eBGP Configuration between two SRX 210

01-27-2017 01:30 PM

Hello all,

I recently acquired a couple of SRX210s to expand my knowledge of routing. I've been trying to set up eBGP between the two, exporting local routes. I configured ge-0/0/1 on both sides as 10.0.0.1/24 and 10.0.0.2/24. Local-as for one is 10 and the other is 20. I created and applied export and import policies. I wonder, is the SRX being a firewall a part of it? Is traffic being blocked? I don't seem to even be getting layer 2:

Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Interface index: 135, SNMP ifIndex: 509
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled,
  Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 78:19:f7:aa:5b:01, Hardware address: 78:19:f7:aa:5b:01
  Last flapped   : 2017-01-27 21:03:45 UTC (00:14:25 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/1.0 (Index 70) (SNMP ifIndex 516) 
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 1 
    Output packets: 78
    Security: Zone: Null
    Protocol inet, MTU: 1500            
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.0.0/24, Local: 10.0.0.2, Broadcast: 10.0.0.255

Here is my config on one router:

## Last changed: 2017-01-27 21:01:54 UTC
version 11.4R5.5;
system {
    host-name SR210Bottom;
    root-authentication {
        encrypted-password "$1$P1EoZ8l8$kDeaHpuxfNAhza8Z.5jsz/"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.2/24;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    router-id 10.0.0.2;
}
protocols {
    bgp {
        group external {
            type external;
            local-address 10.0.0.2;
            import bgp-import-all;
            export bgp-export-all;
            peer-as 10;
            local-as 20;
            neighbor 10.0.0.1;
        }
    }
    stp;
}
policy-options {
    policy-statement bgp-export-all {
        term first {
            from protocol [ bgp local ];
            then accept;
        }
    }
    policy-statement bgp-import-all {
        term first {
            from protocol [ bgp local ];
            then accept;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

Any ideas?

1 REPLY

Re: eBGP Configuration between two SRX 210

01-27-2017 05:25 PM

I'd suggest you look at a sample config.

You didn't put ge-0/0/1.0 into a zone, and that zone will need to have host-inbound-traffic protocols bgp added.

You still have all the default config on there too, which I'd recommend you delete.

If you're new to Junos and want to mess with routing, you may want to consider disabling flow processing altogether to have them act like routers.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30461

Also, you can verify layer 2 with ">show arp"
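
The zone binding described in the reply above, as an added example that is not part of the original thread or of Juniper's sample configs. The zone name `peering` is an assumption, and `ping` is included only as an optional aid while testing reachability; the interface and the `bgp` protocol come from the thread. In flow mode an interface that belongs to no zone (`Security: Zone: Null` in the output above) drops traffic addressed to the device, so the stanza permits only what the peering link needs rather than `all`.

```junos
/* Added example: zone name "peering" is hypothetical. */
security {
    zones {
        security-zone peering {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            /* optional: lets the two peers ping each other while testing */
                            ping;
                        }
                        protocols {
                            /* permit only BGP (TCP/179) to reach the routing engine */
                            bgp;
                        }
                    }
                }
            }
        }
    }
}
```

After the commit, `show interfaces ge-0/0/1.0` should report the zone name in place of `Security: Zone: Null`, and `show security zones` lists the interface under the new zone.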