{"id":1064,"date":"2008-11-16T20:50:16","date_gmt":"2008-11-16T19:50:16","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/"},"modified":"2008-11-16T20:50:16","modified_gmt":"2008-11-16T19:50:16","slug":"using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/","title":{"rendered":"Using Fedora 9 as an OSPF \/ BGP router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS"},"content":{"rendered":"<p>In this post, I\u2019m going to show you how to set up a Linux host (Fedora Core 9) and use it as a BGP enabled router.&#160; <\/p>\n<p>In order to fully understand the setup &amp; configuration, please have a look at <a href=\"\/index.php\/2008\/11\/15\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\/\" target=\"_blank\" rel=\"noopener\">this blog post<\/a> first, because I\u2019ll use the setup in that post as a foundation for this explanation.<\/p>\n<p>Initial setup : basic Fedora 9 install, 2 network cards recognized by Fedora<\/p>\n<p>eth0 : 192.168.100.100, mask 255.255.255.0 \u2013 no default gateway <\/p>\n<p>eth1 : 192.168.3.1, mask 255.255.255.0 \u2013 no default gateway<\/p>\n<p>This is what we will build&#160; :<\/p>\n<p><a href=\"\/wp-content\/uploads\/2008\/11\/bgp-with-linux1.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" title=\"bgp_with_linux1\" style=\"border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px\" height=\"423\" alt=\"bgp_with_linux1\" src=\"\/wp-content\/uploads\/2008\/11\/bgp-with-linux1-thumb.png\" width=\"571\" border=\"0\" \/><\/a> <\/p>\n<p><em>( click to enlarge 
)<\/em><\/p>\n<p>If you compare this drawing with the drawing in my <a href=\"\/index.php\/2008\/11\/15\/juniper-screenos-bgp-basics-a-simple-ibgp-test-case\/\" target=\"_blank\" rel=\"noopener\">post on BGP with ScreenOS<\/a>, you\u2019ll notice that I have simply added a Linux host to the 192.168.100.0\/24 network, and added a new network behind the Linux host.&#160; The idea is to set up the Linux host to become part of BGP AS 65000 (IBGP).&#160; In a second phase, we\u2019ll give the Linux host its own AS and we\u2019ll form EBGP peers between the Linux host and one of the screenOS devices and see what the impact is. (I\u2019ll write this procedure when I have more time in the next couple of days.&#160; We\u2019ll start with IBGP first)<\/p>\n<p>&#160;<\/p>\n<h3>Set up Quagga Routing Suite<\/h3>\n<p>1. Install <a href=\"http:\/\/www.quagga.net\" target=\"_blank\" rel=\"noopener\">Quagga Routing Suite<\/a> :&#160; <\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 \/]# yum install quagga\nLoaded plugins: refresh-packagekit\nfedora                                                   | 2.4 kB     00:00    \nupdates                                                  | 2.6 kB     00:00    \nSetting up Install Process\nParsing package install arguments\nResolving Dependencies\n--<span style=\"color: #0000ff\">&gt;<\/span> Running transaction check\n---<span style=\"color: #0000ff\">&gt;<\/span> Package quagga.i386 0:0.99.9-6.fc9 set to be updated\n--<span style=\"color: #0000ff\">&gt;<\/span> Finished Dependency Resolution\n\nDependencies 
Resolved\n\n=============================================================================\n Package                 Arch       Version          Repository        Size \n=============================================================================\nInstalling:\n quagga                  i386       0.99.9-6.fc9     fedora            1.2 M\n\nTransaction Summary\n=============================================================================\nInstall      1 Package(s)         \nUpdate       0 Package(s)         \nRemove       0 Package(s)         \n\nTotal download size: 1.2 M\nIs this ok [y\/N]: y\nDownloading Packages:\n(1\/1): quagga-0.99.9-6.fc9.i386.rpm                      | 1.2 MB     00:06     \nRunning rpm_check_debug\nRunning Transaction Test\nFinished Transaction Test\nTransaction Test Succeeded\nRunning Transaction\n  Installing: quagga                       ######################### [1\/1] \n\nInstalled: quagga.i386 0:0.99.9-6.fc9\nComplete!<\/pre>\n<\/div>\n<p>2. Open \/etc\/services and see if the following entries are present. (On Fedora Core 9, most of these entries are present, except for ospfapi and isisd)<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">zebrasrv      2600\/tcp          # zebra service\nzebra         2601\/tcp          # zebra vty\nripd          2602\/tcp          # RIPd vty\nripngd        2603\/tcp          # RIPngd vty\nospfd         2604\/tcp          # OSPFd vty\nbgpd          2605\/tcp          # BGPd vty\nospf6d        2606\/tcp          # OSPF6d vty\nospfapi       2607\/tcp          # ospfapi\nisisd         2608\/tcp          # ISISd vty<\/pre>\n<\/div>\n<p>3. 
Set quagga global configuration options<\/p>\n<p>The quagga configuration files can be found at \/etc\/quagga<\/p>\n<p>We are interested in the OSPF \/ BGP components of quagga, which are provided by zebra.&#160; Thus we need to look at \/etc\/quagga\/zebra.conf<\/p>\n<p>After installing quagga, the only entry in the configuration file is the hostname. We need to add a password, otherwise the daemon will not allow us to connect to the configuration console. You can set an enable password as well, configure logging, etc<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 quagga]# cat zebra.conf\nhostname router-3\npassword MyBadPassword\nenable password MyBadEnablePassword\nlog file \/var\/log\/quagga\/zebra.log informational\nlog stdout<\/pre>\n<\/div>\n<p>You can now start the zebra daemon by running&#160; \u2018service zebra start\u2019. 
You can set the daemon to start at boot time by running \u2018chkconfig zebra on\u2019<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 quagga]# chkconfig zebra on\n[root@router-3 quagga]# service zebra start\nStarting zebra: Nothing to flush.\n[  OK  ]\n[root@router-3 quagga]# <\/pre>\n<\/div>\n<p>Verify that the daemon is running : <\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 quagga]# netstat -vantu | grep 2601\ntcp        0      0 127.0.0.1:2601              0.0.0.0:*                   LISTEN <\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>4. 
Test if you can connect to the Quagga configuration console<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 quagga]# telnet localhost 2601\nTrying 127.0.0.1...\nConnected to localhost.\nEscape character is '^]'.\n\nHello, this is Quagga (version 0.99.9).\nCopyright 1996-2005 Kunihiro Ishiguro, et al.\n\n\nUser Access Verification\n\nPassword: \nrouter-3<span style=\"color: #0000ff\">&gt;<\/span> enable\nPassword: \nrouter-3# conf t\nrouter-3(config)# sh \n  history         Display the session command history\n  running-config  running configuration\nrouter-3(config)# sh r\n\nCurrent configuration:\n!\nhostname router-3\npassword MyBadPassword\nenable password MyBadEnablePassword\nlog file \/var\/log\/quagga\/zebra.log informational\nlog stdout\n!\ninterface eth0\n ipv6 nd suppress-ra\n!\ninterface eth1\n ipv6 nd suppress-ra\n!\ninterface lo\n!\ninterface pan0\n ipv6 nd suppress-ra\n!\ninterface sit0\n ipv6 nd suppress-ra\n!\nip forwarding\n!\n!\nline vty\n!\nend<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<h3>Configure Zebra BGP to form an IBGP peer with Juniper ScreenOS (and set up full mesh with ssg5-1 and ssg5-2)<\/h3>\n<p>First of all, we need to look at the connectivity between the Linux host and Juniper screenOS. The Linux host is not in the same IP subnet as the 2 screenOS devices, and if you look at the previous post, you can see that connectivity between the screenOS devices and the 192.168.100.0 network is handled via OSPF.&#160; This is fine, as long as you can make sure that connectivity between all hosts that need to become peers will work before you enable BGP. 
So you cannot rely on BGP to create routing between these hosts, because the routing needs to work before we can use BGP.<\/p>\n<p>On ssg5-1, we can see that the route towards 192.168.100.0 is injected via OSPF (E2), which is ok. But on ssg5-2, the route is added via BGP (iB), and this may cause problems. Think about it : If you disable BGP and reenable BGP, the route will disappear, which will make the Linux host unreachable for ssg5-2, so it will not be able to reach the host again in order to become peers.<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get route | incl 192.168.100.0\n*      1057   192.168.100.0\/24         eth0\/1     192.168.0.7  E2  200     10     Root\n\nss5-2-<span style=\"color: #0000ff\">&gt;<\/span> get route | incl 192.168.100.0\n*        28   192.168.100.0\/24         eth0\/1     192.168.0.7  iB  250      0     Root<\/pre>\n<\/div>\n<p>So on ssg5-2, we need to add a static route to 192.168.100.0\/24, and on the Linux host, we also need to set up some routing.<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ss5-2-<span style=\"color: #0000ff\">&gt;<\/span> set route 192.168.100.0\/24 gate 192.168.0.7\nss5-2-<span style=\"color: #0000ff\">&gt;<\/span> get route | incl 192.168.100.0             \n*        29   
192.168.100.0\/24         eth0\/1     192.168.0.7   S   20      1     Root\n         28   192.168.100.0\/24         eth0\/1     192.168.0.7  iB  250      0     Root<\/pre>\n<\/div>\n<p>This will ensure that, even if BGP is down, the static route will ensure that ssg5-2 can reach the 192.168.100.0\/24 network. So while the active route is the one that is distributed via BGP, the static route will take over the moment BGP goes away, ensuring connectivity at all times.<\/p>\n<p>On Linux, we can either count on a default gateway that points to 192.168.100.2 in order to be able to route to the 192.168.0.0\/24 network, or you can simply add a route towards the 192.168.0.0\/24 network. Either way, we will need some kind of route, because this is required for the Linux host to be able to talk to the other 2 IBGP hosts (ssg5-1 : 192.168.0.8 and ssg5-2 : 192.168.0.30). We won\u2019t use a default gateway, we\u2019ll just do direct routing :<\/p>\n<p>Edit \/etc\/rc.d\/rc.local and add the following line to the file :<\/p>\n<p><em>\/sbin\/route add -net 192.168.0.0\/24 gw 192.168.100.2<\/em><\/p>\n<p>After making the change, the file should look like this :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 \/]# cat \/etc\/rc.d\/rc.local \n#!\/bin\/sh\n#\n# This script will be executed *after* all the other init scripts.\n# You can put your own initialization stuff in here if you don't\n# want to do the full Sys V style init stuff.\n\ntouch \/var\/lock\/subsys\/local\n\/sbin\/route add -net 192.168.0.0\/24 gw 192.168.100.2<\/pre>\n<\/div>\n<p>This will make sure the static route is available when the Linux machine boots. 
(a.k.a. making the route permanent)<br \/>\n  <br \/>In order to add the route to the routing table right away, simply run the command from the command prompt :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 \/] #\/sbin\/route add -net 192.168.0.0\/24 gw 192.168.100.2<\/pre>\n<\/div>\n<p>Look at the routing table, you should see this :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 ~]# route -n\nKernel IP routing table\nDestination     Gateway         Genmask         Flags Metric Ref    Use Iface\n192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0\n192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1\n192.168.0.0     192.168.100.2   255.255.255.0   UG    0      0        0 eth0<\/pre>\n<\/div>\n<p>Or, verify the routing via the zebra daemon :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 ~]# telnet localhost 2601\nTrying 127.0.0.1...\nConnected to 
localhost.\nEscape character is '^]'.\n\nHello, this is Quagga (version 0.99.9).\nCopyright 1996-2005 Kunihiro Ishiguro, et al.\n\n\nUser Access Verification\n\nPassword: \nrouter-3<span style=\"color: #0000ff\">&gt;<\/span> enable\nPassword: \nrouter-3# sh ip route\nCodes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,\n       I - ISIS, B - BGP, <span style=\"color: #0000ff\">&gt;<\/span> - selected route, * - FIB route\n\nC<span style=\"color: #0000ff\">&gt;<\/span>* 127.0.0.0\/8 is directly connected, lo\nK<span style=\"color: #0000ff\">&gt;<\/span>* 192.168.0.0\/24 via 192.168.100.2, eth0\nC<span style=\"color: #0000ff\">&gt;<\/span>* 192.168.3.0\/24 is directly connected, eth1\nC<span style=\"color: #0000ff\">&gt;<\/span>* 192.168.100.0\/24 is directly connected, eth0<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>Furthermore, this linux host should now be able to connect to 192.168.0.8 and 192.168.0.30 :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 \/]# ping 192.168.0.8\nPING 192.168.0.8 (192.168.0.8) 56(84) bytes of data.\n64 bytes from 192.168.0.8: icmp_seq=1 ttl=64 time=6.07 ms\n64 bytes from 192.168.0.8: icmp_seq=2 ttl=64 time=1.75 ms\n64 bytes from 192.168.0.8: icmp_seq=3 ttl=64 time=1.92 ms\n^C\n--- 192.168.0.8 ping statistics ---\n3 packets transmitted, 3 received, 0% packet loss, time 2160ms\nrtt min\/avg\/max\/mdev = 1.757\/3.251\/6.073\/1.996 ms\n\n[root@router-3 \/]# ping 192.168.0.30\nPING 192.168.0.30 (192.168.0.30) 56(84) bytes of data.\n64 bytes from 192.168.0.30: icmp_seq=1 ttl=64 time=4.95 ms\n64 bytes from 192.168.0.30: icmp_seq=2 ttl=64 time=1.91 ms\n64 bytes from 192.168.0.30: 
icmp_seq=3 ttl=64 time=1.45 ms\n^C\n--- 192.168.0.30 ping statistics ---\n3 packets transmitted, 3 received, 0% packet loss, time 2406ms\nrtt min\/avg\/max\/mdev = 1.452\/2.772\/4.954\/1.554 ms<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>Next, we need to configure the Zebra based BGP daemon on the Linux host to become an IBGP peer of AS 65000<\/p>\n<p>First, let\u2019s set all IP properties of the Linux host using the Zebra daemon :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 \/]# telnet localhost 2601\nTrying 127.0.0.1...\nConnected to localhost.\nEscape character is '^]'.\n\nHello, this is Quagga (version 0.99.9).\nCopyright 1996-2005 Kunihiro Ishiguro, et al.\n\n\nUser Access Verification\n\nPassword: \nrouter-3<span style=\"color: #0000ff\">&gt;<\/span> enable\nPassword: \nrouter-3# conf t\nrouter-3(config)# int eth0\nrouter-3(config-if)# ip address 192.168.100.100\/24\nrouter-3(config-if)# exit\nrouter-3(config)# int eth1\nrouter-3(config-if)# ip address 192.168.3.8\/24\nrouter-3(config-if)# exit\nrouter-3(config)# exit\nrouter-3# write\nConfiguration saved to \/etc\/quagga\/zebra.conf\nrouter-3# <\/pre>\n<\/div>\n<p>Now start the bgp daemon, so we can connect to it and set up the configuration.<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 quagga]# 
service bgpd start\nStarting bgpd: [  OK  ]\n[root@router-3 quagga]# netstat -vantu | grep 2605\ntcp        0      0 127.0.0.1:2605              0.0.0.0:*                   LISTEN<\/pre>\n<\/div>\n<div>&#160;<\/div>\n<div>In order to make sure the daemon will start when the system boots, use the \u2018chkconfig bgpd on\u2019 command.<\/div>\n<div>Now we are ready to set up BGP <\/div>\n<div>&#160;<\/div>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 quagga]# telnet localhost 2605\nTrying 127.0.0.1...\nConnected to localhost.\nEscape character is '^]'.\n\nHello, this is Quagga (version 0.99.9).\nCopyright 1996-2005 Kunihiro Ishiguro, et al.\n\n\nUser Access Verification\n\nPassword: \nrouter-3<span style=\"color: #0000ff\">&gt;<\/span> enable\nPassword: \nrouter-3# conf t\nrouter-3(config)# router bgp 65000\nrouter-3(config-router)# network 192.168.3.0\/24\nrouter-3(config-router)# neighbor 192.168.0.8 remote-as 65000\nrouter-3(config-router)# exit                 \nrouter-3(config)# write\nConfiguration saved to \/etc\/quagga\/bgpd.conf\nrouter-3(config)# exit\nrouter-3# exit<\/pre>\n<\/div>\n<p>At this point, the 192.168.3.0\/24 network will be redistributed into BGP<\/p>\n<p>There is another way of doing this, using the redistribute command, which may be more generic (but less specific if you want to) :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; 
border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 ~]# telnet localhost 2605\nTrying 127.0.0.1...\nConnected to localhost.\nEscape character is '^]'.\n\nHello, this is Quagga (version 0.99.9).\nCopyright 1996-2005 Kunihiro Ishiguro, et al.\n\n\nUser Access Verification\n\nPassword: \nrouter-3<span style=\"color: #0000ff\">&gt;<\/span> enable\nPassword: \nrouter-3# conf t\nrouter-3(config)# router bgp 65000\nrouter-3(config-router)# no network 192.168.3.0\/24\nrouter-3(config-router)# exit\nrouter-3(config)# write\nConfiguration saved to \/etc\/quagga\/bgpd.conf\n\n#At this point, the 192.168.3.0 network is not being redistributed anymore. On ssg5-1 and ssg5-2, the network will be gone\n\n#Since this is a connected net, we can redistribute this network using the redistribute command :\n\nrouter-3(config-router)# redistribute connected\nrouter-3(config-router)# exit\nrouter-3(config)# write\nConfiguration saved to \/etc\/quagga\/bgpd.conf\nrouter-3(config)# <\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>&#160;<\/p>\n<h3>Set up ScreenOS to complete the peer with the Linux router<\/h3>\n<p>On ssg5-1 (192.168.0.8), set up the peer as well :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor 192.168.100.100 remote-as 65000\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp neighbor 192.168.100.100 enable <\/pre>\n<\/div>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; 
border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr proto bgp neighbor \nPeer AS Remote IP       Local IP          Wt Status   State     ConnID Up\/Down\n--------------------------------------------------------------------------------\n  65000 192.168.0.30    192.168.0.8      100 Enabled  ESTABLISH      3 20:40:49\n  65000 192.168.100.100 192.168.0.8      100 Enabled  ESTABLISH     38 00:01:28<\/pre>\n<\/div>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get route proto bgp\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">untrust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (0 entries)\n--------------------------------------------------------------------------------------\nH: Host C: Connected S: Static A: Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\nN: NHRP\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2 trailing B: backup route\n\n\nIPv4 Dest-Routes for <span style=\"color: #0000ff\">&lt;<\/span><span style=\"color: #800000\">trust-vr<\/span><span style=\"color: #0000ff\">&gt;<\/span> (36 entries)\n--------------------------------------------------------------------------------------\n         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     
Vsys\n--------------------------------------------------------------------------------------\n*      1072     192.168.3.0\/24         eth0\/1     192.168.0.7  iB  250      0     Root\n*      1044     192.168.2.0\/24         eth0\/1    192.168.0.30  iB  250      0     Root<\/pre>\n<\/div>\n<p>So the route from router-3 (Linux) has now been added into the routing table of ssg5-1, which is what we expected.<\/p>\n<p>&#160;<\/p>\n<h3>Verify that everything works<\/h3>\n<p>On Linux, the routing table looks fine :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 quagga]# telnet localhost 2601\nTrying 127.0.0.1...\nConnected to localhost.\nEscape character is '^]'.\n\nHello, this is Quagga (version 0.99.9).\nCopyright 1996-2005 Kunihiro Ishiguro, et al.\n\n\nUser Access Verification\n\nPassword: \nrouter-3<span style=\"color: #0000ff\">&gt;<\/span> enable\nPassword: \nrouter-3# sh ip route\nCodes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,\n       I - ISIS, B - BGP, <span style=\"color: #0000ff\">&gt;<\/span> - selected route, * - FIB route\n\nB<span style=\"color: #0000ff\">&gt;<\/span>* 10.2.0.0\/24 [200\/0] via 192.168.0.8 (recursive via 192.168.100.2), 00:03:42\nC<span style=\"color: #0000ff\">&gt;<\/span>* 127.0.0.0\/8 is directly connected, lo\nK<span style=\"color: #0000ff\">&gt;<\/span>* 192.168.0.0\/24 via 192.168.100.2, eth0\nB<span style=\"color: #0000ff\">&gt;<\/span>* 192.168.1.0\/24 [200\/0] via 192.168.0.8 (recursive via 192.168.100.2), 00:03:42\nC<span style=\"color: #0000ff\">&gt;<\/span>* 192.168.3.0\/24 is directly connected, eth1\nB   192.168.100.0\/24 [200\/0] via 
192.168.0.7, 00:03:42\nC<span style=\"color: #0000ff\">&gt;<\/span>* 192.168.100.0\/24 is directly connected, eth0\nB<span style=\"color: #0000ff\">&gt;<\/span>* 192.168.132.0\/24 [200\/0] via 192.168.0.1 (recursive via 192.168.100.2), 00:03:42<\/pre>\n<\/div>\n<p>As you can see, despite the fact that the Linux host and ssg5-1 are not directly connected, the routing table still looks fine. Network 192.168.1.0\/24, which is a connected network behind ssg5-1, shows up in the routing table as reachable via 192.168.0.8, but recursive via 192.168.100.2 \u2013 BGP has ensured that the path towards the 192.168.1.0\/24 network works and figured out the next hop itself.<\/p>\n<p>Now you can use the same procedure to set up more peers (peer Linux with ssg5-2). This should make the 192.168.2.0\/24 network visible as well.<\/p>\n<p>&#160;<\/p>\n<p>Ok, so the routing tables on ssg5-1, ssg5-2 and router-3 are correct. But if you try to route from ssg5-1 towards 192.168.3.8, it doesn\u2019t seem to work !<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> trace-route 192.168.3.8 \nType escape sequence to escape\n\nSend ICMP echos to 192.168.3.8, timeout is 2 seconds,  maximum hops are 32, \n1       3ms     2ms     2ms     192.168.0.7\n2       *       *       *\n3       *       *       *\n4       *       *       *\n5       *       *       *\n6       Trace aborted<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<p>This is normal. 
We did not redistribute the new route (towards the 192.168.3.0\/24 network) to OSPF, so router-1 doesn\u2019t know about this new network yet<\/p>\n<p>On ssg5-1, we need to create a new ACL (or edit the existing ACL) and route-map, and add this new network, so it can be redistributed from BGP into OSPF<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr route-map RedistBGPintoOSPF\nRoute-map (RedistBGPintoOSPF)\n----------------------\n        Entry (10) - Action (permit)\n        ----------------------------\n                Match Fields\n                ------------\n                ip-address:              5 (access-list)\n\n                Set Fields\n                ----------\n\n\nssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr route-map RedistBGPintoOSPF config\nset route-map name &quot;RedistBGPintoOSPF&quot; permit 10\nset match ip 5\nexit<\/pre>\n<\/div>\n<div>&#160;<\/div>\n<div>Ok, so we need to edit access-list 5<\/div>\n<div>&#160;<\/div>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr\nssg5-1(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> get access-list\nIPv4 Access 
Lists\n------------------------------------------------\nAccess list (1)\n----------------\n        Sequence 10: 0.0.0.0\/0          -<span style=\"color: #0000ff\">&gt;<\/span> Permit\nAccess list (5)\n----------------\n        Sequence 10: 192.168.2.0\/24             -<span style=\"color: #0000ff\">&gt;<\/span> Permit\nIPv6 Access Lists\n------------------------------------------------\n\n#edit the existing access-list that was used to redistribute from BGP into OSPF\n\nssg5-1(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> set access-list 5 permit ip 192.168.3.0\/24 20\nssg5-1(trust-vr)-<span style=\"color: #0000ff\">&gt;<\/span> exit<\/pre>\n<\/div>\n<p>On router-1 and router-2, the new route should be visible in the OSPF routing table. Furthermore, the trace-route from ssg5-1 towards 192.168.3.8 should now work :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> trace-route 192.168.3.8                                \nType escape sequence to escape\n\nSend ICMP echos to 192.168.3.8, timeout is 2 seconds,  maximum hops are 32, \n1       3ms     2ms     1ms     192.168.0.7\n2       3ms     2ms     3ms     192.168.3.8<\/pre>\n<\/div>\n<p>&#160;<\/p>\n<h3>Everything works\u2026<\/h3>\n<p>\u2026 but hosts on the 192.168.3.0\/24 network cannot access the internet<\/p>\n<p>Reason : router-3 does not have a default gateway.&#160; ssg5-1 has a connection to the internet (not shown on diagram), so the only thing you need to do is to distribute the default route on ssg5-1 into BGP<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; 
margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">ssg5-1-<span style=\"color: #0000ff\">&gt;<\/span> set vrouter trust-vr proto bgp network 0.0.0.0\/0\nssg5-1<span style=\"color: #0000ff\">&gt;<\/span> get vrouter trust-vr proto bgp network\n\nnetwork            weight check reachable-prefix   rib-in route-map\n--------------------------------------------------------------------------------\n10.2.0.0\/24         32768 yes   10.2.0.0\/24        yes    null\n192.168.1.0\/24      32768 yes   192.168.1.0\/24     yes    null\n0.0.0.0\/0           32768 yes   0.0.0.0\/0          yes    null<\/pre>\n<\/div>\n<p>Check the routing table on router-3: you should now see the default route. If not, make sure router-3 does not have an access list or setting that rejects an incoming default route.<\/p>\n<p>By default, bgpd itself does not advertise a default route, even if it is in the local routing table. 
You can change this behaviour using the <strong><em>no neighbor &lt;peerip&gt; default-originate<\/em><\/strong> command.<\/p>\n<p>&#160;<\/p>\n<p>&#160;<\/p>\n<h3>Notes :&#160; <\/h3>\n<h4>No Sync<\/h4>\n<p>In my first post about BGP, I discussed the \u201cunset vrouter trust-vr proto bgp sync\u201d command, which ensures that new routes are not checked against the IGP routing tables.&#160; In Quagga, you can set the same behaviour with the following procedure :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">[root@router-3 ~]# telnet localhost 2605\nTrying 127.0.0.1...\nConnected to localhost.\nEscape character is '^]'.\n\nHello, this is Quagga (version 0.99.9).\nCopyright 1996-2005 Kunihiro Ishiguro, et al.\n\n\nUser Access Verification\n\nPassword: \nrouter-3<span style=\"color: #0000ff\">&gt;<\/span> enable\nPassword: \nPassword: \nrouter-3# conf t\nrouter-3(config)# router bgp 65000\n<strong><font color=\"#ff0000\">router-3(config-router)# no bgp network import-check<\/font><\/strong> \nrouter-3(config-router)# exit\nrouter-3(config)# exit\nrouter-3# write\nConfiguration saved to \/etc\/quagga\/bgpd.conf<\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In this post, I\u2019m going to show you how to set up a Linux host (Fedora Core 9) and use it as a BGP enabled router.&#160; In order to fully understand the setup &amp; configuration, please have a look at this blog post first, because I\u2019ll use the setup in that post as a foundation &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/\" 
class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Using Fedora 9 as an OSPF \/ BGP router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[554,64,164,127],"tags":[3742,3735,1408,1308,131],"class_list":["post-1064","post","type-post","status-publish","format-standard","hentry","category-juniper","category-linux","category-networking","category-security","tag-networking","tag-juniper-netscreen-screenos","tag-routing","tag-bgp","tag-linux"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Using Fedora 9 as an OSPF \/ BGP router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Using Fedora 9 as an OSPF \/ BGP 
router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"In this post, I\u2019m going to show you how to set up a Linux host (Fedora Core 9) and use it as a BGP enabled router.&#160; In order to fully understand the setup &amp; configuration, please have a look at this blog post first, because I\u2019ll use the setup in that post as a foundation &hellip; Continue reading &quot;Using Fedora 9 as an OSPF \/ BGP router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2008-11-16T19:50:16+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/16\\\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/16\\\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Using Fedora 9 as an OSPF \\\/ BGP router (Quagga \\\/ Zebra) and set up BGP between Linux and Juniper ScreenOS\",\"datePublished\":\"2008-11-16T19:50:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/16\\\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\\\/\"},\"wordCount\":1356,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"networking\",\"juniper netscreen screenos\",\"routing\",\"bgp\",\"Linux and Unix\"],\"articleSection\":[\"Juniper\",\"Linux and Unix\",\"Networking\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/16\\\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/16\\\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\\\/\",\"name\":\"Using Fedora 9 as an OSPF \\\/ BGP router (Quagga \\\/ Zebra) and set up BGP between Linux and Juniper ScreenOS - Corelan | Exploit Development &amp; Vulnerability 
Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2008-11-16T19:50:16+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/16\\\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/16\\\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/11\\\/16\\\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Using Fedora 9 as an OSPF \\\/ BGP router (Quagga \\\/ Zebra) and set up BGP between Linux and Juniper ScreenOS\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity 
Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. 
Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Using Fedora 9 as an OSPF \/ BGP router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/","og_locale":"en_US","og_type":"article","og_title":"Using Fedora 9 as an OSPF \/ BGP router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"In this post, I\u2019m going to show you how to set up a Linux host (Fedora Core 9) and use it as a BGP enabled router.&#160; In order to fully understand the setup &amp; configuration, please have a look at this blog post first, because I\u2019ll use the setup in that post as a foundation &hellip; Continue reading \"Using Fedora 9 as an OSPF \/ BGP router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS\"","og_url":"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/","og_site_name":"Corelan | Exploit Development &amp; 
Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2008-11-16T19:50:16+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Using Fedora 9 as an OSPF \/ BGP router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS","datePublished":"2008-11-16T19:50:16+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/"},"wordCount":1356,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"keywords":["networking","juniper netscreen screenos","routing","bgp","Linux and Unix"],"articleSection":["Juniper","Linux and Unix","Networking","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/","url":"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/","name":"Using Fedora 9 as an OSPF \/ BGP router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS - Corelan | Exploit Development &amp; Vulnerability 
Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2008-11-16T19:50:16+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2008\/11\/16\/using-fedora-9-as-an-ospf-bgp-router-quagga-zebra-and-set-up-bgp-between-linux-and-juniper-screenos\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Using Fedora 9 as an OSPF \/ BGP router (Quagga \/ Zebra) and set up BGP between Linux and Juniper ScreenOS"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity 
Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. 
Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":15693,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1064","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=1064"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1064\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=1064"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=1064"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=1064"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}