Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Sending default route to IBGP neighbors

    Posted 06-18-2016 21:08

    I have a configuration that is set up as such: a main router in the datacenter that has connectivity to the AT&T MPLS network and another connection to an ISP. I have several other sites in the MPLS network that need to access the public internet via the ISP that is connected to the datacenter. All sites have this common setup: IBGP AS65001 between the SRX and the CPE Cisco router, EBGP AS7016 between the CPE and PE routers. My question is, how do I advertise the routes from the datacenter such that the default route 0/0 is brought to the datacenter and then routed accordingly?


    #MPLS
    #routing
    #BGP


  • 2.  RE: Sending default route to IBGP neighbors

    Posted 06-19-2016 06:28

    I'm not sure I completely follow the routing topology.

     

    Does the SRX iBGP peer to all the remote sites have the default route to the ISP in its route table?

     

    If so, you could likely just add a route export term to send this default route down to the iBGP peers.  Just insert this term into your existing route export policy.

     

    set policy-options policy-statement YOUR-EXPORT-POLICY term default-export from route-filter 0.0.0.0/0 exact then accept



  • 3.  RE: Sending default route to IBGP neighbors

    Posted 06-19-2016 08:29

    The neighbor relationship is only set up with the CPE at the site; although the SRXs are in the same AS, they are not set up as neighbors. The SRX in the datacenter has the default route to the ISP, but the site SRX has a default route to the MPLS CPE router.



  • 4.  RE: Sending default route to IBGP neighbors

    Posted 06-20-2016 03:35

    So if I understand correctly, the remote site SRX will already send all traffic via a default route to the datacenter MPLS router.  Right?  Or does this remote site default go somewhere else?

     

    What routes does this device have for forwarding this traffic?  Is there a default to send this somewhere and where?

     

    I assume there is no neighbor relationship between the datacenter SRX with the ISP default and the datacenter MPLS router?



  • 5.  RE: Sending default route to IBGP neighbors

    Posted 06-20-2016 14:45

    So here is a map of the basic layout.

    The site SRX has the following static route: 0.0.0.0/0 next-hop 172.16.0.110, which is the AT&T MPLS router.

     

    Site test config

    system {
        host-name TX03-FW-1;
        auto-snapshot;
        time-zone CST6CDT;
        root-authentication {
        }
        name-server {
            66.180.96.11;
            64.238.96.11;
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh {
                root-login allow;
                protocol-version v2;
                max-sessions-per-connection 32;
            }
            netconf {
                ssh;
            }
            web-management {
                management-url admin;
                https {
                    system-generated-certificate;
                    interface [ vlan.0 fe-0/0/7.0 fe-0/0/6.0 ];
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                pool 192.168.99.0/24 {
                    address-range low 192.168.99.60 high 192.168.99.200;
                    maximum-lease-time 86400;
                    default-lease-time 64800;
                    domain-name psscorp.local;
                    name-server {
                        10.10.100.40;
                        10.10.100.8;
                    }
                    router {
                        192.168.99.1;
                    }
                    boot-server 10.10.100.10;
                    option 160 ip-address 10.10.100.10;
                    propagate-settings vlan-trust;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            inactive: user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            inactive: file policy_session {
                user info;
                match RT_FLOW;
                archive size 1000k world-readable;
                structured-data;
            }
            inactive: file kmd-logs {
                daemon info;
                match KMD;
                archive size 1000k world-readable;
                structured-data;
            }
            file default-log-messages {
                any info;
                match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES|(AIS_DATA_AVAILABLE)";
                structured-data;
            }
            inactive: file web-filter-deny {
                any any;
                match WEBFILTER_URL_BLOCKED;
                archive size 1m files 1 world-readable;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 15;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 199.204.96.9;
        }
    }
    interfaces {
        interface-range interfaces-trust {
            member fe-0/0/2;
            member fe-0/0/3;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            description "AT&T MPLS";
            unit 0 {
                family inet {
                    sampling {
                        input;
                        output;
                    }
                    address 172.16.0.109/29;
                }
            }
        }
        fe-0/0/7 {
            description ISP2;
            unit 0 {
                family inet {
                    address 216.215.76.74/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.255.3/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    sampling {
                        input;
                        output;
                    }
                    address 192.168.99.1/24;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                rate 100;
            }
            family inet {
                output {
                    flow-server 192.168.99.107 {
                        port 2055;
                        version 5;
                    }
                }
            }
        }
    }
    snmp {
        community switch {
            authorization read-only;
        }
        trap-group switch {
            categories {
                chassis;
                link;
                remote-operations;
                routing;
                rmon-alarm;
                configuration;
            }
            targets {
                10.10.100.29;
                10.10.100.32;
            }
        }
        trap-group space {
            targets {
                10.10.100.29;
            }
        }
    }
    routing-options {
        graceful-restart;
        static {
            inactive: route 10.10.100.0/24 next-hop 172.17.0.1;
            route 0.0.0.0/0 next-hop 172.16.0.110;
            inactive: route 172.16.0.0/24 next-hop 172.16.0.110;
            inactive: route 172.17.0.0/25 next-hop 172.16.0.110;
        }
        router-id 192.168.255.3;
        autonomous-system 65001;
    }
    protocols {
        bgp {
            traceoptions {
                file bgp-trace size 10k files 2 world-readable;
                flag all detail;
                flag keepalive;
            }
            group pss-att-bgp {
                type internal;
                export next-hop-self-policy;
                neighbor 172.16.0.110;
            }
        }
        lacp {
            inactive: traceoptions {
                file lacp-trace;
                flag all;
            }
        }
        stp {
            disable;
        }
    }
    policy-options {
        policy-statement next-hop-self-policy {
            term alter-next-hop {
                from protocol direct;
                then accept;
            }
        }
    }
    security {
        inactive: log {
            mode stream;
            format sd-syslog;
            stream JTAC-TEST {
                host {
                    10.10.100.30;
                }
            }
        }
        address-book {
            global {
                address HOUDCTR 199.204.98.226/32;
                address DATA_NET 192.168.99.0/24;
                address-set REMOTE-SITES {
                    address HOUDCTR;
                }
            }
        }
        alg {
            inactive: dns {
                maximum-message-length 8192;
                doctoring {
                    none;
                }
            }
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            sql disable;
        }
        application-tracking;
        flow {
            inactive: traceoptions {
                file JTAC size 1m;
                flag basic-datapath;
                packet-filter 1 {
                    source-prefix 10.11.11.9/30;
                    destination-prefix 8.8.8.8/32;
                }
                packet-filter 2 {
                    source-prefix 192.168.99.1/32;
                    destination-prefix 8.8.8.8/32;
                }
                packet-filter p1 {
                    source-prefix 192.168.99.100/32;
                    destination-prefix 23.2.199.148/32;
                }
                packet-filter p2 {
                    source-prefix 23.2.199.148/32;
                    destination-prefix 192.168.99.100/32;
                }
            }
            allow-dns-reply;
            sync-icmp-session;
            tcp-mss {
                all-tcp {
                    mss 1350;
                }
                ipsec-vpn {
                    mss 1350;
                }
            }
            tcp-session {
                no-syn-check;
                no-sequence-check;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internal to-zone Internal {
                policy Intra-Zone {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internet {
                policy Intra-Zone {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            inactive: application-services {
                                utm-policy pss-utm-policy;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy All_Internet_Internal {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                host-inbound-traffic {
                    system-services {
                        all;
                        ike;
                    }
                }
                interfaces {
                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                https;
                                ssh;
                                dhcp;
                                snmp;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                interfaces {
                    fe-0/0/6.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                http;
                                https;
                                ssh;
                                ike;
                                traceroute;
                                snmp;
                            }
                            protocols {
                                bgp;
                            }
                        }
                    }
                    lo0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                            protocols {
                                bgp;
                            }
                        }
                    }
                }
            }
        }
    }
    firewall {
        inactive: filter all {
            term all {
                then {
                    sample;
                    accept;
                }
            }
        }
        inactive: filter cflow {
            term 1 {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    Attachment: Network.pdf (115 KB)


  • 6.  RE: Sending default route to IBGP neighbors
    Best Answer

    Posted 06-20-2016 15:09

    So in the ATT MPLS setup I assume this is a L3 VPN VRF for your traffic.  

     

    If that is the case you should be able to inject the default route from your data center SRX to the ATT peer at the data center.  This will then become available at the remote site.  

     

    I further assume you added the static default route to the remote peer just to get the internet flowing into the MPLS connection.  But since there was no default route learned from the data center this traffic basically blackholes at the remote MPLS router as a result.

     

    Once you advertise the default route you should be able to remove the static one.
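    The configuration below is an added example, not part of this thread and not the poster's or Juniper's own configuration. It puts together what replies 2 and 6 describe: an export term on the datacenter SRX that advertises only the exact 0.0.0.0/0 route from its static table into the iBGP session toward the AT&T CPE, followed by the verification commands on each side. The policy name EXPORT-TO-MPLS is invented; the group name pss-att-bgp and the CPE address 172.16.0.110 are borrowed from the remote-site config above purely as placeholders, since the datacenter peer's real values are not given in the thread. It also assumes the datacenter SRX already holds a static default pointing at the ISP.

```junos
## Datacenter SRX (assumed names: EXPORT-TO-MPLS policy, pss-att-bgp group,
## 172.16.0.110 as the CPE neighbor; all three are placeholders).

# Term 1: export only the exact default, and only if it is the static route
# toward the ISP. "exact" stops any other static prefix from leaking through.
set policy-options policy-statement EXPORT-TO-MPLS term default-export from protocol static
set policy-options policy-statement EXPORT-TO-MPLS term default-export from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-TO-MPLS term default-export then accept

# Term 2: keep exporting the directly connected networks, as the original
# next-hop-self-policy did. No final reject term is added on purpose, so
# routes that fall through still get the default BGP export treatment.
set policy-options policy-statement EXPORT-TO-MPLS term direct-routes from protocol direct
set policy-options policy-statement EXPORT-TO-MPLS term direct-routes then accept

# Apply the policy to the iBGP group facing the CPE.
set protocols bgp group pss-att-bgp type internal
set protocols bgp group pss-att-bgp export EXPORT-TO-MPLS
set protocols bgp group pss-att-bgp neighbor 172.16.0.110
commit

## Verification on the datacenter SRX: is the default actually being sent?
show route advertising-protocol bgp 172.16.0.110 0.0.0.0/0 exact

## Verification on a remote-site SRX: is the default arriving via iBGP?
show route receive-protocol bgp 172.16.0.110 0.0.0.0/0 exact

## Which default is active? A static route (preference 5) always wins over an
## iBGP route (preference 170), so the learned default stays hidden until the
## static is removed. Deactivate it under a timed commit so the device rolls
## back on its own if the BGP default does not take over as expected.
deactivate routing-options static route 0.0.0.0/0
commit confirmed 5
show route 0.0.0.0/0 exact
commit
```

The `from protocol static` plus `route-filter ... exact` pairing is the defensive part: an export term that matched `0.0.0.0/0 orlonger`, or that omitted the protocol qualifier, could push every static or even the ISP-facing prefixes into the MPLS cloud. The `commit confirmed` step matters because, as reply 7 later notes, pulling the static default out of the remote site had side effects; a timed commit gives a few minutes to check `show route` and let the box revert by itself if connectivity to it is lost.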



  • 7.  RE: Sending default route to IBGP neighbors

    Posted 06-24-2016 13:21

    Ok. I'm getting the routes; now I have to solve for issues with the SIP phones across the network and then remove the VPNs from the production sites. I have found that I am not able to remove the route to the default gateway, as this makes other routes in the MPLS show up as inactive.



  • 8.  RE: Sending default route to IBGP neighbors

    Posted 06-25-2016 07:00

    For the SIP issues, I assume you have the SRX in flow mode and all the default ALG settings.  You can review the SIP call verification options and configuration examples here.

     

    http://www.juniper.net/documentation/en_US/junos15.1x49/topics/task/verification/alg-security-sip-configuration-verifying.html

     

    http://www.juniper.net/documentation/en_US/junos12.1x47/topics/task/configuration/alg-security-sip-configuring.html

     

    I'm afraid I don't understand the remaining routing issue.  Could you elaborate on what is missing in the remote site route table or what the traffic problem is?



  • 9.  RE: Sending default route to IBGP neighbors

    Posted 06-29-2016 16:34

    Turned out the bigger issue was a misconfiguration on the provider's side. Fixed, and all is now working.