SRX Services Gateway
SRX Services Gateway

BGP configuration

03.28.10   |  
‎03-28-2010 10:09 PM

Hi Guys,


Can anyone help me to find sample configurations of BGP on SRX 240 using 3 different ISP?


Please... please



SRX Services Gateway

Re: BGP configuration

03.29.10   |  
‎03-29-2010 02:09 PM

There are a couple of good examples from juniper's own documentation regarding this and there is always the cymru secure template (found here usually referred to as "old but useful"). You can find some juniper examples here and here. There are a couple of things you need to consider for your specific setup. Source address is one of those (for ibgp a loopback is good practice, for ebgp it's not) Basically these are the sections you need in there for the very basic function


routing-options {
 autonomous-system <your as>;

protocols {
 bgp {
  group ebgp-transits {
   type external;
   description "Your ISP's";
   export bgp-transit-export;
   neighbor x.x.x.x {
    description "ISP 1";
    peer-as <ISP 1 IP>;
   neighbor x.x.x.y {
    description "ISP 2";
    peer-as <ISP 2 IP>;
   neighbor x.x.x.z {
    description "ISP 3";
    peer-as <ISP 3 IP>;

policy-options {
 policy-statement bgp-transit-export {
  term your_public_subnet {
   from {
    protocol static;
    route-filter <your-public-allocation>/<your-netmask>;
   then {
   term the_rest {
    then reject;



There are however a few other aspects worth considering/exploring before going into production:

 * Bogon-filtering (the cymru template covers this topic although it isn't updated to cover the cymru bogon filtering project, find out about it at their homepage)

 * Protection of the loopback (firewall filters) This might be complex and error prone but rather important, the cymru template has some coverage of this but really it has not much to do with bgp specifically.

 * Internal routing - the redistribution might differ depending on how you do this. iBGP and/or OSPF makes the setup a bit more complex.

SRX Services Gateway

Re: BGP configuration

04.22.10   |  
‎04-22-2010 04:41 AM

Is there anything special you have to add to ensure that keepalives aren't blocked by the firewall?


I'm running IBGP over a GRE tunnel and it continues to flap because my keepalives aren't making it to the other end (or the other end's keepalives aren't being accepted by me, i'm not sure which).