Junos is a very powerful networking operating system, and by harnessing it we can perform more unusual tasks than we could with other alternatives. Today I will discuss an unusual scenario that combines conditional route advertisement and NAT to provide access to a service: when the internal network becomes unreachable, the SRX automatically withdraws the route it advertises.

Conditional route advertisement lets a network engineer attach criteria to routes before they are installed in the routing table or advertised to peers and neighbors. More information on this can be found here. In the example below I configure conditional route advertisement on an SRX.

In the scenario above the SRX must advertise 1.1.1.0/24 to AS1111 only while the route 192.168.1.0/24, learned from the iBGP neighbor, exists on the SRX. In addition, the SRX statically NATs 1.1.1.1 to 192.168.1.1 to make a web application available publicly. Below is the basic configuration for the interfaces, zones, and BGP:

interfaces {
    ge-0/0/4 {
        description Untrust;
        unit 0 {
            family inet {
                address 200.200.200.2/30;
            }
        }
    }
    ge-0/0/8 {
        description Trust;
        unit 0 {
            family inet {
                address 172.16.0.1/24;
            }
        }
    }
}
protocols {
    bgp {
        group partner {
            export conditional_route;
            peer-as 1111;
            neighbor 200.200.200.1;
        }
        group wan {
            peer-as 65100;
            neighbor 172.16.0.2;
        }
    }
}
routing-options {
    autonomous-system 65100;
}
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/4.0 {
                    host-inbound-traffic {
                        protocols {
                            bgp;
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/8.0 {
                    host-inbound-traffic {
                        protocols {
                            bgp;
                        }
                    }
                }
            }
        }
    }
}

Let us take a look at the export policy conditional_route:

policy-options {
    policy-statement conditional_route {
        term 1 {
            from {
                route-filter 1.1.1.0/24 exact;
                condition check_route;
            }
            then accept;
        }
        then reject;
    }
}

As you can see above, the SRX advertises 1.1.1.0/24 only when the condition named check_route is met; every other route is dropped by the final reject. Let us take a look at the condition:

policy-options {
    condition check_route {
        if-route-exists {
            192.168.1.0/24;
            table inet.0;
        }
    }
}

From here, we need to get 1.1.1.0/24 into the routing table, because the export policy can only advertise a route that actually exists. In this case I used a static discard route to install it:

routing-options {
    static {
        route 1.1.1.0/24 discard;
    }
}

The condition checks whether the route 192.168.1.0/24 exists in table inet.0; if it does, the condition is true and 1.1.1.0/24 is advertised:

root@SRX-1> show route protocol bgp 192.168.1.0/24

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[BGP/170] 11w1d 04:31:28, MED 1376000, localpref 100
                      AS path: ?
                    > to 172.16.0.2 via ge-0/0/8.0

root@SRX-1> show route advertising-protocol bgp 200.200.200.1

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 1.1.1.0/24              Self                                    I

If we stop receiving the 192.168.1.0/24 route for whatever reason (simulated here by disabling the trust interface), the route advertised to AS1111 disappears:

root@SRX-1> edit
Entering configuration mode

[edit]
root@SRX-1# set interfaces ge-0/0/8 disable

[edit]
root@SRX-1# commit
configuration check succeeds
commit complete

[edit]
root@SRX-1# exit
Exiting configuration mode

root@SRX-1> show route protocol bgp 192.168.1.0/24

root@SRX-1> show route advertising-protocol bgp 200.200.200.1

When I roll back the configuration the route reappears:

root@SRX-1> edit
Entering configuration mode

[edit]
root@SRX-1# rollback 1
load complete

[edit]
root@SRX-1# commit
configuration check succeeds
commit complete

[edit]
root@SRX-1# exit
Exiting configuration mode

root@SRX-1> show route protocol bgp 192.168.1.0/24

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[BGP/170] 11w1d 04:31:28, MED 1376000, localpref 100
                      AS path: ?
                    > to 172.16.0.2 via ge-0/0/8.0

root@SRX-1> show route advertising-protocol bgp 200.200.200.1

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 1.1.1.0/24              Self                                    I
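To make the policy logic concrete, here is a small Python model of the export policy and condition shown above, evaluated against a route table that is present and then withdrawn. It is an added example, not code from the original post or from Junos: the route table is constructed from the prefixes on this page, and check_route, conditional_route, advertised_to_peer and withdraw are names chosen for the illustration.

```python
import ipaddress

# Constructed inet.0 modelled on the page's "show route" output: prefix -> (protocol, next hop).
# 192.168.1.0/24 is the iBGP-learned route the condition watches; 1.1.1.0/24 is the discard route.
INET0 = {
    "192.168.1.0/24": ("BGP", "172.16.0.2"),
    "1.1.1.0/24": ("Static", "discard"),
    "172.16.0.0/24": ("Direct", "ge-0/0/8.0"),
    "200.200.200.0/30": ("Direct", "ge-0/0/4.0"),
}


def check_route(table):
    """Model of: condition check_route { if-route-exists { 192.168.1.0/24; table inet.0; } }"""
    return "192.168.1.0/24" in table


def conditional_route(table, prefix):
    """Model of policy-statement conditional_route evaluated for one candidate prefix."""
    # term 1 { from { route-filter 1.1.1.0/24 exact; condition check_route; } then accept; }
    if ipaddress.ip_network(prefix) == ipaddress.ip_network("1.1.1.0/24") and check_route(table):
        return "accept"
    # then reject;  -- the unnamed final action: nothing else leaves this group
    return "reject"


def advertised_to_peer(table):
    """Prefixes that survive the export policy towards neighbor 200.200.200.1 in AS1111."""
    return sorted(p for p in table if conditional_route(table, p) == "accept")


def withdraw(table, prefix):
    """Return a copy of the table without prefix, as when the iBGP route disappears."""
    return {p: r for p, r in table.items() if p != prefix}


if __name__ == "__main__":
    print(advertised_to_peer(INET0))                              # ['1.1.1.0/24']
    print(advertised_to_peer(withdraw(INET0, "192.168.1.0/24")))  # []
```

The final reject is what keeps the directly connected and iBGP prefixes from leaking to the partner AS; only the discard-seeded 1.1.1.0/24 is ever accepted, and only while the watched route is present.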

From here, let’s configure the NAT and policies:

security {
    nat {
        static {
            rule-set untrust {
                from zone untrust;
                rule app {
                    match {
                        destination-address 1.1.1.1/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.1/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/4.0 {
                address {
                    1.1.1.1/32;
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy allow-app {
                match {
                    source-address any;
                    destination-address server-192.168.1.1/32;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* must be the translated (post-NAT) address, since the policy lookup happens after static NAT */
                address server-192.168.1.1/32 192.168.1.1/32;
            }
        }
    }
}

On a typical packet-based Junos router, the discard route would drop all traffic destined to 1.1.1.0/24. So why does this work on the SRX? The key point is when flow-based Junos performs the route lookup:

The route lookup is performed after static NAT is applied. In this case the SRX first translates the destination to 192.168.1.1, and only then performs the route lookup. The translated packet therefore matches the 192.168.1.0/24 route rather than the discard route, and the SRX forwards it. Traffic to any other address in 1.1.1.0/24 has no static NAT rule, so it still hits the discard route. The security policy lookup also happens after destination NAT, which is why the policy's address-book entry must refer to the translated address 192.168.1.1.
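The following Python model of the two processing orders is an added example, not code from the original post or from Juniper. The routes, zones, NAT rule and policy are constructed from the page's configuration, and route_lookup, router_order and flow_order are illustrative names. The address-book value is a parameter so that the effect of an entry that does not match the translated address can be shown.

```python
import ipaddress

# Constructed model of the SRX's inet.0, built from the prefixes the page uses:
# the discard route that seeds 1.1.1.0/24 plus the real forwarding routes.
ROUTES = {
    "1.1.1.0/24": "discard",           # static discard route
    "192.168.1.0/24": "ge-0/0/8.0",    # BGP route via 172.16.0.2 (trust side)
    "172.16.0.0/24": "ge-0/0/8.0",     # directly connected, trust
    "200.200.200.0/30": "ge-0/0/4.0",  # directly connected, untrust
}
ZONE_OF = {"ge-0/0/4.0": "untrust", "ge-0/0/8.0": "trust"}

# security nat static rule-set untrust rule app: 1.1.1.1/32 -> 192.168.1.1/32
STATIC_NAT = {"1.1.1.1": "192.168.1.1"}

# address-book entry and the untrust->trust policy that references it
ADDRESS_BOOK = {"server-192.168.1.1/32": "192.168.1.1/32"}
POLICIES = [("untrust", "trust", "server-192.168.1.1/32", "permit")]


def route_lookup(dst):
    """Longest-prefix match; returns the next hop, or None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def router_order(dst):
    """Packet-based forwarding: the route lookup sees the untranslated destination."""
    next_hop = route_lookup(dst)
    if next_hop in (None, "discard"):
        return "discard"
    return f"forward via {next_hop}"


def flow_order(dst, from_zone, address_book=ADDRESS_BOOK):
    """Flow-based SRX order for a new session: static NAT, then route lookup, then policy."""
    translated = STATIC_NAT.get(dst, dst)        # 1. static (destination) NAT, if a rule matches
    next_hop = route_lookup(translated)          # 2. route lookup on the translated address
    if next_hop in (None, "discard"):
        return ("drop", f"route lookup for {translated} hit {next_hop}")
    to_zone = ZONE_OF[next_hop]                  # 3. egress zone from the egress interface
    for fz, tz, book_entry, action in POLICIES:  # 4. policy match on the post-NAT address
        if (fz, tz) == (from_zone, to_zone) and \
           ipaddress.ip_address(translated) in ipaddress.ip_network(address_book[book_entry]):
            return (action, f"{fz}->{tz} policy, destination {translated}")
    return ("deny", f"no {from_zone}->{to_zone} policy matched {translated}")


if __name__ == "__main__":
    print(router_order("1.1.1.1"))                # discard: lookup happens before any NAT
    print(flow_order("1.1.1.1", "untrust"))       # permit: NAT happened before the lookup
    print(flow_order("1.1.1.2", "untrust"))       # drop: no NAT rule, so the discard route applies
    # An address-book entry that names the wrong host never matches the translated packet
    print(flow_order("1.1.1.1", "untrust", {"server-192.168.1.1/32": "192.168.99.1/32"}))
```

Running the block shows the two properties a defender cares about: only the single address with a static NAT rule is reachable, the rest of the advertised /24 still falls into the discard route, and a policy whose address-book entry does not equal the post-NAT address silently denies the session.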

Please feel free to leave comments and questions below.