BGP between ScreenOS and IOS

Firewall Oct 26, 2011

There are times when static routing on firewalls simply does not scale. As long as the routing stays inside a trusted network, I see no reason to avoid dynamic routing. Juniper devices (Junos and ScreenOS) can even use virtual routers to split the routing domain into several domains. The example below only shows how to build a BGP peering between a ScreenOS cluster and two Cisco routers.

Firewalls J1 and J2 form a cluster in which only one device actively forwards traffic. The eBGP peering is established with the active device through a virtual IP, called a VSI in ScreenOS jargon. The cluster is in AS 64999. Since the active device is J1, traffic will be forced through C1, which is connected to the same switch.

C1 and C2 are core routers running BGP in AS 65000; they have an iBGP session between them and each forms an eBGP peering with the cluster's VSI.

Cisco IOS configuration

The Cisco routers have a very basic BGP configuration.

C1

interface Vlan644
 ip address 10.6.44.1 255.255.255.248

interface Vlan645
 ip address 10.6.45.1 255.255.255.248

router bgp 65000
 neighbor 10.6.45.2 remote-as 65000
 neighbor 10.6.45.2 password exp-networks
 neighbor 10.6.44.4 remote-as 64999
 neighbor 10.6.44.4 password exp-networks
 network 10.6.45.0 mask 255.255.255.248

C2

interface Vlan644
 ip address 10.6.44.2 255.255.255.248

interface Vlan645
 ip address 10.6.45.2 255.255.255.248

router bgp 65000
 neighbor 10.6.45.1 remote-as 65000
 neighbor 10.6.45.1 password exp-networks
 neighbor 10.6.44.4 remote-as 64999
 neighbor 10.6.44.4 password exp-networks
 network 10.6.45.0 mask 255.255.255.248

Juniper ScreenOS configuration

Only the active ScreenOS device needs to be configured; the configuration is replicated to the standby device by NSRP. For demonstration purposes the cluster will advertise the default route to the routers and reject it from them. Since the active node is connected to C1, traffic is forced through that router with the help of MED and weight.

J1

set interface "aggregate1.644" tag 644 zone "Trust"
set interface aggregate1.644 ip 10.6.44.4/29
set interface aggregate1.644 route
set interface aggregate1.644 manage-ip 10.6.44.5
set interface aggregate1.644 protocol bgp

set vrouter "trust-vr"
set protocol bgp 64999
set enable
set neighbor 10.6.44.1 remote-as 65000
set neighbor 10.6.44.1 enable
set neighbor 10.6.44.1 md5-authentication exp-networks
set neighbor 10.6.44.2 remote-as 65000
set neighbor 10.6.44.2 enable
set neighbor 10.6.44.2 md5-authentication exp-networks
set ipv4 neighbor 10.6.44.1 activate
set ipv4 neighbor 10.6.44.1 med 10
set ipv4 neighbor 10.6.44.1 advertise-def-route
set ipv4 neighbor 10.6.44.1 reject-default-route
set ipv4 neighbor 10.6.44.1 weight 200
set ipv4 neighbor 10.6.44.2 activate
set ipv4 neighbor 10.6.44.2 med 20
set ipv4 neighbor 10.6.44.2 advertise-def-route
set ipv4 neighbor 10.6.44.2 reject-default-route
exit
exit

J2

To be complete, J2 is configured with its own manage-ip.

set interface aggregate1.644 manage-ip 10.6.44.6
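Because a BGP session that comes up without TCP MD5 is easy to miss in a long stanza, a small audit that cross-checks each neighbor's remote-as line against its password (IOS) or md5-authentication (ScreenOS) line is worth running before the verification steps. This is an added example, not part of the original post; the samples are constructed, and the C2 stanza deliberately carries the iBGP password under the wrong address (10.6.44.1 instead of 10.6.45.1), the kind of slip that happens when copying the C1 stanza.

```python
import re

# Constructed sample: a C2 stanza in which the iBGP password line names
# 10.6.44.1, an address that has no "remote-as" line, so the real iBGP
# peer 10.6.45.1 would negotiate without MD5.
C2_CONFIG = """\
router bgp 65000
 neighbor 10.6.45.1 remote-as 65000
 neighbor 10.6.44.1 password exp-networks
 neighbor 10.6.44.4 remote-as 64999
 neighbor 10.6.44.4 password exp-networks
 network 10.6.45.0 mask 255.255.255.248
"""

# Constructed sample: the ScreenOS BGP block of J1, where both peers
# are authenticated.
J1_CONFIG = """\
set protocol bgp 64999
set enable
set neighbor 10.6.44.1 remote-as 65000
set neighbor 10.6.44.1 enable
set neighbor 10.6.44.1 md5-authentication exp-networks
set neighbor 10.6.44.2 remote-as 65000
set neighbor 10.6.44.2 enable
set neighbor 10.6.44.2 md5-authentication exp-networks
"""

# One pattern per dialect: capture the peer address and the keyword that
# either declares the peer (remote-as) or attaches the MD5 secret.
IOS_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(remote-as|password)\b")
SCREENOS_RE = re.compile(r"^\s*set neighbor\s+(\S+)\s+(remote-as|md5-authentication)\b")


def audit_bgp_auth(config, pattern):
    """Return (unauthenticated_peers, orphan_passwords).

    unauthenticated_peers: declared neighbors with no MD5 secret, i.e.
    sessions that would establish without TCP MD5 protection.
    orphan_passwords: secrets attached to an address that is not a
    declared neighbor, almost always a typo in the peer address.
    """
    peers, passworded = set(), set()
    for line in config.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        addr, keyword = m.groups()
        (peers if keyword == "remote-as" else passworded).add(addr)
    return sorted(peers - passworded), sorted(passworded - peers)


if __name__ == "__main__":
    print("C2:", audit_bgp_auth(C2_CONFIG, IOS_RE))
    print("J1:", audit_bgp_auth(J1_CONFIG, SCREENOS_RE))
```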

Verifications

A few seconds after the configuration, the BGP peering should be established.

Check BGP peering on ScreenOS

On Juniper devices

J1(M)-> get vrouter trust-vr protocol bgp neighbor
Peer AS Remote IP   Local IP      Wt Status   State     ConnID Up/Down
-----------------------------------------------------------------------
  65000 10.6.44.1   10.6.44.4    100 Enabled  ESTABLISH   1020 00:18:18
  65000 10.6.44.2   10.6.44.4    100 Enabled  ESTABLISH   1043 00:00:19

total 2 BGP peers shown

On Cisco routers

C1# sh ip bgp summary
BGP router identifier 10.6.45.1, local AS number 65000
BGP table version is 96, main routing table version 96
2 network entries using 274 bytes of memory
3 path entries using 204 bytes of memory
7/3 BGP path/bestpath attribute entries using 980 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1530 total bytes of memory
BGP activity 15/9 prefixes, 51/44 paths, scan interval 15 secs

Neighbor   V    AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.6.44.4  4 64999    5964    7607     96   0    0 00:35:02        1
10.6.45.2  4 65000     974     925     96   0    0 00:35:06        1

Check the bgp table

On Juniper devices

J1(M)-> get vrouter trust-vr protocol bgp rib-in
i: IBGP route, e: EBGP route, >: best route, *: valid route
               Prefix         Nexthop    Wt  Pref   Med Orig    AS-Path
-----------------------------------------------------------------------
Total ipv4 routes in rib-in: 2 (0 in flap-damping history)
-----------------------------------------------------------------------
>e*      10.6.45.0/29       10.6.44.1   200   100     0  IGP   65000
 e       10.6.45.0/29       10.6.44.2   100   100     0  IGP   65000
Total no. of ipv4 entries shown: 2

Or, to see all the details:

J1(M)-> get vrouter trust-vr protocol bgp rib-in 10.6.45.0/29
Prefix: 10.6.45.0/29
Nexthop: 10.6.44.1, Weight: 200, Local Pref: 100, MED: 0, Flags: 0x486 0x88, Orig: IGP
AS segment type: AS_SEQ, AS path:65000

Prefix: 10.6.45.0/29
Nexthop: 10.6.44.2, Weight: 100, Local Pref: 100, MED: 0, Flags: 0x404 0x88, Orig: IGP
AS segment type: AS_SEQ, AS path:65000

On Cisco devices, C1 should only see the default route from J1, while C2 should see it from both C1 and J1 and select the one through C1 because of the better MED.

C1#sh ip bgp 
BGP table version is 96, local router ID is 10.10.254.164
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          10.6.44.4               10             0 64999 i
* i10.6.45.0/29     10.6.45.2                0    100      0 i
*>                  0.0.0.0                  0         32768 i

C2#sh ip bgp
BGP table version is 152, local router ID is 10.10.254.201
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i0.0.0.0          10.6.45.1               10    100      0 64999 i
*                   10.6.44.4               20             0 64999 i
*> 10.6.45.0/29     0.0.0.0                  0         32768 i
* i                 10.6.45.1                0    100      0 i

Or, to see all the details (on C2 only):

C2# sh ip bgp 0.0.0.0/0
BGP routing table entry for 0.0.0.0/0, version 148
Paths: (2 available, best #1)
  Advertised to update-groups:
     2
  64999
    10.6.45.1 from 10.6.45.1 (10.6.45.1)
      Origin IGP, metric 10, localpref 100, valid, internal, best
  64999
    10.6.44.4 from 10.6.44.4 (10.6.44.4)
      Origin IGP, metric 20, localpref 100, valid, external

That’s it… Not very complex and it may ease your life a lot.

Christophe Lemaire

Christophe has been a network and security engineer for more than 20 years. He has always been eager to learn new technologies and to share them with his peers. He's always happy to help, so don't hesitate...
