Re: [j-nsp] VRF export/import of eBGP learned route

2018-06-29 Thread Philippe Girard
Hi, thanks for adding to this.

I've just removed the loops statement in there to see what would happen. It
seems to me like the AS number in routing-options is pretty much the source
of the looping trigger that occurs (the addition of a second internal AS to
the path).

Everything works well and loop free without the loops statement, seems I
won't have to go the tunnel way.

Thanks again!

On Fri, Jun 29, 2018 at 5:39 PM Niall Donaghy wrote:

> Hi Alexander,
>
> In our network, inet.0 is AS20965 and IAS.inet.0 is AS21320.
> The IAS routing instance contains all commercial routes - public, private,
> and upstream peerings.
>
> Between inet.0 and IAS.inet.0 we have logical tunnels with BGP peerings.
>
> The routers are all configured with autonomous-system 20965, but to networks
> external to AS21320, we appear as AS21320, with the following configuration:
>
> set routing-instances IAS protocols bgp group SOMEGROUP neighbor x.x.x.x local-as 21320
> set routing-instances IAS protocols bgp group SOMEGROUP neighbor x.x.x.x local-as private
> set routing-instances IAS protocols bgp group SOMEGROUP neighbor x.x.x.x local-as no-prepend-global-as
>
> This keeps things tidy, loop-free, and BGP all the way, ie: no RIB groups or
> 'loops 2' statements, and we benefit from BGP path loop detection, and BGP
> policy controls between the two ASes.
>
> We've been running with 2.6M routes this way for 2.5 years+ and no issues.
>
> Happy to share if ever you want to refine your solution.
>
> Br,
> Niall
>
> -Original Message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
> Philippe Girard
> Sent: 29 June 2018 15:15
> To: Alexander Arseniev 
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] VRF export/import of eBGP learned route
>
> Hello everyone
>
> Thank you so much for your suggestions. The solution in this case is to
> remove the autonomous-system statement completely from the routing-instance
> routing-options and apply the local-as statement under bgp with the private
> knob.
>
> protocols {
>     bgp {
>         local-as 456 loops 2 private;
>     }
> }
>
> This creates an internal table that looks just like it would under regular
> bgp inet.0.
>
> Thanks again!
>
> On Fri, Jun 29, 2018 at 4:07 AM Alexander Arseniev via juniper-nsp <
> juniper-nsp@puck.nether.net> wrote:
>
> > Hello,
> >
> > Does "no-prepend-global-as" help?
> >
> >
> > https://www.juniper.net/documentation/en_US/junos/topics/concept/bgp-local-as-introduction.html
> >
> > HTH
> >
> > Thx
> >
> > Alex
> >
> >
> > On 29/06/2018 04:58, Aaron Gould wrote:
> > > Use with caution in live environment as I'm going off of some testing I was
> > > recently doing in my lab and I'm pretty sure I saw this same issue.
> > >
> > > Sounds like something I saw with my internet boundary pe's, would add my AS
> > > on routes were learned from internet and send as vpnv4 routes into my
> > > internal ibgp environment and internal pe's were seeing their own AS and
> > > routes were being hidden as looped...
> > >
> > > Try this on PE1 
> > >
> > > If pe1 ebgp group is called "ebgp-to-ix"...
> > > If IX ip that you neighbor with is 1.2.3.4...
> > > If vrf on PE1 and PE2 is called "my-vrf"...
> > >
> > > ...do this on PE1...
> > > set routing-instances my-vrf protocols bgp group ebgp-to-ix neighbor 1.2.3.4 local-as private
> > >
> > > ...now see if PE2 is still seeing its own AS as looped
> > >
> > > - Aaron
> > >
> > >
> > > ___
> > > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] VRF export/import of eBGP learned route

2018-06-29 Thread Niall Donaghy
Hi Alexander,

In our network, inet.0 is AS20965 and IAS.inet.0 is AS21320.
The IAS routing instance contains all commercial routes - public, private,
and upstream peerings.

Between inet.0 and IAS.inet.0 we have logical tunnels with BGP peerings.

The routers are all configured with autonomous-system 20965, but to networks
external to AS21320, we appear as AS21320, with the following configuration:

set routing-instances IAS protocols bgp group SOMEGROUP neighbor x.x.x.x local-as 21320
set routing-instances IAS protocols bgp group SOMEGROUP neighbor x.x.x.x local-as private
set routing-instances IAS protocols bgp group SOMEGROUP neighbor x.x.x.x local-as no-prepend-global-as

This keeps things tidy, loop-free, and BGP all the way, ie: no RIB groups or
'loops 2' statements, and we benefit from BGP path loop detection, and BGP
policy controls between the two ASes.

We've been running with 2.6M routes this way for 2.5 years+ and no issues.

Happy to share if ever you want to refine your solution.

Br,
Niall

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of
Philippe Girard
Sent: 29 June 2018 15:15
To: Alexander Arseniev 
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] VRF export/import of eBGP learned route

Hello everyone

Thank you so much for your suggestions. The solution in this case is to
remove the autonomous-system statement completely from the routing-instance
routing-options and apply the local-as statement under bgp with the private
knob.

protocols {
    bgp {
        local-as 456 loops 2 private;
    }
}

This creates an internal table that looks just like it would under regular
bgp inet.0.

Thanks again!

On Fri, Jun 29, 2018 at 4:07 AM Alexander Arseniev via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:

> Hello,
>
> Does "no-prepend-global-as" help?
>
>
> https://www.juniper.net/documentation/en_US/junos/topics/concept/bgp-local-as-introduction.html
>
> HTH
>
> Thx
>
> Alex
>
>
> On 29/06/2018 04:58, Aaron Gould wrote:
> > Use with caution in live environment as I'm going off of some testing I was
> > recently doing in my lab and I'm pretty sure I saw this same issue.
> >
> > Sounds like something I saw with my internet boundary pe's, would add my AS
> > on routes were learned from internet and send as vpnv4 routes into my
> > internal ibgp environment and internal pe's were seeing their own AS and
> > routes were being hidden as looped...
> >
> > Try this on PE1 
> >
> > If pe1 ebgp group is called "ebgp-to-ix"...
> > If IX ip that you neighbor with is 1.2.3.4...
> > If vrf on PE1 and PE2 is called "my-vrf"...
> >
> > ...do this on PE1...
> > set routing-instances my-vrf protocols bgp group ebgp-to-ix neighbor 1.2.3.4 local-as private
> >
> > ...now see if PE2 is still seeing its own AS as looped
> >
> > - Aaron


Re: [j-nsp] VRF export/import of eBGP learned route

2018-06-29 Thread Philippe Girard
Hello everyone

Thank you so much for your suggestions. The solution in this case is to
remove the autonomous-system statement completely from the routing-instance
routing-options and apply the local-as statement under bgp with the private
knob.

protocols {
    bgp {
        local-as 456 loops 2 private;
    }
}

This creates an internal table that looks just like it would under regular
bgp inet.0.

Thanks again!

On Fri, Jun 29, 2018 at 4:07 AM Alexander Arseniev via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:

> Hello,
>
> Does "no-prepend-global-as" help?
>
>
> https://www.juniper.net/documentation/en_US/junos/topics/concept/bgp-local-as-introduction.html
>
> HTH
>
> Thx
>
> Alex
>
>
> On 29/06/2018 04:58, Aaron Gould wrote:
> > Use with caution in live environment as I'm going off of some testing I was
> > recently doing in my lab and I'm pretty sure I saw this same issue.
> >
> > Sounds like something I saw with my internet boundary pe's, would add my AS
> > on routes were learned from internet and send as vpnv4 routes into my
> > internal ibgp environment and internal pe's were seeing their own AS and
> > routes were being hidden as looped...
> >
> > Try this on PE1 
> >
> > If pe1 ebgp group is called "ebgp-to-ix"...
> > If IX ip that you neighbor with is 1.2.3.4...
> > If vrf on PE1 and PE2 is called "my-vrf"...
> >
> > ...do this on PE1...
> > set routing-instances my-vrf protocols bgp group ebgp-to-ix neighbor 1.2.3.4 local-as private
> >
> > ...now see if PE2 is still seeing its own AS as looped
> >
> > - Aaron


Re: [j-nsp] VRF export/import of eBGP learned route

2018-06-29 Thread Alexander Arseniev via juniper-nsp

Hello,

Does "no-prepend-global-as" help?

https://www.juniper.net/documentation/en_US/junos/topics/concept/bgp-local-as-introduction.html

HTH

Thx

Alex


On 29/06/2018 04:58, Aaron Gould wrote:

Use with caution in live environment as I'm going off of some testing I was
recently doing in my lab and I'm pretty sure I saw this same issue.

Sounds like something I saw with my internet boundary pe's, would add my AS
on routes were learned from internet and send as vpnv4 routes into my
internal ibgp environment and internal pe's were seeing their own AS and
routes were being hidden as looped...

Try this on PE1 

If pe1 ebgp group is called "ebgp-to-ix"...
If IX ip that you neighbor with is 1.2.3.4...
If vrf on PE1 and PE2 is called "my-vrf"...

...do this on PE1...
set routing-instances my-vrf protocols bgp group ebgp-to-ix neighbor 1.2.3.4 local-as private

...now see if PE2 is still seeing its own AS as looped

- Aaron




Re: [j-nsp] VRF export/import of eBGP learned route

2018-06-29 Thread Chuck Anderson
I don't see this issue.  Does it only happen when you have a different ASN 
inside the VRF?

On Thu, Jun 28, 2018 at 10:44:07PM -0400, Philippe Girard wrote:
> Greetings
> 
> I'm setting up this VRF that hosts the full routing table. I have other
> peerings or remote PEs that import IX routes through eBGP as well.
> 
> The problem resides on something TAC tells me is Juniper specific, which is
> to add my own internal ASN to the as-path when using vrf-import to get a
> route that was learned through eBGP from another router to avoid potential
> loops.
> 
> So, let's say IX has AS 123 and I have AS 456 in the VRF, and my real
> inet.0 AS is 789, what is seen by another PE than the one learning the
> route directly from the IX is:
> 
> IX -- eBGP - PE1 - iBGP inet-vpn - PE2
> 
> Route as-path seen by PE1: 123 XXX YYY I
> Route as-path seen by PE2: 456 123 XXX YYY I
> 
> The behaviour is the same on all Junos routing devices in my core (MX +
> QFX5100) and I have to configure routing-options autonomous-system 456
> loops 2 for the other peers to accept routes imported by eBGP on another
> node.
> 
> Obviously, the "real" as-path is as follows, since the AS doing the
> underlay iBGP has ASN 789.
> 
> 456 [789] 456 123 XXX YYY I
> 
> I've tried independent domain but that makes me unable to filter any bgp
> attribute in vrf-imports and exports. I've also tried an "option A" peering
> between the routers and that revealed the underlay AS in the path. Using
> remove-private created a loop by re-sending the learned routes towards the
> edge.
> 
> Would anybody have an idea on how to achieve the equivalent of having an
> inet.0 iBGP mesh and importing routes without the own as prepending that
> takes place as described?


Re: [j-nsp] VRF export/import of eBGP learned route

2018-06-28 Thread Aaron Gould
Use with caution in live environment as I'm going off of some testing I was
recently doing in my lab and I'm pretty sure I saw this same issue.

Sounds like something I saw with my internet boundary pe's, would add my AS
on routes were learned from internet and send as vpnv4 routes into my
internal ibgp environment and internal pe's were seeing their own AS and
routes were being hidden as looped...

Try this on PE1 

If pe1 ebgp group is called "ebgp-to-ix"...
If IX ip that you neighbor with is 1.2.3.4...
If vrf on PE1 and PE2 is called "my-vrf"...

...do this on PE1...
set routing-instances my-vrf protocols bgp group ebgp-to-ix neighbor 1.2.3.4 local-as private

...now see if PE2 is still seeing its own AS as looped

- Aaron




[j-nsp] VRF export/import of eBGP learned route

2018-06-28 Thread Philippe Girard
Greetings

I'm setting up this VRF that hosts the full routing table. I have other
peerings or remote PEs that import IX routes through eBGP as well.

The problem resides on something TAC tells me is Juniper specific, which is
to add my own internal ASN to the as-path when using vrf-import to get a
route that was learned through eBGP from another router to avoid potential
loops.

So, let's say IX has AS 123 and I have AS 456 in the VRF, and my real
inet.0 AS is 789, what is seen by another PE than the one learning the
route directly from the IX is:

IX -- eBGP - PE1 - iBGP inet-vpn - PE2

Route as-path seen by PE1: 123 XXX YYY I
Route as-path seen by PE2: 456 123 XXX YYY I

The behaviour is the same on all Junos routing devices in my core (MX +
QFX5100) and I have to configure routing-options autonomous-system 456
loops 2 for the other peers to accept routes imported by eBGP on another
node.

Obviously, the "real" as-path is as follows, since the AS doing the
underlay iBGP has ASN 789.

456 [789] 456 123 XXX YYY I

I've tried independent domain but that makes me unable to filter any bgp
attribute in vrf-imports and exports. I've also tried an "option A" peering
between the routers and that revealed the underlay AS in the path. Using
remove-private created a loop by re-sending the learned routes towards the
edge.

Would anybody have an idea on how to achieve the equivalent of having an
inet.0 iBGP mesh and importing routes without the own as prepending that
takes place as described?

Thanks

Phil.
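
Added example, not part of the original thread or of Junos itself: a simplified Python model of the AS-path loop check discussed in this thread, run over the as-path PE2 sees and, going slightly beyond the post, over paths that genuinely transited AS 456. It assumes a route is hidden when the local AS appears `loops` or more times; ASNs 64500-64502 are constructed stand-ins for XXX/YYY and the function names are hypothetical.

```python
# Simplified model (an assumption, not Junos source) of AS-path loop detection:
# a route is hidden when the local AS appears in its AS path `loops` or more
# times. `loops 1` is the default; the thread used `loops 2` on AS 456.

ORIGIN_CODES = {"I", "E", "?"}  # trailing origin marker in "show route" output


def parse_as_path(text):
    """Turn an AS path such as '456 123 64500 I' into a list of integer ASNs."""
    asns = []
    for token in text.split():
        if token in ORIGIN_CODES:
            continue
        if not token.isdigit():
            raise ValueError(f"unexpected AS path token: {token!r}")
        asns.append(int(token))
    return asns


def is_hidden(as_path, local_as, loops=1):
    """True when the loop check would hide the route on a router in local_as."""
    if loops < 1:
        raise ValueError("loops must be at least 1")
    return parse_as_path(as_path).count(local_as) >= loops


def evaluate(routes, local_as, loops):
    """Map each route name to 'hidden' or 'accepted' for the given threshold."""
    return {
        name: "hidden" if is_hidden(path, local_as, loops) else "accepted"
        for name, path in routes.items()
    }


# Constructed sample paths as PE2 (VRF AS 456) would receive them.
# 123 and 456 come from the thread; 64500-64502 stand in for XXX/YYY.
ROUTES = {
    "ix-route-imported-from-pe1": "456 123 64500 64501 I",
    "path-that-crossed-456-once": "123 64500 456 64502 I",
    "path-that-crossed-456-twice": "123 456 64500 456 64502 I",
}

if __name__ == "__main__":
    for loops in (1, 2):
        print(f"loops {loops}:")
        for name, verdict in evaluate(ROUTES, 456, loops).items():
            print(f"  {name:30} {verdict}")
```

With loops 2 the imported IX route is accepted, but so is a path that genuinely transited AS 456 once; the default (loops 1) hides both.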