Routing


BGP and Bogon / Martian lists

  • 1.  BGP and Bogon / Martian lists

     
    Posted 03-12-2018 04:19

    Hi,

     

    I admit I am far from a BGP expert and would like a little bit of advice on the following:

     

    From a Bogon/Martian listing perspective, I can get this automatically updated from the "Cymru" guys who maintain a dynamic listing. I have their BGP details but they have also stated "Communities" for this dynamic update.

     

    I am a little confused when it comes to "Communities" within BGP and would appreciate a little guidance of how to use these.

     

    Apologies if this seems simple to BGP experts but, as I mentioned, I am no BGP expert.

     

    Thank you

     



  • 2.  RE: BGP and Bogon / Martian lists

    Posted 03-12-2018 05:56

    Hi Adgwty,

     

    If I understand correctly, the routes which you are receiving from the peer will have a community tag and you need to accept the same?

    Let me know if this is correct; I can help you with that.

     

    regards

    Vadivelan V

     



  • 3.  RE: BGP and Bogon / Martian lists

     
    Posted 03-12-2018 06:05

    Hi,

     

    Yes, that is correct.....

     

    As a quick add on question, if I want to use the loopback address for eBGP do I use the following command:

    local-address

     

    Thanks



  • 4.  RE: BGP and Bogon / Martian lists

    Posted 03-12-2018 07:03

    Hi,

    First check the list of communities from them and match the communities like below and you can set the LP and do some manipulations.

     

    set policy-options community MASK members 1117:.*
    set policy-options community MASK members 8200:.*
    set policy-options community MASK members 4445:.*

    set policy-options policy-statement test term TITAN-BOGES from community MASK
    set policy-options policy-statement test term TITAN-BOGES then accept
    set policy-options policy-statement test term last then reject

    set protocols bgp group TITAN import test

     

    You can refer to the links below, which explain things nicely, to understand community manipulation.

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/bgp-communities.html

     

    https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/policy-defining-bgp-communities-and-extended-communities-for-use-in-routing-policy-match-conditions.html

     

    By default, if you don't mention any import policy or matching communities, routes will be accepted by BGP. Communities mainly play the role of manipulating received/advertised routes.

     

    regards

    Vadivelan V

     

    Hope this helps




  • 5.  RE: BGP and Bogon / Martian lists

     
    Posted 03-12-2018 08:32

    Hi,

     

    So, here is the information supplied by CYMRU regarding the Bogon listing:

     

    set policy-options policy-statement cymru-bogons-in term 1 from community CYMRU-bogon-community
    set policy-options policy-statement cymru-bogons-in term 1 then community add dont-announce

    community dont-announce members <your as here>:<some community that suppresses announcements outside your as>;

    community CYMRU-bogon-community members [ no-export xxxxx:888 ];

     

    And this is where the confusion sets in..... this is apparently what we set on our system but I am unsure exactly what it means....

     



  • 6.  RE: BGP and Bogon / Martian lists

    Posted 03-16-2018 07:33

    Hi!

     

    What I understand is that cymru will advertise you the martian routes, and wants you to make sure that you don't announce those routes ahead of your AS.

    To achieve this, it is suggested that you add your community (let's say A) while you import routes matching the community (CYMRU-bogon-community) added by cymru.

    Now the community you have added, i.e. A, needs to be used as a match condition, with action reject, in an export policy to your other e-BGP peers.

    This will ensure that those martian routes are not advertised beyond your AS. The reason being, if those routes get advertised to other ASes, you are susceptible to start receiving traffic in your AS for those martian routes, which will be undesirable.

     

    Hope it clarifies the doubt. Please let me know, if you have any query.

     

     

     



  • 7.  RE: BGP and Bogon / Martian lists

    Posted 03-16-2018 12:04

    Hello,


    @amitsaxena wrote:

     

    To achieve this, it is suggested that you add your community (let's say A) while you import routes matching the community (CYMRU-bogon-community) added by cymru.

    Now the community you have added, i.e. A, needs to be used as a match condition, with action reject, in an export policy to your other e-BGP peers.

     

     

     

     


    Well, it will work but not in the way the OP desires. Your solution above will ensure that bogon routes received from Team Cymru will not get advertised upstream (or somewhere else/anywhere, depending on policy). Whereas the OP needed the Team Cymru BGP feed in order to block the incoming bogon routes from own upstreams.

    And blocking announcement of own routes that fall within bogon prefixes does not require the Team Cymru BGP feed.

    Automation is the way to go here; it shouldn't be difficult as Team Cymru prefixes do not change too often.

    HTH

    Thx
    Alex

     



  • 8.  RE: BGP and Bogon / Martian lists
    Best Answer

    Posted 03-16-2018 20:32

    Hello Alex,

     

     

    >>>

    Well, it will work but not in the way the OP desires. Your solution above will ensure that bogon routes received from Team Cymru will not get advertised upstream (or somewhere else/anywhere, depending on policy). Whereas the OP needed the Team Cymru BGP feed in order to block the incoming bogon routes from own upstreams.

    And blocking announcement of own routes that fall within bogon prefixes does not require the Team Cymru BGP feed.

    Automation is the way to go here; it shouldn't be difficult as Team Cymru prefixes do not change too often.

    >>>

     

     

    Looks like there was one more similar thread from adgwytc, some time back...

     

    Actually, I just decoded the policy information from cymru that adgwytc shared above. And how it is expected to work.

    =========

    from: adgwytc

    set policy-options policy-statement cymru-bogons-in term 1 from community CYMRU-bogon-community
    set policy-options policy-statement cymru-bogons-in term 1 then community add dont-announce

    community dont-announce members <your as here>:<some community that suppresses announcements outside your as>;

    community CYMRU-bogon-community members [ no-export xxxxx:888 ];

     

    And this is where the confusion sets in..... this is apparently what we set on our system but I am unsure exactly what it means....

    ===========

     

    You are right, it will not help to block prefixes received from upstream. And the policy details shared above do not list the action part, but looking at the scenario, I assume this is RTBH and the action will be next-hop discard. So it won't help block those prefixes being received from upstream, but will drop any traffic received for those prefixes.

    Blocking the martian prefixes received from upstream can also be done manually (similar to blocking advertisement of own martian prefixes), as you already mentioned that the list is not changed too often.

    Automating this part will require dynamically updating the prefix-list used for received/advertised prefixes from upstream, based on the feed received from cymru with the bogon community.

    But with RTBH in place, manual martian list blocking/advertising will pretty much cover against most odds, let's say a new subnet gets added to the martian list. Yes?

    Since the martian list doesn't change too often, automation may not be necessary.
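
    The automation step discussed in posts 7 and 8 (keeping the prefix-list applied against upstreams in step with the bogon feed) could be done as follows. This is an added example, not code from any poster or from Team Cymru; the prefix-list name BOGONS, the sample prefixes and the removal threshold are assumptions.

```python
import ipaddress

# Constructed sample data, not a real feed: entries already in the router's
# prefix-list, and prefixes currently learned from the bogon feed.
ON_ROUTER = ["10.0.0.0/8", "172.16.0.0/12", "192.0.2.0/24", "203.0.113.0/24"]
FROM_FEED = ["10.0.0.0/8", "172.16.0.0/12", "192.0.2.0/24",
             "198.18.0.0/16", "198.19.0.0/16"]


def parse(prefixes):
    """Parse prefixes strictly; a malformed or host-bits-set entry raises ValueError."""
    return {ipaddress.ip_network(p.strip(), strict=True) for p in prefixes}


def collapse(nets):
    """Merge adjacent and overlapping networks, one address family at a time."""
    merged = set()
    for version in (4, 6):
        merged.update(ipaddress.collapse_addresses(
            [n for n in nets if n.version == version]))
    return merged


def prefix_list_delta(on_router, from_feed, name="BOGONS", max_removed=0.5):
    """Return Junos commands that bring prefix-list `name` (hypothetical) in line with the feed."""
    current, wanted = parse(on_router), collapse(parse(from_feed))
    if not wanted:
        # A feed session that is down looks like an empty feed: keep the filter.
        raise ValueError("empty feed; refusing to empty the prefix-list")
    removed, added = current - wanted, wanted - current
    if current and len(removed) / len(current) > max_removed:
        raise ValueError("feed would remove too many entries; check the session")
    order = lambda n: (n.version, int(n.network_address), n.prefixlen)
    return ([f"delete policy-options prefix-list {name} {n}" for n in sorted(removed, key=order)]
            + [f"set policy-options prefix-list {name} {n}" for n in sorted(added, key=order)])


def is_bogon(route, bogons):
    """True if `route` equals or is more specific than a listed bogon (an orlonger match)."""
    r = ipaddress.ip_network(route)
    return any(r.version == b.version and r.subnet_of(b) for b in bogons)


if __name__ == "__main__":
    print("\n".join(prefix_list_delta(ON_ROUTER, FROM_FEED)))
```

    The two guards cover the failure mode where the feed session drops: an empty or sharply shrunken feed raises an error instead of producing delete commands that would strip the filter.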

     



  • 9.  RE: BGP and Bogon / Martian lists

     
    Posted 03-19-2018 07:34

    Thank you for the help.


    With regards to the local-address for the loopback, I have configured the following (as an answer for anyone viewing this post):

     

    Juniper:

    set protocols bgp group External-Peers local-address 192.168.50.1

    set protocols bgp group External-Peers neighbor 192.168.195.1 multihop ttl 2

    set routing-options static route 192.168.195.1 next-hop 192.168.20.2 (interface of Cisco router)

     

    Cisco:

    (interface loopback 5 IP address 192.168.195.1/32)

    conf t

    router bgp 11111

    neighbor 192.168.50.1 remote-as 22222

    neighbor 192.168.50.1 ebgp-multihop 2
    neighbor 192.168.50.1 update-source Loopback5

    address-family ipv4

    neighbor 192.168.50.1 activate

    exit-address-family

    ip route 192.168.50.1 255.255.255.255 192.168.20.1

     

    It all works perfectly. All BGP routes showing as advertised.

    I haven't changed the IPv6 address information yet, but it's the same as above with IPv6 prefix on the Juniper required under the external group and address-family ipv6 on the Cisco....

     

    Thanks

     



  • 10.  RE: BGP and Bogon / Martian lists

    Posted 03-12-2018 07:37
    Yes, you need to set Local-address to loopback’s address if you want to use it as a source for eBGP peering.

    Regards
    Harpreet


  • 11.  RE: BGP and Bogon / Martian lists

    Posted 03-12-2018 07:55

    Just make sure that you increase the ttl value when using multihop eBGP peering 

    or

    when using loopback as a source for eBGP peering between 2 directly connected neighbors.

     

     



  • 12.  RE: BGP and Bogon / Martian lists

    Posted 03-13-2018 02:46

    Hi adgwytc,

     

    I missed your question about eBGP. Yes, you need to use eBGP multihop when you use a loopback address for your eBGP connections.

    By default the eBGP TTL value is 1, so this multihop will increase the TTL to 255 if you don't define it, or you can mention a TTL value for multihop as well.

     

    Below link for more information on Multihop-BGP

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/bgp-multihop-understanding.html

     

    regards

    Vadivelan V