Configuring iBGP on Juniper MX

As an example, I will configure internal BGP (iBGP) on a Juniper MX204. The network has servers running Accel-ppp (IPoE), and users need to be balanced between these servers and the Juniper, so iBGP will carry the users' /32 routes from all devices to the main router or routers. iBGP is also needed when several uplink provider links are connected to different routers; in that case iBGP has to be configured between those routers.

Let’s switch to configuration mode:


Be sure to specify the router-id:

set routing-options router-id

Specify the AS number:

set routing-options autonomous-system 65000

Let’s start configuring the BGP protocol:

edit protocols bgp
set local-as 65000

You can log the state of neighbors:

set log-updown

Immediately create a group with a list of local neighbors:

edit group iBGP
set type internal
set neighbor
set neighbor
set peer-as 65000
set description ""

Now create a policy that defines which routes are announced to neighbors. For example, direct announces the routes that are on loopback, access-internal announces the routes of connected users, and the route-filter allows only routes with a /32 mask:

edit policy-options policy-statement ixnfo-export
set term 1 from route-filter prefix-length-range /32-/32
set term 1 from protocol [ access-internal direct ]
set term 1 then accept
set term 2 from protocol [ bgp ospf ]
set term 2 then reject
set then reject
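
How the terms of this policy are evaluated, as an added Python example (not part of the original article and not Juniper code): conditions inside one `from` are ANDed, the values in the protocol list are ORed, and the first term that matches with accept or reject ends evaluation. The base prefix of the route-filter is elided on the page, so the model assumes it covers all IPv4; the sample routes are constructed.

```python
from ipaddress import ip_network

# Model of policy-statement ixnfo-export, terms in configured order.
# None means "this term has no condition of that kind".
IXNFO_EXPORT = [
    {"name": "term 1", "protocols": {"access-internal", "direct"},
     "prefix_len": (32, 32), "action": "accept"},
    {"name": "term 2", "protocols": {"bgp", "ospf"},
     "prefix_len": None, "action": "reject"},
    {"name": "final", "protocols": None, "prefix_len": None,
     "action": "reject"},
]

def evaluate(policy, prefix, protocol):
    """Return (action, term name) for one route."""
    plen = ip_network(prefix).prefixlen
    for term in policy:
        # All conditions of a term must hold (AND) ...
        if term["protocols"] is not None and protocol not in term["protocols"]:
            continue  # ... while the protocol list itself is an OR
        rng = term["prefix_len"]
        if rng is not None and not (rng[0] <= plen <= rng[1]):
            continue
        return term["action"], term["name"]  # first match terminates
    return "default", None  # not reached: the final term matches everything

# Constructed sample routes: (prefix, protocol that installed the route)
SAMPLE_ROUTES = [
    ("10.0.0.1/32", "direct"),            # loopback address
    ("100.64.5.17/32", "access-internal"),  # connected subscriber
    ("10.0.0.0/24", "direct"),            # connected subnet, not a /32
    ("100.64.9.9/32", "bgp"),             # /32 learned from another peer
    ("0.0.0.0/0", "static"),
]

def announced(policy, routes):
    """Prefixes the policy would export to the iBGP neighbors."""
    return [p for p, proto in routes if evaluate(policy, p, proto)[0] == "accept"]

if __name__ == "__main__":
    for prefix, proto in SAMPLE_ROUTES:
        print(prefix, proto, evaluate(IXNFO_EXPORT, prefix, proto))
```
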

Let’s apply this policy to BGP:

edit protocols bgp
set export ixnfo-export

Let’s apply the configuration:

commit check
commit comment "iBGP"

As neighbors, I had Linux servers with Bird, in which I also specified a filter that allowed only /32 routes to be accepted, and also configured a route reflector.

In the BGP protocol settings, you can also enable debug logs (and disable them later so as not to damage the internal memory of the device):

edit protocols bgp
set traceoptions file bgp.log size 1m files 2
set traceoptions flag ?
set traceoptions flag all
run show log bgp.log | last 100
delete traceoptions

I will give another example of a policy that excludes gray networks:

edit policy-options
set policy-statement bogons-reject from route-filter orlonger
set policy-statement bogons-reject from route-filter orlonger
set policy-statement bogons-reject from route-filter orlonger
set policy-statement bogons-reject from route-filter orlonger
set policy-statement bogons-reject from route-filter orlonger
set policy-statement bogons-reject from route-filter orlonger
set policy-statement bogons-reject from route-filter orlonger
set policy-statement bogons-reject then reject

set policy-statement bogons-as from as-path grey-as
set policy-statement bogons-as then reject
set as-path grey-as 64512-65534

A policy that forbids accepting the default route:

edit policy-options
set policy-statement default-route-reject from route-filter exact
set policy-statement default-route-reject then reject

You can apply several policies at once:

edit protocols bgp
set import [ bogons-reject bogons-as xxx1 xxx2 ]

Let’s check which routes from the specified network and policies were exported:

test policy ixnfo-export

Let’s exit the configuration mode and see which routes are imported and exported from the specified neighbor:

show route receive-protocol bgp
show route advertising-protocol bgp

An example of viewing the routes on Linux; their number can also be monitored through Zabbix:

 ip route | grep "via"
 ip route | grep "via" | wc -l

Let’s see the information and statistics about the neighbors:

show bgp neighbor
show bgp summary
show bgp group
show route protocol bgp
show bgp group iBGP

The BGP port should be open only for neighbors, and not publicly, so you need to restrict access, for example, as I described in the article:
Restricting access to management on Juniper MX

Or like this:

edit policy-options prefix-list bgp-neighbors
set apply-path "protocols bgp group <*> neighbor <*>"

edit firewall family inet filter bgp-protect
set term accept-bgp from source-prefix-list bgp-neighbors
set term accept-bgp from protocol tcp
set term accept-bgp from port bgp
set term accept-bgp then accept
set term deny-bgp from protocol tcp
set term deny-bgp from port bgp
set term deny-bgp then reject

set interfaces lo0 unit 0 family inet filter input-list [ bgp-protect limit-mgmt-access ]
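
What this filter does to traffic arriving on lo0, as an added Python model (not part of the original article and not Juniper code): apply-path turns every configured BGP neighbor into a host entry of the prefix list, and bgp-protect then accepts TCP/179 only from those addresses. The neighbor addresses and packets are constructed, taken from documentation ranges; the group name `uplink` is hypothetical.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed config; neighbor addresses are documentation-range placeholders.
CONFIG = """\
set protocols bgp group iBGP type internal
set protocols bgp group iBGP neighbor 192.0.2.11
set protocols bgp group iBGP neighbor 192.0.2.12
set protocols bgp group uplink neighbor 198.51.100.1
"""

def expand_apply_path(config):
    """Mimic apply-path "protocols bgp group <*> neighbor <*>": each
    neighbor address of every group becomes a /32 in bgp-neighbors."""
    pat = re.compile(r"^set protocols bgp group \S+ neighbor (\S+)", re.M)
    return [ip_network(addr) for addr in pat.findall(config)]

def bgp_protect(src, protocol, sport, dport, neighbors):
    """Evaluate filter bgp-protect for one packet.
    "port bgp" matches 179 as either source or destination port."""
    is_bgp = protocol == "tcp" and 179 in (sport, dport)
    if is_bgp and any(ip_address(src) in n for n in neighbors):
        return "accept"       # term accept-bgp
    if is_bgp:
        return "reject"       # term deny-bgp
    return "next-filter"      # no term matched; input-list moves on

# Constructed packets: (source address, protocol, source port, dest port)
SAMPLE_PACKETS = [
    ("192.0.2.11", "tcp", 51000, 179),    # neighbor opens a session
    ("192.0.2.12", "tcp", 179, 52000),    # reply to a session we opened
    ("198.51.100.1", "tcp", 40000, 179),  # neighbor from another group
    ("203.0.113.50", "tcp", 40000, 179),  # unknown host probing BGP
    ("203.0.113.50", "tcp", 40000, 22),   # not BGP: left to limit-mgmt-access
    ("203.0.113.50", "udp", 40000, 179),  # UDP is not matched by either term
]

def verdicts(config, packets):
    neighbors = expand_apply_path(config)
    return [bgp_protect(*pkt, neighbors) for pkt in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts(CONFIG, SAMPLE_PACKETS)):
        print(pkt, "->", verdict)
```

Because the prefix list follows the BGP configuration, adding or removing a neighbor changes who may reach the port without touching the filter itself.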

Let’s apply the configuration and make sure that everything works (the number 1 means the number of minutes after which the configuration will return to its previous state if, for example, you configured something wrong and lost connection with the device):

commit confirmed 1

If everything is fine, then finally apply the configuration:


From a third-party Linux server, make sure that the port is closed:


If you plan to configure iBGP only between two devices, then it may not be necessary at all: it is enough to specify static routes on the router, for example:

route add -host gw
route del -host gw
route add -net gw

See also my articles:
How to configure BGP prefix-limit
Installing and configuring BIRD (BGP)
How to set up iBGP in Bird
Juniper MX204 setup
