Sample BGP topology redundancy
We have a sample topology as below. On the AS 4000 side there is a PC that needs to reach R1 and some IPs behind R1. vSRX1 and R1 have two WAN connections between them; we name the upper one line 1 and the lower one line 2. vSRX1 receives the routes 8.8.8.0/23 and 12.12.12.0/24 through both line 1 and line 2, but R1 announces the prefix 9.9.9.0/24 only through line 1 and the prefix 11.11.11.0/24 only through line 2. So we need both lines.
We are responsible for the AS 4000 side. We want redundancy, but how?
We decided to duplicate the vSRX1 router and split the two lines between the devices, one line per vSRX. The vSRX devices are going to run as active/passive, so we are going to configure VRRP on them. But if the devices run active/passive, how does the active device reach the line that terminates on the passive device? It must be able to route to that line through the passive device, so we must also configure iBGP between the vSRX devices.
vSRX1
set system host-name vSRX1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24 vrrp-group 1 virtual-address 192.168.1.3
set interfaces ge-0/0/1 unit 0 family inet address 192.168.254.1/24
set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.2/29
set protocols bgp local-as 4000
set protocols bgp group LINE_1 neighbor 1.1.1.1 peer-as 1000
set protocols bgp group internal export NXT_HP_SLF
set protocols bgp group internal neighbor 192.168.254.2 peer-as 4000
set policy-options policy-statement NXT_HP_SLF then next-hop self
set security nat source rule-set SNAT from zone trust
set security nat source rule-set SNAT to zone untrust
set security nat source rule-set SNAT rule R1 match source-address 192.168.1.0/24
set security nat source rule-set SNAT rule R1 then source-nat interface
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic protocols bgp
vSRX2
set system host-name vSRX2
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24 vrrp-group 1 virtual-address 192.168.1.3
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24 vrrp-group 1 priority 50
set interfaces ge-0/0/1 unit 0 family inet address 192.168.254.2/24
set interfaces ge-0/0/2 unit 0 family inet address 2.2.2.2/29
set protocols bgp local-as 4000
set protocols bgp group LINE_2 neighbor 2.2.2.1 peer-as 1000
set protocols bgp group internal export NXT_HP_SLF
set protocols bgp group internal neighbor 192.168.254.1 peer-as 4000
set policy-options policy-statement NXT_HP_SLF then next-hop self
set security nat source rule-set SNAT from zone trust
set security nat source rule-set SNAT to zone untrust
set security nat source rule-set SNAT rule R1 match source-address 192.168.1.0/24
set security nat source rule-set SNAT rule R1 then source-nat interface
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic protocols bgp
R1
Current configuration : 1736 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 8.8.8.8 255.255.255.0
!
interface Loopback1
 ip address 9.9.9.9 255.255.255.0
!
interface Loopback2
 ip address 11.11.11.11 255.255.255.0
!
interface Loopback3
 ip address 12.12.12.12 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 1.1.1.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 2.2.2.1 255.255.255.248
 duplex auto
 speed auto
!
router bgp 1000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 1.1.1.2 remote-as 4000
 neighbor 1.1.1.2 prefix-list PATH_1_PRFX out
 neighbor 2.2.2.2 remote-as 4000
 neighbor 2.2.2.2 prefix-list PATH_2_PRFX out
 no auto-summary
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip prefix-list PATH_1_PRFX seq 5 permit 8.8.8.0/24
ip prefix-list PATH_1_PRFX seq 10 permit 9.9.9.0/24
ip prefix-list PATH_1_PRFX seq 15 permit 12.12.12.0/24
!
ip prefix-list PATH_2_PRFX seq 5 permit 12.12.12.0/24
ip prefix-list PATH_2_PRFX seq 10 permit 11.11.11.0/24
ip prefix-list PATH_2_PRFX seq 15 permit 8.8.8.0/24
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 logging synchronous
 login
!
end
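Why the iBGP session needs the NXT_HP_SLF (next-hop self) policy, shown with an added example that is not part of the original post or of any vendor code: a small Python model of the two vSRX devices, fed with what R1 sends on each line according to PATH_1_PRFX and PATH_2_PRFX, that builds each device's BGP RIB with and without next-hop self and with line 1 down. The addresses, prefixes and connected subnets are taken from the configurations above; the path-selection rule (eBGP preferred over iBGP, an iBGP path usable only if its next hop resolves) is a simplification of BGP's behaviour.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the topology on this page; not Junos or IOS code.
# What R1 advertises on each line, taken from PATH_1_PRFX / PATH_2_PRFX.
R1_ADVERTISES = {
    "1.1.1.1": ["8.8.8.0/24", "9.9.9.0/24", "12.12.12.0/24"],    # line 1
    "2.2.2.1": ["12.12.12.0/24", "11.11.11.0/24", "8.8.8.0/24"], # line 2
}
VSRX = {
    "vSRX1": {"ebgp_peer": "1.1.1.1", "ibgp_addr": "192.168.254.1",
              "connected": ["1.1.1.0/29", "192.168.254.0/24", "192.168.1.0/24"]},
    "vSRX2": {"ebgp_peer": "2.2.2.1", "ibgp_addr": "192.168.254.2",
              "connected": ["2.2.2.0/29", "192.168.254.0/24", "192.168.1.0/24"]},
}

def resolves(device, next_hop):
    """A BGP next hop is usable only if the device has a route to it (here: a connected subnet)."""
    return any(ip_address(next_hop) in ip_network(net) for net in VSRX[device]["connected"])

def build_ribs(next_hop_self, lines_up=("1.1.1.1", "2.2.2.1")):
    """Return {device: {prefix: next_hop}}; next_hop is None when the only path is unresolvable."""
    ebgp = {}  # device -> {prefix: next hop learned over its own line}
    for dev, cfg in VSRX.items():
        peer = cfg["ebgp_peer"]
        ebgp[dev] = {p: peer for p in R1_ADVERTISES[peer]} if peer in lines_up else {}
    ribs = {}
    for dev in VSRX:
        other = next(d for d in VSRX if d != dev)
        rib = dict(ebgp[dev])  # eBGP paths win over iBGP paths for the same prefix
        for prefix, nh in ebgp[other].items():
            if prefix in rib:
                continue
            # The iBGP peer re-advertises its eBGP routes. With NXT_HP_SLF the next hop
            # becomes its own 192.168.254.x address; without it, R1's address on the far
            # line is passed through unchanged and this device has no route to it.
            ibgp_nh = VSRX[other]["ibgp_addr"] if next_hop_self else nh
            rib[prefix] = ibgp_nh if resolves(dev, ibgp_nh) else None
        ribs[dev] = rib
    return ribs

if __name__ == "__main__":
    for mode in (True, False):
        print("next-hop self =", mode, "->", build_ribs(mode)["vSRX1"])
    print("line 1 down   ->", build_ribs(True, lines_up=("2.2.2.1",))["vSRX1"])
```

With next-hop self, vSRX1 reaches 11.11.11.0/24 via 192.168.254.2 and, when line 1 is down, keeps 8.8.8.0/24 and 12.12.12.0/24 via vSRX2; without it the iBGP routes are unresolvable and stay hidden.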