On an interface that has multiple IP addresses configured, how to selectively advertise IP addresses via OSPF on the SRX?


Article ID: KB24565 KB Last Updated: 05 Jun 2012 Version: 1.0
Summary:
- There are multiple IP addresses configured on an interface.
- The goal is to advertise only one or more of those subnets via OSPF and not the others.
Symptoms:
- If that interface is configured under the "protocols ospf area" stanza, then all of its IP addresses are advertised, which is not the requirement.
- This article describes a method to advertise selected addresses from the same interface via OSPF.
Cause:
 
Solution:
- In this setup, two SRX devices have established an OSPF neighbor relationship over a VPN:


HQ# run show ospf neighbor 50.50.50.1
Address Interface State ID Pri Dead
50.50.50.1 st0.0 Full 50.50.50.1 128 34


Branch1# run show ospf neighbor
Address Interface State ID Pri Dead
50.50.50.10 st0.0 Full 50.50.50.10 128 31


- Let's look at the interface configuration on the Branch:

Branch1# show interfaces lo0
unit 0 {
    family inet {
        address 192.168.1.1/24;
        address 192.168.6.1/24; <<<<< This address should NOT be advertised via OSPF.
        address 172.16.10.5/16;
    }
}

- The goal is to block 192.168.6.1/24 from being advertised via OSPF from the Branch to the HQ.

- If the lo0 interface is defined under OSPF at the Branch location, all of its IP addresses will be advertised, so that approach cannot be used. Here is an example of what should NOT be done:


[edit]
root@D10_31-SRX650-Branch1# show protocols ospf | display set
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 50.50.50.10
set protocols ospf area 0.0.0.0 interface lo0.0 passive <<<<<<<<<<<< Notice the interface lo0 is defined under ospf.


- Take a look at the HQ site and notice that all three IP addresses defined on lo0 are being advertised.


HQ# run show route protocol ospf 192.168.6.0

inet.0: 38 destinations, 42 routes (38 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.6.0/24 *[OSPF/10] 00:00:03, metric 1 <<<<<<<<<<< The address is being advertised.
> to 50.50.50.1 via st0.0


HQ# run show route protocol ospf 192.168.1.0

inet.0: 38 destinations, 42 routes (38 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24 [OSPF/10] 00:00:08, metric 1
> to 50.50.50.1 via st0.0


HQ# run show route protocol ospf 172.16

inet.0: 38 destinations, 42 routes (38 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.0.0/16 *[OSPF/10] 00:00:17, metric 1
> to 50.50.50.1 via st0.0


Workaround:
===========


Step#1:
=======


- Delete the lo0 interface configuration from OSPF. This stops all three IP addresses from being advertised.

Branch1# show protocols ospf | display set
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 50.50.50.10

- Check the HQ site to see whether any route is still being received via OSPF from that specific neighbor.

HQ# run show route protocol ospf 192.168.6

inet.0: 33 destinations, 35 routes (33 active, 0 holddown, 0 hidden)

HQ# run show route protocol ospf 192.168.1

inet.0: 33 destinations, 35 routes (33 active, 0 holddown, 0 hidden)

HQ# run show route protocol ospf 172.16

inet.0: 33 destinations, 35 routes (33 active, 0 holddown, 0 hidden)


Step#2:
=======


- Create a policy that allows only the selected IP addresses that are supposed to be advertised.

Branch1# show policy-options policy-statement export-ospf | display set
set policy-options policy-statement export-ospf term allow from protocol direct
set policy-options policy-statement export-ospf term allow from route-filter 192.168.1.0/24 exact
set policy-options policy-statement export-ospf term allow from route-filter 172.16.0.0/16 orlonger
set policy-options policy-statement export-ospf term allow then accept


Notice that the default action of an OSPF export policy is "reject", so only the IP addresses matching the "from" criteria will be accepted.

- Now "export" this policy in OSPF as follows:

set protocols ospf export export-ospf

- The final OSPF configuration on the "Branch" looks like this:

Branch1# show protocols ospf | display set
set protocols ospf export export-ospf
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 50.50.50.10
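
The effect of the export-ospf policy on the three lo0 subnets can be checked offline before the change is committed. The following is an added example, not part of the original article and not Juniper code: a simplified Python model of route-filter matching (the longest covering filter is selected, then its match type is tested) that reads the policy and lo0 addresses shown above. The function names are hypothetical, and it assumes every candidate is a direct route and that unmatched routes hit the default reject.

```python
import ipaddress
import re

# Constructed input: the policy and lo0 addresses copied from this article.
POLICY = """\
set policy-options policy-statement export-ospf term allow from protocol direct
set policy-options policy-statement export-ospf term allow from route-filter 192.168.1.0/24 exact
set policy-options policy-statement export-ospf term allow from route-filter 172.16.0.0/16 orlonger
set policy-options policy-statement export-ospf term allow then accept
"""
LO0_ADDRESSES = ["192.168.1.1/24", "192.168.6.1/24", "172.16.10.5/16"]


def parse_route_filters(policy_text):
    """Return [(network, match_type)] for each 'route-filter' line."""
    pattern = re.compile(r"route-filter (\S+) (exact|orlonger|longer)\s*$")
    filters = []
    for line in policy_text.splitlines():
        m = pattern.search(line)
        if m:
            filters.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return filters


def term_accepts(route, filters):
    """Simplified model: pick the longest filter prefix covering the route,
    then apply only that filter's match type (no fallback to shorter ones)."""
    covering = [(net, kind) for net, kind in filters if route.subnet_of(net)]
    if not covering:
        return False  # no filter matches: falls through to default reject
    net, kind = max(covering, key=lambda f: f[0].prefixlen)
    if kind == "exact":
        return route.prefixlen == net.prefixlen
    if kind == "longer":
        return route.prefixlen > net.prefixlen
    return True  # orlonger: any covered prefix of equal or greater length


def advertised_prefixes(addresses, policy_text):
    """Map each connected (direct) subnet to True if the term accepts it."""
    filters = parse_route_filters(policy_text)
    result = {}
    for addr in addresses:
        # Assumption: the interface address yields a direct route for its subnet.
        route = ipaddress.ip_interface(addr).network
        result[str(route)] = term_accepts(route, filters)
    return result


if __name__ == "__main__":
    for prefix, ok in advertised_prefixes(LO0_ADDRESSES, POLICY).items():
        print(f"{prefix:18} {'accept (exported)' if ok else 'reject (default)'}")
```
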


Verification:
=============


- Let's verify the routes on the HQ site:


HQ# run show route protocol ospf 192.168.1

inet.0: 34 destinations, 37 routes (34 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24 [OSPF/150] 00:03:52, metric 0, tag 0
> to 50.50.50.1 via st0.0

HQ# run show route protocol ospf 172.16

inet.0: 34 destinations, 37 routes (34 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.0.0/16 *[OSPF/150] 00:04:00, metric 0, tag 0
> to 50.50.50.1 via st0.0

{primary:node0}[edit]
HQ# run show route protocol ospf 192.168.6

inet.0: 34 destinations, 37 routes (34 active, 0 holddown, 0 hidden) <<<< Notice the route for "192.168.6" is successfully excluded.
