[j-nsp] next-hop driving me crazy
This should be simple but I can't get the behavior I want. Blackhole scenario.
Customer set community, I want to see that community and set next-hop to an
address I have with a discard. I've tried both a discard interface and a basic
static route. Those seem ok either way.

    set routing-options static route 192.0.2.1/32 discard

Route comes in and is accepted by policy. With no "next-hop 192.0.2.1" action,
I see it as a valid route so I know the policy is happening. When I add the
next-hop action, the route becomes "Next hop type: Unusable" with
"Inactive reason: Unusable path".

I don't see anything special about this and what I translated from my Cisco
versions doesn't look all that different from various black hole presentations
I find. Anyone have a magic answer?

Thanks,
Eric

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] next-hop driving me crazy
Works fine for me in the lab on MX80 + JUNOS 12.3 (I use BGP-LU though, too
busy to change to regular inet unicast :-)

    [edit logical-systems MX2-RR]
    aarseniev@mx80# run show route logical-system MX2-RR protocol bgp extensive

    inet.0: 29 destinations, 30 routes (27 active, 0 holddown, 2 hidden)
    198.18.0.6/32 (1 entry, 1 announced)
    TSI:
    KRT in-kernel 198.18.0.6/32 -> {indirect(1048668)}
            *BGP    Preference: 170/-101
                    Next hop type: Indirect
                    Address: 0x26e8010
                    Next-hop reference count: 6
                    Source: 198.18.0.11
                    Next hop type: Discard
                    Protocol next hop: 192.0.2.1
                    Push 299904
                    Indirect next hop: 29941d8 1048668 INH Session ID: 0x280008
                    State: <Active Int Ext>
                    Local AS: 50928 Peer AS: 50928
                    Age: 5:14       Metric2: 0
                    Validation State: unverified
                    Task: BGP_50928.198.18.0.11+179
                    Announcement bits (2): 3-KRT 5-Resolve tree 2
                    AS path: 31133 50928 I (Looped: 50928)
                    Communities: 5:5
                    Accepted
                    Route Label: 299904
                    Localpref: 100
                    Router ID: 198.18.0.11
                    Secondary Tables: inet.3
                    Indirect next hops: 1
                            Protocol next hop: 192.0.2.1 Metric: 0
                            Push 299904
                            Indirect next hop: 29941d8 1048668 INH Session ID: 0x280008

    [edit logical-systems MX2-RR]
    aarseniev@mx80# show policy-options policy-statement set-nh
    term 1 {
        from {
            protocol bgp;
            community 5:5;
        }
        then {
            next-hop 192.0.2.1;
            accept;
        }
    }

    [edit logical-systems MX2-RR]
    aarseniev@sadok# show routing-options
    static {
        route 192.0.2.1/32 discard;
    }

----- Original Message -----
From: Eric Krichbaum <e...@telic.us>
To: juniper-nsp@puck.nether.net
Sent: Friday, April 26, 2013 2:36 PM
Subject: [j-nsp] next-hop driving me crazy
Re: [j-nsp] next-hop driving me crazy
Hello,

Use a ttl on the bgp session with the customer.

Rgds,
C.

On 26/04/2013 16:26, Alex Arseniev wrote:
Re: [j-nsp] next-hop driving me crazy
Hi Eric,

Works fine here, as you configured it. Can you reply with your inbound
route-policy and the "show route x.x.x.x/32 extensive"?

Thanks.
Tim

On 26-04-13 15:36, Eric Krichbaum wrote:
Re: [j-nsp] next-hop driving me crazy
Eric,

eBGP single hop will not let you change the NH by default. You can use the
following knob to override this behavior:

    protocols {
        bgp {
            log-updown;
            group TRIGGER {
                accept-remote-nexthop;
            }
        }
    }

This can be applied @ proto group or neighbor. See
http://www.juniper.net/techpubs/software/junos/junos94/swconfig-routing/accept-remote-nexthop.html
for more info.

Regards,
david

On Fri, Apr 26, 2013 at 10:35 AM, Tim Vollebregt <t...@interworx.nl> wrote:
Re: [j-nsp] next-hop driving me crazy
Thanks everyone. The policy straight to discard works for me, just annoyed me.
I really didn't want to apply a knob (similar to the disable connected check on
Cisco) to do it. Trying to make these policies the same has proven an
interesting exercise and at least now I am aware of the knobs to make it do
the other.

Eric

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of David Waldman
Sent: Friday, April 26, 2013 10:59 AM
To: Tim Vollebregt
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] next-hop driving me crazy
Re: [j-nsp] next-hop driving me crazy
Also, you can do "then next-hop discard" in your policy and you won't need the
static route.

On Fri, Apr 26, 2013 at 2:04 PM, Richard A Steenbergen <r...@e-gerbil.net> wrote:

> On Fri, Apr 26, 2013 at 11:14:39AM -0500, Eric Krichbaum wrote:
>
> It's technically a violation of the BGP spec to let the user arbitrarily
> rewrite the next-hop of an eBGP non-multihop route to something other than
> the directly connected interface, and the correct action when you do it is
> to reject the route for having an invalid next-hop. Of course, over here in
> reality land that's complete nonsense. There are perfectly legitimate
> reasons to do so, like the example you cited, but it took a LONG time to
> get this past the guys who defend the theory without regard to practice.
> You used to have to configure ebgp multihop everywhere to get it to relax
> those rules, which carries its own downsides like lack of fast external
> failover behavior. The commands like disable-connected-check and
> accept-remote-nexthop were the compromises between following the spec and
> satisfying the customer. ;)
>
> --
> Richard A Steenbergen <r...@e-gerbil.net>   http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
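As an added example that is not configuration from anyone in this thread: a complete customer import policy in the policy-only form discussed above ("then next-hop discard", so no static route and no next-hop rewrite), restricted so the customer can only blackhole host routes inside its own block. The community value 65000:666, the customer block 203.0.113.0/24, peer 192.0.2.10, peer AS 64500 and all names are assumptions.

```junos
policy-options {
    /* Community the customer sets to request a blackhole (assumed value) */
    community BLACKHOLE members 65000:666;
    policy-statement CUSTOMER-A-IN {
        /* Blackhole only host routes inside the customer's own (assumed) block */
        term blackhole {
            from {
                protocol bgp;
                community BLACKHOLE;
                route-filter 203.0.113.0/24 prefix-length-range /32-/32;
            }
            then {
                next-hop discard;
                accept;
            }
        }
        /* Any other route tagged for blackholing is refused outright */
        term refuse-other-blackhole {
            from community BLACKHOLE;
            then reject;
        }
        /* Ordinary customer routes: the aggregate only */
        term customer-routes {
            from route-filter 203.0.113.0/24 exact;
            then accept;
        }
        then reject;
    }
}
protocols {
    bgp {
        group CUSTOMER-A {
            type external;
            peer-as 64500;
            import CUSTOMER-A-IN;
            neighbor 192.0.2.10;
        }
    }
}
```

If you keep the thread's "next-hop 192.0.2.1" rewrite with a static discard route instead, the same group also needs accept-remote-nexthop as David describes. The prefix-length-range /32-/32 match inside the customer's own block is what stops a customer from blackholing addresses that are not theirs.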