Multiple eBGP setup on Single Juniper SRX

  • 1.  Multiple eBGP setup on Single Juniper SRX

    Posted 11-02-2020 10:39

    We have a standard setup where we run BGP with ISP to learn default route and LAN device is directly connected to Juniper SRX with /29. We run /31 with ISP. 

     

    A requirement has come through where customer wants to run eBGP with us. So it's Juniper SRX - eBGP-> customer firewall to advertise more routes to Juniper and then we will have to update ISP to include these additional routes in their allowed prefix. This looks very easy with OSPF to learn customer routes and then redistribute OSPF to BGP and then these routes will be advertised to upstream ISP. I would like to know if SRX allows multiple AS instances on same router and how to run eBGP with customer when we are already running eBGP with upstream carrier.

     

    Here is our simple BGP config with ISP

     

    show configuration protocols bgp
    group ISP {
        type external;
        family inet {
            unicast;
        }
        export connected-static;
        peer-as ABC;
        local-as 65500;
        neighbor 172.31.255.89;
    }

     

     

    Can someone advise if the additional AS config below would work:

     

    show | compare
    [edit protocols bgp]

    + group customer {
    + type external;
    + family inet {
    + unicast;
    + }
    + export connected-static;
    + peer-as 65501;
    + local-as 65500;

     

     

    Also how can we put filters on to only import routes that we only allow from customer?

     

    Any advice would be much appreciated.

     

     

    Thanks


    + neighbor 192.168.1.30;
    + }
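
Review bot: the customer group carries no import statement, so nothing in this change limits which prefixes are accepted from neighbor 192.168.1.30; add an import policy to the group (for example a prefix-list or route-filter covering only the customer's agreed ranges) before committing. The group also reuses export connected-static, the same export policy applied to the ISP group, so check that everything that policy matches is meant to be advertised to the customer as well.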



  • 2.  Re: Multiple eBGP setup on Single Juniper SRX

    Posted 11-02-2020 16:38

    From the configuration snippet you shared, it seems you are using the same AS "AS65500" for both peerings. Instead of using the local-as knob, you can configure the AS with "set routing-options autonomous-system 65500".

     

    Furthermore, in regards to controlling the routes that are imported from customer you can configure a policy and apply the policy in import of the concerned customer peering. 



  • 3.  Re: Multiple eBGP setup on Single Juniper SRX

    Posted 11-02-2020 22:58

    Hello,

     


    simon.widdup@gmail.com wrote:

    I would like to know if SRX allows multiple AS instances on same router


     

    You don't need multiple ASN on the SRX router UNLESS Your SRX router needs to present itself as AS 65500 to ISP, and a different AS, say, 6600, to customer. Which is not the case according to Your shared config.

     

     


    simon.widdup@gmail.com wrote:

     

    Also how can we put filters on to only import routes that we only allow from customer?

     

     

    You need to use import policy on customer BGP peering. Example config below:

     

     

    set policy-options policy-statement PL-CUST-BGP term 1 from route-filter 192.168/16 prefix-length-range /16-/24
    set policy-options policy-statement PL-CUST-BGP term 1 then accept
    set policy-options policy-statement PL-CUST-BGP term else then reject
    set protocols bgp group customer import PL-CUST-BGP

     

     

     

    The above example policy restricts customer BGP prefixes to those that fall into 192.168/16 range with netmasks from /16 to /24. The purpose of netmask restriction is to reject copious small subnets (/30,/31,/32) that could be injected into Your SRX router.

     


    simon.widdup@gmail.com wrote:

    we will have to update ISP to include these additional routes in their allowed prefix.


     

    Then please update Your ISP export policy titled "connected-static" to include customer BGP routes.

     

    HTH

    Thx

    Alex 
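
Added example, not part of the thread and not Juniper code: a small Python model of the PL-CUST-BGP import policy quoted in the reply above, run over constructed announcements to show which prefixes it would accept or reject before the policy is committed. It parses only the route-filter form used in the thread (prefix-length-range); the function names and sample prefixes are assumptions.

```python
import ipaddress
import re

# Policy lines copied from the reply above.
POLICY_LINES = """\
set policy-options policy-statement PL-CUST-BGP term 1 from route-filter 192.168/16 prefix-length-range /16-/24
set policy-options policy-statement PL-CUST-BGP term 1 then accept
set policy-options policy-statement PL-CUST-BGP term else then reject
"""

def expand(prefix):
    """Expand Junos shorthand such as 192.168/16 to 192.168.0.0/16."""
    addr, length = prefix.split("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + length)

def parse_terms(text):
    """Return terms in configured order: {name: {"filter": (net, lo, hi) or None, "action": str}}."""
    terms = {}
    for line in text.splitlines():
        m = re.match(r"set policy-options policy-statement \S+ term (\S+) (.*)", line)
        if not m:
            continue
        term = terms.setdefault(m.group(1), {"filter": None, "action": None})
        rf = re.match(r"from route-filter (\S+) prefix-length-range /(\d+)-/(\d+)", m.group(2))
        if rf:
            term["filter"] = (expand(rf.group(1)), int(rf.group(2)), int(rf.group(3)))
        elif m.group(2).startswith("then "):
            term["action"] = m.group(2).split()[1]
    return terms

def evaluate(prefix, terms):
    """First matching term wins; a term with no 'from' condition matches every route."""
    net = ipaddress.ip_network(prefix)
    for term in terms.values():
        flt = term["filter"]
        if flt is None or (net.subnet_of(flt[0]) and flt[1] <= net.prefixlen <= flt[2]):
            return term["action"]
    return "accept"  # no term matched: modelled as the Junos default BGP import behaviour

# Constructed sample announcements, not taken from the thread.
SAMPLES = ["192.168.10.0/24", "192.168.0.0/16", "192.168.1.28/30",
           "192.168.1.30/32", "10.0.0.0/8", "0.0.0.0/0"]

if __name__ == "__main__":
    terms = parse_terms(POLICY_LINES)
    for p in SAMPLES:
        print(f"{p:<18} {evaluate(p, terms)}")
```

Removing the `term else` line from `POLICY_LINES` makes every sample outside 192.168/16 fall through to the final `accept`, which is why the explicit reject term matters on a customer-facing peering.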

     

     



  • 4.  Re: Multiple eBGP setup on Single Juniper SRX

    Posted 11-03-2020 01:16

    Thanks for your suggestion.

     

    Are you saying config I added is correct and all I need to do is just update filters to import from customer?

    So we can use same AS 65500 and peer with both ISP and customer using config I pasted above and we don't need to tweak anything else?

     

    Please confirm

     



  • 5.  Re: Multiple eBGP setup on Single Juniper SRX

    Posted 11-03-2020 02:10

    Hello,

    I also advise You to follow best practice and remove line "local-as 65500" under both customer and ISP groups, and configure this line instead:

     

    set routing-options autonomous-system 65500

     

    Otherwise You could bump into unexpected behaviour in corner cases.

    HTH

    Thx

    Alex