
Messages - ScottF

#1
Routing and Switching / Re: Route map configuration
June 29, 2016, 02:08:34 PM
Hi,

I managed to get this working with a standard ACL. I had been thinking I would have to use a prefix list, and when trying I've probably messed up the logic. But this works so it's all good.

Thanks


ip vrf vrf2
 rd 20:20
 import map DD
 route-target export 20:20
 route-target import 20:20
 route-target import 10:10
!
access-list 99 deny   0.0.0.0
access-list 99 permit any
!
route-map DD permit 10
 match ip address 99
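
Added example, not part of ScottF's post or configuration: a small Python model of IOS prefix-list evaluation (first match wins, implicit deny at the end), showing how a list with only a deny entry for the default route filters every import while a deny followed by a catch-all permit behaves like access-list 99 above. The contents of the failing prefix list are an assumption (the thread does not show it), and the sample routes are constructed apart from the Vlan407 linknet.

```python
import ipaddress

# Each entry models: ip prefix-list NAME {permit|deny} PREFIX [ge N] [le N]
DENY_ONLY = [("deny", "0.0.0.0/0", None, None)]          # assumed failing list
DENY_THEN_PERMIT = [("deny", "0.0.0.0/0", None, None),    # drop only the default
                    ("permit", "0.0.0.0/0", None, 32)]    # "0.0.0.0/0 le 32" = any route

# Routes offered to the import map. Constructed sample data, except
# 10.254.253.32/30, which is the Vlan407 linknet from the thread.
ROUTES = ["0.0.0.0/0", "10.254.253.32/30", "10.70.0.0/16", "192.168.5.0/24"]


def entry_matches(entry, route):
    """True if one prefix-list entry matches the route (IPv4 only)."""
    _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix)
    cand = ipaddress.ip_network(route)
    if not cand.subnet_of(net):       # leading bits must equal the entry's prefix
        return False
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = 32                      # "ge" alone runs up to /32
    else:
        high = net.prefixlen           # no ge/le: exact length only
    return low <= cand.prefixlen <= high


def permits(prefix_list, route):
    """First matching entry decides; no match falls to the implicit deny."""
    for entry in prefix_list:
        if entry_matches(entry, route):
            return entry[0] == "permit"
    return False


def imported(prefix_list, routes):
    """Routes let in by a single 'route-map ... permit' clause matching the list."""
    return [r for r in routes if permits(prefix_list, r)]


if __name__ == "__main__":
    print("deny only:       ", imported(DENY_ONLY, ROUTES))
    print("deny then permit:", imported(DENY_THEN_PERMIT, ROUTES))
```
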
#2
Routing and Switching / Re: Route map configuration
June 28, 2016, 03:38:26 PM
It's a Juniper SRX3600.

Config below for 2 of the VRFs.


vrf definition hpc
 rd 65000:50
 route-target export 65000:50
 route-target import 65000:50
 route-target import 65000:70
!
vrf definition services
 rd 65000:70
 route-target export 65000:70
 route-target import 65000:70
 route-target import 65000:50
!
interface Vlan405
 description HPC-VRF-Link
 vrf forwarding hpc
 ip address 10.254.253.26 255.255.255.252
 ipv6 address 2001:630:A5:FFFE::1B/126
!
interface Vlan407
 description Services-VRF-Link
 vrf forwarding services
 ip address 10.254.253.34 255.255.255.252
 ipv6 address 2001:630:A5:FFFE::22/126
!
address-family ipv4 vrf hpc
  redistribute connected
  redistribute static
  neighbor 10.254.253.25 remote-as 64561
!
address-family ipv4 vrf services
  redistribute connected
  redistribute static
  neighbor 10.254.253.33 remote-as 64561


So from what I understand, the two VRF definitions are allowing the import/export of routes into each other. We then have two interface VLANs that are used for the BGP peering between the firewall and the switch, and the bottom two sections are the BGP neighbours.

The problem we have is through the peerings: the firewall sends default to each VRF and then these VRFs import/export routes with each other, which means you get a default route via VRF 'hpc' in VRF 'services' table and vice versa.

I have seen that link and I believe that was tested and it works; however, what we are trying to do is deny default, and when we use a prefix list to deny 0.0.0.0 from being imported, it seems to stop importing any routes from the VRF.

Thanks
Scott
#3
Routing and Switching / Route map configuration
June 28, 2016, 10:02:23 AM
Hi,

Hoping someone can shed some light on a problem we are facing.

We are building a new network that consists of a number of VRFs. There are some import/exports between the VRFs.

Each of these VRFs has a BGP peering with our firewall and the firewall is propagating default down to the VRFs. (Note: the firewall has no concept of these VRFs, just a peering with different linknets.)

The problem we are facing is that due to the import/export the default from other VRFs is being sent around the VRFs and some are preferring default from another VRF over the one they are being sent from the firewall.

We have been looking into route maps / prefix lists to deny default and permit other routes, but when we implement these it seems to just stop all routes being imported. Has anyone had to do something similar to this?

Thanks in advance. 
#4
Routing and Switching / Re: BGP Redistribution
May 26, 2015, 10:24:21 AM
Doesn't this happen the other way round, as in IGP redistribution into BGP strips info?

#5
Quote from: that1guy15 on May 15, 2015, 12:14:19 PM
VSS is running the campus core but the more I run it the less I like it.

Out of interest, why don't you like VSS?
#6
Management Tools / Re: ISP Monitoring
February 09, 2015, 03:07:51 AM
Thanks for the info, we are currently looking to procure a network management/monitoring tool so it could be something to include (we will probably get HP's iMC).
#7
Management Tools / Re: ISP Monitoring
February 06, 2015, 02:50:52 AM
We've done the baseline thing, unfortunately the problem with this is that baseline changes depending on the time of year. When all the students are on campus we have much higher usage than during half-terms/holidays etc where the usage plummets.

This just means our baseline check has to be dynamic depending on the time of year.

#8
Management Tools / ISP Monitoring
February 05, 2015, 03:46:36 AM
I think I already know the answer to this but I'm going to ask in case there is a way to do it.

We are part of a larger network (ring) with other Universities. We all use a common ISP for our connection to the internet. Recently a DDoS attack was targeted at another University on the ring. This meant that our Internet connection was degraded, however everything internal was running at the speed we would expect.

Is there any way to monitor for this degradation in service? The only thing I could think of is a simple ping poll out to a server on the internet, however if the connection is just degraded this may not be picked up.

Thanks
#9
Everything Else in the Data Center / Re: F5 Anyone?
February 02, 2015, 09:24:48 AM
We have them at our site, although they are managed by the server team so I don't get any exposure to them. I've heard good things about them though.


#10
We used fastlane for some BCN bespoke training, like others have said the quality depends very much on the trainer. Our guy was called Vassil Nikolov and he was excellent, in fact probably the most knowledgeable trainer I've come across. I know he does the Nexus courses across Europe so I would highly recommend him.
#11
Management Tools / Re: Statseeker
January 22, 2015, 10:01:03 AM
Yeh we use this on a University Campus network and it provides very useful info. I don't think we have tweaked it to what we want yet, but have been pleased with it so far.
#12
I think if you look into OSPF superbackbone it might be what you're looking for.

Your issue sounds similar to something I was taught on a course and that was the answer, whether your issue is the same I don't know.
#13
Got my CCDA scheduled for Cisco Live at the end of the month. Then hopefully CCNP, possibly a Juniper qualification, and hopefully CCNA:DC as we look to be going Cisco in our new design.