For example, I will configure Internal BGP on Juniper MX204. Since there are servers with Accel-ppp (ipoe) in the network and you need to balance users between these servers and Juniper, iBGP will transfer user routes with /32 mask from all devices to the main router/routers. iBGP is also needed when there are several links to Uplink providers that are connected to different routers, then you need to configure iBGP between these routers.
Let’s switch to configuration mode:
configure
Be sure to specify the router-id:
set routing-options router-id 192.168.5.5
Specify the AS number:
set routing-options autonomous-system 65000
Let’s start configuring the BGP protocol:
edit protocols bgp
set local-as 65000
You can log the state of neighbors:
set log-updown
Immediately create a group with a list of local neighbors:
edit group iBGP
set type internal
set neighbor 192.168.5.6
set neighbor 192.168.5.7
set peer-as 65000
set description "ixnfo.com"
exit
exit
Now you need to create a policy in which we define which routes need to be announced to neighbors, for example direct – to announce the routes that are on loopback, access-internal – routes of connected users, and also indicate that only routes with the /32 mask are allowed:
edit policy-options policy-statement ixnfo-export
set term 1 from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set term 1 from protocol [ access-internal direct ]
set term 1 then accept
set term 2 from protocol [ bgp ospf ]
set term 2 then reject
set then reject
exit
Let’s apply this policy to BGP:
edit protocols bgp
set export ixnfo-export
exit
Let’s apply the configuration:
commit check
commit comment "iBGP"
As neighbors, I had Linux servers with Bird, in which I also specified a filter that allowed only /32 routes to be accepted, and also configured a route reflector.
In the BGP protocol settings, you can also enable debug logs (and disable them later so as not to damage the internal memory of the device):
edit protocols bgp
set traceoptions file bgp.log size 1m files 2
set traceoptions flag ?
set traceoptions flag all
commit
run show log bgp.log | last 100
delete traceoptions
commit
exit
I will give another example of a policy that excludes gray networks:
edit policy-options
set policy-statement bogons-reject from route-filter 127.0.0.0/8 orlonger
set policy-statement bogons-reject from route-filter 10.0.0.0/8 orlonger
set policy-statement bogons-reject from route-filter 172.16.0.0/12 orlonger
set policy-statement bogons-reject from route-filter 192.168.0.0/16 orlonger
set policy-statement bogons-reject from route-filter 169.254.0.0/16 orlonger
set policy-statement bogons-reject from route-filter 224.0.0.0/4 orlonger
set policy-statement bogons-reject from route-filter 240.0.0.0/4 orlonger
set policy-statement bogons-reject then reject
set policy-statement bogons-as from as-path grey-as
set policy-statement bogons-as then reject
set policy-statement as-path grey-as 64512-65534
Policy forbidding to accept the default route:
edit policy-options
set policy-statement default-route-reject from route-filter 0.0.0.0/0 exact
set policy-statement default-route-reject then reject
You can apply several policies at once:
edit protocols bgp
set import [ bogons-reject bogons-as xxx1 xxx2 ]
Let’s check which routes from the specified network and policies were exported:
test policy ixnfo-export 172.16.0.0/12
Let’s exit the configuration mode and see which routes are imported and exported from the specified neighbor:
exit
show route receive-protocol bgp 192.168.5.6
show route advertising-protocol bgp 192.168.5.6
An example of viewing routes in Linux, and you can also monitor their number through Zabbix:
ip route | grep "via 192.168.5.5"
ip route | grep "via 192.168.5.5" | wc -l
Let’s see the information and statistics about the neighbors:
show bgp neighbor
show bgp summary
show bgp group
show route protocol bgp
show bgp group iBGP
The BGP port should be open only for neighbors, and not publicly, so you need to restrict access, for example, as I described in the article:
Restricting access to management on Juniper MX
Or like this:
edit policy-options prefix-list bgp-neighbors
set apply-path "protocols bgp group <*> neighbor <*>"
edit firewall family inet filter bgp-protect
set term accept-bgp from source-prefix-list bgp-neighbors
set term accept-bgp from protocol tcp
set term accept-bgp from port bgp
set term accept-bgp then accept
set term deny-bgp from protocol tcp
set term deny-bgp from port bgp
set term deny-bgp then reject
set interfaces lo0 unit 0 family inet filter input-list [ bgp-protect limit-mgmt-access ]
Let’s apply the configuration and make sure that everything works (the number 1 means the number of minutes after which the configuration will return to its previous state if, for example, you configured something wrong and lost connection with the device):
commit confirmed 1
If everything is fine, then finally apply the configuration:
commit
From a third-party Linux server, make sure that the port is closed:
nmap 192.168.5.5
If you plan to configure iBGP only between two devices, then it may not be necessary at all, it is enough to specify static routes on the router, for example:
route add -host 172.16.0.1 gw 192.168.5.5
route del -host 172.16.0.1 gw 192.168.5.5
route add -net 10.10.0.0/20 gw 192.168.5.5
See also my articles:
- How to configure BGP prefix-limit
- Configuring eBGP on Juniper MX – traffic balancing
- Installing and configuring BIRD (BGP)
- How to set up iBGP in Bird
- Juniper MX204 setup