Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Routing Configuration on SRX Series Firewalls

Configure BGP Groups

You can configure BGP (Border Gateway Protocol) and add their BGP neighbors. You can also add and modify peer-based advertisement and redistribution rules

To configure a BGP group:

  1. In the Juniper Mist™ portal, click Organization > WAN > WAN Edge Templates.
  2. Create a new template or click an existing template to modify it.
  3. In the Templates page, scroll down to Routing pane and click Add BGP Group.

  4. In the Add BGP Group window, add details for the BGP group.

    Figure 1: Add BGP Group Add BGP Group
    • Name—Name of the BGP group.
    • Peering Network —Select Peering Network as WAN or LAN.
    • BFD —Select Enabled or Disabled.
    • Type —Select Internal or External.
    • Local AS —Specify the local autonomous system (AS) number.
    • Hold Time —Specify the hold-time value to use when negotiating a connection with the peer.
    • Graceful Restart Time —Specify graceful restart for BGP. Graceful restart allows a routing device undergoing a restart to inform its adjacent neighbors and peers of its condition
    • Authentication Key —Configure an MD5 authentication key (password). Neighboring routing devices use the same password to verify the authenticity of BGP packets sent from this system
    • Click drop-down for Export or Import and select an existing routing policy or click Create Policy.
      • In the Routing Policy window,you can add or edit the policy for the overlay path preference.
        • Name—Enter the name of the policy.
        • Add Terms—Enter the policy conditions such as prefix, autonomous system [AS] path regular expressions, protocols, and community.
        • Then—Select an action (Accept or Reject) to apply when the condition is fulfilled. Enable one of the following preference for the accepted path:
          • Append Community
          • Exclude Community
          • Set Community
          • Prepend AS Path
          • Exclude AS Path
          • Set Local Preference
          • Add Target VRs
        • Click Add to add to save the routing policy.
  5. On the Add BGP Group window, for the Export or Import field, select the routing policy you created from the drop-down.
  6. In Neighbors pane, click Add Neighbors
    Figure 2: BGP Group- Add Neighbors BGP Group- Add Neighbors
    .
    • Select Enabled or Disabled to administratively enable or disable a BGP neighbor.
    • IP address —Enter the IP address of the neighbor device.
    • Neighbor AS —Enter the neighbor node AS.
    • Hold Time —Specify the hold-time value to use when negotiating a connection with the neighbor device.
    • Type —Click drop-down for Export or Import and select an existing routing policy or click Create Policy.
  7. Select the check-box in Add Neighbors pane to add the neighbor.
  8. Click Save.

You can view the BGP neighbors details in BGP Summary section of Monitor > Insights page.

Figure 3: BGP Neighbor Information BGP Neighbor Information

Configure BFD for BGP Sessions

The Bidirectional Forwarding Detection (BFD) protocol is a simple Hello mechanism that detects failures or faults between network forwarding elements that share a link. Hello packets are sent at a specified, regular interval. When the routing device stops receiving a reply after a specified interval, a neighbor failure is detected . The failure detection timers for BFD provide faster detection, as they have shorter time limits than that of the default failure detection mechanisms for BGP.

To enable or disable BFD for the BGP sessions on a Session Smart Router deployed as a WAN Edge device:

  1. In the Mist portal, navigate to Organization > WAN Edge Templates > WAN Edge Name.

  2. From the BGP section, click on an existing BGP Group, or click Add BGP Group to add a new one.

  3. In the Add BGP Group window, Under BFD, select Enabled or Disabled depending on your network needs.

  4. Configure any other necessary setting for your BGP Group, such as the interval, then click Add at the bottom of the window.

Overlay Traffic Steering for BGP-Learned Prefixes

You can specify a preferred path for the traffic traversing from a spoke device to the BGP-learned prefixes by configuring overlay path preferences. You can configure path preferences in the routing policies on the spoke devices. This feature allows you to determine which hub the traffic should pass through.

To configure path preferences:

  1. In the Add BGP Group window, enter the details for the BGP group:

    Figure 4: Add BGP Group Add BGP Group

  2. Enter the following details:

    • Enter a name of the BGP group.
    • Select Peering Network as Overlay.
    • Click drop-down for Export and select an existing routing policy or click Create Policy.
    • In the Routing Policy window,you can add or edit the policy for the overlay path preference.
      Figure 5: Add Routing Policy Add Routing Policy
      • Name—Enter the name of the policy.
      • Add Terms—Enter the policy conditions such as prefix, autonomous system [AS] path regular expressions, protocols, and community.
      • Overlay Path Preference—Enter overlay path preference. Click Add Paths and select an existing overlay hub endpoint.
      • Then—Select an action (Accept or Reject) to apply when the condition is fulfilled. Enable one of the following preference for the accepted path:
        • Append Community—Add a BGP community to the route. A BGP community is a group of destinations that share a common property.
        • Exclude Community—Exclude a BGP communities to the route.
        • Set Community—Set a BGP community in the route. The set option replaces the current communities on a route with the specified community
        • Prepend AS Path—Prepend a AS number to the start of a BGP AS path.
        • Exclude AS Path—Exclude a AS number from the start of a BGP AS path.
        • Set Local Preference—Set preference to assign to routes that are advertised to the group or peer.
        • Add Target VRs— Add virtual Routing and Forwarding (VRF) instances for the intentional sharing of route information across VRF instances.
      • Click Add to add to save the routing policy.
      • On the Add BGP Group window, for the Export field, select the routing policy you created from the drop-down.
  3. Click Save.
Note:

You can create overlay traffic steering for BGP-learned prefixes by selecting WAN Edges in Juniper Mist Portal.

Configure OSPF

Open Shorest Path First (OSPF) is a link-state routing protocol used in IP networks to determine the best path for forwarding IP packets. OSPF divides a network into areas to improve scalability and control the flow of routing information. The following steps explain how you can configure OSPF for your SRX Series Firewall deployed as a WAN Edge device.

You must first define an OSPF Area from the OSPF AREAS tile, then apply that area to the WAN Edge device from the OSPF CONFIGURATION tile.

Note:

You can configure OSPF from the Routing section on WAN Edge templates (Organization > WAN Edge Templates), hub profiles (Organization > Hub Profiles), or the WAN Edge device configuration page (WAN Edges > WAN Edges > WAN Edge Name). The following steps show how to configure OSPF from the WAN Edge Template.
  1. From the Mist portal, navigate to Organization > WAN Edge Templates.
  2. In the ROUTING section, from the OSPF AREAS tile, click Add OSPF Area.
  3. In the Add OSPF Area window, add the following information:
    Table 1: Add OSPF Area Options

    Field

    Description

    Area

    This number indicates the identification area that your OSPF network or SRX Series Firewall belongs to.

    Type

    This is the OSPF Area type. Select one of the following options:

    1. Default (Area 0) — This represents the core of an OSPF network.
    2. Stub — Using this OSPF area type blocks external routes.
    3. Not So Stubby Area (NSSA) — Using this OSPF area type allows redistribution of some external routes and not others.

    For a more in depth explanation of the different area types, see Configuring OSPF Areas.

  4. Click Add OSPF Network, then, in the Add OSPF Network section of the window, enter the following information:
    Table 2: Add OSPF Network Options

    Field

    Description

    Network

    This is the name of your OSPF network.

    Note:

    Check the Passive checkbox if you do not want OSPF to send Hello packets on an interface. This prevents the interface from forming unnecessary neighor relationships, which reduces overhead on routers and ensures that only the crucial connections are being made.

    Interface Type

    • Broadcast — This is the default interface type for an OSPF ethernet interface.

    • p2p (point to point) — This represents a connection between two OSPF routers (one router has one recipient).

    BFD Interval

    This value determines how frequently BFD packets will be sent to BFD peers (in milliseconds).

    Metric

    This is the cost metric used by OSPF to determine the best path between two OSPF-enabled devices.

    Hello Interval

    This interval specifies the length of time, in seconds, before the routing device sends a hello packet out an interface. By default, the routing device sends Hello packets every 10 seconds.

    Dead Interval This interval specifies the length of time, in seconds, that the routing device waits before declaring a neighboring routing device as unavailable. By default, the routing device waits 40 seconds (four times the Hello interval).
    Auth Type

    • None — Selecting this means you are selecting no authentication to be done.

    • md5 (message-digest algorithm) — This is a hashing algorithm that uses a one-way cryptographic function that acccepts a message of any length and returns it as a fixed-length output value to be used for authentication.

    • password — This means that a password will be required for authentication.
    Export (SRX Only)
    • Click drop-down for Export and select an existing routing policy or click Create Policy.
      • In the Routing Policy window,you can add or edit the policy for the overlay path preference.
        • Name—Enter the name of the policy.
        • Add Terms—Enter the policy conditions such as prefix, autonomous system [AS] path regular expressions, protocols, and community.
        • Then—Select an action (Accept or Reject) to apply when the condition is fulfilled. Enable one of the following preferences for the accepted path by clicking Add Action:
          • Append Community
          • Exclude Community
          • Set Community
          • Prepend AS Path
          • Exclude AS Path
          • Set Local Preference
          • Add Target VRs
        • Click the checkbox at the top of the Add Term section to save the routing policy.
      Click Add at the bottom of the window to return to the Add OSPF Area options.
    Import (SRX Only) See above.
  5. When you have entered in the appropriate information, click the checkbox at the top of the Add OSPF Network section.

  6. Click Add at the bottom of the window. You will now see your OSPF area listed in the OSPF Areas tile.
  7. Now that you've created your OSPF area, you need to enable it. In the OSPF CONFIGURATION tile, check the Enabled checkbox. This causes the Enable OSPF Areas button to appear.
  8. Click the Enable OSPF Areas button.
  9. The Enable OSPF Area window appears. Select the Area you just created, then click Add at the bottom of the window.

You will see your area listed in the OSPF CONFIGURATION tile.

See Also