====== BGP configuration on a Cisco router and a Juniper SRX ======

==== Introduction ====

You have a [[http://en.wikipedia.org/wiki/Multihoming|multihomed network]] (two or more ISPs) and need fault-tolerant Internet access plus a fixed IP address space for the services you host.\\
**Solution**: the [[https://en.wikipedia.org/wiki/Border_Gateway_Protocol|BGP protocol]], a PI (Provider Independent) subnet and an AS (Autonomous System).

==== Preparation ====

To obtain a PI network and an AS, send a request to a company that has [[https://www.arin.net/policy/nrpm.html#two4|LIR]] status (an ISP usually is an LIR). The process takes 2-3 months.\\
So, you have been allocated an AS and a PI network. For this example we take AS 47668, PI network 91.208.39.0/24 and two connected ISPs:

  * ISP-1 8359
  * ISP-2 8629

{{:ru:jobs:bgp.jpg?400|400}}

Next, ask the LIR (the one that issued your AS and PI network) and each of your ISPs to add the import/export records to the [[http://www.ripe.net/lir-services/ncc/functions|RIPE]] or [[https://www.arin.net/about_us/index.html|ARIN]] database.
ISPs build their route filters from the import/export records in the RIPE and ARIN databases.\\
You can check the RIPE database records via this [[https://apps.db.ripe.net/search/full-text.html|link]] by entering your AS (e.g. AS47668) and the AS of each ISP (e.g. AS8359, AS8629) in the search box.\\
You should see the following import/export records:

<code>
aut-num:        AS47668
as-name:        SCANEX-AS
descr:          LLC "R&D Center ScanEx"
org:            ORG-SRaD1-RIPE
import:         from AS8359 accept ANY
import:         from AS8629 accept ANY
export:         to AS8359 announce AS47668
export:         to AS8629 announce AS47668
</code>

ISP-1:
<code>
aut-num:        AS8359
as-name:        MTS
descr:          MTS OJSC
descr:          former CJSC COMSTAR-Direct
descr:          Smolenskaya-Sennaya Sq., 27 block 2
descr:          119121 Moscow, Russia
org:            ORG-ZM1-RIPE
import:         from AS47668 action pref=105; accept AS47668
export:         to AS47668 announce ANY
</code>

ISP-2:
<code>
aut-num:        AS8629
as-name:        MCNTT-AS
descr:          MCNTT Autonomous System
descr:          Moscow Center of New Telecommunication Technologies
descr:          Arbat 46, 121002 Moscow
import:         from AS47668 action pref=300; accept AS47668
export:         to AS47668 announce ANY
</code>

Now you can start configuring the devices.

==== Configuration ====

This article covers configuring BGP on a Cisco 2911 and on a Juniper SRX 220H.

Assume:

  * EXT_IP_1 - IP address of your router's interface connected to ISP-1
  * EXT_IP_2 - IP address of your router's interface connected to ISP-2
  * 91.208.39.1/24 - IP address of your router's interface connected to your PI subnet
  * ISP_IP_1 - IP address of the ISP-1 router
  * ISP_IP_2 - IP address of the ISP-2 router
  * ISP-1 - primary ISP
  * ISP-2 - backup ISP
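The RIPE records above can be cross-checked mechanically before you touch the routers. The script below is an added example, not part of the original article: it parses aut-num objects in RPSL form and verifies that each ISP's import/export lines mirror your own (you import from an ISP only if it exports to you, you export to it only if it accepts your AS). The sample text is a constructed, trimmed copy of the three records shown above.

```python
import re

# Constructed sample: the aut-num objects from the RIPE lookup above, reduced to
# the attributes this check reads (aut-num, import, export).
RIPE_OBJECTS = """\
aut-num: AS47668
import: from AS8359 accept ANY
import: from AS8629 accept ANY
export: to AS8359 announce AS47668
export: to AS8629 announce AS47668

aut-num: AS8359
import: from AS47668 action pref=105; accept AS47668
export: to AS47668 announce ANY

aut-num: AS8629
import: from AS47668 action pref=300; accept AS47668
export: to AS47668 announce ANY
"""

IMPORT_RE = re.compile(r"from\s+(AS\d+)\b.*?\baccept\s+(\S+)")   # RPSL import line
EXPORT_RE = re.compile(r"to\s+(AS\d+)\b.*?\bannounce\s+(\S+)")   # RPSL export line

def parse_aut_nums(text):
    """Return {asn: {"import": {peer: accepted}, "export": {peer: announced}}}."""
    objs = {}
    for block in text.strip().split("\n\n"):
        attrs = [line.split(":", 1) for line in block.splitlines() if ":" in line]
        asn = next(v.strip() for k, v in attrs if k == "aut-num")
        obj = {"import": {}, "export": {}}
        for key, val in attrs:
            rx = {"import": IMPORT_RE, "export": EXPORT_RE}.get(key)
            if rx and (hit := rx.search(val)):
                obj[key][hit.group(1)] = hit.group(2)
        objs[asn] = obj
    return objs

def check_peering(text, my_as):
    """List every ISP record that does not mirror my AS's own import/export lines."""
    objs = parse_aut_nums(text)
    me, problems = objs[my_as], []
    for peer in sorted(set(me["import"]) | set(me["export"])):
        isp = objs.get(peer, {"import": {}, "export": {}})  # missing object = no lines
        # I import from the ISP, so the ISP must export to me ...
        if peer in me["import"] and my_as not in isp["export"]:
            problems.append(f"{peer} has no 'export: to {my_as}' line")
        # ... and I export to the ISP, so the ISP must accept my AS (or ANY).
        accepted = isp["import"].get(my_as)
        if peer in me["export"] and accepted not in (my_as, "ANY"):
            problems.append(f"{peer} does not accept {my_as} (accept {accepted})")
    return problems
```

Paste the real objects from the RIPE lookup into RIPE_OBJECTS; an empty list means every ISP record matches yours.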
==== BGP configuration on the Cisco 2911 router ====

<code>
en
conf t
</code>

**1. Access lists**

<code>
! Inbound filter on the ISP-1 link: drop RFC1918 sources, allow only the BGP session,
! return traffic and ICMP towards the router itself, and anything towards the PI prefix.
ip access-list extended SCANEX_IN_ISP1_FILTER
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp host ISP_IP_1 host EXT_IP_1 eq 179
 permit tcp any host EXT_IP_1 established
 permit icmp any any
 deny ip any host 91.208.39.1
 permit ip any 91.208.39.0 0.0.0.255
 deny ip any any
exit

ip access-list extended SCANEX_IN_ISP2_FILTER
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp host ISP_IP_2 host EXT_IP_2 eq 179
 permit tcp any host EXT_IP_2 established
 permit icmp any any
 deny ip any host 91.208.39.1
 permit ip any 91.208.39.0 0.0.0.255
 deny ip any any
exit

! Inbound filter on the LAN side: only packets sourced from the PI prefix may leave
! (anti-spoofing), and the router's LAN address accepts only return traffic and ICMP.
ip access-list extended SCANEX_IN_GL_NET_FILTER
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp any host 91.208.39.1 established
 permit icmp any any
 ! don't forget to add ssh access to the cisco here
 deny ip any host 91.208.39.1
 permit ip 91.208.39.0 0.0.0.255 any
 deny ip any any
exit

! Prefix filters for BGP: never accept RFC1918 space or our own prefix from an ISP,
! and never announce anything but our own prefix.
ip access-list standard ISP-in
 deny 10.0.0.0 0.255.255.255
 deny 172.16.0.0 0.15.255.255
 deny 192.168.0.0 0.0.255.255
 deny 91.208.39.0 0.0.0.255
 permit any
exit

ip access-list standard ISP-out
 permit 91.208.39.0 0.0.0.255
exit
</code>

**2. Interfaces**

<code>
int gi 0/0
 ! mask as given by ISP-1
 ip address EXT_IP_1 <mask>
 ip access-group SCANEX_IN_ISP1_FILTER in
 no shutdown
exit

int gi 0/1
 ! mask as given by ISP-2
 ip address EXT_IP_2 <mask>
 ip access-group SCANEX_IN_ISP2_FILTER in
 no shutdown
exit

int gi 0/2
 ip address 91.208.39.1 255.255.255.0
 ip access-group SCANEX_IN_GL_NET_FILTER in
 no shutdown
exit
</code>

**3. Static routes**

When BGP starts or is reloaded the routing table is empty, and downloading the full table of global routes takes about two minutes. The solution is to point a static default route at the primary ISP. Note that this static route only disappears when the interface towards ISP-1 goes down; if the ISP-1 router fails while the link stays up, traffic without a more specific BGP route keeps following it.

<code>
ip route 0.0.0.0 0.0.0.0 ISP_IP_1
</code>

**4. Route maps**

<code>
! Prepend our AS several times on announcements to the backup ISP so that
! inbound traffic prefers the path through the primary ISP.
route-map set-as-path permit 10
 match ip address ISP-out
 set as-path prepend 47668 47668 47668 47668 47668
exit
</code>

**5. BGP**

<code>
router bgp 47668
 bgp router-id 91.208.39.1
 network 91.208.39.0 mask 255.255.255.0
 ! check remote-as against the AS numbers your ISPs actually use: this example
 ! pairs the primary peer ISP_IP_1 with AS8629 and the backup peer ISP_IP_2 with AS8359
 neighbor ISP_IP_1 remote-as 8629
 neighbor ISP_IP_1 weight 200
 neighbor ISP_IP_1 distribute-list ISP-in in
 neighbor ISP_IP_1 distribute-list ISP-out out
 neighbor ISP_IP_2 remote-as 8359
 neighbor ISP_IP_2 weight 100
 neighbor ISP_IP_2 distribute-list ISP-in in
 neighbor ISP_IP_2 distribute-list ISP-out out
 neighbor ISP_IP_2 route-map set-as-path out
exit
</code>

**6. Save the configuration**

<code>
do wr
</code>

==== BGP configuration on the Juniper SRX 220H ====

**1. Interfaces**

<code>
## address and prefix length as given by ISP-1
set interfaces ge-0/0/1 unit 0 description ISP-1
set interfaces ge-0/0/1 unit 0 family inet address EXT_IP_1/<len>
set interfaces ge-0/0/1 unit 0 family inet filter input SCANEX_IN_ISP1_FILTER
## address and prefix length as given by ISP-2
set interfaces ge-0/0/2 unit 0 description ISP-2
set interfaces ge-0/0/2 unit 0 family inet address EXT_IP_2/<len>
set interfaces ge-0/0/2 unit 0 family inet filter input SCANEX_IN_ISP2_FILTER
set interfaces ge-0/0/3 unit 0 description "My Global"
set interfaces ge-0/0/3 unit 0 family inet address 91.208.39.1/24
set interfaces ge-0/0/3 unit 0 family inet filter input SCANEX_IN_GL_NET_FILTER
</code>

**2. Static routes**

As on the Cisco: when BGP starts or is reloaded the routing table is empty, and downloading the full table of global routes takes about two minutes, so a static default route points at the primary ISP. The same caveat applies: the static route stays active as long as the next hop is reachable, even if ISP-1 itself stops forwarding.

<code>
set routing-options static route 0.0.0.0/0 next-hop ISP_IP_1
</code>
**3. Security zones**

<code>
## The zone settings only decide which services the SRX itself answers on these
## interfaces (ping and BGP from the ISPs); transit filtering is done in step 7.
set security zones security-zone ISPs host-inbound-traffic system-services ping
set security zones security-zone ISPs host-inbound-traffic protocols bgp
set security zones security-zone ISPs interfaces ge-0/0/1.0
set security zones security-zone ISPs interfaces ge-0/0/2.0
set security zones security-zone SCANEX_GL_NET_LAN host-inbound-traffic system-services ping
set security zones security-zone SCANEX_GL_NET_LAN interfaces ge-0/0/3.0
</code>

**4. Security policies**

With permit-all, traffic between the zones is not restricted by security policies; all filtering is done by the stateless firewall filters in step 7.

<code>
set security policies default-policy permit-all
</code>

**5. Policy options**

<code>
## ASPREPEND (term 1) lengthens the AS path of our prefix when it is announced to the
## backup ISP, so that inbound traffic prefers the primary ISP. The term has to end
## with "accept": with "reject" the prefix would never be announced to that peer.
set policy-options policy-statement ASPREPEND term 1 from route-filter 91.208.39.0/24 exact
set policy-options policy-statement ASPREPEND term 1 then as-path-prepend "47668 47668 47668 47668 47668 47668"
set policy-options policy-statement ASPREPEND term 1 then accept
set policy-options policy-statement ASPREPEND term 2 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ASPREPEND term 2 then reject
set policy-options policy-statement ASPREPEND term 3 then reject

## ISP-in: never learn our own prefix (or a more specific part of it) back from an ISP ...
set policy-options policy-statement ISP-in term 1 from route-filter 91.208.39.0/24 orlonger
set policy-options policy-statement ISP-in term 1 then reject
## ... terms 2-4 defend against possible ISP mistakes. "orlonger" also catches more
## specific prefixes inside these ranges; "exact" would only match the range itself.
set policy-options policy-statement ISP-in term 2 from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement ISP-in term 2 then reject
set policy-options policy-statement ISP-in term 3 from route-filter 172.16.0.0/12 orlonger
set policy-options policy-statement ISP-in term 3 then reject
set policy-options policy-statement ISP-in term 4 from route-filter 10.0.0.0/8 orlonger
set policy-options policy-statement ISP-in term 4 then reject
set policy-options policy-statement ISP-in term 5 from route-filter 0.0.0.0/0 orlonger
set policy-options policy-statement ISP-in term 5 then accept

## ISP-out: announce only our own prefix
set policy-options policy-statement ISP-out term 1 from route-filter 91.208.39.0/24 exact
set policy-options policy-statement ISP-out term 1 then accept
set policy-options policy-statement ISP-out term 2 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP-out term 2 then reject
set policy-options policy-statement ISP-out term 3 then reject
</code>

**6. BGP**

<code>
## Local AS and router ID (the same values the Cisco configuration uses);
## without the local AS no BGP session can be established.
set routing-options autonomous-system 47668
set routing-options router-id 91.208.39.1

set protocols bgp group MTS_BGP type external
## There is no Weight attribute in Junos (Weight is Cisco proprietary). A preference
## above the default of 170 makes routes learned from this backup group less preferred.
set protocols bgp group MTS_BGP preference 180
set protocols bgp group MTS_BGP import ISP-in
set protocols bgp group MTS_BGP export ASPREPEND
set protocols bgp group MTS_BGP export ISP-out
set protocols bgp group MTS_BGP neighbor ISP_IP_2 peer-as 8359

set protocols bgp group MCNTT_BGP type external
set protocols bgp group MCNTT_BGP import ISP-in
set protocols bgp group MCNTT_BGP export ISP-out
set protocols bgp group MCNTT_BGP neighbor ISP_IP_1 peer-as 8629
</code>

**7. Firewall filters**

<code>
## ISP-1 link: drop RFC1918 sources, allow the BGP session from ISP_IP_1, return
## traffic and ICMP, drop anything else aimed at the router's own addresses, and
## accept the rest only if it is destined for the PI prefix.
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_ISP1_FILTER term 1 then discard
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from source-address ISP_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from protocol tcp
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from destination-port 179
set firewall filter SCANEX_IN_ISP1_FILTER term 2 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 3 from tcp-established
set firewall filter SCANEX_IN_ISP1_FILTER term 3 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 4 from protocol icmp
set firewall filter SCANEX_IN_ISP1_FILTER term 4 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_ISP1_FILTER term 5 then discard
set firewall filter SCANEX_IN_ISP1_FILTER term 100 from destination-address 91.208.39.0/24
set firewall filter SCANEX_IN_ISP1_FILTER term 100 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 200 then discard

## ISP-2 link: same structure as the ISP-1 filter
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_ISP2_FILTER term 1 then discard
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from source-address ISP_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from protocol tcp
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from destination-port 179
set firewall filter SCANEX_IN_ISP2_FILTER term 2 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 3 from tcp-established
set firewall filter SCANEX_IN_ISP2_FILTER term 3 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 4 from protocol icmp
set firewall filter SCANEX_IN_ISP2_FILTER term 4 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_ISP2_FILTER term 5 then discard
set firewall filter SCANEX_IN_ISP2_FILTER term 100 from destination-address 91.208.39.0/24
set firewall filter SCANEX_IN_ISP2_FILTER term 100 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 200 then discard

## LAN side: drop RFC1918 sources, let return traffic and ICMP reach the SRX,
## protect the SRX's own addresses, and only forward packets sourced from the PI prefix
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 then discard
set firewall filter SCANEX_IN_GL_NET_FILTER term 2 from tcp-established
set firewall filter SCANEX_IN_GL_NET_FILTER term 2 then accept
set firewall filter SCANEX_IN_GL_NET_FILTER term 3 from protocol icmp
set firewall filter SCANEX_IN_GL_NET_FILTER term 3 then accept
## don't forget to add ssh access to the SRX here
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 then discard
## as with the Cisco ACL, only packets sourced from the PI prefix may leave the LAN (anti-spoofing)
set firewall filter SCANEX_IN_GL_NET_FILTER term 100 from source-address 91.208.39.0/24
set firewall filter SCANEX_IN_GL_NET_FILTER term 100 then accept
set firewall filter SCANEX_IN_GL_NET_FILTER term 200 then discard
</code>

**8. Apply the configuration**

<code>
## when working remotely, prefer "commit confirmed": it rolls the change back
## automatically unless a plain "commit" follows within the timeout
commit
</code>

==== About the author ====

Author's [[https://www.linkedin.com/pub/alexey-vyrodov/59/976/16b|profile]]
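The two inbound route filters in this article, the Cisco ISP-in distribute-list (Cisco step 5) and the Junos ISP-in policy-statement (Juniper step 5), can be exercised offline. The script below is an added example, not from the article: it models IOS wildcard-mask matching and the Junos route-filter match types exact and orlonger, compares the two filters on a few constructed prefixes, and shows which prefix the Junos policy would let through if every term used exact.

```python
import ipaddress

# Constructed data: the inbound ISP-in filters from the article, expressed as data.
# Cisco standard ACL, (action, network, wildcard), in IOS evaluation order.
CISCO_ISP_IN = [("deny", "10.0.0.0", "0.255.255.255"), ("deny", "172.16.0.0", "0.15.255.255"),
                ("deny", "192.168.0.0", "0.0.255.255"), ("deny", "91.208.39.0", "0.0.0.255"),
                ("permit", "0.0.0.0", "255.255.255.255")]        # last entry = permit any
# Junos policy-statement, (route-filter prefix, match type, action), in term order.
JUNOS_ISP_IN = [("91.208.39.0/24", "orlonger", "reject"), ("192.168.0.0/16", "orlonger", "reject"),
                ("172.16.0.0/12", "orlonger", "reject"), ("10.0.0.0/8", "orlonger", "reject"),
                ("0.0.0.0/0", "orlonger", "accept")]
# The same policy with "exact" on every term, to show why the match type matters.
JUNOS_ISP_IN_EXACT = [(p, "exact", a) for p, _, a in JUNOS_ISP_IN]

def ios_wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must equal the network bit, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def cisco_distribute_list(prefix, acl=CISCO_ISP_IN):
    """A standard ACL used as a distribute-list tests the route's network address only."""
    net = str(ipaddress.ip_network(prefix).network_address)
    for action, network, wildcard in acl:
        if ios_wildcard_match(net, network, wildcard):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def junos_route_filter(prefix, filt, match_type):
    """The two route-filter match types used on the page."""
    p, f = ipaddress.ip_network(prefix), ipaddress.ip_network(filt)
    if match_type == "exact":
        return p == f
    if match_type == "orlonger":
        return p.subnet_of(f)  # the prefix itself or any more specific one
    raise ValueError(match_type)

def junos_import(prefix, policy=JUNOS_ISP_IN):
    """First matching term wins; with no match the default BGP import policy (accept) applies."""
    for filt, match_type, action in policy:
        if junos_route_filter(prefix, filt, match_type):
            return action
    return "accept"

def disagreements(prefixes, policy=JUNOS_ISP_IN):
    """Prefixes on which the Cisco ACL and the Junos policy would decide differently."""
    return [p for p in prefixes
            if (cisco_distribute_list(p) == "permit") != (junos_import(p, policy) == "accept")]
```

With the exact variant a leaked 10.1.0.0/16 passes the Junos policy while the Cisco ACL denies it; with orlonger both filters agree on every sample prefix.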