Advertise all static routes except the default gateway with Juniper SRX firewall
With the following policy, all static routes are advertised via BGP to my neighbor:
root@Nitrogen# show policy-options
policy-statement bgp-export-policy {
    term export-statics {
        from protocol static;
        then accept;
    }
}
root@Nitrogen# show routing-instances myinstance
instance-type virtual-router;
interface ...
routing-options {
    static {
        route 0.0.0.0/0 next-hop ...; # I don't want to send this route
        route x.x.x.x next-hop st0.1;
        route x.x.x.x next-hop st0.1;
        route x.x.x.x next-hop st0.1;
        ...
    }
    autonomous-system XXX;
}
protocols {
    bgp {
        group mygroup {
            type external;
            export bgp-export-policy;
            neighbor XXX {
                peer-as XXX;
            }
        }
    }
}
How could I advertise all static routes except the default 0.0.0.0/0 one? Or, if this is easier, how could I advertise all routes that use st0.1 as the next hop?
Thank you in advance for your help.
routing bgp juniper juniper-junos juniper-srx
asked 2 days ago by Nakrule, edited 2 days ago
1 Answer
You need to add a term to your policy statement which explicitly rejects the default route, and add that before the export-statics term:
policy-statement bgp-export-policy {
    term reject-default {
        from {
            route-filter 0.0.0.0/0 through 0.0.0.0/32;
        }
        then reject;
    }
    term export-statics {
        from protocol static;
        then accept;
    }
}
Another, slightly more complex, but also more versatile way is to tag the routes you want to export with a chosen community, and then write an export policy which accepts only routes with that specific community and rejects all others:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.0.2.1;
        route x.x.x.x {
            next-hop st0.1;
            community 64496:1000;
        }
        route x.x.x.x {
            next-hop st0.1;
            community 64496:1000;
        }
        route x.x.x.x {
            next-hop st0.1;
            community 64496:1000;
        }
    }
}
# "from community" takes a named community, so define one for 64496:1000
# (the name export-to-bgp is illustrative)
community export-to-bgp members 64496:1000;
policy-statement bgp-export-policy {
    term export-routes {
        from {
            protocol static;
            community export-to-bgp;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}
Having an explicit reject policy at the end of your policy chain is always a good idea, regardless of how you would implement this.
answered 2 days ago by Teun Vink♦, edited 2 days ago
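To see why the reject-default term has to come before export-statics, and what each policy in the answer lets through, the following added example (not part of the original answer) models first-match term evaluation in Python. The sample routes, the function names and the simplified route-filter matcher are assumptions made for illustration.

```python
import ipaddress

def route_filter(prefix, base, kind, end=None):
    """Simplified Junos-style route-filter for the two match types used here."""
    net, base = ipaddress.ip_network(prefix), ipaddress.ip_network(base)
    if kind == "exact":
        return net == base
    if kind == "through":
        # On the path from `base` down to `end`: inside base and containing end.
        return net.subnet_of(base) and ipaddress.ip_network(end).subnet_of(net)
    raise ValueError(f"unsupported match type: {kind}")

def is_static(r):
    return r["protocol"] == "static"

def is_default(r):
    return route_filter(r["prefix"], "0.0.0.0/0", "through", "0.0.0.0/32")

def tagged(r):
    return is_static(r) and "64496:1000" in r["communities"]

# Each policy is an ordered list of (term name, match function, action).
ORIGINAL = [("export-statics", is_static, "accept")]
REJECT_FIRST = [("reject-default", is_default, "reject"),
                ("export-statics", is_static, "accept")]
WRONG_ORDER = list(reversed(REJECT_FIRST))
BY_COMMUNITY = [("export-routes", tagged, "accept"),
                ("reject", lambda r: True, "reject")]

# Constructed sample routing table (documentation prefixes, not from the page).
ROUTES = [
    {"prefix": "0.0.0.0/0", "protocol": "static", "communities": set()},
    {"prefix": "198.51.100.0/24", "protocol": "static", "communities": {"64496:1000"}},
    {"prefix": "203.0.113.0/24", "protocol": "static", "communities": {"64496:1000"}},
    {"prefix": "192.0.2.0/24", "protocol": "direct", "communities": set()},
]

def evaluate(policy, route):
    """First matching term wins; unmatched non-BGP routes are not exported."""
    for name, match, action in policy:
        if match(route):
            return action, name
    return "reject", "default-policy"

def advertised(policy, routes=ROUTES):
    return [r["prefix"] for r in routes if evaluate(policy, r)[0] == "accept"]

if __name__ == "__main__":
    for label, pol in [("original", ORIGINAL), ("reject-first", REJECT_FIRST),
                       ("wrong-order", WRONG_ORDER), ("by-community", BY_COMMUNITY)]:
        print(f"{label:13} {advertised(pol)}")
```

On a live device, the equivalent check is to compare the output of `show route advertising-protocol bgp` for the neighbor before and after committing the policy change.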