How to configure a Juniper SRX210 as a client gateway using BGP?

Hi,

I need help configuring a Juniper SRX210 router; it's new, so assume it has the latest JunOS. We recently had a major Telco install Fibre internet (10Mbps full), but it is "Customer Managed", meaning they just provide a fibre transceiver with an RJ-45 port and we're supposed to do the rest!

We were told to purchase the Juniper SRX210he router, and they sent us the networking details we'd need to configure it. Unfortunately I've never used JunOS and BGP; I have used Juniper ScreenOS with Amazon's VPC service, and various other routers, but not much else with BGP. So I don't really know where to begin. I'm not even sure what this config is called so I'm not even sure what to search for.

I would like the SRX210 to act as the "default gateway" for our existing router (a SonicWALL), so in theory it shouldn't need much config, as it only needs to route all packets between us and the internet; no NAT or filtering (our SonicWALL is already configured for all that). Like:

[ISP Fibre] -- [ISP Transceiver] -- [Juniper SRX210] -- [Our SonicWALL] -- [Our LAN]

---------------------------------

Here is the (sanitized) info we were given (I've substituted different values in some places, but the idea is the same):

Customer Service ID: 1587599
Routing Protocol: BGP
ISP ASN: 6582
Customer ASN: 65422
BGP Password: 1587599
ISP Primary Internet IP: 201.194.38.18/30
Customer Primary Internet IP & Subnet Mask: 201.194.38.17 / 255.255.255.252
Primary Internet VLAN: 1900
ISP Secondary Internet IP: 201.194.38.38/30
Customer Secondary Internet IP & Subnet Mask: 201.194.38.37 / 255.255.255.252
Secondary Internet VLAN: 1901
Routable LAN IP & Subnet mask: 201.194.210.8/29
Useable LAN IPs: 201.194.210.9 - 14

What I believe needs to be done:

 1. Configure an interface with 2 VLANs/virtual interfaces, one each for the Primary and Secondary IPs. Connect to the Fibre connection.
 2. Configure an interface with a usable IP (such as 201.194.210.9/29). Connect to our router.
 3. Configure eBGP between the Juniper and the ISP.
 4. Place all interfaces in the same trust zone.
 5. Disable NAT.
 6. Disable any firewall rules (or configure any/any/any rules).
 7. Configure routing. I assume ISP will advertise a default route to the internet. The Juniper may need to advertise the 201.194.210.8/29 network back to ISP.
 8. Are there additional steps needed on the Juniper to enable Steps A-C on the SonicWALL (below)?

Then I should be able to:  
A: Assign 201.194.210.10/29 to our SonicWALL  
B: Use 201.194.210.10 as the Default Gateway on our SonicWALL  
C: Use this Fibre internet connection.  
(I can do these)

-----------------------------

Can anyone help with Steps 1-8? Either a config I can edit, paste in and use? Or guide me to what I need to do? Or point me to a site/document with info to accomplish what I need to do?

I have tried searching along the lines of Juniper/JunOS BGP Customer Gateway, etc., but since I don't know what the ISPs/Network Gurus would call this, I'm not having much luck. I suspect it's probably easier than I think; I just don't know where to begin. I am fairly proficient with networking, just not JunOS or BGP.

Thanks so much!
YardstickAsked:

dpk_walCommented:
Assumptions:
1. You have connected console cable on SRX and have access to CLI.
2. ge-0/0/0 (first port from left) is connected to the fibre from the ISP and ge-0/0/1 (second port from left) is connected to the Sonicwall [both are Gigabit ports (1000 Mbps); the rest of the ports are Fast Ethernet (100 Mbps)].
3. ISP is pushing a default route down the eBGP
4. You are not running ipv6.
5. BGP password is MD5.

From the router CLI:
1. Log in as user root; there is no password.
2. You should get a prompt like root#.
3. Issue command: cli [press ENTER key]; prompt should change to root@>
4. Issue command: configure [press ENTER key]; prompt should change to root@#
5. Delete all the default configuration so we start afresh; issue command:
     delete
     [press ENTER key; you would be prompted; press y, hit ENTER key]
6. Give router some name, issue command:
       set system host-name name-as-you-wish
7. You can create an additional user [other than predefined user root; you would be prompted to enter and then re-enter password for this user; OPTIONAL]:
      set system login user new-user-name class super-user authentication plain-text-password
8. If you wish to configure DNS on the router [OPTIONAL]:
      set system name-server dns-ip ### e.g., 8.8.8.8 or 4.2.2.2
9. As you wish to use the SRX as a router, we configure the SRX to act in packet mode instead of flow mode; command below:
      set security forwarding-options family mpls mode packet-based
10. Set password for root user [you would be prompted to enter and then re-enter password]:
     set system root-authentication plain-text-password
11. To enable SSH/telnet/web GUI, issue cli below:
     set system services ssh
     set system services telnet #### [OPTIONAL]
* For HTTP access [OPTIONAL; web GUI would open from IP 201.194.210.9]:
     set system services web-management http interface ge-0/0/1.0
* For HTTPS access [OPTIONAL; web GUI would open from IP 201.194.210.9]:
     set system services web-management https system-generated-certificate
     set system services web-management https interface ge-0/0/1.0
12. Configuring IPs on interfaces [with the assumptions above]:
     set interfaces ge-0/0/0 vlan-tagging
     set interfaces ge-0/0/0.1900 vlan-id 1900
     set interfaces ge-0/0/0.1900 family inet address 201.194.38.17/30
     set interfaces ge-0/0/0.1901 vlan-id 1901
     set interfaces ge-0/0/0.1901 family inet address 201.194.38.37/30
     set interfaces ge-0/0/1.0 family inet address 201.194.210.9/29
13. Enabling eBGP on ge-0/0/0.1900 [not creating BGP peering over VLAN 1901 in this example]:
     set protocols bgp group external-peers type external
     set protocols bgp group external-peers peer-as 6582
     set protocols bgp group external-peers neighbor 201.194.38.18
     set protocols bgp group external-peers local-interface ge-0/0/0.1900
     set protocols bgp group external-peers export POL_STATIC
     set protocols bgp group external-peers authentication-key 1587599
     set routing-options autonomous-system 65422
14. Creating policy to export LAN route to BGP:
     set policy-options policy-statement POL_STATIC term 1 from interface ge-0/0/1.0
     set policy-options policy-statement POL_STATIC term 1 then accept
15. To view all the configuration:
     show
     show | display set
16. Commit the configuration:
     commit
17. Exit the configuration mode; prompt would change to root@hostname>
     exit
18. Reboot the router for flow to packet mode conversion:
     request system reboot

Now SRX would behave as a router.

One correction on your original post:
>> B: Use 201.194.210.10 as the Default Gateway on our SonicWALL  
The IP I have mentioned for SRX is .9; so default gateway on Sonicwall should be 201.194.210.9.

Please implement and update.

Thank you.
YardstickAuthor Commented:
Thanks dpk_wal,

I will get someone to connect up the Juniper so I can connect via console cable (unfortunately I am in another city from the router).

And yes, the step B: was a copy/paste typo on my part, the Gateway on the SonicWALL should be .9 as you noted.

Regarding your assumptions:
3. ISP is pushing a default route down the eBGP
-- I don't know, but I assume so. The ISP is listed on http://routeserver.org and I can connect to their route server so I can probably check.
4. You are not running ipv6.
-- Correct, no IPv6 at this point.
5. BGP password is MD5.
-- I don't know, all I know is what they gave me (above), if MD5 for the BGP password is standard then I assume it is.

One other question: how would we implement firewall rules to allow SSH and HTTPS only from certain IPs/subnets? For example, to allow SSH and HTTPS from any IP on ge-0/0/1 (the internal interface, or our internal LAN subnet is 10.77.124.0/24 if that is easier), but only from, say, 171.90.198.180 and 65.126.35.155/29 on ge-0/0/0 (the external interface). Those are our other offices, so we can manage the Juniper remotely.

Thanks again, and I'll post back once I get console access and can connect in to try this out!
dpk_walCommented:
Have a look at link below:
http://www.juniper.net/techpubs/en_US/junos12.2/topics/example/firewall-filter-stateless-example-trusted-source-block-telnet-and-ssh-access.html

In the example above it talks about SSH and telnet; you can extend it to HTTPS; and change source from 192.168.1.0/24 to your specific subnets [both internal and external].

In the link above the firewall filter [FF; called ACL in other vendors' vocabulary] is applied on the loopback interface [lo0.0] and has box-specific scope; if you wish to permit access to a specific interface from specific hosts/subnets, then you can create two FFs and apply one each on input [ingress direction] on the specific interface.

Please let me know if you need more details.

Thank you.
dpk_walCommented:
Any progress on this?
YardstickAuthor Commented:
Hi dpk_wal,

I have the router connected and I am configuring it now. I followed your steps but when I try to commit I get an error:

root@# commit
[edit protocols]
  'bgp'
    Error in neighbor 201.194.38.18 of group external-peers:
local interface valid for IPv6 link local direct EBGP
warning: You have changed mpls flow mode.
You have to reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
error: configuration check-out failed

If I try to exit it says I have uncommitted changes. I tried googling to see if I missed something or if I could add something, but nothing I tried helped. I removed the whole bgp group "external-peers" and re-added it using your commands, but I get the same error. I did no IPv6 / inet6 config, so I'm not sure why it thinks anything of IPv6. All I did optionally was enable SSH and HTTPS, but not telnet or HTTP. I reviewed "show | display set" and it looks correct compared to what I typed in.

Ideas? I can post the config as it is now, if that helps.
YardstickAuthor Commented:
show | display set

set version 11.2R4.3
set system host-name FibreGateway
set system root-authentication encrypted-password "blahblahblah"
set system name-server 8.8.8.8
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 1900 vlan-id 1900
set interfaces ge-0/0/0 unit 1900 family inet address 201.194.38.17/30
set interfaces ge-0/0/0 unit 1901 vlan-id 1901
set interfaces ge-0/0/0 unit 1901 family inet address 201.194.38.37/30
set interfaces ge-0/0/1 unit 0 family inet address 201.194.210.9/29
set routing-options autonomous-system 65422
set protocols bgp group external-peers type external
set protocols bgp group external-peers local-interface ge-0/0/0.1900
set protocols bgp group external-peers authentication-key "blahblah"
set protocols bgp group external-peers export POL_STATIC
set protocols bgp group external-peers peer-as 6582
set protocols bgp group external-peers neighbor 201.194.38.18
set policy-options policy-statement POL_STATIC term 1 from interface ge-0/0/1.0
set policy-options policy-statement POL_STATIC term 1 then accept
set security forwarding-options family mpls mode packet-based

Did I miss something?
dpk_walCommented:
Deactivate the BGP part for the time being so you can commit; we will configure BGP after the commit and reboot.

deactivate protocols bgp
dpk_walCommented:
Remove the below CLI:
set protocols bgp group external-peers local-interface ge-0/0/0.1900
>>
delete protocols bgp group external-peers local-interface

the config becomes:

set protocols bgp group external-peers type external
set protocols bgp group external-peers authentication-key "blahblah"
set protocols bgp group external-peers export POL_STATIC
set protocols bgp group external-peers peer-as 6582
set protocols bgp group external-peers neighbor 201.194.38.18

To check BGP summary [operational mode command]:
show bgp summary

Please check and update.

Thank you.
YardstickAuthor Commented:
Hi,

After I posted I tried something similar (removed the external-peers group, committed, rebooted, tried to add it back again, but failed).

So now I have run:
delete protocols bgp group external-peers local-interface
And my config will commit, and it is as you indicate. [I also created an "admin" user]

I got someone to connect in the ISP's connection to the left-most port:
admin@FibreGateway> show bgp summary
Groups: 1 Peers: 1 Down peers: 1
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
201.194.38.18           6582          0          0       0       0     2:17:47 Active

Initially it said Connect instead of Active, but once the ISP connection was live, after a few minutes it said Connect. That seems like a good sign!

I tried to ping something but it fails:
admin@FibreGateway> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host

I wonder if there isn't a default route. You said we needed to assume the ISP was pushing a default route down eBGP, how do we confirm that? Or manually enter one?

admin@FibreGateway> show route summary
Autonomous system number: 65422
Router ID: 201.194.38.17

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
              Direct:      2 routes,      2 active
               Local:      3 routes,      3 active

admin@FibreGateway> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

201.194.38.16/30   *[Direct/0] 01:56:20
                    > via ge-0/0/0.1900
201.194.38.17/32   *[Local/0] 03:08:30
                      Local via ge-0/0/0.1900
201.194.38.36/30   *[Direct/0] 01:56:20
                    > via ge-0/0/0.1901
201.194.38.37/32   *[Local/0] 03:08:30
                      Local via ge-0/0/0.1901
201.194.210.9/32   *[Local/0] 03:08:30
                      Reject

Not sure if either of those help.
dpk_walCommented:
You are correct there is no default route.

You can add one manually:
set routing-options static route default next-hop 201.194.38.18

This should get you to internet.

>> 201.194.210.9/32   *[Local/0] 03:08:30
                      Reject
Why is this route in reject?
I think you have not allocated the IP correctly to interface ge-0/0/1; it looks like instead of:
 set interfaces ge-0/0/1.0 family inet address 201.194.210.9/29
you have:
 set interfaces ge-0/0/1.0 family inet address 201.194.210.9/32

Please check and update.

Thank you.
YardstickAuthor Commented:
I added the default route as you suggested, now when I "ping 8.8.8.8" I just get nothing, the cursor sits there. When I hit ^C it says 100% packet loss, it doesn't even say no route. Does it require some other kind of routing? (OSPF maybe? I did some googling before I posted and I saw it mentioned alongside BGP)

The ge-0/0/1.0 interface is correct, I confirmed it, but also removed it and re-added it to be sure. (see below)

The "show bgp summary" is the same.

The "show route summary" now lists 6 routes:
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
              Direct:      2 routes,      2 active
               Local:      3 routes,      3 active
              Static:      1 routes,      1 active

This is now updated for the static route:
admin@FibreGateway> show route

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:15:22
                    > to 201.194.38.18 via ge-0/0/0.1900
201.194.38.16/30   *[Direct/0] 09:54:41
                    > via ge-0/0/0.1900
201.194.38.17/32   *[Local/0] 11:06:51
                      Local via ge-0/0/0.1900
201.194.38.36/30   *[Direct/0] 09:54:41
                    > via ge-0/0/0.1901
201.194.38.37/32   *[Local/0] 11:06:51
                      Local via ge-0/0/0.1901
201.194.210.9/32   *[Local/0] 11:06:51
                      Reject

But it still shows Reject for 201.194.210.9/32. Does it require a loop back / lo0 interface maybe? Or a firewall rule to enable ping/ICMP? Or can we set it to something other than Reject? It should be Local for that IP via the ge-0/0/1 interface, no? And the 201.194.210.8/29 subnet should be ge-0/0/1.0 too, right? (so it can route for the SonicWALL, when we get to that)

When I ping the "internal" IP I get:
admin@FibreGateway> ping 201.194.210.9
PING 201.194.210.9 (201.194.210.9): 56 data bytes
ping: sendto: No route to host

admin@FibreGateway> show bgp group
Group Type: External                               Local AS: 65422
  Name: external-peers  Index: 0                   Flags: <>
  Export: [ POL_STATIC ]
  Holdtime: 0
  Total peers: 1        Established: 0
  204.191.38.18+179

Groups: 1  Peers: 1    External: 1    Internal: 0    Down peers: 1   Flaps: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 0          0          0          0          0          0

Has 0 for what I assume is Total and Active Paths.

Here is the current config:
admin@FibreGateway# show | display set
set version 11.2R4.3
set system host-name FibreGateway
set system root-authentication encrypted-password "blahblah"
set system name-server 8.8.8.8
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 1900 vlan-id 1900
set interfaces ge-0/0/0 unit 1900 family inet address 201.194.38.17/30
set interfaces ge-0/0/0 unit 1901 vlan-id 1901
set interfaces ge-0/0/0 unit 1901 family inet address 201.194.38.37/30
set interfaces ge-0/0/1 unit 0 family inet address 201.194.210.9/29
set routing-options static route 0.0.0.0/0 next-hop 201.194.38.18
set routing-options autonomous-system 65422
set protocols bgp group external-peers type external
set protocols bgp group external-peers authentication-key "blahblah"
set protocols bgp group external-peers export POL_STATIC
set protocols bgp group external-peers peer-as 6582
set protocols bgp group external-peers neighbor 201.194.38.18
set policy-options policy-statement POL_STATIC term 1 from interface ge-0/0/1.0
set policy-options policy-statement POL_STATIC term 1 then accept
set security forwarding-options family mpls mode packet-based

And just the internal interface:
ge-0/0/1 {
    unit 0 {
        family inet {
            address 201.194.210.9/29;
        }
    }
}

I will reboot the router (just in case?) and see if it's any happier in the morning. Thanks again for all your help.
dpk_walCommented:
Give me output for:
show int ge-0/0/1
I think the interface is down; hence the route is in reject state.

For being unable to ping 8.8.8.8: I think you would also not be able to ping your ISP's IP 201.194.38.18.
I overlooked the output you had posted for show bgp summary; the peer is down.
The connection is in Active state and not Established

http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/command-summary/show-bgp-summary.html

Please check with your ISP why the eBGP session is down.

For troubleshooting on SRX, we can enable traceoptions [what other vendors call debug] to help find where the issue is:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/topic-map/bgp-troubleshooting.html

CLIs:
set protocols bgp traceoptions file <filename>
set protocols bgp traceoptions flag all

show log <filename> ### this CLI would display the contents of the debug file

Please sanitize and post.

As we have configured SRX in packet mode; it is now a router and everything is permitted by default unless explicitly denied.

Thank you.
YardstickAuthor Commented:
You were right, ge-0/0/1 was not connected to anything yet; I checked before:

admin@FibreGateway> show interfaces ge-0/0/1
Physical interface: ge-0/0/1, Enabled, Physical link is Down
  Interface index: 135, SNMP ifIndex: 511
  Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: 1000mbps,

Then I had someone connect a WAN port of some old DLink router to ge-0/0/1:

admin@FibreGateway> show interfaces ge-0/0/1
Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Interface index: 135, SNMP ifIndex: 511
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,

That fixed the local route:

admin@FibreGateway> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 10:38:58
                    > to 201.194.38.18 via ge-0/0/0.1900
201.194.38.16/30   *[Direct/0] 10:38:58
                    > via ge-0/0/0.1900
201.194.38.17/32   *[Local/0] 10:39:03
                      Local via ge-0/0/0.1900
201.194.38.36/30   *[Direct/0] 10:38:58
                    > via ge-0/0/0.1901
201.194.38.37/32   *[Local/0] 10:39:03
                      Local via ge-0/0/0.1901
201.194.210.8/29   *[Direct/0] 00:06:52
                    > via ge-0/0/1.0
201.194.210.9/32   *[Local/0] 10:39:03
                      Local via ge-0/0/1.0

And being able to ping itself:

admin@FibreGateway> ping 201.194.210.9
PING 201.194.210.9 (201.194.210.9): 56 data bytes
64 bytes from 201.194.210.9: icmp_seq=0 ttl=64 time=0.391 ms

I enabled BGP logging and let it run for a while; it doesn't appear to be connecting, as you pointed out (not Established). I will try and attach the logs. I can call the ISP and see what they say, but can you tell from the logs what I should be asking/telling them? (other than "it doesn't work!" :)

The ISP's equipment (fibre transceiver) is in a different room from the Juniper, so I had created a VLAN to connect them. I am getting someone to temporarily move the Juniper and the remote console computer I'm connected to closer so I can connect in directly. I'll let you know if that makes a difference. (I suspect the ISP would insist I do that to test anyway...)

The connection was:

FibreTransceiver -> (p24) Switch1 (p28) -> (p20) Switch2 (p3) -> Juniper ge-0/0/0

I had created VLAN 999 on both switches:
Switch1 untagged 24, tagged 28
Switch2 untagged 3, tagged 20
So it should be fine, but if it works connected directly we'll know for sure, or that someone has been messing with the cables :)

Thanks again.
YardstickAuthor Commented:
Success!!

It seems that either the VLAN was configured wrong or the cables were not connected as I was told. Or maybe the speed/duplex were wrong as the Juniper is connected at Half Duplex.
Connecting the Juniper directly to the ISP's fibre transceiver has it working now:

admin@FibreGateway> show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
201.194.38.18           6582          3          7       0       1        1:32 1/1/1/0              0/0/0/0

I removed the static route we added and it looks like the ISP is pushing a default route over eBGP:

admin@FibreGateway> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/170] 00:01:09, MED 80, localpref 100
                      AS path: 6582 ?
                    > to 201.194.38.18 via ge-0/0/0.1900
201.194.38.16/30   *[Direct/0] 00:01:37
                    > via ge-0/0/0.1900
201.194.38.17/32   *[Local/0] 00:47:48
                      Local via ge-0/0/0.1900
201.194.38.36/30   *[Direct/0] 00:47:43
                    > via ge-0/0/0.1901
201.194.38.37/32   *[Local/0] 00:47:48
                      Local via ge-0/0/0.1901
201.194.210.8/29   *[Direct/0] 00:47:44
                    > via ge-0/0/1.0
201.194.210.9/32   *[Local/0] 00:47:48
                      Local via ge-0/0/1.0

I can ping 8.8.8.8 as well now. However I can't ping by hostname, any idea why that would be?

I can connect to my real external IP (x.x.210.9). I am just getting someone to configure that DLink router's WAN port to test actual internet access.

I tested and I can SSH to the Juniper remotely, but I can't connect to HTTPS (says not valid for this interface -- which is fine). I will look at that link you gave to secure SSH to just the IPs I want.

I tried adding the ISP Secondary IP to the BGP peers and it worked, I disabled the ge-0/0/0.1900 interface and I still had internet so it must have switched over to 0.1901. I re-enabled the interface and now it is running with both (looks like Primary has metric 80 and Secondary has metric 120).

If the internet on the Dlink test router works then it is all good I think! Thanks so much for your help.

Here is the final config file:

admin@FibreGateway> show configuration | display set
set version 11.2R4.3    ### My version
set system host-name FibreGateway
set system root-authentication encrypted-password "blahblah"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system login user admin uid 2001     ### Added a 2nd user
set system login user admin class super-user
set system login user admin authentication encrypted-password "blahblah"
set system services ssh    ### World accessible, need to secure
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 1900 vlan-id 1900
set interfaces ge-0/0/0 unit 1900 family inet address 201.194.38.17/30
set interfaces ge-0/0/0 unit 1901 vlan-id 1901
set interfaces ge-0/0/0 unit 1901 family inet address 201.194.38.37/30
set interfaces ge-0/0/1 unit 0 family inet address 201.194.210.9/29
set routing-options autonomous-system 65422
set protocols bgp group external-peers type external
set protocols bgp group external-peers authentication-key "blahblah"
set protocols bgp group external-peers export POL_STATIC
set protocols bgp group external-peers peer-as 6582
set protocols bgp group external-peers neighbor 201.194.38.18
set protocols bgp group external-peers neighbor 201.194.38.38   ### Added both
set policy-options policy-statement POL_STATIC term 1 from interface ge-0/0/1.0
set policy-options policy-statement POL_STATIC term 1 then accept
set security forwarding-options family mpls mode packet-based

(I disabled the logging)
YardstickAuthor Commented:
Update:

Looks like internet is working on the test Dlink! So your config is working! Thanks so much!

One question, I followed the firewall link:
http://www.juniper.net/techpubs/en_US/junos12.2/topics/example/firewall-filter-stateless-example-trusted-source-block-telnet-and-ssh-access.html

To try and block SSH access but I was unsuccessful. I tried to limit it to 2 ranges of external IPs and the "internal" subnet, but I can still connect via SSH from my house.

Here is what I did, created the firewall rules (the 82.x and 109.x are other offices, the 201.194.210.8/29 is the local internal subnet):

set firewall family inet filter local_acl term terminal_access from address 82.13.169.32/28
set firewall family inet filter local_acl term terminal_access from address 109.90.171.176/29
set firewall family inet filter local_acl term terminal_access from address 201.194.210.8/29
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept

Then I applied it to the loopback interface:

set interfaces lo0 unit 0 family inet filter input local_acl
set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Committed and I could still connect on SSH from my house (which is a 68.x.x.x IP). I tried applying the local_acl to ge-0/0/1.0 as well with no luck. Did I miss something?

It looks the same as the example. Is it because it is in router mode? Can you suggest how to limit SSH access to just certain IPs/subnets?

Thanks.
dpk_walCommented:
Good to know that internet is working.

Did you disconnect your SSH session from home after the commit and then try to SSH in again? Existing sessions might not get impacted by firewall filters [FF].

The firewall filter configuration looks correct.
For access from internet the FF should be applied either on loopback or ge-0/0/0.1900 and ge-0/0/0.1901
For access from internal network restrictions ge-0/0/1 should be used instead.

Use show firewall log CLI to see which session is permitted/denied, details on CLI below:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/command-summary/show-firewall-log.html

Please check and update.

Thank you.
YardstickAuthor Commented:
Yes, internet is now working 100% -- we connected up the SonicWALL, I have tested inbound/outbound, all working as it should. Thanks so much for your help!

For management I had SSH disconnected, applied the FF rules and tried SSH, and it would still connect from any IP. I tried applying the "local_acl" filter to all interfaces, no change.

I looked in the firewall log and there wasn't much in there, just some random IPs trying to connect to the BGP interfaces (the .1900 and .1901 ones).

I found this site: http://www.dummies.com/how-to/content/control-ssh-and-telnet-access-to-junos-routers.html
It didn't work -- I think there are some typos, and when I corrected them I managed to block ALL access, even ICMP/ping. So between the site you listed and the one I found I managed to make it work.

I enabled HTTPS on all interfaces as well, then created the following policy:

set firewall filter limit_remote_access term access-ping from protocol icmp
set firewall filter limit_remote_access term access-ping then accept
set firewall filter limit_remote_access term access-term from source-address 82.13.169.32/28
set firewall filter limit_remote_access term access-term from source-address 109.90.171.176/29
set firewall filter limit_remote_access term access-term from source-address 201.194.210.8/29
set firewall filter limit_remote_access term access-term from protocol tcp
set firewall filter limit_remote_access term access-term from destination-port ssh
set firewall filter limit_remote_access term access-term then accept
set firewall filter limit_remote_access term block-term from protocol tcp
set firewall filter limit_remote_access term block-term from destination-port ssh
set firewall filter limit_remote_access term block-term then count bad-access
set firewall filter limit_remote_access term block-term then log
set firewall filter limit_remote_access term block-term then reject
set firewall filter limit_remote_access term default-term then accept

I then applied it to just the loopback interface:
set interfaces lo0 unit 0 family inet filter input limit_remote_access

Committed and it works! I can ping .9 from any IP, I can SSH and HTTPS from only those subnets (over the Internet and from an internal LAN machine, behind the SonicWALL); and it is routing as it should for .10 and the other IPs!

I was able to remove the "local_acl" FF. I'm not sure what the difference is between them. I think my rule (limit_remote_access) doesn't do anything foolish (what do you think?)

I'm all happy!
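An added example, not from this thread or from dpk_wal's answers, that tightens both the loopback filter in the post above and the eBGP policy from the first answer: it matches SSH and HTTPS together (the posted filter matches destination-port ssh only), limits TCP/179 to the two ISP peer addresses the log showed strangers probing, accepts only a default route from the ISP, and announces nothing but the 201.194.210.8/29 prefix. The prefix-list, filter and policy names are my own; the addresses are the sanitized values already used in the thread.

```junos
## Added example; names MGMT-SOURCES, BGP-PEERS, PROTECT-RE, ACCEPT-DEFAULT and
## EXPORT-LAN are assumed, addresses are the sanitized ones from this thread.

## Management sources: the two remote offices and the local /29
set policy-options prefix-list MGMT-SOURCES 82.13.169.32/28
set policy-options prefix-list MGMT-SOURCES 109.90.171.176/29
set policy-options prefix-list MGMT-SOURCES 201.194.210.8/29

## Only the ISP's primary and secondary peer addresses may talk BGP to the box
set policy-options prefix-list BGP-PEERS 201.194.38.18/32
set policy-options prefix-list BGP-PEERS 201.194.38.38/32

## Loopback filter protects the routing engine; terms are evaluated top to bottom
set firewall family inet filter PROTECT-RE term allow-icmp from protocol icmp
set firewall family inet filter PROTECT-RE term allow-icmp then accept

## BGP in either direction, but only with the listed peers
set firewall family inet filter PROTECT-RE term allow-bgp from source-prefix-list BGP-PEERS
set firewall family inet filter PROTECT-RE term allow-bgp from protocol tcp
set firewall family inet filter PROTECT-RE term allow-bgp from port bgp
set firewall family inet filter PROTECT-RE term allow-bgp then accept

## SSH and HTTPS only from the management sources
set firewall family inet filter PROTECT-RE term allow-mgmt from source-prefix-list MGMT-SOURCES
set firewall family inet filter PROTECT-RE term allow-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term allow-mgmt from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term allow-mgmt then accept

## Anyone else aiming at SSH, HTTPS or BGP on the box is counted, logged and dropped
set firewall family inet filter PROTECT-RE term block-services from protocol tcp
set firewall family inet filter PROTECT-RE term block-services from destination-port [ ssh https bgp ]
set firewall family inet filter PROTECT-RE term block-services then count re-blocked
set firewall family inet filter PROTECT-RE term block-services then log
set firewall family inet filter PROTECT-RE term block-services then discard

## Everything else addressed to the router itself is still allowed
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## eBGP import: take only a default route from the ISP, drop any other prefix
set policy-options policy-statement ACCEPT-DEFAULT term default-only from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ACCEPT-DEFAULT term default-only then accept
set policy-options policy-statement ACCEPT-DEFAULT then reject
set protocols bgp group external-peers import ACCEPT-DEFAULT

## eBGP export: announce only the directly connected /29, never anything learned elsewhere
set policy-options policy-statement EXPORT-LAN term lan from protocol direct
set policy-options policy-statement EXPORT-LAN term lan from route-filter 201.194.210.8/29 exact
set policy-options policy-statement EXPORT-LAN term lan then accept
set policy-options policy-statement EXPORT-LAN then reject
set protocols bgp group external-peers export EXPORT-LAN
```

After committing, "show firewall filter PROTECT-RE" shows the re-blocked counter and "show firewall log" the rejected sources, which is the check that the filter is actually being hit.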
YardstickAuthor Commented:
dpk_wal knows his stuff. I learned a lot. He/she was patient and answered my questions. It's all working just the way I want it now!
dpk_walCommented:
Both the FFs look similar to me, with a few minor differences, which should not matter.

It's working, which is all that matters!!