Technical Tips and Tricks: juniper bgp policy

Saturday, February 7, 2015

Juniper Lab Environment - Part II - Basic OSPF, & Routing Policy

This post is a continuation of my last post, which consisted of a simple BGP configuration that connected my home network to my lab. The second part in this series of blog posts will cover a topology that consists of four vSRXs in my lab network, and a PA-200 that resides at the perimeter of my home network. The goal of this post is to build an OSPF network and then inject routes between protocols so that we can ping out to internet from SRX5.

SRX5 Configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.10.45.5/24
set interfaces lo0 unit 0 family inet address 5.5.5.5/32
set routing-options router-id 5.5.5.5
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0

SRX4 Configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.10.34.4/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.45.4/24
set interfaces lo0 unit 0 family inet address 4.4.4.4/32
set routing-options router-id 4.4.4.4
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0

SRX3 Configuration

set interfaces ge-0/0/1 unit 0 family inet address 10.10.34.3/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32
set routing-options router-id 3.3.3.3
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0

OSPF Verification:

root@3> show ospf database

OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Router *3.3.3.3 3.3.3.3 0x80000109 227 0x22 0x70e2 48
Router 4.4.4.4 4.4.4.4 0x80000102 2131 0x22 0x49b7 48
Router 5.5.5.5 5.5.5.5 0x800000f8 9 0x22 0x5f24 36
Network 10.10.34.4 4.4.4.4 0x800000f2 2124 0x22 0xc71a 32
Network 10.10.45.5 5.5.5.5 0x800000f1 470 0x22 0x7c4e 32

root@3> show ospf neighbor
Address Interface State ID Pri Dead
10.10.34.4 ge-0/0/1.0 Full 4.4.4.4 128 32

root@5> show ospf database

OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Router 3.3.3.3 3.3.3.3 0x80000109 422 0x22 0x70e2 48
Router 4.4.4.4 4.4.4.4 0x80000102 2324 0x22 0x49b7 48
Router *5.5.5.5 5.5.5.5 0x800000f8 200 0x22 0x5f24 36
Network 10.10.34.4 4.4.4.4 0x800000f2 2317 0x22 0xc71a 32
Network *10.10.45.5 5.5.5.5 0x800000f1 661 0x22 0x7c4e 32

root@5> show ospf neighbor
Address Interface State ID Pri Dead
10.10.45.4 ge-0/0/0.0 Full 4.4.4.4 128 35

root@5> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.5.5.5/32         *[Direct/0] 1w1d 21:11:21
                    > via lo0.0
10.10.34.0/24      *[OSPF/10] 3d 14:41:29, metric 2
                    > to 10.10.45.4 via ge-0/0/0.0
10.10.45.0/24      *[Direct/0] 1w1d 21:11:10
                    > via ge-0/0/0.0
10.10.45.5/32      *[Local/0] 1w1d 21:11:10
                      Local via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 1w1d 21:11:26, metric 1
                      MultiRecv

Route Injection:

In the previous post, we exported a default route to BGP so that we could ping the internet from SRX3. We now need to export the same default route to OSPF so that we can also ping the internet from any router in area 0 of our OSPF network. As you can see above, SRX5 does not have a default route

SRX3 Configuration:

set policy-options policy-statement bgp term 1 from protocol bgp
set policy-options policy-statement bgp term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement bgp term 1 then accept
set protocols bgp export ospf

Default Route Verification:

root@5> show route

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[OSPF/150] 00:01:24, metric 0, tag 0
                    > to 10.10.45.4 via ge-0/0/0.0
5.5.5.5/32         *[Direct/0] 1w1d 21:11:21
                    > via lo0.0
10.10.34.0/24      *[OSPF/10] 3d 14:41:29, metric 2
                    > to 10.10.45.4 via ge-0/0/0.0
10.10.45.0/24      *[Direct/0] 1w1d 21:11:10
                    > via ge-0/0/0.0
10.10.45.5/32      *[Local/0] 1w1d 21:11:10
                      Local via ge-0/0/0.0
10.10.56.0/24      *[Direct/0] 10:06:18
                    > via ge-0/0/1.0
10.10.56.5/32      *[Local/0] 10:06:18
                      Local via ge-0/0/1.0
224.0.0.5/32       *[OSPF/10] 1w1d 21:11:26, metric 1
                      MultiRecv

root@5> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
0 packets transmitted, 0 packets received, 100% packet loss

Even though the default route is there now, we have to remember that SRX1 does not know about the OSPF network that we just created.

root@1> show route

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:04:13
                    > to 10.234.234.1 via ge-0/0/0.0
1.1.1.1/32         *[Direct/0] 00:04:25
                    > via lo0.0
10.10.13.0/24      *[Direct/0] 00:04:13
                    > via ge-0/0/1.0
10.10.13.1/32      *[Local/0] 00:04:14
                      Local via ge-0/0/1.0
10.234.234.0/24    *[Direct/0] 00:04:13
                    > via ge-0/0/0.0
10.234.234.20/32   *[Local/0] 00:04:14
                      Local via ge-0/0/0.0

Another policy that exports our OSPF networks to BGP should do it.

SRX3 Configuration:

set policy-options policy-statement ospf term 1 from protocol ospf
set policy-options policy-statement ospf term 1 from protocol direct
set policy-options policy-statement ospf term 1 then accept
set protocols bgp export ospf

OSPF Networks Verification:

root@1> show route

inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 04:31:35
> to 10.234.234.1 via ge-0/0/0.0
1.1.1.1/32 *[Direct/0] 04:31:47
> via lo0.0
3.3.3.3/32 *[BGP/170] 04:22:18, localpref 100
AS path: 65003 I
> to 10.10.13.3 via ge-0/0/1.0
10.10.13.0/24 *[Direct/0] 04:31:35
> via ge-0/0/1.0
[BGP/170] 04:22:18, localpref 100
AS path: 65003 I
> to 10.10.13.3 via ge-0/0/1.0
10.10.13.1/32 *[Local/0] 04:31:36
Local via ge-0/0/1.0
10.10.34.0/24 *[BGP/170] 04:22:18, localpref 100
AS path: 65003 I
> to 10.10.13.3 via ge-0/0/1.0
10.10.45.0/24 *[BGP/170] 04:22:18, MED 2, localpref 100
AS path: 65003 I
> to 10.10.13.3 via ge-0/0/1.0
10.234.234.0/24 *[Direct/0] 04:31:35
> via ge-0/0/0.0
10.234.234.20/32 *[Local/0] 04:31:36
Local via ge-0/0/0.0

Now let's try to ping the internet from SRX5.

root@5> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=51 time=12.184 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=8.414 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=12.200 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=10.210 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.414/10.752/12.200/1.574 ms

Juniper Lab Environment - Part I - Basic eBGP, and Routing Policy

I have been working in my lab for quite some time to test out different scenarios. I thought it would be useful to share a step-by-step design, and some of the different exercises I have gone through. The first part in this series of blog posts will cover a basic topology that consists of two vSRXs in my lab network, and a PA-200 that resides at the perimeter of my home network. The goal of this particular post is to use eBGP to interconnect the two vSRX firewalls (SRX1 and SRX3) and then inject a default route that will allow us to ping out to the internet from SRX3.

The following should be noted prior to moving forward:

The vSRX is a firewall. As such, it is required to configure security zones and policies. This and subsequent posts assume that the basic security features (zones/policies) have been already been configured. I will show that portion of the configuration in this post only.
The PA-200 that resides on the perimeter of my home network required a route that points back to my lab network. This will not be covered.
Some of the configuration items in these posts are for lab purposes only and may or may not be applicable/best practice in a production environment. Always consult a professional prior to making changes in a production environment!

SRX1 Configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.234.234.20/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.13.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 65001
set routing-options static route 0.0.0.0/0 next-hop 10.234.234.1
set protocols bgp group 1 type external
set protocols bgp group 1 peer-as 65003
set protocols bgp group 1 neighbor 10.10.13.3
set policy-options policy-statement static term 1 from protocol static
set policy-options policy-statement static term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement static term 1 then accept
set protocols bgp group 1 export static

The important thing to remember about routing policy is that all actions are performed from the perspective of the routing table. In this case, there is a default route in the routing table that has the trust interface of the PA-200 as the next hop. The policy statement static is applied as an export policy because we are exporting the static route we created to the BGP routing protocol. This will allow us to see the default route on SRX3.

set security zones security-zone home host-inbound-traffic system-services all
set security zones security-zone home host-inbound-traffic protocols all
set security zones security-zone home interfaces ge-0/0/0.0
set security zones security-zone home interfaces lo0.0
set security zones security-zone lab host-inbound-traffic system-services all
set security zones security-zone lab host-inbound-traffic protocols all
set security zones security-zone lab interfaces ge-0/0/1.0
set security policies from-zone lab to-zone lab policy default-permit match source-address any
set security policies from-zone lab to-zone lab policy default-permit match destination-address any
set security policies from-zone lab to-zone lab policy default-permit match application any
set security policies from-zone lab to-zone lab policy default-permit then permit
set security policies from-zone home to-zone home policy default-permit match source-address any
set security policies from-zone home to-zone home policy default-permit match destination-address any
set security policies from-zone home to-zone home policy default-permit match application any
set security policies from-zone home to-zone home policy default-permit then permit
set security policies from-zone lab to-zone home policy default-permit match source-address any
set security policies from-zone lab to-zone home policy default-permit match destination-address any
set security policies from-zone lab to-zone home policy default-permit match application any
set security policies from-zone lab to-zone home policy default-permit then permit
set security policies from-zone home to-zone lab policy default-permit match source-address any
set security policies from-zone home to-zone lab policy default-permit match destination-address any
set security policies from-zone home to-zone lab policy default-permit match application any
set security policies from-zone home to-zone lab policy default-permit then permit
set security nat source rule-set 1 from zone lab
set security nat source rule-set 1 to zone home
set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1 then source-nat interface

SRX3 Configuration:

set interfaces ge-0/0/2 unit 0 family inet address 10.10.13.3/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32
set routing-options router-id 3.3.3.3
set routing-options autonomous-system 65003
set protocols bgp group 1 type external
set protocols bgp group 1 peer-as 65001
set protocols bgp group 1 neighbor 10.10.13.1
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces lo0.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit

Verification from SRX3:

root@3> show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted
10.10.13.1            65001       5619       5628       0       6 1d 17:22:45 1/1/1/0              0/0/0/0

root@3> show route receive-protocol bgp 10.10.13.1

inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 0.0.0.0/0 10.10.13.1 65001 I

root@3> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[BGP/170] 00:14:10, localpref 100
AS path: 65001 I
> to 10.10.13.1 via ge-0/0/2.0
3.3.3.3/32 *[Direct/0] 05:52:13
> via lo0.0
10.10.13.0/24 *[Direct/0] 05:51:57
> via ge-0/0/2.0
10.10.13.3/32 *[Local/0] 05:51:58
Local via ge-0/0/2.0

root@3> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=10.330 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=6.143 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=10.245 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.414/10.752/12.200/1.574 ms