How can I configure the Juniper firewall to deny BGP routes with certain communities but permit others?
Topology
SSG (172.19.51.71)----BGP-----(172.19.51.37) ISP
On the SSG, the goal is to deny routes that carry certain community strings and accept everything else.
Configuration on the SSG:
- Enter the appropriate Virtual Router:
ssg-> set vr trust
ssg(trust-vr)->
- Enter the BGP instance and configure the community list:
ssg(trust-vr)-> set proto bgp
Note that there are two ways to specify the community list:
(i) By entering the community value directly: ssg(trust-vr/bgp)-> set community-list 50 permit 2770732131
OR
(ii) By specifying the AS number and the final two octets in community value
ssg(trust-vr/bgp)-> set community-list 50 permit as 42278 1123
- Set up the access list to match the rest of the routes which you want to accept; in this case we want to accept all the rest of the routes:
ssg(trust-vr)-> set access-list 2 permit ip 0.0.0.0/0 5 ***Note that this access list "2" will be referenced later on
- Set up the route-map to accomplish the following.
(i) First deny routes with the community string which was specified earlier:
ssg(trust-vr)-> set route-map name "bgp" deny 10 ***Note seq number is 10 which is to deny whatever is matched
ssg(trust-vr/bgp-10)-> set match community 50 ***Matches the community specified in Step 2
ssg(trust-vr/bgp-10)-> exit
(ii) Second, match and allow all the other incoming routes: ssg(trust-vr)-> set route-map name "bgp" permit 20 ***Note seq number is 20 and will be processed after seq 10
ssg(trust-vr/bgp-20)-> set match ip 2 *** The access list refers to the 2 in Step 3.
- Remember to apply the route map on the neighbour you wish to filter the routes from:
ssg(trust-vr/bgp)-> set neighbor 172.19.51.37 route-map "bgp" in
- How do you confirm that this is working?
In this topology, the ISP is sending 172.19.0.0/16 tagged with the community that should be denied AND 5.5.5.5/32 with NO community. Here are the steps to run the debugs to confirm this:
ssg-> cl db (this clears the debug buffer)
ssg-> debug bgp update
---> Trigger the BGP update
ssg-> get db str
The relevant output should show:
## 2009-03-23 12:34:22 : [bgp/rtmap]: start: apply policy route 172.19.0.0/16, peer 172.19.51.37, rtmap bgp
## 2009-03-23 12:34:22 : [bgp/rtmap]: MATCH comm-list: comm-list-id 2 found
## 2009-03-23 12:34:22 : [bgp/rtmap]: comm-list matched
## 2009-03-23 12:34:22 : [bgp/rtmap]: done: policy DENY in route-map entry ***Notice the DENY
## 2009-03-23 12:34:22 : [bgp/update]: done : proc nlri 172.19.255.255/16 not accepted ***Route has not been accepted
## 2009-03-23 12:34:22 : [bgp/update]: Delete PA for peer 172.19.51.37
## 2009-03-23 12:34:22 : [bgp/update]: done : proc updt msg, peer:172.19.51.37
## 2009-03-23 12:34:22 : [bgp/stack]: Rx 172.19.51.37: UPDATE msg, conn-id 15
## 2009-03-23 12:34:22 : [bgp/update]: created new PA, peer 172.19.51.37
## 2009-03-23 12:34:22 : [bgp/update]: validate/canonical UPDATE pass
## 2009-03-23 12:34:22 : [bgp/update]: start: proc updt msg, peer:172.19.51.37
## 2009-03-23 12:34:22 : [bgp/update]: start: proc nlri 5.5.5.5/32
## 2009-03-23 12:34:22 : [bgp/rtmap]: start: apply policy route 5.5.5.5/32, peer 172.19.51.37, rtmap bgp
## 2009-03-23 12:34:22 : [bgp/rtmap]: MATCH comm-list: comm-list-id 2 found ***Notice that this will match the sequence 20 of the route-map
## 2009-03-23 12:34:22 : [bgp/rtmap]: IP addr match: acc-list-id 2 return permit
## 2009-03-23 12:34:22 : [bgp/rtmap]: done : apply policy pref 100, metric 0, weight 100
## 2009-03-23 12:34:22 : [bgp/update]: local rib add prefix 5.5.5.5 / pref 100, metric 0, next-hop 172.19.50.1 ***Notice route has been added
## 2009-03-23 12:34:22 : [bgp/nexthop]: added nexthop for BGP nexthop: 172.19.50.1 with fdb nexthop: 172.19.50.1, cost: 0, reach_addr: 172.19.51.71, reach_mask: 23, bgprt: 0
## 2009-03-23 12:34:22 : [bgp/update]: add 5.5.5.5/32 to intchg
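To check the debug buffer programmatically instead of by eye, here is an added Python example (not from this article or from Juniper) that packs an AS:nn community into the single 32-bit value accepted by the first `set community-list` form, and parses `get db str` output into a per-prefix route-map verdict that can be compared against the intended policy. The sample buffer below is constructed from the lines quoted above and is not a real capture.

```python
import re

# Constructed sample of "get db str" output after "debug bgp update", modelled on the
# lines quoted in this article (not a real capture; timestamps and peer copied from it).
SAMPLE_DEBUG = """\
## 2009-03-23 12:34:22 : [bgp/rtmap]: start: apply policy route 172.19.0.0/16, peer 172.19.51.37, rtmap bgp
## 2009-03-23 12:34:22 : [bgp/rtmap]: MATCH comm-list: comm-list-id 2 found
## 2009-03-23 12:34:22 : [bgp/rtmap]: done: policy DENY in route-map entry
## 2009-03-23 12:34:22 : [bgp/update]: done : proc nlri 172.19.255.255/16 not accepted
## 2009-03-23 12:34:22 : [bgp/rtmap]: start: apply policy route 5.5.5.5/32, peer 172.19.51.37, rtmap bgp
## 2009-03-23 12:34:22 : [bgp/rtmap]: IP addr match: acc-list-id 2 return permit
## 2009-03-23 12:34:22 : [bgp/rtmap]: done : apply policy pref 100, metric 0, weight 100
## 2009-03-23 12:34:22 : [bgp/update]: local rib add prefix 5.5.5.5 / pref 100, metric 0, next-hop 172.19.50.1
"""

# A route-map evaluation starts with "apply policy route <prefix>" and ends with either
# "policy DENY" (route dropped) or "done : apply policy" (route accepted into the local RIB).
START_RE = re.compile(r"\[bgp/rtmap\]: start: apply policy route ([^,]+), peer ([^,]+), rtmap (\S+)")
DENY_RE = re.compile(r"\[bgp/rtmap\]: done: policy DENY")
PERMIT_RE = re.compile(r"\[bgp/rtmap\]: done : apply policy")

def community_value(asn, local):
    """Pack AS:nn into the 32-bit value ScreenOS also accepts (42278:1123 -> 2770732131)."""
    return (asn << 16) | local

def split_community(value):
    """Inverse of community_value: 32-bit community -> (AS, nn)."""
    return value >> 16, value & 0xFFFF

def route_map_decisions(debug_text):
    """Map each prefix seen in the debug buffer to its peer, route-map name and final verdict."""
    decisions, current = {}, None
    for line in debug_text.splitlines():
        m = START_RE.search(line)
        if m:
            current = m.group(1)
            decisions[current] = {"peer": m.group(2), "rtmap": m.group(3), "result": None}
        elif current and DENY_RE.search(line):
            decisions[current]["result"], current = "DENY", None
        elif current and PERMIT_RE.search(line):
            decisions[current]["result"], current = "PERMIT", None
    return decisions

def check_policy(debug_text, expected):
    """Return (prefix, wanted, observed) for every prefix whose verdict differs from intent."""
    seen = route_map_decisions(debug_text)
    return [(p, want, seen.get(p, {}).get("result"))
            for p, want in expected.items() if seen.get(p, {}).get("result") != want]
```

An empty list from `check_policy` means every prefix you listed was treated as intended; any tuple returned names the prefix whose verdict in the buffer does not match the policy.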