Juniper IRR ASN route-filters

Categories: Juniper

Problem definition: We need to define routing policies on our Juniper routers for filtering the routes received from BGP peers.

Most ISPs publish their prefixes and routing policies via IRRs. We can use bgpq4 to read this information and produce the config snippets.

Let's try for Google IPv4:

./bgpq4 -AJE -4 -R 24 -l ASN-15169-v4 AS15169

Output:

policy-options {
 policy-statement ASN-15169-v4 {
replace:
  from {
    route-filter 8.8.4.0/24 exact;
    route-filter 8.8.8.0/24 exact;
    route-filter 8.15.202.0/24 exact;
    route-filter 8.34.208.0/20 prefix-length-range /21-/24;
    route-filter 8.35.192.0/20 prefix-length-range /21-/24;
    route-filter 23.236.48.0/20 upto /24;
    route-filter 23.251.128.0/19 upto /24;
    route-filter 34.64.0.0/10 upto /24;
    route-filter 34.128.0.0/10 upto /24;
    route-filter 35.184.0.0/13 upto /24;
    route-filter 35.192.0.0/11 prefix-length-range /12-/24;
    route-filter 35.224.0.0/12 upto /24;
    route-filter 35.240.0.0/13 upto /24;
    route-filter 45.121.228.0/23 prefix-length-range /24-/24;
    route-filter 45.121.230.0/23 upto /24;
    route-filter 64.15.112.0/20 prefix-length-range /23-/24;
    route-filter 64.233.160.0/19 upto /24;
    route-filter 66.102.0.0/20 upto /24;
    route-filter 66.249.64.0/19 upto /24;
    route-filter 70.32.128.0/19 upto /24;
    route-filter 72.14.192.0/18 upto /24;
    route-filter 74.114.24.0/21 upto /24;
    route-filter 74.125.0.0/16 upto /24;
    route-filter 74.125.57.240/29 exact;
    route-filter 89.207.231.0/24 exact;
    route-filter 103.62.64.0/23 prefix-length-range /24-/24;
    route-filter 103.62.66.0/23 upto /24;
    route-filter 104.132.0.0/14 upto /24;
    route-filter 104.154.0.0/15 upto /24;
    route-filter 104.196.0.0/14 upto /24;
    route-filter 104.237.160.0/19 upto /24;
    route-filter 107.167.160.0/19 upto /24;
    route-filter 107.178.192.0/18 upto /24;
    route-filter 108.59.80.0/20 upto /24;
    route-filter 108.170.192.0/18 upto /24;
    route-filter 108.177.0.0/17 upto /24;
    route-filter 108.177.16.128/25 exact;
    route-filter 108.177.16.128/26 exact;
    route-filter 113.197.106.0/24 exact;
    route-filter 130.211.0.0/16 upto /24;
    route-filter 136.22.64.0/23 upto /24;
    route-filter 136.22.86.0/23 upto /24;
    route-filter 136.112.0.0/12 upto /24;
    route-filter 136.146.52.0/22 upto /24;
    route-filter 142.250.0.0/15 upto /24;
    route-filter 146.148.0.0/17 upto /24;
    route-filter 162.216.148.0/22 upto /24;
    route-filter 162.222.176.0/21 upto /24;
    route-filter 164.163.191.32/27 exact;
    route-filter 172.102.8.0/21 upto /24;
    route-filter 172.110.32.0/21 upto /24;
    route-filter 172.217.0.0/16 upto /24;
    route-filter 172.253.0.0/16 upto /24;
    route-filter 173.194.0.0/16 upto /24;
    route-filter 173.255.112.0/20 upto /24;
    route-filter 185.25.28.0/23 upto /24;
    route-filter 192.104.160.0/23 upto /24;
    route-filter 192.158.28.0/22 upto /24;
    route-filter 192.178.0.0/15 upto /24;
    route-filter 193.186.4.0/24 exact;
    route-filter 199.36.154.0/23 upto /24;
    route-filter 199.36.156.0/23 prefix-length-range /24-/24;
    route-filter 199.192.112.0/22 upto /24;
    route-filter 199.223.232.0/21 upto /24;
    route-filter 207.223.160.0/20 upto /24;
    route-filter 208.65.152.0/22 prefix-length-range /23-/24;
    route-filter 208.68.108.0/22 upto /24;
    route-filter 208.76.68.0/22 upto /24;
    route-filter 208.81.188.0/22 upto /24;
    route-filter 208.87.172.0/22 upto /24;
    route-filter 208.117.224.0/19 prefix-length-range /23-/24;
    route-filter 209.85.128.0/17 upto /24;
    route-filter 209.107.176.0/20 upto /24;
    route-filter 216.33.229.144/29 exact;
    route-filter 216.58.192.0/19 upto /24;
    route-filter 216.73.80.0/20 upto /24;
    route-filter 216.239.32.0/19 upto /24;
    route-filter 216.252.220.0/22 upto /24;
  }
 }
}

Now let's repeat for IPv6:

./bgpq4 -AJE -6 -R 48 -l ASN-15169-v6 AS15169

Output:

policy-options {
 policy-statement ASN-15169-v6 {
replace:
  from {
    route-filter 2001:1900:2292::/48 exact;
    route-filter 2001:4860::/32 upto /48;
    route-filter 2401:fa00::/32 upto /48;
    route-filter 2404:6800::/32 upto /48;
    route-filter 2404:f340::/32 upto /48;
    route-filter 2600:1900::/28 upto /48;
    route-filter 2600:2d00::/28 upto /48;
    route-filter 2602:ff11::/36 upto /48;
    route-filter 2604:31c0::/32 upto /48;
    route-filter 2605:ef80::/32 upto /48;
    route-filter 2607:8780::/32 upto /48;
    route-filter 2607:f8b0::/32 upto /48;
    route-filter 2620:0:890::/48 exact;
    route-filter 2620:0:1000::/40 upto /48;
    route-filter 2620:33:c000::/48 exact;
    route-filter 2620:5b:a000::/48 exact;
    route-filter 2620:11a:a000::/40 upto /48;
    route-filter 2620:120:e000::/40 upto /48;
    route-filter 2620:15c::/36 upto /48;
    route-filter 2800:3f0::/32 upto /48;
    route-filter 2a00:1450::/32 upto /48;
    route-filter 2a00:79e0::/31 upto /48;
    route-filter 2c0f:fb50::/32 upto /48;
  }
 }
}

Now let's load these filters into the BGP router. Enter configuration mode, run the “load replace relative terminal” command, paste the new route filter that we got from the bgpq4 command above, then press Ctrl-D to end.

With the load command the relative keyword is optional, but if you are using logical systems you can “edit logical-system <LS-name>” first and then continue as normal; the load then operates within that logical system. If you are not using logical systems, the keyword does no harm as long as you are at the root edit level. This isn’t an issue with routing-instances as they use the

[edit]
david.mcken@hostname1# load replace relative terminal
[Type ^D at a new line to end input]
policy-options {
 policy-statement ASN-15169-v6 {
replace:
  from {
    route-filter 2001:1900:2292::/48 exact;
    route-filter 2001:4860::/32 upto /48;
    route-filter 2401:fa00::/32 upto /48;
    route-filter 2404:6800::/32 upto /48;
    route-filter 2404:f340::/32 upto /48;
    route-filter 2600:1900::/28 upto /48;
    route-filter 2600:2d00::/28 upto /48;
    route-filter 2602:ff11::/36 upto /48;
    route-filter 2604:31c0::/32 upto /48;
    route-filter 2605:ef80::/32 upto /48;
    route-filter 2607:8780::/32 upto /48;
    route-filter 2607:f8b0::/32 upto /48;
    route-filter 2620:0:890::/48 exact;
    route-filter 2620:0:1000::/40 upto /48;
    route-filter 2620:33:c000::/48 exact;
    route-filter 2620:5b:a000::/48 exact;
    route-filter 2620:11a:a000::/40 upto /48;
    route-filter 2620:120:e000::/40 upto /48;
    route-filter 2620:15c::/36 upto /48;
    route-filter 2800:3f0::/32 upto /48;
    route-filter 2a00:1450::/32 upto /48;
    route-filter 2a00:79e0::/31 upto /48;
    route-filter 2c0f:fb50::/32 upto /48;
  }
 }
}
*press Control-D at this point*
load complete

[edit]
david.mcken@hostname# show | compare
[edit policy-options]
+   policy-statement ASN-15169-v6 {
+       from {
+           route-filter 2001:1900:2292::/48 exact;
+           route-filter 2001:4860::/32 upto /48;
+           route-filter 2401:fa00::/32 upto /48;
+           route-filter 2404:6800::/32 upto /48;
+           route-filter 2404:f340::/32 upto /48;
+           route-filter 2600:1900::/28 upto /48;
+           route-filter 2600:2d00::/28 upto /48;
+           route-filter 2602:ff11::/36 upto /48;
+           route-filter 2604:31c0::/32 upto /48;
+           route-filter 2605:ef80::/32 upto /48;
+           route-filter 2607:8780::/32 upto /48;
+           route-filter 2607:f8b0::/32 upto /48;
+           route-filter 2620:0:890::/48 exact;
+           route-filter 2620:0:1000::/40 upto /48;
+           route-filter 2620:33:c000::/48 exact;
+           route-filter 2620:5b:a000::/48 exact;
+           route-filter 2620:11a:a000::/40 upto /48;
+           route-filter 2620:120:e000::/40 upto /48;
+           route-filter 2620:15c::/36 upto /48;
+           route-filter 2800:3f0::/32 upto /48;
+           route-filter 2a00:1450::/32 upto /48;
+           route-filter 2a00:79e0::/31 upto /48;
+           route-filter 2c0f:fb50::/32 upto /48;
+       }
+   }

This can be automated by saving the output from the bgpq4 command to a file, copying it with scp to your home directory on the router, and then changing the load command to “load replace relative AS-15169-v4.txt”. The same caveats apply for logical systems, and this can actually work well if you have to load the same config snippet into multiple LSes.
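A pre-load sanity check for the automated workflow, as an added example that is not part of the original post: it parses the route-filter lines of a saved bgpq4 snippet and reports an empty list, a wrong address family, a default route, or entries that admit prefixes longer than a chosen limit. The name check_snippet and the limit values are assumptions; the sample lines are copied from the IPv4 output above.

```python
import ipaddress
import re

# One route-filter line as it appears in the bgpq4 output on this page.
ROUTE_FILTER = re.compile(r"^\s*route-filter\s+(\S+)\s+"
                          r"(?:exact|upto /(\d+)|prefix-length-range /\d+-/(\d+));\s*$")

def check_snippet(text, family, max_len):
    """Return a list of problems in a bgpq4 Juniper snippet; empty means OK."""
    problems, count = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if "route-filter" not in line:
            continue  # braces, policy-statement name, "replace:" tag
        m = ROUTE_FILTER.match(line)
        if not m:
            problems.append(f"line {lineno}: unparsable route-filter")
            continue
        try:
            net = ipaddress.ip_network(m.group(1), strict=True)
        except ValueError:
            problems.append(f"line {lineno}: invalid prefix {m.group(1)}")
            continue
        count += 1
        # Longest length admitted: upper bound of upto/range, else the prefix's own.
        longest = int(m.group(2) or m.group(3) or net.prefixlen)
        if net.version != family:
            problems.append(f"line {lineno}: {net} is not IPv{family}")
        elif net.prefixlen == 0:
            problems.append(f"line {lineno}: default route in filter")
        elif longest > max_len:
            problems.append(f"line {lineno}: {net} admits /{longest}, limit /{max_len}")
    if count == 0:
        # With "load replace", an empty snippet would replace the existing entries.
        problems.append("no route-filter entries found")
    return problems

# Sample input: four route-filter lines copied from the IPv4 output on this page.
SAMPLE = """policy-options {
 policy-statement ASN-15169-v4 {
replace:
  from {
    route-filter 8.8.8.0/24 exact;
    route-filter 8.34.208.0/20 prefix-length-range /21-/24;
    route-filter 23.236.48.0/20 upto /24;
    route-filter 74.125.57.240/29 exact;
  }
 }
}"""
print(check_snippet(SAMPLE, family=4, max_len=24))
```

Run against the full IPv4 output above with max_len=24, it reports the exact entries longer than /24, such as 74.125.57.240/29; whether to accept those is a local policy decision.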
