default route from providers.

      As mentioned, the DCs both receive the /27 and /28 routes from BGP, and internally between each other, and decide priority based on metric and preference, BUT the issue is that both DCs are seeing the DHCP clients' /32 IPs in the received routes and, because of the *, seem to be accepting them on both DCs.

      So I will work on the /32 issue as a first step and take it from there.

      Regards

      Brad





    • 4.  RE: Branch Juniper advertising DHCP client /32 [Access-internal] into BGP

      Posted 19 days ago
      Edited by Brad M 19 days ago

      Hello,

      I made use of your suggestion on the policy options: I added the BLOCK_ACCESS_INTERNAL term to the export statements and it stopped the /32s advertising successfully.

      I did not need to add the advertise-all term as it's already advertising the locally connected DHCP subnets correctly.

      I am just busy with the local support guy who is now back to test the access through the firewall etc.

      Many thanks for the suggestion, I'll post feedback once resolved.


      Brad



    • 5.  RE: Branch Juniper advertising DHCP client /32 [Access-internal] into BGP

      Posted 24 days ago
      Edited by jsullivan 24 days ago

      One thing to add, assuming you don't need those /32 routes at all in your routing table, you can suppress them with the below command.

      set system services dhcp-local-server route-suppression destination

      This will cleanup the routing table and make it easier to troubleshoot any future routing issues so that the table isn't clogged with /32 host routes.

      https://www.juniper.net/documentation/us/en/software/junos/dhcp/topics/topic-map/dhcp-access-supressing.html




    • 6.  RE: Branch Juniper advertising DHCP client /32 [Access-internal] into BGP

      Posted 23 days ago
      Edited by Brad M 19 days ago

      Hello and Happy New year, 

      Thanks for your suggestion I will also try and see if this can be done without breaking any prod stuff on the main networks.


      Brad



    • 7.  RE: Branch Juniper advertising DHCP client /32 [Access-internal] into BGP

      Posted 18 days ago
      Edited by Brad M 18 days ago

      Thanks for the assist, guys. The suggestion from Flashover worked.

      set policy-options policy-statement ADVERTISE term BLOCK_ACCESS_INTERNAL from protocol access-internal
      set policy-options policy-statement ADVERTISE term BLOCK_ACCESS_INTERNAL then reject



      Brad
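A fuller version of the fix discussed in replies 2 and 7 follows, as an added example; it is not configuration from the thread or from Brad's network. It keeps the BLOCK_ACCESS_INTERNAL term that solved the problem, but adds an explicit allowlist of the two vendor subnets as the only accepted direct routes and an explicit final reject, so nothing reaches the provider unless it is named. The neighbor address 192.0.2.1, the group name ISP-MPLS and the prefix-list name are assumptions; lines starting with `#` are commentary, not configuration. The reason the /32s matter is longest-prefix match: a per-host /32 is more specific than the /27, so once the provider carries it, forwarding to that host follows the /32 regardless of any local-preference you set on the aggregate, which is consistent with the /32s showing as active (*) in both DCs while the /27 was only active in DC2.

```junos
# --- Added example, not the original poster's configuration ---

# Allowlist of the vendor DHCP subnets (only these direct routes may be exported).
set policy-options prefix-list DHCP-VENDOR-SUBNETS 10.0.22.0/27
set policy-options prefix-list DHCP-VENDOR-SUBNETS 10.0.22.64/28

# Term 1: drop the per-client /32 host routes installed by the DHCP server
# (protocol Access-internal in 'show route') before anything else can match.
set policy-options policy-statement ADVERTISE term BLOCK_ACCESS_INTERNAL from protocol access-internal
set policy-options policy-statement ADVERTISE term BLOCK_ACCESS_INTERNAL then reject

# Term 2: export the two subnets, and only as exact-length direct routes
# ('exact' stops a future /32 or other more-specific from slipping through).
set policy-options policy-statement ADVERTISE term VENDOR_SUBNETS from protocol direct
set policy-options policy-statement ADVERTISE term VENDOR_SUBNETS from prefix-list-filter DHCP-VENDOR-SUBNETS exact
set policy-options policy-statement ADVERTISE term VENDOR_SUBNETS then accept

# Explicit default: anything not accepted above is not advertised.
set policy-options policy-statement ADVERTISE then reject

# Apply as the export policy on the provider session (assumed group/neighbor).
set protocols bgp group ISP-MPLS neighbor 192.0.2.1 export ADVERTISE

# Commit with a rollback timer on a remote box; confirm once verified.
commit confirmed 5

# --- Verification (operational mode) ---
# Policy evaluation for one of the host routes from the original post; the
# output should show the route rejected by term BLOCK_ACCESS_INTERNAL.
test policy ADVERTISE 10.0.22.3/32
# The subnets must still pass.
test policy ADVERTISE 10.0.22.0/27
test policy ADVERTISE 10.0.22.64/28
# What is actually being sent to the provider: expect only the /27 and /28.
show route advertising-protocol bgp 192.0.2.1
# The host routes remain locally (they are still needed for forwarding on the SRX).
show route protocol access-internal
```

Merge this with the existing export policy rather than overwriting it: the thread says the live policy already exports the internal ranges and blocks the CE interface addresses, and those terms need to stay. Note that `route-suppression` (reply 5) controls which routes the DHCP server installs in the routing table, not what BGP advertises, so the export policy is still the right control for the advertisement problem even if suppression is added later.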