In this article, we will review EVPN MPLS Port-Based VLAN-Aware Bundle Service configuration example using Juniper MX devices. As per Port-Based VLAN-Aware service definition in RFC7432, all of the VLANs on the port are part of the same service and are mapped to a single bundle without any VID translation.
In our sample, we will add L3 IRB interfaces to VLANs, simulating L3 Default Gateways.
Continue reading “EVPN MPLS Port-Based VLAN-Aware Bundle Service”
Deliver end-to-end VLAN connectivity between Juniper QFX5100 devices leveraging EVPN with VXLAN encapsulation.
Complete configuration repository on GitHub:
https://github.com/bgphelp/blueprints/tree/master/evpn/vlan-evpn-vxlan-qfx5100
MPLS VPN Configuration example with IS-IS based Segment Routing (SPRING) on Juniper QFX5100 devices. The purpose of this lab is to demonstrate what LDP or RSVP-TE can be easily replaced with SR.
Complete Configuration Repository on GitHub:
https://github.com/bgphelp/blueprints/tree/master/SR/MPLS-VPN-SR-QFX5100
Configuration examples of VLAN-Based EVPN service using MPLS Dataplane Encapsulation in Segment Routing-Enabled Juniper Network.
Complete Configuration Repository on GitHub:
https://github.com/bgphelp/blueprints/tree/master/evpn/vlan-based-mx
Continue reading “EVPN MPLS VLAN-Based Configuration”
Cisco and Juniper Segment Routing Interoperability design with configuration examples. IS-IS based IGP topology.
Complete configuration repository on GitHub: https://github.com/bgphelp/blueprints/tree/master/1-SR-Cisco-Juniper
Continue reading “Segment Routing Cisco – Juniper Interop Design”
Step-by-step migration from LDP-based design to Segment Routing topology in Juniper environment. In this example, we will be using IS-IS as IGP protocol.
Continue reading “LDP to Segment Routing (also known as SR and SPRING) Migration Steps”
Discussion on how to migrate to BGP-Free Core by deploying MPLS as network tunneling mechanism. Document provides step-by-step migration steps for a Juniper-based network.
Continue reading “Migrating to BGP-Free Core in Juniper Environment”
Configuring Dual-CE BGP High Availability Site. This article provides Juniper Configuration Example that uses BGP AS-Prepend to identify primary and secondary paths.
Continue reading “Juniper High Availability Customer Site using AS-Prepend”
In this example, we will show recommended configuration for a Single-homed Single CE device using private AS with an upstream ISP. It is assumed that management of this device will be performed from a dedicated server residing within Customer’s Network.
This type of setup is quite common in an environment where a dedicated firewall performing source NAT function is setup to protect customer infrastructure.
Please note, that the Management Station is connected directly to the LAN interface for illustration purpose only. In real production deployments, Management Station must be protected by a firewall.
BGP configuration can be split in the following tasks:
The actual configuration is comprised of the following blocks:
ip prefix-list default-only seq 10 permit 0.0.0.0/0 ip prefix-list originated-out seq 10 permit 120.0.50.0/24
router bgp 111100 bgp log-neighbor-changes network 120.0.50.0 mask 255.255.255.0 neighbor 120.0.4.17 remote-as 100 neighbor 120.0.4.17 description PE2 neighbor 120.0.4.17 password 7 14141B180F0B neighbor 120.0.4.17 soft-reconfiguration inbound neighbor 120.0.4.17 prefix-list default-only in neighbor 120.0.4.17 prefix-list originated-out out !
Next step is to secure the router itself. But default, it will pass any traffic (with some exceptions, not covered in this article) and accept connections from anywhere on the Internet. Your job is to make sure that only trusted sources can communicate with your device (control plane protection) and spoofed traffic is not allowed in and out of your network (data plane protection).
ip access-list extended martians deny ip host 255.255.255.255 any deny ip 0.0.0.0 0.255.255.255 any deny ip 127.0.0.0 0.255.255.255 any deny ip 10.0.0.0 0.255.255.255 any deny ip 172.16.0.0 0.15.255.255 any deny ip 192.168.0.0 0.0.255.255 any deny ip 196.18.0.0 10.1.255.255 any deny ip 240.0.0.0 15.255.255.255 any deny ip 224.0.0.0 15.255.255.255 any deny ip 169.254.0.0 0.0.255.255 any deny ip 192.0.0.0 0.255.255.255 any deny ip 198.0.0.0 0.255.255.255 any deny ip 203.0.0.0 0.255.255.255 any deny ip 100.64.0.0 0.0.63.255 any ! ßLocal Traffic, should not be arriving from the Internet à deny ip 120.0.50.0 0.0.0.255 any permit ip any any
interface GigabitEthernet2 description 'CE5->PE2' ip address 120.0.4.18 255.255.255.252 no ip redirects no ip unreachables no ip proxy-arp ip access-group martians in negotiation auto ! interface GigabitEthernet3 description 'LAN Segment' ip address 120.0.50.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip verify unicast source reachable-via rx negotiation auto !
no ip http server no ip http secure-server ip route 192.168.74.0 255.255.255.0 192.168.3.18 ip ssh rsa keypair-name ssh-key ip ssh version 2 logging host 120.0.50.10 access-list 10 permit 120.0.50.10 snmp-server community t0ps3crrr3t RO 10 line vty 0 4 access-class 10 in exec-timeout 11 0 password d0ntt3ll login local transport input ssh !
! Routing Protocols (BGP) access-list 120 permit tcp any gt 1024 host 120.0.4.18 eq bgp access-list 120 permit tcp any eq bgp host 120.0.4.18 gt 1024 established ! Management Protocols (SSH, SNMP) access-list 121 permit tcp host 120.0.50.10 host 120.0.50.1 eq 22 access-list 121 permit tcp host 120.0.50.10 eq 22 host 120.0.50.1 established access-list 121 permit udp host 120.0.50.10 host 120.0.50.1 eq snmp ! Ping / Traceroute LAN Interface access-list 122 permit icmp any host 120.0.50.1 echo access-list 122 permit icmp any host 120.0.50.1 echo-reply access-list 122 permit icmp any host 120.0.50.1 ttl-exceeded access-list 122 permit icmp any host 120.0.50.1 packet-too-big access-list 122 permit icmp any host 120.0.50.1 port-unreachable access-list 122 permit icmp any host 120.0.50.1 unreachable ! Ping/Traceroute WAN Interface access-list 122 permit icmp any host 120.0.4.18 echo access-list 122 permit icmp any host 120.0.4.18 echo-reply access-list 122 permit icmp any host 120.0.4.18 ttl-exceeded access-list 122 permit icmp any host 120.0.4.18 packet-too-big access-list 122 permit icmp any host 120.0.4.18 port-unreachable access-list 122 permit icmp any host 120.0.4.18 unreachable ! Undesired Traffic access-list 123 permit icmp any any fragments access-list 123 permit udp any any fragments access-list 123 permit tcp any any fragments access-list 123 permit ip any any fragments access-list 123 permit tcp any any eq bgp rst ! All Other Traffic access-list 124 permit tcp any any access-list 124 permit udp any any access-list 124 permit icmp any any access-list 124 permit ip any any ! ! Define Class-Maps class-map match-all Catch-All-IP match access-group 124 class-map match-all Management match access-group 121 class-map match-all Normal match access-group 122 class-map match-all Undesirable match access-group 123 class-map match-all Routing match access-group 120 ! ! Configure CoPP Policy policy-map RTR_CoPP class Undesirable police 8000 1500 1500 conform-action drop exceed-action drop class Routing police 100000 5000 5000 conform-action transmit exceed-action transmit class Management police 100000 20000 20000 conform-action transmit exceed-action drop class Normal police 50000 5000 5000 conform-action transmit exceed-action drop class Catch-All-IP police 50000 5000 5000 conform-action transmit exceed-action drop class class-default police 8000 1500 1500 conform-action transmit exceed-action drop ! Apply CoPP Policy control-plane service-policy input RTR_CoPP !
service timestamps debug datetime localtime show-timezone service timestamps log datetime localtime show-timezone service password-encryption! hostname CE11 ! boot-start-marker boot-end-marker ! ! enable secret 5 $1$9Ah6$7tFkcd/bJRrHSx0grfmYA1 ! no aaa new-model no ip source-route no ip domain lookup ! username cisco privilege 15 secret 5 $1$ZJAP$Hmq/nCv7qQcwPHyB4Ixdo0 ! ! class-map match-all Catch-All-IP match access-group 124 class-map match-all Management match access-group 121 class-map match-all Normal match access-group 122 class-map match-all Undesirable match access-group 123 class-map match-all Routing match access-group 120 ! policy-map RTR_CoPP class Undesirable police 8000 1500 1500 conform-action drop exceed-action drop class Routing police 100000 5000 5000 conform-action transmit exceed-action transmit class Management police 100000 20000 20000 conform-action transmit exceed-action drop class Normal police 50000 5000 5000 conform-action transmit exceed-action drop class Catch-All-IP police 50000 5000 5000 conform-action transmit exceed-action drop class class-default police 8000 1500 1500 conform-action transmit exceed-action drop ! ! interface GigabitEthernet1 description 'Out-of-Band Management' ip address 192.168.3.231 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp negotiation auto ! interface GigabitEthernet2 description 'CE5->PE2' ip address 120.0.4.18 255.255.255.252 no ip redirects no ip proxy-arp ip access-group martians in negotiation auto ! interface GigabitEthernet3 description 'LAN Segment' ip address 120.0.50.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip verify unicast source reachable-via rx negotiation auto ! router bgp 111100 bgp log-neighbor-changes network 120.0.50.0 mask 255.255.255.0 neighbor 120.0.4.17 remote-as 100 neighbor 120.0.4.17 description PE2 neighbor 120.0.4.17 password 7 14141B180F0B neighbor 120.0.4.17 soft-reconfiguration inbound neighbor 120.0.4.17 prefix-list default-only in neighbor 120.0.4.17 prefix-list originated-out out ! virtual-service csr_mgmt ! ip forward-protocol nd ! no ip http server no ip http secure-server ip route 192.168.74.0 255.255.255.0 192.168.3.18 ip ssh rsa keypair-name ssh-key ip ssh version 2 ! ip access-list extended martians deny ip host 255.255.255.255 any deny ip 0.0.0.0 0.255.255.255 any deny ip 127.0.0.0 0.255.255.255 any deny ip 10.0.0.0 0.255.255.255 any deny ip 172.16.0.0 0.15.255.255 any deny ip 192.168.0.0 0.0.255.255 any deny ip 196.18.0.0 10.1.255.255 any deny ip 240.0.0.0 15.255.255.255 any deny ip 224.0.0.0 15.255.255.255 any deny ip 169.254.0.0 0.0.255.255 any deny ip 192.0.0.0 0.255.255.255 any deny ip 198.0.0.0 0.255.255.255 any deny ip 203.0.0.0 0.255.255.255 any deny ip 100.64.0.0 0.0.63.255 any deny ip 120.0.50.0 0.0.0.255 any permit ip any any ! ! ip prefix-list default-only seq 10 permit 0.0.0.0/0 ! ip prefix-list originated-out seq 10 permit 120.0.50.0/24 logging host 120.0.50.10 access-list 10 permit 120.0.50.10 access-list 10 permit 192.168.0.0 0.0.255.255 access-list 120 permit tcp any gt 1024 host 120.0.4.18 eq bgp access-list 120 permit tcp any eq bgp host 120.0.4.18 gt 1024 established access-list 121 permit tcp host 120.0.50.10 host 120.0.50.1 eq 22 access-list 121 permit tcp host 120.0.50.10 eq 22 host 120.0.50.1 established access-list 121 permit udp host 120.0.50.10 host 120.0.50.1 eq snmp access-list 122 permit icmp any host 120.0.50.1 echo access-list 122 permit icmp any host 120.0.50.1 echo-reply access-list 122 permit icmp any host 120.0.50.1 ttl-exceeded access-list 122 permit icmp any host 120.0.50.1 packet-too-big access-list 122 permit icmp any host 120.0.50.1 port-unreachable access-list 122 permit icmp any host 120.0.50.1 unreachable access-list 122 permit icmp any host 120.0.4.18 echo access-list 122 permit icmp any host 120.0.4.18 echo-reply access-list 122 permit icmp any host 120.0.4.18 ttl-exceeded access-list 122 permit icmp any host 120.0.4.18 packet-too-big access-list 122 permit icmp any host 120.0.4.18 port-unreachable access-list 122 permit icmp any host 120.0.4.18 unreachable access-list 124 permit tcp any any access-list 124 permit udp any any access-list 124 permit icmp any any access-list 124 permit ip any any ! snmp-server community t0ps3crrr3t RO 10 ! ! control-plane service-policy input RTR_CoPP ! banner motd ^C Disconnect IMMEDIATELY if you are not an authorized user! ^C ! line con 0 exec-timeout 11 0 password d0ntt3ll stopbits 1 line vty 0 4 access-class 10 in exec-timeout 11 0 password d0ntt3ll login local transport input ssh ! ! end
BGP Best Practice Recommendation documented in RFC 7454 and discussed in “BGP Best Practices or Dissecting RFC 7454” article mandates the use of inbound prefix-list filtering to discard bogus route-advertisements to and from BGP peers. It is strongly recommended that you implement aforementioned filtering if you accept the full or partial BGP view from your peers.
You do not need to maintain inbound bogus route filtering if the only route you are planning to accept from your service providers is the default 0.0.0.0/0 prefix. In this scenario, you should configure an explicit prefix-filter permitting 0.0.0.0/0 route and rejecting all other advertisements.
Over the years, networking professions have used various terms to refer to the same thing. These “bad” advertisements might be referred to as Bogons, Martian Lists, Bogus Advertisements, etc.
The current list is comprised of IP Blocks that are used for some kind of special use, such as RFC1918 space, Loopback block, etc. Sometime ago this list also included valid IPv4 prefixes that have not been allocated by The Internet Assigned Numbers Authority (IANA). IPv4 Space Exhaustion put stop to this. For the majority of ISPs and Enterprises, it is no longer feasible to include remaining unallocated blocks to the Bogons least, as this IPv4 space is small and constantly changing. The situation is very different when it comes to IPv6 space, and it will be discussed in IPv6 Martians article.
The main reason for filtering-out Bogon advertisements is the Internet security. Bad things might begin to happen if you allow Bogon blocks to be accepted into your BGP domain. Let’s consider a few scenarios where hackers were able to advertise RFC1918 block to your network.
Source: http://www.radb.net/query/?keywords=fltr-martian
ip prefix-list martians seq 10 deny 0.0.0.0/8 le 32 ip prefix-list martians seq 20 deny 10.0.0.0/8 le 32 ip prefix-list martians seq 30 deny 100.64.0.0/10 le 32 ip prefix-list martians seq 40 deny 127.0.0.0/8 le 32 ip prefix-list martians seq 50 deny 169.254.0.0/16 le 32 ip prefix-list martians seq 60 deny 172.16.0.0/12 le 32 ip prefix-list martians seq 70 deny 192.0.0.0/24 le 32 ip prefix-list martians seq 80 deny 192.0.2.0/24 le 32 ip prefix-list martians seq 90 deny 192.168.0.0/16 le 32 ip prefix-list martians seq 100 deny 198.18.0.0/15 le 32 ip prefix-list martians seq 110 deny 198.51.100.0/24 le 32 ip prefix-list martians seq 120 deny 203.0.113.0/24 le 32 ip prefix-list martians seq 130 deny 224.0.0.0/3 le 32 ip prefix-list martians seq 9999 permit 0.0.0.0/0 le 32 router bgp 111100 ... neighbor 120.0.4.17 prefix-list martians in
Set Format:
set policy-options policy-statement martians-ipv4 from route-filter 0.0.0.0/8 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 10.0.0.0/8 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 100.64.0.0/10 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 127.0.0.0/8 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 169.254.0.0/16 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 172.16.0.0/12 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 192.0.0.0/24 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 192.0.2.0/24 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 192.168.0.0/16 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 198.18.0.0/15 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 198.51.100.0/24 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 203.0.113.0/24 orlonger reject set policy-options policy-statement martians-ipv4 from route-filter 224.0.0.0/3 orlonger reject set policy-options policy-statement martians-ipv4 then accept set protocols bgp group ebgp import martians-ipv4
Curly Braces format:
policy-statement martians-ipv4 {
from {
route-filter 0.0.0.0/8 orlonger reject;
route-filter 10.0.0.0/8 orlonger reject;
route-filter 100.64.0.0/10 orlonger reject;
route-filter 127.0.0.0/8 orlonger reject;
route-filter 169.254.0.0/16 orlonger reject;
route-filter 172.16.0.0/12 orlonger reject;
route-filter 192.0.0.0/24 orlonger reject;
route-filter 192.0.2.0/24 orlonger reject;
route-filter 192.168.0.0/16 orlonger reject;
route-filter 198.18.0.0/15 orlonger reject;
route-filter 198.51.100.0/24 orlonger reject;
route-filter 203.0.113.0/24 orlonger reject;
route-filter 224.0.0.0/3 orlonger reject;
}
then accept;
}
protocols {
bgp {
group ebgp {
import martians-ipv4;
...
}
}
}