SRX

Hi Experts

I just want to ask one question. I have site to site route based VPN with remot branch having overlapping IP subnet. I made the VPN and static NAT on both sides and it is working fine. I followed the http://kb.juniper.net/InfoCenter/index?page=content&id=TN68

My question is that if I run OSPF on the tunnel interface then using OSPF how can I advertise the VIP  subnet which I used for the static NAT. Becuase VIP subnet is not assigned to any where in SRX,

Thanks for the reply

Hi

Is there any one to take this?

Thanks

Usually there might be two approaches:

first: 

create static route pointing to null, eg:

set routing-options static route 10.0.0.0/8 discard

Once it's in routing table, then redistribute particular static route  into ospf process.

Second: 

Create loopback interface with VIP subnet

Hi Aigarz

Thats good idea. But since my HO was previously advertising this overlap subnet to other sites through OSPF and after the overlapping subnet remote site added, how can I avoid to send this overlapping subnet from HO to overlapping subnet site? Should I used separate VR and ospf instance for this overlap site?

Thanks

If you are using point to point tunnel interface for each tunnel, keep the overlaping subnet site tunnel interface in different ospf area 0.0.0.1 and restrict the overlapping subnet using route filter while advertising the LSA's throuth st0 over the tunnel. Along with this configure the VIPs on the loop back interface as Aigarz suggested.

edit]
regress@HO# show protocols
ospf {
area 0.0.0.0 {
interface lo0.0;
interface ge-0/0/0.0;   
interface st0.0;
}
area 0.0.0.1 {
network-summary-export ospf-export;
interface st0.1;
}
}

regress@HO# show policy-options
policy-statement ospf-export {
term t1 {
from {
route-filter 192.168.1.0/24 exact;  <overlapping subnet>
}
then reject;
}
term t2 {
then accept;
}
}

Thanks. It really helped !!