
[ScreenOS] What BGP aggregation options are available on the firewall?


Article ID: KB32915 KB Last Updated: 30 Jul 2018Version: 1.0
Summary:

This article explains the options available with BGP route (NLRI) aggregation on firewalls running ScreenOS.

Solution:

Topology:


There are eBGP peerings between FW1 and FW2 and between FW2 and FW3.

Neighbour table on FW2:

FW2-> get vr trust proto bgp neighbor
Peer AS Remote IP       Local IP          Wt Status   State     ConnID Up/Down
--------------------------------------------------------------------------------------
      2 4.4.4.2         4.4.4.1          100 Enabled  ESTABLISH      4 01:41:58
      3 5.5.5.100       5.5.5.50         100 Enabled  ESTABLISH      5 01:41:58
total 2 BGP peers shown

Neighbour table on FW3:
FW3-> get vr trust proto bgp neighbor
Peer AS Remote IP       Local IP           v4/v6Wt   Status   State    ConnID Up/Down
--------------------------------------------------------------------------------------
      1 4.4.4.1         4.4.4.2           100/  100  Enabled  ESTABLISH     6 01:42:44
 

With the above topology, FW2 learns multiple NLRI from its neighbor 5.5.5.100. Here is the rib-in output on FW2:

FW2-> get vr trust proto bgp rib-in

i: IBGP route, e: EBGP route, >: best route, *: valid route
               Prefix         Nexthop    Wt  Pref   Med Orig    AS-Path
--------------------------------------------------------------------------------------
Total ipv4 routes in rib-in: 9 (0 in flap-damping history)
--------------------------------------------------------------------------------------
>e*    192.168.0.0/24       5.5.5.100   100   100     0  IGP   3 1111 1121 1234 23456 12112
>e*    192.168.1.0/24       5.5.5.100   100   100     0  IGP   3 9876 6454 1212 8757 9646
>e*    192.168.2.0/24       5.5.5.100   100   100     0  IGP   3 9865 1234 65435 12343
>e*    192.168.3.0/24       5.5.5.100   100   100     0  IGP   3 23456 6123 1213 1233
>e*    10.219.88.0/24       5.5.5.100   100   100     0  IGP   3
 

If ScreenOS firewall FW2 is to aggregate the NLRI it received from neighbor 5.5.5.100, the following options are available:

> set vr trust protocol bgp aggregate ip <aggregated prefix> 
<return>
advertise-map        Set condition to advertise attribute
as-set               use AS_SET insetad of AS_SEQUENCE
attribute-map        Set attributes of aggregate
summary-only         advertise summary address only
suppress-map         Conditionally filter more specific routes from updates
 
 
  1. Run the command, set vr trust protocol bgp aggregate ip 192.168.0.0/22

    Config on FW2:
    set vr trust protocol bgp aggregate ip 192.168.0.0/22

    With the above command, ScreenOS firewall FW2 injects a new route (NLRI) for 192.168.0.0/22 with itself as the originator; when it advertises the route to its eBGP peer, the AS_PATH contains only its local AS (AS 1 here).

    FW3-> get vr trust proto bgp rib-in
    
    i: IBGP route, e: EBGP route, >: best route, *: valid route
    
                   Prefix         Nexthop    Wt  Pref   Med Orig    AS-Path
    --------------------------------------------------------------------------------------
    Total ipv4 routes in rib-in: 9 (0 in flap-damping history)
    --------------------------------------------------------------------------------------
     e         4.4.4.0/24         4.4.4.1   100   100     0  IGP   1
    >e*        5.5.5.0/24         4.4.4.1   100   100     0  IGP   1
    >i      12.12.12.0/24         0.0.0.0 32768   100     0  IGP
    >e*    192.168.0.0/22         4.4.4.1   100   100     0  IGP   1 <-- Aggregated NLRI
    >e*    192.168.0.0/24         4.4.4.1   100   100     0  IGP   1 3 1111 1121 1234 23456 12112
    >e*    192.168.1.0/24         4.4.4.1   100   100     0  IGP   1 3 9876 6454 1212 8757 9646
    >e*    192.168.2.0/24         4.4.4.1   100   100     0  IGP   1 3 9865 1234 65435 12343
    >e*    192.168.3.0/24         4.4.4.1   100   100     0  IGP   1 3 23456 6123 1213 1233
    >e*    10.219.88.0/24         4.4.4.1   100   100     0  IGP   1 3

    With a suppress-map, the firewall can inject the aggregated NLRI while suppressing selected more-specific NLRI.

    Config on FW2 :

    set vr trust-vr access-list 2
    set vr trust-vr access-list 2 permit ip 192.168.1.0/24 1
    set vr trust-vr route-map name "suppres" permit 1
    set vr trust-vr match ip 2
     
    set vr trust-vr proto bgp aggregate ip 192.168.0.0/22 suppress-map suppres
     

    With the above configuration, the firewall injects the aggregated NLRI but suppresses the NLRI that matches the route-map "suppres".
    Here is the output seen on FW3 BGP table:

    FW3-> get vr trust proto bgp rib-in
    
    i: IBGP route, e: EBGP route, >: best route, *: valid route
                   Prefix         Nexthop    Wt  Pref   Med Orig    AS-Path
    -------------------------------------------------------------------------------------
    Total ipv4 routes in rib-in: 9 (0 in flap-damping history)
    -------------------------------------------------------------------------------------
     e         4.4.4.0/24         4.4.4.1   100   100     0  IGP   1
    >e*        5.5.5.0/24         4.4.4.1   100   100     0  IGP   1
    >i      12.12.12.0/24         0.0.0.0 32768   100     0  IGP
    >e*    192.168.0.0/22         4.4.4.1   100   100     0  IGP   1
    >e*    192.168.0.0/24         4.4.4.1   100   100     0  IGP   1 3 1111 1121 1234 23456 12112
    >e*    192.168.2.0/24         4.4.4.1   100   100     0  IGP   1 3 9865 1234 65435 12343
    >e*    192.168.3.0/24         4.4.4.1   100   100     0  IGP   1 3 23456 6123 1213 1233
    >e*    10.219.88.0/24         4.4.4.1   100   100     0  IGP   1 3
  2. Run the command, set vr trust-vr protocol bgp agg ip 192.168.0.0/22 attribute-map attribute:

    Config on FW2 :
     
    set vr trust-vr route-map name "attribute" permit 10
    set vr trust-vr metric 9999
    set vr trust-vr protocol bgp agg ip 192.168.0.0/22 attribute-map attribute
     
    With the above configuration in place, the firewall injects the aggregated NLRI carrying the attributes set in the route-map named after attribute-map.
    FW3-> get vr trust proto bgp rib-in
    i: IBGP route, e: EBGP route, >: best route, *: valid route
                   Prefix         Nexthop    Wt  Pref   Med Orig    AS-Path
    --------------------------------------------------------------------------------------
    Total ipv4 routes in rib-in: 9 (0 in flap-damping history)
    --------------------------------------------------------------------------------------
     e         4.4.4.0/24         4.4.4.1   100   100     0  IGP   1
    >e*        5.5.5.0/24         4.4.4.1   100   100     0  IGP   1
    >i      12.12.12.0/24         0.0.0.0 32768   100     0  IGP
    >e*    192.168.0.0/22         4.4.4.1   100   100  9999  IGP   1 <-- NLRI is advertise with 9999 as MED
    >e*    192.168.0.0/24         4.4.4.1   100   100     0  IGP   1 3 1111 1121 1234 23456 12112
    >e*    192.168.1.0/24         4.4.4.1   100   100     0  IGP   1 3 9876 6454 1212 8757 9646
    >e*    192.168.2.0/24         4.4.4.1   100   100     0  IGP   1 3 9865 1234 65435 12343
    >e*    192.168.3.0/24         4.4.4.1   100   100     0  IGP   1 3 23456 6123 1213 1233
    >e*    10.219.88.0/24         4.4.4.1   100   100     0  IGP   1 3
    Total no. of ipv4 entries shown: 9
    i: IBGP route, e: EBGP route, >: best route, *: valid route
                                            Prefix        Wt  Pref   Med Orig
                                           Nexthop    AS-Path
    --------------------------------------------------------------------------------------
    Total ipv6 routes in rib-in: 0 (0 in flap-damping history)
    --------------------------------------------------------------------------------------
    Total no. of ipv6 entries shown: 0
  3. Run the command, set vr trust protocol bgp aggregate ip 192.168.0.0/22 as-set

    Config on FW2 :

    set vr trust protocol bgp aggregate ip 192.168.0.0/22 as-set

    With the above command, the ScreenOS firewall injects a new route (NLRI) for 192.168.0.0/22 with itself as the originator, and includes all the AS numbers present in the more-specific NLRI it is aggregating as an AS_SET, shown under {}.

    Note: Unlike an ordered AS_PATH (AS_SEQUENCE), an AS_SET does not let us trace the update's path in sequence. It does still tell us which ASes the update has traversed.

    FW3-> get vr trust proto bgp rib-in
    i: IBGP route, e: EBGP route, >: best route, *: valid route
                   Prefix         Nexthop    Wt  Pref   Med Orig    AS-Path
    --------------------------------------------------------------------------------------
    Total ipv4 routes in rib-in: 9 (0 in flap-damping history)
    --------------------------------------------------------------------------------------
     e         4.4.4.0/24         4.4.4.1   100   100     0  IGP   1
    >e*        5.5.5.0/24         4.4.4.1   100   100     0  IGP   1
    >i      12.12.12.0/24         0.0.0.0 32768   100     0  IGP
    >e*    192.168.0.0/22         4.4.4.1   100   100     0  IGP   1 {3 23456 6123 1213 1233 9865 1234 65435 12343 9876 6454 1212 8757 9646 1111 1121 12112} <-- NLRI with AS_SET
    >e*    192.168.0.0/24         4.4.4.1   100   100     0  IGP   1 3 1111 1121 1234 23456 12112
    >e*    192.168.1.0/24         4.4.4.1   100   100     0  IGP   1 3 9876 6454 1212 8757 9646
    >e*    192.168.2.0/24         4.4.4.1   100   100     0  IGP   1 3 9865 1234 65435 12343
    >e*    192.168.3.0/24         4.4.4.1   100   100     0  IGP   1 3 23456 6123 1213 1233
    >e*    10.219.88.0/24         4.4.4.1   100   100     0  IGP   1 3

    The as-set keyword can also be combined with suppression of the more-specific NLRI from the update. For that, we have the following option:

    Config on FW2:

    Run the command, set vr trust protocol bgp aggregate ip 192.168.0.0/22 as-set summary-only

    With the above command, the ScreenOS firewall injects a new route (NLRI) for 192.168.0.0/22 with itself as the originator, and includes all the AS numbers present in the more-specific NLRI it is aggregating as an AS_SET, shown under {}.

    However, with the summary-only keyword in place, the firewall no longer sends the more-specific NLRI along with the aggregated NLRI.

    FW3-> get vr trust proto bgp rib-in
    i: IBGP route, e: EBGP route, >: best route, *: valid route
                   Prefix         Nexthop    Wt  Pref   Med Orig    AS-Path
    --------------------------------------------------------------------------------------
    Total ipv4 routes in rib-in: 5 (0 in flap-damping history)
    --------------------------------------------------------------------------------------
     e         4.4.4.0/24         4.4.4.1   100   100     0  IGP   1
    >e*        5.5.5.0/24         4.4.4.1   100   100     0  IGP   1
    >i      12.12.12.0/24         0.0.0.0 32768   100     0  IGP
    >e*    192.168.0.0/22         4.4.4.1   100   100     0  IGP   1 {3 23456 6123 1213 1233 9865 1234 65435 12343 9876 6454 1212 8757 9646 1111 1121 12112}
    >e*    10.219.88.0/24         4.4.4.1   100   100     0  IGP   1 3
    Total no. of ipv4 entries shown: 5

    Config on FW2:

    set vr trust protocol bgp aggregate ip 192.168.0.0/22 as-set summary-only advertise-map adv
    set access-list 1
    set access-list 1 permit ip 192.168.0.0/24 1
    set access-list 2
    set access-list 2 permit ip 192.168.1.0/24 1
    set route-map name "adv" permit 1
    set match ip 1
     
    With the above configuration, the ScreenOS firewall injects a new route (NLRI) for 192.168.0.0/22 with itself as the originator, and the AS_SET contains only the AS numbers from the NLRI that match the route-map configured as the advertise-map "adv".

    So when the firewall injects the NLRI 192.168.0.0/22, it suppresses all the other more-specific NLRI, and the AS_SET no longer includes the ASes of all the specific NLRI. Rather, it includes only the AS_PATH of the NLRI permitted by access-list 1.
     
    FW3-> get vr trust proto bgp rib-in
    i: IBGP route, e: EBGP route, >: best route, *: valid route
                   Prefix         Nexthop    Wt  Pref   Med Orig    AS-Path
    --------------------------------------------------------------------------------------
    Total ipv4 routes in rib-in: 5 (0 in flap-damping history)
    --------------------------------------------------------------------------------------
     e         4.4.4.0/24         4.4.4.1   100   100     0  IGP   1
    >e*        5.5.5.0/24         4.4.4.1   100   100     0  IGP   1
    >i      12.12.12.0/24         0.0.0.0 32768   100     0  IGP
    >e*    192.168.0.0/22         4.4.4.1   100   100     0  IGP   1 {3 1111 1121 1234 23456 12112}
    >e*    10.219.88.0/24         4.4.4.1   100   100     0  IGP   1 3
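To make the four behaviours above concrete, here is an added Python model (not ScreenOS code and not part of the article) of what FW3 receives from FW2 for each aggregation option, using the article's rib-in as constructed input. It assumes, as in RFC 4271, that the aggregate is only generated while at least one contributing more-specific route exists; attribute-map is not modelled.

```python
import ipaddress

LOCAL_AS = 1  # FW2's AS; every route FW2 sends to FW3 gets this AS prepended

# Constructed copy of FW2's rib-in from the article: prefix -> AS_PATH received
RIB_IN = {
    "192.168.0.0/24": [3, 1111, 1121, 1234, 23456, 12112],
    "192.168.1.0/24": [3, 9876, 6454, 1212, 8757, 9646],
    "192.168.2.0/24": [3, 9865, 1234, 65435, 12343],
    "192.168.3.0/24": [3, 23456, 6123, 1213, 1233],
    "10.219.88.0/24": [3],
}


def aggregate(rib, prefix, as_set=False, summary_only=False,
              suppress=(), advertise=None):
    """Model what FW3 receives after 'aggregate ip <prefix>' on FW2.

    Returns {prefix: (AS_SEQUENCE, AS_SET-or-None)}.  Options:
      as_set       -> 'as-set': AS_SET built from the contributing routes
      summary_only -> 'summary-only': contributing routes are not sent
      suppress     -> 'suppress-map': these contributing prefixes are not sent
      advertise    -> 'advertise-map': only these prefixes feed the AS_SET
    Assumption (RFC 4271 behaviour, not stated in the article): the aggregate
    is only generated while at least one contributing route exists.
    """
    agg = ipaddress.ip_network(prefix)
    contributors = {p: path for p, path in rib.items()
                    if ipaddress.ip_network(p).subnet_of(agg)}
    out = {}
    if contributors:
        members = contributors if advertise is None else \
            {p: contributors[p] for p in advertise if p in contributors}
        aset = sorted({a for path in members.values() for a in path}) if as_set else None
        out[prefix] = ([LOCAL_AS], aset)  # aggregate originated by FW2 itself
    for p, path in rib.items():
        if p in contributors and (summary_only or p in suppress):
            continue  # more-specific route withheld from the update
        out[p] = ([LOCAL_AS] + path, None)
    return out


def show(update):
    """Render the update in the article's 'AS-Path' column style."""
    for p, (seq, aset) in update.items():
        tail = " {" + " ".join(map(str, aset)) + "}" if aset else ""
        print(f"{p:>18}  {' '.join(map(str, seq))}{tail}")


if __name__ == "__main__":
    show(aggregate(RIB_IN, "192.168.0.0/22", as_set=True, summary_only=True,
                   advertise=["192.168.0.0/24"]))
```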