Re: [j-nsp] DHCP interface as next hop
* Aaron Dewell

> I haven't found an answer to this question (except for Cisco options
> which doesn't help me). I want to configure a static route to a DHCP
> interface on an SRX240. Here's the scenario:
>
> ge-0/0/0 connected to CX111 (4G modem/DHCP)
> t1-0/1/0 connected to an L3VPN (with BGP)
> st0.0 should connect over ge-0/0/0
>
> The t1 is considered trusted, so we do not want to form the IPSec tunnel
> over it. There is a default route coming in via BGP on the T1.
>
> The goal:
> Statically route the IPSec tunnel endpoint over the 4G modem as a /32
> Statically route 0/0 over st0.0 (and set precedence to 170, or set BGP
> down to 4)
> Receive 0/0 from BGP over the T1 (or alternately not, with no need to
> alter precedence, and use two next-hops for one static 0/0)
>
> The purpose is to have the tunnel up but not used until the T1 or BGP
> over it goes away.
>
> However, I cannot set ge-0/0/0.0 as the next-hop because it's not a
> point to point interface. I cannot set an IP address as the next-hop
> because I don't know when it will change.
>
> Any ideas on how to address that?

I have no idea if this can be done or will work, but here's a suggestion at least:

Configure a static link network (e.g., 192.0.2.10/31) on ge-0/0/0.0 in parallel with the DHCP client. Add a static ARP entry for 192.0.2.11 pointing to the CX111's MAC address. Use the 192.0.2.11 address as the next hop for the static route to the remote IPSEC tunnel endpoint.

Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
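Tore's suggestion written out as Junos set commands, together with the backup default over st0.0 from Aaron's goal list. This is an added example, not configuration posted by anyone in the thread. The remote gateway address 203.0.113.1, the CX111 MAC address and the preference value are assumptions, and, as Tore says himself, whether Junos accepts a DHCP client and a static address on the same unit is something to confirm with commit check on the box. The comment lines are annotations for the reader; only the set lines are typed in.

```junos
# Added example (not from the thread). Placeholders used below:
#   203.0.113.1         remote IPsec gateway (hypothetical)
#   00:11:22:33:44:55   MAC of the CX111's LAN port (read it from
#                       "show arp interface ge-0/0/0.0" while DHCP is up)
#   192.0.2.10/31       link network that exists only between SRX and CX111

# ge-0/0/0.0 keeps its DHCP client and gets a second, static address.
# Whether both are accepted on one unit is the open question; run
# "commit check" before relying on it.
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.10/31

# Static ARP entry: from our side the CX111 is always 192.0.2.11,
# whatever address the DHCP side is handing out today.
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.10/31 arp 192.0.2.11 mac 00:11:22:33:44:55

# Only the tunnel endpoint /32 is routed at that static neighbour.
set routing-options static route 203.0.113.1/32 next-hop 192.0.2.11

# Backup default over the tunnel. st0.0 is point-to-point, so an
# interface next-hop is allowed here. 175 is strictly worse than the
# Junos BGP default preference of 170, so the BGP default learned over
# the T1 stays active for as long as it exists.
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop st0.0 preference 175

# Checks after commit:
#   show route 203.0.113.1         -> via 192.0.2.11 on ge-0/0/0.0
#   show route 0.0.0.0/0 detail    -> BGP copy active, static via st0.0 inactive
```

Because only the /32 points at the static neighbour and the default points at the point-to-point st0.0, nothing here asks the Ethernet interface to ARP for arbitrary destinations, which is the failure mode Steinar and Alex warn about later in the thread. The block uses preference 175 rather than Aaron's 170 so that the static default is strictly less preferred than BGP and no tie-breaking between a static and a BGP route at the same preference comes into play.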
Re: [j-nsp] DHCP interface as next hop
----- Original Message -----
From: sth...@nethelp.no

> I can understand the choice of not including this functionality. Juniper
> can avoid the well-known problem of pointing a default route at an
> Ethernet interface, leading to an ARP for every new/unknown destination.

There is a recent post on this board describing this exact problem with ARP for every new/unknown destination:
https://puck.nether.net/pipermail/juniper-nsp/2012-November/024826.html

However, the original issue - 0/0 pointing to the DHCP default-router - is scriptable easily enough in SLAX. Should you go this route, make sure your provider has an ARP policer in place to withstand a routing loop in your network :-)

HTH
Rgds
Alex
Re: [j-nsp] DHCP interface as next hop
On Wed, Nov 28, 2012 at 4:45 PM, Aaron Dewell <aaron.dew...@gmail.com> wrote:

> Hey all,
>
> I haven't found an answer to this question (except for Cisco options
> which doesn't help me). I want to configure a static route to a DHCP
> interface on an SRX240. Here's the scenario:
>
> ge-0/0/0 connected to CX111 (4G modem/DHCP)
> t1-0/1/0 connected to an L3VPN (with BGP)
> st0.0 should connect over ge-0/0/0
>
> The t1 is considered trusted, so we do not want to form the IPSec tunnel
> over it. There is a default route coming in via BGP on the T1.
>
> The goal:
> Statically route the IPSec tunnel endpoint over the 4G modem as a /32
> Statically route 0/0 over st0.0 (and set precedence to 170, or set BGP
> down to 4)
> Receive 0/0 from BGP over the T1 (or alternately not, with no need to
> alter precedence, and use two next-hops for one static 0/0)
>
> The purpose is to have the tunnel up but not used until the T1 or BGP
> over it goes away.

Not sure about your routing setup and how you tag routes, but what about running DHCP on the modem and letting default point out that path? Then, set up your far end to only announce an internal table (whatever routes are appropriate for your application) via your T1/BGP path. Exclude the IPSec tunnel endpoint space.

Set up your IPSec tunnel and run a routing protocol over it, de-preferencing those routes below that of the T1/BGP path routes. That way, under normal operation you'll take the L3VPN path, but should those routes become unreachable, you'll prefer the IPSec-learned routes.

--j
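j's alternative as Junos set commands: the same internal prefixes learned by BGP over both the T1 and the tunnel, with the tunnel-learned copies de-preferenced by import policy so they only go active when the T1-learned copies disappear. This is an added example, not configuration from the thread; the AS numbers, peer addresses and the local-preference value are assumptions, and the DHCP client on ge-0/0/0.0, the IPsec tunnel itself and the security zones are assumed to be configured already. Comment lines are annotations for the reader.

```junos
# Added example (not from the thread). Placeholders used below:
#   64512 / 64513   local and remote private ASNs (hypothetical)
#   10.255.0.1      BGP peer reached over the T1 / L3VPN (hypothetical)
#   10.255.1.1      BGP peer on the far side of st0.0 (hypothetical)

set routing-options autonomous-system 64512

# Primary path: the internal table announced by the far end over the
# T1. Routes arrive with the Junos default local-preference of 100.
set protocols bgp group l3vpn type external
set protocols bgp group l3vpn peer-as 64513
set protocols bgp group l3vpn neighbor 10.255.0.1

# Backup path: the same prefixes across the IPsec tunnel, imported with a
# lower local-preference so BGP keeps the T1 copies active and falls back
# to the tunnel copies only when the T1 session or its routes go away.
set policy-options policy-statement depref-tunnel term all then local-preference 50
set protocols bgp group tunnel type external
set protocols bgp group tunnel peer-as 64513
set protocols bgp group tunnel neighbor 10.255.1.1
set protocols bgp group tunnel import depref-tunnel

# The modem's DHCP default carries IKE/ESP to the remote gateway. Per j's
# note, the far end must not announce the tunnel endpoint's prefix over
# either session, or the tunnel would be routed into itself.

# Check after commit: each internal prefix shows two copies, the T1 copy
# active ("*") and the tunnel copy carrying "Localpref: 50".
#   show route protocol bgp detail
```

Local-preference rather than route preference is the right knob here because both copies are BGP routes: route preference only ranks routes from different protocols, while local-preference is the first attribute BGP compares between its own paths.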
Re: [j-nsp] DHCP interface as next hop
On Nov 29, 2012, at 12:53 AM, Tore Anderson wrote:

> * Aaron Dewell
>
>> I haven't found an answer to this question (except for Cisco options
>> which doesn't help me). I want to configure a static route to a DHCP
>> interface on an SRX240. Here's the scenario:
>>
>> ge-0/0/0 connected to CX111 (4G modem/DHCP)
>> t1-0/1/0 connected to an L3VPN (with BGP)
>> st0.0 should connect over ge-0/0/0
>>
>> The t1 is considered trusted, so we do not want to form the IPSec tunnel
>> over it. There is a default route coming in via BGP on the T1.
>>
>> The goal:
>> Statically route the IPSec tunnel endpoint over the 4G modem as a /32
>> Statically route 0/0 over st0.0 (and set precedence to 170, or set BGP
>> down to 4)
>> Receive 0/0 from BGP over the T1 (or alternately not, with no need to
>> alter precedence, and use two next-hops for one static 0/0)
>>
>> The purpose is to have the tunnel up but not used until the T1 or BGP
>> over it goes away.
>>
>> However, I cannot set ge-0/0/0.0 as the next-hop because it's not a
>> point to point interface. I cannot set an IP address as the next-hop
>> because I don't know when it will change.
>>
>> Any ideas on how to address that?
>
> I have no idea if this can be done or will work, but here's a suggestion
> at least:
>
> Configure a static link network (e.g., 192.0.2.10/31) on ge-0/0/0.0 in
> parallel with the DHCP client. Add a static ARP entry for 192.0.2.11
> pointing to the CX111's MAC address. Use the 192.0.2.11 address as the
> next hop for the static route to the remote IPSEC tunnel endpoint.
>
> Best regards,
> --
> Tore Anderson
> Redpill Linpro AS - http://www.redpill-linpro.com/

Ooooh, I like that idea. I'll give that a try.

The other idea our SE suggested is a virtual router and configure the static route with next-table. But that requires 12.1R3 to fix the default route installed into inet.0 not the VR issue. I like your idea more than upgrades+VRs.

Aaron
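The SE's alternative that Aaron mentions, written out as Junos set commands: the DHCP-facing interface moves into its own virtual router, and a static /32 in the main table hands the lookup to that router's table with next-table, so the actual next hop is whatever default the DHCP client has installed there. This is an added example, not configuration from the thread; the instance name wan-4g and the gateway address 203.0.113.1 are assumptions. Aaron's caveat applies as he states it: before 12.1R3 the DHCP client's default route was installed into inet.0 instead of the VR, so on older code the lookup in wan-4g.inet.0 finds nothing. Comment lines are annotations for the reader.

```junos
# Added example (not from the thread). Placeholders used below:
#   wan-4g        virtual router holding the DHCP interface (hypothetical)
#   203.0.113.1   remote IPsec gateway (hypothetical)

# The DHCP client stays on ge-0/0/0.0; the unit is placed in its own
# virtual router, so the DHCP-learned 0/0 (next hop = whatever address the
# CX111 currently hands out as default-router) lives in wan-4g.inet.0 and
# never competes with the BGP default in inet.0.
set interfaces ge-0/0/0 unit 0 family inet dhcp
set routing-instances wan-4g instance-type virtual-router
set routing-instances wan-4g interface ge-0/0/0.0

# In the main table, only the tunnel endpoint /32 is handed to the VR's
# table. The second lookup hits the DHCP default, so the route follows the
# modem's current default-router without any address being hard-coded.
set routing-options static route 203.0.113.1/32 next-table wan-4g.inet.0

# Checks after commit:
#   show route table wan-4g.inet.0 0.0.0.0/0   -> DHCP-installed default,
#                                                 next hop = modem address
#   show route 203.0.113.1                     -> "to table wan-4g.inet.0"
#   show dhcp client binding                   -> lease on ge-0/0/0.0
```

The interface must still belong to a security zone and the IKE gateway still uses ge-0/0/0.0 as its external interface; neither is changed by the routing-instance move and both are left out here. The price of this approach compared with the static-ARP one is the upgrade Aaron refers to, which is why he preferred Tore's idea.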
[j-nsp] DHCP interface as next hop
Hey all,

I haven't found an answer to this question (except for Cisco options which doesn't help me). I want to configure a static route to a DHCP interface on an SRX240. Here's the scenario:

ge-0/0/0 connected to CX111 (4G modem/DHCP)
t1-0/1/0 connected to an L3VPN (with BGP)
st0.0 should connect over ge-0/0/0

The t1 is considered trusted, so we do not want to form the IPSec tunnel over it. There is a default route coming in via BGP on the T1.

The goal:
Statically route the IPSec tunnel endpoint over the 4G modem as a /32
Statically route 0/0 over st0.0 (and set precedence to 170, or set BGP down to 4)
Receive 0/0 from BGP over the T1 (or alternately not, with no need to alter precedence, and use two next-hops for one static 0/0)

The purpose is to have the tunnel up but not used until the T1 or BGP over it goes away.

However, I cannot set ge-0/0/0.0 as the next-hop because it's not a point to point interface. I cannot set an IP address as the next-hop because I don't know when it will change.

Any ideas on how to address that?

Thanks!
Aaron
Re: [j-nsp] DHCP interface as next hop
> However, I cannot set ge-0/0/0.0 as the next-hop because it's not a
> point to point interface. I cannot set an IP address as the next-hop
> because I don't know when it will change.
>
> Any ideas on how to address that?

Missing functionality in JunOS. Complain to your SE. Other vendors can do this. (Also available in JunOSe, for the E-series.)

I can understand the choice of not including this functionality. Juniper can avoid the well-known problem of pointing a default route at an Ethernet interface, leading to an ARP for every new/unknown destination.

However, in my opinion Juniper *should* still offer this functionality, leaving the user with plenty of rope to hang himself :-)

Steinar Haug, Nethelp consulting, sth...@nethelp.no