SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  OSPF area-range advertisement doesn't seem to be working

    Posted 11-23-2011 09:56

    I'm working with a Cisco engineer to set up OSPF across a metro-e connection between corporate and our new datacenter. However, he seemingly cannot see the internal network routes. Any thoughts on why my firewalls are not advertising the internal IPs? Below are some snippets from my config. These are redundant interfaces (hence the rethX). Any thoughts or insights as to what I may be doing wrong would be greatly appreciated. Many thanks in advance.


    lo0 {
        unit 0 {
            family inet {
                address 192.168.3.1/32;
            }
        }
    }
    reth1 {
        description REDUNDANT_INTERNAL_INT;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.64.0.1/24;
            }
        }
    }
    reth2 {
        description REDUNDANT_METRO_INT;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.103.2/24;
            }
        }
    }


    protocols {
        ospf {
            area 0.0.0.0 {
                area-range 10.64.0.0/16;
                area-range 192.168.3.1/32 restrict;
                interface reth2.0;
                interface lo0.0 {
                    passive;
                }
            }
        }
        stp;
    }


    security-zone metro {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            reth2.0;
        }
    }


    Also, when I do a 'show ospf database' I'm not seeing the 10.64.0.0/16 network in there. Is this normal?

    admin@pub-fw2> show ospf database

    OSPF database, Area 0.0.0.0
     Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
    Router   10.2.5.2         10.2.5.2         0x80000004   406  0x22 0x96e6  36
    Router   192.168.103.1    192.168.103.1    0x8000001c   625  0x22 0x63bd  48
    Router  *192.168.103.2    192.168.103.2    0x8000000c   775  0x22 0x63fb  48
    Network  10.2.6.52        192.168.103.1    0x80000002   625  0x22 0xc181  32
    Network *192.168.103.2    192.168.103.2    0x80000002   334  0x22 0x3ab4  32



  • 2.  RE: OSPF area-range advertisement doesn't seem to be working

    Posted 11-23-2011 14:10

    hi Derek,


    "cannot see the internal network routes ..." - please be more specific: do you mean 10.64.0.1/24? Something else?

    A simple way to advertise 10.64.0.1/24 (or any other interface route) is to include the interface as passive under the OSPF area.


    area-range works on ABR routers. You only have a single area 0.0.0.0 in your config.


    http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-routing/routing-summarizing-ranges-of-routes-in-ospf-link-state-advertisements.html


    Example of area-range usage:

    http://books.google.com/books?id=B8NCgJf9leEC&pg=PA228&lpg=PA228&dq=junos+area-range&source=bl&ots=cKEfeJpudm&sig=VbSe96W8-sMIkigTtR-KicXlPY8&hl=en&ei=7mbNTpf4I8GQ4gTpzOgZ&sa=X&oi=book_result&ct=result&resnum=5&ved=0CDwQ6AEwBA#v=onepage&q=junos%20area-range&f=false


    jtb



  • 3.  RE: OSPF area-range advertisement doesn't seem to be working

    Posted 11-23-2011 17:29

    Thanks for the reply and links jtb. I'm slowly getting the hang of this and I believe I'm making some progress.


    So, would/should I be able to set up a secondary area, say 0.0.0.2, and apply the area-range to it? Once I popped on the configuration you suggested (interface reth1.0 passive), I was able to successfully broadcast the subnet for that interface, in this case 10.64.0.0/24. However, I need to broadcast that I have the full 10.64.0.0/16 network behind this firewall.


    Update: I did try to set up a secondary area and things are looking close, but now the /16 network is in a discard state.


    admin@efw-pub-fw2> show configuration protocols
    ospf {
        area 0.0.0.0 {
            interface lo0.0;
        }
        area 0.0.0.2 {
            area-range 10.64.0.0/16;
            interface reth2.0;
            interface reth1.0 {
                passive;
            }
        }
    }

    admin@pub-fw2> show ospf route
    Topology default Route Table:

    Prefix             Path  Route     NH     Metric  NextHop    Nexthop
                       Type  Type      Type           Interface  Address/LSP
    10.64.0.0/16       Inter Discard   IP   16777215
    10.64.0.0/24       Intra Network   IP          1  reth1.0
    192.168.3.1/32     Intra Network   IP          0  lo0.0
    192.168.103.0/24   Intra Network   IP          1  reth2.0


    Am I just pushing the SRX 210 beyond its capabilities? That is, it's not an ABR router, correct? On the other end of the metro we have some Cisco ASAs, and here is the config they have on their side for the networks they are advertising to us. I would like to be able to try and do the same thing.

    router ospf 10
     router-id 192.168.103.1
     network 10.0.0.0 255.224.0.0 area 0
     network 10.32.0.0 255.255.0.0 area 0


    Thanks again for your help on this matter.



  • 4.  RE: OSPF area-range advertisement doesn't seem to be working

    Posted 11-23-2011 17:37

    This may be a stupid solution, but would I be able to configure my interfaces and OSPF something like this:


    lo0 {
        unit 0 {
            family inet {
                address 10.64.255.254/16;
            }
        }
    }
    reth1 {
        description REDUNDANT_INTERNAL_INT;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.64.0.1/24;
            }
        }
    }
    reth2 {
        description REDUNDANT_METRO_INT;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.103.2/24;
            }
        }
    }

    ospf {
        area 0.0.0.0 {
            area-range 10.64.0.0/16;
            area-range 192.168.3.1/32 restrict;
            interface reth2.0;
            interface lo0.0 {
                passive;
            }
            interface reth1.0 {
                passive;
            }
        }
    }


    I added the highest available IP in the full network range on lo0.0 and then advertise that interface out. Would that work? Or could that cause one hell of a mess on the device?


    Thanks again for working with me on this.



  • 5.  RE: OSPF area-range advertisement doesn't seem to be working
    Best Answer

    Posted 11-24-2011 02:16

    hi,


    SRX can be an OSPF ABR, no problem. But there is no need for an additional area if you want to send just a summary route.

    What's the source of the contributing routes (10.66.x.x/24?) Static routes, direct/interface?

    If 10.66.x.x/24 is a direct route, just add the interface as passive under OSPF - you already know it works.


    The universal solution is to create an OSPF export policy and redistribute any route you want, including a summary (aggregate) route 10.66.x.x/16.


    Example config; use it as a template (using routing-instances for testing - VR2 and VR3 as OSPF peers).


    // VR2 - interface routes matching 10.64/16
    
    admin@srx> show route table VR2 protocol direct 10.64/16 terse
    
    VR2.inet.0: 18 destinations, 21 routes (18 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
    * 10.64.0.0/24       D   0                       >fe-0/0/4.100
    * 10.64.1.0/24       D   0                       >fe-0/0/4.101
    * 10.64.2.0/24       D   0                       >fe-0/0/4.102
    
    
    // create aggregate ('route to null')
    
    admin@srx> show configuration routing-instances VR2 routing-options
    aggregate {
        route 10.64.0.0/16 discard;
    }
    
    // verifying - please notice  'Contributing Routes' below
    
    admin@srx> show route table VR2 10.64/16 exact detail
    
    VR2.inet.0: 18 destinations, 21 routes (18 active, 0 holddown, 0 hidden)
    10.64.0.0/16 (1 entry, 1 announced)
            *Aggregate Preference: 130
                    Next hop type: Discard
                    Address: 0x13cd8ec
                    Next-hop reference count: 12
                    State: <Active Int Ext>
                    Local AS: 65002
                    Age: 14:03
                    Task: Aggregate
                    Announcement bits (4): 0-KRT 1-BGP RT Background 3-Resolve tree 2 4-VR2-OSPF
                    AS path: I (LocalAgg)
                                    Flags: Discard  Depth: 0        Active
                    AS path list:
                    AS path: I Refcount: 3
                    Contributing Routes (3):
                            10.64.0.0/24 proto Direct
                            10.64.1.0/24 proto Direct
                            10.64.2.0/24 proto Direct
    
    
    // policy - what we want to inject into OSPF (external route)
    
    admin@srx> show configuration policy-options policy-statement VR2-exp-aggr
    term 10 {
        from {
            protocol aggregate;
            route-filter 10.64.0.0/16 exact;
        }
        then accept;
    }
    
    
    // apply the export policy under OSPF
    
    admin@srx> show configuration routing-instances VR2 protocols ospf
    export VR2-exp-aggr;
    area 0.0.0.0 {
        interface lt-0/0/0.123;
        interface lt-0/0/0.121;
    }
    
    
    // the OSPF LSDB has the 10.64.0.0/16 route now, exported by VR2
    
    admin@srx> show ospf database instance VR2 external lsa-id 10.64.0.0
        OSPF AS SCOPE link state database
     Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
    Extern  *10.64.0.0        10.64.0.1        0x80000001   611  0x22 0x1904  36


    The OSPF peer VR3 got the 10.64.0.0/16:


    // the route is seen on the OSPF peer
    
    admin@srx> show route table VR3 protocol ospf terse 10.64.0.0
    
    VR3.inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
    * 10.64.0.0/16       O 150          0            >lt-0/0/0.132


    Please digest it carefully,

    jtb
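    The same aggregate-plus-export-policy approach carried over to the single-area, main-instance setup from the first post, as an added example and not a configuration from the thread (interface names are the asker's; the policy and term names are invented):

```junos
/* Added example, not from the thread: main routing instance of the
   SRX from post 1; policy name OSPF-EXPORT-AGGR-10-64 is invented. */
routing-options {
    aggregate {
        /* Discard next hop. The /16 is only active (and only exported)
           while at least one contributing more-specific route exists,
           e.g. 10.64.0.0/24 from reth1.0; if reth1 goes down and no
           other 10.64.x.0/24 route remains, the summary is withdrawn. */
        route 10.64.0.0/16 discard;
    }
}
policy-options {
    policy-statement OSPF-EXPORT-AGGR-10-64 {
        term aggregate-only {
            from {
                protocol aggregate;
                route-filter 10.64.0.0/16 exact;
            }
            then accept;
        }
        /* No final 'then reject' needed: OSPF export rejects
           everything the policy does not accept, so no other static
           or direct routes leak into OSPF by accident. */
    }
}
protocols {
    ospf {
        export OSPF-EXPORT-AGGR-10-64;
        area 0.0.0.0 {
            /* area-range removed: it only summarises between areas on
               an ABR; the /16 now enters OSPF as an external LSA. */
            interface reth2.0;
            interface reth1.0 {
                passive;
            }
            interface lo0.0 {
                passive;
            }
        }
    }
}
```

    After commit, 'show route 10.64.0.0/16 exact detail' should list the /24 under Contributing Routes and 'show ospf database external lsa-id 10.64.0.0' should show the Extern LSA, as in the VR2 output above. The peer learns it as an external route (preference 150, as in the VR3 output); note that Type 5 external LSAs do not propagate into a stub area.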



  • 6.  RE: OSPF area-range advertisement doesn't seem to be working

    Posted 11-28-2011 08:48

    Thanks JTB for all your help. I implemented the policy-based export as you provided below and all is good and well now. Once again, many many thanks.


    Derek