Screen OS

Hi guys,

I've got question regarding how to reject default route from being advertise to BGP.

I've configured access list and route map but if I issue command get route, I still can see the default route being advertise to the neighbor:

IPv4 Dest-Routes for <trust-vr> (82 entries)
--------------------------------------------------------------------------------
------
ID IP-Prefix Interface Gateway P Pref Mtr
Vsys
--------------------------------------------------------------------------------
------
* 12 0.0.0.0/0 serial1/0 202.146.x.x S 20 1
Root
906 0.0.0.0/0 serial1/1 10.185.117.25 eB 40 0
Root
14 0.0.0.0/0 serial3/0 202.75.x.x S 20 1
Root

Does anyone knows how to solve this problem?

TQ

Hi,

You can enter the BGP context and enter the following command:

unset [ ipv4 | ipv6 ] advertise-def-route

still can't..

here is my config

--------------------------------------------------------------------------------------------------------

CBC_HQ_NERA-> get vrouter trust-vr prot bgp config
set protocol bgp 65084
set enable
set neighbor 10.185.117.25 remote-as 9534
set neighbor 10.185.117.25 enable
set ipv4 reject-default-route
set ipv4 neighbor 10.185.117.25 activate
set ipv4 neighbor 10.185.117.25 reject-default-route
set ipv4 neighbor 10.185.117.25 route-map "test" in
exit
set protocol bgp
set redistribute route-map "test" protocol connected
exit
set interface serial1/1 protocol bgp

---------------------------------------------------------------------------------------------------------

is there anything wrong with my config?

Hi,

I would temporarly remove set ipv4 neighbor 10.185.117.25 route-map "test" in to be sure that the route-map  does not override the reject rule.

Do you use the same route map for the advertised and incoming routes?

Hi,

Could it be possible that you configured the 'reject default route' option after the BGP neighbourship was already established and def route was on the device.

If so, could you please try reseting the BGP neighborship so that BGP Rib-in is refreshed.

Or else, could you please share the Rib-in table from the device

get vr trust proto bgp rib-in

And the brief topology.

Hi Edouard,

I did try as per your mentioned but still nothing happened, and I do not use any route map for incoming routes.

Hi Sarab,

Basically I have one incoming internet link, one BGP (MPLS link) and LAN connection to my office.

LAN segment needs to able to access internet and MPLS at the same time.

Right now everything is fine except for the default route which I don't want to advertise it to the BGP.

Could it be possible that you configured the 'reject default route' option after the BGP neighbourship was already established and def route was on the device. 

YES.

If so, could you please try reseting the BGP neighborship so that BGP Rib-in is refreshed.

I tried but when I show route, the default route still there.

Attached file is for your reference.

TQ. 

Attachment(s)

get route.txt   5 KB 1 version

Hello.

the output is of the BGP Rib-in table.  It would list all prefixes learned via BGP neighbor, 10.185.117.25.

does this default route also make it to the main routing table (get route) ?  I think that would be the bigger question.

Regards,

Sam

Hi Sam,

Thanks for your inputs on this !

With this Reject def route config in place, the default shouldn’t even make it to Rib-in. However here if we look at the very first update in the thread this is making it to routing table.Though it is inactive because of other lower metric static defaulte route.

I am short of ideas on this now, could you think of any possibe reasons for this.

Ian :

Could you pls let me know the Screen OS version that u r running ?

version 6.2.0r4.0..

Guys,

I found the info in this website https://www.corelan.be/index.php/2009/04/19/juniper-screenos-default-route-manipulations-and-redistributions/

It's been said that, "In fact, in some/most routers, 0.0.0.0/0 refers to “all networks”, while “default-route” or “default” refer to the default route only. It depends on the router OS and configuration area where you are using the statement.  For example : 0.0.0.0/0 in a static route refers to the default route, where 0.0.0.0/0 in a route-map refers to all networks, either containing or not containing the default route. It’s fundamentally important to find out how your OS version behaves.  Based on that knowledge, you can start manipulating and redistributing the default route."

So, what do you think?

I had tried similar thing once and I remember 'Reject default route' blocked it too.

I'll see if I get some time tomoro will test it and update you.

I did the test with following topology

FW1 ---- EBGP --- FW2  ------ EBGP -- FW3

I redistributed a default route in FW1 instead of the command "advertise default route".

Even then as I had mentioned in my earlier update FW3 blocked this default route when I configured 'reject def route' command. ( Output for FW1 and FW3 attached.

I would suggest open a case with JTAC for further troubleshooting as to why this default route is propagated to routing table.

Regards

Sarab

Attachment(s)

BGP Test.zip   1 KB 1 version

It's working now.. I just simply add set reject default route and suddenly it works.

weird huh!

Anyways, thanks guys for your effort.