Configuring BGP on a Cisco router and a Juniper SRX.
Introduction.
You have a multihomed network (two or more ISPs) and you need a reliable connection and a fixed network address space for your services.
Solution: the BGP protocol, a PI (Provider Independent) network and an AS (Autonomous System).
Preparation.
To obtain a PI network and an AS you need to send a request to any company with LIR status (usually an ISP has LIR status). This process takes about two to three months.
So, you have obtained your AS and PI network. For example: AS 47668, PI network 91.208.39.0/24, and you have two connected ISPs (their records are shown below as ISP-1 and ISP-2).
Now you need to ask your LIR and all of your connected ISPs to add import/export records to the RIPE or ARIN database. All ISPs use the RIPE and ARIN databases to build their routing filters, so without these records your prefix will be filtered.
You can check the RIPE database record using this link, typing your AS (for example 47668) and each ISP's AS (for example AS8359, AS8629).
You should see the following import/export records:
aut-num: AS47668
as-name: SCANEX-AS
descr: LLC "R&D Center ScanEx"
org: ORG-SRaD1-RIPE
import: from AS8359 accept ANY
import: from AS8629 accept ANY
export: to AS8359 announce AS47668
export: to AS8629 announce AS47668
ISP-1:
aut-num: AS8359
as-name: MTS
descr: MTS OJSC
descr: former CJSC COMSTAR-Direct
descr: Smolenskaya-Sennaya Sq., 27 block 2
descr: 119121 Moscow, Russia
org: ORG-ZM1-RIPE
import: from AS47668 action pref=105; accept AS47668
export: to AS47668 announce ANY
ISP-2:
aut-num: AS8629
as-name: MCNTT-AS
descr: MCNTT Autonomous System
descr: Moscow Center of New Telecommunication Technologies
descr: Arbat 46, 121002 Moscow
import: from AS47668 action pref=300; accept AS47668
export: to AS47668 announce ANY
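The check described above (your aut-num exports your AS to each ISP, and each ISP's aut-num accepts your AS and announces ANY back) can be automated once the objects have been fetched. The following is an added example and not part of the original article: the three aut-num objects are copied from the records above as a constructed offline sample, and the parser and the check_peering function are this example's own code, not a RIPE tool.

```python
"""Verify that customer and ISP aut-num objects carry matching import/export
records (added example; RPSL sample constructed from the article's records)."""
import re

# Constructed sample: the aut-num objects from the article, one attribute per
# line, as a RIPE database query would return them.
RPSL_OBJECTS = """
aut-num: AS47668
as-name: SCANEX-AS
import: from AS8359 accept ANY
import: from AS8629 accept ANY
export: to AS8359 announce AS47668
export: to AS8629 announce AS47668

aut-num: AS8359
as-name: MTS
import: from AS47668 action pref=105; accept AS47668
export: to AS47668 announce ANY

aut-num: AS8629
as-name: MCNTT-AS
import: from AS47668 action pref=300; accept AS47668
export: to AS47668 announce ANY
"""

# RPSL import/export syntax; the optional 'action pref=N;' part is skipped.
IMPORT_RE = re.compile(r"from\s+(AS\d+)\s+(?:action\s+[^;]+;\s*)?accept\s+(.+)", re.I)
EXPORT_RE = re.compile(r"to\s+(AS\d+)\s+announce\s+(.+)", re.I)


def parse_aut_nums(text):
    """Split RPSL text into objects keyed by aut-num, keeping import/export lines."""
    objects = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "aut-num":
            current = objects.setdefault(value.upper(), {"import": [], "export": []})
        elif current is not None and key in ("import", "export"):
            current[key].append(value)
    return objects


def imports_of(obj):
    """Return {peer_as: accepted filter} for one aut-num object."""
    result = {}
    for entry in obj["import"]:
        m = IMPORT_RE.match(entry)
        if m:
            result[m.group(1).upper()] = m.group(2).strip().upper()
    return result


def exports_of(obj):
    """Return {peer_as: announced filter} for one aut-num object."""
    result = {}
    for entry in obj["export"]:
        m = EXPORT_RE.match(entry)
        if m:
            result[m.group(1).upper()] = m.group(2).strip().upper()
    return result


def check_peering(objects, customer, isp):
    """Return the list of problems for one customer/ISP pair (empty means consistent).

    Expected: the customer exports its own AS to the ISP, the ISP accepts exactly
    that AS from the customer, the ISP announces ANY to the customer and the
    customer accepts ANY from the ISP."""
    cust, upstream = objects.get(customer), objects.get(isp)
    if cust is None or upstream is None:
        return [f"missing aut-num object for {customer if cust is None else isp}"]
    problems = []
    if exports_of(cust).get(isp) != customer:
        problems.append(f"{customer} does not export {customer} to {isp}")
    if imports_of(upstream).get(customer) != customer:
        problems.append(f"{isp} does not accept {customer} from {customer}")
    if exports_of(upstream).get(customer) != "ANY":
        problems.append(f"{isp} does not announce ANY to {customer}")
    if imports_of(cust).get(isp) != "ANY":
        problems.append(f"{customer} does not accept ANY from {isp}")
    return problems


if __name__ == "__main__":
    objs = parse_aut_nums(RPSL_OBJECTS)
    for upstream_as in ("AS8359", "AS8629"):
        print(upstream_as, check_peering(objs, "AS47668", upstream_as) or "OK")
```

Run it against the real objects by replacing RPSL_OBJECTS with the text returned by the database query; a non-empty list for an ISP means that ISP's filters will most likely drop your announcement until the record is corrected.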
Now you can start configuring the network infrastructure.
This article walks through configuring BGP on a Juniper SRX and on a Cisco router.
Let's assume:
EXT_IP_1 - IP address of the external interface connected to ISP-1
EXT_IP_2 - IP address of the external interface connected to ISP-2
91.208.39.1/24 - IP address of the interface connected to the 91.208.39.0/24 network
ISP_IP_1 - IP address of the ISP-1 router
ISP_IP_2 - IP address of the ISP-2 router
ISP-1 - main ISP
ISP-2 - backup ISP
Configuring BGP on Cisco Router 2911
en
conf t
1. Access lists
ip access-list extended SCANEX_IN_ISP1_FILTER
!drop packets with private (RFC 1918) source addresses coming from the Internet
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
!BGP session from the ISP router only, plus return traffic of sessions we opened
permit tcp host ISP_IP_1 host EXT_IP_1 eq 179
permit tcp any host EXT_IP_1 established
permit icmp any any
!nothing else may reach the router itself
deny ip any host 91.208.39.1
permit ip any 91.208.39.0 0.0.0.255
deny ip any any
exit
ip access-list extended SCANEX_IN_ISP2_FILTER
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit tcp host ISP_IP_2 host EXT_IP_2 eq 179
permit tcp any host EXT_IP_2 established
permit icmp any any
deny ip any host 91.208.39.1
permit ip any 91.208.39.0 0.0.0.255
deny ip any any
exit
ip access-list extended SCANEX_IN_GL_NET_FILTER
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit tcp any host 91.208.39.1 established
permit icmp any any
!don't forget to add ssh access to cisco
deny ip any host 91.208.39.1
!only our own prefix may be a source address on the way out (anti-spoofing)
permit ip 91.208.39.0 0.0.0.255 any
deny ip any any
exit
ip access-list standard ISP-in
deny 10.0.0.0 0.255.255.255
deny 172.16.0.0 0.15.255.255
deny 192.168.0.0 0.0.255.255
deny 91.208.39.0 0.0.0.255
permit any
exit
ip access-list standard ISP-out
permit 91.208.39.0 0.0.0.255
exit
2. Interfaces
int gi 0/0
ip address EXT_IP_1
ip access-group SCANEX_IN_ISP1_FILTER in
no shutdown
exit
int gi 0/1
ip address EXT_IP_2
ip access-group SCANEX_IN_ISP2_FILTER in
no shutdown
exit
int gi 0/2
ip address 91.208.39.1 255.255.255.0
ip access-group SCANEX_IN_GL_NET_FILTER in
no shutdown
exit
3. Static routes
When BGP starts or is reloaded the routing table is empty, and downloading the full table of global routes takes about two minutes. The solution is to set the main ISP as a static default gateway.
ip route 0.0.0.0 0.0.0.0 ISP_IP_1
4. Route maps
route-map set-as-path permit 10
match ip address ISP-out
set as-path prepend 47668 47668 47668 47668 47668
5. BGP
router bgp 47668
bgp router-id 91.208.39.1
network 91.208.39.0 mask 255.255.255.0
neighbor ISP_IP_1 remote-as 8629
neighbor ISP_IP_1 weight 200
neighbor ISP_IP_1 distribute-list ISP-in in
neighbor ISP_IP_1 distribute-list ISP-out out
neighbor ISP_IP_2 remote-as 8359
neighbor ISP_IP_2 weight 100
neighbor ISP_IP_2 distribute-list ISP-in in
neighbor ISP_IP_2 distribute-list ISP-out out
neighbor ISP_IP_2 route-map set-as-path out
exit
6. Write configuration
do wr
Configuring BGP on Juniper SRX 220H
1. Interfaces
set interfaces ge-0/0/1
set interfaces ge-0/0/1 unit 0 description ISP-1
set interfaces ge-0/0/1 unit 0 family inet address EXT_IP_1
set interfaces ge-0/0/1 unit 0 family inet filter input SCANEX_IN_ISP1_FILTER
set interfaces ge-0/0/2
set interfaces ge-0/0/2 unit 0 description ISP-2
set interfaces ge-0/0/2 unit 0 family inet address EXT_IP_2
set interfaces ge-0/0/2 unit 0 family inet filter input SCANEX_IN_ISP2_FILTER
set interfaces ge-0/0/3
set interfaces ge-0/0/3 unit 0 description My Global
set interfaces ge-0/0/3 unit 0 family inet address 91.208.39.1/24
set interfaces ge-0/0/3 unit 0 family inet filter input SCANEX_IN_GL_NET_FILTER
2. Static routes
When BGP starts or is reloaded the routing table is empty, and downloading the full table of global routes takes about two minutes. The solution is to set the main ISP as a static default gateway.
set routing-options static route 0.0.0.0/0 next-hop ISP_IP_1
3. Security Zones
set security zones security-zone ISPs host-inbound-traffic system-services ping
set security zones security-zone ISPs host-inbound-traffic protocols bgp
set security zones security-zone ISPs interfaces ge-0/0/1.0
set security zones security-zone ISPs interfaces ge-0/0/2.0
set security zones security-zone SCANEX_GL_NET_LAN host-inbound-traffic system-services ping
set security zones security-zone SCANEX_GL_NET_LAN interfaces ge-0/0/3.0
4. Security Policies
set security policies default-policy permit-all
5. Policy Options
## term 1 extends the return path through the secondary ISP by prepending our AS; it must accept, otherwise the prefix is never announced
set policy-options policy-statement ASPREPEND term 1 from route-filter 91.208.39.0/24 exact
set policy-options policy-statement ASPREPEND term 1 then as-path-prepend "47668 47668 47668 47668 47668 47668"
set policy-options policy-statement ASPREPEND term 1 then accept
set policy-options policy-statement ASPREPEND term 2 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ASPREPEND term 2 then reject
set policy-options policy-statement ASPREPEND term 3 then reject
## term 1 rejects our own prefix (and any more specific of it) if an ISP sends it back to us
set policy-options policy-statement ISP-in term 1 from route-filter 91.208.39.0/24 orlonger
set policy-options policy-statement ISP-in term 1 then reject
## terms 2-4 defend against possible ISP mistakes; 'orlonger' also catches more specific private prefixes, 'exact' would not
set policy-options policy-statement ISP-in term 2 from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement ISP-in term 2 then reject
set policy-options policy-statement ISP-in term 3 from route-filter 172.16.0.0/12 orlonger
set policy-options policy-statement ISP-in term 3 then reject
set policy-options policy-statement ISP-in term 4 from route-filter 10.0.0.0/8 orlonger
set policy-options policy-statement ISP-in term 4 then reject
## term 5 accepts everything else (the full table)
set policy-options policy-statement ISP-in term 5 from route-filter 0.0.0.0/0 orlonger
set policy-options policy-statement ISP-in term 5 then accept
set policy-options policy-statement ISP-out term 1 from route-filter 91.208.39.0/24 exact
set policy-options policy-statement ISP-out term 1 then accept
set policy-options policy-statement ISP-out term 2 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP-out term 2 then reject
set policy-options policy-statement ISP-out term 3 then reject
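The Cisco distribute-lists (ISP-in / ISP-out) and the Junos policy statements above implement the same idea, reject private and own prefixes inbound and announce only our own prefix outbound, but with different match semantics: a Cisco standard ACL compares the bits left uncovered by the wildcard mask, while a Junos route-filter matches 'exact' or 'orlonger'. The following is an added example, not part of the original article or of either vendor's software: it reimplements both match types in plain Python and runs them over constructed sample announcements, which shows, among other things, that 'exact' on 10.0.0.0/8 lets 10.1.0.0/16 through while 'orlonger' rejects it, and that the wildcard 0.255.255.255 covers a whole /8 rather than a /16.

```python
"""Evaluate the article's inbound/outbound BGP prefix filters with Cisco
wildcard-ACL and Junos route-filter semantics (added example; sample prefixes
are constructed)."""
import ipaddress


def wildcard_match(prefix, acl_addr, wildcard):
    """Cisco ACL semantics: address bits where the wildcard has a 0 must match."""
    net = ipaddress.ip_network(prefix, strict=False).network_address
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(net) & mask) == (int(ipaddress.ip_address(acl_addr)) & mask)


# Mirrors of 'ip access-list standard ISP-in' and 'ISP-out': (action, address, wildcard)
CISCO_ISP_IN = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "91.208.39.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # 'permit any'
]
CISCO_ISP_OUT = [("permit", "91.208.39.0", "0.0.0.255")]


def cisco_acl(acl, prefix):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, addr, wildcard in acl:
        if wildcard_match(prefix, addr, wildcard):
            return action == "permit"
    return False


def route_filter_match(prefix, filter_prefix, match_type):
    """Junos route-filter: 'exact' equals the filter, 'orlonger' is the filter or a subnet of it."""
    if filter_prefix is None:          # term without a 'from' clause matches everything
        return True
    p = ipaddress.ip_network(prefix, strict=False)
    f = ipaddress.ip_network(filter_prefix, strict=False)
    if match_type == "exact":
        return p == f
    if match_type == "orlonger":
        return p.subnet_of(f)
    raise ValueError(f"unsupported match type {match_type}")


# Mirrors of the ISP-in and ISP-out policy statements: (filter prefix, match type, action)
JUNOS_ISP_IN = [
    ("91.208.39.0/24", "orlonger", "reject"),
    ("192.168.0.0/16", "orlonger", "reject"),
    ("172.16.0.0/12", "orlonger", "reject"),
    ("10.0.0.0/8", "orlonger", "reject"),
    ("0.0.0.0/0", "orlonger", "accept"),
]
# Same terms written with 'exact', to show what that match type actually covers.
JUNOS_ISP_IN_EXACT = [(fp, "exact", action) for fp, _, action in JUNOS_ISP_IN]
JUNOS_ISP_OUT = [
    ("91.208.39.0/24", "exact", "accept"),
    ("0.0.0.0/0", "exact", "reject"),
    (None, None, "reject"),
]


def junos_policy(terms, prefix, default_accept=True):
    """First matching term decides; a route matching no term gets the default
    action (for BGP import that is accept, which is why 'exact' terms leak)."""
    for filter_prefix, match_type, action in terms:
        if route_filter_match(prefix, filter_prefix, match_type):
            return action == "accept"
    return default_accept


def compare_inbound(prefix):
    """(Cisco ISP-in, Junos ISP-in orlonger, Junos ISP-in exact) verdicts for one announcement."""
    return (cisco_acl(CISCO_ISP_IN, prefix),
            junos_policy(JUNOS_ISP_IN, prefix),
            junos_policy(JUNOS_ISP_IN_EXACT, prefix))


if __name__ == "__main__":
    # Constructed announcements: a legitimate prefix, a leaked private more-specific,
    # our own prefix coming back, and a more specific of our own prefix.
    for sample in ("8.8.8.0/24", "10.1.0.0/16", "91.208.39.0/24", "91.208.39.128/25"):
        print(sample, compare_inbound(sample))
```

The third column of the output is the one to watch: with 'exact' the leaked 10.1.0.0/16 and the more-specific 91.208.39.128/25 both fall through to the BGP default of accept, which is exactly the ISP mistake the filter is meant to stop.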
6. BGP
set protocols bgp group MTS_BGP type external
## There is no Weight attribute in the Junos world (Weight is Cisco proprietary); a route preference above the eBGP default of 170 makes routes from this group less preferred
set protocols bgp group MTS_BGP preference 180
set protocols bgp group MTS_BGP import ISP-in
## export policies are evaluated as a chain: ASPREPEND prepends and accepts our prefix, ISP-out rejects everything else
set protocols bgp group MTS_BGP export [ ASPREPEND ISP-out ]
set protocols bgp group MTS_BGP neighbor ISP_IP_2 peer-as 8359
set protocols bgp group MCNTT_BGP type external
set protocols bgp group MCNTT_BGP import ISP-in
set protocols bgp group MCNTT_BGP export ISP-out
set protocols bgp group MCNTT_BGP neighbor ISP_IP_1 peer-as 8629
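The Cisco 'neighbor weight' / route-map 'set as-path prepend' configuration and the Junos 'preference' / ASPREPEND policy above steer traffic in two directions: outbound, the router prefers routes learned on the ISP-1 session; inbound, the rest of the Internet prefers the path through ISP-1 because the path through ISP-2 has been made longer. The following is an added example, not part of the original article: a small model of the first steps of the BGP decision process (weight, local preference, AS_PATH length) run over constructed routes. The junos_weight function and the tie-break by list order are simplifications of this model, not vendor behaviour; the AS numbers per session follow the router configuration above.

```python
"""Model the outbound (weight/preference) and inbound (AS-path prepend) traffic
engineering from the article (added example; routes are constructed)."""
from dataclasses import dataclass

OUR_AS = 47668
ISP1_AS = 8629   # peer on ISP_IP_1 in the article's router configuration
ISP2_AS = 8359   # peer on ISP_IP_2


@dataclass
class Route:
    prefix: str
    as_path: list      # first element is the AS that sent the route
    via: str           # session the route came from: 'ISP-1' or 'ISP-2'
    weight: int = 0    # Cisco 'neighbor weight', higher wins
    local_pref: int = 100


def junos_weight(preference):
    """Put Junos route preference (lower wins, eBGP default 170) on the same
    higher-wins scale as Cisco weight. Assumption of this model only."""
    return 1000 - preference


def advertise(to_isp_as, prepend_times=0):
    """AS_PATH a third party sees for our prefix via one ISP: the ISP's own AS,
    then our AS once plus 'prepend_times' extra copies ('set as-path prepend')."""
    return [to_isp_as] + [OUR_AS] * (1 + prepend_times)


def best_path(routes):
    """Highest weight, then highest local-pref, then shortest AS_PATH. Equal keys
    fall back to the route listed first (stand-in for the later tie-breakers)."""
    return max(routes, key=lambda r: (r.weight, r.local_pref, -len(r.as_path)))


def inbound_selection(isp1_up=True, isp2_up=True, prepend_times=5):
    """Which ISP a remote AS (constructed: it peers with both ISPs and sees only
    AS_PATH differences) uses to reach 91.208.39.0/24."""
    routes = []
    if isp1_up:
        routes.append(Route("91.208.39.0/24", advertise(ISP1_AS), "ISP-1"))
    if isp2_up:
        routes.append(Route("91.208.39.0/24", advertise(ISP2_AS, prepend_times), "ISP-2"))
    return best_path(routes).via


def outbound_selection(cisco=True):
    """Which session our router uses for a prefix learned from both ISPs with
    equal AS_PATH length: Cisco weights 200/100 or Junos preference 170/180."""
    if cisco:
        w_isp1, w_isp2 = 200, 100
    else:
        w_isp1, w_isp2 = junos_weight(170), junos_weight(180)   # MCNTT default, MTS 180
    routes = [
        Route("0.0.0.0/0", [ISP2_AS], "ISP-2", weight=w_isp2),   # listed first on purpose
        Route("0.0.0.0/0", [ISP1_AS], "ISP-1", weight=w_isp1),
    ]
    return best_path(routes).via


if __name__ == "__main__":
    print("inbound, both ISPs up:      ", inbound_selection())
    print("inbound, ISP-1 down:        ", inbound_selection(isp1_up=False))
    print("inbound, without prepending:", inbound_selection(prepend_times=0), "(tie, decided by later tie-breakers)")
    print("outbound, Cisco weights:    ", outbound_selection())
    print("outbound, Junos preference: ", outbound_selection(cisco=False))
```

Prepending only lengthens the path; it does not stop ISP-2 from carrying traffic when ISP-1 is unreachable, which is what makes it suitable for a backup link. Keep in mind that a remote network with its own local-preference policy toward one of the ISPs will ignore the AS_PATH length, so prepending is a strong hint, not a guarantee.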
7. Firewall
## term 1 drops packets with private (RFC 1918) source addresses coming from the Internet
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_ISP1_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_ISP1_FILTER term 1 then discard
## term 2 allows the BGP session from the ISP router only
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from source-address ISP_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from protocol tcp
set firewall filter SCANEX_IN_ISP1_FILTER term 2 from destination-port 179
set firewall filter SCANEX_IN_ISP1_FILTER term 2 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 3 from tcp-established
set firewall filter SCANEX_IN_ISP1_FILTER term 3 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 4 from protocol icmp
set firewall filter SCANEX_IN_ISP1_FILTER term 4 then accept
## term 5: nothing else may reach the SRX's own addresses
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP1_FILTER term 5 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_ISP1_FILTER term 5 then discard
set firewall filter SCANEX_IN_ISP1_FILTER term 100 from destination-address 91.208.39.0/24
set firewall filter SCANEX_IN_ISP1_FILTER term 100 then accept
set firewall filter SCANEX_IN_ISP1_FILTER term 200 then discard
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_ISP2_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_ISP2_FILTER term 1 then discard
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from source-address ISP_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from protocol tcp
set firewall filter SCANEX_IN_ISP2_FILTER term 2 from destination-port 179
set firewall filter SCANEX_IN_ISP2_FILTER term 2 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 3 from tcp-established
set firewall filter SCANEX_IN_ISP2_FILTER term 3 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 4 from protocol icmp
set firewall filter SCANEX_IN_ISP2_FILTER term 4 then accept
## term 5 must list all of the SRX's own addresses, including 91.208.39.1, or term 100 would let traffic to the SRX through
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_ISP2_FILTER term 5 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_ISP2_FILTER term 5 then discard
set firewall filter SCANEX_IN_ISP2_FILTER term 100 from destination-address 91.208.39.0/24
set firewall filter SCANEX_IN_ISP2_FILTER term 100 then accept
set firewall filter SCANEX_IN_ISP2_FILTER term 200 then discard
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 10.0.0.0/8
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 172.16.0.0/12
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 from source-address 192.168.0.0/16
set firewall filter SCANEX_IN_GL_NET_FILTER term 1 then discard
set firewall filter SCANEX_IN_GL_NET_FILTER term 2 from tcp-established
set firewall filter SCANEX_IN_GL_NET_FILTER term 2 then accept
set firewall filter SCANEX_IN_GL_NET_FILTER term 3 from protocol icmp
set firewall filter SCANEX_IN_GL_NET_FILTER term 3 then accept
## don't forget to add ssh access to SRX
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address 91.208.39.1
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address EXT_IP_1
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 from destination-address EXT_IP_2
set firewall filter SCANEX_IN_GL_NET_FILTER term 4 then discard
## term 100: only our own prefix may be a source address on the way out (anti-spoofing, as in the Cisco ACL)
set firewall filter SCANEX_IN_GL_NET_FILTER term 100 from source-address 91.208.39.0/24
set firewall filter SCANEX_IN_GL_NET_FILTER term 100 then accept
set firewall filter SCANEX_IN_GL_NET_FILTER term 200 then discard
8. Commit
commit