Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  announcement of ext DIP prefix in BGP

    Posted 06-16-2016 07:05

    Hi,

    I have an ISG2000 (6.3.0) with two L3 external interfaces, running BGP over both for redundancy. Outbound NAT is achieved by having both of these interfaces in a loopback-group, and then utilising a DIP range on the associated loopback interface. This works fine: BGP announces the loopback prefix over both links, and traffic is correctly NATed irrespective of path.

    However when I add a second DIP range on the loopback interface, I need to add it as an ext DIP since it's in a different subnet. My problem is that this new ext DIP prefix is not seen in the routing table, and thus not announced over BGP, and so return traffic does not flow.

    I tried adding a static route in the vr (so that could be redistributed into BGP), however loopback is not a selectable next-hop interface. The only option is null, and although this triggers the necessary BGP announcement, it obviously just blackholes all the (return) traffic.

    I also tried using a second loopback interface, but it appears the L3 interfaces can only be a member of a single loopback-group.


    Is there any way to force the ext DIP to appear in the routing table, so BGP can pick it up?

     

    thanks

    /Pete



  • 2.  RE: announcement of ext DIP prefix in BGP

     
    Posted 06-16-2016 08:06

    Hi,

    Perhaps you could configure the range as a secondary IP address on the loopback interface?

    Cheers,

    Ashvin



  • 3.  RE: announcement of ext DIP prefix in BGP

    Posted 06-16-2016 08:22

    Hi Ashvin,

     

    Thanks for the suggestion. I had thought of that too, but secondary IPs cannot be added to loopback interfaces unfortunately.

     

    /Pete



  • 4.  RE: announcement of ext DIP prefix in BGP

    Posted 06-16-2016 18:16

    Have you tried proxy ARP for the return traffic? Check if this helps.

     

    set interface <interface> proxy-arp-entry <ip_min> <ip_max>
    unset interface <interface> proxy-arp-entry <ip_min> <ip_max>

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB17881&smlogin=true&actp=search

     

    Thanks,

    VIkas



  • 5.  RE: announcement of ext DIP prefix in BGP
    Best Answer

    Posted 06-17-2016 14:23

    I believe you can do this using the manual prefix addition with the "no check" option.

     

    For the above command to work, you need to have one active route for this prefix in
    the local routing table. However, if you do not have any active route for the prefix
    to be advertised, use the following command:

    FW(untrust-vr)-> set protocol bgp
    FW(untrust-vr/bgp)-> set network 172.16.1.0/24 no-check

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB5940
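Added example (not part of the original thread or of Juniper's documentation): a small Python audit that compares DIP ranges against the prefixes announced in BGP and against local null routes, flagging the two failure modes described in this thread. All names and addresses are constructed sample values, and treating any overlapping null route as a blackhole is a simplifying assumption based on the behaviour reported in post 1.

```python
import ipaddress

def dip_networks(first, last):
    """Return the CIDR blocks that exactly span an inclusive DIP range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def audit_dip_ranges(dip_ranges, announced, null_routes):
    """Classify each DIP range as 'ok', 'not-announced' or 'blackholed'.

    dip_ranges:  {name: (first_ip, last_ip)} NAT pools on the firewall
    announced:   prefixes advertised to the BGP peers
    null_routes: local static routes whose next hop is the null interface
    """
    # Merge adjacent announcements so a pool spanning two of them still matches.
    announced = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in announced))
    null_routes = [ipaddress.ip_network(p) for p in null_routes]
    result = {}
    for name, (first, last) in dip_ranges.items():
        blocks = dip_networks(first, last)
        covered = all(any(b.subnet_of(a) for a in announced) for b in blocks)
        dropped = any(b.overlaps(n) for b in blocks for n in null_routes)
        if not covered:
            result[name] = "not-announced"   # peers have no return path
        elif dropped:
            result[name] = "blackholed"      # announced, but discarded locally
        else:
            result[name] = "ok"
    return result

# Constructed sample data (RFC 5737 documentation ranges).
SAMPLE_DIPS = {
    "loopback-dip": ("192.0.2.10", "192.0.2.20"),
    "ext-dip-missing": ("198.51.100.10", "198.51.100.20"),
    "ext-dip-null": ("203.0.113.10", "203.0.113.20"),
}
SAMPLE_ANNOUNCED = ["192.0.2.0/24", "203.0.113.0/24"]
SAMPLE_NULL_ROUTES = ["203.0.113.0/24"]

if __name__ == "__main__":
    report = audit_dip_ranges(SAMPLE_DIPS, SAMPLE_ANNOUNCED, SAMPLE_NULL_ROUTES)
    for name, status in report.items():
        print(f"{name}: {status}")
```
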



  • 6.  RE: announcement of ext DIP prefix in BGP

    Posted 06-18-2016 13:23

    Hi Steve,

     

    Perfect, that did the trick, thanks!

     

    /Pete