
Re: Default route question


Hi, 

 

Do you want the return traffic from this source range only to go via AS200?

If not, you can do this with BGP import and export policies and as-path prepend.

I tested this in a lab. Config below:

AS100:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 172.16.0.1/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 172.16.0.9/30;
            }
        }
    }
}
routing-options {
    autonomous-system 100;
}
protocols {
    bgp {
        group AS200 {
            type external;
            local-address 172.16.0.1;
            export EXPORT-AS200;
            peer-as 200;
            neighbor 172.16.0.2;
        }
        group AS300 {
            type external;
            local-address 172.16.0.9;
            import IMPORT-AS300;
            export EXPORT-AS300;
            peer-as 300;
            neighbor 172.16.0.10;
        }
    }
}
policy-options {
    policy-statement EXPORT-AS200 {
        from {
            protocol direct;
            route-filter 10.0.0.0/24 exact;
        }
        then accept;
    }
    policy-statement EXPORT-AS300 {
        from {
            protocol direct;
            route-filter 10.0.0.0/24 exact;
        }
        then {
            community set AS100:300;
            as-path-prepend "100 100 100";
            accept;
        }
    }
    policy-statement IMPORT-AS300 {
        term AS300 {
            from {
                protocol bgp;
                as-path AS300;
                route-filter 192.168.1.0/30 exact;
            }
            then {
                as-path-expand last-as count 2;
                accept;
            }
        }
    }
    community AS100:300 members 300:100;
    as-path AS300 "300 .*";
}

AS200:

interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 172.16.0.2/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 172.16.0.5/30;
            }
        }
    }
}
routing-options {
    autonomous-system 200;
}
protocols {
    bgp {
        group AS100 {
            type external;
            local-address 172.16.0.2;
            peer-as 100;
            neighbor 172.16.0.1;
        }
        group AS300 {
            type external;
            local-address 172.16.0.5;
            peer-as 300;
            neighbor 172.16.0.6;
        }
    }
}

AS300:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 172.16.0.6/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 172.16.0.10/30;
            }
        }
    }
}
routing-options {
    autonomous-system 300;
}
protocols {
    bgp {
        export EXPORT;
        group AS100 {
            type external;
            local-address 172.16.0.10;
            peer-as 100;
            neighbor 172.16.0.9;
        }
        group AS200 {
            type external;
            local-address 172.16.0.6;
            peer-as 200;
            neighbor 172.16.0.5;
        }
    }
}
policy-options {
    policy-statement EXPORT {
        from {
            protocol direct;
            route-filter 192.168.1.0/30 exact;
        }
        then accept;
    }
}

Traceroute shows traffic going via AS200:

root@AS100# run traceroute 192.168.1.1 source 10.0.0.1
traceroute to 192.168.1.1 (192.168.1.1) from 10.0.0.1, 30 hops max, 40 byte packets
 1  172.16.0.2 (172.16.0.2)  2.753 ms  1.926 ms  1.190 ms
 2  192.168.1.1 (192.168.1.1)  2.288 ms  2.564 ms  2.017 ms

root@AS300# run traceroute 10.0.0.1 source 192.168.1.1
traceroute to 10.0.0.1 (10.0.0.1) from 192.168.1.1, 30 hops max, 40 byte packets
 1  172.16.0.5 (172.16.0.5)  1.398 ms  1.100 ms  1.638 ms
 2  10.0.0.1 (10.0.0.1)  2.210 ms  1.863 ms  1.983 ms

BGP Routes:

root@AS100# run show route table inet.0 192.168.1.0

inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/30     *[BGP/170] 00:18:13, localpref 100
                      AS path: 200 300 I, validation-state: unverified
                    > to 172.16.0.2 via ge-0/0/2.0
                    [BGP/170] 00:18:13, localpref 100
                      AS path: 300 300 300 I, validation-state: unverified
                    > to 172.16.0.10 via ge-0/0/3.0


root@AS300# run show route table inet.0 10.0.0.0

inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/24        *[BGP/170] 00:20:54, localpref 100
                      AS path: 200 100 I, validation-state: unverified
                    > to 172.16.0.5 via ge-0/0/2.0
                    [BGP/170] 00:20:54, localpref 100
                      AS path: 100 100 100 100 I, validation-state: unverified
                    > to 172.16.0.9 via ge-0/0/3.0

The AS-PATH prepend or expand can be done at either end and can match communities as well.

Did not need a static route on AS200 as the 192.168.1.0/30 was exported in BGP.

 

Not sure if this helps.

I believe if only default route is available, then FBF is the solution.

 

Cheers,

Ashvin
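To show why both routers in the lab above end up forwarding via AS200, here is a small Python model (an added example, not part of Ashvin's post or of Junos) of the as-path-prepend and as-path-expand applied by the EXPORT-AS300 and IMPORT-AS300 policies. It compares AS-path length only, which is the best-path step these policies target; next-hop addresses are the ones from the lab.

```python
# Added example, not from the original post: models the AS-path manipulation
# of the lab. Best-path choice here uses AS-path length only; the real BGP
# decision process has more steps (local-pref, MED, IGP cost, ...).

def prepend(as_path, prepend_str):
    """Junos 'as-path-prepend "100 100 100"': push ASNs onto the front."""
    return [int(a) for a in prepend_str.split()] + list(as_path)

def expand_last_as(as_path, count):
    """Junos 'as-path-expand last-as count N' on import: add N more copies
    of the neighbor AS (the first AS in the received path)."""
    return [as_path[0]] * count + list(as_path)

def as_path_str(as_path):
    return " ".join(str(a) for a in as_path)

def best_by_as_path(routes):
    """Shortest AS path wins; ties go to the first route listed."""
    return min(routes, key=lambda r: len(r["as_path"]))

def as100_routes():
    """192.168.1.0/30 (origin AS300) as AS100 sees it after IMPORT-AS300."""
    via_as200 = {"next_hop": "172.16.0.2", "as_path": [200, 300]}
    direct = {"next_hop": "172.16.0.10", "as_path": expand_last_as([300], 2)}
    return [via_as200, direct]

def as300_routes():
    """10.0.0.0/24 (origin AS100) as AS300 sees it. AS100's EXPORT-AS300
    prepends '100 100 100' and eBGP adds AS100 itself, hence four 100s."""
    via_as200 = {"next_hop": "172.16.0.5", "as_path": [200, 100]}
    direct = {"next_hop": "172.16.0.9", "as_path": prepend([100], "100 100 100")}
    return [via_as200, direct]

def best_next_hop(routes, failed_next_hop=None):
    """Best route's next hop, optionally with one neighbor's path withdrawn
    (e.g. the AS200 link going down) to show the direct link acting as backup."""
    usable = [r for r in routes if r["next_hop"] != failed_next_hop]
    return best_by_as_path(usable)["next_hop"]

if __name__ == "__main__":
    for name, routes in (("AS100", as100_routes()), ("AS300", as300_routes())):
        for r in routes:
            print(f"{name}: AS path {as_path_str(r['as_path'])} via {r['next_hop']}")
        print(f"{name}: best via {best_next_hop(routes)}")
```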


Re: Default route question


You mention that the addresses involved are configured as /30 addresses on the AS300 router.  

 

And that what you want is source based routing for these addresses.

 

You might be able to build the filter addresses automatically using a prefix list and the apply-path match condition for the interfaces. I have a similar filter built using this basic pattern.

 

InterfaceAddresses is the name of the list

 

The <*> matches all of that criteria, in this case all interfaces and all units.  You can make this narrower like:

 

interfaces ge-1/2/<*>

 

So that only certain FPCs or PICs are covered, where your client interfaces will be configured.

 

This will then pull all those /30 subnets into the prefix list automatically as the interfaces are configured.

 

set policy-options prefix-list InterfaceAddresses apply-path "interfaces <*> unit <*> family inet address <*>"

 

Then instead of using from source-address you would use from prefix-list in the FBF example filter. So the filter is automatically updated as the interfaces are added to the system.

Re: How much firewall filter (ACLs) MX80 & MX240 can handle


Hi,

 

I can confirm that the command works on MX5

 

root@MX5-R2002> show chassis hardware detail 
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                                   MX5-T
root@MX5-R2002> start shell pfe network tfeb0
TFEB platform (1000Mhz MPC 8548 processor, 1024MB memory, 512KB flash)
TAZ-TBB-0(MX5-R2002 vty)# show jnh 0 pool usage
EDMEM overall usage:
[NH////////|FW////////|CNTR///////////|HASH////////////|ENCAPS////|------------------]
0          4.0        8.0             14.0             20.7       24.8              32.0M
Next Hop  [**************|--------|RRRRRRRRRRRRRRRRRRRRRRRR] 4.0M (30% | 70%)
Firewall  [|----------------------|RRRRRRRRRRRRRRRRRRRRRRRR] 4.0M (<1% | >99%)
Counters  [*************************|---------------------------------------------] 6.0M (35% | 65%)
HASH      [********************************************************************************] 6.7M (100% | 0%)
ENCAPS    [************************************************] 4.1M (100% | 0%)
Shared Memory - NH/FW/CNTR/HASH/ENCAPS
          [--------------------------------------------------------------------------------] 7.2M (0% | 100%)
DMEM overall usage:
[-]
0  0.0M

Regards

Rakesh

Re: Sending default route to IBGP neighbors


Turned out the bigger issue was a misconfiguration on the providers side. Fixed and all is now working. 

Re: Default route question


@spuluka, my problem is about the IP list:

 

http://www.juniper.net/documentation/en_US/junos15.1/topics/example/firewall-filter-option-filter-based-forwarding-example.html

 

set firewall filter classify-customers term sp1-customers from source-address 10.1.1.0/24

 

I don't want to do any config change from AS300. I need to do it remotely.

 

BGP is the best way to do this, but I don't see any filter option for community.

 

For example, if it is possible with community, I am going to add a community to all subnets coming from AS200.

Re: Default route question


Sorry, perhaps I misunderstand the routing request.

 

I thought you needed to use SOURCE based routing.  When the source address is from these particular /30 then the next hop should be the AS200 router.  This is what filter based forwarding does.

 

BGP can only inject DESTINATION routes into the peer relationship.  And the peer will then forward to AS200 if the DESTINATION you inject is the target of the forwarding.

 

Is your need for SOURCE or DESTINATION based routes on AS300?

Re: J-Flow on MX104


Hi there

 

I have configured per the forum suggestions.

We are running MX104

 

The problem is the collector is receiving no flows?

 

The logical system inet.0 has a full set of routes with static routes to the collector inside the DC.

Tested comms with a basic telnet from the logical system and it works.

 

I understand that the collector must be reachable via the master or default logical system

 

Is this correct? As I see, from version 13 upwards, support for version 9 and IPFIX is done for logical systems.

 

I also am doing sampling on 3 or 4 interfaces in the logical system

 

show configuration logical-systems lon-mx104-internet-sec interfaces xe-2/0/0
unit 0 {
    family inet {
        no-redirects;
        filter {
            input Protect-Interfaces-MX104;
        }
        sampling {
            input;
            output;
        }
        address x.x.x.x;
    }
}

 

Example :

 

 

++++++++++++++++

 

set chassis afeb slot 0 sampling-instance 1to1
set chassis afeb slot 0 inline-services flow-table-size ipv4-flow-table-size 5

 

show configuration logical-systems lon-mx104-internet-sec forwarding-options
sampling {
    family inet {
        output {
            flow-server 91.109.255.6 {
                port 2055;
                source-address 91.109.255.227;
            }
        }
    }
}

 

show configuration forwarding-options
sampling {
    traceoptions {
        file ipfix.log size 10k;
    }
    input {
        rate 1;
    }
    instance {
        1to1 {
            input {
                rate 1;
            }
            family inet {
                output {
                    flow-server 91.109.255.6 {
                        port 2055;
                        autonomous-system-type peer;
                        version-ipfix {
                            template {
                                ipv4;
                            }
                        }
                    }
                    inline-jflow {
                        source-address 91.109.255.227;
                    }
                }
            }
        }
    }
}

 

 

Re: Default route question


Hi, 

 

I believe BGP community is to influence routing protocol decisions as to what to do with the BGP routes being exchanged.

FBF is about forwarding decision whereby it can influence the forwarding of a packet by looking inside the packet and matching certain conditions.  Since an IP packet would not contain any BGP community field, FBF filter cannot match this.

 

I looked into the possibilities of creating and maintaining a dynamic prefix-list which gets updated based on BGP communities. I could not find any method of relating those two like what you are trying to achieve.

 

Cheers,

Ashvin


Reg : IOS to JUNOS conversion


Dear All,

 

I am new to Junos. We have an MX-104 router with two ISP links. The MX104 will replace the Cisco 7206 router. Anyone please help me in converting the IOS configuration to JUNOS. I have done the configuration on the Juniper MX104. Herewith I have attached the BGP configuration on IOS and JUNOS. Need your help with the BGP configuration on the MX104.

 

 

Thanks & Regards

Maheswaran

s.mahes85@gmail.com

Re: Reg : IOS to JUNOS conversion


Dear Suraj,

 

Thank you for your response. I have done the configuration based on the I2J output. Now BGP is up and working fine without issues, but the reverse path for all the networks is passing through ISP-2 (TATA). Please have a look at the attached Cisco configuration; while the Cisco was in place, the traffic for network 203.223.188.0/24 was coming through ISP-2 (TATA) and the reverse path for all other networks was coming through ISP-1 (AIRTEL).

 

Thanks & Regards

Maheswaran

Re: How much firewall filter (ACLs) MX80 & MX240 can handle


Thanks Alex,

 

I also tried to use this command with an EX9200 and it works fine. But when I configure two EX9200s to form a virtual chassis, I cannot use the "start shell pfe network..." or "request pfe network..." commands; it seems pfe network is not found, or has another name? Please help!

 

Thanks,

 

Trung

Re: Default route question


@spuluka

 

I need source-based routing for AS300 for return traffic. I do it with a filter, but I need to do this remotely, because Junos has a bug and sometimes devices reboot themselves on commit!

 

 

Re: Reg : IOS to JUNOS conversion


Hi,

 

It might be easier if you could describe the desired output/behavior.

I assume by reverse path, you mean inbound traffic.

 

What I gathered from the Cisco config is you are applying a local-preference of 500 to specific prefixes towards TCL [To-TCL] and AES [To-AES out]. However, since this is eBGP, I doubt local-preference would be the method to influence your inbound traffic, unless I missed something.

 

I believe the export policies could have been simplified by rewriting them.

 

You can use "show route table inet.0 advertising-protocol bgp x.x.x.x" to view the routes being announced to the neighbors. If you have a similar capture before the migration, you could compare against as well.

 

Cheers,

Ashvin


Trigger for activating qualified-next-hop


Hi folks!

I have a configuration like:

static {
    route 192.168.1.0/24 {
        next-hop 10.255.32.1;
        qualified-next-hop 10.111.11.1 {
            preference 6;
        }
    }
}

I want the preferred route to be 10.255.32.1 and the alternative 10.111.11.1. And as I can see, it works so now. 10.255.32.1 is reachable only through interface xe-0/0/0, and 10.111.11.1 only through xe-0/0/1. The question is: if 10.255.32.1 becomes unreachable, but xe-0/0/0 stays UP, will the qualified-next-hop be activated? If not, how can I do that?

Thank you in advance!

Re: Trigger for activating qualified-next-hop


Hi,

 

With this config I believe if the next-hop is not reachable but the direct interface [xe-0/0/0] is still Up, the static route will remain active with the next-hop preferred.

Using BFD [if next-hop supports BFD] or RPM with the static route config to monitor the next-hop may be the solution.

 

Some links:

http://www.juniper.net/techpubs/en_US/junos14.2/topics/example/policy-static-routes-bfd.html

http://kb.juniper.net/InfoCenter/index?page=content&id=KB25052&smlogin=true&actp=search

 

Cheers,

Ashvin

Re: Trigger for activating qualified-next-hop


Thank you for your suggestion, I also was thinking about BFD.

Re: Reg : IOS to JUNOS conversion


Hi Ashvin,

 

Thank you for your reply. I am mentioning inbound traffic only. I have attached the "show route table inet.0 advertising-protocol bgp x.x.x.x" output; in that we can see all the networks are advertised to both TCL and AIRTEL. Can you please guide me on changes to the Juniper BGP config which was attached earlier? I don't have the output of the route table before migration.

 

Thanks & Regards

Maheswaran

Re: Default route question


Unfortunately, source based routing requires that the filter be installed at the AS300 router then.

 

Since these are /30s, and I assume from your notes you are adding prefixes over time, maybe these prefixes are being allocated from a larger pool?

 

Perhaps you could build the source filter once with the /26 or /27 prefix that all of the /30 are taken out of?

 

Then you need only one commit, and when they add additional sites they will automatically be covered by the filter because the overall range is already in there.
