Scripts to easily deploy and maintain strict IRR filters on your Juniper Router(s), as well as deploy and maintain other routing policies.
edgenative/junos-irrupdater
junos-irrupdater

Create and Maintain Routing Filters on a Juniper Router running Junos

Prerequisites

  • Juniper router(s) running Junos
  • NETCONF over SSH enabled on the router (and the required port, tcp/830, reachable from the host)
  • The Juniper Py-JunOS-Eznc Python package installed on your host
  • BGPQ4 installed on the host where you plan to run these scripts (Debian/Ubuntu: apt-get install bgpq4)

What is this for?

You want to run strict IRR filters on your customer/peer BGP sessions and have a Juniper router. This collection of scripts essentially wraps around BGPQ4 to generate prefix lists, then builds filter config that the Python code reads and pushes to the router over NETCONF.

I've included everything you need to make this pretty self-contained, so the scripts here do everything required to build a route filter from a list of prefixes generated by BGPQ4.

Given that the scripts essentially push Junos routing policy to a Juniper router, I've also included some functionality I'm using personally to sync other policies to the router, such as import/export filters.

How do I configure it?

This collection has everything you need in one place. You need to configure a couple of things here. We're expecting you to install this into /usr/share/junos-irrupdater/ on your host:

  • config/routers.conf: specify here the username and password required to interact with your router.
  • config/email.conf: specify here the details of your email server, recipient and sender. You can also choose to enable emails upon update and/or upon error.
  • config/peers.conf: specify here, as comma-separated lines, the ASN and AS-SET of your peers. You'll need to do this every time you add a new peer that you need filters for.
  • config/sessions.conf: this file contains the combination of the ASN and the router hostname/IP it's on. You'll need to update this every time you set up a new peer on an IX/PNI/new router. As a third parameter you can specify either ipv4|ipv6 so that only that address family is pushed to the router. If you don't specify one, both ipv4 and ipv6 are pushed (default).
  • config/other-policies.conf: this file contains a combination of router hostname/policy-name. List here the routers on which you wish to maintain other policies, outside of those generated by the bgpq4 scripts. For example, I'm using this to maintain my RPKI filters, import filters and export filters across my routers.

Automate it?

Once you've got the configuration set, you can simply schedule a couple of things to run in cron and you should be all set.

  • buildprefixes.sh: run this on some schedule. It uses bgpq4 to build the prefix lists and the actual filters to be pushed to the router. It takes time to run depending on the number of peers you have and how many prefixes they have. It pulls the prefixes for your peers based on config/peers.conf.

  • pushfilters.sh: run this on a schedule, or directly after buildprefixes.sh. Essentially this calls the Python code to push the filters to your routers. It loops through everything in the config/sessions.conf file automatically.

  • push-other-policies.sh: run this on a schedule. This calls the Python code to loop through the config/other-policies.conf file and sync your other policies with the router.

How do I use it on the router?

The scripts here generate filters that can be used as part of your policy chain. This results in filters named as follows:

  • as32934-import-ipv4 for Facebook on IPv4
  • as32934-import-ipv6 for Facebook on IPv6

The filter has two terms: one that matches the prefixes and moves to the next policy in the chain, and another that rejects. So, used as part of your import filter chain, it matches the prefixes and skips to your next policy-statement in the chain on a match, or simply rejects if the prefix doesn't match. (We're also aggregating the prefixes here, and allowing up to a /24 in IPv4 and a /48 in IPv6.) As an example, my policy chain for Facebook at SFMIX looks like this: import [ first-import as32934-import-ipv4 sfmix-import rpki final-import ], where I'm rejecting bogons/bad paths etc. in the first filter, then adding various bits of TE/RPKI checks etc. with the others.
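As an added illustration (not the project's own code), the script below builds the two-term import filter described above from a list of prefixes, and also parses config/sessions.conf lines to decide which address families to push, as described in the configuration section. The prefixes are constructed sample data standing in for bgpq4 output, and the comma delimiter and the exact term names are assumptions.

```python
"""Added example: generate a two-term Junos import filter and read sessions.conf.
Not the junos-irrupdater project's code; prefixes are constructed samples."""
import ipaddress

# Longest prefix accepted per family, as the README describes (/24 and /48).
MAX_LEN = {"ipv4": 24, "ipv6": 48}


def aggregate(prefixes, family):
    """Keep only prefixes of the requested family and collapse overlapping or
    adjacent ones (bgpq4 -A does this in the real tool; stdlib stands in here)."""
    version = 4 if family == "ipv4" else 6
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    nets = [n for n in nets if n.version == version]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_import_filter(asn, family, prefixes):
    """Return policy-statement text named asNNNN-import-<family>: term one matches
    the prefixes up to MAX_LEN and moves to the next policy, term two rejects."""
    name = f"as{asn}-import-{family}"
    lines = [f"policy-statement {name} {{", "    term prefixes {", "        from {"]
    for net in aggregate(prefixes, family):
        lines.append(f"            route-filter {net} upto /{MAX_LEN[family]};")
    lines += ["        }", "        then next policy;", "    }",
              "    term reject-all {", "        then reject;", "    }", "}"]
    return "\n".join(lines)


def parse_sessions(text):
    """Parse 'ASN,router[,ipv4|ipv6]' lines; with no third field both families
    are pushed (the README default). Blank lines and '#' comments are skipped."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        families = [fields[2]] if len(fields) > 2 else ["ipv4", "ipv6"]
        sessions.append((fields[0], fields[1], families))
    return sessions


# Constructed sample data (documentation ranges), not real IRR output.
SAMPLE_PREFIXES = ["192.0.2.0/24", "192.0.2.0/25", "198.51.100.0/25",
                   "198.51.100.128/25", "2001:db8::/32"]
SAMPLE_SESSIONS = "# asn,router,family\n64496,rtr1.example.net\n64496,rtr2.example.net,ipv6\n"

if __name__ == "__main__":
    for asn, router, families in parse_sessions(SAMPLE_SESSIONS):
        for fam in families:
            print(f"# {router}\n{build_import_filter(asn, fam, SAMPLE_PREFIXES)}")
```

The two /25s collapse into a single /24 and the duplicate /25 is absorbed, which is the aggregation behaviour the README relies on bgpq4 for.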

Maintain other filters on the router?

Sure. I'm actually using this to maintain all of the import/export filters for BGP on my routers. Simply create your policy in the filters/ directory, in standard Junos format (with .txt as the file extension; the filename must match the filter name, e.g. example-filter must be example-filter.txt), and follow the examples above to place the right combination of router name and policy name in the config/other-policies.conf file. Then run the push-other-policies.sh script on a schedule to loop through these.

I've given an example in the filters/ directory of the policy format. Note that the scripts will only push things in the policy-options policy-statement <policy-name> hierarchy. You could modify the bin/junos-irrupdater.py file if you wanted to extend this to other parts of the config.

What else?

  • You can customise the filters if you so wish by editing the bin/junos-filtergen.py script to include other terms, add communities or the like. (In the version I'm running locally, I'm adding an origin community per peer using large communities, which are added using the generated import filter as part of my policy chain.)

  • You can help by making it better! Whilst I've been using Juniper for years, I've recently integrated Juniper alongside Mikrotik in my personal network. If you need a Mikrotik version of this, you can find it at Edgenative/mikrotik-irrupdater.

Was this useful?

Let me know, I'd love to hear from you!

Non-Public Version

I'm running a modified version of this internally which supports generating export filters for your own as-set, in case you want to filter your exports. It also supports generating customer filters alongside peer filters, so you can accept longer prefixes, for example a /32 on IPv4 in case of RTBH. Let me know if you'd like a copy of those modifications.
