Update IRR Routing Filters on a Juniper Router running Junos
- Juniper router(s) running Junos
- NETCONF enabled over SSH
- Juniper PyEZ (junos-eznc) Python packages on your host
- BGPQ4 installed on the host where you plan to run these scripts (Debian/Ubuntu: apt-get install bgpq4)
You want to run strict IRR filters on your customer/peer BGP sessions and have a Juniper router. This collection of scripts wraps around BGPQ4 to generate prefix lists, then builds filter config that our Python code reads and pushes to the router over NETCONF.
We've included everything you need to make this pretty self-contained and so the scripts here do everything you need to build a route-filter from a list of prefixes generated by BGPQ4.
This collection has everything you need in one place. You need to configure a couple of things here. We're expecting you to install this into /usr/share/junos-irrupdater/ on your host:
- config/routers.conf: specify here the username and password required to interact with your router.
- config/peers.conf: specify here, as comma-separated lines, the ASN and AS-SET of your peers. You'll need to do this every time you add a new peer that you need filters for.
- config/sessions.conf: this file contains the combination of the ASN and the router hostname/IP it's on. You'll need to update this every time you set up a new peer on an IX/PNI/new router.
Once you've got the configuration set, you can simply schedule a couple of things to run in cron and you should be all set.
- buildprefixes.sh: run this on some schedule. It'll use bgpq4 to build the prefix lists and the actual filters to be pushed to the router. It'll take time to run depending on the number of peers you have, and how many prefixes they have. It pulls the prefixes for your peers based on config/peers.conf.
- pushfilters.sh: run this on a schedule, or directly after buildprefixes.sh. Essentially this calls the Python code to push the filters to your routers. It'll loop through everything in the config/sessions.conf file automatically.
The scripts here generate filters that can be used as part of your policy chain. This results in filters named as follows:
- as32934-import-ipv4 for Facebook on IPv4
- as32934-import-ipv6 for Facebook on IPv6
The filter has two terms. The first matches the peer's prefixes and, on a match, moves to the next policy-statement in your chain. The second is a reject. So if you use this as the first filter in your chain, a route either matches the prefixes and is passed on to your next policy, or is rejected because it doesn't match. We're also aggregating the prefixes here, and allowing up to a /24 in IPv4 and a /48 in IPv6.
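A sketch of the two-term filter described above, rendered as Junos set commands from a list of IRR prefixes. This is an added example, not the project's own code: the term names `prefixes` and `reject`, the set-command output form and the sample entries are assumptions.

```python
import ipaddress

# Longest accepted prefix length per family (the /24 and /48 limits above).
MAX_LEN = {4: 24, 6: 48}

# Constructed sample of IRR-derived entries; not real bgpq4 output.
SAMPLE = [
    "192.0.2.0/24",
    "198.51.100.0/25",              # longer than /24: dropped
    "2001:db8::/32",                # other address family: dropped for IPv4
    "203.0.113.7/24",               # host bits set: dropped
    "198.51.100.0/24 then accept",  # malformed text: dropped
    " 198.51.100.0/24 ",
    "192.0.2.0/24",                 # duplicate: dropped
]

def build_filter(asn, family, prefixes):
    """Return Junos set commands for as<asn>-import-ipv<family>."""
    if family not in MAX_LEN:
        raise ValueError("family must be 4 or 6")
    asn = int(asn)
    if not 0 < asn < 2**32:
        raise ValueError("ASN out of range")
    base = f"set policy-options policy-statement as{asn}-import-ipv{family}"
    limit = MAX_LEN[family]
    seen, cmds = set(), []
    for raw in prefixes:
        # Only the canonical form produced by ipaddress reaches the config,
        # so stray text in IRR data cannot end up in a command.
        try:
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError:
            continue
        if net.version != family or net.prefixlen > limit or net in seen:
            continue
        seen.add(net)
        cmds.append(f"{base} term prefixes from route-filter {net} upto /{limit}")
    # A term with no 'from' matches every route. If nothing survived
    # validation, emit only the reject term so the filter fails closed.
    if cmds:
        cmds.append(f"{base} term prefixes then next policy")
    cmds.append(f"{base} term reject then reject")
    return cmds

if __name__ == "__main__":
    print("\n".join(build_filter(32934, 4, SAMPLE)))
```

An empty or unresolvable AS-SET is the case to watch: the output then contains only the reject term, so the session drops everything rather than accepting everything.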
The code is still pretty alpha really. You can help by making it better! Whilst I've been using Juniper for years, I've recently integrated Juniper alongside Mikrotik in my personal network. If you need a Mikrotik version of this, you can find it at Edgenative/mikrotik-irrupdater
Let me know, I'd love to hear from you!