Configuring BGP on Juniper MX – traffic balancing

I will give an example of setting up eBGP on Juniper MX204 with several uplinks and balancing traffic between them.

Let’s go to configuration mode:

configure

We will prepare the necessary policies in advance so that we can then apply them to BGP neighbors:

edit policy-options

For example, accept only the default IPv4/IPv6 route:

set policy-statement DEFAULT-IPv4 term ACCEPT from route-filter 0.0.0.0/0 exact
set policy-statement DEFAULT-IPv4 term ACCEPT then accept
set policy-statement DEFAULT-IPv4 term REJECT then reject

set policy-statement DEFAULT-IPv6 term ACCEPT from route-filter ::/0 exact
set policy-statement DEFAULT-IPv6 term ACCEPT then accept
set policy-statement DEFAULT-IPv6 term REJECT then reject

Accept only the default IPv4 route and prepend our own AS to it, so that this uplink's default route has a longer AS path and is used less (one way to balance outgoing traffic):

set policy-statement DEFAULT-IPv4-IXNFO1-IN term 1 from route-filter 0.0.0.0/0 exact
set policy-statement DEFAULT-IPv4-IXNFO1-IN term 1 then as-path-prepend "MYAS MYAS"
set policy-statement DEFAULT-IPv4-IXNFO1-IN term 1 then accept
set policy-statement DEFAULT-IPv4-IXNFO1-IN term 2 then reject

Example of prepending on export: our prefix looks longer through this uplink, so other networks prefer the other uplinks to reach us (balancing incoming traffic):

set policy-statement IXNFO1-OUT term my-prefix from protocol aggregate policy MY-NET-Aggregated
set policy-statement IXNFO1-OUT term my-prefix then as-path-prepend "MYAS MYAS"
set policy-statement IXNFO1-OUT term my-prefix then accept
set policy-statement IXNFO1-OUT term reject-other then reject

Instead of as-path-prepend you can use as-path-expand, example:

then as-path-expand last-as count 2

Example of viewing AS path:

run show route protocol bgp
run show bgp neighbor 192.168.5.5

Don’t accept default route:

set policy-statement default-route-reject from route-filter 0.0.0.0/0 exact
set policy-statement default-route-reject then reject

Do not accept private and other bogon networks (loopback, RFC 1918, link-local, multicast, reserved):

set policy-statement bogus-reject from route-filter 127.0.0.0/8 orlonger
set policy-statement bogus-reject from route-filter 10.0.0.0/8 orlonger
set policy-statement bogus-reject from route-filter 172.16.0.0/12 orlonger
set policy-statement bogus-reject from route-filter 192.168.0.0/16 orlonger
set policy-statement bogus-reject from route-filter 169.254.0.0/16 orlonger
set policy-statement bogus-reject from route-filter 224.0.0.0/4 orlonger
set policy-statement bogus-reject from route-filter 240.0.0.0/4 orlonger
set policy-statement bogus-reject then reject

To advertise your network to the uplinks, we create an aggregated route for it and export it with a policy (if no more-specific route in this network is active in the routing table, the aggregated route is inactive as well and is not announced):

set policy-statement IXNFO-COM1-OUT term my-prefix from protocol aggregate
set policy-statement IXNFO-COM1-OUT term my-prefix from policy MY-NET-Aggregated
set policy-statement IXNFO-COM1-OUT term my-prefix then accept
set policy-statement IXNFO-COM1-OUT term reject-other then reject

set policy-statement MY-NET-Aggregated term MYAS-prefix from route-filter x.x.x.0/23 exact
set policy-statement MY-NET-Aggregated term MYAS-prefix then accept

top set routing-options aggregate route x.x.x.0/23

The /23 network can also be split into two /24 networks, for example to announce each one through a different uplink for balancing, but balancing works without this too:

set policy-statement MY-NET-Aggregated term MYAS-prefix from route-filter x.x.x.0/23 orlonger
set policy-statement MY-NET-Aggregated term MYAS-prefix then accept

top set routing-options aggregate route x.x.1.0/24
top set routing-options aggregate route x.x.2.0/24

Do not accept routes whose AS path contains a private AS number (64512-65535):

set policy-statement bogus-ases from as-path grey-as
set policy-statement bogus-ases then reject
set as-path grey-as 64512-65535

Let’s move on to setting up the BGP protocol, specifying our AS, logging session breaks with neighbors:

top edit protocols bgp
set local-as 201
set log-updown

It is better to send all logs to a syslog server and view them through a web interface; this is more convenient and spares the device's internal storage. See:
Installing Rsyslog + Loganalyzer + MySQL

An example of specifying neighbors (optional parameters are shown as commented lines, prefixed with ;):

edit group IXNFO_COM_1
set type external
set hold-time 30
set log-updown
set description TEXT
set peer-as 200
set local-as 201
set export IXNFO-COM1-OUT
; set no-advertise-peer-as
; set advertise-inactive
; set damping
; set multipath multiple-as
set neighbor 192.168.5.5 description TEXT
set neighbor 192.168.5.5 local-address 192.168.5.4
set neighbor 192.168.5.5 import [ bogus-reject bogus-ases IXNFO1-IN ]
set neighbor 192.168.6.5 description TEXT
set neighbor 192.168.6.5 local-address 192.168.6.4
set neighbor 192.168.6.5 import [ bogus-reject bogus-ases default-route-reject IXNFO1-IN ]
show
exit
top set policy-options policy-statement IXNFO1-IN term accept-other then accept
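To see how the import chains above treat a received route, here is an added example (my own Python model, not Junos code and not from the original article) that evaluates a route through the policy list in order, the way Junos does: the first term whose match conditions hold and whose action is accept or reject terminates the chain, a term without a from clause matches everything, and a route that falls off the end of the chain gets BGP's default import action (accept). The neighbor addresses, the AS numbers 200/300/3356/65001 and the prefixes in the checks are constructed; the page's IPv6 policies are not modelled, which is why an IPv6 route passes straight through.

```python
import ipaddress

# Constructed model (added example, not Junos code) of the import chains
# "[ bogus-reject bogus-ases IXNFO1-IN ]" and the variant with default-route-reject.
# A route is a dict with "prefix" and "as_path" (list of AS numbers).

PRIVATE_AS = range(64512, 65536)  # the "grey-as" range from the page

BOGON_PREFIXES = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]

# Each policy is a list of terms; each term has match conditions and a "then" action.
POLICIES = {
    "bogus-reject": [{"route_filter": [(p, "orlonger") for p in BOGON_PREFIXES],
                      "then": "reject"}],
    "bogus-ases": [{"as_path_private": True, "then": "reject"}],
    "default-route-reject": [{"route_filter": [("0.0.0.0/0", "exact")], "then": "reject"}],
    "IXNFO1-IN": [{"then": "accept"}],  # term accept-other: no "from", matches every route
}

IMPORT_CHAINS = {  # neighbor addresses as on the page
    "192.168.5.5": ["bogus-reject", "bogus-ases", "IXNFO1-IN"],
    "192.168.6.5": ["bogus-reject", "bogus-ases", "default-route-reject", "IXNFO1-IN"],
}


def route_filter_matches(route_prefix, prefix, match_type):
    """One route-filter entry: 'exact' is the prefix itself, 'orlonger' is the
    prefix itself or any more-specific prefix inside it."""
    route = ipaddress.ip_network(route_prefix)
    entry = ipaddress.ip_network(prefix)
    if route.version != entry.version:
        return False
    if match_type == "exact":
        return route == entry
    if match_type == "orlonger":
        return route.subnet_of(entry)
    raise ValueError(f"unsupported match type {match_type}")


def term_matches(term, route):
    # Simplification: Junos selects the longest-matching route-filter entry in a term
    # and evaluates only its match type; with uniform match types (as here) the
    # result is the same as "any entry matches".
    if "route_filter" in term and not any(
            route_filter_matches(route["prefix"], p, t) for p, t in term["route_filter"]):
        return False
    if term.get("as_path_private") and not any(
            asn in PRIVATE_AS for asn in route["as_path"]):
        return False
    return True


def evaluate_import(route, neighbor):
    """Return (policy name, action) of the terminating term, or ("default", "accept")."""
    for policy in IMPORT_CHAINS[neighbor]:
        for term in POLICIES[policy]:
            if term_matches(term, route) and term.get("then") in ("accept", "reject"):
                return policy, term["then"]
    return "default", "accept"  # BGP's default import action


if __name__ == "__main__":
    samples = [  # constructed routes
        ({"prefix": "0.0.0.0/0", "as_path": [300]}, "192.168.6.5"),
        ({"prefix": "0.0.0.0/0", "as_path": [200]}, "192.168.5.5"),
        ({"prefix": "10.1.0.0/16", "as_path": [200]}, "192.168.5.5"),
        ({"prefix": "203.0.113.0/24", "as_path": [200, 65001]}, "192.168.5.5"),
        ({"prefix": "203.0.113.0/24", "as_path": [200, 3356]}, "192.168.6.5"),
    ]
    for route, nbr in samples:
        print(nbr, route["prefix"], route["as_path"], "->", evaluate_import(route, nbr))
```

A route from the second neighbor that is not rejected by the bogon or private-AS policies still reaches IXNFO1-IN; only the default route is dropped on that session, which is exactly the difference between the two import lists on the page.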

Let's specify our AS and the router-id (an IP address assigned to the device, for example on the loopback, from a network inside our aggregate; because that address is always up, the aggregated route always has an active contributing route):

top set routing-options router-id 1.2.3.4
top set routing-options autonomous-system 201

Let's configure balancing, for example when the default route (0.0.0.0/0) is accepted from all uplinks and traffic should be spread across them. The forwarding-table policy only spreads traffic over next hops that are already installed in the routing table, so the BGP group also needs multipath (multiple-as when the uplinks are in different ASes, see the commented line above); despite the keyword, on MX the per-packet option hashes per flow:

top set policy-options policy-statement load-balancing-policy term balance then load-balance per-packet
top set routing-options forwarding-table export load-balancing-policy

An example of changing local-preference (default value 100). Suppose some prefixes belong to your neighbor's AS but are also advertised to you by other neighbors; to make outgoing traffic to them go to that neighbor rather than through the others, raise local-preference either for all routes whose AS path matches that AS (if only that AS's routes are accepted from it) or for specific networks listed in a prefix-list:

top edit policy-options
set policy-statement IXNFO-COM1-IN term 1 from as-path prov-1-as
set policy-statement IXNFO-COM1-IN term 1 then local-preference 200
set policy-statement IXNFO-COM1-IN term 1 then accept
set policy-statement IXNFO-COM1-IN term accept-other then accept
set policy-statement IXNFO-COM1-IN term accept-other then local-preference 100
set as-path prov-1-as ".*555"
run show bgp neighbor | match preference

Or, matching specific networks with a prefix-list instead of the as-path:

set prefix-list LIST1 100.100.100.0/23
set policy-statement IXNFO-COM1-IN term 1 from prefix-list-filter LIST1 exact
set policy-statement IXNFO-COM1-IN term 1 then local-preference 200
set policy-statement IXNFO-COM1-IN term reject-other then reject
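The prepend and local-preference policies above only change inputs to the BGP path selection, so it helps to see the selection itself. The following is an added example (my own Python model, not Junos code and not from the article) of the two decision steps these policies act on: highest local-preference wins first, then the shortest AS path. Later Junos tie-breakers (origin, MED, eBGP over iBGP, router-id and so on) are not modelled, so on a full tie the first candidate is returned. The uplink AS numbers 200 and 300, the origin AS 555 and the transit AS 444 are constructed.

```python
from dataclasses import dataclass

# Added example (not Junos code): a constructed model of the BGP decision steps
# the page's import policies influence.

MY_AS = 201  # "MYAS" on the page


@dataclass(frozen=True)
class Path:
    neighbor: str
    as_path: tuple       # AS path as stored after import (leftmost = nearest AS)
    local_pref: int = 100  # Junos default local-preference


def prepend(path, asn=MY_AS, count=2):
    """'then as-path-prepend "MYAS MYAS"' applied on import: our AS is added
    count times in front of the received path."""
    return Path(path.neighbor, (asn,) * count + path.as_path, path.local_pref)


def set_local_pref(path, value):
    """'then local-preference <value>' applied on import."""
    return Path(path.neighbor, path.as_path, value)


def best_path(paths):
    """Highest local-preference, then shortest AS path; max() keeps the first
    candidate on a complete tie (the remaining Junos tie-breakers are not modelled)."""
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path)))


def default_route_choice(prepend_uplink1=False):
    """The default route is received from both uplinks (constructed AS 200 and 300).
    Returns the neighbor whose default route becomes active."""
    via1 = Path("192.168.5.5", (200,))
    via2 = Path("192.168.6.5", (300,))
    if prepend_uplink1:
        via1 = prepend(via1)   # policy DEFAULT-IPv4-IXNFO1-IN from the page
    return best_path([via1, via2]).neighbor


def local_pref_choice(raise_on_uplink1=False):
    """A prefix originated by AS 555 (constructed) is learned from both uplinks;
    the path via uplink 1 is longer, so by AS-path length uplink 2 would win."""
    via1 = Path("192.168.5.5", (200, 444, 555))
    via2 = Path("192.168.6.5", (300, 555))
    if raise_on_uplink1:
        via1 = set_local_pref(via1, 200)   # term 1 of IXNFO-COM1-IN (as-path ".*555")
    return best_path([via1, via2]).neighbor


if __name__ == "__main__":
    print("default route, no prepend      ->", default_route_choice())
    print("default route, uplink 1 prepended ->", default_route_choice(True))
    print("AS 555 prefix, default local-pref ->", local_pref_choice())
    print("AS 555 prefix, local-pref 200 on uplink 1 ->", local_pref_choice(True))
```

The second pair of results is the point of the local-preference policy: local-preference is compared before AS-path length, so raising it on one uplink moves traffic there even when that uplink's path is longer; prepending, by contrast, only works as long as local-preference is equal on both sides.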

It is advisable to connect the uplinks directly to L3 ports of the Juniper MX rather than passing L3 traffic through L2 switches; you can then also apply filters on the L3 uplink ports, for example to filter small UDP packets to NTP and similar services, to protect the device and the network.

An example of enabling debug logs (don’t forget to disable them later):

top set protocols bgp traceoptions file bgp.log
top set protocols bgp traceoptions file size 1m
top set protocols bgp traceoptions file files 3
top set protocols bgp log-updown

If there is no default route, but there are gray networks that need to be sent to the NAT server, then see my article:
Juniper MX. How to send client traffic to a NAT server

Let’s check the configuration and apply it with a comment:

commit check
commit comment "ixnfo.com"

An example of viewing routes by AS number:

show route aspath-regex ".*65000" | count

View various information:

show route table inet.0
run show bgp summary
show route summary

The BGP port should be open only to neighbors, and not publicly, so you need to restrict access, for example, as I described in the article:
Restricting access to management on Juniper MX

Or like this:

top edit policy-options prefix-list bgp-neighbors
set apply-path "protocols bgp group <*> neighbor <*>"

top edit firewall family inet filter bgp-protect
set term accept-bgp from source-prefix-list bgp-neighbors
set term accept-bgp from protocol tcp
set term accept-bgp from port bgp
set term accept-bgp then accept
set term deny-bgp from protocol tcp
set term deny-bgp from port bgp
set term deny-bgp then reject

top set interfaces lo0 unit 0 family inet filter input-list [ bgp-protect limit-mgmt-access ]
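As an added example (my own Python model, not Junos code and not from the article), the following builds the bgp-neighbors prefix-list from set-format configuration lines the same way apply-path collects the neighbor addresses, and then evaluates sample packets against the two terms of bgp-protect in order. The configuration lines and the packets are constructed from the page's group; the outside address 203.0.113.9 is a documentation address used only for the test.

```python
import ipaddress
import re

# Added example (not Junos code): constructed model of the lo0 filter bgp-protect.
# The prefix-list is derived from "set protocols bgp group <*> neighbor <*>" lines,
# which is what the apply-path statement on the page does inside Junos.

SAMPLE_CONFIG = """
set protocols bgp group IXNFO_COM_1 neighbor 192.168.5.5 local-address 192.168.5.4
set protocols bgp group IXNFO_COM_1 neighbor 192.168.6.5 local-address 192.168.6.4
set protocols bgp group IXNFO_COM_1 neighbor 192.168.5.5 description TEXT
"""  # constructed from the page's group; the same neighbor may appear on several lines

NEIGHBOR_RE = re.compile(r"^set protocols bgp group \S+ neighbor (\S+)")
BGP_PORT = 179


def bgp_neighbors(config_text):
    """Collect neighbor addresses as host prefixes (the apply-path result)."""
    found = set()
    for line in config_text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            found.add(ipaddress.ip_network(m.group(1)))  # /32 for IPv4, /128 for IPv6
    return found


def bgp_protect(packet, neighbors):
    """Evaluate the two terms of bgp-protect against one packet arriving at lo0.
    packet: dict with src, proto, sport, dport.
    Returns "accept", "reject", or None when no term matched, in which case Junos
    continues with the next filter in the input-list (limit-mgmt-access on the page)."""
    src = ipaddress.ip_address(packet["src"])
    # "from port bgp" matches port 179 as either source or destination port
    is_bgp_tcp = packet["proto"] == "tcp" and BGP_PORT in (packet["sport"], packet["dport"])
    # term accept-bgp: source in bgp-neighbors AND tcp AND port bgp
    if is_bgp_tcp and any(src in n for n in neighbors):
        return "accept"
    # term deny-bgp: any other tcp packet with port 179 on either side
    if is_bgp_tcp:
        return "reject"
    return None


if __name__ == "__main__":
    nbrs = bgp_neighbors(SAMPLE_CONFIG)
    print("bgp-neighbors:", sorted(str(n) for n in nbrs))
    samples = [  # constructed packets
        {"src": "192.168.5.5", "proto": "tcp", "sport": 179, "dport": 52000},
        {"src": "203.0.113.9", "proto": "tcp", "sport": 51000, "dport": 179},
        {"src": "203.0.113.9", "proto": "udp", "sport": 123, "dport": 123},
        {"src": "192.168.5.5", "proto": "tcp", "sport": 51000, "dport": 22},
    ]
    for p in samples:
        print(p, "->", bgp_protect(p, nbrs))
```

Two things the model makes visible: non-BGP traffic (the UDP and SSH samples) is not decided by this filter at all and depends entirely on what follows it in the input-list, and the filter is family inet only, so IPv6 neighbors need the same pair of terms in a family inet6 filter on lo0. The deny term uses reject, which sends an ICMP error back to the sender; discard would drop the packet silently.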

Resetting a BGP session with one neighbor, or with all neighbors:

clear bgp neighbor 192.168.5.5
clear bgp neighbor all

View accepted and announced routes:

run show route receive-protocol bgp 192.168.5.5
run show route advertising-protocol bgp 192.168.5.5

See also my articles:
Configuring iBGP on Juniper MX
How to configure BGP prefix-limit on Juniper
