ScreenOS Cookbook by Sunil Wadhwa, Joe Kelly, Ken Draper, David Delcourt, Vik Davar, Stefan Brunner

17.1. Configure BGP with an External Peer

Problem

You want to configure BGP between a ScreenOS firewall and a peer device in a different AS.

Solution

As depicted in Figure 17-1, the ScreenOS firewall is in AS 64515 and the EBGP peer is in AS 65500. The e0/0 interface of the firewall is in the Untrust zone, which is hosted in the trust-vr (the default VR for all route-mode zones).

Figure 17-1. EBGP configuration

Configure the following on the ScreenOS firewall.

First, make sure you have correctly assigned the interface zone, IP address, and mode on the BGP-speaking interface:

	External_fw-> set interface ethernet0/0 zone Untrust
	External_fw-> set interface ethernet0/0 ip 10.0.0.1/24
	External_fw-> set interface ethernet0/0 route

Next, define the router ID and enable BGP with the correct local AS number:

	External_fw-> set vrouter trust-vr
	External_fw(trust-vr)-> set router-id 10.1.1.1
	External_fw(trust-vr)-> set protocol bgp 64515
	External_fw(trust-vr/bgp)-> set enable
	External_fw(trust-vr/bgp)-> exit

Finally, define the EBGP neighbor, and enable BGP at the interface level:

	External_fw(trust-vr)-> set protocol bgp neighbor 10.0.0.253 remote-as 65500
	External_fw(trust-vr)-> set protocol bgp neighbor 10.0.0.253 enable
	External_fw(trust-vr)-> exit

	External_fw-> set interface ethernet0/0 protocol bgp

This configuration starts BGP on the firewall, and permits it to receive all route advertisements from ...
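An added example, not from the book: a small Python check that reads a CLI transcript in the prompt format shown above and reports which parts of the recipe are missing, such as a neighbor that was defined but never enabled. The function name audit_ebgp and the sample transcript are constructed for illustration.

```python
import re

# Prompt forms in the recipe: "fw->", "fw(trust-vr)->", "fw(trust-vr/bgp)->".
PROMPT = re.compile(r"^\s*\S+?\s*(?:\(([^)]*)\))?\s*->\s*(.*)$")

# Constructed sample: the recipe's BGP commands with the neighbor "enable" line left out.
SAMPLE = """\
External_fw-> set vrouter trust-vr
External_fw(trust-vr)-> set router-id 10.1.1.1
External_fw(trust-vr)-> set protocol bgp 64515
External_fw(trust-vr/bgp)-> set enable
External_fw(trust-vr/bgp)-> exit
External_fw(trust-vr)-> set protocol bgp neighbor 10.0.0.253 remote-as 65500
External_fw(trust-vr)-> exit
External_fw-> set interface ethernet0/0 protocol bgp
"""

def audit_ebgp(transcript):
    """Return findings for recipe steps missing from a CLI transcript (hypothetical helper)."""
    local_as, router_id, bgp_on = None, False, False
    remote_as, nbr_on, if_bgp = {}, set(), set()
    for m in filter(None, map(PROMPT.match, transcript.splitlines())):
        ctx, cmd = m.group(1) or "", m.group(2).split()
        if cmd[:2] == ["set", "router-id"]:
            router_id = True
        elif cmd == ["set", "enable"] and ctx.endswith("/bgp"):
            bgp_on = True  # "set enable" typed inside the BGP context
        elif cmd[:2] == ["set", "interface"] and cmd[3:5] == ["protocol", "bgp"]:
            if_bgp.add(cmd[2])
        elif cmd[:3] == ["set", "protocol", "bgp"] and len(cmd) == 4 and cmd[3].isdigit():
            local_as = int(cmd[3])
        elif cmd[:4] == ["set", "protocol", "bgp", "neighbor"] and len(cmd) >= 6:
            if cmd[5] == "enable":
                nbr_on.add(cmd[4])
            elif cmd[5] == "remote-as" and len(cmd) == 7 and cmd[6].isdigit():
                remote_as[cmd[4]] = int(cmd[6])
    findings = [msg for ok, msg in [
        (router_id, "router-id not set"),
        (local_as is not None and bgp_on, "BGP instance missing or not enabled"),
        (if_bgp, "BGP not enabled on any interface"),
        (remote_as, "no neighbor with remote-as defined"),
    ] if not ok]
    for ip, asn in sorted(remote_as.items()):
        if ip not in nbr_on:
            findings.append(f"neighbor {ip} defined but not enabled")
        if asn == local_as:
            findings.append(f"neighbor {ip} uses the local AS, so it is not EBGP")
    return findings
```

Calling audit_ebgp(SAMPLE) flags the omitted neighbor enable step; a transcript containing every command from the recipe returns an empty list.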
