[j-nsp] next-hop driving me crazy

2013-04-26 Thread Eric Krichbaum
This should be simple but I can't get the behavior I want.

Blackhole scenario.  Customer set community, I want to see that community
and set next-hop to an address I have with a discard.  I've tried both a
discard interface and a basic static route.  Those seem ok either way.

set routing-options static route 192.0.2.1/32 discard

Route comes in and is accepted by policy.  With no next-hop 192.0.2.1
action, I see it as a valid route so I know the policy is happening.  When I
add the next-hop action, the route becomes Next hop type: Unusable with
Inactive reason: Unusable path.  I don't see anything special about this
and what I translated from my cisco versions doesn't look all that different
from various black hole presentations I find.

Anyone have a magic answer?

Thanks,
Eric



___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] next-hop driving me crazy

2013-04-26 Thread Alex Arseniev
Works fine for me in the lab on MX80+JUNOS 12.3 (I use BGP-LU though, too
busy to change to regular inet unicast :-)


[edit logical-systems MX2-RR]
aarseniev@mx80# run show route logical-system MX2-RR protocol bgp extensive

inet.0: 29 destinations, 30 routes (27 active, 0 holddown, 2 hidden)
198.18.0.6/32 (1 entry, 1 announced)
TSI:
KRT in-kernel 198.18.0.6/32 - {indirect(1048668)}
   *BGP    Preference: 170/-101
   Next hop type: Indirect
   Address: 0x26e8010
   Next-hop reference count: 6
   Source: 198.18.0.11
   Next hop type: Discard
   Protocol next hop: 192.0.2.1
   Push 299904
   Indirect next hop: 29941d8 1048668 INH Session ID: 0x280008
   State: Active Int Ext
   Local AS: 50928 Peer AS: 50928
   Age: 5:14   Metric2: 0
   Validation State: unverified
   Task: BGP_50928.198.18.0.11+179
   Announcement bits (2): 3-KRT 5-Resolve tree 2
   AS path: 31133 50928 I (Looped: 50928)
   Communities: 5:5
   Accepted
   Route Label: 299904
   Localpref: 100
   Router ID: 198.18.0.11
   Secondary Tables: inet.3
   Indirect next hops: 1
   Protocol next hop: 192.0.2.1 Metric: 0
   Push 299904
   Indirect next hop: 29941d8 1048668 INH Session ID: 0x280008


[edit logical-systems MX2-RR]
aarseniev@mx80# show policy-options policy-statement set-nh
term 1 {
    from {
        protocol bgp;
        community 5:5;
    }
    then {
        next-hop 192.0.2.1;
        accept;
    }
}
[edit logical-systems MX2-RR]
aarseniev@sadok# show routing-options
static {
    route 192.0.2.1/32 discard;
}




Re: [j-nsp] next-hop driving me crazy

2013-04-26 Thread Christian

Hello,
Use a ttl on the bgp session with the customer -
Rgds,

C.



Re: [j-nsp] next-hop driving me crazy

2013-04-26 Thread Tim Vollebregt

Hi Eric,

Works fine here, as you configured it.
Can you reply with your inbound route-policy and the show route x.x.x.x/32
extensive?


Thanks.

Tim


Re: [j-nsp] next-hop driving me crazy

2013-04-26 Thread David Waldman
Eric.  eBGP single hop will not let you change the NH by default.  You can
use the following knob to override this behavior:

protocols {
    bgp {
        log-updown;
        group TRIGGER {
            accept-remote-nexthop;
        }
    }
}

This can be applied @ proto group or neighbor.  See
http://www.juniper.net/techpubs/software/junos/junos94/swconfig-routing/accept-remote-nexthop.html
for more info.

Regards.

david




Re: [j-nsp] next-hop driving me crazy

2013-04-26 Thread Eric Krichbaum
Thanks everyone.  The policy straight to discard works for me, just annoyed
me.  I really didn't want to apply a knob (similar to the disable connected
check on cisco) to do it.  Trying to make these policies the same has proven
an interesting exercise and at least now I am aware of the knobs to make it
do the other.

Eric




Re: [j-nsp] next-hop driving me crazy

2013-04-26 Thread Jerry Dent
Also, you can do then next-hop discard in your policy and you won't need
the static route.


On Fri, Apr 26, 2013 at 2:04 PM, Richard A Steenbergen r...@e-gerbil.net wrote:

 On Fri, Apr 26, 2013 at 11:14:39AM -0500, Eric Krichbaum wrote:
  Thanks everyone.  The policy straight to discard works for me, just annoyed
  me.  I really didn't want to apply a knob (similar to the disable connected
  check on cisco) to do it.  Trying to make these policies the same has proven
  an interesting exercise and at least now I am aware of the knobs to make it
  do the other.

 It's technically a violation of the BGP spec to let the user arbitrarily
 rewrite the next-hop of an eBGP non-multihop route to something other
 than the directly connected interface, and the correct action when you
 do it is to reject the route for having an invalid next-hop.

 Of course, over here in reality land that's complete nonsense. There are
 perfectly legitimate reasons to do so, like the example you cited, but
 it took a LONG time to get this past the guys who defend the theory
 without regard to practice. You used to have to configure ebgp multihop
 everywhere to get it to relax those rules, which carries its own
 downsides like lack of fast external failover behavior. The commands
 like disable-connected-check and accept-remote-nexthop were the
 compromises between following the spec and satisfying the customer. ;)

 --
 Richard A Steenbergen r...@e-gerbil.net   http://www.e-gerbil.net/ras
 GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
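
The two ways of building the blackhole discussed in this thread, put side by side as an added example that is not from any of the posters. The community value 65000:666, the prefix 198.51.100.0/24, the neighbor 203.0.113.2, AS 64511 and the names BLACKHOLE and CUSTOMER-IN are assumptions; the group name TRIGGER, 192.0.2.1 and the two knobs come from the posts above. The /32 route-filter is an added safeguard so a customer can only blackhole addresses inside its own prefix.

```junos
/* Added example, not from the thread. Constructed values: 65000:666,
   198.51.100.0/24, 203.0.113.2, AS 64511, BLACKHOLE, CUSTOMER-IN. */
policy-options {
    community BLACKHOLE members 65000:666;
    policy-statement CUSTOMER-IN {
        term blackhole {
            from {
                community BLACKHOLE;
                /* only host routes inside the customer's own prefix */
                route-filter 198.51.100.0/24 prefix-length-range /32-/32;
            }
            then {
                /* Option 1: discard directly in policy; no static route
                   and no extra BGP knob needed. */
                next-hop discard;
                /* Option 2 (replace the line above with):
                       next-hop 192.0.2.1;
                   This needs the static discard route and
                   accept-remote-nexthop below on single-hop eBGP. */
                accept;
            }
        }
        term customer-routes {
            from {
                route-filter 198.51.100.0/24 exact;
            }
            then accept;
        }
        then reject;
    }
}
routing-options {
    static {
        /* Option 2 only */
        route 192.0.2.1/32 discard;
    }
}
protocols {
    bgp {
        group TRIGGER {
            type external;
            import CUSTOMER-IN;
            /* Option 2 only */
            accept-remote-nexthop;
            neighbor 203.0.113.2 {
                peer-as 64511;
            }
        }
    }
}
```

With either option, show route ... extensive on the tagged /32 should report Next hop type: Discard rather than Unusable.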