IPv4 142.90/16 change

Objective

Change the routes TRIUMF advertises to BCNET

Motivation

Releasing parts of the TRIUMF IPv4 142.90/16 for sale.

Present State

TRIUMF currently advertises 142.90.0.0/16; this will change to 142.90.64.0/18 and 142.90.128.0/18.

Procedure

142.90.0.0/16 is used in the following configuration statements on the EX-9208 and SRX-3400:

! EX-9208
! show | display set | match "142.90.0.0/" 

set policy-options prefix-list TRIUMF-142.90 142.90.0.0/16 <-- Not used can be deleted

set policy-options policy-statement aggregate-route term 1 from route-filter 142.90.0.0/16 exact
set policy-options policy-statement into-iBGP term next-hop-self from route-filter 142.90.0.0/16 orlonger
set policy-options policy-statement into-iBGP-ORAN term next-hop-self from route-filter 142.90.0.0/16 orlonger <-- Not used can be deleted

set firewall family inet filter wan_in_from_bcnet term DENY-SPOOF from source-address 142.90.0.0/16
set firewall family inet filter wan_out_to_bcnet_research term PERMIT-TRIUMF from source-address 142.90.0.0/16
set firewall family inet filter wan_out_to_bcnet_commerial term PERMIT-TRIUMF from source-address 142.90.0.0/16

set routing-instances commodity routing-options aggregate route 142.90.0.0/16
set routing-instances ix routing-options aggregate route 142.90.0.0/16
set routing-instances oran routing-options aggregate route 142.90.0.0/16
set routing-instances westgrid routing-options aggregate route 142.90.0.0/16

! SRX-3400
! show | display set | match "142.90.0.0/"
 
set groups Internet-security-policies security policies from-zone <*> to-zone <*> policy deny-port-20031-netvault match destination-address net-triumf_142.90.0.0/16

set security address-book global address net-triumf_142.90.0.0/16 description "TRIUMF address defined by ARIN"
set security address-book global address net-triumf_142.90.0.0/16 142.90.0.0/16
set security address-book global address net-triumf-trusted_142.90.0.0/17 142.90.0.0/17
set security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.0.0/17

set policy-options prefix-list trusted-subnets 142.90.0.0/17
set policy-options policy-statement into-iBGP term next-hop-self from route-filter 142.90.0.0/16 orlonger

set logical-systems CCS security address-book global address net-TRIUMF-MGMT2 142.90.0.0/23
set logical-systems CCS security address-book global address net-triumf-trusted_142.90.0.0/17 142.90.0.0/17
set logical-systems CCS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.0.0/17

set logical-systems CONTROLS security address-book global address net-triumf_142.90.0.0/16 description "TRIUMF address defined by ARIN"
set logical-systems CONTROLS security address-book global address net-triumf_142.90.0.0/16 142.90.0.0/16
set logical-systems CONTROLS security address-book global address net-triumf-trusted_142.90.0.0/17 142.90.0.0/17
set logical-systems CONTROLS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.0.0/17


The first phase is to advertise two more-specific routes, 142.90.64/18 and 142.90.128/18.

!
! EX-9208 changes
!
set routing-instances westgrid  routing-options aggregate route 142.90.64.0/18
set routing-instances westgrid  routing-options aggregate route 142.90.128.0/18

set routing-instances oran      routing-options aggregate route 142.90.64.0/18
set routing-instances oran      routing-options aggregate route 142.90.128.0/18

set routing-instances commodity routing-options aggregate route 142.90.64.0/18
set routing-instances commodity routing-options aggregate route 142.90.128.0/18

set routing-instances ix        routing-options aggregate route 142.90.64.0/18
set routing-instances ix        routing-options aggregate route 142.90.128.0/18

set policy-options policy-statement aggregate-route term 1 from route-filter 142.90.64.0/18 exact
set policy-options policy-statement aggregate-route term 1 from route-filter 142.90.128.0/18 exact

set policy-options policy-statement into-iBGP term next-hop-self from route-filter 142.90.64.0/18  orlonger
set policy-options policy-statement into-iBGP term next-hop-self from route-filter 142.90.128.0/18 orlonger

!
! These are not really necessary at this phase since they are covered by the existing 142.90/16
!
set firewall family inet filter wan_in_from_bcnet term DENY-SPOOF from source-address 142.90.64.0/18
set firewall family inet filter wan_in_from_bcnet term DENY-SPOOF from source-address 142.90.128.0/18

set firewall family inet filter wan_out_to_bcnet_research term PERMIT-TRIUMF from source-address 142.90.64.0/18
set firewall family inet filter wan_out_to_bcnet_research term PERMIT-TRIUMF from source-address 142.90.128.0/18

set firewall family inet filter wan_out_to_bcnet_commerial term PERMIT-TRIUMF from source-address 142.90.64.0/18
set firewall family inet filter wan_out_to_bcnet_commerial term PERMIT-TRIUMF from source-address 142.90.128.0/18

!
! SRX-3400 changes
!
set policy-options policy-statement into-iBGP term next-hop-self from route-filter 142.90.64.0/18 orlonger
set policy-options policy-statement into-iBGP term next-hop-self from route-filter 142.90.128.0/18 orlonger

Show what routes TRIUMF is advertising to its eBGP peers.

show route advertising-protocol bgp 207.23.240.14
show route advertising-protocol bgp 207.23.240.18
show route advertising-protocol bgp 134.87.0.22
show route advertising-protocol bgp 134.87.0.94
show route advertising-protocol bgp 142.231.1.54
show route advertising-protocol bgp 134.87.2.70
show route advertising-protocol bgp 206.12.8.5
show route advertising-protocol bgp 206.12.8.9


The second phase is to remove the 142.90/16 advertisement.

EX-9208 changes

delete routing-instances ix        routing-options aggregate route 142.90.0.0/16
delete routing-instances oran      routing-options aggregate route 142.90.0.0/16
delete routing-instances commodity routing-options aggregate route 142.90.0.0/16
delete routing-instances westgrid  routing-options aggregate route 142.90.0.0/16

delete policy-options policy-statement aggregate-route term 1 from route-filter 142.90.0.0/16 exact
delete policy-options policy-statement into-iBGP term next-hop-self from route-filter 142.90.0.0/16  orlonger

delete firewall family inet filter wan_in_from_bcnet term DENY-SPOOF from source-address 142.90.0.0/16
delete firewall family inet filter wan_out_to_bcnet_research term PERMIT-TRIUMF from source-address 142.90.0.0/16

delete firewall family inet filter wan_out_to_bcnet_commerial term PERMIT-TRIUMF from source-address 142.90.0.0/16

! Delete unused statements
!
delete policy-options prefix-list TRIUMF-142.90
delete policy-options policy-statement into-iBGP-ORAN


SRX-3400 changes

set groups Internet-security-policies security policies from-zone <*> to-zone <*> policy deny-port-20031-netvault match destination-address TRIUMF_TRUSTED_NETWORKS

! Delete the existing prefix list and define a new one
!
delete policy-options prefix-list trusted-subnets
set policy-options prefix-list trusted-subnets 142.90.64.0/18
set policy-options prefix-list trusted-subnets 142.90.128.0/18
set policy-options prefix-list trusted-subnets 206.12.1.0/24
set policy-options prefix-list trusted-subnets 206.12.9.0/24

! Delete /16 from into-iBGP
!
delete policy-options policy-statement into-iBGP term next-hop-self from route-filter 142.90.0.0/16 orlonger

! Delete existing definitions of trusted networks in Global
!
delete security address-book global address net-triumf-trusted_142.90.0.0/17 142.90.0.0/17
delete security address-book global address net-triumf-trusted_142.90.128.0/18 142.90.128.0/18
delete security address-book global address net-triumf-trusted_142.90.192.0/19 142.90.192.0/19
delete security address-book global address net-triumf-trusted_142.90.224.0/20 142.90.224.0/20
delete security address-book global address net-triumf-trusted_142.90.240.0/21 142.90.240.0/21

! Create new definition of trusted networks in Global
!
set security address-book global address net-triumf-trusted_142.90.64.0/18 142.90.64.0/18
set security address-book global address net-triumf-trusted_142.90.128.0/18 142.90.128.0/18


delete security address-book global address-set TRIUMF_TRUSTED_NETWORKS
set security address-book global address-set TRIUMF_TRUSTED_NETWORKS description "List of trusted TRIUMF network blocks"
set security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.64.0/18
set security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.128.0/18
set security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_206.12.1.0/24
set security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_206.12.9.0/24

! Delete existing definitions of trusted networks in CCS
!
delete logical-systems CCS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.0.0/17
delete logical-systems CCS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.128.0/18
delete logical-systems CCS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.192.0/19
delete logical-systems CCS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.224.0/20
delete logical-systems CCS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.240.0/21

! Create new definition of trusted networks in CCS
!
set    logical-systems CCS security address-book global address net-triumf-trusted_142.90.64.0/18 142.90.64.0/18
set    logical-systems CCS security address-book global address net-triumf-trusted_142.90.128.0/18 142.90.128.0/18

delete logical-systems CCS security address-book global address-set TRIUMF_TRUSTED_NETWORKS
set    logical-systems CCS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.64.0/18
set    logical-systems CCS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.128.0/18

! Delete existing definitions of trusted networks in CONTROLS
!
delete logical-systems CONTROLS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.0.0/17
delete logical-systems CONTROLS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.128.0/18
delete logical-systems CONTROLS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.192.0/19
delete logical-systems CONTROLS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.224.0/20
delete logical-systems CONTROLS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.240.0/21

! Create new definition of trusted networks in CONTROLS
!

set    logical-systems CONTROLS security address-book global address net-triumf-trusted_142.90.64.0/18 142.90.64.0/18
set    logical-systems CONTROLS security address-book global address net-triumf-trusted_142.90.128.0/18 142.90.128.0/18


delete logical-systems CONTROLS security address-book global address-set TRIUMF_TRUSTED_NETWORKS
set    logical-systems CONTROLS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.64.0/18
set    logical-systems CONTROLS security address-book global address-set TRIUMF_TRUSTED_NETWORKS address net-triumf-trusted_142.90.128.0/18
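
A post-change check, added here as an example and not part of the original procedure: the Python below computes which parts of 142.90.0.0/16 are released once only the two /18s remain, then flags any remaining `set` statement whose prefix still covers released space (stale anti-spoof, trusted-network or address-book entries). The sample input is constructed from statements shown in the listings on this page, and the function names are this example's own.

```python
import ipaddress

OLD_AGGREGATE = ipaddress.ip_network("142.90.0.0/16")
RETAINED = [ipaddress.ip_network(p) for p in ("142.90.64.0/18", "142.90.128.0/18")]

# Constructed sample: statements taken from this page's listings, not a device dump.
SAMPLE = """\
set security address-book global address net-triumf_142.90.0.0/16 142.90.0.0/16
set logical-systems CCS security address-book global address net-TRIUMF-MGMT2 142.90.0.0/23
set policy-options prefix-list trusted-subnets 142.90.64.0/18
delete policy-options policy-statement into-iBGP term next-hop-self from route-filter 142.90.0.0/16 orlonger
"""

def released_blocks():
    """Parts of the old aggregate not covered by the retained prefixes."""
    remaining = [OLD_AGGREGATE]
    for keep in RETAINED:
        nxt = []
        for block in remaining:
            if keep.subnet_of(block):
                nxt.extend(block.address_exclude(keep))  # carve keep out of block
            elif not block.subnet_of(keep):
                nxt.append(block)                        # block untouched by keep
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))

def classify(prefix):  # -> retained | released | spans-released | outside
    gone = released_blocks()
    if any(prefix.subnet_of(r) for r in RETAINED):
        return "retained"
    if any(prefix.subnet_of(g) for g in gone):
        return "released"
    return "spans-released" if any(prefix.overlaps(g) for g in gone) else "outside"

def audit(config_text):
    """Return (status, prefix, line) for each 'set' line touching released space."""
    findings = []
    for line in config_text.splitlines():
        if not line.startswith("set "):
            continue  # deletes and comments leave no state behind
        for tok in line.split()[1:]:
            try:
                net = ipaddress.IPv4Network(tok, strict=False)
            except ValueError:
                continue  # keyword, or a name such as net-triumf_142.90.0.0/16
            status = classify(net)
            if status in ("released", "spans-released"):
                findings.append((status, str(net), line))
    return findings
```

Run `audit()` over the output of `show | display set` from each device after the second phase; every finding is a statement that still trusts, permits or names address space outside the two retained /18s.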



Done.