Evil TTL - Network Solutions
Evil TTL   >   Enabling ECMP on Juniper SRX

Evil_TTL> show | s

Enabling ECMP on Juniper SRX

Category:Juniper -> Security

The prerequisite for enabling BGP ECMP on Juniper SRX is to have two equal cost paths. By default, only one of them is installed in the routing table. To have both routes installed, a multipath must be configured.

For example:

set logical-systems <LSYS_NAMErouting-instances <VIRTUAL_ROUTER_INSTANCE_NAMEprotocols bgp group <BGP_GROUP_NAMEmultipath 

Before multipath:

0.0.0.0/0          *[BGP/170] 00:20:21localpref 100
     AS path65404 65402 65000 Ivalidation-stateunverified
     to 192.168.1.6 via reth2.101
     [BGP/170] 00:04:31localpref 100
     AS path65404 65402 65000 Ivalidation-stateunverified
     to 192.168.1.2 via reth2.100 

After multipath:

0.0.0.0/0          *[BGP/170] 00:18:11localpref 100
     AS path65404 65402 65000 Ivalidation-stateunverified
     to 192.168.1.6 via reth2.101
     to 192.168.1.2 via reth2.100
     [BGP/170] 00:44:31localpref 100
     AS path65404 65402 65000 Ivalidation-stateunverified 

We just installed the second route into the routing table but there won’t be any ECMP happening yet. These routes must be exported into the forwarding table:

set logical-systems <LSYS_NAMEpolicy-options policy-statement ECMP then load-balance per-packet
set logical-systems <LSYS_NAMErouting-options forwarding-table export ECMP 

NOTE. One has to omit “routing-instance” statement for forwarding-table export because there is no “export” option from under the routing-instance:

test@# set logical-systems <LSYS_NAME> routing-instances <VIRTUAL_ROUTER_INSTANCE_NAME> routing-options forwarding-table ?
apply-groups         Groups from which to inherit configuration data
apply-groups-except  Don't inherit configuration data from these groups
> ip-tunnel-rpf-check  IP tunnel Reverse Path Forwarding Check
unicast-reverse-path  Unicast reverse path (RP) verification


test@# set logical-systems <LSYS_NAME> routing-options forwarding-table export ?
Possible completions:
<value>              Export policy
(                    Open an expression
ECMP
[                    Open a set of values 

Here is forwarding table after enabling load-balancing:

Logical system: <LSYS_NAME>
Routing table: <VIRTUAL_ROUTER_INSTANCE_NAME>.inet
Internet:
Enabled protocolsBridging,
Destination        Type    RtRef        Next hop           Type Index    NhRef Netif
default            user           0                    ulst  1048574    13
0:aa:bb:cc:40:57   ucst      798     4 reth2.101
0:aa:bb:cc:e:77    ucst      797     5 reth2.100 

This will also ensure IP spoofing to allow traffic across both links.

By privilege15