Quick Series 30 – Advertising specific OSPF address when intf has multiple secondaries – Juniper


Hi,

Below is the configuration of an interface that has multiple addresses. How would you make sure that only 9.9.12.2/24 is advertised?

————————

labroot@R# show interfaces lt-7/0/0.21
encapsulation ethernet;
peer-unit 12;
family inet {
    address 9.9.12.2/24;
    address 9.9.112.2/24;
    address 9.9.212.2/24;
}

————————–

We can specify an individual address after the 'interface' knob in OSPF, just like in IOS. See the reference below.

Normal Definition

labroot@R:r2# show protocols ospf
area 0.0.0.0 {
    interface lt-7/0/0.21;
}

————————–

This is how an address can be specified instead

area 0.0.0.0 {
    interface 9.9.12.2;    /* address instead of the interface name */
}

[edit]
labroot@R:r2# run show ospf neighbor
Address          Interface              State     ID               Pri  Dead
9.9.12.1         lt-7/0/0.21            Full      9.9.1.1          128    37

 

——————————

 

Regards

Rakesh M

 

BGP FLOWSPEC – ALLOWING TELNET AND BLOCKING ICMP VIA BGP ?


Hi,

Juniper's BGP implementation has an address family called flow. Interestingly, Juniper implemented this (or at least documented it) well before the BGP FlowSpec RFC was standardized. The crux of the topic is DDoS mitigation.

Two main perspectives – proactive and reactive (from the service provider perspective)

a. The customer informs the SP of the DDoS automatically through routing updates

b. The customer informs the SP of the DDoS, and the service provider then acts on it on their own

Juniper Documentation:

http://www.juniper.net/documentation/en_US/junos15.1/topics/example/routing-bgp-flow-specification-routes.html

Coming to the sample topology – interdomain DDoS mitigation example

[Image: Topology]

Requirement / ask – The customer finds that 3.3.3.3/32 is taking a massive ICMP hit and wants to block it temporarily, while other services such as telnet should remain operative and functional.

Let's quickly look at the current state of operations with everything at its defaults.

BGP between R1 and R2, and between R2 and R3, looks fine; ping and telnet both work, so no problems there.

[Image: 1_vmx_bgp]

Enabling family flow between SP routers R1 and R2, and on the PE-CE session between R2 and R3

[Image: 2_bgp_flow]

Enabling flow on the customer router under routing-options

[Image: 3_routing_options]

Advertising the route

[Image: 4_advertising_routes]
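
The three steps above, written out as Junos configuration. This is an added example, not the author's configuration from the screenshots; the flow route name, the BGP group name and the assignment of R3 as the customer router are assumptions.

```junos
/* Added example. Group names and the flow route name are assumptions. */

/* R3 (customer router): originate the flow route for the attacked host. */
routing-options {
    flow {
        route block-icmp {
            match {
                destination 3.3.3.3/32;
                protocol icmp;    /* IP protocol 1; telnet (TCP/23) does not match */
            }
            then discard;
        }
    }
}

/* R3: carry flow routes on the BGP session to R2. */
protocols {
    bgp {
        group to-r2 {
            family inet {
                unicast;    /* list explicitly: configuring any family removes the implicit inet unicast */
                flow;       /* default flow-route validation stays on (no no-validate) */
            }
        }
    }
}

/* R1 and R2 (SP): add the same "family inet" stanza to the groups for the
   R1-R2 and R2-R3 sessions. */

/* Verification on the SP routers (operational mode):
     show route table inetflow.0 extensive
     show firewall filter __flowspec_default_inet__        */
```

Because the block is meant to be temporary, removing it only requires deleting the flow route on R3; the BGP withdrawal removes the filter term on the routers that received it.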

Let's test the result on R1

[Image: 5_view_on_r1]

As we can see, the ping is now blocked. You can also see the communities, and protocol 1 is advertised in inet-flow, which indicates the ICMP block.

[Image: 6_ping_block_telnet]

Let's see the final view on R2. We can see that a firewall filter has been installed automatically for the control plane for R1/R2/R3 on all incoming interfaces, blocking the traffic named in the requirement.

[Image: 7_fw_filter_on_controlplane]

 

This is an attempt to understand the Flow-Spec feature; it is vast and has many knobs to deal with.

 

Regards

Rakesh M

 

Quick Series 26 : MPLS INSTALL PREFIX – JNPR Usage


Hi,

This post gives a perspective on the usage of the install prefix keyword. We all know Juniper has different sets of tables.

  1. inet.0 – populated by the IGP
  2. inet.3 – populated by LDP/RSVP (used by BGP for route lookups)

Below is the Topology

 

[Image: Topology.png]

I have extensively used groups and logical-systems on vMX and, frankly, I have not tried to include that, as that would bore you even more.

Let's see the behavior from R1 to R4. If you watch closely, note the next-hop lookup in inet.0.

[Image: 1_route_lookup]

Let's change things a bit and see what happens.

[Image: 2_command]

Let's see the lookup table now.

[Image: 3_final_verification]

As we can see, there is now a push label, and the route also gets installed as an RSVP route in the inet.0 table.

Regards

Rakesh M

 

 

 

 

 

 

 
