SRX iBGP

  • 1.  SRX iBGP

    Posted 05-05-2018 09:36

    Working on a SP LAB. Having some issues forming an iBGP peering between two SRX devices which are functioning as PE routers in my lab. However, the devices are able to form iBGP peers with the Cisco devices in my lab. Any insight would be appreciated.

     

    root@PE-R8FW3JunOS_SRX210> show bgp summary
    Groups: 1 Peers: 3 Down peers: 1
    Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
    3.47.28.11 65316 86 87 0 0 37:39 Establ
    bgp.l3vpn.0: 0/0/0/0
    9.17.10.210 65316 0 0 0 0 40:13 Connect
    31.60.37.50 65316 83 86 0 0 37:35 Establ

     

    config for r8:

    set interfaces fe-0/0/5 description "uplink to P-R11Cisco_2901 via Gi0/1"
    set interfaces fe-0/0/5 unit 0 family inet address 10.254.255.3/31
    set interfaces fe-0/0/5 unit 0 family iso address 49.0200.0210.0210.8888.8888.00
    set interfaces fe-0/0/5 unit 0 family mpls

    set interfaces fe-0/0/7 unit 0 description "uplink to P-R3Cisco_1841 via 0/1"
    set interfaces fe-0/0/7 unit 0 family inet address 10.254.255.17/31
    set interfaces fe-0/0/7 unit 0 family iso address 49.0200.0210.0210.8888.8888.00
    set interfaces fe-0/0/7 unit 0 family mpls
    set interfaces lo0 unit 0 description router-id
    set interfaces lo0 unit 0 family inet address 9.17.8.210/32
    set interfaces lo0 unit 0 family iso address 49.0200.0210.0210.8888.8888.00
    set routing-options router-id 9.17.8.210
    set routing-options autonomous-system 65316
    set protocols mpls interface fe-0/0/5.0
    set protocols mpls interface lo0.0
    set protocols mpls interface fe-0/0/7.0
    set protocols bgp traceoptions file BGPDEBUG
    set protocols bgp traceoptions file size 100k
    set protocols bgp traceoptions file files 2
    set protocols bgp local-address 9.17.8.210
    set protocols bgp family inet-vpn unicast
    set protocols bgp local-as 65316
    set protocols bgp group PEtoPE type internal
    set protocols bgp group PEtoPE description "CCNPSP iBGP Peers"
    set protocols bgp group PEtoPE family inet unicast
    set protocols bgp group PEtoPE family l2vpn signaling
    set protocols bgp group PEtoPE authentication-key "$9$3C4r9CpB1Eev8aZ6CAt1I"
    set protocols bgp group PEtoPE neighbor 3.47.28.11 description PE-R1Cisco_2811
    set protocols bgp group PEtoPE neighbor 3.47.28.11 log-updown
    set protocols bgp group PEtoPE neighbor 3.47.28.11 family inet-vpn unicast
    set protocols bgp group PEtoPE neighbor 3.47.28.11 export iBGPComm
    set protocols bgp group PEtoPE neighbor 3.47.28.11 peer-as 65316
    set protocols bgp group PEtoPE neighbor 31.60.37.50 description PE-Cisco_ME3750
    set protocols bgp group PEtoPE neighbor 31.60.37.50 log-updown
    set protocols bgp group PEtoPE neighbor 31.60.37.50 family inet-vpn unicast
    set protocols bgp group PEtoPE neighbor 31.60.37.50 export iBGPComm
    set protocols bgp group PEtoPE neighbor 31.60.37.50 peer-as 65316
    set protocols bgp group PEtoPE neighbor 9.17.10.210 description PE-R8FW3JunOS_SRX210
    set protocols bgp group PEtoPE neighbor 9.17.10.210 log-updown
    set protocols bgp group PEtoPE neighbor 9.17.10.210 family inet-vpn unicast
    set protocols bgp group PEtoPE neighbor 9.17.10.210 export iBGPComm
    set protocols bgp group PEtoPE neighbor 9.17.10.210 peer-as 65316
    set protocols isis apply-groups ISISPEER
    set protocols isis clns-routing
    set protocols isis level 2 authentication-key "$9$fzF6At0hSls2TF3ntp"
    set protocols isis interface fe-0/0/5.0
    set protocols isis interface fe-0/0/7.0
    set protocols isis interface all ldp-synchronization
    set protocols isis interface all point-to-point
    set protocols isis interface lo0.0
    set protocols ldp traceoptions file st
    set protocols ldp traceoptions file size 1m
    set protocols ldp traceoptions file files 10
    set protocols ldp traceoptions flag state
    set protocols ldp traceoptions flag error
    set protocols ldp egress-policy ISIS_Cisco
    set protocols ldp transport-address interface
    set protocols ldp interface fe-0/0/5.0
    set protocols ldp interface fe-0/0/7.0
    set protocols ldp interface lo0.0 transport-address router-id
    set protocols ldp igp-synchronization apply-groups ISISPEER
    set protocols ldp igp-synchronization holddown-interval 30
    set protocols lldp interface fe-0/0/7.0
    set protocols lldp interface fe-0/0/5.0
    set protocols lldp interface fe-0/0/6.0
    set policy-options policy-statement ISIS_Cisco term 1 from protocol ldp
    set policy-options policy-statement ISIS_Cisco term 1 then accept
    set policy-options policy-statement OSPF_Cisco term 1 from protocol ospf
    set policy-options policy-statement OSPF_Cisco term 1 then accept
    set policy-options policy-statement iBGPComm term 1 from neighbor 3.47.28.11
    set policy-options policy-statement iBGPComm term 1 from neighbor 9.17.10.210
    set policy-options policy-statement iBGPComm term 1 from neighbor 31.60.37.50
    set policy-options policy-statement iBGPComm term 1 then accept
    set policy-options community PEiBGPComm members 65316
    set security zones functional-zone management host-inbound-traffic system-services ping
    set security zones functional-zone management host-inbound-traffic protocols all
    set security zones functional-zone management host-inbound-traffic protocols ldp
    set security zones security-zone trustinternalLAN host-inbound-traffic system-services ping
    set security zones security-zone trustinternalLAN host-inbound-traffic protocols ospf
    set security zones security-zone trustinternalLAN host-inbound-traffic protocols ldp
    set security zones security-zone trustinternalLAN host-inbound-traffic protocols bgp
    set security zones security-zone trustinternalLAN interfaces fe-0/0/5.0
    set security zones security-zone trustinternalLAN interfaces fe-0/0/7.0
    set security zones security-zone trustinternalLAN interfaces lo0.0

     

    config for r10:

     


    set interfaces fe-0/0/6 unit 0 description "uplink to P-R4Cisco_1841 via fa0/1"
    set interfaces fe-0/0/6 unit 0 family inet address 10.254.255.251/31
    set interfaces fe-0/0/6 unit 0 family iso address 49.0200.0210.3210.1010.1010.00
    set interfaces fe-0/0/6 unit 0 family mpls
    set interfaces fe-0/0/7 unit 0 description "uplink to P-R5Cisco_1841 via fa0/0"
    set interfaces fe-0/0/7 unit 0 family inet address 10.254.255.249/31
    set interfaces fe-0/0/7 unit 0 family iso address 49.0200.0210.3210.1010.1010.00
    set interfaces fe-0/0/7 unit 0 family mpls
    set interfaces lo0 unit 0 description router-id
    set interfaces lo0 unit 0 family inet address 9.17.10.210/32
    set interfaces vlan unit 0
    set routing-options router-id 9.17.10.210
    set routing-options autonomous-system 65316
    set protocols mpls interface fe-0/0/6.0
    set protocols mpls interface fe-0/0/7.0
    set protocols mpls interface lo0.0
    set protocols bgp traceoptions file BGPDEBUG
    set protocols bgp traceoptions file size 100k
    set protocols bgp traceoptions file files 2
    set protocols bgp traceoptions flag all
    set protocols bgp local-address 9.17.10.210
    set protocols bgp family inet-vpn unicast
    set protocols bgp local-as 65316
    set protocols bgp group PEtoPE type internal
    set protocols bgp group PEtoPE description "CCNPSP iBGP Peers"
    set protocols bgp group PEtoPE family inet unicast
    set protocols bgp group PEtoPE family l2vpn signaling
    set protocols bgp group PEtoPE authentication-key "$9$3C4r9CpB1Eev8aZ6CAt1I"
    set protocols bgp group PEtoPE neighbor 3.47.28.11 description PE-R1Cisco_2811
    set protocols bgp group PEtoPE neighbor 3.47.28.11 log-updown
    set protocols bgp group PEtoPE neighbor 3.47.28.11 family inet-vpn unicast
    set protocols bgp group PEtoPE neighbor 3.47.28.11 export iBGPComm
    set protocols bgp group PEtoPE neighbor 3.47.28.11 peer-as 65316
    set protocols bgp group PEtoPE neighbor 31.60.37.50 description PE-Cisco_ME3750
    set protocols bgp group PEtoPE neighbor 31.60.37.50 log-updown
    set protocols bgp group PEtoPE neighbor 31.60.37.50 family inet-vpn unicast
    set protocols bgp group PEtoPE neighbor 31.60.37.50 export iBGPComm
    set protocols bgp group PEtoPE neighbor 31.60.37.50 peer-as 65316
    set protocols bgp group PEtoPE neighbor 9.17.8.210 description PE-R8FW3JunOS_SRX210
    set protocols bgp group PEtoPE neighbor 9.17.8.210 log-updown
    set protocols bgp group PEtoPE neighbor 9.17.8.210 family inet-vpn unicast
    set protocols bgp group PEtoPE neighbor 9.17.8.210 export iBGPComm
    set protocols bgp group PEtoPE neighbor 9.17.8.210 peer-as 65316
    set protocols isis apply-groups ISISPEER
    set protocols isis clns-routing
    set protocols isis level 2 authentication-key "$9$fzF6At0hSls2TF3ntp"
    set protocols isis interface fe-0/0/6.0
    set protocols isis interface fe-0/0/7.0
    set protocols isis interface all ldp-synchronization
    set protocols isis interface all point-to-point
    set protocols isis interface lo0.0
    set protocols ldp traceoptions file st
    set protocols ldp traceoptions file size 1m
    set protocols ldp traceoptions file files 10
    set protocols ldp traceoptions flag state
    set protocols ldp traceoptions flag error
    set protocols ldp egress-policy ISIS_Cisco
    set protocols ldp transport-address interface
    set protocols ldp interface fe-0/0/6.0
    set protocols ldp interface fe-0/0/7.0
    set protocols ldp interface lo0.0 transport-address interface
    set protocols ldp igp-synchronization apply-groups ISISPEER
    set protocols ldp igp-synchronization holddown-interval 30
    set protocols lldp interface fe-0/0/7.0
    set protocols lldp interface fe-0/0/6.0
    set protocols stp
    set policy-options policy-statement ISIS_Cisco term 1 from protocol ldp
    set policy-options policy-statement ISIS_Cisco term 1 then accept
    set policy-options policy-statement iBGPComm term 1 from protocol bgp
    set policy-options policy-statement iBGPComm term 1 from neighbor 3.47.28.11
    set policy-options policy-statement iBGPComm term 1 from neighbor 31.60.37.50
    set policy-options policy-statement iBGPComm term 1 from neighbor 9.17.8.210
    set policy-options policy-statement iBGPComm term 1 then accept
    set policy-options community PEiBGPComm members 65316
    set security zones functional-zone management host-inbound-traffic system-services ping
    set security zones functional-zone management host-inbound-traffic protocols all
    set security zones functional-zone management host-inbound-traffic protocols bgp
    set security zones functional-zone management host-inbound-traffic protocols ldp
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone untrust
    set security zones security-zone trustinternalLAN host-inbound-traffic system-services ping
    set security zones security-zone trustinternalLAN host-inbound-traffic protocols ldp
    set security zones security-zone trustinternalLAN host-inbound-traffic protocols bgp
    set security zones security-zone trustinternalLAN host-inbound-traffic protocols ospf
    set security zones security-zone trustinternalLAN interfaces fe-0/0/6.0
    set security zones security-zone trustinternalLAN interfaces fe-0/0/7.0
    set security zones security-zone trustinternalLAN interfaces fe-0/0/5.0
    set security zones security-zone trustinternalLAN interfaces lo0.0



  • 2.  RE: SRX iBGP

    Posted 05-05-2018 10:21

    I didn't check the full config, but did you try enabling traceoptions and check if you see anything?

     

    One more thing, you don't need to assign an ISO address to every interface. Only lo0 is enough.



  • 3.  RE: SRX iBGP

    Posted 05-05-2018 10:50

    I narrowed it down, but I am confused as to why it's a routing issue.

     

    May 5 15:15:43.716882 bgp_peer_init: BGP peer 9.17.10.210 (Internal AS 65316) local address 9.17.8.210 not found. Leaving peer idled
    May 5 15:15:59.954015 task_connect: task BGP_65316.9.17.10.210+179 addr 9.17.10.210+179: No route to host
    May 5 15:15:59.956835 bgp_connect_start: connect 9.17.10.210 (Internal AS 65316): No route to host
    May 5 15:17:35.942433 task_connect: task BGP_65316.9.17.10.210+179 addr 9.17.10.210+179: No route to host
    May 5 15:17:35.962561 bgp_connect_start: connect 9.17.10.210 (Internal AS 65316): No route to host

     

    show route protocol isis | match 9.17.10.210
    9.17.10.210/32 *[IS-IS/18] 01:58:31, metric 30

    root@PE-R8FW3JunOS_SRX210> show route protocol ldp | match 9.17.10.210
    9.17.10.210/32 *[LDP/9] 02:00:02, metric 1

     



  • 4.  RE: SRX iBGP

    Posted 05-05-2018 11:05
    Can you paste the output of “show route 9.17.10.210” and “show route forwarding-table 9.17.10.210”?


  • 5.  RE: SRX iBGP

    Posted 05-05-2018 11:06

    root@PE-R8FW3JunOS_SRX210> show route 9.17.10.210

    inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    9.17.10.210/32 *[IS-IS/18] 02:18:35, metric 30
    to 10.254.255.2 via fe-0/0/5.0
    > to 10.254.255.16 via fe-0/0/7.0

    inet.3: 18 destinations, 18 routes (18 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    9.17.10.210/32 *[LDP/9] 02:18:35, metric 1
    > to 10.254.255.2 via fe-0/0/5.0, Push 30
    to 10.254.255.16 via fe-0/0/7.0, Push 32

     

    root@PE-R8FW3JunOS_SRX210> ...able | match 9.17.10.210
    9.17.10.210/32 user 1 10.254.255.16 ucst 552 15 fe-0/0/7.0



  • 6.  RE: SRX iBGP

    Posted 05-05-2018 11:17
    Did you try to clear the bgp neighborship and check?

    Also, do you see the same error on the R10 as well?


  • 7.  RE: SRX iBGP

    Posted 05-05-2018 11:26

    Thanks, I think I narrowed it down to just R8.

     

    R10 shows the following

     

    May 5 17:27:52.976036 bgp_connect_start: peer 9.17.8.210 (Internal AS 65316)
    May 5 17:27:52.976187 bgp_event: peer 9.17.8.210 (Internal AS 65316) old state Active event ConnectRetry new state Connect
    May 5 17:27:52.979215 task_set_socket: task BGP_65316.9.17.8.210 socket 49
    May 5 17:27:52.979677 task_set_option_internal: task BGP_65316.9.17.8.210 socket 49 option NonBlocking(8) value 1
    May 5 17:27:52.979945 task_set_option_internal: task BGP_65316.9.17.8.210 socket 49 option ReUsePort(38) value 1
    May 5 17:27:52.980150 task_set_option_internal: task BGP_65316.9.17.8.210 socket 49 option PathMTUDiscovery(26) value 0
    May 5 17:27:52.980342 task_set_option_internal: task BGP_65316.9.17.8.210 socket 49 option TOS(16) value 192
    May 5 17:27:52.980636 task_addr_local: task BGP_65316.9.17.8.210 address 9.17.10.210
    May 5 17:27:52.981303 task_connect: task BGP_65316.9.17.8.210+179 addr 9.17.8.210+179task_timer_reset: reset BGP_65316.9.17.8.210+179_Connect
    May 5 17:27:52.981555 task_timer_set_oneshot_latest: timer BGP_65316.9.17.8.210+179_Connect interval set to 2:28

     


    root@PE-R10FW2JunOS_SRX210> ...route forwarding-table | match 9.17.8.210
    9.17.8.210/32 user 1 10.254.255.248 ucst 1327 18 fe-0/0/7.0

     

    root@PE-R10FW2JunOS_SRX210> show route 9.17.8.210

    inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    9.17.8.210/32 *[IS-IS/18] 02:39:38, metric 30
    to 10.254.255.250 via fe-0/0/6.0
    > to 10.254.255.248 via fe-0/0/7.0

    inet.3: 18 destinations, 18 routes (18 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    9.17.8.210/32 *[LDP/9] 02:39:38, metric 1
    to 10.254.255.250 via fe-0/0/6.0, Push 30
    > to 10.254.255.248 via fe-0/0/7.0, Push 31



  • 8.  RE: SRX iBGP

    Posted 05-06-2018 07:07

    Still unable to resolve the issue. I am wondering if I need to create an MPLS LSP to each PE router. It is confusing because my Cisco to Juniper devices connect over BGP/ISIS/LDP with no issue, but the Juniper devices do not.



  • 9.  RE: SRX iBGP

    Posted 05-06-2018 07:30

    No need for an LSP to bring up iBGP neighborship. You just need IP reachability.

     

    I guess you are able to ping R10's loopback from R8 and you are still seeing "No route to host" in the BGP traceoptions. This is weird.

     

    Can you show the topology which shows the connectivity between both R10 and R8, and the complete config of R8?



  • 10.  RE: SRX iBGP

    Posted 05-06-2018 08:36

    Nope. The Juniper devices cannot ping each other, although they have routes to each other's loopback. Router 8 and Router 10 are the devices with the ASA icon circled in yellow.

    [Attachment: JNET UPload.jpg]

     

     

    set version 11.4R1.6
    set groups ISISPEER protocols isis traceoptions file isis-debug
    set groups ISISPEER protocols isis traceoptions file size 1m
    set groups ISISPEER protocols isis traceoptions file files 10
    set groups ISISPEER protocols isis traceoptions flag state
    set groups ISISPEER protocols isis traceoptions flag error
    set groups ISISPEER protocols isis level 1 disable
    set groups ISISPEER protocols isis interface <*>
    set system host-name PE-R8FW3JunOS_SRX210
    set system root-authentication encrypted-password "$1$J1ePhXam$ql1lI3dlDNg/Xzutil4AU0"
    set interfaces interface-range redundantlink member fe-0/0/2
    set interfaces interface-range redundantlink member fe-0/0/3
    set interfaces interface-range redundantlink description "redundant interlink to R7FW2JunOS_SRX220"
    set interfaces ge-0/0/0 unit 0
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.15.2/24
    set interfaces fe-0/0/5 description "uplink to P-R11Cisco_2901 via Gi0/1"
    set interfaces fe-0/0/5 unit 0 family inet address 10.254.255.3/31
    set interfaces fe-0/0/5 unit 0 family iso address 49.0200.0210.0210.8888.8888.00
    set interfaces fe-0/0/5 unit 0 family mpls
    set interfaces fe-0/0/6 description "IPsoft - 303 Colorado St, Austin, TX 78701"
    set interfaces fe-0/0/6 vlan-tagging
    set interfaces fe-0/0/6 unit 1100 description "L3VPN - IPsoft - 303 Colorado St, Suite 1001, Austin, TX 78701"
    set interfaces fe-0/0/6 unit 1100 vlan-id 1100
    set interfaces fe-0/0/6 unit 1300 description "L2VPN - IPsoft - 303 Colorado St, Suite 1001, Austin, TX 78701"
    set interfaces fe-0/0/6 unit 1300 vlan-id 1300
    set interfaces fe-0/0/7 unit 0 description "uplink to P-R3Cisco_1841 via 0/1"
    set interfaces fe-0/0/7 unit 0 family inet address 10.254.255.17/31
    set interfaces fe-0/0/7 unit 0 family iso address 49.0200.0210.0210.8888.8888.00
    set interfaces fe-0/0/7 unit 0 family mpls
    set interfaces lo0 unit 0 description router-id
    set interfaces lo0 unit 0 family inet address 9.17.8.210/32
    set interfaces lo0 unit 0 family iso address 49.0200.0210.0210.8888.8888.00
    set routing-options router-id 9.17.8.210
    set routing-options autonomous-system 65316
    set protocols mpls interface fe-0/0/5.0
    set protocols mpls interface fe-0/0/7.0
    set protocols bgp traceoptions file BGPDEBUG
    set protocols bgp traceoptions file size 100k
    set protocols bgp traceoptions file files 2
    set protocols bgp local-address 9.17.8.210
    set protocols bgp family inet-vpn unicast
    set protocols bgp local-as 65316
    set protocols bgp group PEtoPE type internal
    set protocols bgp group PEtoPE description "CCNPSP iBGP Peers"
    set protocols bgp group PEtoPE family inet unicast
    set protocols bgp group PEtoPE family l2vpn signaling
    set protocols bgp group PEtoPE authentication-key "$9$3C4r9CpB1Eev8aZ6CAt1I"
    set protocols bgp group PEtoPE neighbor 3.47.28.11 description PE-R1Cisco_2811
    set protocols bgp group PEtoPE neighbor 3.47.28.11 log-updown
    set protocols bgp group PEtoPE neighbor 3.47.28.11 family inet-vpn unicast
    set protocols bgp group PEtoPE neighbor 3.47.28.11 export iBGPComm
    set protocols bgp group PEtoPE neighbor 3.47.28.11 peer-as 65316
    set protocols bgp group PEtoPE neighbor 31.60.37.50 description PE-Cisco_ME3750
    set protocols bgp group PEtoPE neighbor 31.60.37.50 log-updown
    set protocols bgp group PEtoPE neighbor 31.60.37.50 family inet-vpn unicast
    set protocols bgp group PEtoPE neighbor 31.60.37.50 export iBGPComm
    set protocols bgp group PEtoPE neighbor 31.60.37.50 peer-as 65316
    set protocols bgp group PEtoPE neighbor 9.17.10.210 description PE-R8FW3JunOS_SRX210
    set protocols bgp group PEtoPE neighbor 9.17.10.210 log-updown
    set protocols bgp group PEtoPE neighbor 9.17.10.210 family inet-vpn unicast
    set protocols bgp group PEtoPE neighbor 9.17.10.210 export iBGPComm
    set protocols bgp group PEtoPE neighbor 9.17.10.210 peer-as 65316
    set protocols isis apply-groups ISISPEER
    set protocols isis export ISIS_Cisco
    set protocols isis clns-routing
    set protocols isis level 2 authentication-key "$9$fzF6At0hSls2TF3ntp"
    set protocols isis interface fe-0/0/5.0
    set protocols isis interface fe-0/0/7.0
    set protocols isis interface all ldp-synchronization
    set protocols isis interface all point-to-point
    set protocols isis interface lo0.0
    set protocols ldp traceoptions file st
    set protocols ldp traceoptions file size 1m
    set protocols ldp traceoptions file files 10
    set protocols ldp traceoptions flag state
    set protocols ldp traceoptions flag error
    set protocols ldp import ISIS_Cisco
    set protocols ldp egress-policy ISIS_Cisco
    set protocols ldp interface fe-0/0/5.0
    set protocols ldp interface fe-0/0/7.0
    set protocols ldp interface lo0.0 transport-address interface
    set protocols ldp igp-synchronization apply-groups ISISPEER
    set protocols lldp interface fe-0/0/7.0
    set protocols lldp interface fe-0/0/5.0
    set protocols lldp interface fe-0/0/6.0
    set protocols lldp interface ge-0/0/0.0
    set policy-options policy-statement ISIS_Cisco term 1 from protocol ldp
    set policy-options policy-statement ISIS_Cisco term 1 then accept
    set policy-options policy-statement OSPF_Cisco term 1 from protocol ospf
    set policy-options policy-statement OSPF_Cisco term 1 then accept
    set policy-options policy-statement iBGPComm term 1 from neighbor 3.47.28.11
    set policy-options policy-statement iBGPComm term 1 from neighbor 9.17.10.210
    set policy-options policy-statement iBGPComm term 1 from neighbor 31.60.37.50
    set policy-options policy-statement iBGPComm term 1 then accept
    set policy-options community PEiBGPComm members 65316
    set security zones functional-zone management host-inbound-traffic system-services ping
    set security zones functional-zone management host-inbound-traffic protocols all
    set security zones functional-zone management host-inbound-traffic protocols ldp
    set security zones security-zone trustinternalLAN host-inbound-traffic system-services ping
    set security zones security-zone trustinternalLAN host-inbound-traffic system-services traceroute
    set security zones security-zone trustinternalLAN host-inbound-traffic protocols ospf
    set security zones security-zone trustinternalLAN host-inbound-traffic protocols ldp
    set security zones security-zone trustinternalLAN host-inbound-traffic protocols bgp
    set security zones security-zone trustinternalLAN interfaces fe-0/0/5.0
    set security zones security-zone trustinternalLAN interfaces fe-0/0/7.0
    set security zones security-zone trustinternalLAN interfaces lo0.0
    set security zones security-zone trustinternalLAN interfaces ge-0/0/0.0
    set security zones security-zone trustinternalLAN interfaces ge-0/0/1.0



  • 11.  RE: SRX iBGP
    Best Answer

    Posted 05-06-2018 10:06

    Hello,

    Set Your SRXes to "packet-mode" and You should be golden

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB30461

    Generally speaking, You cannot use security in packet mode but since You said it is a lab, then I reckon it does not matter.

    There are ways to use security with selective packet mode but I suggest You get the routing learning done first before trying security in selective packet mode.

    HTH

    Thx

    Alex 
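As an added example (not part of Alex's post or of the linked KB): a small Python check over a `set`-format configuration that reports when `family mpls` is configured on interfaces while the device is still in its default flow-based forwarding mode. `R8_EXCERPT` is a subset of the R8 configuration posted above; the function names and the `set security forwarding-options family mpls mode packet-based` statement the check looks for are assumptions not shown in the thread.

```python
import re

# Statement that switches a branch SRX to packet-based forwarding
# (assumption: not shown in the thread; the answer only says "packet-mode").
PACKET_MODE_STMT = "set security forwarding-options family mpls mode packet-based"

# Constructed sample: a subset of the R8 configuration posted in the thread.
R8_EXCERPT = """\
set interfaces fe-0/0/5 description "uplink to P-R11Cisco_2901 via Gi0/1"
set interfaces fe-0/0/5 unit 0 family inet address 10.254.255.3/31
set interfaces fe-0/0/5 unit 0 family mpls
set interfaces fe-0/0/7 unit 0 family inet address 10.254.255.17/31
set interfaces fe-0/0/7 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 9.17.8.210/32
set protocols mpls interface fe-0/0/5.0
set protocols mpls interface fe-0/0/7.0
set security zones security-zone trustinternalLAN host-inbound-traffic protocols bgp
set security zones security-zone trustinternalLAN interfaces fe-0/0/5.0
set security zones security-zone trustinternalLAN interfaces fe-0/0/7.0
set security zones security-zone trustinternalLAN interfaces lo0.0
"""


def tokens(line):
    """Split a set-command into words, keeping quoted strings together."""
    return re.findall(r'"[^"]*"|\S+', line)


def audit(config):
    """Return forwarding mode, MPLS interfaces, zone bindings and findings."""
    mode = "flow-based"          # branch SRX default when nothing is configured
    mpls_ifls, zones = [], {}
    for line in config.splitlines():
        t = tokens(line)
        if len(t) < 2 or t[0] != "set":
            continue
        if " ".join(t) == PACKET_MODE_STMT:
            mode = "packet-based"
        elif (t[1] == "interfaces" and len(t) == 7 and t[3] == "unit"
              and t[5:] == ["family", "mpls"]):
            mpls_ifls.append(f"{t[2]}.{t[4]}")
        elif (t[1:4] == ["security", "zones", "security-zone"]
              and len(t) == 7 and t[5] == "interfaces"):
            zones.setdefault(t[4], []).append(t[6])

    findings = []
    if mpls_ifls and mode == "flow-based":
        findings.append(
            "family mpls on " + ", ".join(mpls_ifls)
            + " but forwarding is flow-based; missing '" + PACKET_MODE_STMT + "'"
        )
    if mode == "packet-based" and zones:
        findings.append(
            "packet-based forwarding with security zone bindings still present ("
            + ", ".join(sorted(zones)) + "); per the answer above, security "
            "is not used in packet mode"
        )
    return {"mode": mode, "mpls_interfaces": mpls_ifls,
            "zones": zones, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("as posted", R8_EXCERPT),
                       ("with packet mode", R8_EXCERPT + PACKET_MODE_STMT + "\n")):
        result = audit(cfg)
        print(f"[{label}] mode={result['mode']}")
        for finding in result["findings"]:
            print("  -", finding)
```

On the device itself, `show security flow status` reports the forwarding mode actually in effect; a change of mode on a branch SRX takes effect after a reboot.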



  • 12.  RE: SRX iBGP

    Posted 05-06-2018 11:45

    You are a star!

     

     

    I guess for reference, why was packet-based needed for the iBGP peering between Juniper devices and not Juniper to Cisco devices?

     

    Thank you all for your help.