JunOS Config Snippets – Routing Topics

Here are some more JunOS configuration snippets for a few routing-related features (RPM, VRRP, VRFs, and unicast RPF).

RPM

In the Cisco world, a lot of people use IP SLA as a poor man’s multi-homing solution, where you’re not actually doing BGP with your service provider.

IP SLA is used to verify reachability out a connection before using it for a route, essentially adding a condition to a static route. Juniper has RPM, which can be used in a similar fashion (although, like IP SLA, it can be used for considerably more advanced things as well).

# Default route to primary ISP
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.2.3.4;
    }
}
services {
    # Probes for different addresses
    rpm {
        probe ISP1 {
            test ISP1 {
                # Address to probe
                target address 2.3.4.5;
                probe-count 10;
                probe-interval 5;
                test-interval 10;
                thresholds {
                    successive-loss 10;
                    total-loss 5;
                }
                # Pin the probe to the primary ISP link so it does not follow
                # whichever default route is currently active
                destination-interface ge-0/0/0.0;
                next-hop 1.2.3.4;
            }
        }
    }
    # Links the probe to an action.  When the RPM probe *fails*, the action is applied
    ip-monitoring {
        policy ISP1 {
            match {
                rpm-probe ISP1;
            }
            then {
                preferred-route {
                    # Static route to backup ISP, installed only while the probe is failing
                    route 0.0.0.0/0 {
                        next-hop 3.4.5.6;
                    }
                }
            }
        }
    }
}
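To see how the two thresholds above and the ip-monitoring policy interact, here is a small Python model written for this post (it is not Junos code and not taken from the original snippet). It uses the probe-count, successive-loss, total-loss and next-hop values from the configuration; the probe results are constructed, and the rule that a threshold is violated once the loss count reaches the configured value is this model's assumption.

```python
"""Model of RPM loss thresholds feeding an ip-monitoring policy.

Added illustration only: threshold semantics (violated once the loss count
reaches the configured value) are an assumption of this model, and the probe
results below are constructed, not captured from a device.
"""
from dataclasses import dataclass


@dataclass
class RpmTest:
    """Values from 'services rpm probe ISP1 test ISP1' above."""
    probe_count: int = 10
    successive_loss: int = 10
    total_loss: int = 5

    def violations(self, replies):
        """replies: one bool per probe in a test run (True = reply received).

        Returns the names of the thresholds that were violated; an empty list
        means the test passed."""
        if len(replies) != self.probe_count:
            raise ValueError("expected one result per probe")
        lost = replies.count(False)
        longest_run = run = 0
        for ok in replies:
            run = 0 if ok else run + 1
            longest_run = max(longest_run, run)
        violated = []
        if lost >= self.total_loss:
            violated.append("total-loss")
        if longest_run >= self.successive_loss:
            violated.append("successive-loss")
        return violated


@dataclass
class IpMonitoringPolicy:
    """'services ip-monitoring policy ISP1': while the probe fails, the
    preferred route 0.0.0.0/0 via the backup next hop is installed."""
    test: RpmTest
    primary_next_hop: str = "1.2.3.4"
    backup_next_hop: str = "3.4.5.6"

    def default_route_next_hop(self, replies):
        failed = bool(self.test.violations(replies))
        return self.backup_next_hop if failed else self.primary_next_hop


# Constructed test runs (not real probe output).
SCENARIOS = {
    "healthy": [True] * 10,
    "four-in-a-row": [False] * 4 + [True] * 6,           # 4 lost, consecutively
    "flapping": [True, False] * 5,                       # 5 lost, never 2 in a row
    "outage": [False] * 10,                              # everything lost
}


def run_scenarios(policy=None):
    """Which next hop the default route uses after each constructed run."""
    policy = policy or IpMonitoringPolicy(RpmTest())
    return {name: policy.default_route_next_hop(r) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, replies in SCENARIOS.items():
        print(f"{name:14} violated={RpmTest().violations(replies)} "
              f"next-hop={run_scenarios()[name]}")
```

One thing the model makes obvious: with probe-count 10, successive-loss 10 can only be reached when every probe in the test is lost, by which point total-loss 5 was reached long before. So with the numbers above, total-loss 5 is the threshold that actually triggers failover, and four consecutive losses do not.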

VRRP

VRRP is an open standard for sharing an IP address between multiple devices for HA purposes (like HSRP in the Cisco world, though most Cisco devices also support VRRP).

This goes under the configuration for a specific interface:

unit 0 {
    family inet {
        # Normal, non-floating address
        address 192.168.35.2/24 {
            vrrp-group 200 {
                # Floating (virtual) address shared by the group
                virtual-address 192.168.35.1;
                priority 100;
                preempt;
                # accept-data is needed for this device, while master, to accept
                # traffic addressed to the floating address itself
                accept-data;
            }
        }
    }
}

Unicast RPF

RPF (reverse path forwarding) plays an important role in multicast.  RPF is also used for unicast traffic in some situations, for security reasons, to inhibit address spoofing.  It checks that the route back to the source address of incoming traffic points out the interface the traffic arrived on.  In other words, it prevents a host connected to interface B from spoofing an address from a network that is reached through interface A.  There are situations where such asymmetric paths are legitimate, though, so it should be used with some caution.  Also, on Juniper devices some things like DHCP might not work with uRPF out of the box, so look at Juniper's documentation.

routing-options {
    forwarding-table {
        # Treat interfaces used by valid but non-preferred (feasible) routes
        # as acceptable ingress interfaces for traffic from those networks.
        # The stricter alternative to feasible-paths is active-paths, which
        # only accepts the interface(s) of the active route.
        unicast-reverse-path feasible-paths;
    }
}
interfaces {
    vlan {
        unit 200 {
            family inet {
                # Packets that fail the RPF check are evaluated against the
                # urpf-filter firewall filter; whatever that filter accepts is
                # forwarded anyway, so specific traffic can bypass the check.
                rpf-check fail-filter urpf-filter;
                address 192.168.35.1/24;
            }
        }
    }
}
firewall {
    filter urpf-filter {
        # Lets 192.168.39.21 send traffic to any destination even when it
        # fails the RPF check.
        term allow-test {
            from {
                source-address {
                    192.168.39.21/32;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then accept;
        }
        # Everything else that failed the RPF check is rejected.
        term default {
            then {
                reject;
            }
        }
    }
}
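The following Python model shows what the check above actually decides for a few packets, and how active-paths and feasible-paths differ. It is an added example for this post, not Junos code: the routing table (with a second, non-preferred path to 192.168.39.0/24) and the packets are constructed, the whitelisted source and the vlan.200 subnet come from the snippet, and the lookup deliberately ignores details such as ECMP and the special handling of default routes.

```python
"""Simplified unicast RPF check with Junos' two modes and a fail-filter.

Added illustration only.  Routing table and packets are constructed for this
example; the interface names and the 192.168.39.21/32 exception follow the
configuration above.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # interface the route points out
    active: bool     # True = in the forwarding table; False = feasible, not preferred


def net(text):
    return ipaddress.ip_network(text)


# Constructed table: 192.168.39.0/24 is reachable two ways, only one active.
TABLE = [
    Route(net("192.168.35.0/24"), "vlan.200", True),
    Route(net("192.168.39.0/24"), "ge-0/0/1.0", True),
    Route(net("192.168.39.0/24"), "vlan.200", False),
    Route(net("0.0.0.0/0"), "ge-0/0/0.0", True),
]

# Sources accepted by 'firewall filter urpf-filter' term allow-test.
FAIL_FILTER_ACCEPT = [net("192.168.39.21/32")]


def rpf_interfaces(source, mode, table=TABLE):
    """Interfaces through which `source` is routed, per RPF mode.

    active-paths:   only active longest-match routes count.
    feasible-paths: every longest-match route counts, active or not."""
    addr = ipaddress.ip_address(source)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return set()
    longest = max(r.prefix.prefixlen for r in matches)
    best = [r for r in matches if r.prefix.prefixlen == longest]
    if mode == "active-paths":
        best = [r for r in best if r.active]
    return {r.interface for r in best}


def rpf_check(source, ingress, mode="feasible-paths"):
    """(verdict, reason) for a packet from `source` arriving on `ingress`."""
    if ingress in rpf_interfaces(source, mode):
        return ("accept", "rpf-check passed")
    # Failed the check: run the packet through the fail-filter.
    addr = ipaddress.ip_address(source)
    if any(addr in p for p in FAIL_FILTER_ACCEPT):
        return ("accept", "urpf-filter term allow-test")
    return ("discard", "urpf-filter term default")


def audit(packets, mode):
    """Verdict per source for a list of constructed (source, ingress) pairs."""
    return {src: rpf_check(src, ifc, mode)[0] for src, ifc in packets}


PACKETS = [
    ("192.168.35.50", "vlan.200"),  # host on the vlan.200 subnet itself
    ("192.168.39.21", "vlan.200"),  # via the non-preferred path; whitelisted
    ("192.168.39.99", "vlan.200"),  # via the non-preferred path; not whitelisted
    ("203.0.113.7", "vlan.200"),    # spoofed internet address coming from the LAN
]

if __name__ == "__main__":
    for mode in ("active-paths", "feasible-paths"):
        print(mode, audit(PACKETS, mode))
```

Under feasible-paths, traffic from 192.168.39.99 on vlan.200 passes because a non-preferred route to 192.168.39.0/24 points out that interface; under active-paths it is discarded, and only 192.168.39.21 gets through via the fail-filter. The spoofed 203.0.113.7 source is discarded in both modes, since its only route points out the ISP interface.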

VRFs

VRFs are used to configure multiple independent routing tables on a single router, sort of like VLANs are used to create multiple separate bridging / MAC address tables on a switch.  VRFs are commonly used with MPLS, but can be used without it.

With Cisco, VRFs without MPLS are called VRF Lite.  Juniper calls them virtual routers.

In the config below, two separate virtual routers are created, SRX-G and SRX-U.  Each runs its own OSPF instance and has its own routing tables.  inet.0 is the main unicast routing table of the default routing instance; the corresponding tables for these two instances are named SRX-G.inet.0 and SRX-U.inet.0.

interfaces {
    ge-0/0/0 {
        # Normal routed interface configuration
        unit 0 {
            description "USER";
            family inet {
                address 192.168.40.2/24;
            }
        }
        unit 10 {
            description "GUEST";
            family inet {
                address 192.168.44.2/24;
            }
        }
    }
}
routing-instances {
    SRX-G {
        instance-type virtual-router;
        # Assigning these L3 interfaces to this VRF
        interface ge-0/0/0.0;
        # Configuring protocol instance under this VRF
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface ge-0/0/0.0;
                }
            }
        }
    }
    SRX-U {
        instance-type virtual-router;
        # Assigning these L3 interfaces to this VRF
        interface ge-0/0/0.10;
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface ge-0/0/0.10;
                }
            }
        }
    }
}
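To make the "independent routing tables" point concrete, here is a Python model, added for this post and not Junos code, that builds SRX-G.inet.0 and SRX-U.inet.0 from the interface assignments above and routes packets using only the table of the instance their ingress interface belongs to. The interface-to-instance mapping and addresses come from the snippet; the two OSPF-learned prefixes and their next hops are constructed so that a lookup has something to find.

```python
"""Per-routing-instance tables and isolated lookups.

Added illustration only.  Interface assignments and addresses follow the
configuration above; the 'learned' routes are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Interface -> routing instance, from 'routing-instances' above.  An interface
# not listed here would belong to the default instance (table inet.0).
INSTANCE_OF = {"ge-0/0/0.0": "SRX-G", "ge-0/0/0.10": "SRX-U"}

# Interface addresses from 'interfaces' above.
INTERFACE_ADDRESS = {
    "ge-0/0/0.0": "192.168.40.2/24",
    "ge-0/0/0.10": "192.168.44.2/24",
}

# Constructed routes standing in for what each instance's OSPF would learn.
LEARNED = [
    ("SRX-G", "10.40.0.0/16", "192.168.40.1"),
    ("SRX-U", "10.44.0.0/16", "192.168.44.1"),
]


def table_name(instance):
    """Junos names an instance's IPv4 unicast table <instance>.inet.0; the
    default instance's table is plain inet.0."""
    return "inet.0" if instance is None else f"{instance}.inet.0"


def build_tables():
    """table name -> {network: how it is reached}"""
    tables = defaultdict(dict)
    for ifc, addr in INTERFACE_ADDRESS.items():
        connected = ipaddress.ip_interface(addr).network
        tables[table_name(INSTANCE_OF.get(ifc))][connected] = f"direct via {ifc}"
    for instance, prefix, next_hop in LEARNED:
        tables[table_name(instance)][ipaddress.ip_network(prefix)] = f"via {next_hop}"
    return dict(tables)


def lookup(tables, ingress, destination):
    """Route a packet that arrived on `ingress`, consulting only the table of
    the instance that interface belongs to.  Returns (table, entry-or-None)."""
    name = table_name(INSTANCE_OF.get(ingress))
    dst = ipaddress.ip_address(destination)
    candidates = [n for n in tables.get(name, {}) if dst in n]
    if not candidates:
        return (name, None)          # no route in this instance's table
    best = max(candidates, key=lambda n: n.prefixlen)
    return (name, tables[name][best])


if __name__ == "__main__":
    tables = build_tables()
    for name, entries in tables.items():
        print(name, {str(k): v for k, v in entries.items()})
    print(lookup(tables, "ge-0/0/0.0", "10.40.1.1"))    # found in SRX-G.inet.0
    print(lookup(tables, "ge-0/0/0.10", "10.40.1.1"))   # SRX-U has no such route
```

The second lookup is the point of the exercise: a packet entering on the SRX-U interface for a destination that only SRX-G knows about finds nothing, because the two instances never share a table unless routes are explicitly leaked between them.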
