Saturday, February 7, 2015

Juniper Lab Environment - Part I - Basic eBGP, and Routing Policy

I have been working in my lab for quite some time to test out different scenarios. I thought it would be useful to share a step-by-step design, and some of the different exercises I have gone through. The first part in this series of blog posts will cover a basic topology that consists of two vSRXs in my lab network, and a PA-200 that resides at the perimeter of my home network. The goal of this particular post is to use eBGP to interconnect the two vSRX firewalls (SRX1 and SRX3) and then inject a default route that will allow us to ping out to the internet from SRX3.


The following should be noted prior to moving forward:
  • The vSRX is a firewall. As such, security zones and policies must be configured. This and subsequent posts assume that the basic security features (zones/policies) have already been configured; I will show that portion of the configuration in this post only.
  • The PA-200 that resides on the perimeter of my home network required a route that points back to my lab network. This will not be covered.
  • Some of the configuration items in these posts are for lab purposes only and may or may not be applicable/best practice in a production environment. Always consult a professional prior to making changes in a production environment!
SRX1 Configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.234.234.20/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.13.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 65001
set routing-options static route 0.0.0.0/0 next-hop 10.234.234.1
set protocols bgp group 1 type external
set protocols bgp group 1 peer-as 65003
set protocols bgp group 1 neighbor 10.10.13.3
set policy-options policy-statement static term 1 from protocol static
set policy-options policy-statement static term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement static term 1 then accept
set protocols bgp group 1 export static

The important thing to remember about routing policy is that all actions are performed from the perspective of the routing table: an import policy controls what a protocol is allowed to place into the routing table, and an export policy controls what is taken out of the routing table and handed to a protocol. In this case, there is a static default route in the routing table whose next hop is the trust interface of the PA-200. The policy statement static is applied as an export policy because we are exporting that static route from the routing table to BGP; without it, BGP's default export policy would advertise only BGP-learned routes. This will allow us to see the default route on SRX3.
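To make the evaluation order concrete, here is an added example (my own, not Junos code or anything from the original post) that models how the `static` export policy above is applied to SRX1's routing table: each term's match conditions are ANDed, terms are tried in order, and a route that matches no term falls through to BGP's default export policy, which advertises only BGP-learned routes. The routing table is constructed from the SRX1 configuration, plus one extra static route (192.0.2.0/24, a documentation prefix that is not on the page) to show why the `exact` match type matters; it also goes slightly beyond the page by supporting the `longer` and `orlonger` route-filter match types.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical, simplified model of Junos routing-policy evaluation.
# Added example code; it is not Junos and not from the original post.


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "0.0.0.0/0"
    protocol: str    # "static", "direct", "local", "bgp", ...
    next_hop: str


@dataclass(frozen=True)
class Term:
    name: str
    protocol: Optional[str] = None                   # from protocol <x>
    route_filter: Optional[Tuple[str, str]] = None   # from route-filter <prefix> <match-type>
    action: str = "accept"                           # then accept | reject


def route_filter_matches(route_prefix: str, filter_prefix: str, match_type: str) -> bool:
    """Junos route-filter match types modelled here: exact, longer, orlonger."""
    r = ipaddress.ip_network(route_prefix)
    f = ipaddress.ip_network(filter_prefix)
    if match_type == "exact":
        return r == f
    if match_type == "orlonger":
        return r.subnet_of(f)
    if match_type == "longer":
        return r.subnet_of(f) and r.prefixlen > f.prefixlen
    raise ValueError(f"unsupported match type: {match_type}")


def term_matches(term: Term, route: Route) -> bool:
    # Every match condition in a term must be true for the term to match
    # (this model allows one route-filter per term).
    if term.protocol is not None and route.protocol != term.protocol:
        return False
    if term.route_filter is not None:
        prefix, match_type = term.route_filter
        if not route_filter_matches(route.prefix, prefix, match_type):
            return False
    return True


def evaluate_bgp_export(policy: List[Term], route: Route) -> str:
    # Terms are evaluated in order; the first matching term decides.
    # Routes matching no term fall through to the BGP default export
    # policy, which advertises only BGP-learned routes.
    for term in policy:
        if term_matches(term, route):
            return term.action
    return "accept" if route.protocol == "bgp" else "reject"


def routes_exported_to_bgp(policy: List[Term], routing_table: List[Route]) -> List[str]:
    return [r.prefix for r in routing_table if evaluate_bgp_export(policy, r) == "accept"]


# Constructed routing table modelled on SRX1's configuration, plus one extra
# static route (192.0.2.0/24) that is NOT on the page, added to show that the
# `exact` route-filter keeps it out of BGP.
SRX1_INET0 = [
    Route("0.0.0.0/0", "static", "10.234.234.1"),
    Route("1.1.1.1/32", "direct", "lo0.0"),
    Route("10.234.234.0/24", "direct", "ge-0/0/0.0"),
    Route("10.10.13.0/24", "direct", "ge-0/0/1.0"),
    Route("192.0.2.0/24", "static", "10.234.234.1"),
]

# policy-statement static term 1 from protocol static
# policy-statement static term 1 from route-filter 0.0.0.0/0 exact
# policy-statement static term 1 then accept
STATIC_POLICY = [Term("1", protocol="static", route_filter=("0.0.0.0/0", "exact"))]

# A looser variant (not on the page) that would also export the second static route.
LOOSE_POLICY = [Term("1", protocol="static", route_filter=("0.0.0.0/0", "orlonger"))]

if __name__ == "__main__":
    print("exported with `exact`:   ", routes_exported_to_bgp(STATIC_POLICY, SRX1_INET0))
    print("exported with `orlonger`:", routes_exported_to_bgp(LOOSE_POLICY, SRX1_INET0))
```

With the page's policy only 0.0.0.0/0 is handed to BGP; the direct routes are rejected by the default export policy, and the extra static route is rejected because `exact` does not match it. Switching the match type to `orlonger` would advertise both static routes, which is the kind of unintended leak a tight route-filter prevents.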

set security zones security-zone home host-inbound-traffic system-services all
set security zones security-zone home host-inbound-traffic protocols all
set security zones security-zone home interfaces ge-0/0/0.0
set security zones security-zone home interfaces lo0.0
set security zones security-zone lab host-inbound-traffic system-services all
set security zones security-zone lab host-inbound-traffic protocols all
set security zones security-zone lab interfaces ge-0/0/1.0
set security policies from-zone lab to-zone lab policy default-permit match source-address any
set security policies from-zone lab to-zone lab policy default-permit match destination-address any
set security policies from-zone lab to-zone lab policy default-permit match application any
set security policies from-zone lab to-zone lab policy default-permit then permit
set security policies from-zone home to-zone home policy default-permit match source-address any
set security policies from-zone home to-zone home policy default-permit match destination-address any
set security policies from-zone home to-zone home policy default-permit match application any
set security policies from-zone home to-zone home policy default-permit then permit
set security policies from-zone lab to-zone home policy default-permit match source-address any
set security policies from-zone lab to-zone home policy default-permit match destination-address any
set security policies from-zone lab to-zone home policy default-permit match application any
set security policies from-zone lab to-zone home policy default-permit then permit
set security policies from-zone home to-zone lab policy default-permit match source-address any
set security policies from-zone home to-zone lab policy default-permit match destination-address any
set security policies from-zone home to-zone lab policy default-permit match application any
set security policies from-zone home to-zone lab policy default-permit then permit
set security nat source rule-set 1 from zone lab
set security nat source rule-set 1 to zone home
set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1 then source-nat interface

SRX3 Configuration:

set interfaces ge-0/0/2 unit 0 family inet address 10.10.13.3/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32
set routing-options router-id 3.3.3.3
set routing-options autonomous-system 65003
set protocols bgp group 1 type external
set protocols bgp group 1 peer-as 65001
set protocols bgp group 1 neighbor 10.10.13.1
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces lo0.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit

Verification from SRX3:

root@3> show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted
10.10.13.1            65001       5619       5628       0       6 1d 17:22:45 1/1/1/0              0/0/0/0

root@3> show route receive-protocol bgp 10.10.13.1

inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               10.10.13.1                              65001 I

root@3> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/170] 00:14:10, localpref 100
                      AS path: 65001 I
                    > to 10.10.13.1 via ge-0/0/2.0
3.3.3.3/32         *[Direct/0] 05:52:13
                    > via lo0.0
10.10.13.0/24      *[Direct/0] 05:51:57
                    > via ge-0/0/2.0
10.10.13.3/32      *[Local/0] 05:51:58
                      Local via ge-0/0/2.0

root@3> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=10.330 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=6.143 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=10.245 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.414/10.752/12.200/1.574 ms
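SRX3 carries no import policy, so Junos' default import policy accepts every route SRX1 advertises; in this lab that is fine, but it means the verification output above is the only place an unexpected prefix would show up. The following is an added example (my own code, not from the original post or from Juniper) that parses the two verification commands and flags a peer that is not established or a received prefix other than the expected default from AS 65001. The sample output is constructed to match the format shown on the page; the 192.0.2.0/24 entry (a documentation prefix) is added only to exercise the check and does not appear on the page. All function names are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample output, modelled on the `show bgp summary` and
# `show route receive-protocol bgp` output captured on SRX3 above.
# The 192.0.2.0/24 entry is constructed to exercise the check.
BGP_SUMMARY_SAMPLE = """\
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted
10.10.13.1            65001       5619       5628       0       6 1d 17:22:45 1/1/1/0              0/0/0/0
"""

RECEIVED_SAMPLE = """\
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               10.10.13.1                              65001 I
* 192.0.2.0/24            10.10.13.1                              65001 65010 I
"""

# One peer line of `show bgp summary`: peer, AS, InPkt, OutPkt, OutQ, Flaps,
# Last Up/Dwn (optionally prefixed by a days/weeks field), then the state column.
PEER_LINE = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+(?P<asn>\d+)\s+\d+\s+\d+\s+\d+\s+(?P<flaps>\d+)\s+"
    r"(?P<uptime>(?:[\dwd]+ )?\d+:\d+:\d+)\s+(?P<state>\S+)"
)


def parse_bgp_summary(text: str) -> Dict[str, dict]:
    """Return {peer: {as, flaps, established}} from `show bgp summary` text.

    An established session shows Active/Received/Accepted/Damped counts in the
    State column; any other value (Active, Connect, Idle, ...) means it is down.
    """
    peers = {}
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if m is None:
            continue
        established = re.fullmatch(r"\d+/\d+/\d+/\d+", m["state"]) is not None
        peers[m["peer"]] = {"as": int(m["asn"]), "flaps": int(m["flaps"]),
                            "established": established}
    return peers


def parse_received_routes(text: str) -> List[dict]:
    """Return [{prefix, nexthop, as_path}] from `show route receive-protocol` text.

    MED and Lclpref may be blank, so the AS path is taken from the tokens that
    start at (or just before) the header's 'AS path' column.
    """
    routes = []
    as_col = None
    for line in text.splitlines():
        if "AS path" in line:
            as_col = line.index("AS path")
            continue
        if as_col is None or not line.strip():
            continue
        fields = [m for m in re.finditer(r"\S+", line) if m.group() != "*"]
        if len(fields) < 3 or "/" not in fields[0].group():
            continue
        as_path = " ".join(m.group() for m in fields[2:] if m.start() >= as_col - 4)
        routes.append({"prefix": fields[0].group(), "nexthop": fields[1].group(),
                       "as_path": as_path})
    return routes


def audit_received_routes(routes: List[dict], peer_as: int,
                          allowed_prefixes: set) -> List[str]:
    """Flag anything the peer sent that this lab design does not expect."""
    findings = []
    for r in routes:
        if r["prefix"] not in allowed_prefixes:
            findings.append(f"unexpected prefix {r['prefix']} from {r['nexthop']} "
                            f"(AS path {r['as_path']})")
        if r["as_path"].split()[0] != str(peer_as):
            findings.append(f"{r['prefix']}: AS path does not start with peer AS {peer_as}")
    return findings


if __name__ == "__main__":
    peers = parse_bgp_summary(BGP_SUMMARY_SAMPLE)
    print("peers:", peers)
    routes = parse_received_routes(RECEIVED_SAMPLE)
    print("received:", routes)
    for finding in audit_received_routes(routes, 65001, {"0.0.0.0/0"}):
        print("FINDING:", finding)
```

Run against the page's real output the audit returns nothing, because the only received prefix is 0.0.0.0/0 with AS path 65001 I; the constructed second prefix produces one finding. The same check is what an import policy on SRX3 would enforce at the protocol level instead of after the fact.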
