Junos Basics – OSPF

Oh, my.  Another Junos post.  Somebody stop me before I get my JNCIA!

This isn’t hard stuff at all.  I’m sure there are a couple of cool tricks I don’t know yet, but let’s try anyway.  I”m working on an SRX240 here running 11.1 and some change.

Let’s put interfaces ge-0/0/0.0 and lo0.0 in OSPF area 0. If you know the Junos configuration hierarchy, this will be very easy to you. Even if you don’t, you can stare at the config for a little bit and see what we’re doing.

set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0

This is the only OSPF configuration you need, but guess what?  It won’t work.  Since a Junos device is also a firewall, it will drop OSPF packets as they come into the interface; you have to declare that you do indeed want to accept OSPF packets.  You do this by creating a security zone, putting the right interfaces in the right zone, and then enabling OSPF on that zone.

We’ll create a zone called INSIDE for our purposes here.  Note that there are about billion more steps (I counted) to fully configure your security zones, but that’s way beyond our scope here.

set security zones security-zone INSIDE
     interfaces ge-0/0/0.0
set security zones security-zone INSIDE
     interfaces lo0.0
set security zones security-zone INSIDE
     host-inbound-traffic protocols ospf

You can also allow OSPF on specific interfaces like this. These commands will also put those interfaces in the right security zone.

set security zones security-zone INSIDE
     interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf
set security zones security-zone INSIDE
     interfaces lo0.0 host-inbound-traffic protocols ospf

I’m not sure if you need to do this to lo0.0, but it won’t hurt.

Now you can see your OSPF neighbors come up and start exchanging routing information.  That is, of course, assuming you did everything else right.

Send any blog deadlines questions my way.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

More Posts - Website

6 comments for “Junos Basics – OSPF

  1. January 31, 2012 at 22:16

    So, just a quick clarification :)

    All JunOS isn’t like that – only the devices operating in flow mode by default (like SRX).

    If wanted the SRX to operate in packet mode (more like a router – M/MX/etc), you can flip it to do so (not that you’d want to, if you got the SRX with the intention of using it as a firewall):

    delete security
    set security forwarding-options family inet6 mode packet-based
    set security forwarding-options family mpls mode packet-based

  2. January 31, 2012 at 23:27

    Hey mate, great post. I would just like to point out one thing that many new Junos converts dont realise (especially if they start out with SRX).

    The problem you state about the firewall rules requirement is because the SRX by default (and later version J-Series) runs in Flow-Mode. In this mode all traffic through the device is subject to security policy.

    This feature can be disabled (and you should if you are studying for the -ENT track) by deleting the security section of the config then creating the “security forwarding-options” as per http://juniper.cluepon.net/index.php/Enabling_packet_based_forwarding .

    When the SRX is set to packet-mode it will operate like a regular router like we all expect.

  3. RFairclough
    February 1, 2012 at 08:07

    Remember interface specific statements will over-ride your zone configuration.
    Pretty sure your lo0 doesn’t need to be in a zone, however good to make it passive otherwise it does wait out the election period.
    Best thing to do with OSPF is create a group enabling BFD on every interface. Group automation is great!

  4. February 1, 2012 at 09:17

    Andrew and Kurt: Thanks for the input, guys. I had no idea about the packet versus flow modes. Time to go for some training, then, eh? :)

    RFairclough: Thanks for those bits of information. Those are the details that I’m just not sure of since I’ve been doing Junos for just over 2 months now. LOL

  5. Ralph Rye
    February 1, 2012 at 10:45

    Aaron,

    Nice post. Studying for my JNCIE-ENT right now so I am keep an eye out for any Junos blog posts.

    It would also be good to point out to Cisco converts that including a interface under an area injects that connected IP subnet into OSPF and enables that interface to send/receive Hellos to form a neighbor relationship. If you want to include a directly connected subnet into OSPF but not allow the interface to form a neighbor relationship, simply add the passive option.

    protocols {
    ospf {
    area 0.0.0.0 {
    interface ge-0/0/0.0;
    interface ge-0/0/1.0 {
    passive;
    }
    }
    }
    }

  6. February 2, 2012 at 20:08

    Listen man, Uncle Chambers is getting pretty heated about all this J*Nip3r stuff.

    And, it is making me jealous because I don’t get to work with any Juniper kit!

    Anyway – when is the JNICA-JUNOS scheduled? :) I have to recert JNCIA so keep the posts coming.

Leave a Reply

Your email address will not be published. Required fields are marked *