02-01-2012 10:06 AM
Hey Guys!!
I have a topology like that attached to the topic and I have some doubts about:
How do I export routes learned from Router 1 to the other routers, 2 and 3?
I receive some routes from all the routers into OSPF area 0.
Is it possible to do? If yes, will I have a problem with this when all routers are in the same area?
Is it possible to export only routes learned from router 1 to the other routers with a routing policy? Or do I need to export my routing table with all the routes to all the OSPF adjacencies?
Thanks for all!
Regards,
Luiz Ricardo
02-01-2012 12:49 PM
If I understand your question correctly, you actually don't need to do any of those things.
OSPF is a link-state protocol. By default, all participating routers are going to maintain link state databases for all links within the OSPF domain.
With your 3 routers and SRX650 all in area 0, Routers 2 and 3 will learn about the routes from Router 1, and vice versa. No exporting or other magic needs to be done, unless you're looking to take routes from other protocols (BGP, static, etc.) and put them in the OSPF domain as well.
02-02-2012 12:29 AM - edited 02-02-2012 12:31 AM
What if we use RIP, instead of OSPF?
We need to advertise the routes, right?
02-02-2012 02:40 AM
Hey guys thanks for the reply!
So I thought like you but it didn't happen.
Look at the actual SRX650 configuration; I think it should work with this configuration.
set interfaces reth5 description UNTRUST-VLAN2001
set interfaces reth5 redundant-ether-options redundancy-group 1
set interfaces reth5 unit 0 family inet address 10.1.191.238/29
set interfaces reth1 description UNTRUST-VLAN2000
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.1.191.246/29
deactivate interfaces reth1
set interfaces reth2 description REDE-CLIENT
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 10.1.191.250/29
set protocols ospf area 0.0.0.0 interface reth2.0
set protocols ospf area 0.0.0.0 interface reth1.0 metric 40
set protocols ospf area 0.0.0.0 interface reth5.0 metric 50
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust host-inbound-traffic protocols ospf
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone untrust interfaces reth5.0
set security zones security-zone rede-client host-inbound-traffic system-services ping
set security zones security-zone rede-client host-inbound-traffic system-services traceroute
set security zones security-zone rede-client host-inbound-traffic protocols ospf
set security zones security-zone rede-client interfaces reth2.0
It's my first time configuring OSPF. My actual scenario is: the SRX650 will replace an Enterasys S8 Switch L3 with the same IP addresses on these interfaces, and when I made the change, the firewall learned all routes, but all traffic with a destination address behind router 2 or router 3 was forwarded by the SRX but did not come back, except when I applied a security NAT policy. With this policy all traffic works fine.
Sorry about my English, I'm learning it and use some Google Translate help!
Regards,
-Luiz Ricardo
02-02-2012 08:55 AM
Sirs, I think I know what the point is!
Look:
With the points that "kr" made, I think routers 2 and 3 received all routes but did not know how to get there, because I didn't propagate the direct routes connected to the SRX650. I think after I create a policy and propagate them, everything will work fine.
What do you think??
Thanks again!
-Luiz Ricardo
02-06-2012 11:06 AM
Yes, I wanted all of the directly connected (DMZ zones) on one of our SRX-650's, with one exception, to be advertised to our core routers. I did the following:
set policy-options policy-statement direct-to-OSPF term t1 from route-filter a.b.c.0/21 exact
set policy-options policy-statement direct-to-OSPF term t1 then reject
set policy-options policy-statement direct-to-OSPF term term1 from protocol direct
set policy-options policy-statement direct-to-OSPF term term1 then accept
along with
set protocols ospf export direct-to-OSPF
results in all the directly connected routes, except a.b.c.0/21, showing up in our core routers as OSPF E2 routes.
Hope this helps.
Richard
02-06-2012 12:10 PM - edited 02-09-2012 03:19 PM
luiz.guimaraes@ish.com.br wrote:
With the points that "kr" made, I think routers 2 and 3 received all routes but did not know how to get there, because I didn't propagate the direct routes connected to the SRX650. I think after I create a policy and propagate them, everything will work fine.
If you want your direct/connected routes from a router or the SRX650 to be advertised in OSPF, you can add the interfaces to your OSPF area. It's quite simple. You can specify them as type "passive" interfaces so that they do not send "hello" packets and will not accept neighbor adjacencies. This will advertise your direct/connected routes as OSPF Internal routes.
If you set up a redistribution rule for your direct/connected routes, then the routes will be advertised in OSPF as external (E2) routes, and will cause your router / SRX to behave as an ASBR.
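
The passive-interface approach from the last reply, as an added example that is not part of the original thread. The interface `reth3.0` and the zone name `dmz` are hypothetical placeholders for an SRX interface that carries a directly connected network but has no OSPF neighbor on it.

```junos
# Added example. reth3.0 and the zone "dmz" are hypothetical placeholders,
# not names taken from the configurations posted in this thread.

# Put the interface into area 0 as passive: its connected subnet is
# advertised as an OSPF internal route, but no hello packets are sent
# and no neighbor adjacency can form on that segment.
set protocols ospf area 0.0.0.0 interface reth3.0 passive

# The interface still has to be bound to a security zone.
# Note that "host-inbound-traffic protocols ospf" is deliberately NOT
# configured for this zone: a passive interface exchanges no OSPF
# packets, so the zone does not need to accept them.
set security zones security-zone dmz interfaces reth3.0
set security zones security-zone dmz host-inbound-traffic system-services ping

# After commit, check the result from configuration mode.
# The interface should be listed with no neighbors behind it:
run show ospf interface reth3.0 detail
run show ospf neighbor

# With the passive approach the subnet is carried in this router's own
# router LSA. With the export-policy approach shown earlier in the thread
# it appears as an external LSA instead:
run show ospf database router
run show ospf database external
```

Only the zones whose interfaces actually form adjacencies need `host-inbound-traffic protocols ospf`, which keeps the SRX from accepting OSPF packets on segments where no router is expected.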