AS-path filtering

Monday, June 22nd, 2009

Cisco way:

ip as-path access-list 1 deny _1234$
ip as-path access-list 1 deny _5678$
ip as-path access-list 1 permit .*

router bgp 100
neighbor 192.168.0.1 remote-as 200
neighbor 192.168.0.1 description ebgp-test
neighbor 192.168.0.1 filter-list 1 in
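
The first-match behaviour of access-list 1 above, modeled offline in Python as an added example (not code from the original post), so the filter can be checked against sample AS paths before it is applied to a session. The translation of Cisco's `_` metacharacter, the sample prefixes and the sample AS paths are constructed for illustration.

```python
import re

# Cisco "_" matches a delimiter (space, comma, braces, parentheses) or the
# start/end of the AS-path string; translated here to a Python regex group.
UNDERSCORE = r"(?:^|$|[ ,{}()])"

# The access-list from the post, as (action, Cisco regex) in configured order.
ACL_1 = [("deny", "_1234$"), ("deny", "_5678$"), ("permit", ".*")]


def compile_cisco(pattern):
    """Translate a Cisco AS-path regex into a compiled Python regex."""
    return re.compile(pattern.replace("_", UNDERSCORE))


def evaluate(acl, as_path):
    """Return the action of the first matching entry; no match is an implicit deny."""
    for action, pattern in acl:
        if compile_cisco(pattern).search(as_path):
            return action
    return "deny"


def filter_routes(acl, routes):
    """Keep only the (prefix, as_path) pairs that the list permits."""
    return [(p, path) for p, path in routes if evaluate(acl, path) == "permit"]


# Constructed sample updates as received by AS 100 (documentation prefixes).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "200 1234"),         # originated by AS 1234: denied
    ("198.51.100.0/24", "200 300 5678"),  # originated by AS 5678: denied
    ("203.0.113.0/24", "200 1234 300"),   # AS 1234 is transit, not origin: permitted
    ("192.0.2.128/25", "200 11234"),      # AS 11234 merely ends in "1234": permitted
    ("198.51.100.128/25", "200"),         # originated by the neighbor: permitted
]

if __name__ == "__main__":
    for prefix, path in SAMPLE_ROUTES:
        print(f"{prefix:20} {path:15} {evaluate(ACL_1, path)}")
```

Dropping the final `permit .*` entry makes every path fall through to the implicit deny, which `evaluate` reproduces.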

Juniper way:

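protocols {
    bgp {
        group ebgp-test {
            type external;
            /* import policy name must match the policy-statement below */
            import test-in;
            peer-as 200;
            neighbor 192.168.0.1;
        }
    }
}
policy-options {
    policy-statement test-in {
        /* reject routes matching either as-path; all others fall through to the default BGP import policy (accept) */
        from as-path [ a b ];
        then reject;
    }
    /* any path whose last (origin) AS is 1234 or 5678 */
    as-path a ".* 1234";
    as-path b ".* 5678";
}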

IP GRE tunnel between Juniper and FreeBSD

Friday, June 12th, 2009

The configuration on the FreeBSD router:

ifconfig gif0 create
ifconfig gif0 inet 10.100.100.2 10.100.100.1 netmask 255.255.255.252
ifconfig gif0 tunnel 192.168.1.2 10.242.2.242

The configuration on the M7i:

# show interfaces ip-1/2/0
unit 0 {
    tunnel {
        source 10.242.2.242;
        destination 192.168.1.2;
        routing-instance {
            destination VRF-TEST;
        }
    }
    family inet {
        address 10.100.100.1/30;
    }
}

Also, don't forget to define the ip-1/2/0.0 interface in the correct routing-instance (in this case, the VRF-TEST routing-instance).

The network topology used for testing is shown below:

10.100.100.2/30     (ipip tunnel)     10.100.100.1/30
FreeBSD ------------- LAN ------------- M7i
192.168.1.2                           10.242.2.242

Finally, the results below show that ipip/gre tunnelling is possible on the M7i base system without an AS PIC or LS PIC.
The M7i base system has 1 built-in tunnel interface.

# show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                32297             M7i
Midplane         REV 04   710-008761   CE3630
Power Supply 0   Rev 02   740-008985   QF15548           DC
Power Supply 1   Rev 02   740-008985   QF15558           DC
Routing Engine   REV 09   740-009459   1000542657        RE-5.0
CFEB             REV 03   750-010463   CE7095            Internet Processor II
FPC 0                                                    E-FPC
FPC 1                                                    E-FPC
  PIC 2                   BUILTIN      BUILTIN           1x Tunnel
  PIC 3          REV 07   750-009098   CC7914            2x F/E, 100 BASE-TX

And these are the results:

I pinged from the M7i:

# run ping 10.100.100.2 routing-instance VRF-TEST
PING 10.100.100.2 (10.100.100.2): 56 data bytes
64 bytes from 10.100.100.2: icmp_seq=0 ttl=64 time=1.103 ms
64 bytes from 10.100.100.2: icmp_seq=1 ttl=64 time=1.125 ms
64 bytes from 10.100.100.2: icmp_seq=2 ttl=64 time=1.109 ms

And this is the result seen with tcpdump on the gif0 interface:

# tcpdump -n -i gif0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
12:30:08.971272 IP 10.100.100.1 > 10.100.100.2: icmp 64: echo request seq 4608
12:30:08.971287 IP 10.100.100.2 > 10.100.100.1: icmp 64: echo reply seq 4608
12:30:09.981402 IP 10.100.100.1 > 10.100.100.2: icmp 64: echo request seq 4864
12:30:09.981414 IP 10.100.100.2 > 10.100.100.1: icmp 64: echo reply seq 4864
12:30:10.991369 IP 10.100.100.1 > 10.100.100.2: icmp 64: echo request seq 5120
12:30:10.991382 IP 10.100.100.2 > 10.100.100.1: icmp 64: echo reply seq 5120
-rendo-