[ScreenOS] How can I configure the Juniper firewall to deny BGP routes with certain communities but permit others?

Article ID: KB13660
KB Last Updated: 17 Jun 2010
Version: 2.0
Summary:
How can I configure the Juniper firewall to deny BGP routes with certain communities but permit others?
Solution:
Topology

SSG (172.19.51.71)----BGP-----(172.19.51.37) ISP

On the SSG, the goal is to deny incoming routes that carry a specific BGP community value while still accepting every other route from the same peer.

Configuration on the SSG:
  1. Enter the appropriate virtual router:

     ssg-> set vr trust
     ssg(trust-vr)->

  2. Enter the BGP instance and configure the community list. There are two ways to specify the community:

     (i) By entering the 32-bit community value directly:

     ssg(trust-vr)-> set proto bgp
     ssg(trust-vr/bgp)-> set community-list 50 permit 2770732131

     OR

     (ii) By specifying the AS number and the low 16 bits of the community value. The community 42278:1123 is 42278 x 65536 + 1123 = 2770732131, so both forms match the same community:

     ssg(trust-vr/bgp)-> set community-list 50 permit as 42278 1123
     ssg(trust-vr/bgp)-> exit

  3. Set up the access list to match the rest of the routes you want to accept; in this case we accept all other routes. Access list "2" is referenced by the route map in the next step (the trailing 5 is the sequence number of the access-list entry):

     ssg(trust-vr)-> set access-list 2 permit ip 0.0.0.0/0 5

  4. Set up the route map. Entries are evaluated in sequence order, and a route that matches no entry is dropped, so the permit entry at sequence 20 is required.

     (i) First deny routes carrying the community matched by community list 50 from Step 2. Sequence 10 is evaluated first, and its action is deny for whatever it matches:

     ssg(trust-vr)-> set route-map name "bgp" deny 10
     ssg(trust-vr/bgp-10)-> set match community 50
     ssg(trust-vr/bgp-10)-> exit

     (ii) Second, match and permit all other incoming routes. Sequence 20 is processed after sequence 10; "match ip 2" refers to access list 2 from Step 3:

     ssg(trust-vr)-> set route-map name "bgp" permit 20
     ssg(trust-vr/bgp-20)-> set match ip 2
     ssg(trust-vr/bgp-20)-> exit

  5. Apply the route map inbound on the neighbour whose routes you want to filter. This is done inside the BGP instance:

     ssg(trust-vr)-> set proto bgp
     ssg(trust-vr/bgp)-> set neighbor 172.19.51.37 route-map "bgp" in
  6. Confirm that the filter is working.

     In this topology the ISP advertises 172.19.0.0/16 carrying the community that should be denied, AND 5.5.5.5/32 with no community. Run the following debugs to confirm the behaviour (debugging adds CPU load, so turn it off with "undebug all" once you have the output):

     ssg-> cl db                 (clears the debug buffer; short for "clear dbuf")
     ssg-> debug bgp update
     ---> Trigger the BGP update from the peer
     ssg-> get db str            (short for "get dbuf stream")
     ssg-> undebug all

     The relevant output should show:
    ## 2009-03-23 12:34:22 : [bgp/rtmap]: start: apply policy route 172.19.0.0/16, peer 172.19.51.37, rtmap bgp
    ## 2009-03-23 12:34:22 : [bgp/rtmap]: MATCH comm-list: comm-list-id 2 found
    ## 2009-03-23 12:34:22 : [bgp/rtmap]: comm-list matched
    ## 2009-03-23 12:34:22 : [bgp/rtmap]: done: policy DENY in route-map entry                  ***Notice the DENY
    ## 2009-03-23 12:34:22 : [bgp/update]: done : proc nlri 172.19.255.255/16 not accepted      ***Route has not been accepted
    ## 2009-03-23 12:34:22 : [bgp/update]: Delete PA for peer 172.19.51.37
    ## 2009-03-23 12:34:22 : [bgp/update]: done : proc updt msg, peer:172.19.51.37
    ## 2009-03-23 12:34:22 : [bgp/stack]: Rx 172.19.51.37: UPDATE msg, conn-id 15
    ## 2009-03-23 12:34:22 : [bgp/update]: created new PA, peer 172.19.51.37
    ## 2009-03-23 12:34:22 : [bgp/update]: validate/canonical UPDATE pass
    ## 2009-03-23 12:34:22 : [bgp/update]: start: proc updt msg, peer:172.19.51.37
    ## 2009-03-23 12:34:22 : [bgp/update]: start: proc nlri 5.5.5.5/32
    ## 2009-03-23 12:34:22 : [bgp/rtmap]: start: apply policy route 5.5.5.5/32, peer 172.19.51.37, rtmap bgp
    ## 2009-03-23 12:34:22 : [bgp/rtmap]: MATCH comm-list: comm-list-id 2 found                ***Notice that this will match the sequence 20 of the route-map
    ## 2009-03-23 12:34:22 : [bgp/rtmap]: IP addr match: acc-list-id 2 return permit
    ## 2009-03-23 12:34:22 : [bgp/rtmap]: done : apply policy pref 100, metric 0, weight 100
    ## 2009-03-23 12:34:22 : [bgp/update]: local rib add prefix 5.5.5.5 / pref 100, metric 0, next-hop 172.19.50.1        ***Notice route has been added
    ## 2009-03-23 12:34:22 : [bgp/nexthop]: added nexthop for BGP nexthop: 172.19.50.1 with fdb nexthop: 172.19.50.1, cost: 0, reach_addr: 172.19.51.71, reach_mask: 23, bgprt: 0
    ## 2009-03-23 12:34:22 : [bgp/update]: add 5.5.5.5/32 to intchg
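The following is an added example in Python, not ScreenOS or Juniper code, to go with the configuration and verification steps above. It encodes the AS:value form of a community (Step 2, form ii) into the 32-bit number used by form (i) and decodes it back, then parses "debug bgp update" output to report which prefixes the route map denied or accepted per peer, so a long debug buffer can be checked mechanically rather than by eye. The sample debug text is the article's own output above, embedded as a string; the function names and the "pending" verdict for routes with no recorded outcome are this example's own conventions.

```python
"""Helpers for checking a ScreenOS BGP community filter (example code, not Juniper's)."""
import re
from typing import Dict, List, Tuple


def community_to_int(asn: int, value: int) -> int:
    """Encode an AS:value community as the 32-bit number ScreenOS accepts directly.

    'set community-list 50 permit as 42278 1123' and
    'set community-list 50 permit 2770732131' refer to the same community.
    """
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError("AS number and community value must each fit in 16 bits")
    return (asn << 16) | value


def int_to_community(number: int) -> Tuple[int, int]:
    """Decode a 32-bit community number back to (asn, value)."""
    if not (0 <= number <= 0xFFFFFFFF):
        raise ValueError("community number must fit in 32 bits")
    return number >> 16, number & 0xFFFF


# Patterns matched against 'debug bgp update' output lines (ScreenOS format as shown above).
_START_RE = re.compile(r"\[bgp/rtmap\]: start: apply policy route (\S+), peer (\S+), rtmap (\S+)")
_DENY_RE = re.compile(r"\[bgp/rtmap\]: done: policy DENY")
_RIB_ADD_RE = re.compile(r"\[bgp/update\]: local rib add prefix (\S+) /")


def parse_rtmap_debug(debug_text: str) -> Dict[Tuple[str, str], str]:
    """Map each (prefix, peer) the route map evaluated to 'denied', 'accepted' or 'pending'.

    A route's outcome is the first 'policy DENY' or 'local rib add' line that follows
    its 'apply policy route' line; a route with neither stays 'pending'.
    """
    verdicts: Dict[Tuple[str, str], str] = {}
    current = None
    for line in debug_text.splitlines():
        m = _START_RE.search(line)
        if m:
            current = (m.group(1), m.group(2))
            verdicts[current] = "pending"
            continue
        if current is None:
            continue
        if _DENY_RE.search(line):
            verdicts[current] = "denied"
            current = None
        elif _RIB_ADD_RE.search(line):
            verdicts[current] = "accepted"
            current = None
    return verdicts


def denied_from(verdicts: Dict[Tuple[str, str], str], peer: str) -> List[str]:
    """Sorted list of prefixes the route map denied from the given peer."""
    return sorted(prefix for (prefix, p), v in verdicts.items() if p == peer and v == "denied")


# Sample input: the article's own debug output, with the *** annotations removed.
SAMPLE_DEBUG = """\
## 2009-03-23 12:34:22 : [bgp/rtmap]: start: apply policy route 172.19.0.0/16, peer 172.19.51.37, rtmap bgp
## 2009-03-23 12:34:22 : [bgp/rtmap]: MATCH comm-list: comm-list-id 2 found
## 2009-03-23 12:34:22 : [bgp/rtmap]: comm-list matched
## 2009-03-23 12:34:22 : [bgp/rtmap]: done: policy DENY in route-map entry
## 2009-03-23 12:34:22 : [bgp/update]: done : proc nlri 172.19.255.255/16 not accepted
## 2009-03-23 12:34:22 : [bgp/update]: Delete PA for peer 172.19.51.37
## 2009-03-23 12:34:22 : [bgp/update]: done : proc updt msg, peer:172.19.51.37
## 2009-03-23 12:34:22 : [bgp/stack]: Rx 172.19.51.37: UPDATE msg, conn-id 15
## 2009-03-23 12:34:22 : [bgp/update]: created new PA, peer 172.19.51.37
## 2009-03-23 12:34:22 : [bgp/update]: validate/canonical UPDATE pass
## 2009-03-23 12:34:22 : [bgp/update]: start: proc updt msg, peer:172.19.51.37
## 2009-03-23 12:34:22 : [bgp/update]: start: proc nlri 5.5.5.5/32
## 2009-03-23 12:34:22 : [bgp/rtmap]: start: apply policy route 5.5.5.5/32, peer 172.19.51.37, rtmap bgp
## 2009-03-23 12:34:22 : [bgp/rtmap]: MATCH comm-list: comm-list-id 2 found
## 2009-03-23 12:34:22 : [bgp/rtmap]: IP addr match: acc-list-id 2 return permit
## 2009-03-23 12:34:22 : [bgp/rtmap]: done : apply policy pref 100, metric 0, weight 100
## 2009-03-23 12:34:22 : [bgp/update]: local rib add prefix 5.5.5.5 / pref 100, metric 0, next-hop 172.19.50.1
## 2009-03-23 12:34:22 : [bgp/update]: add 5.5.5.5/32 to intchg
"""


if __name__ == "__main__":
    print("42278:1123 ->", community_to_int(42278, 1123))
    print("2770732131 ->", int_to_community(2770732131))
    for (prefix, peer), verdict in parse_rtmap_debug(SAMPLE_DEBUG).items():
        print(f"{prefix:<16} from {peer}: {verdict}")
```

Paste the contents of "get db str" into SAMPLE_DEBUG (or read it from a file) and compare the denied list against the prefixes you expect the community list to catch; a prefix that stays "pending" means the buffer was cut off or the route map was never applied to it, which is worth investigating before assuming the filter works.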