
BGP Configuration on JunOS


Play time with JunOS BGP !!!

This article will cover e-BGP, i-BGP, Route Advertisement, and Local Preference configuration on JunOS

Network Design

e-BGP configuration

e-BGP on J1 (J2 and J3 can be done accordingly)

set router-id first…

And then set neighborship

i-BGP configuration

i-BGP on J2 (J3 can be done accordingly)

We can see that J2 has 2 groups…1 for i-BGP peers and 1 for e-BGP peers

BGP Neighborship

Let's take a look at the BGP neighborship on J3 after everything converges

show bgp summary


BGP Route Advertisement

BGP Route Advertisement on J1 (J2 and J3 can be done accordingly)

Set a policy for advertising the routes; for example, we want J1 to advertise 1.1.1.1 from its loopback

Then export the policy into BGP group external

Route advertisement verification on J2

Route advertisement on J2 is slightly different: we export the policy ABOVE the BGP group (right after we set protocol bgp)

So, both internal and external BGP get the routes

Verification on J1

Configuring Path Modification via Local Preference

According to “show route protocol bgp”, route 2.2.2.2 is reached via em0.0 (through J2)

Now let's change it…route 2.2.2.2 will be reached via em1.0 (through J3)

Configure local preference on R1

Import the policy into BGP group *screenshot missing…I forgot haha*

Verification
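
The J1 side of the steps above, written out as set commands. This is an added example, not the author's configuration. The AS numbers, peer addresses, router-id value and policy names are assumptions; only the group name external, the prefixes 1.1.1.1 and 2.2.2.2 and the J2/J3 interfaces come from the article.

```junos
# Added example for J1. Assumed values (not from the article):
#   J1 in AS 65001, J2 and J3 in AS 65002
#   J2 peer address 10.0.12.2 (reached via em0.0)
#   J3 peer address 10.0.13.3 (reached via em1.0)
#   router-id value and the policy names advertise-loopback / prefer-j3
# Lines starting with # are annotations for the reader.

# Router ID first, then the local AS
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 65001

# e-BGP neighborship toward J2 and J3 in group external
set protocols bgp group external type external
set protocols bgp group external peer-as 65002
set protocols bgp group external neighbor 10.0.12.2
set protocols bgp group external neighbor 10.0.13.3

# Policy that advertises the loopback 1.1.1.1/32
set policy-options policy-statement advertise-loopback term lo0 from protocol direct
set policy-options policy-statement advertise-loopback term lo0 from route-filter 1.1.1.1/32 exact
set policy-options policy-statement advertise-loopback term lo0 then accept

# Export the policy into BGP group external
set protocols bgp group external export advertise-loopback

# Local preference: prefer 2.2.2.2/32 when it is learned from J3.
# The default local preference is 100, so 200 wins over the copy from J2.
set policy-options policy-statement prefer-j3 term via-j3 from neighbor 10.0.13.3
set policy-options policy-statement prefer-j3 term via-j3 from route-filter 2.2.2.2/32 exact
set policy-options policy-statement prefer-j3 term via-j3 then local-preference 200
set policy-options policy-statement prefer-j3 term via-j3 then accept

# Import the policy into BGP group external
set protocols bgp group external import prefer-j3
```

Routes that match no term fall through to the default BGP policy, so `show route advertising-protocol bgp 10.0.12.2` on J1 is the check for what is actually sent to J2.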


(Additional) ISE Internal Authentication using Cisco AnyConnect


If our computer doesn't have dot1x but we want to use dot1x…we can use 3rd-party software such as Cisco AnyConnect

Which AnyConnect, though?? Use the AnyConnect Secure Mobility Client

Requirement:

  • Like the first lab
  • A CCO login, a.k.a. a Cisco.com login, to download the files
  • The AnyConnect file (4.x or 3.x), for example anyconnect-win-3.1.05187-pre-deploy-k9.iso
  • (optional) AnyConnect Profile Editor, such as anyconnect-profileeditor-3.1.06073-k9.msi
  • Don't download the WRONG one (I use Windows…so I download the one for Windows)

Note: you can't log in with a regular user account; usually the accounts that can download belong to a vendor or a certified learning partner (if you find it on 4shared/torrent, go right ahead)

For example, as below

=======================================================

Cisco NAM (Network Access manager)

Cisco NAM is what provides the authentication for dot1x. Where do we get it? From the Cisco AnyConnect file we downloaded earlier

After downloading…run setup.exe, select AnyConnect NAM (Network Access Manager), then click Install Selected

You will be asked to restart the computer, so go along with it (once that's done, a Cisco AnyConnect icon appears at the bottom right of the screen)

Right-click -> choose Open AnyConnect

AnyConnect will then show that it is authenticating…it automatically detects the connection via “wired”

This “wired” is the default profile inside Cisco AnyConnect, and we can't edit this default…to edit it, we have to download the Cisco AnyConnect Profile Editor (that’s why I told you to download both files)

AnyConnect's default “wired” profile authenticates via certificates…which means we have to edit it…and editing it means we have to install the Profile Editor

Just install it…click Custom

Select only NAM Profile Editor, then keep clicking Next

Then find NAM Profile Editor in the Start menu (RUN AS ADMINISTRATOR!!! I lost 1 hour because I couldn't save my profile edits T_T )

Click the Network tree (below Authentication Policy) -> click the default profile “wired” -> click Edit

Select the Certificates tab (below the User Auth tab) -> select the option Include Root Certificate Authority (CA) Certificates -> click Add -> for files of type choose All Files (so that everything is visible; by default it only detects the .pem format) -> then load the certificate; a Base-64 certificate is recommended

Where does that Base-64 certificate come from? From the PKI server….download again

Note: if we have already installed that CA on the local computer…there is no need to set this (just leave the option “Trust any Root Certificate...”)

Once it has been added in NAM Profile Editor, go straight to the Credentials tab (below the PAC Files tab) to click Done (why does the Done button have to be here)

Then Save As…the format is XML

Don't change the folder…because NAM Profile Editor looks for the config there

When that's done..click the AnyConnect icon at the bottom right of the screen again -> choose Network Repair

An authentication prompt from AnyConnect will appear…enter the credentials

If it is correct, the result looks like the one below…Connected
