[j-nsp] network engineering

Tore Anderson tore at linpro.no
Fri Feb 6 11:41:09 EST 2009


* Justin M. Streiner

> There is a common misconception that asymmetric routing is somehow bad.
> Yes, it can make troubleshooting connectivity problems a bit more
> involved, but asymmetry is a perfectly normal condition.  Also, even if
> you were to enforce symmetry within your network, there is no guarantee
> that the path will remain symmetric once it leaves your network.

There's one case where I believe asymmetric routing is bad, and where
I'd very much like to avoid it - I want packets with a source from the
interface address of my transit ports to be sent out to the provider's
router on that interface.

Consider the following network:

    [Transit provider AS123]-123.0.0.1------123.0.0.2-[   My    ]
                                                      [ Juniper ]
    [Transit provider AS321]-321.0.0.1------321.0.0.2-[ router  ]

123.0.0.x is part of AS123's PA space, 321.0.0.x is part of AS321's.
Routes received from AS123 have a higher localpref than those from AS321,
for whatever reason - like simply being cheaper.

If someone on the other side of the internet now sends an ICMP ping or
whatever to 321.0.0.2 I'll end up routing the reply packet out through
AS123, since the route to that particular other side of the internet has
a higher localpref through AS123.  However from AS123's point of view
I'm now spoofing traffic from AS321's PA space, so they might feel free
to drop the packet due to a failing uRPF check or whatever.

So what I'd want is to always route packets with a source of 321.0.0.2
via 321.0.0.1, if the destination isn't found in my IGP.  Likewise for
123.0.0.2.

I suspect it has to be done by using a separate forwarding-type
routing-instance with a static route to 0/0 via 321.0.0.1 combined with
an output filter on lo0 that jumps to that routing instance if the
source address matches, but I was unable to figure out exactly how to
make it work when I played around with it earlier today.  If someone has
an example config to share that accomplishes it, I'd be very grateful.

Regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
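
Added example, not part of the original post and not a Juniper configuration: a small Python model of the failure described above, showing a reply sourced from one transit's link address failing strict uRPF at the other provider, and the source-aware egress choice the post asks for. The documentation prefixes standing in for 123.0.0.x and 321.0.0.x, the 10.0.0.0/8 IGP range, the provider FIB contents and all function names are assumptions.

```python
import ipaddress as ip

# Constructed stand-ins: the post's 123.0.0.x / 321.0.0.x are illustrative
# (321 is not a valid octet), so documentation prefixes are used instead.
LINKS = {  # transit name -> (my interface address, provider's address)
    "AS123": (ip.ip_address("192.0.2.2"), ip.ip_address("192.0.2.1")),
    "AS321": (ip.ip_address("198.51.100.2"), ip.ip_address("198.51.100.1")),
}
IGP = [ip.ip_network("10.0.0.0/8")]  # assumed internal prefixes
PREFERRED = "AS123"                  # higher localpref, as in the post

# Assumed FIB on each provider's edge router: prefix -> outgoing interface.
PROVIDER_FIB = {
    "AS123": {ip.ip_network("192.0.2.0/30"): "customer",
              ip.ip_network("0.0.0.0/0"): "core"},
    "AS321": {ip.ip_network("198.51.100.0/30"): "customer",
              ip.ip_network("0.0.0.0/0"): "core"},
}

def strict_urpf_accepts(provider, src):
    """Strict uRPF: accept only if the best route back to src points out
    the interface the packet arrived on (here: the customer port)."""
    fib = PROVIDER_FIB[provider]
    best = max((n for n in fib if src in n), key=lambda n: n.prefixlen)
    return fib[best] == "customer"

def egress_by_destination(src, dst):
    """Plain destination-based forwarding: localpref decides, src ignored."""
    if any(dst in n for n in IGP):
        return "IGP"
    return PREFERRED

def egress_source_aware(src, dst):
    """The policy the post asks for: IGP destinations first, then pin
    packets sourced from a transit interface address to that transit."""
    if any(dst in n for n in IGP):
        return "IGP"
    for name, (mine, _peer) in LINKS.items():
        if src == mine:
            return name
    return PREFERRED

def reply_survives(policy, src, dst):
    """True if the reply leaves via a provider whose uRPF check accepts it."""
    out = policy(src, dst)
    return out == "IGP" or strict_urpf_accepts(out, src)
```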

