====== Configuring BGP on a Cisco router and a Juniper SRX ======

==== Introduction ====

You have a [[http://en.wikipedia.org/wiki/Multihoming|multihomed network]] (two or more ISPs) and you need a reliable connection and a fixed network address space for your services.\\
**Solution**: the [[https://en.wikipedia.org/wiki/Border_Gateway_Protocol|BGP protocol]], a PI (Provider Independent) network and an AS (Autonomous System).\\

==== Preparation ====

To obtain a PI network and an AS you need to send a request to any company with [[https://www.arin.net/policy/nrpm.html#two4|LIR]] status (usually an ISP has LIR status). This process takes about two to three months.\\
So, you have obtained your AS and PI network. For example: AS 47668, PI network 91.208.39.0/24, and you have two connected ISPs:
  * ISP-1: AS8359
  * ISP-2: AS8629

{{:ru:jobs:bgp.jpg?400|400}}

Now you need to ask your LIR and all of your connected ISPs to add import/export records to the RIPE or ARIN database. ISPs build their routing filters from the RIPE and ARIN databases, so a missing record means your prefix is filtered.\\
You can check the RIPE database record using this [[https://apps.db.ripe.net/search/full-text.html|link]] and typing your AS (for example 47668) and each ISP's AS (for example AS8359, AS8629).\\
You should see the following import/export records:

<code>
aut-num:  AS47668
as-name:  SCANEX-AS
descr:    LLC "R&D Center ScanEx"
org:      ORG-SRaD1-RIPE
import:   from AS8359 accept ANY
import:   from AS8629 accept ANY
export:   to AS8359 announce AS47668
export:   to AS8629 announce AS47668
</code>

ISP-1:
<code>
aut-num:  AS8359
as-name:  MTS
descr:    MTS OJSC
descr:    former CJSC COMSTAR-Direct
descr:    Smolenskaya-Sennaya Sq., 27 block 2
descr:    119121 Moscow, Russia
org:      ORG-ZM1-RIPE
import:   from AS47668 action pref=105; accept AS47668
export:   to AS47668 announce ANY
</code>

ISP-2:
<code>
aut-num:  AS8629
as-name:  MCNTT-AS
descr:    MCNTT Autonomous System
descr:    Moscow Center of New Telecommunication Technologies
descr:    Arbat 46, 121002 Moscow
import:   from AS47668 action pref=300; accept AS47668
export:   to AS47668 announce ANY
</code>

Now you can start to configure the network infrastructure.

==== Configure ====

This article covers configuring BGP on a Cisco router and on a Juniper SRX. Let's assume:
  * EXT_IP_1 - IP address of the external interface connected to ISP-1
  * EXT_IP_2 - IP address of the external interface connected to ISP-2
  * EXT_MASK_1, EXT_MASK_2 - subnet masks of the links to ISP-1 and ISP-2 (placeholders, needed by the Cisco ''ip address'' command)
  * 91.208.39.1/24 - IP address of the interface connected to the 91.208.39.0/24 network
  * ISP_IP_1 - IP address of the ISP-1 router
  * ISP_IP_2 - IP address of the ISP-2 router
  * ISP-1 - main ISP
  * ISP-2 - backup ISP

The same placeholder names are used in both configurations below; replace them with your real addresses.

==== Configuring BGP on a Cisco Router 2911 ====

<code>
en
conf t
</code>

**1. Access lists**

Extended ACLs protect the router and the PI network on each interface; the standard ACLs ISP-in and ISP-out are applied to the BGP sessions as distribute lists (they match the network address of each prefix, so the wildcard masks cover whole RFC 1918 blocks).

<code>
ip access-list extended SCANEX_IN_ISP1_FILTER
 ! drop packets with private (RFC 1918) source addresses
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 ! allow the BGP session with the ISP router and replies to our own connections
 permit tcp host ISP_IP_1 host EXT_IP_1 eq 179
 permit tcp any host EXT_IP_1 established
 permit icmp any any
 ! nothing else may reach the router itself; everything else may reach the PI network
 deny ip any host 91.208.39.1
 permit ip any 91.208.39.0 0.0.0.255
 deny ip any any
 exit

ip access-list extended SCANEX_IN_ISP2_FILTER
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp host ISP_IP_2 host EXT_IP_2 eq 179
 permit tcp any host EXT_IP_2 established
 permit icmp any any
 deny ip any host 91.208.39.1
 permit ip any 91.208.39.0 0.0.0.255
 deny ip any any
 exit

ip access-list extended SCANEX_IN_GL_NET_FILTER
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp any host 91.208.39.1 established
 permit icmp any any
 ! don't forget to add ssh access to the Cisco here
 deny ip any host 91.208.39.1
 ! only our own PI network may leave towards the ISPs (anti-spoofing)
 permit ip 91.208.39.0 0.0.0.255 any
 deny ip any any
 exit

! prefixes we refuse to learn from the ISPs: private space and our own block
ip access-list standard ISP-in
 deny 10.0.0.0 0.255.255.255
 deny 172.16.0.0 0.15.255.255
 deny 192.168.0.0 0.0.255.255
 deny 91.208.39.0 0.0.0.255
 permit any
 exit

! the only prefix we announce to the ISPs
ip access-list standard ISP-out
 permit 91.208.39.0 0.0.0.255
 exit
</code>

**2. Interfaces**
<code>
int gi 0/0
 ip address EXT_IP_1 EXT_MASK_1
 ip access-group SCANEX_IN_ISP1_FILTER in
 no shutdown
 exit

int gi 0/1
 ip address EXT_IP_2 EXT_MASK_2
 ip access-group SCANEX_IN_ISP2_FILTER in
 no shutdown
 exit

int gi 0/2
 ip address 91.208.39.1 255.255.255.0
 ip access-group SCANEX_IN_GL_NET_FILTER in
 no shutdown
 exit
</code>

**3. Static routes**

When BGP starts or is reloaded, the routing table is empty, and downloading the full global routing table takes about two minutes. The solution is to set the main ISP as a static default gateway.
<code>
ip route 0.0.0.0 0.0.0.0 ISP_IP_1
</code>

**4. Route maps**

Announcements towards the backup ISP get a longer AS path, so remote networks prefer the path through the main ISP.
<code>
route-map set-as-path permit 10
 match ip address ISP-out
 set as-path prepend 47668 47668 47668 47668 47668
 exit
</code>

**5. BGP**

The higher weight on ISP_IP_1 makes it the preferred exit for our outbound traffic; the route map on ISP_IP_2 handles the inbound direction.
<code>
router bgp 47668
 bgp router-id 91.208.39.1
 network 91.208.39.0 mask 255.255.255.0
 neighbor ISP_IP_1 remote-as 8629
 neighbor ISP_IP_1 weight 200
 neighbor ISP_IP_1 distribute-list ISP-in in
 neighbor ISP_IP_1 distribute-list ISP-out out
 neighbor ISP_IP_2 remote-as 8359
 neighbor ISP_IP_2 weight 100
 neighbor ISP_IP_2 distribute-list ISP-in in
 neighbor ISP_IP_2 distribute-list ISP-out out
 neighbor ISP_IP_2 route-map set-as-path out
 exit
</code>

**6. Write configuration**
<code>
do wr
</code>

==== Configuring BGP on a Juniper SRX 220H ====

**1. Interfaces**
<code>
## EXT_IP_1 and EXT_IP_2 must include the prefix length (for example a.b.c.d/30)
set interfaces ge-0/0/1 unit 0 description ISP-1
set interfaces ge-0/0/1 unit 0 family inet address EXT_IP_1
set interfaces ge-0/0/1 unit 0 family inet filter input SCANEX_IN_ISP1_FILTER
set interfaces ge-0/0/2 unit 0 description ISP-2
set interfaces ge-0/0/2 unit 0 family inet address EXT_IP_2
set interfaces ge-0/0/2 unit 0 family inet filter input SCANEX_IN_ISP2_FILTER
set interfaces ge-0/0/3 unit 0 description "My Global"
set interfaces ge-0/0/3 unit 0 family inet address 91.208.39.1/24
set interfaces ge-0/0/3 unit 0 family inet filter input SCANEX_IN_GL_NET_FILTER
</code>

**2. Static routes**

When BGP starts or is reloaded, the routing table is empty, and downloading the full global routing table takes about two minutes. The solution is to set the main ISP as a static default gateway.
<code>
set routing-options static route 0.0.0.0/0 next-hop ISP_IP_1
</code>

**3. Security zones**
<code>
set security zones security-zone ISPs host-inbound-traffic system-services ping
set security zones security-zone ISPs host-inbound-traffic protocols bgp
set security zones security-zone ISPs interfaces ge-0/0/1.0
set security zones security-zone ISPs interfaces ge-0/0/2.0
set security zones security-zone SCANEX_GL_NET_LAN host-inbound-traffic system-services ping
set security zones security-zone SCANEX_GL_NET_LAN interfaces ge-0/0/3.0
</code>

**4. Security policies**
<code>
set security policies default-policy permit-all
</code>

**5. Policy options**

The ''exact'' route-filters match only the listed prefix itself; a more-specific leak (for example 10.1.0.0/8 split into /16s) would pass. Use ''orlonger'' instead of ''exact'' in the ISP-in terms if you want the Junos filter to behave like the Cisco wildcard ACL.
<code>
## term 1 lengthens the return path through the backup ISP; it must accept,
## otherwise the prefix is never announced to that peer
set policy-options policy-statement ASPREPEND term 1 from route-filter 91.208.39.0/24 exact
set policy-options policy-statement ASPREPEND term 1 then as-path-prepend "47668 47668 47668 47668 47668 47668"
set policy-options policy-statement ASPREPEND term 1 then accept
set policy-options policy-statement ASPREPEND term 2 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ASPREPEND term 2 then reject
set policy-options policy-statement ASPREPEND term 3 then reject

## never learn our own prefix back from an ISP
set policy-options policy-statement ISP-in term 1 from route-filter 91.208.39.0/24 exact
set policy-options policy-statement ISP-in term 1 then reject
## terms 2-4 defend against possible ISP mistakes (private space)
set policy-options policy-statement ISP-in term 2 from route-filter 192.168.0.0/16 exact
set policy-options policy-statement ISP-in term 2 then reject
set policy-options policy-statement ISP-in term 3 from route-filter 172.16.0.0/12 exact
set policy-options policy-statement ISP-in term 3 then reject
set policy-options policy-statement ISP-in term 4 from route-filter 10.0.0.0/8 exact
set policy-options policy-statement ISP-in term 4 then reject
set policy-options policy-statement ISP-in term 5 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP-in term 5 then accept

## announce only our PI block
set policy-options policy-statement ISP-out term 1 from route-filter 91.208.39.0/24 exact
set policy-options policy-statement ISP-out term 1 then accept
set policy-options policy-statement ISP-out term 2 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP-out term 2 then reject
set policy-options policy-statement ISP-out term 3 then reject
</code>

**6. BGP**
<code>
## Junos configures the local AS and router-id under routing-options, not per neighbor
set routing-options autonomous-system 47668
set routing-options router-id 91.208.39.1

set protocols bgp group MTS_BGP type external
## There is no Weight attribute in the Junos world (Weight is Cisco proprietary);
## a higher protocol preference (default 170) makes this group the backup
set protocols bgp group MTS_BGP preference 180
set protocols bgp group MTS_BGP import ISP-in
set protocols bgp group MTS_BGP export ASPREPEND
set protocols bgp group MTS_BGP export ISP-out
set protocols bgp group MTS_BGP neighbor ISP_IP_2 peer-as 8359

set protocols bgp group MCNTT_BGP type external
set protocols bgp group MCNTT_BGP import ISP-in
set protocols bgp group MCNTT_BGP export ISP-out
set protocols bgp group MCNTT_BGP neighbor ISP_IP_1 peer-as 8629
</code>

**7. Firewall**
<code>
## terms 1-5: drop private sources, allow the BGP session, replies to our own
## connections and ICMP, then protect the router's own addresses
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_ISP1_FILTER term 1 then discard
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from source-address ISP_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from protocol tcp
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from destination-port 179
set firewall filter SCANEX_IN_ISP1_FILTER term 2 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 3 from tcp-established
set firewall filter SCANEX_IN_ISP1_FILTER term 3 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 4 from protocol icmp
set firewall filter SCANEX_IN_ISP1_FILTER term 4 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_ISP1_FILTER term 5 then discard
set firewall filter SCANEX_IN_ISP1_FILTER term 100 from destination-address 91.208.39.0/24
set firewall filter SCANEX_IN_ISP1_FILTER term 100 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 200 then discard

set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_ISP2_FILTER term 1 then discard
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from source-address ISP_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from protocol tcp
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from destination-port 179
set firewall filter SCANEX_IN_ISP2_FILTER term 2 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 3 from tcp-established
set firewall filter SCANEX_IN_ISP2_FILTER term 3 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 4 from protocol icmp
set firewall filter SCANEX_IN_ISP2_FILTER term 4 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_ISP2_FILTER term 5 then discard
set firewall filter SCANEX_IN_ISP2_FILTER term 100 from destination-address 91.208.39.0/24
set firewall filter SCANEX_IN_ISP2_FILTER term 100 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 200 then discard

set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 then discard
set firewall filter SCANEX_IN_GL_NET_FILTER term 2 from tcp-established
set firewall filter SCANEX_IN_GL_NET_FILTER term 2 then accept
set firewall filter SCANEX_IN_GL_NET_FILTER term 3 from protocol icmp
set firewall filter SCANEX_IN_GL_NET_FILTER term 3 then accept
## don't forget to add ssh access to the SRX here
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 then discard
set firewall filter SCANEX_IN_GL_NET_FILTER term 100 then accept
</code>

**8. Commit**
<code>
commit
</code>
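The routing policy behind both configurations (ISP-in, ISP-out, the AS-path prepend and the main/backup selection) can be checked offline before touching a router. The following Python model is an added example, not code from the page or from either vendor; the neighbor names, weights and preferences mirror the configurations above, the sample prefixes are constructed, and the import check uses subnet containment (like the Cisco wildcard ACL) rather than the Junos ''exact'' match.

```python
import ipaddress
from typing import Dict, List, Optional

OWN_AS = 47668
OWN_PREFIX = ipaddress.ip_network("91.208.39.0/24")
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PREPENDS = 5  # the Cisco route-map set-as-path adds our AS five times before the origin


def import_accept(prefix: str) -> bool:
    """ISP-in: reject our own PI block and RFC 1918 space, accept anything else.
    Uses subnet containment like the Cisco wildcard ACL; note that the Junos
    'exact' route-filters on the page would still let a leaked 10.1.0.0/16 through."""
    net = ipaddress.ip_network(prefix)
    if net == OWN_PREFIX:
        return False
    return not any(net.subnet_of(bogon) for bogon in RFC1918)


def export_as_path(prefix: str, via_backup: bool) -> Optional[List[int]]:
    """ISP-out plus set-as-path/ASPREPEND: only the PI block is announced, and
    towards the backup ISP it carries a lengthened AS_PATH. None = not announced."""
    if ipaddress.ip_network(prefix) != OWN_PREFIX:
        return None
    return [OWN_AS] * (PREPENDS if via_backup else 0) + [OWN_AS]


def remote_best_path(paths: Dict[str, List[int]]) -> str:
    """A remote AS hearing both announcements with equal local preference
    prefers the shortest AS_PATH, so return traffic enters via the main ISP."""
    return min(paths, key=lambda isp: len(paths[isp]))


def choose_outbound(candidates: Dict[str, int], vendor: str) -> str:
    """Which neighbor our router sends traffic to: Cisco weight is 'higher wins',
    Junos protocol preference is 'lower wins' (BGP default 170, page sets 180 on MTS)."""
    if vendor == "cisco":
        return max(candidates, key=candidates.get)
    return min(candidates, key=candidates.get)


if __name__ == "__main__":
    # Constructed sample prefixes as an ISP might (wrongly) announce them to us.
    for p in ("8.8.8.0/24", "10.1.0.0/16", "91.208.39.0/24"):
        print(p, "accepted" if import_accept(p) else "rejected")
    heard = {"ISP_IP_1 (AS8629)": [8629] + export_as_path("91.208.39.0/24", False),
             "ISP_IP_2 (AS8359)": [8359] + export_as_path("91.208.39.0/24", True)}
    print("remote networks reach us via", remote_best_path(heard))
    print("Cisco prefers", choose_outbound({"ISP_IP_1": 200, "ISP_IP_2": 100}, "cisco"))
    print("Junos prefers", choose_outbound({"MCNTT_BGP": 170, "MTS_BGP": 180}, "junos"))
```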
==== About the author ====

[[https://www.linkedin.com/pub/alexey-vyrodov/59/976/16b|Profile]] of the author