06-junos bgp and policy
TRANSCRIPT
-
8/10/2019 06-Junos Bgp and Policy
1/99
JUNOS BGP and Policy
-
8/10/2019 06-Junos Bgp and Policy
2/99
JUNOS BGP Basics and Policy This Presentation will show examples of BGP Policies
covering: BGP Show Commands
BGP Tracing
Juniper BGP Policy Basics
Import/Export Policies
Route Reflectors
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 2
Local Preference MED
Communities
Next Hop Self
AS Path Regular Expressions
Route-filters
Prefix Lists
Test and View Policies
-
8/10/2019 06-Junos Bgp and Policy
3/99
Juniper Default Route Preference
Values
Route Source Default Preference
direct /local 0
Static 5RSVP 7
LDP 9
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 3
OSPF internal route 10IS-IS Level 1 15
IS-IS Level 2 18
Redirects 30
Generated or aggregate 130
OSPF AS external routes 150
BGP 170
-
8/10/2019 06-Junos Bgp and Policy
4/99
Cisco Default Administrative Distances
Route Source Default Preference
Connected interface 0
Static route 1External BGP 20
EIGRP (internal) 90
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 4
OSPF 110
ISIS 115
RIP 120
EGP 140
EIGRP (external) 170
Internal BGP 200
Unknown 255
-
8/10/2019 06-Junos Bgp and Policy
5/99
BGP Route Selection Process (Juniper) Can the BGP next-hop (BNH) be reached?
If Yes, proceed
If No, stop processing
Prefer the path with the higher local preference.
Prefer the path with the shorter AS path.
Prefer the path with lower Origin code.
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 5
.
Prefer paths learned via EBGP over routes via IBGP
Prefer the path with the lower IGP metric to BGP next-hop
Prefer paths where BNH is resolved in inet.3 over inet.0
Prefer paths where BNH has greater number of equal costpaths
Prefer paths with the shortest cluster-List length
Prefer the path with lower router ID (RID)
Prefer the path with the lower peer IP address.
-
8/10/2019 06-Junos Bgp and Policy
6/99
BGP Soft configuration
Default on Juniper
Must be turned on for Cisco
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 6
-
8/10/2019 06-Junos Bgp and Policy
7/99
BGP Show Commands
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 7
-
8/10/2019 06-Junos Bgp and Policy
8/99
Show BGP Routesuser@host> show route protocol bgp ?
Possible completions:
Execute this command
Destination prefix and mask information
advertising-protocol Information transmitted by a particular routingprotocol
aspath-regex Entries learned via a specific AS path
best Show longest match
brief Brief view
community List of communities to match, including wildcards
damped Entries that have been suppressed due to route
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 8
detail Detailed viewexact Show exact match
extensive Extensive view
inactive Inactive entries
next-hop Entries pointing to a particular next hop
output Entries sending packets out a particular interface
range Show entire prefix range
receive-protocol Information learned from a particular routing
protocolsource-gateway Entries learned from a particular router
table Entries in a particular routing table
terse Terse view
-
8/10/2019 06-Junos Bgp and Policy
9/99
BGP Information Several commands display a wide variety of BGP
information either from the protocol itself or from
BGP routes
user@host> show bgp ?
Possible com letions:
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 9
group Show the BGP group databaseneighbor Show the BGP neighbor database
summary Show an overview of the BGP
information
-
8/10/2019 06-Junos Bgp and Policy
10/99
Show BGP Neighboruser@host> show bgp neighbor
Peer: 11.1.1.2+179 AS 29 Local: 11.1.1.1+1048 AS 29
Type: Internal State: Established Flags:
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Options: Holdtime: 90 Preference: 170
Number of flaps: 1
Error: "Cease" Sent: 1 Recv: 0
Peer ID: 11.1.1.2 Local ID: 0.0.0.0 Active Holdtime: 90
NLRI advertised by peer: unicast
NLRI for this session: unicast
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 10
Group B t: Sen state: n sync
Table inet.0Active Prefixes: 0
Received Prefixes: 0
Suppressed due to damping: 0
Table inet.2
Active Prefixes: 0
Received Prefixes: 0
Suppressed due to damping: 0
Last traffic (seconds): Received 25 Sent 21 Checked 21Input messages: Total 4143 Updates 0 Octets 78717
Output messages: Total 4156 Updates 10 Octets 79303
Output Queue[0]: 0
Output Queue[1]: 0
-
8/10/2019 06-Junos Bgp and Policy
11/99
Show BGP Summary show bgp summary
View basic information about all BGP neighbors
user@host> show bgp summaryGroups: 12 Peers: 26 Unestablished peers: 2
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dn State|#Act/Recv/Da
131.103.0.2 45 1225 55263 50511 0 18:22:14 47769/50591/0
192.168.1.1 33 911 0 0 0 18:22:27 Active
192.168.1.97 23 10458 2201 41043 0 18:22:03 0/0/0
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 11
. . .
InPkt Number of packets received from the peer.
OutPkt Number of packets sent to the peer.
OutQ Count of the number of BGP packets that are queued to be transmitted to a particular neighbor. It normally
is 0 because the queue usually is emptied quickly.
Last Up/Down time since the neighbor transitioned to or from the established state.
-
8/10/2019 06-Junos Bgp and Policy
12/99
Show BGP Next Hopjuniper@R1> show route table inet.0 hidden detail
inet.0: 20 destinations, 20 routes (18 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both
10.1.0.0/32 (1 entry, 0 announced)
BGP Preference: 170/-101
Next hop type: Unusable
State:
Local AS: 65501 Peer AS: 65501
Age: 24:23 Metric2: 0
Task: BGP_65501.192.168.254.4+179
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 12
BGP next hop: 172.16.1.2
Localpref: 100
Router ID: 192.168.254.4
10.2.0.0/32 (1 entry, 0 announced)
BGP Preference: 170/-101
Next hop type: Unusable
State:
Local AS: 65501 Peer AS: 65501
Age: 24:23 Metric2: 0
Task: BGP_65501.192.168.254.4+179
AS path: 65520 I
BGP next hop: 172.16.1.2
Localpref: 100
Router ID: 192.168.254.4
-
8/10/2019 06-Junos Bgp and Policy
13/99
Show BGP Routes show route receive-protocolbgp
Look at routes received by a peer beforepolicy is
applieduser@host> show route receive-protocol bgp 11.1.1.1
inet.0: 6 destinations, 6 routes (5 active, 0 holddown, 1 hidden)
Prefix Nexthop MED Lclpref AS path
10.0.0.0/8 11.1.1.1 100 I
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 13
. . . . . .
show route advertising-protocolbgp Look at routes being advertised to a specific peer
user@host> show route advertising-protocol bgp 11.1.1.2
inet.0: 10 destinations, 10 routes (8 active, 0 holddown, 2 hidden)
Prefix Nexthop MED Lclpref AS path
10.0.0.0/8 Self 100 I
172.16.0.0/12 Self 100 I
-
8/10/2019 06-Junos Bgp and Policy
14/99
Looking at Specific Routes show route extensive
Look at specific entries in the routing table
user@host> show route 172.16.0.0 extensiveinet.0: 6 destinations, 6 routes (5 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
172.16.0.0/12 (1 entry, 1 announced)
TSI:
BGP_Sync_Any dest 172.16.0.0/12 MED 0
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 14
*BGP Preference: 170/-101
Nexthop: 11.1.1.1 via fxp0.0, selected
State:
Local AS: 29 Peer AS: 29
Age: 1d 9:46:54 Metric2: 0
Task: BGP_29.11.1.1.1+1048
Announcement bits (2): 0-KRT 2-BGP_Sync_Any
AS path: I
BGP next hop: 11.1.1.1
Localpref: 100
Router ID: 172.18.1.1
-
8/10/2019 06-Junos Bgp and Policy
15/99
BGP Tracing
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 15
-
8/10/2019 06-Junos Bgp and Policy
16/99
General Tracing Tracing for each software feature shares similar
configuration
[edit feature-name]
user@host# show
traceoptions {
file filename [replace] [size size] [files number] [no-stamp];
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 16
flag flag [flag-modifier] [disable];
}
Each feature allows tracing to only one file
You can trace multiple options (flags) to each file
-
8/10/2019 06-Junos Bgp and Policy
17/99
General Tracing General Flags
allAll tracing operations
generalAll normal operations and routing table changes (combination
of normal and route)normalAll normal operations
policyRouting policy operations and actions
routeRouting table changes
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 17
taskInterface transactions and processingtimerTimer usage
ModifiersdetailDetailed trace information
receivePackets being receivedsendPackets being transmitted
-
8/10/2019 06-Junos Bgp and Policy
18/99
BGP Tracing Configuration parameters for tracing under BGP
[edit protocols bgp]
user@host# showtraceoptions {
file filename [replace] [size size] [files number] [no-stamp];
flag flag [flag-modifier] [disable];
}
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 18
-
8/10/2019 06-Junos Bgp and Policy
19/99
Trace Flags for BGP[edit protocols bgp traceoptions]
user@host# set flag ?
Possible completions:
all Trace everythingaspath Trace aspath regular expression operations
damping Trace damping operations
general Trace general events
keepalive Trace BGP keepalive events
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 19
normal Trace normal events
open Trace BGP open packets
packets Trace all BGP protocol packets
policy Trace policy processing
route Trace routing information
state Trace state transitions
task Trace routing protocol task processing
timer Trace routing protocol timer processing
update Trace BGP update packets
-
8/10/2019 06-Junos Bgp and Policy
20/99
BGP Tracing Example[edit protocols]
user@host# show
bgp {
damping;
traceoptions {
file BGP-Events;
flag normal;
}
rou external {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 20
type external;
peer-as 54;
neighbor 11.1.1.1 {
traceoptions {
file problem-neighbor;
flag damping detail;
}}
}
}
-
8/10/2019 06-Junos Bgp and Policy
21/99
View Logs and Traces By default, trace files are stored in /var/log
Viewing stored log files
user@host> show log
total 5778
-rw-r--r-- 1 root bin 1429 Feb 25 10:11 BGP-Events
-rw-r--r-- 1 root bin 17734 Feb 17 17:26 bgp.log
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 21
- - -- -- -
-rw-r--r-- 1 root bin 486 Feb 25 10:11 critical-rw-r--r-- 1 root bin 793495 Feb 25 10:11 dcd
-rw-r--r-- 1 root bin 999987 Feb 2 09:55 dcd.0
-rw-r--r-- 1 root bin 999956 Jan 15 11:35 dcd.1
-rw-r--r-- 1 root bin 41217 Feb 25 10:51 general-routing
-rw-rw-r-- 1 root wheel 56056 Feb 25 10:11 lastlog
-rw-rw-r-- 1 root wheel 20519 Jan 8 10:18 messages
-rw-r--r-- 1 root bin 4095 Feb 25 10:05 ospf-log
-rw-r--r-- 1 root bin 438 Feb 25 10:05 problem-neighbor
-
8/10/2019 06-Junos Bgp and Policy
22/99
View Logs and Traces View a specific log
user@host> show log filename
Exampleuser@host> show log dcdFeb 25 10:06:13 Test /kernel: fxp0: link down
Feb 25 10:06:20 Test /kernel: fxp1: link up, speed = 10000000,
linktype = 1
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 22
, ,= 0x1e1,
prtnr = 0x21, expan = 0x0, exten = 0x400
Feb 25 10:11:08 Test /kernel: fxp1: link down
Feb 25 10:11:10 Test /kernel: fxp0: link up, speed = 10000000,linktype = 1
Feb 25 10:11:10 Test /kernel: fxp0: bmcr = 0x1000, status = 0x782d, ad
= 0x1e1,
prtnr = 0x21, expan = 0x0, exten = 0x400
[additional information]
-
8/10/2019 06-Junos Bgp and Policy
23/99
Monitor Traces Use themonitor CLI command to view real-time log
information
user@host>monitor (start | stop) filenames
Shows new entries in monitored files until canceled
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 23
Like Unix tail -f
-
8/10/2019 06-Junos Bgp and Policy
24/99
Monitor Example
user@host>monitor start system-log
*** system-log***
Jul 20 15:07:34 hang sshd[5845]: log: Generating 768 bit RSA key.
Jul 20 15:07:35 hang sshd[5845]: log: RSA key generation complete.
Jul 20 15:07:35 hang sshd[5845]: log: Connection from 204.69.248.180 port 912
Jul 20 15:07:37 hang sshd[5845]: log: RSA authentication for root accepted.
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 24
Jul 20 15:07:37 hang sshd[5845]: log: ROOT LOGIN as 'root' from snowcone.jimbo.com
Jul 20 15:07:37 hang sshd[5847]: log: executing remote command as root: scp -t /tmp
Jul 20 15:07:37 hang sshd[5845]: log: Closing connection to 14.32.69.5
-
8/10/2019 06-Junos Bgp and Policy
25/99
Delete Traces To stop a tracing operation, delete the trace flag
or disable it
[edit protocols bgp traceoptions]
user@host# delete flag open
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 25
-
8/10/2019 06-Junos Bgp and Policy
26/99
Establish EBGP and IBGP peers
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 26
-
8/10/2019 06-Junos Bgp and Policy
27/99
Establish BGP Peers
EBGP Peering
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 27
AS 100SmallNet
AS 200BigNet
172.1.1.1 172.1.1.2
-
8/10/2019 06-Junos Bgp and Policy
28/99
Establish EBGP peers EBGP Example:
routing-options {
router-id 1.1.1.1;
autonomous-system 100;
}
protocols {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 28
bgp {
group AS200 {
type external;
description "EBGP Peer to BIGNET - AS200";
peer-as 200;
neighbor 172.1.1.2;
}}
}
-
8/10/2019 06-Junos Bgp and Policy
29/99
Establish EBGP peers EBGP Example:
routing-options {
router-id 2.2.2.2;
autonomous-system 200;
}
protocols {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 29
bgp {
group AS100 {
type external;
description "EBGP Peer to SmallNet AS100";
peer-as 100;
neighbor 172.1.1.1;
}}
}
-
8/10/2019 06-Junos Bgp and Policy
30/99
Establish iBGP Peers
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 30
IBGP Peering
AS 100
-
8/10/2019 06-Junos Bgp and Policy
31/99
Local-address Address to establish and accept TCP sessions from a peer
Without local-address, the TCP connection is sourced fromthe physical interface
Just like Ciscos update-source loopback0
protocols {
bgp {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 31
group InternalPeers {
type internal;
local-address 1.1.1.1;
neighbor 2.2.2.2;
neighbor 3.3.3.3;
neighbor 4.4.4.4;
neighbor 5.5.5.5;
}
}
}
-
8/10/2019 06-Junos Bgp and Policy
32/99
Establish IBGP peers IBGP Example:
routing-options {
router-id 1.1.1.1;autonomous-system 100;
}
protocols {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 32
group InternalPeers {type internal;
local-address 1.1.1.1;
neighbor 2.2.2.2;
neighbor 3.3.3.3;
neighbor 4.4.4.4;neighbor 5.5.5.5;
}
}
}
-
8/10/2019 06-Junos Bgp and Policy
33/99
JUNOS BGP Policy Basics
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 33
-
8/10/2019 06-Junos Bgp and Policy
34/99
When to Apply PolicyYou do not want to importall learned routes into
the routing table
You do not want to advertiseall learned routes toneighboring routers
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 34
You want one protocol to receive routes fromanother protocol (redistribution)
You want to modify information (attributes)associated with a route
-
8/10/2019 06-Junos Bgp and Policy
35/99
JUNOS BGP Route Advertisement JUNOS software default BGP
advertisement rules
Active routes only
All BGP learned routes (except IBGP rule)
Advertise-inactive knob available
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 35
Export policies needed toAdvertise static routes
Advertise aggregate routes
Advertise default route
Redistribute other routes to BGP
-
8/10/2019 06-Junos Bgp and Policy
36/99
BGP Default Policy BGP
Import
All routes learned from BGP neighbors Export
Transmit all routes learned from BGP neighbors to all BGPneighbors
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 36
Only active routes can be exported
-
8/10/2019 06-Junos Bgp and Policy
37/99
Import vs Export Import Policy
Apply an import routing policy to control the routes that
the routing protocol process uses to determine activeroutes.
Affect routes that BGP receives froma neighbor.
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 37
Export Policy Apply an export routing policy to control the routes that
a BGP advertises toits neighbors.
-
8/10/2019 06-Junos Bgp and Policy
38/99
Import vs Export
Neighbors
Routingtable
Neighbors
ImportRoutes Routes
Export
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 38
Protocol
Forwardingtable
Protocol
PFE
-
8/10/2019 06-Junos Bgp and Policy
39/99
Applying Policy BGP global filter syntax
protocols {bgp {
export [policy-list ];
import [policy-list ];
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 39
}}
-
8/10/2019 06-Junos Bgp and Policy
40/99
Import Policy Use Example:
protocols {
bgp {
group SomeRegional.ISP {
type external;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 40
multihop;
import customer-routes;
peer-as 500;
neighbor 6.6.6.6;}
}
}
-
8/10/2019 06-Junos Bgp and Policy
41/99
Export Policy Use Example:
protocols {
bgp {
local-address 5.5.5.5;
group Internal-Peers {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 41
type internal;
export nexthopself;
neighbor 2.2.2.2;
neighbor 1.1.1.1;
neighbor 9.9.9.9;
-
8/10/2019 06-Junos Bgp and Policy
42/99
You can have both Import/Exportprotocols {
bgp {
local-address 5.5.5.5;
group Some-Customer {
import customer-routes;
export advertise-policy;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 42
type external;
neighbor 2.2.2.2;
neighbor 1.1.1.1;
neighbor 9.9.9.9;}
}}
-
8/10/2019 06-Junos Bgp and Policy
43/99
Configuring Policy Policies are made up of terms
Terms are made up of match conditions and
actions Match conditions can be split into from and to
parts
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 43
PolicyPolicy
TermTerm
MatchMatchconditioncondition
ActionAction
TermTerm
MatchMatchconditioncondition
ActionAction
-
8/10/2019 06-Junos Bgp and Policy
44/99
Basic Policy syntaxpolicy-options {
policy-statementpolicy-name{term term-name{
from {match-conditions;
}
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 44
t en
action;}
}final-action;
}}
-
8/10/2019 06-Junos Bgp and Policy
45/99
Match Conditions General
Route metrics
Metric
Preference
Color
Interface name
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 45
Neighbor address Next-hop address
Protocol
bgp, direct, dvmrp, isis, local, mpls, ospf,
pim-dense, pim-sparse, rip, static, aggregate
-
8/10/2019 06-Junos Bgp and Policy
46/99
Match Conditions Some match conditions are protocol specific
OSPF Area ID, external type
Tag and tag2 fields
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 46
Level number BGP
Autonomous system path (AS path)
Community name
Local preference Origin
-
8/10/2019 06-Junos Bgp and Policy
47/99
Match Actions Modify
Metric
(protocol specific) Preference
(global routing preference)
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 47
Next-hop address
-
8/10/2019 06-Junos Bgp and Policy
48/99
Match Actions Modify
OSPF
Type 1 or type 2 external link advertisement Tag and tag2 fields
BGP
Pre end AS ath
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 48
Add, delete, or set community Change route damping parameters
Change local preference value
Change protocol origin
-
8/10/2019 06-Junos Bgp and Policy
49/99
Policy Match Actions Terminate
Accept route
Reject (or suppress) route
Flow Control
Skip to next policy
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 49
Skip to next term
Trace
Log the match to a trace file, continue processingterm
-
8/10/2019 06-Junos Bgp and Policy
50/99
Policy Match Examplepolicy-statement advertise-policy {
term advertise {
from community transit;then next policy;
}
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 50
erm ca c -a
then reject;
}
-
8/10/2019 06-Junos Bgp and Policy
51/99
Policy Terms Policies contain collections of terms
Terms contain a condition and an action to
apply to each route
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 51
Route Term
Accept
Reject
Term
Accept
Reject
...Lastterm
Nextpolicy
Accept
Reject
-
8/10/2019 06-Junos Bgp and Policy
52/99
Policy Terms Example:
policy-statement advertise-policy {
term advertise {from community transit;
then accept;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 52
term do-not-advertise {from community Tier-1;
then reject;
}
term catch-all {then reject;
}
-
8/10/2019 06-Junos Bgp and Policy
53/99
Chained Policies Policies can be chained together to increase their
effectiveness
Accept Accept Accept Accept
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 53
Route Policy
Reject
Policy
Reject
... Lastpolicy Defaultpolicy
Reject Reject
-
8/10/2019 06-Junos Bgp and Policy
54/99
Chained Policies Example:
protocols {
bgp {
group Regional.ISP.AS47 {
type external;
multihop;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 54
import [martian-filter long-prefix-filter as-47-filter ];
peer-as 500;
neighbor 6.6.6.6;
Policies are done sequentially.
-
8/10/2019 06-Junos Bgp and Policy
55/99
BGP Filtering points
BGP has three filtering points
Global Groups of neighbors
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 55
Neighbor policy overrides group and global policies
Group policy overrides global policy
-
8/10/2019 06-Junos Bgp and Policy
56/99
BGP Filtering points
protocols {
bgp {
export nexthopself1;
local-address 5.5.5.5;
group Internal-Peers {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 56
neighbor 2.2.2.2;neighbor 1.1.1.1;
neighbor 9.9.9.9;}
}}
-
8/10/2019 06-Junos Bgp and Policy
57/99
-
8/10/2019 06-Junos Bgp and Policy
58/99
BGP Filtering points
protocols {
bgp {
local-address 5.5.5.5;
group Internal-Peers {
type internal;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 58
. . .
neighbor 1.1.1.1;export nexthopself3;
neighbor 9.9.9.9;}
}}
-
8/10/2019 06-Junos Bgp and Policy
59/99
BGP Filtering points
protocols {
bgp {
local-address 5.5.5.5;
group Internal-Peers {
export nexthopself;
type internal;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 59
ne g or . . . ;
neighbor 1.1.1.1;export localpref;
-
8/10/2019 06-Junos Bgp and Policy
60/99
Advertising Networks
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 60
d i i k
-
8/10/2019 06-Junos Bgp and Policy
61/99
Advertising Networks
A network that resides within an AS is saidto originate from that network. To inform
other ASs about its networks, the ASadvertises them. BGP provides three ways
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 61
originates: Redistributing Dynamic Routes
Redistributing Static Routes
Redistributing Aggregates
R di t ib ti D i R t
-
8/10/2019 06-Junos Bgp and Policy
62/99
Redistributing Dynamic Routes
protocols {
bgp {
group peer-to-someNET {
export redistribute-ospf;
peer-as 9999;neighbor 23.43.12.16;
}
}
}
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 62
policy-options {
policy-statement redistribute-ospf {from {
protocol ospf;
}
then accept;
}
}
BAD BAD BAD BAD
-
8/10/2019 06-Junos Bgp and Policy
63/99
C t th t ti t
-
8/10/2019 06-Junos Bgp and Policy
64/99
Create the static route
routing-options {
static {
route 9.0.0.0/8 discard;
}
}
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 64
Reject
Drop packets to destination; send ICMP unreachables
Discard Drop packets to destination; send no ICMP unreachables
Create a policy
-
8/10/2019 06-Junos Bgp and Policy
65/99
Create a policy
policy-options {
policy-statement redistribute-static {
from {
protocol static;
route-filter 9.0.0.0/8 exact;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 65
then accept;}
}
Export the policy
-
8/10/2019 06-Junos Bgp and Policy
66/99
Export the policy
protocols {
bgp {
group peer-to-BIGNET {
export redistribute-static;
peer-as 9999;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 66
}}
}
The whole config
-
8/10/2019 06-Junos Bgp and Policy
67/99
The whole config
routing-options {
static {
route 9.0.0.0/8 discard;
}
}protocols {
bgp {
group peer-to-BIGNET {
ex ort redistribute-static;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 67
peer-as 9999;
neighbor 23.43.12.16;}
}
}
policy-options {
policy-statement redistribute-static {
from {protocol static;
route-filter 9.0.0.0/8 exact;
}
then accept;
}
}
Redistributing Aggregate Routes
-
8/10/2019 06-Junos Bgp and Policy
68/99
Redistributing Aggregate Routes
Route aggregation allows you to combinegroups of routes with common addresses
into a single entry in the routing table.
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 68
s ecreases e s ze o e rou ng a e
as well as the number of routeadvertisements sent by the router.
Redistributing Aggregate Routes
-
8/10/2019 06-Junos Bgp and Policy
69/99
Redistributing Aggregate Routes
An aggregate route becomes active when ithas one or more contributing routes.
A contributing route is an active route that
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 69
s a more spec c ma c or e aggrega e
destination.
Redistributing Aggregate Routes
-
8/10/2019 06-Junos Bgp and Policy
70/99
Redistributing Aggregate Routes
routing-options {
aggregate {
route 9.0.0.0/8;
}
}protocols {
bgp {
group peer-to-BIGNET {
ex ort redistribute-a re ates;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 70
peer-as 9999;
neighbor 23.43.12.16;}
}
}
policy-options {
policy-statement redistribute-aggregates {
from {protocol aggregate;
route-filter 9.0.0.0/8 exact;
}
then accept;
}
}
Route Filter
-
8/10/2019 06-Junos Bgp and Policy
71/99
Route Filter
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 71
Route Filter
-
8/10/2019 06-Junos Bgp and Policy
72/99
Route Filter
To specify route prefixes in policies, include oneor more route-filter options in the from statementof the policy-statement statement
Multiple route filters in a single term
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 72
Route Filters
-
8/10/2019 06-Junos Bgp and Policy
73/99
Route Filters
[]
term term-name {
from {route-filterprefix/prefix-length match-type ;
[]
}
;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 73
[]
Match type can be
Exact, orlonger, longer, upto, through
Multiple route filters in a single term
Evaluation of route filters has special rules
Route Filter Example 1
-
8/10/2019 06-Junos Bgp and Policy
74/99
Route Filter Example 1
Create the Policy on the gateway routerpolicy-options {
policy-statementAS600customer-routes {
term routes-to-accept {
from {
protocol BGP;
route-filter 1.0.0.0/8 exact;
-Logical
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 74
route-filter 3.0.0.0/8 exact;
route-filter 4.0.0.0/8 exact;}
then accept;
}
term reject-routes {
then reject;}
function
Route Filter Example 1
-
8/10/2019 06-Junos Bgp and Policy
75/99
Route Filter Example 1
Apply the policy on the gateway routerprotocols {
bgp {
group As600Regional.ISP {type external;
multihop;
-
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 75
peer-as 500;
neighbor 6.6.6.6;
Route Filter Match Action
-
8/10/2019 06-Junos Bgp and Policy
76/99
Route Filter Match Action
term term-name {
from {
route-filter dest-prefix match-type;
route-filter dest-prefix match-type;[]
}
then
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 76
}
If the route matches the filter and an action isspecified, it takes effect immediately and the
then portion of the term is ignored
If one or more patterns match and no action isspecified, the then portion is executed
Route Filter Match Action
-
8/10/2019 06-Junos Bgp and Policy
77/99
term term-name {
from {
route-filter dest-prefix match-type ;
route-filter dest-prefix match-type ;
route-filter dest-prefix match-type ;
[]
}
Logical
ORfunction
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 77
;
}
Multiple filters with similar prefixes match the longestprefix
Action associated with longest filter is performed
Route Filter Example 2
-
8/10/2019 06-Junos Bgp and Policy
78/99
p
Create the Policy on the gateway routerpolicy-options {
policy-statementAS600customer-routes {
term routes-to-accept {
from {
protocol BGP;
route-filter 1.0.0.0/8 exact reject;
-
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 78
route-filter 3.0.0.0/8 exact;
route-filter 4.0.0.0/8 exact;}
then accept;
}
term reject-routes {
then reject;}
Match Typesexact
-
8/10/2019 06-Junos Bgp and Policy
79/99
Exactly match a single prefix and prefix length
term sample {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 79
from route-filter 192.168/16 exact;
then accept;}
Includes192.168.0.0/16
ExcludesEverything else
Match Typesorlonger
-
8/10/2019 06-Junos Bgp and Policy
80/99
Greater than or equal to
Match a range of routes having themost-significant bits in common as described by the prefix
length
term sample {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 80
from route-filter 192.168/16 orlonger;
then accept;}
Includes192.168.0.0/16 192.168.12.4/30
192.168.0.0/17 192.168.12.128/32
192.168.4.0/24
Excludes192.0.0.0/8 192.169.1.0/24
192.170.0.0/16
Match Typeslonger
-
8/10/2019 06-Junos Bgp and Policy
81/99
Match a range of routes having themost-significant bits in common as described bythe prefix length, except the exact match
Greater than
term sample {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 81
from route-filter 192.168/16 longer;
then accept;}
Includes192.168.12.4/30
192.168.0.0/17 192.168.12.128/32
192.168.4.0/24
Excludes192.0.0.0/8 192.169.1.0/24
192.170.0.0/16 192.168.0.0/16
Match Typesupto
-
8/10/2019 06-Junos Bgp and Policy
82/99
Match a range of routes having themost-significant bits in common as described by the firstprefix length, but not exceeding the second prefix length
term sample {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 82
from route-filter 192.168/16 upto /24;
then accept;}
Includes192.168.0.0/16
192.168.0.0/17
192.168.4.0/24
Excludes192.0.0.0/8 192.169.1.0/24
192.170.0.0/16 192.168.5.4/30
192.168.12.128/32
Match Typesthrough
-
8/10/2019 06-Junos Bgp and Policy
83/99
Match a contiguous set of routes from the firstprefix-prefix length pair to the secondprefix-prefix length pair
Not used very oftencovers a corner case
term sample {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 83
from route-filter 192.168/16 through 192.168.16/20;
then accept;}
Includes192.168.0.0/16 192.168.0.0/19
192.168.0.0/17 192.168.16.0/20
192.168.0.0/18
Excludes192.168.128.0/17 192.168.0.0/20
192.168.192.0/18
192.168.224.0/19
Route Filter Example 3
-
8/10/2019 06-Junos Bgp and Policy
84/99
This policy will reject routes with a destination prefix of 0.0.0.0and a mask length from 0 through 8, and accept all other routes:
[edit]
policy-options {
policy-statement from-hall2 {
term 1 {
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 84
from {
route-filter 0.0.0.0/0 upto 0.0.0.0/8 reject;}
}
then accept;
Route Filter Example 4
-
8/10/2019 06-Junos Bgp and Policy
85/99
Reject all unwanted routes (Martians):
policy-options {
policy-statement reject-unwanted-routes {
term drop-bogus-routes {
from {
route-filter 0/0 exact; # Default
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 85
route- ter or onger; oop ac s
route-filter 10/8 orlonger; # Reserved A block
route-filter 172.16/12 orlonger; # Reserved B block
route-filter 192.168/16 orlonger; # Reserved C block
route-filter 224/4 orlonger; # Multicast
route-filter 192.0/16 orlonger; # IANA reserved-2
}
then reject;
-
8/10/2019 06-Junos Bgp and Policy
86/99
Prefix List
-
8/10/2019 06-Junos Bgp and Policy
87/99
You can define and name a set of IP addressprefixes and use them in the configuration forrouting policy statements and firewall filters.
Note: Per-prefix policy actions cannot be applied
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 87
to individual prefixes in the list or to the collection
of prefixes in the list. It is all or nothing.
Prefix List Example
-
8/10/2019 06-Junos Bgp and Policy
88/99
Create the named prefix list
[edit policy-options]
prefix-list ISP1-acceptable-routes {
1.0.0.0/8;
2.0.0.0/8;
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 88
. . .
}
Prefix List Example
-
8/10/2019 06-Junos Bgp and Policy
89/99
Use the named prefix list in a policypolicy-statement customer-routes {
term routes-to-accept {
from {prefix-list ISP1-acceptable-routes;
}
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 89
then accept;
}term reject-routes {
then reject;
}
then next policy;
Route Reflectors
-
8/10/2019 06-Junos Bgp and Policy
90/99
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 90
BGP Route Reflection (example)
-
8/10/2019 06-Junos Bgp and Policy
91/99
Route Reflection
Non-clientpeers
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 91
IBGP Peering
RouteReflectors
Reflector
Clients
Reflector
Clients
Cluster2.2.2.2
Cluster1.1.1.1
-
8/10/2019 06-Junos Bgp and Policy
92/99
no-client-reflect
-
8/10/2019 06-Junos Bgp and Policy
93/99
RouteReflector
Non-clientpeers
Non-clientpeers
Clients are fully
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 93
IBGP Peering
RouteReflectorClients
RouteReflectorClients
RouteReflectorClients
es e
Cluster1.1.1.1
no-client-reflect
-
8/10/2019 06-Junos Bgp and Policy
94/99
protocols {
bgp {
export static-to-bgp;
group ibgp {
type internal;
local-address 2.2.2.2;peer-as 100;
neighbor 5.5.5.5;
}
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 94
group rrc uster
type internal;
local-address 2.2.2.2;no-client-reflect;
cluster 192.128.1.1;
peer-as 100;
neighbor 1.1.1.1;
neighbor 3.3.3.3;
}
}
Test and View Policies
-
8/10/2019 06-Junos Bgp and Policy
95/99
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 95
Test and View Policies
-
8/10/2019 06-Junos Bgp and Policy
96/99
Test how policies respond to individual prefixes
Not all match conditions are supported Generally useful for matching route
filter-style policies
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 96
to protocol xxxcanno e eva ua e an a ways
passes
Default protocol policies are not evaluated
Test and View Policies
-
8/10/2019 06-Junos Bgp and Policy
97/99
Given the policypolicy-options {
policy-statement lab-routes {
from {
route-filter default exact reject;route-filter 10.0.0.0/8 orlonger accept;
route-filter 192.0.2.0/24 orlonger accept;
}
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 97
then reject;
}
}
Test it against all routes in tableuser@host# run test policy lab-routes 0.0.0.0/0
Test it against a specific route
user@host# run test policy lab-routes 10.49.0.0/16
Test and View Policies
-
8/10/2019 06-Junos Bgp and Policy
98/99
Use the show policy command to view each
policyuser@host> show policy
Configured policies:
lab-routes
user@host> show policy lab-routes
Policy lab-routes:
Juniper Networks, Inc. Copyright 2000 - Proprietary & Confidential 98
from
0.0.0.0/0 reject
10.0.0.0/8 orlonger accept192.0.2.0/24 orlonger accept
then reject
user@host>
-
8/10/2019 06-Junos Bgp and Policy
99/99
Thank you!