Juniper MX VRF – Leaking Routes from RIB into VRF on Juniper MX

juniperjuniper-mxvrf

Aim

We have a firewall terminating IPSec VPNs to AWS. These are used in the event of failure of a pair of AWS Direct Connects. Currently, the VPNs are routed to AWS over the same Direct Connects that they are backing up – if the Direct Connects stop routing traffic for some reason, the VPNs break also.

Proposed Solution

Create a VRF on Juniper MX into which we import AWS routes learned from Transit and not those learned from the Direct Connects.

Implementation

phil@mx# show routing-instances
be-fw-tunnels {
    instance-type virtual-router;
    interface ae0.336;
    routing-options {
        instance-import vrf_be_fw_tunnels;
    }
}

phil@mx# show policy-options policy-statement vrf_be_fw_tunnels
term no_aws_direct {
    from {
        instance master;
        community Direct;
    }
    then reject;
}
term aws_indirect {
    from {
        instance master;
        as-path aws-indirect;
    }
    then accept;
}
term no_more {
    then reject;
}

phil@mx# show policy-options as-path aws-indirect
".* (14618|16509)$";

Problem

The solution works to the extent that some Amazon routes are leaked into the VRF however only for prefixes which are not advertised by Amazon on the Direct Connect at all. This is, I presume, because instance-import imports from the FIB and the routes of interest installed in the FIB are all from the Direct Connect peering.

Question

Is it possible to import into a VRF from the RIB, such that all possible routes are considered for import… not just the currently active ones?

Best Answer

The solution seems to be to use rib-group. I always assumed rib-group and instance-import were interchangeable though, as the name suggests, rib-group works in the RIB whereas instance-import only works on the FIB.

Syntax is significantly more complex but it's nice in such that you can apply rib-group to individual BGP peers which avoids the need to explicitly filter out the routes you don't want.

phil@mx# show routing-instances
be-fw-tunnels {
    description "VRF importing specific DFZ routes for use by BE FW tunnels";
    instance-type virtual-router;
    interface ae0.236;
}

phil@mx# show routing-options rib-groups
/* Export some IPv4 routes from the main table into the be-fw-tunnels table */
be-fw-tunnels-v4 {
    import-rib [ inet.0 be-fw-tunnels.inet.0 ];
    import-policy vrf_be_fw_tunnels;
}
/* Export some IPv6 routes from the main table into the be-fw-tunnels table */
be-fw-tunnels-v6 {
    import-rib [ inet6.0 be-fw-tunnels.inet6.0 ];
    import-policy vrf_be_fw_tunnels;
}

phil@mx# show policy-options policy-statement vrf_be_fw_tunnels
term aws_indirect {
    from as-path aws-indirect;
    then accept;
}
term no_more {
    then reject;
}

phil@mx# show groups
/* Apply to BGP groups from which you want to export certain routes to the be-fw-tunnels VRF */
aws-to-vrf-v4 {
    protocols {
        bgp {
            group <*> {
                neighbor "<[0-9]*.[0-9]*.[0-9]*.[0-9]*>" {
                    family inet {
                        unicast {
                            rib-group be-fw-tunnels-v4;
                        }
                    }
                }
            }
        }
    }
}
/* Apply to BGP groups from which you want to export certain routes to the be-fw-tunnels VRF */
aws-to-vrf-v6 {
    protocols {
        bgp {
            group <*> {
                neighbor <*:*:*> {
                    family inet6 {
                        unicast {
                            rib-group be-fw-tunnels-v6;
                        }
                    }
                }
            }
        }
    }
}

phil@mx# show protocols bgp group Transit
apply-groups [ aws-to-vrf-v4 aws-to-vrf-v6 ];
...

Related Solutions

Routing – BGP remote-triggered blackhole (RTBH) filter for Juniper

There is no reason to limit customer to blackhole only /32, allow them to blackhole anything from them.

Something like this:

policy-statement AS42-IN {
    term blackhole {
        from {
            community BLACKHOLE;
            prefix-list-filter AS42 orlonger;
        }
        then {
            community add NO-EXPORT;
            next-hop 192.0.2.1;
            accept;
        }
    }
    term advertise {
        from {
            prefix-list AS42;
        }
        then {
            community add ADVERTISE;
            next-hop peer-address;
            accept;
        }
    }
    term reject {
        then reject;
    }
}

Remember to set 'accept-remote-nexthop' under BGP settings, so that the next-hop can be changed to something else than link address.

I also strongly support that providers start to support different blackhole communities than just 'full blackhole'. Especially if you operate in more than one country usually attack is from transit and often customer actually mostly wants to access domestic peerings, so it's useful to implement several levels of blackhhole:

Full
Outside local country (local IXP, whole own AS + customers seen)
Outside local area (if applicable, like for me it could be 'Nordics')
Include/Exclude specific peering router in blackhole

I'm happy to give example how to implement something like this with JNPR DCU/SCU, provided your peering routers are JNPR, but it's possible with just communities, just bit more awkward.

If you absolutely want to limit your customer's options you can add this:

policy-statement /32 {
    term /32 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /32-/32;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}

policy-statement AS42-IN {
    term blackhole {
        from {
            community BLACKHOLE;
            policy /32;
            prefix-list-filter AS42 orlonger;
        }
..
}

This way it should be logical AND. But I really don't see the value in creating complexity to reduce expressiveness of configuration.

JUNIPER: Why is OSPF adjacency breaking when I enable FBF on an OSPF interface

So, after working with JTAC yesterday, "I", as in I really didn't need JTAC since I figured out the issue on my own.. realized that my firewall filter was a bit redundant and was lacking a "permit any" statement.

OSPF adjacency was breaking because the firewall filter was taking the "else" traffic (term DEFAULT) and sending it to routing-instance PATH-2, which didn't help either way since it was sending traffic right back to SW-2, something a "then accept" statement would have done easily

So, to repair the issue..

New SW-2 & RTR-2 corrected configlets:

delete routing-instances PATH-2
delete firewall family inet filter FBF-TEST term DEFAULT
set firewall family inet filter FBF-TEST term PERMIT-ANY then accept

New config snips for SW-2:

routing-options {
    nonstop-routing;
    interface-routes {
        rib-group inet STAGING-RIB;
    }
    static {
        route 10.100.190.0/24 next-hop 10.100.100.2;
        route 10.100.191.0/24 next-hop 10.100.100.2;
    }
    rib-groups {
        STAGING-RIB {
            import-rib [ inet.0 PATH-1.inet.0 ];
        }
    }
    router-id 10.100.254.1;
}
firewall {
    family inet {
        filter FBF-TEST {
            term TERM-1 {
                from {
                    source-address {
                        10.100.190.0/24;
                        10.100.191.0/24;
                    }
                }
                then {
                    routing-instance PATH-1;
                }
            }
            term PERMIT-ANY {
                then accept;
            }
        }
    }
}
routing-instances {
    PATH-1 {
        instance-type forwarding;
        routing-options {
            static {
                route 10.100.30.0/24 {
                    next-hop 10.100.254.2;
                    qualified-next-hop 10.10.10.1 {
                        preference 100;
                    }
                }
            }
        }
    }
}

New config snips for RTR-2:

routing-options {
    interface-routes {
        rib-group inet STAGING-RIB;
    }
    rib-groups {
        STAGING-RIB {
            import-rib [ inet.0 PATH-1.inet.0 ];
        }
    }
    router-id 200.200.200.2;
    autonomous-system 1;
}
firewall {
    family inet {
        filter FBF-TEST {
            term TERM-1 {
                from {
                    source-address {
                        10.100.190.0/24;
                        10.100.191.0/24;
                    }
                }
                then {
                    routing-instance PATH-1;
                }
            }
            term PERMIT-ANY {
                then accept;
            }
        }
    }
}
routing-instances {
    PATH-1 {
        instance-type forwarding;
        routing-options {
            static {
                route 10.100.30.0/24 {
                    next-hop 200.200.200.1;
                    qualified-next-hop 10.100.254.1 {
                        preference 100;
                    }
                }
            }
        }
    }
}

Aim