Routing


Advertising routes to BGP Peer

  • 1.  Advertising routes to BGP Peer

     
    Posted 03-23-2018 01:45

    Hi,

     

    I have BGP Peering as "Established" which is good and I am advertising the networks from the Cisco to Juniper as should be seen (in other words only the PE router is seeing the Cisco loopback interfaces I created to simulate Internet addressing). I can ping the loopback addresses from the CPE through the Juniper network, so that is awesome. What I am having a problem with is getting, or seeming to get, routes from the Juniper peer to the Cisco BGP peer routing table.

     

    So, my remit is to naturally block the physical ISP Data Network address range (that is used on the Network Interfaces).... I do need to advertise our customer networks and also the DNS server which sits within the "Blocked" network ..... So, I create the following Policy Statements:

     

    set policy-options policy-statement ninegroup1-network term 1 from route-filter 192.168.120.0/22 exact
    set policy-options policy-statement ninegroup1-network term 1 from route-filter 172.16.96.0/19 exact
    set policy-options policy-statement ninegroup1-network term 1 from route-filter 192.12.16.89/32 exact
    set policy-options policy-statement ninegroup1-network term 1 then accept

     

    To deny the internal network from being advertised I have configured the following:

     

    set policy-options policy-statement internal-block-ng from route-filter 192.12.16.0/24 orlonger

     

    I then apply to the BGP group:

    set protocols bgp group External-Peers export internal-block-ng

    set protocols bgp group External-Peers export ninegroup1-network

     

    However, I am not seeing any of the networks I am advertising on the Peer device?

     

    It is important to note that I am peering from the Cisco Loopback to the Juniper Loopback and have routes in place to those addresses. On the Juniper, as I mentioned, the Cisco BGP advertised networks are seen, and I have included the multihop commands.... so it should work...

     

    So, my questions are:

     

    1: Would I see the routes advertised even if there was no traffic on them yet?

    2: Am I blocking the 192.12.16.0 network correctly with the "orlonger" statement?

    3: If the answer to "2" is "yes" does that also block my DNS address from the other policy noted above?

    4: Am I configuring them correctly?

     

     



  • 2.  RE: Advertising routes to BGP Peer

    Posted 03-23-2018 02:21

    1: Would I see the routes advertised even if there was no traffic on them yet? -

    Yes, if the routes are active in your routing table, they will be advertised.

    2: Am I blocking the 192.12.16.0 network correctly with the "orlonger" statement? - 

     

    I think you have not mentioned the action in the command; I assume that is reject or discard. That config part is correct.

    3: If the answer to "2" is "yes" does that also block my DNS address from the other policy noted above?

     

    I believe BGP policies are processed in a sequential manner, hence if your reject policy is being hit first then obviously it will deny the traffic.

    You may use insert command to change the order in bgp groups of advertising.

     

    Or rather in a single policy you may add the 2nd term to reject orlonger routes.

     

    "set policy-options policy-statement ninegroup1-network term 1 from route-filter 192.168.120.0/22 exact
    set policy-options policy-statement ninegroup1-network term 1 from route-filter 172.16.96.0/19 exact
    set policy-options policy-statement ninegroup1-network term 1 from route-filter 192.12.16.89/32 exact
    set policy-options policy-statement ninegroup1-network term 1 then accept

    set policy-options policy-statement ninegroup1-network term 2 from route-filter 192.12.16.0/24 orlonger

    set policy-options policy-statement ninegroup1-network term 2 then reject"

     



  • 3.  RE: Advertising routes to BGP Peer

     
    Posted 03-23-2018 03:13

    Hi milindmistry,

     

    That makes sense.... Thank you.... Where I have a little confusion is here:

     

    I configure the following on the Juniper Core:

    set policy-options policy-statement test term 1 from route-filter 192.168.0.33/32 exact
    set policy-options policy-statement test term 1 then accept

     

    And in the BGP configuration:

    set protocols bgp group External-Peers type external
    set protocols bgp group External-Peers local-address 195.80.0.5
    set protocols bgp group External-Peers log-updown
    set protocols bgp group External-Peers import ebgp-martian
    set protocols bgp group External-Peers import ebgp-ipv6-martian-relaxed
    set protocols bgp group External-Peers family inet unicast
    set protocols bgp group External-Peers family inet6 unicast
    set protocols bgp group External-Peers export isis-default
    set protocols bgp group External-Peers export test
    set protocols bgp group External-Peers peer-as 3257
    set protocols bgp group External-Peers neighbor 192.168.195.1 multihop ttl 2

     

    In the routing table on the Juniper core I see that route as follows:

    192.168.0.32/30                       *[Direct/0] 21:50:47
                                                       > via ae2.0

     

    And on the Cisco Upstream Peer I see the following:

    BGP#show ip route 192.168.0.33
    % Subnet not in table

     

    And the BGP table:

    *> 0.0.0.0 192.168.0.5 0 20099 i
    *> 192.168.11.1/32 0.0.0.0 0 32768 i
    *> 192.168.12.1/32 0.0.0.0 0 32768 i
    *> 192.168.13.1/32 0.0.0.0 0 32768 i

     

    Yet, if I run a ping test to that network from the .33 address I get the following response:

    PING 192.168.11.1 (192.168.11.1): 56 data bytes
    64 bytes from 192.168.11.1: icmp_seq=0 ttl=254 time=1.434 ms
    64 bytes from 192.168.11.1: icmp_seq=1 ttl=254 time=0.790 ms
    64 bytes from 192.168.11.1: icmp_seq=2 ttl=254 time=0.863 ms

     

    All I can assume here is that the ICMP traffic is traversing the default 0.0.0.0/0 route...... This is where I am getting a little lost. I would have thought I was advertising that particular address correctly into BGP at the Juniper Core Peer, but yet it is not being seen at the upstream Cisco Peer....

     

    Thanks

     

     

     



  • 4.  RE: Advertising routes to BGP Peer
    Best Answer

    Posted 03-23-2018 03:21

    "I configure the following on the Juniper Core:

    set policy-options policy-statement test term 1 from route-filter 192.168.0.33/32 exact"

     

    Change the above command and see if you write it like this.

    set policy-options policy-statement test term 1 from route-filter 192.168.0.32/30 exact

     

    "In the routing table on the Juniper core I see that route as follows:

    192.168.0.32/30                       *[Direct/0] 21:50:47
                                                       > via ae2.0"

     

    Since you do not have an exact route of 192.168.0.33/32, it will not be advertised anyway.

     

     HTH

     



  • 5.  RE: Advertising routes to BGP Peer

     
    Posted 03-23-2018 03:52

    Bingo..... awesome.... although I really should have noticed that...... My bad.....

     

    Thank you for your help.



  • 6.  RE: Advertising routes to BGP Peer

     
    Posted 03-23-2018 07:52

    Hi Milindmistry

     

    Just a quick question....... don't worry, all is working.....

     

    When this goes live it is very important that certain networks are not advertised. These are /24 subnets that fall within a /19 supernet. For that, can I just confirm the following config would work:

    set policy-options policy-statement ninegroup-network term 2 from route-filter x.x.x.x/24 orlonger
    set policy-options policy-statement ninegroup-network term 2 from route-filter x.x.x.x/24 orlonger
    set policy-options policy-statement ninegroup-network term 2 from route-filter x.x.x.x/24 orlonger
    set policy-options policy-statement ninegroup-network term 2 from route-filter x.x.x.x/24 orlonger
    set policy-options policy-statement ninegroup-network term 2 from route-filter x.x.x.x/24 orlonger
    set policy-options policy-statement ninegroup-network term 2 from route-filter x.x.x.x/24 orlonger
    set policy-options policy-statement ninegroup-network term 2 from route-filter x.x.x.x/24 orlonger
    set policy-options policy-statement ninegroup-network term 2 from route-filter x.x.x.x/24 orlonger
    set policy-options policy-statement ninegroup-network term 2 from route-filter x.x.x.x/23 orlonger
    set policy-options policy-statement ninegroup-network term 2 from route-filter x.x.x.x/22 orlonger
    set policy-options policy-statement ninegroup-network term 2 then reject
    set policy-options policy-statement ninegroup-network term 3 from route-filter x.x.x.x/19 exact   ----  Supernet
    set policy-options policy-statement ninegroup-network term 3 then accept

     

    Sorry, I think the question I am asking is that these networks should not be advertised to the upstream peer? Given that they are not in the routing table anyway, then they will not be advertised. The /19 is actually a customer network but the "reject" addresses above fall within that /19 and are used on a different system being advertised through a different route.....

     

     

    ADD ON:    Please ignore this post. It is highly unlikely that a /19 address will be used anyway so it will never appear in the routing table and therefore never advertised. This will require adding the networks to as we go along.

     

    Thanks
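
The policy ordering discussed in reply 2 and the `exact` mismatch resolved in reply 4 can be checked offline with a small model of export-policy evaluation. This is an added example, not code from any poster in the thread or from Juniper: it is a simplified Python model, the function names are hypothetical, and the route protocols (static, bgp, direct) assigned to the test routes are assumptions.

```python
import ipaddress as ip

def filter_hit(route, filters):
    """Model of Junos route-filter lookup inside one term: pick the longest
    configured prefix that covers the route, then test only its match type."""
    r = ip.ip_network(route)
    covering = [(ip.ip_network(p), m) for p, m in filters
                if r.subnet_of(ip.ip_network(p))]
    if not covering:
        return False
    net, match_type = max(covering, key=lambda f: f[0].prefixlen)
    return r == net if match_type == "exact" else True  # orlonger: same or more specific

def evaluate(route, chain, protocol):
    """Walk the export chain in order; the first matching term that has a
    terminating action (accept/reject) decides. A term without one falls through."""
    for policy in chain:
        for filters, action in policy:
            if action and filter_hit(route, filters):
                return action
    # Default BGP export behaviour: only BGP-learned routes are advertised.
    return "accept" if protocol == "bgp" else "reject"

# Policies transcribed from the thread; each term is (route-filters, action).
ACCEPT_TERM = ([("192.168.120.0/22", "exact"), ("172.16.96.0/19", "exact"),
                ("192.12.16.89/32", "exact")], "accept")
NINEGROUP1 = [ACCEPT_TERM]
BLOCK_AS_POSTED = [([("192.12.16.0/24", "orlonger")], None)]      # no "then" action
BLOCK_REJECT = [([("192.12.16.0/24", "orlonger")], "reject")]
COMBINED = [ACCEPT_TERM, BLOCK_REJECT[0]]                         # reply 2's single policy
TEST_32 = [([("192.168.0.33/32", "exact")], "accept")]
TEST_30 = [([("192.168.0.32/30", "exact")], "accept")]

if __name__ == "__main__":
    # Route protocols below are assumptions made for the illustration.
    cases = [
        ("192.12.16.89/32", [BLOCK_REJECT, NINEGROUP1], "static"),
        ("192.12.16.89/32", [COMBINED], "static"),
        ("192.12.16.10/32", [COMBINED], "static"),
        ("192.12.16.10/32", [BLOCK_AS_POSTED, NINEGROUP1], "bgp"),
        ("192.168.0.32/30", [TEST_32], "direct"),
        ("192.168.0.32/30", [TEST_30], "direct"),
    ]
    for route, chain, proto in cases:
        print(f"{route:18} {proto:7} -> {evaluate(route, chain, proto)}")
```

On the router, `show route advertising-protocol bgp <neighbor>` lists what is actually sent to the peer after export policy, which is the authoritative check that a blocked range is not leaking.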