{"id":1538,"date":"2009-02-06T20:38:43","date_gmt":"2009-02-06T19:38:43","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/"},"modified":"2009-02-06T20:38:43","modified_gmt":"2009-02-06T19:38:43","slug":"juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/","title":{"rendered":"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP"},"content":{"rendered":"

Introduction<\/h3>\n

As you most likely already know, Juniper screenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP).  These protocols can be used to build very powerful and redundant networks,  however there are some screenos specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and configuration of your Juniper device.  <\/p>\n

In today\u2019s scenario, we\u2019ll look at setting up the following network topology :<\/p>\n

\"image\"<\/a><\/p>\n

The primary datacenter is the main location where servers, services and resources are hosted. In case of a disaster, the secondary datacenter will take over.<\/p>\n

The primary datacenter and the secondary datacenter are interconnected with a direct link.  Router-A and Router-B use BGP to exchange routing information.  These 2 routers are managed by a third party ISP. The ISP only allows you, the customer, to talk OSPF with these routers.  They have agreed with you to set up OSPF area 0 between their router and your Juniper firewall, in each datacenter.<\/p>\n

Both the primary and secondary datacenter have an internet connection. The internet routers are managed by the ISP.  The ISP uses BGP internally, but they don\u2019t allow you, the customer, to talk BGP with these routers.  The internet connection in the primary datacenter must be the first connection used. When the internet connection in the main site goes down (and only when the internet connection in the main site goes down) the internet connection in the secondary datacenter must be used.  The ISP has agreed to set up OSPF area 1 between their router and your Juniper firewall. They have committed to advertise a default gateway into OSPF area 1 in each site. In the main site, this default gateway will have cost 20, in the secondary site this default gateway will have a higher cost.  If a specific internet connection goes down, they will no longer advertise the default gateway for that link into OSPF.<\/p>\n

The internet ISP does not want you to advertise anything back into OSPF area 1.<\/p>\n

Each datacenter has a connection to a WAN.  At the same time, 2 remote sites are connected to the WAN as well.  All of the WAN routers are exchanging routing information with BGP.  The goals is to make sure the WAN link in the primary datacenter is used first. When this link is down, the WAN connection in the secondary datacenter must be used as route to reach both the primary LAN and secondary LAN.  The ISP has agreed to form eBGP between your firewall and their router, in each site.  They do not want you, however, to advertise a default gateway to them, and you don\u2019t want to a receive a default gateway from them.<\/p>\n

All of the failover and failback scenario\u2019s must happen dynamically and automatically.  You cannot use static routes, all networks must be routed and advertised dynamically.<\/p>\n

There are a couple of ways to get this to work, but in this scenario I\u2019ll use do everything purely based on routing and routing protocols.<\/p>\n

 <\/p>\n

Scope of work<\/h3>\n

First, let\u2019s have a closer look at the primary datacenter :<\/p>\n

\"image\"<\/a> <\/p>\n

 <\/h3>\n

Based on the information from the introduction : this is what we know : <\/p>\n

we must set up OSPF (area 1) between Juniper and internet ISP router, eBGP with the WAN provider router and OSPF area 0 with router-A (connection to the other datacenter). So we need to configure two OSPF areas and one BGP AS on the Juniper firewall.<\/p>\n

The desired functionality for each area \/ protocol is :<\/p>\n

OSPF area 1 : the ISP will advertise a default gateway when the internet connection is up.<\/p>\n

eBGP : remote networks will be advertise to us, and we need to advertise our networks back<\/p>\n

OSPF area 0 : the two routers will advertise all networks (connected and anything that is advertised into OSPF area 0) to all neighbors.  We need to advertise routes coming from eBGP into OSPF area 0, and we need to advertise the default gateways learned via <\/p>\n

OSPF 0 into area 1 as well.<\/p>\n

 <\/p>\n

Sound simple<\/h3>\n

Good news - Juniper screenOS supports all of the above areas and protocols. You can set up multiple areas in one Juniper device and BGP at the same time.  <\/p>\n

But if you put all of it into one vrouter, you will encounter the following problem :<\/p>\n

At a certain point, you will have to redistribute routes learned via eBGP (from the remote locations) into OSPF area 0 and only into area 0. However, you cannot do this. In ScreenOS, you can only redistribute the routes into OSPF without making a differentiation per area. So when you try to add the routes to OSPF area 1, you will add the routes into OSPF area 0 as well, and this is not what we want. In fact, the ISP specifically told us not to do this.  (And it would be a bad bad idea to advertise private ranges to an internet provider.  Most ISPs block private ranges on their perimeter, but some allow private ranges in their internal networks. And if multiple clients would start advertising internal routes into the ISP backbone, it may become messy.  Of course, you could ask your ISP if they could stop routes from being advertised into OSPF area 1, but it is a lot safer not having to rely on the ISP for this.<\/p>\n

 <\/p>\n

Solution ?<\/h3>\n

One way of doing this is by using 2 vrouters. If you had already set up your firewall with one vrouter, you can still change the setup.  If you are still in design phase, then you\u2019re good to go.<\/p>\n

In this scenario, we\u2019ll use the default \u201ctrust-vr\u201d for eBGP and OSPF area 1 (because we need to advertise all internal\/remote networks to each other anyway), and we\u2019ll use a new vrouter called \u201cinternet-vr\u201d for OSPF area 0.  <\/p>\n

This will allow us to properly distribute routes from eBGP into area 0 and routes from area 0 into eBGP, limiting the internal\/remote networks to eBGP\/OSPF Area 0 only.  <\/p>\n

In addition to this, we have to make sure to get the default gateway advertised as well, in a dynamic way. We cannot use a static default route in trust-vr that points to internet-vr (because it is static); and we cannot use the vrouter option to automatically advertise the default gateway to another vrouter either, because that option will result in putting a static route in trust-vr. The  default route would not disappear when the default gateway is not being advertised anymore by the internet ISP.  So we\u2019ll export the default gateway manually.<\/p>\n

So we need 2 vrouters, and we\u2019ll create 3 zones : Public, WAN and LAN (each with one of the interfaces bound to the corresponding zone. Eth0\/0 is LAN, Eth0\/1 is WAN, Eth0\/2 is Internet)<\/p>\n

We need to follow the same steps for datacenter 2, but we need to increase costs\/metrics so routes in datacenter 2 are only used as secondary route. (see later)<\/p>\n

 <\/p>\n

Setup primary datacenter<\/h3>\n

First of all, set up the new vrouter, create a zone and put the corresponding interface in the zone and set up IP addresses :<\/p>\n

\n
set vrouter name internet-vr\n\nset zone name Public\nset zone name WAN\nset zone name LAN\n\nset zone WAN vrouter trust-vr\nset zone LAN vrouter trust-vr\nset zone Public vrouter internet-vr\n\nset int<\/span> eth0\/0 zone LAN\nset int<\/span> eth0\/1 zone WAN\nset int<\/span> eth0\/2 zone Public\n\nset int<\/span> eth0\/0 ip 192.168.0.254\/24\nset int<\/span> eth0\/0 route\nset int<\/span> eth0\/1 ip 192.168.136.1\/24\nset int<\/span> eth0\/1 route\nset int<\/span> eth0\/2 ip 1.1.1.1\/24\nset int<\/span> eth0\/2 route<\/pre>\n<\/div>\n
Set up OSPF with the internet provider (on vrouter internet-vr, via interface eth0\/2). Despite the fact that I\u2019m not using md5-authentication in this example, I would strongly advise you to use md5 authentication in this area (or all areas for that matter)<\/p>\n
\n
set vrouter internet-vr
set preference ospf 20\nset router-id 1.1.1.1\nset proto ospf\nset enable\nset area 0.0.0.1\nexit\nexit\n\nset interface<\/span> eth0\/2 proto ospf area 0.0.0.1\nset interface<\/span> eth0\/2 proto ospf enable<\/pre>\n<\/div>\n
If the ISP has set up their side of the OSPF, a neighborship will be formed and the default gateway is now added into the RIB of vrouter internet-vr<\/p>\n
Now we need to advertise this default route to trust-vr, making sure that this advertisement is dynamic.  In order to do this, we need to use an access-list, route-map and export command :<\/p>\n
\n
set vrouter internet-vr\nset access-list 1\nset access-list 1 permit default<\/span>-route 10\nset route-map name "DefGWToTrust"<\/span> permit 10\nset match ip 1\nexit\n\nset export-to vrouter "trust-vr"<\/span> route-map "DefGWToTrust"<\/span> protocol ospf<\/p><\/pre>\n<\/div>\n
This will make sure the default gateway is added to vrouter trust-vr and if the ISP does no longer advertise the default gateway, it will no longer get advertised to trust-vr either.<\/p>\n
 <\/p>\n
Since we have set the the ospf preference to 20 in the main site (internet-vr), the default gateway advertised by the ISP will have a cost of 20 (in the internet-vr vrouter).  If you look at the routing table of internet-vr, you should see the default gateway, a host route (for 1.1.1.1) and a connected subnet route (for 1.1.1.0).  If we want the default route to have a cost 20 in trust-vr as well, we need to set the preference for imported routes to 20 in trust-vr :<\/p>\n
\n
set vrouter "trust-vr"<\/span>\nunset auto-route-export\nset preference imported 20<\/pre>\n<\/div>\n
 <\/p>\n
If you look at the routing table of trust-vr, you should see a default route, towards vrouter internet-vr, with a cost of 20.  <\/p>\n
\n
get vrouter trust-vr route protocol imported\n\nH: Host C: Connected S: Static A: Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\nN: NHRP\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2 trailing B: backup route\n\nTotal 20\/max entries\n\n         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys\n--------------------------------------------------------------------------------------\n*        32          0.0.0.0\/0            n\/a      internet-vr E1I   20     11     Root<\/pre>\n<\/div>\n
Hooray, theoretically, we could start creating policies to allow access to the internet.  Keep in mind : all interfaces are in route mode, so don\u2019t forget to specify \u201cnat src\u201d in your policies between LAN and Public (or WAN and Public if that is what you want to do)<\/p>\n
(I\u2019ve kept the policies-part out of scope for this scenario, I\u2019m sure you can figure this out yourself.)<\/p>\n
Now we are ready to set up eBGP with the WAN provider.  The WAN provider has assigned private AS number 65005 to your primary datacenter and private AS 65010 to the secondary datacenter.  The WAN provider uses AS 65000 on their routers.<\/p>\n
\n
set vrouter trust-vr\nset router-id 192.168.136.1\nset proto bgp 65005\nset reject-default<\/span>-route\nset enable\nset neighbor 192.168.136.2 remote-as<\/span> 65000\nset neighbor 192.168.136.2 md5-authentication BlahBlahBlahChooseAStrongMD5String\nset neighbor 192.168.136.2 reject-default<\/span>-route \nset neighbor 192.168.136.2 enable<\/p>
unset sync\nexit\n<\/p><\/pre>\n<\/div>\n
 <\/div>\n
Next, enable BGP on the WAN zone interface :<\/div>\n
\n
set int<\/span> e0\/1 proto bgp<\/pre>\n<\/div>\n
The eBGP neighbors are now converging. When they are converged, the BGP neighbor should be in state ESTABLISH.<\/p>\n
\n
get vrouter trust-vr proto bgp neighbor \n\nPeer AS Remote IP       Local IP          Wt Status   State     ConnID Up\/Down\n--------------------------------------------------------------------------------------\n  65000 192.168.136.2   192.168.136.1    100 Enabled  ESTABLISH      5 23:45:01<\/pre>\n<\/div>\n
 <\/p>\n
Next, set up OSPF area 1<\/p>\n
\n
set vrouter trust-vr\nset proto ospf\nset enable\nset area 0.0.0.1\n\nset int<\/span> e0\/0 proto ospf area 0.0.0.1\nset int<\/span> e0\/0 proto ospf enable<\/pre>\n<\/div>\n
 <\/p>\n
Route Redistribution<\/h3>\n
First, we\u2019ll redistribute routes learned via eBGP into OSPF (in vrouter trust-vr. Since there is only one area in this vrouter, all routes can and will be redistributed into this area). Since we want to keep the number of access-lists and route maps to an absolute minimum, we\u2019ll also advertise the default gateway (imported from internet-vr) into OSPF at the same time<\/p>\n
\n
set vrouter trust-vr\nset access-list 1 permit 0.0.0.0\/0 10\nset route-map name \u201cInjectRoutesintoOSPF\u201d permit 10\nset match ip 1\nexit\nset proto osp\nset redistribute route-map InjectRoutesintoOSPF proto bgp\nset redistribute route-map InjectRoutesIntoOSPF proto imported\nexit<\/pre>\n<\/div>\n
Note that we do not need to redistribute the connected network in our case, because the provider that manages router-A and router-B is already advertising the connected routes to each other.  If that would not be the case, you could simply add \u201cset redistribute route-map InjectRoutesIntoOSPF proto connected\u201d to the command list as well.<\/p>\n
At this point, both the networks learned via BGP and the default gateway is advertised to OSPF area 1.  <\/p>\n
Now we need to advertise the routes learned via OSPF area 1 into BGP :<\/p>\n
We won\u2019t use an access-list or route-map for this, we\u2019ll advertise the local networks to BGP via the \u201cnetwork\u201d statement :<\/p>\n
\n
set vrouter trust-vr\nset proto bgp\nset network 192.168.0.0\/24\nset network 192.168.1.0\/24\nexit<\/pre>\n<\/div>\n
(you don\u2019t need an access-list to redistribute the routes, however if you want to alter BGP attributes, you will need an access-list and route-map)<\/p>\n
 <\/p>\n
Setup secondary datacenter<\/h3>\n
The setup in the secondary datacenter is almost exactly the same.  The main differences are (assuming that you know that the router-id, neighbor ip\u2019s , interface IP\u2019s, remote-as numbers etc need to be set to the local addresses)<\/p>\n
1. routes advertised from eBGP to OSPF area 1 must have a higher cost than the routes that are redistributed from eBGP into OSPF area 1 in the first datacenter.  You can do this by setting the OSPF preference in vrouter trust-vr on the firewall in the 2nd datacenter, making sure that it has a higher value than the routes that arrrive from the first datacenter.  Review the cost of the routes as they are injected by the provider from BGP to OSPF area 1 in the second datacenter and then make sure the preferences of OSPF area1 is higher than that value.<\/p>\n
2. default route advertised must have a higher cost than the default gateway that is export from internet-vr to trust-vr and then redistributed into area 1. This can be achieved by setting the imported preference in vrouter trust-vr to a higher value than the value on the firewall in the first datacenter<\/p>\n
3. routes advertised to the WAN provider (redistribution into eBGP) must be used as a backup route. This can be achieved by either asking your ISP to prepend the AS path (so the path is at least one AS longer than the path that is advertised via the first datacenter), or to use an access-list\/route map for redistributing the networks into BGP and setting some attributes (a higher metric\/med value) in the route-map. Either way should work.  <\/p>\n
Note : if you want to AS prepend routes yourself, you need to create an as-path-access-list in the bgp instance. so instead of creating an access-list in the vrouter, you need to enter the bgp config and create a as-path-access-list. Suppose you want to prepend 65010 twice to the eBGP redistribution in the secondary datacenter (so the AS_Path becomes larger than the path that is advertised via eBGP in the main datacenter), you can do this :<\/p>\n
\n
set vrouter trust-vr\nset proto bgp 65010\nset as<\/span>-path-access-list 10 permit "65010 65010"<\/span>\nset neighbor 192.168.137.2 remote-as<\/span> 65000\nset neighbor 192.168.137.2 md5-authentication BlahBlahBlahChooseAStrongMD5String\nset neighbor 192.168.137.2 enable\nset neighbor 192.168.137.2 route-map "ASPrependBGP"<\/span> out<\/span>\nset network 192.168.0.0\/24\nset network 192.168.1.0\/24\nexit\n\nset vrouter trust-vr\nset access-list 10 permit ip 192.168.0.0\/24 1\nset access-list 10 permit ip 192.168.1.0\/24 2\nset route-map name "ASPrependBGP"<\/span> permit 10\nset match ip 10\nset as<\/span>-path 10<\/pre>\n<\/div>\n
The last statement refers to the as-path access list.<\/p>\n
Make sure only to prepend your own AS number.  If you are changing an existing neighbor, you may have to disable and enable the BGP instance before you will see the changes.<\/p>\n
When the second datacenter has been set up, there will be 2 default gateways in OSPF area 1 : one with cost 20, pointing to datacenter 1, and one with a higher cost, pointing to datacenter 2.  Furthermore, the routes to the remote networks will be in the routing table twice as well : one with a lower cost and one with a higher cost.  And on the WAN, the networks from datacenter 1 and 2 will be added twice. Depending on the solution you have implemented, one will either have a higher metric or a longer AS path.<\/p>\n
Note : in the example above, the AS prepend will be applied to all outgoing redistributions.  You can also apply the route-map on an individual network instead,  (e.g. set network 192.168.0.0\/24 route-map \u201cASPrependBGP\u201d)<\/p>\n
 <\/p>\n
 <\/p>\n
Test failover<\/h3>\n
What will happen if<\/p>\n
- internet goes down in datacenter 1 ?   <\/p>\n
The ISP no longer advertises the default gateway to OSPF area 0 (internet-vr). This default gateway is no longer exported to trust-vr and thus no longer redistributed into OSPF area 1.  Only a couple of seconds after the internet connection went down, all traffic to the internet is redirected to the firewall in datacenter 2.<\/p>\n
- WAN connection goes down in datacenter 1 ?  <\/p>\n
The 2 local network are no longer advertised via eBGP into the WAN network, and the remote networks cannot be advertised into eBGP to the primary datacenter. The WAN will now use the routes that are advertised from datacenter 2. All traffic between the networks from the two datacenters and the remote networks will use the WAN link in datacenter 2.  This failover process takes a little longer (20 to 30 seconds), but it will work automatically.<\/p>\n
If one of these connections becomes active again, the route advertisements will take place again, and the routing will be restored automatically.  In case of internet traffic, this will happen quite fast. In case of the WAN connection, it will take a little longer. But again, it will work just fine.<\/p>\n
 <\/p>\n
 <\/p>\n
Some Notes on track-ip<\/h3>\n
In case you want to use track-ip, keep in mind<\/p>\n
- to specify a manage-ip on the interface that you want to use to monitor a remote IP address with.  This IP must be different from the interface IP. If you don\u2019t do this, traffic may failover to the backup route, but it may not get back online when the original link is active again.<\/p>\n
- to specify a host route (\/32) towards the IP that you want to monitor, and send traffic for this host towards the gateway that you are using when normal routing is up.  Set the default route static but not permanent, and set the host route \u201cstatic and permanent\u201d.  Sounds complicated, but it makes a lot of sense : <\/p>\n
Suppose eth0\/0 is connected to the internet.  The default route (static, non-permanent) points to the internet router (1.1.1.1).  The firewall has a second default route (with higher cost) that points to another router, in another zone if you want, via another interface. The idea is to bring down the default route when the primary internet link goes down, and to route traffic via the second router.  When the primary link is active again, this original default route must be used again.<\/p>\n
So you have decided to enable track-ip on ethernet0\/0, pinging 3.3.3.3 (a host on the internet). <\/p>\n
When the firewall cannot reach the track-ip IP address anymore (3.3.3.3), this interface will go down, and so will the associated default route.  The second default route comes active and access to the internet is rerouted via the second link. <\/p>\n
At this point, track-ip will also follow the routing table. So you would have 2 possible scenario\u2019s :<\/p>\n
- track-ip can now ping the monitored IP again via the backup link, and the interface will come active again (and so will the associated default route). But if the local internet connection is still down, track-ip will put the interface down again. This process will be repeated over and over again until the local internet connection is up again. So you\u2019ll have a flapping default route, causing a lot of problems.<\/p>\n
- track-ip can no longer ping the monitored IP, because the second route has another firewall that does not allow the monitored IP to be pinged, or the second route does not know how to handle traffic for the public IP on the firewall eth0\/0 interface. EIther way, the original default route is down, the backup default route does not allow ping and track-ip will never be able to bring the interface up again. Result : traffic is rerouted via the backup route, but traffic will not be reverted back to the primary link when the primary link is up. This is a problem as well.  This scenario will always occur if you only have one default route in your routing table.<\/p>\n
Conclusion : you need to put in a static and permanent route.   So if you are monitoring ip 3.3.3.3, and if your primary link uses ethernet0\/0, via internet router 1.1.1.1, you need to add a host route :<\/p>\n
set route 3.3.3.3\/32 interface eth0\/0 gateway 1.1.1.1 preference 20 permanent<\/em><\/p>\n
This will ensure that the local route towards to monitored IP will still be up, even when the interface is down.  Internet will be redirected towards the backup link (if any), and as soon as the local internet connection is up again, track-ip will be able to ping 3.3.3.3 and the interface will be brought online again.  The default route will be put in place again, and traffic will be routed over the primary link again.<\/p>\n
In case you don\u2019t know how to set up track-ip :<\/p>\n
First, set up a separate manage-ip on the interface<\/p>\n
Next, enable track-ip :<\/p>\n
\n
set interface<\/span> ethernet0\/0 monitor track-ip ip 3.3.3.3 interval 5 threshold 7 weight 1\nunset interface<\/span> ethernet0\/0 monitor track-ip dynamic\nset interface<\/span> ethernet0\/0 monitor track-ip<\/pre>\n<\/div>\n
The threshold is the number of pings that must fail before track-ip is in failed state.<\/p>\n
The internal is the number of seconds to wait between two pings.<\/p>\n
In our example, a ping will be performed every 5 seconds. When the ping has failed 7 times, the weight is set to 1 and the interface will go down.<\/p>\n
You can specify multiple IP\u2019s to ping.  The results of all IP\u2019s will be summed.<\/p>\n
The default weight is 255. This means that the sum of the failures of all IP\u2019s that are monitored must reach 255 to put the interface in a down state.  In my example, the weigth is set to 1.<\/p>\n
You can get the status and some statistics on track-ip using<\/p>\n
\n
get int<\/span> e0\/0 monitor track-ip<\/pre>\n<\/div>\n
 <\/p>\n
Final note :<\/h3>\n
This blog post does not intend to be the one-and-only solution for this network scenario. You could use track-ip and some other functionalities within screenOS to build similar redundant networks as well.  It\u2019s just an example of what you can do and how you should design your vrouters, routing protocol parameters, etc<\/p>\n","protected":false},"excerpt":{"rendered":"
Introduction As you most likely already know, Juniper screenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP).  These protocols can be used to build very powerful and redundant networks,  however there are some screenos specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and … Continue reading \"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[554,164],"tags":[3742,3735,1308,1307],"class_list":["post-1538","post","type-post","status-publish","format-standard","hentry","category-juniper","category-networking","tag-networking","tag-juniper-netscreen-screenos","tag-bgp","tag-autonomous-system"],"yoast_head":"\nJuniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP - Corelan | Exploit Development & Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP - Corelan | Exploit Development & Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Introduction As you most likely already know, Juniper screenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP).  These protocols can be used to build very powerful and redundant networks,  however there are some screenos specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and … Continue reading "Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP"\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development & Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2009-02-06T19:38:43+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/06\\\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/06\\\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP\",\"datePublished\":\"2009-02-06T19:38:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/06\\\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\\\/\"},\"wordCount\":3238,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"networking\",\"juniper netscreen screenos\",\"bgp\",\"autonomous system\"],\"articleSection\":[\"Juniper\",\"Networking\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/06\\\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/06\\\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\\\/\",\"name\":\"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP - Corelan | Exploit Development & Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2009-02-06T19:38:43+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/06\\\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/06\\\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/06\\\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP - Corelan | Exploit Development & Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/","og_locale":"en_US","og_type":"article","og_title":"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP - Corelan | Exploit Development & Vulnerability Research","og_description":"Introduction As you most likely already know, Juniper screenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP).  These protocols can be used to build very powerful and redundant networks,  however there are some screenos specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and … Continue reading \"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP\"","og_url":"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/","og_site_name":"Corelan | Exploit Development & Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2009-02-06T19:38:43+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP","datePublished":"2009-02-06T19:38:43+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/"},"wordCount":3238,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"keywords":["networking","juniper netscreen screenos","bgp","autonomous system"],"articleSection":["Juniper","Networking"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/","url":"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/","name":"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP - Corelan | Exploit Development & Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2009-02-06T19:38:43+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/06\/juniper-sreenos-building-redundant-multi-exitpoint-isp-routing-failover-using-multiple-ospf-areas-and-ebgp\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":16378,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1538","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=1538"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1538\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=1538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=1538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=1538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}