SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Direct and Default Routes are advertised to IBGP neighbor from routing-instance without a policy term

  • 1.  Direct and Default Routes are advertised to IBGP neighbor from routing-instance without a policy term

    Posted 04-28-2023 16:52

    I have a JMX router in the lab with a routing-instance named Guest. The MX is getting a default route from an upstream device. It also has an IBGP neighbor with an RR.
    From MX-->upstream device, I'm advertising my directly connected routes and all the routes that I received from the RR with a specific community.

    Question: The RR is receiving the directly connected routes and the default route from the JMX, even though I didn't mention them in the export policy. The default route that I got is from the upstream router. How will it be propagated to another IBGP neighbor (RR)? Because in IBGP, routes received from one IBGP peer should not be sent to another IBGP peer.

    This is my config...
    LAB-JUNOS> show configuration routing-instances guest            
    instance-type vrf;
    interface lt-0/1/10.1;
    interface ae1.2023;
    interface lo0.2023;
    route-distinguisher 1.1.1.1:9;
    vrf-import GUEST-VPN-IMPORT-POLICY;
    vrf-export GUEST-VPN-EXPORT-POLICY;
    vrf-target target:2:9;
    vrf-table-label;
    routing-options {
        static {
            route 12.12.12.12/32 next-hop 192.168.1.19;
        }
    }
    protocols {
        bgp {
            group guest {
                type internal;
                hold-time 180;
                export [ direct-routes  ALLOW-GUEST-COMM-TO-UPSTREAM ];
                neighbor 172.16.1.2 {
                    family inet {
                        any;
                    }
                }
            }
        }
    }

    LAB-JUNOS> show configuration policy-options policy-statement GUEST-VPN-EXPORT-POLICY    
    term 1 {
        from {
            protocol direct;
            route-filter 3.3.3.3/32 exact;
        }
        then {
            community add GUEST-TARGET;
        }
    }
    term not-the-private {
        from {
            route-filter 192.168.0.0/16 orlonger;
        }
        then reject;
    }
    term 2 {
        then {
            community add GUEST-TARGET-PE;
            accept;
        }
    }


    LAB-JUNOS> show configuration policy-options policy-statement GUEST-VPN-IMPORT-POLICY    
    term 1 {
        from {
            protocol bgp;
            community GUEST-TARGET;
        }
        then accept;
    }

    term 4 {
        then reject;
    }

    Thanks



    ------------------------------
    BHARGAV K
    ------------------------------


  • 2.  RE: Direct and Default Routes are advertised to IBGP neighbor from routing-instance without a policy term

    Posted 04-28-2023 16:55

    The default final term in a policy is to accept any BGP route. So you will need to add a reject all term or policy to your chain for export and/or import as desired to restrict routes to just those explicitly called out in policy terms.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
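
An added example, not part of either post and not Junos code: a simplified Python model of ordered term evaluation, run over GUEST-VPN-EXPORT-POLICY as posted above, showing which routes reach an accept and how a final reject-all term limits export to the routes explicitly matched. The RESTRICTED policy, the sample routes and all function names are assumptions made for illustration; falling past the last term is reported as "default" rather than modelled.

```python
import ipaddress

def rf(prefix, mode):
    """Junos-style route-filter; mode is 'exact' or 'orlonger'."""
    net = ipaddress.ip_network(prefix)
    def match(route):
        r = ipaddress.ip_network(route[0])
        return r == net if mode == "exact" else r.subnet_of(net)
    return match

def proto(name):
    return lambda route: route[1] == name

def evaluate(policy, route):
    """Walk terms in order and stop at the first accept/reject.
    Returns (action, communities); action is 'default' on fall-through."""
    comms = []
    for term in policy:
        if all(cond(route) for cond in term["from"]):  # empty 'from' matches all
            comms += term.get("add", [])
            if "action" in term:
                return term["action"], comms
    return "default", comms

# GUEST-VPN-EXPORT-POLICY as posted in the thread
POSTED = [
    {"from": [proto("direct"), rf("3.3.3.3/32", "exact")], "add": ["GUEST-TARGET"]},
    {"from": [rf("192.168.0.0/16", "orlonger")], "action": "reject"},
    {"from": [], "add": ["GUEST-TARGET-PE"], "action": "accept"},
]
# Assumed variant (not from the thread): explicit accept, then a final reject-all
RESTRICTED = [
    {"from": [proto("direct"), rf("3.3.3.3/32", "exact")],
     "add": ["GUEST-TARGET"], "action": "accept"},
    {"from": [], "action": "reject"},
]
# Constructed sample routes: (prefix, protocol)
ROUTES = [("0.0.0.0/0", "bgp"), ("3.3.3.3/32", "direct"), ("10.20.30.0/24", "direct"),
          ("192.168.1.16/30", "direct"), ("12.12.12.12/32", "static")]

def exported(policy):
    """Prefixes from ROUTES that the policy accepts, with their communities."""
    results = ((p, evaluate(policy, (p, t))) for p, t in ROUTES)
    return {p: comms for p, (action, comms) in results if action == "accept"}

if __name__ == "__main__":
    for name, policy in (("posted", POSTED), ("restricted", RESTRICTED)):
        print(name, exported(policy))
```

In the posted policy, term 1 only adds a community and has no terminating action, so evaluation continues into term 2, which has no from condition and accepts whatever reaches it.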