The previous post (configuring bgp on juniper mx) gave you a brief hint about BGP and how a basic session can be established from a Juniper router. This post will move on further to explain how to override the default policy, which is to receive and export all active BGP routes, and customize the advertisement according to our needs.
Suppose you have procured a subnet like 200.200.200.0/23 (200.200.200.0 - 200.200.201.255). You need to inform your upstream provider and ask them to place appropriate filters to accept your announcement and propagate it further. You, on the other hand, need to create an export policy to announce your route via BGP. If you will be BGP multihoming, i.e. connecting with two or more ISPs, you may also ask them to send you the full routing table; otherwise you will have to configure a default static route towards your upstream. More on multihoming in the next article.
Consider a scenario in which you have asked them to send you the complete routing table (which is of little use if you have a single ISP connection). You will then also need to configure import policies to accept only relevant advertisements. Thus,
Export policies:
- Announce your subnets only.
Import policies:
- Reject any private ip
- Reject your own subnet
- Reject any bogon AS or prefix
- Discard subnets with a prefix length longer than /24
The reason is that an ISP may accidentally send you BGP updates claiming it has routes to private IP ranges (such an incident should be reported to your upstream provider). Also, an organisation may, intentionally or otherwise, start announcing your subnets. You do not want your routers to think that your own subnets are located somewhere else.
Currently not all AS numbers have been allocated. An attacker may start announcing from these unallocated AS numbers as if they were his own. To protect against this, organisations such as IANA keep a list of such AS numbers and network prefixes (bogons). Such routes should be discarded.
At the time of writing there are more than 400,000 routes in the Internet routing table. To prevent the routing table from swelling up further, it has been decided that ISPs will not announce prefixes longer than /24. Even if they do, it is your responsibility to discard such routes.
Important note: Remember that when we "announce" a subnet via BGP, we tell the whole world that a particular subnet belongs to us, and therefore we influence incoming traffic. This will be helpful in the coming articles.
Configuration:
This assumes you have already set the autonomous system number and configured the BGP neighbors. If not, read this. We will be creating two new policies, export_bgp and import_bgp, and applying them to the BGP group as export and import policies respectively.
Import policy:
set protocols bgp group test type external
set protocols bgp group test export export_bgp
set protocols bgp group test import import_bgp
set policy-options policy-statement import_bgp term RFC_1918 from route-filter 192.168.0.0/16 exact
set policy-options policy-statement import_bgp term DENY_BOGONS from prefix-list BOGON-LIST
set policy-options policy-statement import_bgp term DENY_BOGONS then reject
set policy-options policy-statement import_bgp term DENY-RFC-1918 from route-filter 10.0.0.0/8 orlonger
set policy-options policy-statement import_bgp term DENY-RFC-1918 from route-filter 172.16.0.0/12 orlonger
set policy-options policy-statement import_bgp term DENY-RFC-1918 from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement import_bgp term DENY-RFC-1918 then reject
set policy-options policy-statement import_bgp term deny-own-pool from route-filter 200.200.200.0/23 orlonger
set policy-options policy-statement import_bgp term deny-own-pool then reject
set policy-options policy-statement import_bgp term DENY-MORE-THAN-/24 from route-filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement import_bgp term DENY-MORE-THAN-/24 then reject
set policy-options prefix-list BOGON-LIST 0.0.0.0/8
set policy-options prefix-list BOGON-LIST 127.0.0.0/8
set policy-options prefix-list BOGON-LIST 169.254.0.0/16
set policy-options prefix-list BOGON-LIST 192.0.0.0/24
set policy-options prefix-list BOGON-LIST 192.0.2.0/24
set policy-options prefix-list BOGON-LIST 198.18.0.0/15
set policy-options prefix-list BOGON-LIST 198.51.100.0/24
set policy-options prefix-list BOGON-LIST 203.0.113.0/24
set policy-options prefix-list BOGON-LIST 224.0.0.0/4
BOGON-LIST above is a sample of a bogon list. RFC 1918 specifies the private network prefixes.
Export policy:
set policy-options policy-statement export_bgp term 1 from protocol static
set policy-options policy-statement export_bgp term 1 from route-filter 200.200.200.0/23 exact
set policy-options policy-statement export_bgp term 1 then accept
set policy-options policy-statement export_bgp term END then reject
Important Note: Remember that for a route policy to take effect, the specified route must be present in the routing table as an active route. So if you have 200.200.200.0/24 or /22 as an active static route to your network, this policy will not match, because it uses an exact match on the /23. You can only export routes which are present in the routing table. It is one of the tenets of routing protocols that a router sends the best available path to its neighbor. Make sure the subnet you want to announce is present in the routing table as an active route.
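To make the term-by-term evaluation of the two policies concrete, here is an added Python simulation; it is not part of the original post and it is not Junos code, it only mimics how Junos walks the terms above in order. The prefixes and term names come from the configuration in the post; the received prefixes, the routing table entries and the helper names route_filter, prefix_list and evaluate are constructed for this example. Two things it shows that the configuration alone does not: a prefix that matches no rejecting term is accepted by BGP's default import policy, and from prefix-list is an exact match, so 127.0.0.1/32 slips past DENY_BOGONS and is caught only by the /25-/32 term.

```python
import ipaddress

# Prefixes taken from the post's configuration.
OWN_POOL = "200.200.200.0/23"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
BOGON_LIST = [
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
]


def route_filter(prefix, match, mode, plen_range=None):
    """Emulate the Junos route-filter match types used in the post."""
    p = ipaddress.ip_network(prefix, strict=False)
    m = ipaddress.ip_network(match, strict=False)
    if p.version != m.version:
        return False
    if mode == "exact":
        return p == m
    if mode == "orlonger":          # the prefix itself or any more-specific of it
        return p.subnet_of(m)
    if mode == "prefix-length-range":
        lo, hi = plen_range
        return p.subnet_of(m) and lo <= p.prefixlen <= hi
    raise ValueError("unknown match type: " + mode)


def prefix_list(prefix, entries):
    """'from prefix-list' matches the listed prefixes exactly, not their more-specifics."""
    p = ipaddress.ip_network(prefix, strict=False)
    return any(p == ipaddress.ip_network(e) for e in entries)


def evaluate(policy, subject, default_action):
    """Walk the terms in order; the first matching term that has an action terminates.
    A term with no 'then' (action None) falls through to the next term."""
    for name, match, action in policy:
        if match(subject) and action is not None:
            return action, name
    return default_action, "default"


# import_bgp: one tuple per term, in the order configured in the post.
IMPORT_BGP = [
    ("RFC_1918", lambda p: route_filter(p, "192.168.0.0/16", "exact"), None),
    ("DENY_BOGONS", lambda p: prefix_list(p, BOGON_LIST), "reject"),
    ("DENY-RFC-1918", lambda p: any(route_filter(p, m, "orlonger") for m in RFC1918), "reject"),
    ("deny-own-pool", lambda p: route_filter(p, OWN_POOL, "orlonger"), "reject"),
    ("DENY-MORE-THAN-/24", lambda p: route_filter(p, "0.0.0.0/0", "prefix-length-range", (25, 32)), "reject"),
]

# export_bgp: term 1 accepts the exact static /23, term END rejects everything else.
EXPORT_BGP = [
    ("1", lambda r: r["protocol"] == "static" and route_filter(r["prefix"], OWN_POOL, "exact"), "accept"),
    ("END", lambda r: True, "reject"),
]


def import_policy(prefix):
    """BGP's default import policy is accept, so an unmatched prefix is accepted."""
    return evaluate(IMPORT_BGP, prefix, "accept")


def advertised(routing_table):
    """Only active routes are run through the export policy."""
    return [r["prefix"] for r in routing_table
            if r["active"] and evaluate(EXPORT_BGP, r, "accept")[0] == "accept"]


# Constructed sample data for this example.
RECEIVED = ["8.8.8.0/24", "192.168.0.0/16", "10.1.0.0/16", "200.200.201.0/24",
            "203.0.113.0/24", "127.0.0.1/32", "1.2.3.0/25"]
SAMPLE_TABLE = [
    {"prefix": "200.200.200.0/23", "protocol": "static", "active": True},
    {"prefix": "200.200.200.0/24", "protocol": "static", "active": True},   # wrong length: exact match fails
    {"prefix": "200.200.200.0/23", "protocol": "direct", "active": False},  # inactive: never evaluated
]

if __name__ == "__main__":
    for prefix in RECEIVED:
        action, term = import_policy(prefix)
        print(f"{prefix:18} -> {action} ({term})")
    print("advertised:", advertised(SAMPLE_TABLE))
```

Note that the RFC_1918 term, which has a from but no then, matches 192.168.0.0/16 and simply passes evaluation on to the next term; the rejection actually comes from DENY-RFC-1918, which is why the simulation reports that term.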
Troubleshooting:
One of the most useful commands is show route advertising-protocol bgp [neighbor ip]. It shows which routes are being advertised to that BGP peer.
Similarly, show route receiving-protocol bgp [neighbor ip] shows the routes being received from that particular BGP neighbor.
show route protocol bgp lists the routes installed in the routing table that were learnt from BGP. An asterisk (*) marks the active route.
In the screenshot below you will see that even though I am announcing 192.168.0.0/20 to Junos1, it will not accept it because of the policies applied.
Screenshot: the ISP is sending 192.168.0.0/16 but the customer does not accept it because of the policies.
In the diagram, even though the ISP is advertising 192.168.0.0/16, the customer is not accepting it because of the policy rejecting it. You can see such routes by running the command show route hidden.
In the next tutorial of this series I will explain why multihoming (more than two ISP connections) is necessary for a production network and how we can play around with and manipulate traffic on our links.
Important Links:
1) Practical intro to BGP session establishment on Juniper
2) RFC 1918
3) Wiki on Bogon
Thanks for your example. Let's say I got assigned a /26 from my ISP and I'd like to announce that, and get a default route back. Where do I configure the /26 in the routing table given that I don't use an IGP?
Hi
ISPs as a convention do not allow announcement of a /26. The minimum subnet is /24. Obviously, technically it is possible.
Suppose you want to announce /24. You would have to get an agreement with the ISP provider, get your AS verified. After that you may configure to receive a default route from your ISP while advertising your subnets to your ISP.
Does that answer your question?
G'day, is a "then accept" needed on your import policy, as I see only "then reject"? Apologies if I misunderstood. Great articles. JB
1) The default behaviour is to accept all routes. Therefore it is important to allow the correct routes and explicitly deny other routes.
2) It also makes the configuration more readable.
http://www.juniper.net/documentation/en_US/junos12.3/topics/reference/general/policy-protocol-import-export-defaults.html
Hope it helped! :)