Configuring BGP with an Authentication Key on a Juniper SRX
The following are the steps to configure BGP with an authentication key on a Juniper SRX:
1. Configure the IP address on each interface.
vSRX1
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 100 vlan-id 100
set interfaces ge-0/0/0 unit 100 family inet address 1.1.1.1/30
set interfaces ge-0/0/0 unit 200 vlan-id 200
set interfaces ge-0/0/0 unit 200 family inet address 192.168.1.1/24
vSRX2
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 100 vlan-id 100
set interfaces ge-0/0/0 unit 100 family inet address 1.1.1.2/30
set interfaces ge-0/0/0 unit 201 vlan-id 201
set interfaces ge-0/0/0 unit 201 family inet address 192.168.2.1/24
2. Configure a security zone for each interface, and enable the ping system service on each interface as well.
vSRX1
set security zones security-zone trust interfaces ge-0/0/0.200 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.100 host-inbound-traffic system-services ping
vSRX2
set security zones security-zone trust interfaces ge-0/0/0.201 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.100 host-inbound-traffic system-services ping
3. Enable the BGP protocol on the interface that will be used for BGP communication.
vSRX1
set security zones security-zone untrust interfaces ge-0/0/0.100 host-inbound-traffic protocols bgp
vSRX2
set security zones security-zone untrust interfaces ge-0/0/0.100 host-inbound-traffic protocols bgp
4. Configure the local AS on each SRX.
vSRX1
set routing-options autonomous-system 1111
vSRX2
set routing-options autonomous-system 1112
5. Configure the BGP group on each SRX (peer type, neighbor address, peer AS and export policy).
vSRX1
set policy-options policy-statement export-to-vsrx2 from protocol direct
set policy-options policy-statement export-to-vsrx2 then accept
set protocols bgp group bgp-to-vsrx2 type external
set protocols bgp group bgp-to-vsrx2 export export-to-vsrx2
set protocols bgp group bgp-to-vsrx2 peer-as 1112
set protocols bgp group bgp-to-vsrx2 neighbor 1.1.1.2
vSRX2
set policy-options policy-statement export-to-vsrx1 from protocol direct
set policy-options policy-statement export-to-vsrx1 then accept
set protocols bgp group bgp-to-vsrx1 type external
set protocols bgp group bgp-to-vsrx1 export export-to-vsrx1
set protocols bgp group bgp-to-vsrx1 peer-as 1111
set protocols bgp group bgp-to-vsrx1 neighbor 1.1.1.1
6. Commit the configuration and check the BGP neighbor status on each SRX.
vSRX1
root# commit
root# run show bgp neighbor
Peer: 1.1.1.2+53894 AS 1112 Local: 1.1.1.1+179 AS 1111
Type: External State: Established Flags: <Sync>
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Export: [ export-to-vsrx2 ]
Options: <Preference PeerAS Refresh>
Holdtime: 90 Preference: 170
Number of flaps: 0
Peer ID: 1.1.1.2 Local ID: 1.1.1.1 Active Holdtime: 90
Keepalive Interval: 30 Peer index: 0
BFD: disabled, down
Local Interface: ge-0/0/0.100
vSRX2
root# commit
root# run show bgp neighbor
Peer: 1.1.1.1+179 AS 1111 Local: 1.1.1.2+53894 AS 1112
Type: External State: Established Flags: <Sync>
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Export: [ export-to-vsrx1 ]
Options: <Preference PeerAS Refresh>
Holdtime: 90 Preference: 170
Number of flaps: 0
Peer ID: 1.1.1.1 Local ID: 1.1.1.2 Active Holdtime: 90
Keepalive Interval: 30 Peer index: 0
BFD: disabled, down
Local Interface: ge-0/0/0.100
7. Configure a security policy so that the trust zones of the two SRXs can communicate with each other.
vSRX1
set security zones security-zone untrust address-book address vsrx2-local 192.168.2.0/24
set security policies from-zone untrust to-zone trust policy 1 match source-address vsrx2-local
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
vSRX2
set security zones security-zone untrust address-book address vsrx1-local 192.168.1.0/24
set security policies from-zone untrust to-zone trust policy 1 match source-address vsrx1-local
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
8. Commit the configuration and try sending ICMP (ping) from the trust interface of one SRX to the trust interface of the other SRX.
vSRX1
root# commit
root# run ping 192.168.2.1 source 192.168.1.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=25.501 ms
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=7.315 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=7.319 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=8.033 ms
^C
--- 192.168.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 7.315/12.042/25.501/7.776 ms
vSRX2
root# commit
root# run ping 192.168.1.1 source 192.168.2.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=17.444 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=13.558 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=14.128 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=10.219 ms
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.219/13.837/17.444/2.562 ms
9. Once that works, configure the BGP group on each SRX to add an authentication key.
vSRX1
set protocols bgp authentication-key secure123
vSRX2
set protocols bgp authentication-key secure123
10. Commit the configuration and check the BGP neighbor status on each SRX. Once the session is established, send the ICMP messages again as in the previous step.
vSRX1
root# commit
root# run show bgp neighbor
Peer: 1.1.1.2+50198 AS 1112 Local: 1.1.1.1+179 AS 1111
Type: External State: Established Flags: <Sync>
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Export: [ export-to-vsrx2 ]
Options: <Preference AuthKey PeerAS Refresh>
Authentication key is configured
Holdtime: 90 Preference: 170
Number of flaps: 1
Last flap event: RecvNotify
Error: 'Cease' Sent: 0 Recv: 1
Peer ID: 1.1.1.2 Local ID: 1.1.1.1 Active Holdtime: 90
Keepalive Interval: 30 Peer index: 0
BFD: disabled, down
Local Interface: ge-0/0/0.100
root# run ping 192.168.2.1 source 192.168.1.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=14.930 ms
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=6.463 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=6.757 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=6.430 ms
^C
--- 192.168.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.430/8.645/14.930/3.631 ms
vSRX2
root# commit
root# run show bgp neighbor
Peer: 1.1.1.1+179 AS 1111 Local: 1.1.1.2+50198 AS 1112
Type: External State: Established Flags: <Sync>
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Export: [ export-to-vsrx1 ]
Options: <Preference AuthKey PeerAS Refresh>
Authentication key is configured
Holdtime: 90 Preference: 170
Number of flaps: 0
Peer ID: 1.1.1.1 Local ID: 1.1.1.2 Active Holdtime: 90
Keepalive Interval: 30 Peer index: 0
BFD: disabled, down
Local Interface: ge-0/0/0.100
root# run ping 192.168.1.1 source 192.168.2.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=9.121 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=6.784 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=13.765 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=16.272 ms
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.784/11.486/16.272/3.735 ms
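Added example (not part of the original tutorial): a Python check that parses the show bgp neighbor output format shown above and reports any eBGP session whose Options line lacks AuthKey or that is not Established. The sample output is constructed from the step 6 and step 10 outputs, and the parse_bgp_neighbors and audit function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the "show bgp neighbor" format this tutorial prints:
# block 1 is from before the key was committed (step 6), block 2 from after (step 10).
SAMPLE_OUTPUT = """\
Peer: 1.1.1.2+53894 AS 1112 Local: 1.1.1.1+179 AS 1111
Type: External State: Established Flags: <Sync>
Options: <Preference PeerAS Refresh>
Number of flaps: 0
Peer: 1.1.1.2+50198 AS 1112 Local: 1.1.1.1+179 AS 1111
Type: External State: Established Flags: <Sync>
Options: <Preference AuthKey PeerAS Refresh>
Authentication key is configured
Number of flaps: 1
Last flap event: RecvNotify
Error: 'Cease' Sent: 0 Recv: 1
"""
PEER_RE = re.compile(r"^Peer: (\S+?)\+\d+ AS (\d+) Local: (\S+?)\+\d+ AS (\d+)")

def parse_bgp_neighbors(text: str) -> List[Dict]:
    """Return one dict per peer block: addresses, ASNs, state, options, flaps."""
    peers: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:  # a "Peer:" line starts the next block
            cur = {"peer": m.group(1), "peer_as": int(m.group(2)),
                   "local": m.group(3), "local_as": int(m.group(4)),
                   "state": None, "options": [], "flaps": 0}
            peers.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Type:"):
            cur["state"] = re.search(r"State: (\w+)", line).group(1)
        elif line.startswith("Options:"):
            cur["options"] = re.search(r"<(.*)>", line).group(1).split()
        elif line.startswith("Number of flaps:"):
            cur["flaps"] = int(line.split(":")[1])
    return peers

def audit(peers: List[Dict]) -> List[str]:
    """Flag eBGP sessions that are down or run without an authentication key."""
    findings = []
    for p in peers:
        if p["state"] != "Established":
            findings.append(f"{p['peer']}: session state {p['state']}")
        if p["peer_as"] != p["local_as"] and "AuthKey" not in p["options"]:
            findings.append(f"{p['peer']} (AS {p['peer_as']}): no AuthKey in session options")
    return findings
```

The flap count and the received Cease notification in the second block are what you see when the key is committed on one side before the other; the audit only reports the session as clean once AuthKey appears in its options.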
For more details, see the video tutorial below.