SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to circulate the prefix-list into many other SRX devices?

    Posted 02-06-2018 02:55

    Hello

    I use prefix-list in the FBF to forward the listed destinations toward the tunnel, like this:

    interfaces {
        vlan {
            unit 0 {
                family inet {
                    filter {
                        input FBF-ROUTE-MAP;
                    }
                    address 10.2.2.2/24;
                }
            }
        }
    }
    
    policy-options {
        prefix-list FBF-Prefixes {
            213.1.1.1/27;
            213.2.2.2/32;
            213.3.3.3/27;
        }
    }
    
    firewall {
        family inet {
            filter FBF-ROUTE-MAP {
                term 0 {
                    from {
                        destination-prefix-list {
                            FBF-Prefixes;
                        }
                    }
                    then {
                        routing-instance FBF-REDIRECT;
                    }
                }
                term 1 {
                    then {
                        accept;
                    }
                }
            }
        } 
    }
    routing-instances {
        FBF-REDIRECT {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop st0.0;
                }
            }
        }
    }
    

     

    I want to maintain the prefix-list on one device and distribute it to the other hundred devices. I tried to use BGP for that, however I do not understand how to build the local prefix-list from BGP.

     

    Here is BGP config I try to use for my goal:

    Source device:

    routing-options {
        router-id 10.1.1.1;
        autonomous-system 65500;
    }
    protocols {
        bgp {
            local-address 10.1.1.1;
            export BGP-LIST;
            group INTL {
                type internal;
                neighbor 10.2.2.2;
            }
        }
    }
    policy-options {
        prefix-list 65500-LIST {
            213.1.1.1/27;
            213.2.2.2/32;
            213.3.3.3/27;
        }
        policy-statement BGP-LIST {
            term 1 {
                from {
                    prefix-list 65500-LIST;
                }
                then accept;
            }
            term 2 {
                then reject;
            }
        }
    }
    

    Neighbor device:

    routing-options {
        router-id 10.2.2.2;
        autonomous-system 65500;
    }
    protocols {
        bgp {
            group INTL {
                local-address 10.2.2.2;
                type internal;
                neighbor 10.1.1.1;
            }
        }
    }

    How to check if BGP is working and "export BGP-LIST" is working?

    How to check if the prefix-list is received on the neighbor device 10.2.2.2?

    How to use (apply) the received prefix-list in the FBF on neighbor device 10.2.2.2 ?

     

    Maybe BGP is the wrong way to achieve my goal altogether?

     

    Thank you in advance, 

    Dmitry

     



  • 2.  RE: How to circulate the prefix-list into many other SRX devices?

    Posted 02-06-2018 03:13

    I am not sure I understand your goal.

     

    I think you are trying to use FBF to create the routes for distribution in BGP.

    This is more typically done by having the static routes on the edge device facing the subnets and then using BGP to distribute them.

    Or better to have the connected device with those active subnets do the initial injection into BGP.

    If this is an aggregation point then you might use a generate or aggregate route to create the larger prefix.

     

    FBF is typically used to sort traffic by some source or port criteria to send some one direction while the main path is in another.

     

    To check your BGP setup you would use these commands

     

    See what is being advertised to a neighbor IP address:

    show route advertising-protocol bgp 1.1.1.1

     

    See what is being received from a neighbor IP address:

    show route receive-protocol bgp 2.2.2.2

     

    See what is in the FBF routing instance:

    show route table FBF-REDIRECT.inet.0

     



  • 3.  RE: How to circulate the prefix-list into many other SRX devices?

    Posted 02-06-2018 03:55

    Hi Steve,

     

    Thank you for the reply. I will try to explain what I have and what I want.

    There are about 100 remote offices with SRX devices. Each device forwards all traffic from the LAN toward the tunnel (actually 2 tunnels, primary and backup) to the hub. Also, traffic to some destinations must be routed via the local ISP instead of the tunnels. Until now this exception was a small list of prefixes. But now I have to implement a huge prefix-list on each SRX and make changes 1-2 times monthly on each SRX. There is a high risk of making mistakes and this is just not efficient.

    Hence I want to make changes on just one device and distribute them to all other devices automatically. Why I think of distributing the prefix-list: because each device has a different next-hop to its own ISP, and a prefix-list is a good method to make exceptions in FBF.

     

    Is BGP a suitable method to distribute the prefix-list?

    Thanks

     

    Addendum:

    show route advertising-protocol bgp <ip>

    shows nothing.



  • 4.  RE: How to circulate the prefix-list into many other SRX devices?

    Posted 02-06-2018 08:06

    Hi,

    To advertise routes using BGP, the exact routes listed in your prefix-list must exist in the local routing table. To test this functionality, you may add a dummy route with a next-hop of reject.

    e.g.:

    set routing-options static route 213.1.1.0/27 reject

     

    Modify your prefix-list to match the exact subnets (for host routes use /32):

    policy-options {
        prefix-list 65500-LIST {
            213.1.1.0/27;
            213.2.2.2/32;
            213.3.3.0/27;
        }
    }

     

    Check that the route exists in the local routing table, then check the BGP advertised routes:

    show route 213.1.1.0/27

    show route advertising-protocol bgp <peer ip>

     


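The step above (every prefix-list entry as an exact network address, and a matching static reject route so the prefix exists in inet.0 for the export policy to pick up) is easy to get wrong by hand on a list that changes monthly. The following script is an added example, not code from this thread or from Juniper: it normalises a centrally maintained list, warns about host bits and redundant entries, and emits the Junos `set`/`delete` commands for the hub (source) device. The list name 65500-LIST and the 213.x.x.x entries are taken from the thread; the 198.51.100.0/24 entry is constructed, and the script assumes IPv4 only.

```python
#!/usr/bin/env python3
"""Build the Junos configuration for a centrally maintained local-breakout
prefix-list, the way the thread's hub device needs it: every entry as an
exact network address, plus a static reject route per entry so the prefix
exists in inet.0 and the BGP export policy can advertise it.

Added example, not code from the thread. The list name 65500-LIST and the
213.x.x.x entries come from the thread; 198.51.100.0/24 is constructed.
IPv4 only.
"""
import ipaddress
from typing import Iterable


def normalize_prefix(entry: str) -> tuple[str, bool]:
    """Return (network/len, had_host_bits).

    Junos matches a prefix-list entry and a static route on the exact
    network address, so 213.1.1.1/27 has to become 213.1.1.0/27 (the
    mistake that kept the thread's first BGP export empty).
    """
    entry = entry.strip()
    net = ipaddress.ip_network(entry, strict=False)
    if net.version != 4:
        raise ValueError(f"IPv4 only in this example: {entry}")
    if net.prefixlen == 0:
        # A reject static for 0.0.0.0/0 would compete with the real default
        # route; the exception list must never contain it.
        raise ValueError("refusing 0.0.0.0/0 in the exception list")
    had_host_bits = str(net.network_address) != entry.split("/")[0]
    return str(net), had_host_bits


def _sort_key(prefix: str) -> tuple[int, int]:
    net = ipaddress.ip_network(prefix)
    return int(net.network_address), net.prefixlen


def build_prefix_set(entries: Iterable[str]) -> tuple[list[str], list[str]]:
    """Normalise, de-duplicate and sort the central list; return (prefixes, warnings)."""
    prefixes: set[str] = set()
    warnings: list[str] = []
    for raw in entries:
        raw = raw.split("#", 1)[0].strip()  # allow trailing comments in the source file
        if not raw:
            continue
        text, fixed = normalize_prefix(raw)
        if fixed:
            warnings.append(f"{raw} has host bits set; using {text}")
        prefixes.add(text)
    ordered = sorted(prefixes, key=_sort_key)
    nets = [ipaddress.ip_network(p) for p in ordered]
    for net in nets:
        # A more specific entry inside another entry is redundant for the
        # FBF filter; flag it so the central list stays readable.
        if any(other != net and net.subnet_of(other) for other in nets):
            warnings.append(f"{net} is already covered by a wider entry")
    return ordered, warnings


def junos_commands(list_name: str, prefixes: Iterable[str], verb: str = "set") -> list[str]:
    """Per prefix: the prefix-list entry (used by the FBF filter and the BGP
    export policy) and the static reject route that makes the prefix exist in
    inet.0 for BGP to advertise. 'delete' removes the whole static route, not
    just its reject next-hop, so the commit stays valid."""
    cmds: list[str] = []
    for prefix in prefixes:
        cmds.append(f"{verb} policy-options prefix-list {list_name} {prefix}")
        if verb == "set":
            cmds.append(f"set routing-options static route {prefix} reject")
        else:
            cmds.append(f"delete routing-options static route {prefix}")
    return cmds


def update_commands(list_name: str, deployed: Iterable[str], desired: Iterable[str]) -> list[str]:
    """Monthly change set: delete stale prefixes, add new ones, touch nothing else."""
    old, new = set(deployed), set(desired)
    cmds = junos_commands(list_name, sorted(old - new, key=_sort_key), "delete")
    cmds += junos_commands(list_name, sorted(new - old, key=_sort_key), "set")
    return cmds


if __name__ == "__main__":
    CENTRAL_LIST = ["213.1.1.1/27", "213.2.2.2/32", "213.3.3.3/27"]  # entries from the thread
    prefixes, warnings = build_prefix_set(CENTRAL_LIST)
    for w in warnings:
        print("WARNING:", w)
    print("\n".join(junos_commands("65500-LIST", prefixes)))
    # Next month's edit: drop 213.3.3.0/27, add the constructed 198.51.100.0/24.
    print("\n".join(update_commands("65500-LIST", prefixes,
                                    ["213.1.1.0/27", "213.2.2.2/32", "198.51.100.0/24"])))
```

The generated lines are meant for the hub only: it is the device that needs the reject statics so the prefixes are in inet.0 for the export policy, while the spokes receive them over BGP as the thread goes on to describe. Loading the output with `load set` and committing with `commit confirmed` keeps a typo in the central list from cutting the hub off for longer than the confirm timer.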

  • 5.  RE: How to circulate the prefix-list into many other SRX devices?

    Posted 02-06-2018 08:54

    Hi Nellikka,

     

    Thanks, it is working! The key words are: the exact routes listed in your prefix-list must exist in the local routing table. I missed this...

    Can I use a dummy routing instance of instance-type virtual-router (for example VR-BGP)? I guess inside VR-BGP I should define the BGP protocol, AS, router-id and policy-options? Will it work?



  • 6.  RE: How to circulate the prefix-list into many other SRX devices?

    Posted 02-06-2018 09:29

    Yes, it works. Policy-options are defined globally and you can then refer to them in routing-instances.



  • 7.  RE: How to circulate the prefix-list into many other SRX devices?

    Posted 02-06-2018 09:43

    You may create a separate instance for the prefix-list (i.e. VR-BGP), however you need to export/import the prefixes between inet.0 and VR-BGP.inet.0 for reachability. How you achieve that depends on the topology and packet flow.



  • 8.  RE: How to circulate the prefix-list into many other SRX devices?

    Posted 02-07-2018 00:06

    Ok, thanks for your help!

    Now the target device is able to receive prefixes from the source device. The received prefixes are now in the inet.0 table.
    How to "transform" these received routes into a prefix-list in order to use it in the filter?



  • 9.  RE: How to circulate the prefix-list into many other SRX devices?
    Best Answer

    Posted 02-07-2018 00:38

    You might want to use a similar export policy, which will aggregate your prefixes while exporting to any routing protocol.

    Since it is using orlonger, you may not need to add the statement there again and again, as it covers everything from /8 up to /32.

    [edit policy-options policy-statement test]
    root# show
    from {
        route-filter 1.1.1.0/8 orlonger;
    }
    then accept;

     



  • 10.  RE: How to circulate the prefix-list into many other SRX devices?

    Posted 02-07-2018 03:46

    I've made export policy:

        policy-statement TEST {
            term 0 {
                from {
                    route-filter 10.0.0.0/8 exact; # <= to exclude 
                }
                then reject;
            }
            term 1 {
                from {
                    route-filter 0.0.0.0/0 orlonger;
                    protocol static;
                }
                then accept;
            }
        }
    

    and all needed routes are now exported to the neighbor.

    Next, on the neighbor I have to use these routes as match criteria in the firewall filter. Do you have an idea how to do that?

    At the moment I use a named prefix-list as the match criteria:

            filter TEST {
                term To-Local-break-out {
                    from {
                        destination-prefix-list {
                            Prefix-TEST;
                        }
                    }
                    then accept;
                }
                term Rest-to-Tunnel {
                    from {
                        destination-address {
                            0.0.0.0/0;
                        }
                    }
                    then {
                        routing-instance REDIRECT-TO-HUB;
                    }
                }
            }
    

     

    Update:

     

    Finally I've managed this. A slightly amended filter is now working properly.

     

    A couple of questions, because it is my first time with BGP:

     

    1) The BGP speaker will send about 200 prefixes to 100 neighbors. Is that a hard task for an SRX210, or is it acceptable?

     

    2) How to be sure that the destination device will select the right next-hop for the received BGP routes?
    Now I use a trick: in the export policy I change the next-hop to the non-existent address 1.1.1.1.
    In this case the device selects the next-hop from 0/0 in inet.0.
    However, I am not sure that this trick is correct. Is there a proper method to do that instead of using the fake address 1.1.1.1?

     

    Thank you