
JUNOS router as BGP Route Server - Part 2

Blog by Taras Matselyukh – CTO and Principal Consultant at Opt/Net Consulting B.V.
Hashtags: #BGPRouteServerJUNOS

Part 2 - Route manipulation and filtering

In today’s blog we will show how to exercise control at our pseudo-route server over the incoming and outgoing routing updates.

For the purpose of this exercise, we sourced a default route into our test network from one of the participating peers. Obviously, this is an erroneous scenario. We now see the route propagated by our pseudo route server to the other peers.

C1#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.3.1 to network 0.0.0.0

     20.0.0.0/30 is subnetted, 1 subnets
C       20.0.1.0 is directly connected, Serial1
     10.0.0.0/32 is subnetted, 3 subnets
B       10.2.2.2 [20/0] via 20.0.1.2, 00:06:29
B       10.0.0.1 [20/0] via 192.168.3.201, 00:06:29
C       10.1.1.1 is directly connected, Loopback0
     192.168.255.0/32 is subnetted, 1 subnets
B       192.168.255.1 [20/0] via 192.168.3.1, 00:04:2
B    192.168.0.0/24 [20/0] via 192.168.3.1, 00:04:24
B    192.168.1.0/24 [20/0] via 192.168.3.1, 00:04:24
B    192.168.2.0/24 [20/0] via 192.168.3.1, 00:04:24
C    192.168.3.0/24 is directly connected, Ethernet0
B*   0.0.0.0/0 [20/0] via 192.168.3.1, 00:00:01

Banning routes from routing tables (invasion of Martians)

Junos has a very useful concept called “Martian addresses”. These are routes that simply should not be in the routing tables, either because they are bogus or because they are undesirable. Declaring routes as ‘outlaws’ is a very convenient way of banning certain routes from the routing tables, and hence from BGP routing updates (because BGP only sends updates about prefixes that are present and active in the routing table).

There is a default set of “Martian addresses” in each JUNOS router, arranged per routing table, even without any specific configuration.

taras@J> show route martians 

inet.0:
             0.0.0.0/0 exact -- allowed
             0.0.0.0/8 orlonger -- disallowed
             127.0.0.0/8 orlonger -- disallowed
             128.0.0.0/16 orlonger -- disallowed
             191.255.0.0/16 orlonger -- disallowed
             192.0.0.0/24 orlonger -- disallowed
             223.255.255.0/24 orlonger -- disallowed
             240.0.0.0/4 orlonger -- disallowed

inet.1:
             0.0.0.0/0 exact -- allowed
             0.0.0.0/8 orlonger -- disallowed
             127.0.0.0/8 orlonger -- disallowed
             128.0.0.0/16 orlonger -- disallowed
             191.255.0.0/16 orlonger -- disallowed
             192.0.0.0/24 orlonger -- disallowed
             223.255.255.0/24 orlonger -- disallowed
             240.0.0.0/4 orlonger -- disallowed

inet.2:
             0.0.0.0/0 exact -- allowed
             0.0.0.0/8 orlonger -- disallowed
             127.0.0.0/8 orlonger -- disallowed
             128.0.0.0/16 orlonger -- disallowed
             191.255.0.0/16 orlonger -- disallowed
             192.0.0.0/24 orlonger -- disallowed
             223.255.255.0/24 orlonger -- disallowed
             240.0.0.0/4 orlonger -- disallowed

inet.3:
             0.0.0.0/0 exact -- allowed
             0.0.0.0/8 orlonger -- disallowed
             127.0.0.0/8 orlonger -- disallowed
             128.0.0.0/16 orlonger -- disallowed
             191.255.0.0/16 orlonger -- disallowed
             192.0.0.0/24 orlonger -- disallowed
             223.255.255.0/24 orlonger -- disallowed
             240.0.0.0/4 orlonger -- disallowed

__juniper_private1__.inet.0:
             0.0.0.0/0 exact -- allowed
             0.0.0.0/8 orlonger -- disallowed
             127.0.0.0/8 orlonger -- disallowed
             128.0.0.0/16 orlonger -- disallowed
             191.255.0.0/16 orlonger -- disallowed
             192.0.0.0/24 orlonger -- disallowed
             223.255.255.0/24 orlonger -- disallowed
             240.0.0.0/4 orlonger -- disallowed

__juniper_private2__.inet.0:
             0.0.0.0/0 exact -- allowed
             0.0.0.0/8 orlonger -- disallowed
             127.0.0.0/8 orlonger -- disallowed
             128.0.0.0/16 orlonger -- disallowed
             191.255.0.0/16 orlonger -- disallowed
             192.0.0.0/24 orlonger -- disallowed
             223.255.255.0/24 orlonger -- disallowed
             240.0.0.0/4 orlonger -- disallowed

inet6.0:
             ::1/128 exact -- disallowed

inet6.1:
             ::1/128 exact -- disallowed

inet6.2:
             ::1/128 exact -- disallowed

inet6.3:
             ::1/128 exact -- disallowed

__juniper_private1__.inet6.0:
             ::1/128 exact -- disallowed

__juniper_private2__.inet6.0:
             ::1/128 exact -- disallowed

This list may be modified. Let’s add the default route 0.0.0.0/0, which the default list explicitly allows, to the list of “Martian addresses”.

taras@J# show routing-options | display set 

set routing-options martians 0.0.0.0/0 exact
set routing-options autonomous-system 200
taras@J# run show route terse 

inet.0: 11 destinations, 14 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* 0.0.0.0/0          B 170        100            >192.168.3.1     300 I
* 10.0.0.1/32        B 170        100            >192.168.3.201   400 I
* 10.1.1.1/32        B 170        100          0 >192.168.3.202   100 ?
* 10.2.2.2/32        B 170        100            >192.168.3.202   100 500 ?
* 20.0.1.0/30        B 170        100          0 >192.168.3.202   100 ?
* 192.168.0.0/24     B 170        100            >192.168.3.1     300 I
* 192.168.1.0/24     B 170        100            >192.168.3.1     300 I
* 192.168.2.0/24     B 170        100            >192.168.3.1     300 I
* 192.168.3.0/24     D   0                       >fe-0/0/0.0   
                     B 170        100            >192.168.3.201   400 I
                     B 170        100            >192.168.3.1     300 I
                     B 170        100          0 >192.168.3.202   100 ?
* 192.168.3.200/32   L   0                        Local
* 192.168.255.1/32   B 170        100            >192.168.3.1     300 I

__juniper_private1__.inet.0: 4 destinations, 4 routes (2 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* 10.0.0.1/32        D   0                       >lo0.16385    
* 10.0.0.16/32       D   0                       >lo0.16385    

[edit]

taras@J# commit 

commit complete

[edit]

taras@J# run show route terse    

inet.0: 11 destinations, 14 routes (10 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* 10.0.0.1/32        B 170        100            >192.168.3.201   400 I
* 10.1.1.1/32        B 170        100          0 >192.168.3.202   100 ?
* 10.2.2.2/32        B 170        100            >192.168.3.202   100 500 ?
* 20.0.1.0/30        B 170        100          0 >192.168.3.202   100 ?
* 192.168.0.0/24     B 170        100            >192.168.3.1     300 I
* 192.168.1.0/24     B 170        100            >192.168.3.1     300 I
* 192.168.2.0/24     B 170        100            >192.168.3.1     300 I
* 192.168.3.0/24     D   0                       >fe-0/0/0.0   
                     B 170        100            >192.168.3.201   400 I
                     B 170        100            >192.168.3.1     300 I
                     B 170        100          0 >192.168.3.202   100 ?
* 192.168.3.200/32   L   0                        Local
* 192.168.255.1/32   B 170        100            >192.168.3.1     300 I

__juniper_private1__.inet.0: 4 destinations, 4 routes (2 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* 10.0.0.1/32        D   0                       >lo0.16385    
* 10.0.0.16/32       D   0                       >lo0.16385    

--------------- Cisco client -------------
C1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/30 is subnetted, 1 subnets
C       20.0.1.0 is directly connected, Serial1
     10.0.0.0/32 is subnetted, 3 subnets
B       10.2.2.2 [20/0] via 20.0.1.2, 00:25:58
B       10.0.0.1 [20/0] via 192.168.3.201, 00:25:58
C       10.1.1.1 is directly connected, Loopback
     192.168.255.0/32 is subnetted, 1 subnets
B       192.168.255.1 [20/0] via 192.168.3.1, 00:23:53
B    192.168.0.0/24 [20/0] via 192.168.3.1, 00:23:53
B    192.168.1.0/24 [20/0] via 192.168.3.1, 00:23:53
B    192.168.2.0/24 [20/0] via 192.168.3.1, 00:23:53
C    192.168.3.0/24 is directly connected, Ethernet0
C1#
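
A small model of the martian lookup used above, added here as an illustration (it is not code from the original post or from Juniper). It assumes that the longest matching entry decides, handles only the `exact` and `orlonger` match types that appear in the output, and uses the hypothetical helper names `parse_martians`, `add_martian` and `is_martian`.

```python
import ipaddress

# inet.0 defaults, copied from the `show route martians` output on this page.
DEFAULT_MARTIANS = """\
0.0.0.0/0 exact -- allowed
0.0.0.0/8 orlonger -- disallowed
127.0.0.0/8 orlonger -- disallowed
128.0.0.0/16 orlonger -- disallowed
191.255.0.0/16 orlonger -- disallowed
192.0.0.0/24 orlonger -- disallowed
223.255.255.0/24 orlonger -- disallowed
240.0.0.0/4 orlonger -- disallowed
"""

def parse_martians(text):
    """Map (network, match_type) -> allowed flag for each table line."""
    table = {}
    for line in text.splitlines():
        if "--" not in line:
            continue
        spec, verdict = (part.strip() for part in line.split("--", 1))
        prefix, match_type = spec.split()
        table[(ipaddress.ip_network(prefix), match_type)] = verdict == "allowed"
    return table

def add_martian(table, prefix, match_type):
    """Model `set routing-options martians <prefix> <match_type>` (disallow)."""
    updated = dict(table)
    updated[(ipaddress.ip_network(prefix), match_type)] = False
    return updated

def entry_matches(net, match_type, route):
    if match_type == "exact":
        return route == net
    if match_type == "orlonger":
        return route.subnet_of(net)
    raise ValueError(f"match type not modelled: {match_type}")

def is_martian(route, table):
    """Assumption: the longest matching entry decides; no match is not martian."""
    route = ipaddress.ip_network(route)
    hits = [(net.prefixlen, allowed) for (net, mt), allowed in table.items()
            if entry_matches(net, mt, route)]
    if not hits:
        return False
    return not max(hits, key=lambda h: h[0])[1]

if __name__ == "__main__":
    hardened = add_martian(parse_martians(DEFAULT_MARTIANS), "0.0.0.0/0", "exact")
    for r in ["0.0.0.0/0", "192.168.0.0/24", "10.0.0.1/32", "128.0.0.1/32"]:
        print(r, "hidden" if is_martian(r, hardened) else "accepted")
```

In this model, `add_martian(table, "0.0.0.0/0", "orlonger")` would mark the peers' ordinary prefixes such as 192.168.0.0/24 as martian too, so the `exact` match type is what limits the ban to the default route itself.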

Our misbehaving client still advertises the prefix 0/0 to the pseudo route server, but the Martian filter effectively disables the route by marking it as hidden.

taras@S> show route advertising-protocol bgp 192.168.3.200    

inet.0: 21 destinations, 21 routes (21 active, 0 holddown, 0 hidden)

  Prefix  Nexthop       MED     Lclpref    AS pat
* 0.0.0.0/0               Self                                    I
* 192.168.0.0/24          Self                                    I
* 192.168.1.0/24          Self                                    I
* 192.168.2.0/24          Self                                    I
* 192.168.3.0/24          Self                                    I
* 192.168.255.1/32        Self                                    I

taras@J> show route receive-protocol bgp 192.168.3.1

inet.0: 11 destinations, 14 routes (10 active, 0 holddown, 1 hidden)

  Prefix  Nexthop       MED     Lclpref    AS pat
* 192.168.0.0/24          192.168.3.1                             300 I
* 192.168.1.0/24          192.168.3.1                             300 I
* 192.168.2.0/24          192.168.3.1                             300 I
  192.168.3.0/24          192.168.3.1                             300 I
* 192.168.255.1/32        192.168.3.1                             300 I

__juniper_private1__.inet.0: 4 destinations, 4 routes (2 active, 0 holddown, 2 hidden)

taras@J> show route 0/0 detail hidden

inet.0: 11 destinations, 14 routes (10 active, 0 holddown, 1 hidden)

0.0.0.0/0 (1 entry, 0 announced)
         BGP                 /-101
                Next hop type: Router, Next hop index: 521
                Next-hop reference count: 10
                Source: 192.168.3.1
                Next hop: 192.168.3.1 via fe-0/0/0.0, selected
                State: <Hidden Martian Ext>
                Local AS:   200 Peer AS:   300
                Age: 21:24 
                Task: BGP_300.192.168.3.1+56114
                AS path: 300 I
                Localpref: 100
                Router ID: 192.168.255.1

__juniper_private1__.inet.0: 4 destinations, 4 routes (2 active, 0 holddown, 2 hidden)

128.0.0.1/32 (1 entry, 0 announced)
         Direct Preference: 0
                Next hop type: Interface
                Next-hop reference count: 1
                Next hop: via lo0.16385, selected
                State: <Hidden Martian Int>
                Age: 29:40 
                Task: IF
                AS path: I

128.0.1.16/32 (1 entry, 0 announced)
         Direct Preference: 0
                Next hop type: Interface
                Next-hop reference count: 1
                Next hop: via lo0.16385, selected
                State: <Hidden Martian Int>
                Age: 29:40 
                Task: IF
                AS path: I
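
Because the hidden route still records where it came from, the output above can be used to identify the misbehaving peer. The following is an added example, not part of the original post: it parses `show route detail hidden` text and lists martian routes that carry a `Source:` line. The sample is trimmed from the output on this page, and the function names are hypothetical.

```python
import re

# Sample input: trimmed from the `show route 0/0 detail hidden` output above.
SAMPLE = """\
inet.0: 11 destinations, 14 routes (10 active, 0 holddown, 1 hidden)

0.0.0.0/0 (1 entry, 0 announced)
         BGP                 /-101
                Source: 192.168.3.1
                State: <Hidden Martian Ext>
                Local AS:   200 Peer AS:   300
                AS path: 300 I

__juniper_private1__.inet.0: 4 destinations, 4 routes (2 active, 0 holddown, 2 hidden)

128.0.0.1/32 (1 entry, 0 announced)
         Direct Preference: 0
                Next hop: via lo0.16385, selected
                State: <Hidden Martian Int>
                AS path: I
"""

TABLE_RE = re.compile(r"^(\S+): \d+ destinations")
ROUTE_RE = re.compile(r"^(\S+/\d+) \(\d+ entr")
PEER_AS_RE = re.compile(r"Peer AS:\s*(\d+)")

def hidden_martians(text):
    """Return one dict per route whose State line contains 'Martian'."""
    routes, table, cur = [], None, None
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            table, cur = m.group(1), None
        elif m := ROUTE_RE.match(line):
            cur = {"table": table, "prefix": m.group(1),
                   "source": None, "peer_as": None, "state": ""}
            routes.append(cur)
        elif cur is not None:
            field = line.strip()
            if field.startswith("Source:"):
                cur["source"] = field.split(":", 1)[1].strip()
            elif field.startswith("State:"):
                cur["state"] = field.split(":", 1)[1].strip()
            elif m := PEER_AS_RE.search(field):
                cur["peer_as"] = int(m.group(1))
    return [r for r in routes if "Martian" in r["state"]]

def peer_offenders(text):
    """Martian routes learned from a neighbour: (source, peer AS, prefix)."""
    return sorted({(r["source"], r["peer_as"], r["prefix"])
                   for r in hidden_martians(text) if r["source"]})
```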

The ability to exercise control over the route aggregates and summary routes on the route server will be discussed in the next part of this blog.
Stay tuned!

P.S. If you have feedback, questions or suggestions, please discuss them with us on LinkedIn or e-mail us.