{"id":1053,"date":"2008-11-15T16:05:37","date_gmt":"2008-11-15T15:05:37","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2008\/11\/15\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\/"},"modified":"2008-11-15T16:05:37","modified_gmt":"2008-11-15T15:05:37","slug":"juniper-screenos-bgp-basics-a-simple-ibgp-test-case","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2008\/11\/15\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\/","title":{"rendered":"Juniper ScreenOS BGP Basics : a simple iBGP test case"},"content":{"rendered":"<p>As explained in one of my <a href=\"\/index.php\/2008\/10\/19\/using-ospf-on-juniper-netscreen-firewalls\/\" target=\"_blank\" rel=\"noopener\">earlier posts<\/a>, ScreenOS supports a couple of ways to provide for dynamic routing. Today, I\u2019m going to explain some basic implementations of <a href=\"http:\/\/en.wikipedia.org\/wiki\/BGP\" target=\"_blank\" rel=\"noopener\">BGP<\/a> on ScreenOS. Unlike my post on OSPF, I won\u2019t be going too much into all the details of what BGP is and how it works, but we need to understand some important basic facts about BGP before looking at the configuration.<\/p>\n<h3>Introduction<\/h3>\n<p>First of all, while OSPF is a broadcast-based mechanism, BGP is connection-oriented and uses TCP sessions between BGP peers in order to exchange information. 
This means that BGP peers don\u2019t need to be in the same broadcast domain in order to communicate, form neighbors and exchange information.&#160; It also means that you can have BGP peers that are connected over one or more routers, even non-BGP enabled routers\/hosts, and that you can easily run BGP through firewalls as well.&#160; BGP uses TCP port 179 to communicate.<\/p>\n<p>It is important to know that BGP does not really have reliability mechanisms (OSPF has LSAck messages), so the TCP sessions between the peers must be up at all times, even if the peers are not exchanging information.<\/p>\n<p>Next, BGP is a path-vector routing protocol.&#160; Unlike <a href=\"http:\/\/en.wikipedia.org\/wiki\/Interior_gateway_protocol\" target=\"_blank\" rel=\"noopener\">interior routing protocols<\/a> (such as OSPF), BGP (which is an <a href=\"http:\/\/en.wikipedia.org\/wiki\/Exterior_Gateway_Protocol\" target=\"_blank\" rel=\"noopener\">exterior routing protocol<\/a>) does not contain metric information, but merely consists of the AS path that can be used to reach a particular network.&#160;&#160; By default, the best path is the one with the fewest number of AS&#160; in the path between source and destination.<\/p>\n<p>BGP does not deal with hops or links, but with AS (Autonomous Systems).&#160; BGP refers to networks as <em>prefixes<\/em>.&#160; When a prefix is advertised from an AS, BGP will send out the information about the prefix to the connected AS, until all AS are aware of the prefix.&#160;&#160; BGP adds the AS number to the AS path (which is the equivalent of a route in an IGP such as OSPF). So when an AS learns about a new prefix (network), it really learns about the path associated with this network.&#160; This is what happens on the internet, and within other EBGP networks.<\/p>\n<p>IBGP is somewhat easier to understand, because there is only one AS \u2013 the current AS. 
That\u2019s the main difference between IBGP and EBGP.&#160; <\/p>\n<p>Since there is only one AS within IBGP, why would we choose BGP over OSPF ?&#160;&#160; 2 easy reasons :<\/p>\n<ul>\n<li>BGP uses TCP connections instead of broadcasts (ability to connect to BGP peers across routers) <\/li>\n<li>the ability to use access lists and route maps to filter both incoming and outgoing advertisements (OSPF can only filter outgoing routes, not incoming routes). Furthermore, you can even filter traffic from other AS (in, out or passing through) <\/li>\n<\/ul>\n<p>&#160;<\/p>\n<p>Some terminology before looking at a basic setup :<\/p>\n<p><strong><u>Peers (neighbors): <\/u><\/strong>these are BGP device pairs that are configured to exchange information.&#160; On Juniper, when a device has been configured to connect to a peer, the device can be in one of the following BGP states :<\/p>\n<ul>\n<li>Idle (initial state, all BGP connections are refused until a start event is triggered) <\/li>\n<li>Connect : the BGP host waits for a TCP connection to be completed <\/li>\n<li>Active : BGP is configured on the host, but a TCP timeout has occurred and the session is not established yet. (Note : When state is Active, this only means that BGP has been configured.) <\/li>\n<li>OpenSent : TCP connection is established and open message was sent to the remote peer.&#160; BGP waits to receive an open message from the remote peer <\/li>\n<li>OpenConfirm : Open message was received from remote peer, and BGP now waits for keepalive message or notification message.&#160; If it receives a keepalive, the state will change to Established. If no keepalive is received, the state will change to idle <\/li>\n<li>Establish : BGP peers are fully connected\/adjacent and can exchange information (keepalives, updates and notification messages) <\/li>\n<\/ul>\n<p>BGP only sends updates when a change occurs. 
There is no periodic refresh.&#160; Peers will, however, use keepalives to maintain the TCP connection, even if nothing needs to be exchanged.&#160; If a neighbor goes down, BGP will remove all routes to the peer and will update its other peers accordingly.<\/p>\n<p><strong><u>BGP modes :<\/u><\/strong><\/p>\n<p>There are 2 main BGP modes : EBGP and IBGP<\/p>\n<p>If peers are members of 2 different ASs, the connection between the two peers is an EBGP connection.&#160; When running EBGP, the devices must be directly connected<\/p>\n<p>If peers are members of the same AS, the connection between the two peers is an IBGP connection. Devices only need to be able to connect to each other. They need to be connected over IP, reachable over TCP port 179, but they don\u2019t have to be directly connected. They only need to be able to route to each other.&#160; Take this into account. Make sure the route that interconnects the BGP peers in IBGP will continue to work, even if BGP does not work.&#160; In order for iBGP to fully work, all iBGP hosts in the AS must be fully meshed. In other words, all iBGP peers must be connected to each other.&#160; This is required because iBGP peers only exchange information about themselves, and not about other neighbors.&#160; This could make the number of neighbors quite large, and thus the setup quite complex.&#160; You can set up one or more iBGP hosts to become a BGP reflector. 
In this mode, the iBGP host will exchange information from all reflector clients (from all iBGP hosts that have a relationship with the reflector), which could help simplify the setup.&#160; You can also use confederations (sub-AS glued together as a new AS) as an alternative to a full mesh topology.<\/p>\n<p><u><strong>Transit domain :<\/strong><\/u><\/p>\n<p>This configuration allows traffic from other ASs to pass through its network.<\/p>\n<p>&#160;<\/p>\n<p>&#160;<\/p>\n<p>&#160;<\/p>\n<p>It is important to understand that BGP enabled devices will not add new routes to the routing table if the next hop to the BGP route is not reachable.&#160; The BGP next_hop for a specific route that is learned via EBGP is typically the EBGP peer\u2019s IP address, which may not be reachable for a host that talks IGP (behind the EBGP router).&#160; In that case, BGP can be configured to change the next_hop address and put its own IP address as next_hop, so the IGP routers can still reach the next_hop.&#160; This feature can be enabled using the nhself-enable configuration attribute (configure this on a per peer basis)<\/p>\n<p>&#160;<\/p>\n<h3>Basic configuration<\/h3>\n<p><strong><u>Initial setup :<\/u><\/strong><\/p>\n<p><a href=\"\/wp-content\/uploads\/2008\/11\/bgp-initial.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" title=\"bgp_initial\" style=\"border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px\" height=\"301\" alt=\"bgp_initial\" src=\"\/wp-content\/uploads\/2008\/11\/bgp-initial-thumb.png\" width=\"507\" border=\"0\" \/><\/a>&#160; <\/p>\n<p>The SSG5, router 1 and router 2 are part of OSPF area 0. They all have connected subnets. 
These subnets are redistributed into OSPF and are available on all hosts.<\/p>\n<p>The routing table on SSG5-1 looks like this :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">IPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">untrust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (0 entries)\n--------------------------------------------------------------------------------------\nH: Host C: Connected S: Static A: Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\nN: NHRP\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2 trailing B: backup route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">trust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (34 entries)\n--------------------------------------------------------------------------------------\n         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys\n--------------------------------------------------------------------------------------\n*      1029          0.0.0.0\/0         eth0\/0    84.197.144.1   C    0      1     Root\n*        15        10.2.0.8\/32         eth0\/3         0.0.0.0   H    0      0     Root\n*      1014   192.168.132.0\/24         eth0\/1     192.168.0.1  E2  200      1     Root\n*         7     192.168.0.8\/32         eth0\/1         0.0.0.0   H    0      0     Root\n*        13     192.168.1.8\/32         eth0\/2         0.0.0.0   H    0      0     Root\n*         6     192.168.0.0\/24         eth0\/1         0.0.0.0   C    0      0     Root\n*       996   
192.168.100.0\/24         eth0\/1     192.168.0.7  E2  200     10     Root\n*        14        10.2.0.0\/24         eth0\/3         0.0.0.0   C    0      0     Root<\/pre>\n<\/div>\n<p><strong><u>Goal<\/u><\/strong> : Add SSG5-2 to the network, ip 192.168.0.30. This device has connected network 192.168.2.0\/24.&#160; Form an iBGP connection between SSG5-1 and SSG5-2 (AS65000) and exchange routing information between the two SSG5 devices.&#160; In addition, we will configure SSG5 so it injects the routes that are learned over BGP into OSPF (so they will become available on the OSPF routers)<\/p>\n<p>&#160;<a href=\"\/wp-content\/uploads\/2008\/11\/bgp-goal.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" title=\"bgp_goal\" style=\"border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px\" height=\"365\" alt=\"bgp_goal\" src=\"\/wp-content\/uploads\/2008\/11\/bgp-goal-thumb.png\" width=\"491\" border=\"0\" \/><\/a> <\/p>\n<p>&#160;<\/p>\n<p><strong><u>Configuration : SSG5-1<\/u><\/strong><\/p>\n<p>On SSG5-1, we need to enable BGP on the vrouter, set the AS, create the neighbor peer, set up authentication, and enable BGP on the interface (eth0\/1)<\/p>\n<p>SSG5-1 has already been configured for OSPF, so the device already has a router-id<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">#define local AS\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp 65000\n#enable BGP in vrouter trust-vr\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp 
enable\n#create neighbor\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor 192.168.0.30 remote-as 65000\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor 192.168.0.30 md5-authentication ThisIsMyMD5Password\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor 192.168.0.30 enable\n#enable BGP on interface eth0\/1\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set int eth0\/1 proto bgp<\/pre>\n<\/div>\n<p>When looking up the bgp neighbor list on ssg5-1, this is what we see :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr proto bgp neighbor \nPeer AS Remote IP       Local IP          Wt Status   State     ConnID Up\/Down\n--------------------------------------------------------------------------------\n  65000 192.168.0.30    0.0.0.0          100 Enabled  ACTIVE         0 8d;20:49:30<\/pre>\n<\/div>\n<p>State is ACTIVE, which only means that BGP is configured, but no connection has been established with the peer. 
This is normal, because we did not configure the peer yet<\/p>\n<p>&#160;<\/p>\n<p><strong><u>Configuration : SSG5-2<\/u><\/strong><\/p>\n<p>Initial config : interfaces<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ss5-2-<span style=\"color: #0000ff\">&gt;<\/span> get int\n\nA - Active, I - Inactive, U - Up, D - Down, R - Ready \n\nInterfaces in vsys Root: \nName           IP Address                        Zone        MAC            VLAN State VSD      \nserial0\/0      0.0.0.0\/0                         Null        0021.5934.2c15    -   D   -  \neth0\/0         0.0.0.0\/0                         Untrust     0021.5934.2c00    -   D   -  \neth0\/1         192.168.0.30\/24                   LAN         0021.5934.2c05    -   U   -  \neth0\/2         192.168.2.8\/24                    LAN2        0021.5934.2c06    -   U   -  \neth0\/3         0.0.0.0\/0                         Null        0021.5934.2c07    -   D   -  \neth0\/4         0.0.0.0\/0                         Null        0021.5934.2c08    -   D   -  \neth0\/5         0.0.0.0\/0                         Null        0021.5934.2c09    -   D   -  \neth0\/6         0.0.0.0\/0                         Null        0021.5934.2c0a    -   D   -  \nbgroup0        0.0.0.0\/0                         Trust       0021.5934.2c0b    -   D   -  \nbgroup1        0.0.0.0\/0                         Null        0021.5934.2c0c    -   D   -  \nbgroup2        0.0.0.0\/0                         Null        0021.5934.2c0d    -   D   -  \nbgroup3        0.0.0.0\/0                         Null        0021.5934.2c0e    -   D   -  \nvlan1          0.0.0.0\/0                         VLAN        
0021.5934.2c0f    1   D   -  \nnull           0.0.0.0\/0                         Null        N\/A               -   U   0 <\/pre>\n<\/div>\n<p>Initial config : routes<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ss5-2-<span style=\"color: #0000ff\">&gt;<\/span> get route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">untrust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (0 entries)\n--------------------------------------------------------------------------------------\nH: Host C: Connected S: Static A: Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\nN: NHRP\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2 trailing B: backup route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">trust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (4 entries)\n--------------------------------------------------------------------------------------\n         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys\n--------------------------------------------------------------------------------------\n*         8     192.168.2.8\/32         eth0\/2         0.0.0.0   H    0      0     Root\n*         6    192.168.0.30\/32         eth0\/1         0.0.0.0   H    0      0     Root\n*         7     192.168.2.0\/24         eth0\/2         0.0.0.0   C    0      0     Root\n*         5     192.168.0.0\/24         eth0\/1         0.0.0.0   C    0      0     Root<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>Set up BGP<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 
0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">#define local AS\nssg5-2-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp 65000\n#enable BGP in vrouter trust-vr\nssg5-2-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp enable\n#create neighbor\nssg5-2-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor 192.168.0.8 remote-as 65000\nssg5-2-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor 192.168.0.8 md5-authentication ThisIsMyMD5Password\nssg5-2-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor 192.168.0.8 enable\n#enable BGP on interface eth0\/1\nssg5-2-<span style=\"color: #0000ff\">&gt;<\/span> set int eth0\/1 proto bgp<\/pre>\n<\/div>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<p>If we look at the bgp neighbor information on ssg5-2, this is what we get :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ss5-2-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr proto bgp neighbor \nPeer AS Remote IP       Local IP          Wt Status   State     ConnID Up\/Down\n--------------------------------------------------------------------------------\n  65000 192.168.0.8     192.168.0.30     100 Enabled  ESTABLISH      5 00:00:13\n\ntotal 1 BGP peers shown<\/pre>\n<\/div>\n<p>On ssg5-1, we 
see<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr proto bgp neighbor\nPeer AS Remote IP       Local IP          Wt Status   State     ConnID Up\/Down\n--------------------------------------------------------------------------------\n  65000 192.168.0.30    192.168.0.8      100 Enabled  ESTABLISH     52 00:01:38\n\ntotal 1 BGP peers shown<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>So as soon as we have enabled bgp, the two ssg5 devices have formed neighbors and are in state establish.<\/p>\n<p>What does the routing table look like at this point ?<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ss5-2-<span style=\"color: #0000ff\">&gt;<\/span> get route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">untrust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (0 entries)\n--------------------------------------------------------------------------------------\nH: Host C: Connected S: Static A: Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\nN: NHRP\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2 trailing B: backup route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: 
#800000\">trust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (4 entries)\n--------------------------------------------------------------------------------------\n         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys\n--------------------------------------------------------------------------------------\n*         8     192.168.2.8\/32         eth0\/2         0.0.0.0   H    0      0     Root\n*         6    192.168.0.30\/32         eth0\/1         0.0.0.0   H    0      0     Root\n*         7     192.168.2.0\/24         eth0\/2         0.0.0.0   C    0      0     Root\n*         5     192.168.0.0\/24         eth0\/1         0.0.0.0   C    0      0     Root\n\n\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get route\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">untrust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (0 entries)\n--------------------------------------------------------------------------------------\nH: Host C: Connected S: Static A: Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\nN: NHRP\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2 trailing B: backup route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">trust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (xx entries)\n--------------------------------------------------------------------------------------\n         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys\n--------------------------------------------------------------------------------------\n*      1029          0.0.0.0\/0         eth0\/0    84.197.144.1   C    0      1     Root\n*        15        10.2.0.8\/32         eth0\/3         0.0.0.0   H    0      0     Root\n*      1014   192.168.132.0\/24         eth0\/1     192.168.0.1  E2  200      1     Root\n*         7     192.168.0.8\/32         
eth0\/1         0.0.0.0   H    0      0     Root\n*        13     192.168.1.8\/32         eth0\/2         0.0.0.0   H    0      0     Root\n*         6     192.168.0.0\/24         eth0\/1         0.0.0.0   C    0      0     Root\n*       996   192.168.100.0\/24         eth0\/1     192.168.0.7  E2  200     10     Root\n*        14        10.2.0.0\/24         eth0\/3         0.0.0.0   C    0      0     Root<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>=&gt; no change.&#160; This is normal. We formed peers, but we did not specify what kind of information needs to be exchanged yet.<\/p>\n<p>Let\u2019s start by injecting the connected subnets on ssg5-2 into BGP :<\/p>\n<p>There are 2 ways to do this : you can inject the network manually, or you can use a route-map. We\u2019ll do it manually this time, you can find more info about creating route maps later in this blog post.<\/p>\n<p>Before setting up the redistribution, enable debugging on ssg5-1 :&#160; debug bgp all&#160; (so we can see what is going on under the hood)<\/p>\n<p>On ssg5-2, in order to distribute the connected network 192.168.2.0\/24, you need one command :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ss5-2-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp network 192.168.2.0\/24\nss5-2-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr proto bgp network\n\nnetwork            weight check reachable-prefix   rib-in route-map\n--------------------------------------------------------------------------------\n192.168.2.0\/24      32768 yes   192.168.2.0\/24     yes    null<\/pre>\n<\/div>\n<\/p>\n<p>(The second command shows that the 
route is being distributed into bgp)<\/p>\n<p>Now wait. The change will not be visible on ssg5-1 yet.&#160; Stop debugging on ssg5-1 (undebug all) and have a look at the log<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get db str\n## 2008-11-15 15:28:45 : [bgp\/update]:    start: send eBGP updates\n## 2008-11-15 15:28:45 : [bgp\/update]:    done : send eBGP updates OK\n## 2008-11-15 15:28:54 : [bgp\/update]:    start: update FDB CHUNKABLE run\n## 2008-11-15 15:28:54 : [bgp\/update]:    update FDB for 192.168.2.0\/24 flags 0x9\n## 2008-11-15 15:28:54 : [bgp\/route]:     best route does not exist: 192.168.2.0\/24\n## 2008-11-15 15:28:54 : [bgp\/network]:   check if route exists for (192.168.2.0\/24)-<span style=\"color: #0000ff\">&gt;<\/span>0.0.0.0\n## 2008-11-15 15:28:54 : [bgp\/network]:   route doesn't exist for (192.168.2.0\/24)\n## 2008-11-15 15:28:54 : [bgp\/route]:     Synchronization check failed\n## 2008-11-15 15:28:54 : [bgp\/update]:    done : update FDB COMPLETED run, sync fail 5 times\n## 2008-11-15 15:28:55 : [bgp\/update]:    start: send eBGP updates\n## 2008-11-15 15:28:55 : [bgp\/update]:    done : send eBGP updates OK\n## 2008-11-15 15:29:04 : [bgp\/update]:    start: update FDB CHUNKABLE run\n## 2008-11-15 15:29:04 : [bgp\/update]:    update FDB for 192.168.2.0\/24 flags 0x9\n## 2008-11-15 15:29:04 : [bgp\/route]:     best route does not exist: 192.168.2.0\/24\n## 2008-11-15 15:29:04 : [bgp\/network]:   check if route exists for (192.168.2.0\/24)-<span style=\"color: #0000ff\">&gt;<\/span>0.0.0.0\n## 2008-11-15 15:29:04 : [bgp\/network]:   route doesn't 
exist for (192.168.2.0\/24)\n## 2008-11-15 15:29:04 : [bgp\/route]:     Synchronization check failed\n## 2008-11-15 15:29:04 : [bgp\/update]:    done : update FDB COMPLETED run, sync fail 6 times\n## 2008-11-15 15:29:05 : [bgp\/update]:    start: send eBGP updates\n## 2008-11-15 15:29:05 : [bgp\/update]:    done : send eBGP updates OK\n## 2008-11-15 15:29:14 : [bgp\/update]:    start: update FDB CHUNKABLE run\n## 2008-11-15 15:29:14 : [bgp\/update]:    update FDB for 192.168.2.0\/24 flags 0x9<\/pre>\n<\/div>\n<p>As you can see, ssg5-1 did get the BGP update, but it did not accept it (\u201croute doesn\u2019t exist for\u2026&#160;&#160; \u201c and \u201csynchronization check failed\u201d)<\/p>\n<p>Run the following command on ssg5-1 :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">unset vrouter trust-vr proto bgp synchronization<\/pre>\n<\/div>\n<p>Now look again :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span>get route proto bgp\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">untrust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (0 entries)\n--------------------------------------------------------------------------------------\nH: Host C: Connected S: Static A: 
Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\nN: NHRP\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2 trailing B: backup route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">trust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (35 entries)\n--------------------------------------------------------------------------------------\n         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys\n--------------------------------------------------------------------------------------\n*      1031     192.168.2.0\/24         eth0\/1    192.168.0.30  iB  250      0     Root\n\nTotal number of bgp routes: 1<\/pre>\n<\/div>\n<p>The log file now indicates<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">## 2008-11-15 15:37:22 : [bgp\/stack]:     Rx 192.168.0.30: UPDATE msg, conn-id 56\n## 2008-11-15 15:37:22 : [bgp\/update]:    created new PA, peer 192.168.0.30\n## 2008-11-15 15:37:22 : [bgp\/update]:    validate\/canonical UPDATE pass\n## 2008-11-15 15:37:22 : [bgp\/update]:    start: proc updt msg, peer:192.168.0.30\n## 2008-11-15 15:37:22 : [bgp\/rtmap]:     start: apply policy route 0.0.0.0\/0, peer 192.168.0.30, rtmap NULL\n## 2008-11-15 15:37:22 : [bgp\/rtmap]:     done : apply policy route 0.0.0.0\/0, peer 192.168.0.30, rtmap NULL\n## 2008-11-15 15:37:22 : [bgp\/update]:    start: proc nlri 192.168.2.16\/24\n## 2008-11-15 15:37:22 : [bgp\/update]:    local rib add prefix 192.168.2.0 \/ pref 100, metric 0, next-hop 192.168.0.30\n## 2008-11-15 15:37:22 : [bgp\/nexthop]: added nexthop for BGP nexthop: 
192.168.0.30 with fdb nexthop: 192.168.0.30, cost: 0, reach_addr: 192.168.0.8, reach_mask: 24, bgprt: 0\n## 2008-11-15 15:37:22 : [bgp\/update]:    add 192.168.2.0\/24 to intchg\n## 2008-11-15 15:37:22 : [bgp\/update]:    done : proc nlri 192.168.2.16\/24 OK\n## 2008-11-15 15:37:22 : [bgp\/update]:    done : proc updt msg, peer:192.168.0.30\n## 2008-11-15 15:37:22 : [bgp\/update]:    start: send iBGP updates\n## 2008-11-15 15:37:22 : [bgp\/update]:    proc iBGP update prefix: 192.168.2.0\/24\n## 2008-11-15 15:37:22 : [bgp\/update]:     Add Withd_rt 192.168.2.0\/24 to peer 192.168.0.30 Tx_q\n## 2008-11-15 15:37:22 : [bgp\/update]:    add withdrawn prefix 192.168.2.0\/24 to peer 192.168.0.30 Tx-q\n## 2008-11-15 15:37:22 : [bgp\/stack]:     enqueue UPDATE msg to peer 192.168.0.30 via connID 56\n## 2008-11-15 15:37:22 : [bgp\/update]:    done : send iBGP updates<\/pre>\n<\/div>\n<p>Now the route is available on ssg5-1. We can now inject the routes learned via BGP into OSPF :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr\nssg5-1(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set access-list 5 permit ip 192.168.2.0\/24 10\nssg5-1(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set route-map name RedistBGPintoOSPF permit 10\nssg5-1(trust-vr\/RedistBGPintoOSPF-10)-<span style=\"color: #0000ff\">&gt;<\/span> set match ip 5\nssg5-1(trust-vr\/RedistBGPintoOSPF-10)-<span style=\"color: #0000ff\">&gt;<\/span> exit\nssg5-1(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> exit         \nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter 
trust-vr proto ospf redistribute route-map RedistBGPintoOSPF proto bgp<\/pre>\n<\/div>\n<p>If you now look at the OSPF routers (router-1 and router-2), you should see the route that was injected into OSPF<\/p>\n<p>On router 2 :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">C:\\<span style=\"color: #0000ff\">&gt;<\/span>route print\n\nIPv4 Route Table\n===========================================================================\nInterface List\n0x1 ........................... MS TCP Loopback interface\n0x10002 ...00 53 45 00 00 00 ...... WAN (PPP\/SLIP) Interface\n0x10003 ...00 1b 21 04 25 6d ...... Intel(R) PRO\/1000 GT Desktop Adapter\n0x20004 ...00 53 45 00 00 00 ...... 
WAN (PPP\/SLIP) Interface\n===========================================================================\n===========================================================================\nActive Routes:\nNetwork Destination        Netmask          Gateway       Interface  Metric\n          0.0.0.0          0.0.0.0      192.168.0.8      192.168.0.1     10\n      192.168.0.0    255.255.255.0      192.168.0.1      192.168.0.1     10\n      192.168.0.1  255.255.255.255        127.0.0.1        127.0.0.1     10\n    192.168.0.255  255.255.255.255      192.168.0.1      192.168.0.1     10\n<strong><font color=\"#ff0000\">      192.168.2.0    255.255.255.0     192.168.0.30      192.168.0.1     20<\/font><\/strong>\n    192.168.100.0    255.255.255.0      192.168.0.7      192.168.0.1     10\n    192.168.132.0    255.255.255.0      192.168.0.1      192.168.0.1     10\n        224.0.0.0        240.0.0.0      192.168.0.1      192.168.0.1     10\n  255.255.255.255  255.255.255.255      192.168.0.1      192.168.0.1      1\nDefault Gateway:       192.168.0.8\n===========================================================================<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>Step 1 accomplished. 
Now we would like to inject the routes that are known on ssg5-1 (connected nets + nets that are learned via OSPF) into BGP, so they would become visible on ssg5-2.<\/p>\n<p>Let\u2019s start with the connected nets.&#160; <\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp network 10.2.0.0\/24\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp network 192.168.1.0\/24\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr proto bgp network\n\nnetwork            weight check reachable-prefix   rib-in route-map\n--------------------------------------------------------------------------------\n10.2.0.0\/24         32768 yes   10.2.0.0\/24        yes    null\n192.168.1.0\/24      32768 yes   192.168.1.0\/24     yes    null<\/pre>\n<\/div>\n<p>Note the \u201cyes\u201d in the check column. 
By default, the route will only be advertised to the other BGP peers when the network is reachable (either via a static route or via IGP).&#160; You can turn this behaviour off by specifying the no-check attribute when defining the network that needs to be advertised :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp network 10.2.0.0\/24 no-check<\/pre>\n<\/div>\n<p>Keep in mind that, with this check turned off, you could be advertising prefixes to other BGP peers without being able to route packets to those networks.&#160; So I would recommend keeping these checks enabled.<\/p>\n<p>&#160;<\/p>\n<p>On ssg5-2, the nets are not visible yet. The bgp synchronisation is still active on this host, so this is blocking the prefixes from being added to the ssg5-2 routing table (as you would be able to see in the output of a debug bgp all). 
Turn off bgp sync and then check the route table again<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ss5-2-<span style=\"color: #0000ff\">&gt;<\/span> unset vrouter trust-vr proto bgp synchronization \nss5-2-<span style=\"color: #0000ff\">&gt;<\/span> get route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">untrust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (0 entries)\n--------------------------------------------------------------------------------------\nH: Host C: Connected S: Static A: Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\nN: NHRP\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2 trailing B: backup route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">trust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (6 entries)\n--------------------------------------------------------------------------------------\n         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys\n--------------------------------------------------------------------------------------\n*         8     192.168.2.8\/32         eth0\/2         0.0.0.0   H    0      0     Root\n*         6    192.168.0.30\/32         eth0\/1         0.0.0.0   H    0      0     Root\n*         7     192.168.2.0\/24         eth0\/2         0.0.0.0   C    0      0     Root\n*        10     192.168.1.0\/24         eth0\/1     192.168.0.8  iB  250      0     Root\n*         5     192.168.0.0\/24         eth0\/1         0.0.0.0   C    0      0     Root\n*         9        
10.2.0.0\/24         eth0\/1     192.168.0.8  iB  250      0     Root<\/pre>\n<\/div>\n<p><em>The \u201cunset vrouter trust-vr proto bgp sync\u201d command is needed because otherwise BGP will not advertise an update received from an iBGP peer unless the nexthop address in the update can be reached via an update from IGP or a static route. <\/em><\/p>\n<p>Excellent. The connected subnets from ssg5-1 are now available on ssg5-2<\/p>\n<p><em>You can also see the rib-in (Routing Information Base containing <\/em><a name=\"idx-CHP-17-1272\"><\/a><em>prefixes learned from BGP neighbors) (which should provide the same output as get route proto bgp) using the following command :<\/em><\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\"><em>get vrouter trust-vr protocol bgp rib-in<\/em><\/pre>\n<\/div>\n<p><em>With this command, you will see the AS numbers in the table as well. 
Since we are doing purely iBGP here, there will only be one AS, but if you start connecting to other ASes, doing eBGP, you will be able to use this command to find out the AS path to the destination<\/em><\/p>\n<p><em>Example output (not related to this exercise) :<\/em><\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\"><em>i: IBGP route, e: EBGP route, <span style=\"color: #0000ff\">&gt;<\/span>: best route, *: valid route\n               Prefix         Nexthop    Wt  Pref   Med Orig    AS-Path\n--------------------------------------------------------------------------------\nTotal routes in rib-in: 32 (0 in flap-damping history)\n--------------------------------------------------------------------------------\n<span style=\"color: #0000ff\">&gt;<\/span>e*    192.168.3.0\/24    192.168.0.31   100   100     0  IGP   65002\n<span style=\"color: #0000ff\">&gt;<\/span>i     192.168.1.0\/24         0.0.0.0 32768   100     0  IGP\netc...<\/em><\/pre>\n<\/div>\n<p><em>=&gt; in this example output, in order to reach the 192.168.3.0\/24 network, you need to get to AS 65002 (because this prefix originates from this AS).&#160; Host 192.168.0.31 provides a path to this AS (next-hop), with a Weight of 100 and a Preference of 100.&#160; The MED is 0, and the origin is IGP (so there is a full path known to this AS). If the path to the AS were incomplete, the \u201cOrig\u201d column would state \u201cINC\u201d<\/em><\/p>\n<p>&#160;<\/p>\n<p>Now, on ssg5-1, redistribute the routes that were learned via OSPF into BGP. 
We will need to create an access list and route map to do this, and then we can tell BGP to permit or deny in\/out flow of these routes.<\/p>\n<p>We will allow all nets, so we\u2019ll use 0.0.0.0\/0 in our access list :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr\nssg5-1(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set access-list 1 permit ip 0.0.0.0\/0 10\nssg5-1(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set route-map name RedistAllOSPFNets permit 10\nssg5-1(trust-vr\/RedistAllOSPFNets-10)-<span style=\"color: #0000ff\">&gt;<\/span> set match ip 1\nssg5-1(trust-vr\/RedistAllOSPFNets-10)-<span style=\"color: #0000ff\">&gt;<\/span> exit\nssg5-1(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set proto bgp\nssg5-1(trust-vr\/bgp)-<span style=\"color: #0000ff\">&gt;<\/span> set neighbor 192.168.0.30 route-map RedistAllOSPFNets out\nssg5-1(trust-vr\/bgp)-<span style=\"color: #0000ff\">&gt;<\/span> exit\nssg5-1(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> exit<\/pre>\n<\/div>\n<p>Now we need to tell BGP to redistribute routes from OSPF as well<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp 
redistribute route-map RedistAllOSPFNets proto ospf<\/pre>\n<\/div>\n<p>From the CLI on ssg5-1, disable and re-enable BGP and see if it starts working<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> unset vrouter trust-vr proto bgp enable\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp enable<\/pre>\n<\/div>\n<p>(Note : if you don\u2019t want to reset\/break the bgp relationship, you can also use the following commands to reset routing updates) :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> clear vrouter trust-vr protocol bgp neighbor 192.168.0.30 soft-in       # for Adj-rib-in messages\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> clear vrouter trust-vr protocol bgp neighbor 192.168.0.30 soft-out      # for Adj-rib-out messages<\/pre>\n<\/div>\n<p>You can confirm that the refresh has been completed by looking at the neighbor status :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, 
monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr protocol bgp neighbor 192.168.0.30 | incl refresh\nRoute refresh: advertised and received\n    route-refresh messages to peer: 1, from peer: 0<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ss5-2-<span style=\"color: #0000ff\">&gt;<\/span> get route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">untrust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (0 entries)\n--------------------------------------------------------------------------------------\nH: Host C: Connected S: Static A: Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\nN: NHRP\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2 trailing B: backup route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">trust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> \n--------------------------------------------------------------------------------------\n         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys\n--------------------------------------------------------------------------------------\n*        52   192.168.132.0\/24         eth0\/1     192.168.0.1  iB  250      0     Root\n*         8     192.168.2.8\/32         eth0\/2         0.0.0.0   H    0      0     Root\n*         6    192.168.0.30\/32         eth0\/1         0.0.0.0   H    0      0     Root\n*         7     
192.168.2.0\/24         eth0\/2         0.0.0.0   C    0      0     Root\n*        39     192.168.1.0\/24         eth0\/1     192.168.0.8  iB  250      0     Root\n*         5     192.168.0.0\/24         eth0\/1         0.0.0.0   C    0      0     Root\n*        34   192.168.100.0\/24         eth0\/1     192.168.0.7  iB  250      0     Root\n*        33        10.2.0.0\/24         eth0\/1     192.168.0.8  iB  250      0     Root<\/pre>\n<\/div>\n<p>Perfect !<\/p>\n<p>The debug bgp all shows<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">## 2001-05-12 02:48:20 : [bgp\/update]:    start: send iBGP updates\n## 2001-05-12 02:48:20 : [bgp\/update]:    proc iBGP update prefix: 192.168.100.0\/24\n## 2001-05-12 02:48:20 : [bgp\/update]:     Add Withd_rt 192.168.100.0\/24 to peer 192.168.0.8 Tx_q\n## 2001-05-12 02:48:20 : [bgp\/update]:    add withdrawn prefix 192.168.100.0\/24 to peer 192.168.0.8 Tx-q\n## 2001-05-12 02:48:20 : [bgp\/stack]:     enqueue UPDATE msg to peer 192.168.0.8 via connID 23\n## 2001-05-12 02:48:20 : [bgp\/update]:    done : send iBGP updates\n## 2001-05-12 02:48:20 : [bgp\/update]:    proc iBGP update prefix: 192.168.132.0\/24\n## 2001-05-12 02:48:20 : [bgp\/update]:     Add Withd_rt 192.168.132.0\/24 to peer 192.168.0.8 Tx_q\n## 2001-05-12 02:48:20 : [bgp\/update]:    add withdrawn prefix 192.168.132.0\/24 to peer 192.168.0.8 Tx-q\n## 2001-05-12 02:48:20 : [bgp\/stack]:     enqueue UPDATE msg to peer 192.168.0.8 via connID 23\n## 2001-05-12 02:48:20 : [bgp\/update]:    done : send iBGP updates<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>Let\u2019s see if BGP updates work.&#160; Disconnect eth0\/2 on ssg5-2, so the 
route to 192.168.2.0\/24 network should disappear on ssg5-1&#160; (Just wait until the updates have taken place and then have a look at the routing table)<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get route protocol bgp\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">untrust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (0 entries)\n--------------------------------------------------------------------------------------\nH: Host C: Connected S: Static A: Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\nN: NHRP\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2 trailing B: backup route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">trust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (34 entries)\n--------------------------------------------------------------------------------------\n         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys\n--------------------------------------------------------------------------------------\n\nTotal number of bgp routes: 0<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>You can see the BGP peer configuration on ssg5-1 using the following command :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; 
border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr proto bgp neighbor 192.168.0.30\n\npeer: 192.168.0.30,  remote AS: 65000, admin status: enable\ntype: IBGP\nconnection state: ESTABLISH, connection id: 63 retry interval: 120s, cur retry time 15s\nconfigured hold time: node default(180s), configured keepalive: node default(60s)\ndesignated local IP: n\/a\nlocal IP address\/port: 192.168.0.8\/179, remote IP address\/port: 192.168.0.30\/1086\nrouter ID of peer: 192.168.2.8, remote AS: 65000\nnegotiated hold time: 180s, negotiated keepalive interval: 60s\nMD5 authentication: enable\nroute map in name: , route map out name: RedistAllOSPFNets\nweight: 100 (default)\nself as next hop: disable\nsend default route to peer: disable\nignore default route from peer: disable\nsend community path attribute: no\nreflector client: no\nNeighbor Capabilities: \n  Route refresh: advertised and received\n  Address family IPv4 Unicast:  advertised and received\nforce reconnect is disable\ntotal messages to peer: 293, from peer: 291 \nupdate messages to peer: 13, from peer: 14 \nroute-refresh messages to peer: 0, from peer: 0 \nlast reset 9d;01:42:16 ago, due to BGP recv Notification(Cease: Admin stopped)(code 6 : subcode 0)\nnumber of total successful connections: 4\nconnected: 4 hours 0 minutes 51 seconds\nElapsed time since last update: 3 hours 48 minutes 22 seconds<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>If you have additional questions on using OSPF and BGP on ScreenOS, please visit my forum at <a title=\"\/index.php\/forum\/screenos-routing-staticripospfbgp\/page-1\" href=\"https:\/\/www.corelan.be\/index.php\/forum\/\">\/index.php\/forum\/screenos-routing-staticripospfbgp\/page-1<\/a><\/p>\n<p>&#160;<\/p>\n<p>Notes :<\/p>\n<p>1. 
You can manually disconnect and connect two peers using the following command :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> exec vrouter trust-vr proto bgp neighbor 192.168.0.30 disconnect\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> exec vrouter trust-vr proto bgp neighbor 192.168.0.30 connect<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>2. By default, the default route will be advertised over BGP. If you have created route maps that allow updates from 0.0.0.0\/0, you are taking the risk that a new default route is injected, and depending on the preferences of your routes, the routing process can be different from what you expect.&#160; You can disable this behaviour using the following command :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp reject-default-route \nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr proto bgp reject-default-route \nIgnore default route:  enable<\/pre>\n<\/div>\n<\/p>\n<p>&#160;<\/p>\n<h3>Advanced Features<\/h3>\n<h4>Route dampening<\/h4>\n<p>If you want to be sure that routes only get advertised when they have become stable (after being in a flapping state), you can enable flap-damping. 
This is a bgp global config setting (and will apply to bgp operations on the device). Flap dampening is based on a suppress-limit and reuse-limit, and uses penalties for each flap. When the total penalty rises above the suppress-limit, the route will go away. When the line becomes stable again (penalty drops below the reuse-limit), the route will be added again.<\/p>\n<p>To enable flap-damping, use the&#160; \u201cset vrouter trust-vr proto bgp flap-damping\u201d command<\/p>\n<p>&#160;<\/p>\n<h4>Aggregate route announcements<\/h4>\n<p>This feature is mostly used in EBGP configurations, and allows you to reduce the number of advertised prefixes by reducing the number of route announcements.<\/p>\n<p>So instead of advertising all individual nets, you announce aggregated nets (supernets) to the EBGP peer.&#160; <\/p>\n<p>You can enable aggregation using the following commands :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">set vrouter trust-vr proto bgp aggregate 192.168.0.0\/16 summary only\nset vrouter trust-vr proto bgp aggregate enable<\/pre>\n<\/div>\n<p>Now when this host is announcing routes to BGP that are subnets of this 192.168.0.0\/16 network, these individual routes will be ignored. 
The 192.168.0.0\/16 supernet will be used instead.<\/p>\n<p>&#160;<\/p>\n<h4>Peer Groups<\/h4>\n<p>If you need to configure multiple peers that share the same AS\/MD5 password\/\u2026 on a single system, then you can either specify all bgp settings and neighbors\/peer settings manually, or you can create a peer group, define the settings on the group, and just add the peers into the peer group<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\"># Create the peer group\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor peer-group ibgpPeers\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor peer-group ibgpPeers remote-as 65000\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor peer-group ibgpPeers md5-authentication ThisIsMyMD5Password\n# Put a new peer in the peer group\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor 192.168.0.30 peer-group ibgpPeers\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor 192.168.0.30 enable<\/pre>\n<\/div>\n<div>&#160;<\/div>\n<p>&#160;<\/p>\n<h3>What\u2019s next ?<\/h3>\n<p>In one of my next posts, I will explain how to set up a Linux host to run BGP\/OSPF and to work in conjunction with the Juniper devices.&#160; <\/p>\n","protected":false},"excerpt":{"rendered":"<p>As explained in one of my earlier posts, ScreenOS supports a couple of ways to provide for dynamic routing. Today, I\u2019m going to explain some basic implementations of BGP on ScreenOS. 
Unlike my post on OSPF, I won\u2019t be going too much into all the details of what BGP is and how it works, but &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2008\/11\/15\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Juniper ScreenOS BGP Basics : a simple iBGP test case\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[554,164,127],"tags":[3742,3735,1408,1308,1307],"class_list":["post-1053","post","type-post","status-publish","format-standard","hentry","category-juniper","category-networking","category-security","tag-networking","tag-juniper-netscreen-screenos","tag-routing","tag-bgp","tag-autonomous-system"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Juniper ScreenOS BGP Basics : a simple iBGP test case - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2008\/11\/15\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" 
\/>\n<meta property=\"og:title\" content=\"Juniper ScreenOS BGP Basics : a simple iBGP test case - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"As explained in one of my earlier posts, ScreenOS supports a couple of ways to provide for dynamic routing. Today, I\u2019m going to explain some basic implementations of BGP on ScreenOS. Unlike my post on OSPF, I won\u2019t be going too much into all the details of what BGP is and how it works, but &hellip; Continue reading &quot;Juniper ScreenOS BGP Basics : a simple iBGP test case&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2008\/11\/15\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2008-11-15T15:05:37+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/15\\\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/15\\\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Juniper ScreenOS BGP Basics : a simple iBGP test 
case\",\"datePublished\":\"2008-11-15T15:05:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/15\\\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\\\/\"},\"wordCount\":2513,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"networking\",\"juniper netscreen screenos\",\"routing\",\"bgp\",\"autonomous system\"],\"articleSection\":[\"Juniper\",\"Networking\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/15\\\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/15\\\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\\\/\",\"name\":\"Juniper ScreenOS BGP Basics : a simple iBGP test case - Corelan | Exploit Development &amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2008-11-15T15:05:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/15\\\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/15\\\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/15\\\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Juniper ScreenOS BGP Basics : a simple iBGP test case\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan 
publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","views":16598,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1053","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=1053"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1053\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=1053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=1053"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=1053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}