And now the final post before the whole workbook is posted: Route Filtering.
Ok, let's discuss Route Filtering in this lab, and to keep it simple, we will use eBGP for the routing protocol. For this lab we will need to create another loopback on R4 for 44.44.44.44/32.
The goal of this lab is in 3 parts.
Part 1: Full reachability
Part 2: Filter 44.44.44.44/32 in on J1
Part 3: Filter 1.1.1.1/32, 2.2.2.2/32, and 3.3.3.3/32 to R4
The first step is yours as we need to reset all configs to the rollback/base configurations.
Ok, let's get started!
On R4 we will need to create Loopback1 and configure BGP to peer with J1:
R4# config t
R4(config)#int lo1
R4(config-if)#ip add 44.44.44.44 255.255.255.255
R4(config-if)# router bgp 4
R4(config-router)#no auto-summary
R4(config-router)#nei 192.168.14.1 remote-as 123
R4(config-router)#net 4.4.4.4 mask 255.255.255.255
R4(config-router)#net 44.44.44.44 mask 255.255.255.255
R4(config-router)#^Z
R4#
Ok, we will start with J2, then J3, and finally J1 for the configuration.
J2:
jfry@J2> edit
Entering configuration mode
[edit]
jfry@J2# set policy-options policy-statement Connected term 1 from protocol direct
[edit]
jfry@J2# set policy-options policy-statement Connected term 1 then accept
[edit]
jfry@J2# set routing-options autonomous-system 123
[edit]
jfry@J2# edit protocols bgp group ibgp
[edit protocols bgp group ibgp]
jfry@J2# set type internal
[edit protocols bgp group ibgp]
jfry@J2# set neighbor 192.168.23.3
[edit protocols bgp group ibgp]
jfry@J2# set neighbor 192.168.12.1
[edit protocols bgp group ibgp]
jfry@J2# up
[edit protocols bgp]
jfry@J2# set export Connected
[edit protocols bgp]
jfry@J2# commit and-quit
commit complete
Exiting configuration mode
jfry@J2>
Ok, onto J3:
jfry@J3> edit
Entering configuration mode
[edit]
jfry@J3# set policy-options policy-statement Connected term 1 from protocol direct
[edit]
jfry@J3# set policy-options policy-statement Connected term 1 then accept
[edit]
jfry@J3# set routing-options autonomous-system 123
[edit]
jfry@J3# edit protocols bgp group ibgp
[edit protocols bgp group ibgp]
jfry@J3# set type internal
[edit protocols bgp group ibgp]
jfry@J3# set neighbor 192.168.23.2
[edit protocols bgp group ibgp]
jfry@J3# set neighbor 192.168.13.1
[edit protocols bgp group ibgp]
jfry@J3# up
[edit protocols bgp]
jfry@J3# set export Connected
[edit protocols bgp]
jfry@J3# commit and-quit
Now for J1:
jfry@J1> edit
Entering configuration mode
[edit]
jfry@J1# set policy-options policy-statement Connected term 1 from protocol direct
[edit]
jfry@J1# set policy-options policy-statement Connected term 1 then accept
[edit]
jfry@J1# set routing-options autonomous-system 123
[edit]
jfry@J1# edit protocols bgp group ibgp
[edit protocols bgp group ibgp]
jfry@J1# set type internal
[edit protocols bgp group ibgp]
jfry@J1# set neighbor 192.168.12.2
[edit protocols bgp group ibgp]
jfry@J1# set neighbor 192.168.13.3
[edit protocols bgp group ibgp]
jfry@J1# up
[edit protocols bgp]
jfry@J1# set export Connected
[edit protocols bgp]
jfry@J1# edit group ebgp
[edit protocols bgp group ebgp]
jfry@J1# set type external
[edit protocols bgp group ebgp]
jfry@J1# set neighbor 192.168.14.4 peer-as 4
[edit protocols bgp group ebgp]
jfry@J1# up
[edit protocols bgp]
jfry@J1# commit and-quit
Ok, now that this is complete, we should have a full routing table on R4 and J3:
R4:
R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
B 192.168.12.0/24 [20/0] via 192.168.14.1, 00:02:12
1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [20/0] via 192.168.14.1, 00:02:12
B 192.168.13.0/24 [20/0] via 192.168.14.1, 00:02:12
2.0.0.0/32 is subnetted, 1 subnets
B 2.2.2.2 [20/0] via 192.168.14.1, 00:02:12
C 192.168.14.0/24 is directly connected, Ethernet0
3.0.0.0/32 is subnetted, 1 subnets
B 3.3.3.3 [20/0] via 192.168.14.1, 00:02:12
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
B 192.168.23.0/24 [20/0] via 192.168.14.1, 00:02:12
44.0.0.0/32 is subnetted, 1 subnets
C 44.44.44.44 is directly connected, Loopback1
R4#
J3:
jfry@J3> show route
inet.0: 11 destinations, 14 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[BGP/170] 00:02:46, localpref 100
AS path: I
> to 192.168.13.1 via fe-0/0/2.0
2.2.2.2/32 *[BGP/170] 00:05:45, localpref 100
AS path: I
> to 192.168.23.2 via fe-0/0/1.0
3.3.3.3/32 *[Direct/0] 00:24:18
> via lo0.0
4.4.4.4/32 *[BGP/170] 00:02:42, MED 0, localpref 100
AS path: 4 I
> to 192.168.13.1 via fe-0/0/2.0
44.44.44.44/32 *[BGP/170] 00:02:42, MED 0, localpref 100
AS path: 4 I
> to 192.168.13.1 via fe-0/0/2.0
192.168.12.0/24 *[BGP/170] 00:02:46, localpref 100
AS path: I
> to 192.168.13.1 via fe-0/0/2.0
[BGP/170] 00:05:45, localpref 100
AS path: I
> to 192.168.23.2 via fe-0/0/1.0
192.168.13.0/24 *[Direct/0] 00:24:18
> via fe-0/0/2.0
[BGP/170] 00:02:46, localpref 100
AS path: I
> to 192.168.13.1 via fe-0/0/2.0
192.168.13.3/32 *[Local/0] 00:24:18
Local via fe-0/0/2.0
192.168.14.0/24 *[BGP/170] 00:02:46, localpref 100
AS path: I
> to 192.168.13.1 via fe-0/0/2.0
192.168.23.0/24 *[Direct/0] 00:06:20
> via fe-0/0/1.0
[BGP/170] 00:05:45, localpref 100
AS path: I
> to 192.168.23.2 via fe-0/0/1.0
192.168.23.3/32 *[Local/0] 00:06:20
Local via fe-0/0/1.0
jfry@J3>
Good, now to test a PING from J3 to R4 Loopback1:
jfry@J3> ping 44.44.44.44 source 3.3.3.3 rapid
PING 44.44.44.44 (44.44.44.44): 56 data bytes
!!!!!
--- 44.44.44.44 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.201/3.352/3.735/0.194 ms
jfry@J3>
Good.
Now time to do some filtering. First up, we will filter R4 Loop1 (44.44.44.44/32) inbound on J1:
jfry@J1> edit
Entering configuration mode
First we will create a prefix-list matching 44.44.44.44/32:
[edit]
jfry@J1# set policy-options prefix-list R4ASN 44.44.44.44/32
Now we will create our policy statement to Reject the 44.44.44.44/32:
[edit]
jfry@J1# set policy-options policy-statement FromR4 term 1 from prefix-list R4ASN
[edit]
jfry@J1# set policy-options policy-statement FromR4 term 1 then reject
Then we will set our next statement to permit everything else:
[edit]
jfry@J1# set policy-options policy-statement FromR4 term 2 then accept
And finally we will edit our group/neighbor:
[edit]
jfry@J1# edit protocols bgp group ebgp
[edit protocols bgp group ebgp]
jfry@J1# edit neighbor 192.168.14.4
And set our import rule:
[edit protocols bgp group ebgp neighbor 192.168.14.4]
jfry@J1# set import FromR4
[edit protocols bgp group ebgp neighbor 192.168.14.4]
jfry@J1# commit and-quit
Ok, now back to J3 to see what the routing table looks like:
jfry@J3> show route
inet.0: 10 destinations, 13 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[BGP/170] 00:07:12, localpref 100
AS path: I
> to 192.168.13.1 via fe-0/0/2.0
2.2.2.2/32 *[BGP/170] 00:10:11, localpref 100
AS path: I
> to 192.168.23.2 via fe-0/0/1.0
3.3.3.3/32 *[Direct/0] 00:28:44
> via lo0.0
4.4.4.4/32 *[BGP/170] 00:07:08, MED 0, localpref 100
AS path: 4 I
> to 192.168.13.1 via fe-0/0/2.0
192.168.12.0/24 *[BGP/170] 00:07:12, localpref 100
AS path: I
> to 192.168.13.1 via fe-0/0/2.0
[BGP/170] 00:10:11, localpref 100
AS path: I
> to 192.168.23.2 via fe-0/0/1.0
192.168.13.0/24 *[Direct/0] 00:28:44
> via fe-0/0/2.0
[BGP/170] 00:07:12, localpref 100
AS path: I
> to 192.168.13.1 via fe-0/0/2.0
192.168.13.3/32 *[Local/0] 00:28:44
Local via fe-0/0/2.0
192.168.14.0/24 *[BGP/170] 00:07:12, localpref 100
AS path: I
> to 192.168.13.1 via fe-0/0/2.0
192.168.23.0/24 *[Direct/0] 00:10:46
> via fe-0/0/1.0
[BGP/170] 00:10:11, localpref 100
AS path: I
> to 192.168.23.2 via fe-0/0/1.0
192.168.23.3/32 *[Local/0] 00:10:46
Local via fe-0/0/1.0
jfry@J3>
There you go, the 44.44.44.44/32 route is now filtered from being accepted.
Now time to filter routes to R4:
jfry@J1> edit
Entering configuration mode
First up, create our prefix-lists to match J1, J2, and J3 loopbacks:
[edit]
jfry@J1# set policy-options prefix-list JLoopbacks 1.1.1.1/32
[edit]
jfry@J1# set policy-options prefix-list JLoopbacks 2.2.2.2/32
[edit]
jfry@J1# set policy-options prefix-list JLoopbacks 3.3.3.3/32
Now to create our policy statement to reject JLoopbacks and then permit everything else:
[edit]
jfry@J1# set policy-options policy-statement ToR4 term 1 from prefix-list JLoopbacks
[edit]
jfry@J1# set policy-options policy-statement ToR4 term 1 then reject
[edit]
jfry@J1# set policy-options policy-statement ToR4 term 2 then accept
Then, in one command, we will apply the export policy:
[edit]
jfry@J1# set protocols bgp group ebgp neighbor 192.168.14.4 export ToR4
[edit]
jfry@J1# commit and-quit
Now back to look at the R4 routing table:
R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
B 192.168.12.0/24 [20/0] via 192.168.14.1, 00:07:04
B 192.168.13.0/24 [20/0] via 192.168.14.1, 00:07:04
C 192.168.14.0/24 is directly connected, Ethernet0
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
B 192.168.23.0/24 [20/0] via 192.168.14.1, 00:07:04
44.0.0.0/32 is subnetted, 1 subnets
C 44.44.44.44 is directly connected, Loopback1
R4#
There you go, routes filtered to R4!
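The two filters above (import FromR4 and export ToR4) rely on first-match term evaluation and on `from prefix-list` being an exact match. The following Python model is an added example, not part of the original lab or Junos itself; it replays both policies over the lab's routes, and the `FromR4Reordered` policy and the 44.44.44.0/24 test route are hypothetical, constructed to show the two ways such a filter silently stops filtering.

```python
import ipaddress

# Prefix-lists and policies as configured on J1 in this lab.
PREFIX_LISTS = {
    "R4ASN": ["44.44.44.44/32"],
    "JLoopbacks": ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"],
}
# Each term is (prefix-list name, action); None means the term has no
# "from" clause and therefore matches every route.
POLICIES = {
    "FromR4": [("R4ASN", "reject"), (None, "accept")],
    "ToR4": [("JLoopbacks", "reject"), (None, "accept")],
    # Hypothetical mis-ordering, not from the lab: catch-all term first.
    "FromR4Reordered": [(None, "accept"), ("R4ASN", "reject")],
}

def in_prefix_list(route, name):
    """'from prefix-list' matches exactly: same network and same length."""
    net = ipaddress.ip_network(route)
    return any(net == ipaddress.ip_network(p) for p in PREFIX_LISTS[name])

def evaluate(policy, route, default="accept"):
    """Return the action of the first matching term, else the default.
    The default is a modelling assumption; both lab policies end in a
    catch-all term, so it is never reached for them."""
    for plist, action in POLICIES[policy]:
        if plist is None or in_prefix_list(route, plist):
            return action
    return default

def apply_policy(policy, routes):
    """Keep only the routes the policy accepts, preserving order."""
    return [r for r in routes if evaluate(policy, r) == "accept"]

# Routes R4 announces with its two 'network' statements.
FROM_R4 = ["4.4.4.4/32", "44.44.44.44/32"]
# BGP routes R4 held before the export filter (first 'sh ip route').
TO_R4 = ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32",
         "192.168.12.0/24", "192.168.13.0/24", "192.168.23.0/24"]

if __name__ == "__main__":
    print("import FromR4:", apply_policy("FromR4", FROM_R4))
    print("export ToR4:", apply_policy("ToR4", TO_R4))
    # Constructed test route: a different mask is not an exact match.
    print("44.44.44.0/24:", evaluate("FromR4", "44.44.44.0/24"))
    # With the catch-all first, the reject term is never evaluated.
    print("reordered:", evaluate("FromR4Reordered", "44.44.44.44/32"))
```

If the intent is to block a whole range rather than a single host route, Junos provides `prefix-list-filter` with `orlonger`, or a `route-filter`, for that purpose.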
Mike Courtney said:
I’ve been loving these posts! Are you currently going for a Juniper cert?
fryadmin said:
I have some Juniper certs – JNCIS-SEC, JNCIS-SP, and JNCIP-ENT. I am planning on going for the JNCIE-ENT soon. Thank you!