
[SRX] How to advertise selective IP via OSPF on an interface with multiple IP addresses


Article ID: KB24565  KB Last Updated: 29 Sep 2020  Version: 2.0
Summary:

There are multiple IP addresses configured on an interface. The goal is to advertise only one or more of those subnets via OSPF, and not the others.

This article describes a method for advertising selected addresses from the same interface via OSPF.

Symptoms:

If the interface is configured under the "protocols ospf area" stanza, then all of its IP addresses are advertised, which does not meet the requirement.

Solution:

In this setup, two SRX devices have established an OSPF neighbor relationship over a VPN:

 HQ# run show ospf neighbor 50.50.50.1
Address          Interface              State     ID               Pri  Dead
50.50.50.1       st0.0                  Full      50.50.50.1       128    34

 Branch1# run show ospf neighbor
Address          Interface              State     ID               Pri  Dead
50.50.50.10      st0.0                  Full      50.50.50.10      128    31

Interface configuration on the Branch:

 Branch1# show interfaces lo0
unit 0 {
  family inet {
   address 192.168.1.1/24;
   address 192.168.6.1/24;   <-- This address should NOT be advertised via OSPF.
   address 172.16.10.5/16;
  }
}

The goal is to block 192.168.6.1/24 from being advertised via OSPF from the Branch to the HQ.

If the lo0 interface is defined under OSPF at the Branch location, then all of its IP addresses are advertised, which is not what we want. Here is an example of what should NOT be done:

 [edit]
root@D10_31-SRX650-Branch1# show protocols ospf | display set
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 50.50.50.10
set protocols ospf area 0.0.0.0 interface lo0.0 passive  <-- Notice the interface lo0 is defined under ospf.

Notice at the HQ site that all three IP addresses defined on lo0 are being advertised.

 HQ# run show route protocol ospf 192.168.6.0    

 inet.0: 38 destinations, 42 routes (38 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

 192.168.6.0/24     *[OSPF/10] 00:00:03, metric 1  <-- The address is being advertised.
      > to 50.50.50.1 via st0.0

 HQ# run show route protocol ospf 192.168.1.0    

 inet.0: 38 destinations, 42 routes (38 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

 192.168.1.0/24      [OSPF/10] 00:00:08, metric 1
       > to 50.50.50.1 via st0.0

 HQ# run show route protocol ospf 172.16         

 inet.0: 38 destinations, 42 routes (38 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

 172.16.0.0/16      *[OSPF/10] 00:00:17, metric 1
      > to 50.50.50.1 via st0.0

Workaround:

  1. Delete the lo0 interface from the OSPF configuration. This stops all three IP addresses from being advertised.

    Branch1# show protocols ospf | display set
    set protocols ospf area 0.0.0.0 interface st0.0 neighbor 50.50.50.10

  2. Check the HQ site to see whether any route is still being received via OSPF from that specific neighbor.

    HQ# run show route protocol ospf 192.168.6
    inet.0: 33 destinations, 35 routes (33 active, 0 holddown, 0 hidden)
    HQ# run show route protocol ospf 192.168.1
    inet.0: 33 destinations, 35 routes (33 active, 0 holddown, 0 hidden)
    HQ# run show route protocol ospf 172.16
    inet.0: 33 destinations, 35 routes (33 active, 0 holddown, 0 hidden)

  3. Create a policy that allows only the IP addresses that are supposed to be advertised.

    Branch1# show policy-options policy-statement export-ospf | display set
    set policy-options policy-statement export-ospf term allow from protocol direct
    set policy-options policy-statement export-ospf term allow from route-filter 192.168.1.0/24 exact
    set policy-options policy-statement export-ospf term allow from route-filter 172.16.0.0/16 orlonger
    set policy-options policy-statement export-ospf term allow then accept

    Notice that the default action is "reject", so only the IP addresses matching the "from" criteria are accepted.

  4. Now export this policy in OSPF as follows:

    set protocols ospf export export-ospf

  5. The final OSPF configuration on the Branch looks like this:

    Branch1# show protocols ospf | display set
    set protocols ospf export export-ospf
    set protocols ospf area 0.0.0.0 interface st0.0 neighbor 50.50.50.10
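
As an added example (not part of the original article and not Juniper code), the Python below models the `allow` term of `export-ospf` to check, before committing, which direct routes the policy would advertise and whether a prefix that must stay private would leak. The function names and the extra 172.16.20.0/24 subnet are assumptions made for illustration; only the `exact` and `orlonger` match types used in the article are modelled.

```python
import ipaddress

# Direct routes created by the lo0 addresses in the article, plus one constructed
# subnet (172.16.20.0/24, not from the article) to show what "orlonger" admits.
DIRECT_ROUTES = ["192.168.1.0/24", "192.168.6.0/24", "172.16.0.0/16", "172.16.20.0/24"]

# route-filter entries of term "allow" in export-ospf, as (prefix, match type).
ROUTE_FILTERS = [("192.168.1.0/24", "exact"), ("172.16.0.0/16", "orlonger")]


def filter_matches(route, prefix, match_type):
    """Return True if the route matches one route-filter entry."""
    route = ipaddress.ip_network(route)
    prefix = ipaddress.ip_network(prefix)
    if match_type == "exact":
        return route == prefix
    if match_type == "orlonger":
        # The same prefix, or any more specific prefix inside it.
        return route.subnet_of(prefix)
    raise ValueError(f"unsupported match type: {match_type}")


def evaluate_export(routes, filters):
    """Split direct routes into (advertised, rejected) for the single accept term."""
    advertised, rejected = [], []
    for route in routes:
        # Junos picks the longest-matching route-filter in a term; the filter
        # prefixes here do not overlap, so testing each entry is equivalent.
        if any(filter_matches(route, p, m) for p, m in filters):
            advertised.append(route)
        else:
            # No term accepted the route, so it falls through to the default reject.
            rejected.append(route)
    return advertised, rejected


def audit(routes, filters, must_not_advertise):
    """Return the prefixes in must_not_advertise that the policy would leak."""
    advertised, _ = evaluate_export(routes, filters)
    return [r for r in advertised if r in must_not_advertise]


if __name__ == "__main__":
    adv, rej = evaluate_export(DIRECT_ROUTES, ROUTE_FILTERS)
    print("advertised:", adv)
    print("rejected:  ", rej)
    print("leaks:     ", audit(DIRECT_ROUTES, ROUTE_FILTERS, {"192.168.6.0/24"}))
```

With the constructed 172.16.20.0/24 present, `orlonger` advertises it as well; use `exact` on 172.16.0.0/16 if only that prefix should leave the Branch.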

Verification:

Verify the routes on the HQ site:

 HQ# run show route protocol ospf 192.168.1    

 inet.0: 34 destinations, 37 routes (34 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

 192.168.1.0/24      [OSPF/150] 00:03:52, metric 0, tag 0
      > to 50.50.50.1 via st0.0

 HQ# run show route protocol ospf 172.16       

 inet.0: 34 destinations, 37 routes (34 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

 172.16.0.0/16      *[OSPF/150] 00:04:00, metric 0, tag 0
      > to 50.50.50.1 via st0.0

 {primary:node0}[edit]
HQ# run show route protocol ospf 192.168.6    

 inet.0: 34 destinations, 37 routes (34 active, 0 holddown, 0 hidden)   <-- Notice the route for "192.168.6" is successfully excluded.
Modification History:
2020-09-26: Article verified for accuracy. Article is valid and accurate.