
And now the final post before the whole workbook is posted: Route Filtering.
 


OK, let's discuss Route Filtering in this lab. To keep it simple, we will use eBGP for the routing protocol.  For this lab we will need to create another loopback on R4 for 44.44.44.44/32.

The lab has 3 parts:

Part 1: Full reachability

Part 2: Filter 44.44.44.44/32 in on J1

Part 3: Filter 1.1.1.1/32, 2.2.2.2/32, and 3.3.3.3/32 to R4

The first step is yours: reset all configs to the rollback/base configurations.

OK, let's get started!

 

On R4 we will need to create Loopback1 and configure BGP to peer with J1:

R4# config t

R4(config)#int lo1

R4(config-if)#ip add 44.44.44.44 255.255.255.255

R4(config-if)# router bgp 4

R4(config-router)#no auto-summary

R4(config-router)#nei 192.168.14.1 remote-as 123

R4(config-router)#net 4.4.4.4 mask 255.255.255.255

R4(config-router)#net 44.44.44.44 mask 255.255.255.255

R4(config-router)#^Z

R4#

 

Ok, we will start with J2, then J3, and finally J1 for the configuration.

 

J2:

 

jfry@J2> edit

Entering configuration mode

 

[edit]

jfry@J2# set policy-options policy-statement Connected term 1 from protocol direct             

 

[edit]

jfry@J2# set policy-options policy-statement Connected term 1 then accept

 

[edit]

jfry@J2# set routing-options autonomous-system 123

 

[edit]

jfry@J2# edit protocols bgp group ibgp

 

[edit protocols bgp group ibgp]

jfry@J2# set type internal

 

[edit protocols bgp group ibgp]

jfry@J2# set neighbor 192.168.23.3 

 

[edit protocols bgp group ibgp]

jfry@J2# set neighbor 192.168.12.1

 

[edit protocols bgp group ibgp]

jfry@J2# up

 

[edit protocols bgp]

jfry@J2# set export Connected

 

 

[edit protocols bgp]

jfry@J2# commit and-quit

commit complete

Exiting configuration mode

 

jfry@J2>

 

Ok, onto J3:

jfry@J3> edit

Entering configuration mode

 

[edit]

jfry@J3# set policy-options policy-statement Connected term 1 from protocol direct               

 

[edit]

jfry@J3# set policy-options policy-statement Connected term 1 then accept

 

[edit]

jfry@J3# set routing-options autonomous-system 123

 

[edit]

jfry@J3# edit protocols bgp group ibgp

 

[edit protocols bgp group ibgp]

jfry@J3# set type internal

 

[edit protocols bgp group ibgp]

jfry@J3# set neighbor 192.168.23.2

 

[edit protocols bgp group ibgp]

jfry@J3# set neighbor 192.168.13.1

 

[edit protocols bgp group ibgp]

jfry@J3# up

 

[edit protocols bgp]

jfry@J3# set export Connected

 

[edit protocols bgp]

jfry@J3# commit and-quit

 

 

 

Now for J1:

 

jfry@J1> edit

Entering configuration mode

 

[edit]

jfry@J1# set policy-options policy-statement Connected term 1 from protocol direct               

 

[edit]

jfry@J1# set policy-options policy-statement Connected term 1 then accept

 

[edit]

jfry@J1# set routing-options autonomous-system 123

 

[edit]

jfry@J1# edit protocols bgp group ibgp

 

[edit protocols bgp group ibgp]

jfry@J1# set type internal

 

[edit protocols bgp group ibgp]

jfry@J1# set neighbor 192.168.12.2

 

[edit protocols bgp group ibgp]

jfry@J1# set neighbor 192.168.13.3

 

[edit protocols bgp group ibgp]

jfry@J1# up

 

[edit protocols bgp]

jfry@J1# set export Connected

 

[edit protocols bgp]

jfry@J1# edit group ebgp

 

[edit protocols bgp group ebgp]

jfry@J1# set type external

 

[edit protocols bgp group ebgp]

jfry@J1# set neighbor 192.168.14.4 peer-as 4

 

[edit protocols bgp group ebgp]

jfry@J1# up        

 

[edit protocols bgp]

jfry@J1# commit and-quit

OK, now that this is complete, we should have a full routing table on R4 and J3:

R4:

R4#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

 

Gateway of last resort is not set

 

B    192.168.12.0/24 [20/0] via 192.168.14.1, 00:02:12

     1.0.0.0/32 is subnetted, 1 subnets

B       1.1.1.1 [20/0] via 192.168.14.1, 00:02:12

B    192.168.13.0/24 [20/0] via 192.168.14.1, 00:02:12

     2.0.0.0/32 is subnetted, 1 subnets

B       2.2.2.2 [20/0] via 192.168.14.1, 00:02:12

C    192.168.14.0/24 is directly connected, Ethernet0

     3.0.0.0/32 is subnetted, 1 subnets

B       3.3.3.3 [20/0] via 192.168.14.1, 00:02:12

     4.0.0.0/32 is subnetted, 1 subnets

C       4.4.4.4 is directly connected, Loopback0

B    192.168.23.0/24 [20/0] via 192.168.14.1, 00:02:12

     44.0.0.0/32 is subnetted, 1 subnets

C       44.44.44.44 is directly connected, Loopback1

R4#

 

J3:

jfry@J3> show route

 

inet.0: 11 destinations, 14 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

 

1.1.1.1/32         *[BGP/170] 00:02:46, localpref 100

                      AS path: I

                    > to 192.168.13.1 via fe-0/0/2.0

2.2.2.2/32         *[BGP/170] 00:05:45, localpref 100

                      AS path: I

                    > to 192.168.23.2 via fe-0/0/1.0

3.3.3.3/32         *[Direct/0] 00:24:18

                    > via lo0.0

4.4.4.4/32         *[BGP/170] 00:02:42, MED 0, localpref 100

                      AS path: 4 I

                    > to 192.168.13.1 via fe-0/0/2.0

44.44.44.44/32     *[BGP/170] 00:02:42, MED 0, localpref 100

                      AS path: 4 I

                    > to 192.168.13.1 via fe-0/0/2.0

192.168.12.0/24    *[BGP/170] 00:02:46, localpref 100

                      AS path: I

                    > to 192.168.13.1 via fe-0/0/2.0

                    [BGP/170] 00:05:45, localpref 100

                      AS path: I

                    > to 192.168.23.2 via fe-0/0/1.0

192.168.13.0/24    *[Direct/0] 00:24:18

                    > via fe-0/0/2.0

                    [BGP/170] 00:02:46, localpref 100

                      AS path: I

                    > to 192.168.13.1 via fe-0/0/2.0

192.168.13.3/32    *[Local/0] 00:24:18

                      Local via fe-0/0/2.0

192.168.14.0/24    *[BGP/170] 00:02:46, localpref 100

                      AS path: I

                    > to 192.168.13.1 via fe-0/0/2.0

192.168.23.0/24    *[Direct/0] 00:06:20

                    > via fe-0/0/1.0

                    [BGP/170] 00:05:45, localpref 100

                      AS path: I

                    > to 192.168.23.2 via fe-0/0/1.0

192.168.23.3/32    *[Local/0] 00:06:20

                      Local via fe-0/0/1.0

                                       

jfry@J3>

 

Good, now to test a PING from J3 to R4 Loopback1:

jfry@J3> ping 44.44.44.44 source 3.3.3.3 rapid

PING 44.44.44.44 (44.44.44.44): 56 data bytes

!!!!!

--- 44.44.44.44 ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max/stddev = 3.201/3.352/3.735/0.194 ms

 

jfry@J3>

 

Good. 

 

 

Now it is time to do some filtering.  First up, we will filter R4 Loopback1 (44.44.44.44/32) inbound on J1:

 

jfry@J1> edit 

Entering configuration mode

 

First we will create a prefix-list matching 44.44.44.44/32:

[edit]

jfry@J1# set policy-options prefix-list R4ASN 44.44.44.44/32

 

Now we will create our policy statement to reject 44.44.44.44/32:

[edit]

jfry@J1# set policy-options policy-statement FromR4 term 1 from prefix-list R4ASN              

 

[edit]

jfry@J1# set policy-options policy-statement FromR4 term 1 then reject

 

Then we will add a second term to accept everything else:

[edit]

jfry@J1# set policy-options policy-statement FromR4 term 2 then accept

 

And finally we will edit our group/neighbor:

[edit]

jfry@J1# edit protocols bgp group ebgp

 

[edit protocols bgp group ebgp]

jfry@J1# edit neighbor 192.168.14.4

 

And set our import rule:

[edit protocols bgp group ebgp neighbor 192.168.14.4]

jfry@J1# set import FromR4  

 

[edit protocols bgp group ebgp neighbor 192.168.14.4]

jfry@J1# commit and-quit

 

Ok, now back to J3 to see what the routing table looks like:

jfry@J3> show route

 

inet.0: 10 destinations, 13 routes (10 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

 

1.1.1.1/32         *[BGP/170] 00:07:12, localpref 100

                      AS path: I

                    > to 192.168.13.1 via fe-0/0/2.0

2.2.2.2/32         *[BGP/170] 00:10:11, localpref 100

                      AS path: I

                    > to 192.168.23.2 via fe-0/0/1.0

3.3.3.3/32         *[Direct/0] 00:28:44

                    > via lo0.0

4.4.4.4/32         *[BGP/170] 00:07:08, MED 0, localpref 100

                      AS path: 4 I

                    > to 192.168.13.1 via fe-0/0/2.0

192.168.12.0/24    *[BGP/170] 00:07:12, localpref 100

                      AS path: I

                    > to 192.168.13.1 via fe-0/0/2.0

                    [BGP/170] 00:10:11, localpref 100

                      AS path: I

                    > to 192.168.23.2 via fe-0/0/1.0

192.168.13.0/24    *[Direct/0] 00:28:44

                    > via fe-0/0/2.0

                    [BGP/170] 00:07:12, localpref 100

                      AS path: I

                    > to 192.168.13.1 via fe-0/0/2.0

192.168.13.3/32    *[Local/0] 00:28:44

                      Local via fe-0/0/2.0

192.168.14.0/24    *[BGP/170] 00:07:12, localpref 100

                      AS path: I

                    > to 192.168.13.1 via fe-0/0/2.0

192.168.23.0/24    *[Direct/0] 00:10:46

                    > via fe-0/0/1.0

                    [BGP/170] 00:10:11, localpref 100

                      AS path: I

                    > to 192.168.23.2 via fe-0/0/1.0

192.168.23.3/32    *[Local/0] 00:10:46

                      Local via fe-0/0/1.0

                                        

jfry@J3>

 

There you go, the 44.44.44.44/32 route is now filtered from being accepted.

 

Now it is time to filter routes to R4:

jfry@J1> edit

Entering configuration mode

 

First up, create our prefix-list to match the J1, J2, and J3 loopbacks:

[edit]

jfry@J1# set policy-options prefix-list JLoopbacks 1.1.1.1/32

 

[edit]

jfry@J1# set policy-options prefix-list JLoopbacks 2.2.2.2/32   

 

[edit]

jfry@J1# set policy-options prefix-list JLoopbacks 3.3.3.3/32   

 

 

 

Now to create our policy statement to reject JLoopbacks and then accept everything else:

[edit]

jfry@J1# set policy-options policy-statement ToR4 term 1 from prefix-list JLoopbacks           

 

[edit]

jfry@J1# set policy-options policy-statement ToR4 term 1 then reject

 

[edit]

jfry@J1# set policy-options policy-statement ToR4 term 2 then accept

 

 

Then, in one command, we will apply the export policy:

[edit]

jfry@J1# set protocols bgp group ebgp neighbor 192.168.14.4 export ToR4

 

[edit]

jfry@J1# commit and-quit

 

 

Now back to R4 to look at its routing table:

R4#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

 

Gateway of last resort is not set

 

B    192.168.12.0/24 [20/0] via 192.168.14.1, 00:07:04

B    192.168.13.0/24 [20/0] via 192.168.14.1, 00:07:04

C    192.168.14.0/24 is directly connected, Ethernet0

     4.0.0.0/32 is subnetted, 1 subnets

C       4.4.4.4 is directly connected, Loopback0

B    192.168.23.0/24 [20/0] via 192.168.14.1, 00:07:04

     44.0.0.0/32 is subnetted, 1 subnets

C       44.44.44.44 is directly connected, Loopback1

R4#

 

There you go, the routes are filtered to R4!
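
The term-by-term evaluation behind both filters (import FromR4 and export ToR4) can be modelled offline. The Python below is an added example, not part of the original lab: it transcribes the two prefix-lists and policies from the set commands above, and the names `evaluate`, `filter_routes` and the constructed route 44.44.44.0/24 are assumptions for illustration. It also shows a caveat worth knowing before relying on such a filter: a `from prefix-list` match is exact, so a covering or otherwise different-length prefix falls through to the accept term.

```python
import ipaddress

# Transcribed from the lab's "set policy-options" commands on J1.
PREFIX_LISTS = {
    "R4ASN": ["44.44.44.44/32"],
    "JLoopbacks": ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"],
}
# Ordered terms: (prefix-list name, or None when the term has no "from"; action).
POLICIES = {
    "FromR4": [("R4ASN", "reject"), (None, "accept")],
    "ToR4": [("JLoopbacks", "reject"), (None, "accept")],
}

def evaluate(policy, route):
    """Return the action of the first term that matches the route."""
    net = ipaddress.ip_network(route)
    for plist, action in POLICIES[policy]:
        # "from prefix-list" matches exact prefix and length only;
        # a term with no "from" matches every route.
        if plist is None or any(
            net == ipaddress.ip_network(p) for p in PREFIX_LISTS[plist]
        ):
            return action
    return "default"  # no term matched: the protocol's default policy decides

def filter_routes(policy, routes):
    """Keep the routes the policy does not reject."""
    return [r for r in routes if evaluate(policy, r) != "reject"]

# Routes R4 announces to J1 (its two "network" statements).
FROM_R4 = ["4.4.4.4/32", "44.44.44.44/32"]
# BGP routes R4 learned from J1 in Part 1 (the B entries in its first table).
TO_R4 = ["192.168.12.0/24", "1.1.1.1/32", "192.168.13.0/24",
         "2.2.2.2/32", "3.3.3.3/32", "192.168.23.0/24"]
# Constructed route, not in the lab: a covering /24 for the filtered loopback.
COVERING = "44.44.44.0/24"

if __name__ == "__main__":
    print("import FromR4 keeps:", filter_routes("FromR4", FROM_R4))
    print("export ToR4 keeps:  ", filter_routes("ToR4", TO_R4))
    print(COVERING, "under FromR4 ->", evaluate("FromR4", COVERING))
```

On the routers themselves, `show route receive-protocol bgp 192.168.14.4` and `show route advertising-protocol bgp 192.168.14.4` on J1 are the standard Junos commands for checking what is received from and advertised to R4.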