
How-To: Configure conditional route advertising on SRX Series devices

Posted on 01-07-2016 12:58 PM; edited on 09-22-2017 03:38 PM by Administrator

Configuring Conditional Route Advertising on SRX Series Devices

 

Conditional route advertising lets a network engineer attach criteria to route advertisements, so that a route is installed in the routing table or advertised to peers only when a stated condition holds (see the Junos OS routing policy documentation for the full feature description). The following example shows how to configure conditional route advertisement on an SRX Series device.

[Figure: conditional_route_advertisement (topology diagram; image not available in this copy)]

In this example, the SRX Series device must advertise the route 1.1.1.0/24 to AS1111 only if the route 192.168.1.0/24, learned from the IBGP neighbor, exists on the SRX Series device. Additionally, the SRX Series device uses static NAT to map 1.1.1.1 to 192.168.1.1 so that a web application is reachable publicly. The basic configuration for interfaces, zones, and BGP is as follows:

 

interfaces {
    ge-0/0/4 {
        description Untrust;
        unit 0 {
            family inet {
                address 200.200.200.2/30;
            }
        }                               
    }
    ge-0/0/8 {
        description Trust;
        unit 0 {
            family inet {
                address 172.16.0.1/24;
            }
        }
    }
}
protocols {
    bgp {
        group partner {
            export conditional_route;
            peer-as 1111;
            neighbor 200.200.200.1;
        }
        group wan {
            peer-as 65100;
            neighbor 172.16.0.2;
        }
    }
}
routing-options {
    autonomous-system 65100;
}   
security {             
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/4.0 {
                    host-inbound-traffic {
                        protocols {
                            bgp;
                        }
                    }
                }
            }
        }
        security-zone trust {                 
            interfaces {
                ge-0/0/8.0 {
                    host-inbound-traffic {
                        protocols {
                            bgp;
                        }
                    }
                }
            }
        }
    }
}

 

The export policy conditional_route is as follows:

 

policy-options {
    policy-statement conditional_route {
        term 1 {
            from {
                route-filter 1.1.1.0/24 exact;
                condition check_route;
            }
            then accept;
        }
        then reject;
    }
}

 

The SRX Series device advertises 1.1.1.0/24 based on the condition labeled check_route, shown as follows:

 

policy-options {
    condition check_route {                    
        if-route-exists {
            192.168.1.0/24;
            table inet.0;
        }
    }
}

 

The prefix 1.1.1.0/24 must exist in the routing table before the export policy can match it. A static discard route installs it without forwarding anything:

 

routing-options {
    static {
        route 1.1.1.0/24 discard;
    }
}   

 

The condition checks whether the route 192.168.1.0/24 is present in table inet.0; while it is present, the condition is true and 1.1.1.0/24 is advertised to the EBGP peer:

 

root@SRX-1> show route protocol bgp 192.168.1.0/24

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[BGP/170] 11w1d 04:31:28, MED 1376000, localpref 100
                      AS path: ?
                    > to 172.16.0.2 via ge-0/0/8.0

root@SRX-1> show route advertising-protocol bgp 200.200.200.1 

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
  Prefix		  Nexthop	       MED     Lclpref    AS path
* 1.1.1.0/24              Self                                    I

 

If the device stops receiving the 192.168.1.0/24 route for whatever reason, then the advertised route to AS1111 disappears:

 

root@SRX-1> edit 
Entering configuration mode

[edit]
root@SRX-1# set interfaces ge-0/0/8 disable 

[edit]
root@SRX-1# commit     
configuration check succeeds
commit complete

[edit]
root@SRX-1# exit 
Exiting configuration mode

root@SRX-1> show route protocol bgp 192.168.1.0/24

root@SRX-1> show route advertising-protocol bgp 200.200.200.1 

When you roll back the configuration, the route reappears:

root@SRX-1> edit 
Entering configuration mode

[edit]
root@SRX-1# rollback 1
load complete

[edit]
root@SRX-1# commit     
configuration check succeeds
commit complete

[edit]
root@SRX-1# exit 
Exiting configuration mode

root@SRX-1> show route protocol bgp 192.168.1.0/24

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[BGP/170] 11w1d 04:31:28, MED 1376000, localpref 100
                      AS path: ?
                    > to 172.16.0.2 via ge-0/0/8.0

root@SRX-1> show route advertising-protocol bgp 200.200.200.1 

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
  Prefix		  Nexthop	       MED     Lclpref    AS path
* 1.1.1.0/24              Self                                    I

 

To configure the NAT and policies, enter the following:

 

security {
    nat {
        static {
            rule-set untrust {
                from zone untrust;
                rule app {
                    match {
                        destination-address 1.1.1.1/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.1/32;
                            }
                        }
                    }
                }
            }                           
        }
        proxy-arp {
            interface ge-0/0/4.0 {
                address {
                    1.1.1.1/32;
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy allow-app {
                match {
                    source-address any;
                    destination-address server-192.168.1.1/32;
                    application any;
                }
                then {
                    permit;
                }
            }                           
        }
    }                                   
    zones {
        security-zone trust {
            address-book {
                /* corrected: the object must carry the post-NAT server address 192.168.1.1, which the policy above matches */
                address server-192.168.1.1/32 192.168.1.1/32;
            }                           
        }
    }
}

 

On a typical Junos OS router, a discard route for 1.1.1.0/24 would drop all traffic destined to that network, so why does the NAT still work on the SRX? The key point is the stage at which flow-based Junos OS performs the route lookup for a new session:

 

[Figure: session (SRX flow-based first-packet processing order; image not available in this copy)]

 

The route lookup is performed after static NAT is applied. In this case, the SRX Series device first translates the destination address to 192.168.1.1 and only then performs the route lookup. Because of this sequence, the packet matches the IBGP-learned 192.168.1.0/24 route rather than the discard route, and the SRX Series device forwards it successfully. Traffic to other addresses in 1.1.1.0/24 that have no static NAT rule still hits the discard route and is dropped.
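To make the two decisions described in this article concrete, here is a small added model of the conditional export policy and of the SRX first-packet order (static NAT before route lookup); it is illustration code written for this page, not Juniper code and not from the original article. It assumes a dictionary standing in for inet.0, the addresses from the example, and hypothetical helper names.

```python
# Added example (not Juniper code): models policy-statement conditional_route,
# condition check_route, and the SRX flow order for a new session from untrust.
# The routing table below is constructed from the article's example addresses.
import ipaddress


def lookup(table, dst):
    """Longest-prefix match over {prefix: next_hop}; returns None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def route_exists(table, prefix):
    """Models 'condition check_route { if-route-exists <prefix> table inet.0 }'."""
    return prefix in table


def export_conditional_route(table, candidate):
    """Term 1 accepts 1.1.1.0/24 only while 192.168.1.0/24 is in inet.0;
    everything else falls through to the final 'then reject'."""
    if candidate == "1.1.1.0/24" and route_exists(table, "192.168.1.0/24"):
        return "accept"
    return "reject"


def advertised_to_as1111(table):
    """Prefixes of inet.0 that the export policy passes to peer 200.200.200.1."""
    return sorted(p for p in table if export_conditional_route(table, p) == "accept")


STATIC_NAT = {"1.1.1.1": "192.168.1.1"}  # rule app: 1.1.1.1/32 -> 192.168.1.1/32


def first_packet(table, dst, nat=STATIC_NAT):
    """SRX first-packet order: translate the destination with static NAT first,
    then look up the translated address. Untranslated 1.1.1.x hits the discard."""
    translated = nat.get(dst, dst)
    next_hop = lookup(table, translated)
    if next_hop is None:
        return "no route"
    if next_hop == "discard":
        return "discarded"
    return f"forward {translated} via {next_hop}"


# Constructed inet.0: the static discard route plus the IBGP-learned prefix.
INET0 = {"1.1.1.0/24": "discard", "192.168.1.0/24": "172.16.0.2 (ge-0/0/8.0)",
         "172.16.0.0/24": "ge-0/0/8.0", "200.200.200.0/30": "ge-0/0/4.0"}
```

Removing the 192.168.1.0/24 entry from INET0 both withdraws 1.1.1.0/24 from the export result and leaves the translated packet without a route, which is exactly the behaviour the disable/rollback test above shows.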

Comments
Jan 10, 2016
Distinguished Expert

Brilliant article! So when AS1111 sends traffic to the SRX, it would still be delivered because it will be static NATted to 192.x.x.x, so the discard would not matter in this case!! Brilliant!!