Introduction
Table of Contents
- Network Overview
- BGP Routing Architecture
- Best Practices and Recommendations
- BGP Traffic Engineering and Redundancy
- Internal IP Addressing Scheme
- New BGP Partner Configuration
- Troubleshooting
- Appendix A: Configuration Examples
- Appendix B: Migration Instructions
Network Overview
Our network consists of:
- AS Number: 213683
- Router: SRX5400 (Primary routing device)
- Switch: QFX5100 (Distribution/access)
- Interconnection: ae1 LACP bundle between SRX and QFX
  - IPv4: 192.168.99.1/30 (SRX) to 192.168.99.2/30 (QFX)
  - IPv6: 2602:f700:e0::1/64 (SRX) to 2602:f700:e0::2/64 (QFX)
BGP Routing Architecture
Design Principles
- Route Announcement:
  - SRX is responsible for all BGP announcements to upstream providers
  - Aggregate routes with appropriate AS paths are used for announcing partner prefixes
- Traffic Flow:
  - Traffic enters via SRX (BGP announcements)
  - SRX forwards to QFX via static routes
  - QFX delivers to partner devices via appropriate VLANs
- Route Preferences:
  - Direct routes: Preference 0
  - Specific static routes: Preference 5
  - Aggregate routes for BGP: Preference 130
New BGP Partner Configuration
Scenario A: Partner with Own BGP Session
This scenario is for partners who maintain their own BGP session with us.
1. Physical Connectivity
- Determine VLAN Assignment:
  - Assign a dedicated VLAN (e.g., CLIENT-XXXXX where XXXXX is their AS number)
  - Select an available interface on QFX for connecting the partner
- QFX Configuration:
# Create VLAN
set vlans CLIENT-$"ASNUM" vlan-id {VLAN-ID}
set vlans CLIENT-$"ASNUM" l3-interface irb.{VLAN-ID}
# Configure IRB interface
set interfaces irb unit {VLAN-ID} family inet address {P2P-IPV4-QFX}/30
set interfaces irb unit {VLAN-ID} family inet6 address {P2P-IPV6-QFX}/126
# Assign physical interface to VLAN
set interfaces xe-0/0/{INTERFACE} unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/{INTERFACE} unit 0 family ethernet-switching vlan members CLIENT-$"ASNUM"
- SRX Static Routes:
# Configure static routes to QFX for this client's subnet
set routing-options static route {CLIENT-SUBNET}/30 next-hop 192.168.99.2
set routing-options rib inet6.0 static route {CLIENT-SUBNET-V6}/126 next-hop 2602:f700:e0::2
2. BGP Configuration on SRX
- Create BGP Group:
# IPv4 BGP
set protocols bgp group CLIENT-AS$"ASNUM" type external
set protocols bgp group CLIENT-AS$"ASNUM" description "Downstream AS$"ASNUM""
set protocols bgp group CLIENT-AS$"ASNUM" local-address {P2P-IPV4-SRX}
set protocols bgp group CLIENT-AS$"ASNUM" peer-as $"ASNUM"
set protocols bgp group CLIENT-AS$"ASNUM" neighbor {P2P-IPV4-CLIENT}
# IPv6 BGP (if applicable)
set protocols bgp group CLIENT-AS$"ASNUM"-V6 type external
set protocols bgp group CLIENT-AS$"ASNUM"-V6 description "Downstream AS$"ASNUM" IPv6"
set protocols bgp group CLIENT-AS$"ASNUM"-V6 local-address {P2P-IPV6-SRX}
set protocols bgp group CLIENT-AS$"ASNUM"-V6 family inet6 any
set protocols bgp group CLIENT-AS$"ASNUM"-V6 peer-as $"ASNUM"
set protocols bgp group CLIENT-AS$"ASNUM"-V6 neighbor {P2P-IPV6-CLIENT}
- Create Import/Export Policies:
# Import policy
set policy-options policy-statement ACCEPT-AS$"ASNUM" term accept-routes from protocol bgp
set policy-options policy-statement ACCEPT-AS$"ASNUM" term accept-routes from as-path AS$"ASNUM"
set policy-options policy-statement ACCEPT-AS$"ASNUM" term accept-routes then local-preference 300
set policy-options policy-statement ACCEPT-AS$"ASNUM" term accept-routes then community add LOCAL-PREF-HIGHEST
set policy-options policy-statement ACCEPT-AS$"ASNUM" term accept-routes then accept
# Export policy (usually default route)
set policy-options policy-statement ps-default term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ps-default term default then accept
set policy-options policy-statement ps-default-v6 term accept-default from route-filter ::/0 exact
set policy-options policy-statement ps-default-v6 term accept-default then accept
# Apply policies
set protocols bgp group CLIENT-AS$"ASNUM" import ACCEPT-AS$"ASNUM"
set protocols bgp group CLIENT-AS$"ASNUM" export ps-default
set protocols bgp group CLIENT-AS$"ASNUM"-V6 import ACCEPT-AS$"ASNUM"
set protocols bgp group CLIENT-AS$"ASNUM"-V6 export ps-default-v6
- Define AS Paths and Communities:
set policy-options as-path AS$"ASNUM" "^$"ASNUM".*$"
set policy-options community LOCAL-PREF-HIGHEST members large:213683:1:300
Scenario B: Announcing Routes on Partner's Behalf
This scenario is for partners who rely on us to announce their prefixes.
1. Physical Connectivity
Same as Scenario A.
2. Prefix Configuration on SRX
- Create Aggregate Routes:
# IPv4 Aggregate
set routing-options aggregate route {CLIENT-PREFIX} as-path path {CLIENT-ASNUM}
set routing-options aggregate route {CLIENT-PREFIX} as-path origin egp
# IPv6 Aggregate (if applicable)
set routing-options rib inet6.0 aggregate route {CLIENT-PREFIX-V6} as-path path {CLIENT-ASNUM}
set routing-options rib inet6.0 aggregate route {CLIENT-PREFIX-V6} as-path origin egp
- Create More Specific Static Routes:
# For IPv4 prefixes
set routing-options static route {CLIENT-PREFIX-HALF1} next-hop 192.168.99.2 preference 5
set routing-options static route {CLIENT-PREFIX-HALF2} next-hop 192.168.99.2 preference 5
# For IPv6 prefixes
set routing-options rib inet6.0 static route {CLIENT-PREFIX-V6-HALF1} next-hop 2602:f700:e0::2 preference 5
set routing-options rib inet6.0 static route {CLIENT-PREFIX-V6-HALF2} next-hop 2602:f700:e0::2 preference 5
- Create Export Policy:
# Create policy
set policy-options policy-statement ANNOUNCE-AS$"ASNUM" term announce-prefixes from route-filter {CLIENT-PREFIX} exact
set policy-options policy-statement ANNOUNCE-AS$"ASNUM" term announce-prefixes then accept
set policy-options policy-statement ANNOUNCE-AS$"ASNUM" term announce-prefixes-v6 from route-filter {CLIENT-PREFIX-V6} exact
set policy-options policy-statement ANNOUNCE-AS$"ASNUM" term announce-prefixes-v6 then accept
# Apply to upstream BGP groups
set protocols bgp group upstream export ANNOUNCE-AS$"ASNUM"
set protocols bgp group cogent export ANNOUNCE-AS$"ASNUM"
set protocols bgp group cogent-v6 export ANNOUNCE-AS$"ASNUM"
Note: Loopback addresses on the SRX are not needed when announcing routes on behalf of a customer who already has physical devices with actual IP addresses from the announced prefix range. Loopbacks are only needed for testing or when there are no actual devices using the IPs yet.
3. QFX Static Routes (when client is connected)
# Configure static routes on QFX to direct traffic to client
set routing-options static route {CLIENT-PREFIX} next-hop xe-0/0/{INTERFACE}.0
set routing-options rib inet6.0 static route {CLIENT-PREFIX-V6} discard
Existing Partner Migration
When migrating existing BGP partners from QFX to SRX, follow these steps:
1. Replicate BGP Configuration on SRX
- Copy BGP Policies:
  - Duplicate import/export policies
  - Ensure AS paths and communities are defined
- Create BGP Groups:
  - Configure BGP sessions with same parameters
2. Set Up Routing Path
- Configure Static Routes on SRX:
# For announced prefixes
set routing-options aggregate route {CLIENT-PREFIX} as-path path {CLIENT-ASNUM}
set routing-options aggregate route {CLIENT-PREFIX} as-path origin egp
# For traffic forwarding
set routing-options static route {CLIENT-PREFIX-HALF1} next-hop 192.168.99.2 preference 5
set routing-options static route {CLIENT-PREFIX-HALF2} next-hop 192.168.99.2 preference 5
- Verify BGP Announcements:
show route advertising-protocol bgp {UPSTREAM-PEER} {CLIENT-PREFIX}
3. Migration Process
- Phased Approach:
  - Configure SRX first
  - Verify routing and announcements
  - Remove configuration from QFX
- Important Checks:
  - Verify BGP sessions
  - Confirm BGP announcements have correct AS path
  - Test traffic flow
Best Practices and Recommendations
BGP Configuration Best Practices
- Consistent Naming Conventions:
  - BGP groups: CLIENT-AS$"ASNUM" for IPv4, CLIENT-AS$"ASNUM"-V6 for IPv6
  - Policies: ACCEPT-AS$"ASNUM" for imports, ANNOUNCE-AS$"ASNUM" for exports
  - VLANs: CLIENT-$"ASNUM" for client VLANs
- Route Filtering:
  - Always specify exact prefixes in import/export policies
  - Use prefix-lists for groups of prefixes
  - Filter private ASNs at border routers
- BGP Security:
  - Apply inbound filters to prevent bogon route announcements
  - Implement maximum-prefix limits to prevent route flooding
  - Consider implementing BGP authentication for critical sessions
- Documentation:
  - Document AS paths and local preferences in policy descriptions
  - Use interface descriptions to identify BGP peer connections
  - Maintain an updated BGP peering matrix
- Redundancy:
  - For critical customers, consider dual connections when possible
  - Configure BFD for faster BGP session failure detection
- Export Policies:
  - CRITICAL: Always include a default deny policy at the end of export policy chains
  - Never remove export policies without understanding the default behavior
  - Use explicit permit/deny statements rather than relying on implicit behaviors
Default Export Policy Framework
To ensure consistent and secure BGP route advertisements, implement this standardized policy framework for all upstreams:
# Create a master export policy framework
# The policy holds a single unconditional reject. A term with no "from" clause matches
# every route, so a leading "then next policy" term would skip the reject entirely.
set policy-options policy-statement BGP-EXPORT-FRAMEWORK term default-deny then reject
Then for each upstream BGP group:
# Apply the framework as the LAST policy
set protocols bgp group upstream export [SPECIFIC-ANNOUNCEMENT-POLICIES]
set protocols bgp group upstream export BGP-EXPORT-FRAMEWORK
With this approach:
- All specific route announcements are defined in individual policies (like ANNOUNCE-AS34689)
- These specific policies are applied first in the export policy chain
- The BGP-EXPORT-FRAMEWORK is always applied last
- Only routes explicitly permitted in the specific policies will be announced
- All other routes are rejected by the framework's default-deny term
Key advantages:
- Works for all upstreams regardless of IP ranges or ASNs
- Creates a consistent, predictable export behavior
- Prevents accidental route leaks
- Makes it safe to add/remove specific announcement policies
- Simplifies configuration management
Example application:
# Define specific announcement policies
set policy-options policy-statement ANNOUNCE-AS34689 term announce from route-filter 185.75.243.0/24 exact
set policy-options policy-statement ANNOUNCE-AS34689 term announce then accept
set policy-options policy-statement ANNOUNCE-AS136787 term announce from route-filter 147.93.215.0/24 exact
set policy-options policy-statement ANNOUNCE-AS136787 term announce then accept
# Apply to upstream providers with the framework
set protocols bgp group upstream export ANNOUNCE-AS34689
set protocols bgp group upstream export ANNOUNCE-AS136787
set protocols bgp group upstream export BGP-EXPORT-FRAMEWORK
set protocols bgp group cogent export ANNOUNCE-AS34689
set protocols bgp group cogent export ANNOUNCE-AS136787
set protocols bgp group cogent export BGP-EXPORT-FRAMEWORK
When you need to stop announcing a specific prefix to an upstream, simply remove that specific policy:
delete protocols bgp group upstream export ANNOUNCE-AS34689
The BGP-EXPORT-FRAMEWORK will ensure no unintended routes are leaked.
Route Preference Hierarchy
Maintain this consistent hierarchy of route preferences:
- Direct routes: Preference 0 (most preferred)
- Specific test routes: Preference 5
- Static routes: Preference 10
- OSPF/IS-IS: Preference 15/18
- Aggregate routes for BGP: Preference 130
- BGP routes: Preference 170
AS Path Handling
- Use consistent AS path prepending patterns
- For transit customers, always validate their AS path
- Use communities to control route propagation
BGP Traffic Engineering and Redundancy
Understanding AS Path Prepending
AS Path prepending is a technique used to influence BGP path selection by artificially making a route look less preferred. BGP routers prefer the shortest AS path, so adding additional instances of your own AS number makes a path less preferred without affecting route availability.
When you prepend your AS number multiple times:
set policy-options policy-statement PREPEND-TO-UPSTREAM term prepend-as34689 then as-path-prepend "213683 213683 213683"
The resulting AS path would look like "213683 213683 213683 213683 34689 E" instead of just "213683 34689 E".
The number of prepends determines how much less preferred the path becomes:
- 1 prepend: Slightly less preferred
- 2 prepends: Moderately less preferred
- 3 prepends: Significantly less preferred (commonly used)
Traffic Engineering Strategies
1. Basic Route Advertisement Control
Simply removing an export policy to stop advertising a specific prefix to an upstream can have unintended consequences:
# DO NOT DO THIS without a default deny policy
delete protocols bgp group upstream export ANNOUNCE-AS34689
CRITICAL WARNING: Removing a specific export policy without having a default deny policy can result in leaking ALL routes to your upstream provider. This happens because when no export policy is applied, the default behavior is to advertise all active routes.
Correct approach:
# Create a policy that explicitly denies the specific prefix
set policy-options policy-statement DENY-AS34689 term deny-specific from route-filter 185.75.243.0/24 exact
set policy-options policy-statement DENY-AS34689 term deny-specific then reject
# For all other prefixes, maintain existing policies
set policy-options policy-statement DENY-AS34689 term allow-rest then next policy
# Apply this policy FIRST in the export policy chain
set protocols bgp group upstream export DENY-AS34689
set protocols bgp group upstream export [OTHER-EXISTING-POLICIES]
Best Practice: Always maintain a default deny policy at the end of your export policy chain:
set policy-options policy-statement EXPORT-DEFAULT-DENY term deny-all then reject
set protocols bgp group upstream export EXPORT-DEFAULT-DENY
This ensures that only explicitly permitted routes are advertised.
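The export-chain behaviour described in the Default Export Policy Framework section and in this one, as an added example that is not part of the original guide: a simplified Python model of Junos export evaluation that reports which routes the upstream group would advertise with and without a reachable final reject. The policy DENY-UNREACHABLE, the 198.51.100.0/24 transit route and all function names are constructed for illustration. The model assumes the Junos default BGP export policy (active BGP routes are readvertised, other protocols are not) and handles only route-filter exact/orlonger and protocol matches.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: policy names follow the guide; DENY-UNREACHABLE and the
# 198.51.100.0/24 transit route are invented for this illustration.
POLICIES = """
set policy-options policy-statement ANNOUNCE-AS34689 term announce from route-filter 185.75.243.0/24 exact
set policy-options policy-statement ANNOUNCE-AS34689 term announce then accept
set policy-options policy-statement EXPORT-DEFAULT-DENY term deny-all then reject
set policy-options policy-statement DENY-UNREACHABLE term pass then next policy
set policy-options policy-statement DENY-UNREACHABLE term deny-all then reject
"""
ROUTES = [("185.75.243.0/24", "aggregate"),   # customer aggregate on the SRX
          ("198.51.100.0/24", "bgp"),         # learned from another eBGP peer
          ("192.168.99.0/30", "direct")]      # SRX-QFX interconnect


def load(config):
    """Parse set/delete lines into ({policy: {term: body}}, {group: [export policies]})."""
    policies, chains = defaultdict(dict), defaultdict(list)
    for line in config.splitlines():
        w = line.split()
        if len(w) >= 8 and w[:3] == ["set", "policy-options", "policy-statement"] and w[4] == "term":
            body = policies[w[3]].setdefault(w[5], {"from": [], "then": None})
            if w[6] == "from":
                body["from"].append(w[7:])
            elif w[6] == "then" and " ".join(w[7:]) in ("accept", "reject", "next policy"):
                body["then"] = " ".join(w[7:])
        elif len(w) == 7 and w[1:4] == ["protocols", "bgp", "group"] and w[5] == "export":
            if w[0] == "set":
                chains[w[4]].append(w[6])      # each "set" appends to the chain
            elif w[0] == "delete" and w[6] in chains[w[4]]:
                chains[w[4]].remove(w[6])
    return policies, chains


def matches(conditions, prefix, protocol):
    """All 'from' conditions of a term must hold; an empty list matches every route."""
    route = ipaddress.ip_network(prefix)
    for cond in conditions:
        if cond[0] == "protocol":
            if cond[1] != protocol:
                return False
        elif cond[0] == "route-filter" and cond[2] in ("exact", "orlonger"):
            net = ipaddress.ip_network(cond[1])
            if route.version != net.version:
                return False
            if route != net and (cond[2] == "exact" or not route.subnet_of(net)):
                return False
        else:
            raise ValueError(f"match condition not modelled: {' '.join(cond)}")
    return True


def evaluate(policies, chain, prefix, protocol):
    """Return (action, deciding policy) for one route against an export chain."""
    for name in chain:
        for term, body in policies.get(name, {}).items():
            if body["then"] is None or not matches(body["from"], prefix, protocol):
                continue
            if body["then"] == "next policy":
                break                          # remaining terms of this policy are skipped
            return body["then"], f"{name} term {term}"
    # End of chain: default BGP export policy (assumption stated in the lead-in).
    return ("accept" if protocol == "bgp" else "reject"), "default policy"


def exported(group_config, group="upstream"):
    """Prefixes from ROUTES that the group's export chain would advertise."""
    policies, chains = load(POLICIES + group_config)
    return [p for p, proto in ROUTES
            if evaluate(policies, chains[group], p, proto)[0] == "accept"]


ANNOUNCE = "set protocols bgp group upstream export ANNOUNCE-AS34689\n"
DENY = "set protocols bgp group upstream export EXPORT-DEFAULT-DENY\n"
BROKEN = "set protocols bgp group upstream export DENY-UNREACHABLE\n"
REMOVE = "delete protocols bgp group upstream export ANNOUNCE-AS34689\n"

if __name__ == "__main__":
    for label, cfg in [("announce only", ANNOUNCE),
                       ("announce + default deny", ANNOUNCE + DENY),
                       ("announce + unreachable deny", ANNOUNCE + BROKEN),
                       ("announce removed, no deny", ANNOUNCE + REMOVE),
                       ("announce removed, deny kept", ANNOUNCE + DENY + REMOVE)]:
        print(f"{label:30} -> {exported(cfg)}")
```

The "announce + unreachable deny" case still advertises the transit route: a term without a from clause matches every route, so its next policy action skips the reject term behind it and evaluation falls through to the default policy.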
2. AS Path Prepending for Path Preference
To advertise to all upstreams but prefer traffic through Cogent:
# For primary path (Cogent) - No prepending
set policy-options policy-statement TO-COGENT term announce-as34689 from route-filter 185.75.243.0/24 exact
set policy-options policy-statement TO-COGENT term announce-as34689 then accept
# For secondary path (other upstream) - With prepending
set policy-options policy-statement TO-UPSTREAM term announce-as34689 from route-filter 185.75.243.0/24 exact
set policy-options policy-statement TO-UPSTREAM term announce-as34689 then as-path-prepend "213683 213683"
set policy-options policy-statement TO-UPSTREAM term announce-as34689 then accept
# Apply to respective BGP groups
set protocols bgp group cogent export TO-COGENT
set protocols bgp group upstream export TO-UPSTREAM
3. Conditional Advertisement
For automatic failover to secondary upstreams when primary is down:
# Define a condition that is true while a default route is present in inet.0.
# A "from policy" subroutine is evaluated against the route being exported, so it cannot
# test for a different route; "if-route-exists" is the statement that does. As written it
# is satisfied by 0.0.0.0/0 from any source, so it tracks Cogent only when Cogent
# (149.6.153.129) is the sole source of the default route.
set policy-options condition COGENT-ROUTES-EXIST if-route-exists 0.0.0.0/0 table inet.0
# Create policy for conditional advertisement
set policy-options policy-statement BACKUP-ANNOUNCE term announce-if-cogent-down from route-filter 185.75.243.0/24 exact
set policy-options policy-statement BACKUP-ANNOUNCE term announce-if-cogent-down from condition COGENT-ROUTES-EXIST
set policy-options policy-statement BACKUP-ANNOUNCE term announce-if-cogent-down then reject
set policy-options policy-statement BACKUP-ANNOUNCE term announce-if-cogent-down-else from route-filter 185.75.243.0/24 exact
set policy-options policy-statement BACKUP-ANNOUNCE term announce-if-cogent-down-else then accept
# Apply to upstream BGP group
set protocols bgp group upstream export BACKUP-ANNOUNCE
4. BGP Communities for Traffic Engineering
Use communities to control route propagation:
# Define communities
set policy-options community NO-EXPORT members no-export
set policy-options community LOCAL-PREF-LOW members large:213683:1:100
# Create policy using communities
set policy-options policy-statement CONTROL-WITH-COMMUNITIES term secondary-path from route-filter 185.75.243.0/24 exact
set policy-options policy-statement CONTROL-WITH-COMMUNITIES term secondary-path then community add LOCAL-PREF-LOW
set policy-options policy-statement CONTROL-WITH-COMMUNITIES term secondary-path then accept
# Apply to upstream BGP group
set protocols bgp group upstream export CONTROL-WITH-COMMUNITIES
Recommended Approach for Automated Failover
For optimal redundancy with traffic engineering:
- Advertise to all upstreams with AS path prepending:
  - No prepending on primary path
  - 2-3 prepends on secondary paths
- Implement BFD for faster failure detection:
set protocols bgp group cogent bfd-liveness-detection minimum-interval 300
set protocols bgp group cogent bfd-liveness-detection multiplier 3
- Configure GTSM (Generalized TTL Security Mechanism) for protection:
set protocols bgp group cogent ttl 255
This approach provides automatic failover while preferring your primary path during normal operations.
Migration Instructions for AS11867 (23.134.52.0/24 + 2602:f700::/48)
Phase 1: Configure SRX
# Aggregate routes for BGP announcements
set routing-options aggregate route 23.134.52.0/24 as-path path 11867
set routing-options aggregate route 23.134.52.0/24 as-path origin egp
set routing-options rib inet6.0 aggregate route 2602:f700::/48 as-path path 11867
set routing-options rib inet6.0 aggregate route 2602:f700::/48 as-path origin egp
# Static routes for traffic forwarding
set routing-options static route 23.134.52.0/25 next-hop 192.168.99.2 preference 5
set routing-options static route 23.134.52.128/25 next-hop 192.168.99.2 preference 5
set routing-options rib inet6.0 static route 2602:f700::/49 next-hop 2602:f700:e0::2 preference 5
set routing-options rib inet6.0 static route 2602:f700:8000::/49 next-hop 2602:f700:e0::2 preference 5
# BGP export policy
set policy-options policy-statement ANNOUNCE-AS11867 term announce-prefixes from route-filter 23.134.52.0/24 exact
set policy-options policy-statement ANNOUNCE-AS11867 term announce-prefixes then accept
set policy-options policy-statement ANNOUNCE-AS11867 term announce-prefixes-v6 from route-filter 2602:f700::/48 exact
set policy-options policy-statement ANNOUNCE-AS11867 term announce-prefixes-v6 then accept
# Apply to upstream BGP groups
set protocols bgp group upstream export ANNOUNCE-AS11867
set protocols bgp group cogent export ANNOUNCE-AS11867
set protocols bgp group cogent-v6 export ANNOUNCE-AS11867
Note: No loopback addresses are needed on SRX if the client is already connected to the QFX with actual IP addresses from these prefix ranges.
Phase 2: Verify Configuration
# Verify routing table
show route 23.134.52.0/24
show route 2602:f700::/48
# Verify BGP announcements
show route advertising-protocol bgp 149.6.153.129 23.134.52.0/24
show route advertising-protocol bgp 10.9.11.9 23.134.52.0/24
show route advertising-protocol bgp 2001:978:2:2a::99:1 2602:f700::/48
Phase 3: Remove QFX Announcements
# On QFX
delete routing-options aggregate route 23.134.52.0/24
delete routing-options rib inet6.0 aggregate route 2602:f700::/48
delete policy-options policy-statement ANNOUNCE-PREFIX term as11867
delete policy-options policy-statement ANNOUNCE-TO-ANIX term as11867
commit
Phase 4: Final Verification
# On SRX - Verify traffic flow
ping 23.134.52.1 source 192.168.99.1
ping 2602:f700::1 source 2602:f700:e0::1
# On SRX - Verify BGP announcements maintained
show route advertising-protocol bgp 149.6.153.129 23.134.52.0/24
show route advertising-protocol bgp 2001:978:2:2a::99:1 2602:f700::/48
This migration can be performed with minimal impact, as it only changes where the route announcements originate from while maintaining the same physical connectivity through the QFX.
Appendix: Current Configurations and Migration Instructions
Current AS34689 Configuration on SRX
# Loopback addresses
set interfaces lo0 unit 0 family inet address 185.75.243.1/32
set interfaces lo0 unit 0 family inet address 185.75.243.130/32
set interfaces lo0 unit 0 family inet6 address 2a13:9403::2/128
set interfaces lo0 unit 0 family inet6 address 2a13:9403:8000::2/128
# Aggregate routes for BGP announcements
set routing-options aggregate route 185.75.243.0/24 as-path path 34689
set routing-options aggregate route 185.75.243.0/24 as-path origin egp
set routing-options rib inet6.0 aggregate route 2a13:9403::/32 as-path path 34689
set routing-options rib inet6.0 aggregate route 2a13:9403::/32 as-path origin egp
set routing-options rib inet6.0 aggregate route 2a13:9403::/33 as-path path 34689
set routing-options rib inet6.0 aggregate route 2a13:9403::/33 as-path origin egp
set routing-options rib inet6.0 aggregate route 2a13:9403:8000::/33 as-path path 34689
set routing-options rib inet6.0 aggregate route 2a13:9403:8000::/33 as-path origin egp
# Static routes for traffic forwarding
set routing-options static route 185.75.243.0/25 next-hop 192.168.99.2 preference 5
set routing-options static route 185.75.243.128/25 next-hop 192.168.99.2 preference 5
set routing-options rib inet6.0 static route 2a13:9403::/33 next-hop 2602:f700:e0::2 preference 5
set routing-options rib inet6.0 static route 2a13:9403:8000::/33 next-hop 2602:f700:e0::2 preference 5
# BGP export policies
set policy-options policy-statement ANNOUNCE-AS34689 term announce-as34689-prefixes from route-filter 185.75.243.0/24 exact
set policy-options policy-statement ANNOUNCE-AS34689 term announce-as34689-prefixes then accept
set policy-options policy-statement ANNOUNCE-AS34689 term announce-as34689-prefixes-v6 from route-filter 2a13:9403::/32 exact
set policy-options policy-statement ANNOUNCE-AS34689 term announce-as34689-prefixes-v6 then accept
# Applied to upstream BGP groups
set protocols bgp group upstream export ANNOUNCE-AS34689
set protocols bgp group cogent export ANNOUNCE-AS34689
set protocols bgp group cogent-v6 export ANNOUNCE-AS34689
Migration Instructions for AS136787 (147.93.215.0/24)
Phase 1: Configure SRX
# Aggregate route for BGP announcements
set routing-options aggregate route 147.93.215.0/24 as-path path 136787
set routing-options aggregate route 147.93.215.0/24 as-path origin egp
# Static routes for traffic forwarding
set routing-options static route 147.93.215.0/25 next-hop 192.168.99.2 preference 5
set routing-options static route 147.93.215.128/25 next-hop 192.168.99.2 preference 5
# BGP export policy
set policy-options policy-statement ANNOUNCE-AS136787 term announce-prefixes from route-filter 147.93.215.0/24 exact
set policy-options policy-statement ANNOUNCE-AS136787 term announce-prefixes then accept
# Apply to upstream BGP groups
set protocols bgp group upstream export ANNOUNCE-AS136787
set protocols bgp group cogent export ANNOUNCE-AS136787
Note: No loopback addresses are needed on SRX since the client is already connected to the QFX with actual IP addresses from this prefix range.
Phase 2: Verify Configuration
# Verify routing table
show route 147.93.215.0/24
# Verify BGP announcements
show route advertising-protocol bgp 149.6.153.129 147.93.215.0/24
show route advertising-protocol bgp 10.9.11.9 147.93.215.0/24
Phase 3: Remove QFX Announcements
# On QFX
delete routing-options aggregate route 147.93.215.0/24
delete policy-options policy-statement ANNOUNCE-PREFIX term announce-as136787
delete policy-options policy-statement ANNOUNCE-TO-ANIX term announce-as136787-prefixes
commit
Phase 4: Final Verification
# On SRX - Verify traffic flow
ping 147.93.215.1 source 192.168.99.1
# On SRX - Verify BGP announcements maintained
show route advertising-protocol bgp 149.6.153.129 147.93.215.0/24
This migration can be performed with minimal impact, as it only changes where the route announcements originate from while maintaining the same physical connectivity through the QFX.
BGP Configuration Guide for AS213683
This document outlines the standard procedures for configuring BGP partnerships on our network infrastructure, which consists of:
- SRX5400 Router (Primary routing device)
- QFX5100 Switch (Access and distribution)
Internal IP Addressing Scheme
P2P Link Addressing
For point-to-point links between routers/switches and customers:
| Link Type | IPv4 Prefix Size | IPv6 Prefix Size | Recommended Ranges |
|---|---|---|---|
| Internal router links | /30 or /31 | /126 or /127 | 192.168.0.0/16 (IPv4), fd00::/48 (IPv6) |
| Customer BGP links | /30 or /31 | /126 or /127 | 192.168.$"ASNUM-LAST-OCTET".0/30 |
VLAN Addressing
For client VLANs:
| Client Type | VLAN ID Range | IPv4 Range | IPv6 Range |
|---|---|---|---|
| Standard clients | 100-199 | 10.100.0.0/16 | fd00:100::/48 |
| BGP partners | $"ASNUM Last 3 digits" | Varies by client | Varies by client |
Loopback Addressing
| Device Role | IPv4 Range | IPv6 Range |
|---|---|---|
| Core routers | 10.1.1.0/24 | fd00:1:1::/48 |
| Distribution switches | 10.1.2.0/24 | fd00:1:2::/48 |
| Route servers | 10.1.3.0/24 | fd00:1:3::/48 |
Management Network
| Device Type | IPv4 Range |
|---|---|
| Network devices | 10.10.10.0/24 |
| Servers | 10.10.20.0/24 |
| Out-of-band management | 10.10.30.0/24 |
Troubleshooting
Common Issues and Solutions
- BGP Not Advertising with Correct AS Path:
  - Ensure aggregate routes are active in routing table
  - Check that the static routes are more specific than the aggregate and more preferred (preference 5 versus 130)
  - Verify export policies are applied correctly
- Traffic Not Reaching Client:
  - Check VLAN assignment on QFX
  - Verify client is in correct VLAN
  - Confirm static routes on QFX point to client interface
  - Verify IRB interface is up
- Route Preference Issues:
  - Direct routes: Preference 0
  - Specific static routes: Preference 5
  - Aggregate routes: Preference 130
Configuration Examples
Example: Announcing Prefix for AS34689
SRX Configuration:
# Aggregate route for BGP announcement
set routing-options aggregate route 185.75.243.0/24 as-path path 34689
set routing-options aggregate route 185.75.243.0/24 as-path origin egp
# More specific routes for forwarding
set routing-options static route 185.75.243.0/25 next-hop 192.168.99.2 preference 5
set routing-options static route 185.75.243.128/25 next-hop 192.168.99.2 preference 5
# Policy for BGP export
set policy-options policy-statement ANNOUNCE-AS34689 term announce-as34689-prefixes from route-filter 185.75.243.0/24 exact
set policy-options policy-statement ANNOUNCE-AS34689 term announce-as34689-prefixes then accept
# Apply to upstream BGP
set protocols bgp group upstream export ANNOUNCE-AS34689
set protocols bgp group cogent export ANNOUNCE-AS34689
Note: If there are no actual devices using IPs from the announced prefix yet, temporary loopback addresses may be needed on the SRX. However, these can be removed once real devices are connected.
QFX Configuration:
# VLAN configuration
set vlans CLIENT-34689 vlan-id 346
set vlans CLIENT-34689 l3-interface irb.346
# IRB interface
set interfaces irb unit 346 family inet address 185.75.243.1/25 primary
set interfaces irb unit 346 family inet address 185.75.243.129/25
# Client interface
set interfaces xe-0/0/13 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/13 unit 0 family ethernet-switching vlan members CLIENT-34689
Example: Partner with Own BGP Session
SRX Configuration:
# BGP group
set protocols bgp group CLIENT-AS44477 type external
set protocols bgp group CLIENT-AS44477 description "Downstream AS44477"
set protocols bgp group CLIENT-AS44477 local-address 192.168.44.1
set protocols bgp group CLIENT-AS44477 import ACCEPT-AS44477
set protocols bgp group CLIENT-AS44477 export ps-default
set protocols bgp group CLIENT-AS44477 peer-as 44477
set protocols bgp group CLIENT-AS44477 neighbor 192.168.44.2
# Policies
set policy-options policy-statement ACCEPT-AS44477 term accept-routes from protocol bgp
set policy-options policy-statement ACCEPT-AS44477 term accept-routes from as-path AS44477
set policy-options policy-statement ACCEPT-AS44477 term accept-routes then local-preference 300
set policy-options policy-statement ACCEPT-AS44477 term accept-routes then community add LOCAL-PREF-HIGHEST
set policy-options policy-statement ACCEPT-AS44477 term accept-routes then accept
QFX Configuration:
# VLAN configuration
set vlans CLIENT-44477 vlan-id 444
set vlans CLIENT-44477 l3-interface irb.444
# IRB interface
set interfaces irb unit 444 family inet address 192.168.44.1/30
# Client interface
set interfaces et-0/0/48 unit 0 family ethernet-switching interface-mode trunk
set interfaces et-0/0/48 unit 0 family ethernet-switching vlan members CLIENT-44477