Juniper BGP stop default route from being advertised to Azure


Roelf Zomerman
Active Member
Jan 10, 2019
Hi everyone,

My Juniper is running a BGP-based VPN tunnel to the Azure gateways, but BGP is also sending the default route to Azure, causing a forced-tunneling setup where all Azure Internet-bound traffic is sent to my on-premises network rather than straight to the Internet.

In the BGP policy I have the following configuration, but it does not stop the default route. Any hints?

The policy statement does a couple of things:
1. It needs to pick up and forward the BGP-advertised routes from my DCs for AnyCast DNS.
2. It needs to forward static routes set on the Juniper (in case I have static routes configured for backend services).
3. It needs to filter out 0.0.0.0/0, so it will not be sent to neighbors 172.16.9.229 and 172.16.9.228 (the Azure GWs).


Code:
root@GW2# show policy-options policy-statement preprend1
term prependterm1 {
    from neighbor [ 172.16.5.120 172.16.5.121 ];
    then {
        preference subtract 10;
        accept;
    }
}
term send-direct {
    from protocol direct;
    then accept;
}
term removeDefault {
    from {
        route-filter 0.0.0.0/0 through 0.0.0.0/32;
    }
    to neighbor [ 172.16.9.228 172.16.9.229 ];
    then reject;
}


root@GW2# show protocols bgp group azure
type external;
multihop {
    ttl 50;
}
local-address 172.16.5.1;
export preprend1;
peer-as 65515;
local-as 65050;
neighbor 172.16.83.254;
neighbor 172.16.160.242;
neighbor 172.16.9.228;
neighbor 172.16.9.229;
But it's still sending 0.0.0.0/0
[attached screenshot]

fohdeesha
Kaini Industries
Nov 20, 2016
It's been a while since I've done policies on Junos and I'm half awake, but policies are run through in order and the first match is what gets actioned. I'm assuming your default is matching your #2 term, which is an accept, so the last term to deny never has a chance. Move your "term removeDefault {" to the beginning so it's matched (and denied) first.

Roelf Zomerman
Hmm, still did not work. Any other ideas?

Code:
root@GW2# show policy-options
policy-statement preprend1 {
    term prependterm1 {
        from neighbor [ 172.16.5.120 172.16.5.121 ];
        then {
            preference subtract 10;
            accept;
        }
    }
    term removeDefault {
        from {
            route-filter 0.0.0.0/0 through 0.0.0.0/32;
        }
        to neighbor [ 172.16.9.228 172.16.9.229 ];
        then reject;
    }
    term send-direct {
        from protocol direct;
        then accept;
    }
}

scline
Member
Apr 7, 2016
What do your protocols bgp statements look like (just to make sure you're applying the policy)? I would try a few things, but moving the term removeDefault to the top is likely all you would need:

Code:
insert policy-options policy-statement preprend1 term removeDefault before term prependterm1
I am not sure about how you have 0/0; in the past I always had it as route-filter 0.0.0.0/0 exact. You can try the following to verify that isn't it.
Code:
delete policy-options policy-statement preprend1 term removeDefault from route-filter 0.0.0.0/0 through 0.0.0.0/32
set policy-options policy-statement preprend1 term removeDefault from route-filter 0.0.0.0/0 exact
Be sure to have this applied on export (not import) as policies are defined both ways.

Ex:
set protocols bgp group <BGP_GROUP> import prependterm1 applies things to ingested routes, while set protocols bgp group <BGP_GROUP> export prependterm1 will apply things to exported ones. Generally you would want to have separate policies for each for ease of maintaining the rulesets.

Code:
set policy-options policy-statement defaultDeny term reject from route-filter 0.0.0.0/0 exact
set policy-options policy-statement defaultDeny term reject then reject

set protocols bgp group <BGP_GROUP> neighbor 172.16.9.228 export defaultDeny
set protocols bgp group <BGP_GROUP> neighbor 172.16.9.229 export defaultDeny
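As an added example (not the poster's configuration and not Junos code), a small Python model of the first-match export-policy evaluation discussed in this thread: it runs the three terms in the original order and with removeDefault moved first against constructed sample routes. The exact/through route-filter semantics and the default BGP export fallback follow Junos behaviour; the route and term representation is an assumption of this model.

```python
# Added example, not the poster's config and not Junos code: a small model of
# Junos first-match export-policy evaluation, covering only the conditions
# used in this thread (from neighbor / protocol / route-filter, to neighbor).
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Route:
    prefix: str           # e.g. "0.0.0.0/0"
    protocol: str         # "bgp", "direct" or "static"
    neighbor: str = ""    # peer the route was learned from (BGP only)

def route_filter_matches(prefix, start, kind, end=None):
    """'exact' needs the identical prefix; 'start through end' matches every
    prefix on the tree path from start down to end (start >= P >= end)."""
    p, a = ip_network(prefix), ip_network(start)
    if kind == "exact":
        return p == a
    return p.subnet_of(a) and ip_network(end).subnet_of(p)

def term_matches(term, route, peer):
    """A term matches only if every from/to condition it sets holds."""
    if term.get("from_neighbor") and route.neighbor not in term["from_neighbor"]:
        return False
    if term.get("from_protocol") and route.protocol != term["from_protocol"]:
        return False
    if term.get("route_filter") and not route_filter_matches(route.prefix, *term["route_filter"]):
        return False
    return not term.get("to_neighbor") or peer in term["to_neighbor"]

def export_decision(policy, route, peer):
    """First matching term wins; no match falls back to the Junos default BGP
    export policy, which re-advertises BGP routes and drops other protocols."""
    for term in policy:
        if term_matches(term, route, peer):
            return term["action"]
    return "accept" if route.protocol == "bgp" else "reject"

# The thread's terms in the original order and with removeDefault moved first.
PREPEND = {"from_neighbor": ["172.16.5.120", "172.16.5.121"], "action": "accept"}
SEND_DIRECT = {"from_protocol": "direct", "action": "accept"}
REMOVE_DEFAULT = {"route_filter": ("0.0.0.0/0", "through", "0.0.0.0/32"),
                  "to_neighbor": ["172.16.9.228", "172.16.9.229"], "action": "reject"}
ORIGINAL_ORDER = [PREPEND, SEND_DIRECT, REMOVE_DEFAULT]
REORDERED = [REMOVE_DEFAULT, PREPEND, SEND_DIRECT]

# Constructed sample routes: a default route and a DNS prefix learned from a DC router.
AZURE_GW = "172.16.9.228"
DEFAULT_FROM_DC = Route("0.0.0.0/0", "bgp", "172.16.5.120")
DNS_FROM_DC = Route("10.10.10.0/24", "bgp", "172.16.5.120")
```

In the original order the default route learned from 172.16.5.120 is accepted by prependterm1 before removeDefault is reached; with removeDefault first it is rejected towards the Azure peers only. A static route matches no term and falls through to the default export policy, which drops it, so item 2 in the question needs its own accept term.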