Routing

Hi all.

 

I am new to the Juniper devices, and am having some trouble with hidden routes. I am hopeing some of the forum members can lend me a helping hand to resolve my issues.

 

Please bear in mind that I have limited Juniper device exposure, with the vast majority of my time spent on the Cisco devices, so I might not know the Juniper terminology as well as a Juniper veteran 🙂

 

Any help is most aperciated.

 

My requirement is to get all those 744 hidden routes into the backend routing instance, that is explained below and outlined below.

 

The cisco side reports that they are receiving the prefixes I have advertised out to them perfectly.

 

==================

-1st my topology:

 

One Juniper EX-4550 virtual chassis switch, with two aggregated interfaces to two Cisco devices.

 

Link1:

-------

 

Juniper EX-4550

  interface ae1.901

  vlan-id 901

  inet address 172.31.106.11/31

 

-----------to----------->

 

Cisco1

ip address 172.31.106.10/31

 

Link 2:

--------

 

Juniper EX-4550

  interface ae2.903

  inet address 172.31.106.13/31

  vlan-id 903

-----------to----------->

 

Cisco2

ip address 172.31.106.12/31

 

==============

 

I am running a backend routing instance configured as follows:

 

==============

>show configuration routing-instances

 

backend {

    instance-type virtual-router;

    interface ae1.901;

    interface ae2.903;

    interface vlan.0;

    interface vlan.1;

    interface vlan.2;

    routing-options {

        interface-routes {

            rib-group inet backend;

        }

    }

    protocols {

       bgp {

            log-updown;

            family inet {

                unicast;

            }

            local-as 65514;

            group AS65514 {

                type external;

                description "eBGP to cisco for Backend;";

                import BACKEND-IMPORT;

                export BACKEND-EXPORT;

                peer-as 4802;

                neighbor 172.31.106.10 {

                    description "eBGP link to cisco1";

                    authentication-key "xxxx"; ## SECRET-DATA

                }

                neighbor 172.31.106.12 {

                    description "eBGP link to cisco2";

                    authentication-key "xxxx"; ## SECRET-DATA

                }

            }

        }

    }

}

 

>show route instance backend detail backend:

 

  Router ID: 10.8.252.254

  Type: virtual-router    State: Active

  Interfaces:

    vlan.2

    vlan.1

    vlan.0

    ae2.903

    ae1.901

  Tables:

    backend.inet.0         : 754 routes (10 active, 0 holddown, 744 hidden)

 

{master:0}

 

==================

 

My policy-statements are configured as follows:

 

===================

 

policy-statement BACKEND-EXPORT {

    term 10 {

        from {

            route-filter 10.8.254.0/24 exact;

            route-filter 10.8.253.0/24 exact;

            route-filter 10.8.252.0/24 exact;

        }

        then {

            metric 50;

            community add POP-CBR;

            next-hop self;

            accept;

        }

    }

    term default-reject {

        then reject;

    }

}

policy-statement BACKEND-IMPORT {

    term 10 {

        from {

            route-filter 10.5.0.0/16 orlonger;

            route-filter 10.23.0.0/16 orlonger;

        }

        then {

            preference 20;

            accept;

        }

    }

    term default-reject {

        then reject;

    }

}

 

========================

 

BGP is up and running:

 

========================

 

> show bgp neighbor 172.31.106.10 instance backend

 

Peer: 172.31.106.10+179 AS 4802 Local: 172.31.106.11+57352 AS 65514

  Description: eBGP link cisco1

  Type: External    State: Established    Flags: <Sync>

 Last State: OpenConfirm   Last Event: RecvKeepAlive

  Last Error: None

  Export: [ BACKEND-EXPORT ] Import: [ BACKEND-IMPORT ]

  Options: <Preference AuthKey LogUpDown AddressFamily PeerAS LocalAS Refresh>

  Authentication key is configured

  Address families configured: inet-unicast

  Holdtime: 90 Preference: 170 Local AS: 65514 Local System AS: 0

  Number of flaps: 0

  Peer ID: 203.215.20.250  Local ID: 172.31.106.11     Active Holdtime: 90

  Keepalive Interval: 30         Group index: 0    Peer index: 0

  BFD: disabled, down

  Local Interface: ae1.901

  NLRI for restart configured on peer: inet-unicast

  NLRI advertised by peer: inet-unicast

  NLRI for this session: inet-unicast

  Peer supports Refresh capability (2)

  Stale routes from peer are kept for: 300

  Restart time requested by this peer: 120

  NLRI that peer supports restart for: inet-unicast

  NLRI peer can save forwarding state: inet-unicast

  NLRI that restart is negotiated for: inet-unicast

  NLRI of received end-of-rib markers: inet-unicast

  NLRI of all end-of-rib markers sent: inet-unicast

  Peer does not support 4 byte AS extension

  Peer does not support Addpath

  Table backend.inet.0 Bit: 10000

    RIB State: BGP restart is complete

    RIB State: VPN restart is complete

    Send state: in sync

    Active prefixes:              0

    Received prefixes:            372

    Accepted prefixes:            0

    Suppressed due to damping:    0

    Advertised prefixes:          3

  Last traffic (seconds): Received 20   Sent 4    Checked 42

  Input messages:  Total 9561   Updates 114     Refreshes 1     Octets 186307

  Output messages: Total 9565   Updates 4       Refreshes 0     Octets 181951

  Output Queue[0]: 0

 

{master:0}

 

>ping routing-instance backend 172.31.106.10 detail

 

PING 172.31.106.10 (172.31.106.10): 56 data bytes

64 bytes from 172.31.106.10 via ae1.901: icmp_seq=0 ttl=255 time=1.219 ms

64 bytes from 172.31.106.10 via ae1.901: icmp_seq=1 ttl=255 time=0.992 ms

64 bytes from 172.31.106.10 via ae1.901: icmp_seq=2 ttl=255 time=1.319 ms

64 bytes from 172.31.106.10 via ae1.901: icmp_seq=3 ttl=255 time=1.073 ms

^C

--- 172.31.106.10 ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss

round-trip min/avg/max/stddev = 0.992/1.151/1.319/0.127 ms

 

> show route receive protocol bgp 172.31.106.10 all detail table backend.inet.0

 

backend.inet.0: 380 destinations, 754 routes (10 active, 0 holddown, 744 hidden)

  10.0.13.4/31 (2 entries, 0 announced)

     Nexthop: 172.31.106.10

     AS path: 4802 65513 ? (Looped: 4802)

 etc... for 744 hidden routes

 

> show route table backend.inet.0 hidden extensive

 

backend.inet.0: 380 destinations, 754 routes (10 active, 0 holddown, 744 hidden)

10.0.13.4/31 (2 entries, 0 announced)

         BGP                 /-101

                Next hop type: Router

                Address: 0x28d8fcc

                Next-hop reference count: 372

                Source: 172.31.106.12

                Next hop: 172.31.106.12 via ae2.903, selected

                Session Id: 0x7

                State: <Hidden Ext>

                Peer AS:  4802

                Age: 1d 22:13:05

                Validation State: unverified

                Task: BGP_4802_65514.172.31.106.12+179

                AS path: 4802 65513 ? (Looped: 4802)

                Localpref: 100

                Router ID: 203.215.20.249

         BGP                 /-101

                Next hop type: Router

                Address: 0x28d8d20

                Next-hop reference count: 372

                Source: 172.31.106.10

                Next hop: 172.31.106.10 via ae1.901, selected

                Session Id: 0x4

                State: <Hidden Ext>

                Peer AS:  4802

                Age: 3d 0:15:34

                Validation State: unverified

                Task: BGP_4802_65514.172.31.106.10+179

                AS path: 4802 65513 ? (Looped: 4802)

                Localpref: 100

                Router ID: 203.215.20.250

 etc... for 744 hidden routes

 

=======================================

 

Once again, many thanks for any help and guidance.

 

Conlan

Can you define your AS under instance "routing-options" and deactivate local-as under bgp

Morning Krasi.

 

Thanks for responding to my post. I have made the change as you suggested, but the routes are still hidden in the backend.inet.0 table. The configuration now looks as follows:

 

========================

> show configuration routing-instances:

backend {
instance-type virtual-router;

/*

/* rest of configuration as in original post */

/*

Protocols bgp {

bgp {
log-updown;
family inet {
unicast;
}
group AS65514 {
type external;
description "eBGP to cbr-tact-bdr for Backend;";
import BACKEND-IMPORT;
export BACKEND-EXPORT;
peer-as 4802;
local-as 65514;

/*

/*rest of configuration*/

 

================================

 

My didden 10.5.0.0 and 10.23.0.0 hidden routes are still looking as follows:

 

================================

>show route table backend.inet.0 extensive hidden 10.23.2.0

 

backend.inet.0: 381 destinations, 755 routes (11 active, 0 holddown, 744 hidden)
10.23.2.0/24 (2 entries, 0 announced)
BGP /-101
Next hop type: Router
Address: 0x28d8fcc
Next-hop reference count: 373
Source: 172.31.106.12
Next hop: 172.31.106.12 via ae2.903, selected
Session Id: 0x7
State: <Hidden Ext>
Peer AS: 4802
Age: 2d 19:48:03
Validation State: unverified
Task: BGP_4802_65514.172.31.106.12+179
AS path: 4802 65513 ? (Looped: 4802)
Localpref: 100
Router ID: 203.215.20.249
BGP /-101
Next hop type: Router, Next hop index: 1422
Address: 0x28d8d20
Next-hop reference count: 374
Source: 172.31.106.10
Next hop: 172.31.106.10 via ae1.901, selected
Session Id: 0x4
State: <Hidden Ext>
Peer AS: 4802
Age: 3d 21:50:32
Validation State: unverified
Task: BGP_4802_65514.172.31.106.10+179
AS path: 4802 65513 ? (Looped: 4802)
Localpref: 100
Router ID: 203.215.20.250

{master:0}
root@ihc-tact-core1>

 

=============================

 

The thing that is making me wonder is the AS path: 4802 65513 ? (Looped: 4802) part.

 

I do have an iBGP global configuration [AS4802] configured for public traffic, and I am now wondering if this has something to do with my issue. I did not originally suspect it would be part of the issue, as the globally configured iBGP it is working perfectly.

 

I wonder if the router believes there is a loop because it can see a globally configured iBGP peer on AS4802, and then an eBGP peer in the routing-instances backend configuration, also to AS4802... Is there enough seperation here at this level [routing-instance backend eBGP and global iBGP to AS4802]?

 

I am now wondering if changing the routing-instance backend into a virtual-router backend will not resolve my issue.

 

EDIT:

 

Reading your post now, I see you have also picked up on this Sohanpal.

AS_PATH loop detection is performed using both local-as and global-as. Please see:

 

https://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/local-as-edit-protocols-bgp.html

 

As long as a prefix has your AS in the path and you don't have the 'loops' statement in your routing-option autonomous-system , then the prefix will be rejected.

Hi mihaigabriel

 

 

Thanks for your time and link.

 

Will give it a read. Looks as if it might just be what I need 🙂

 

Okay. I just took a brief look. 

1- Why do you need internal and external BGP; who are the internal peers? You have only one device (VC) peering with two external device/peers. You have another AS 65513 but not showing where this AS is. Anyways you have 4802 defined as internal under protocols bgp but in the backend instance you have defined peering with 4802 as external with 65514. So the routes are in the master routing instance bgp rib which are exported to the 65513 and back to backend which also has 4208, hence the looped detection. The peer-as in the back end should be I am guessing 65513.

However, 65513 and 65514 are internal (like non routable Internal IP addresses).

So I think your AS is 4802 and you peer with the AS on the CISCO. What is the CISCO AS? It seems like a complicated set up which acan be simplified. I have to think it over, but I am hardpressed for time now. I think someone will get to it before I do.

Hi mihaigabriel

 

You were spot on. The URL you sent was the start of some research for me, and I have now solved the issue of my hidden routes, and have a better understanding of how Juniper works in this sort of scenario.

 

I must say the Juniper documentation I came accross is not very helpful, but I managed to figure it out in the end 🙂 It does nothing to help a person understand and learn about things, and mainly just the syntax required for a command.

 

Thanks for pointing me in the right direction 🙂

 

Regards.

Hi Conlan,

 

I believe thats due to import policy on this router which is accepting below prefixes and denyting everything else,

 

            route-filter 10.5.0.0/16 orlonger;

            route-filter 10.23.0.0/16 orlonger;

 

Can you provide us output of "show route protocol bgp hidden terse table BACKEND"?

In a second look, I noticed something which i missed in first instance,

 

AS path: 4802 65513 ? (Looped: 4802)

 

Is AS4802 configured as local-as under any routing-instance? What is Global AS?

Hi lyndidon.

 

Many thanks for the detailed response. I am in a position to disable the import policy and will post my results once I have done this.

 

I agree with the next hop being automatically changed with an eBGP peer, and is only there as a result of me inheriting this configuration recently.

 

Thanks for the heads up about the "accept" termination action on a next hop policy 🙂 I am not familiar with the Juniper policy coding and workings, but I am taking this opportunity to expand my knowledge and exposure to the Juniper world. Always good to learn something new.

 

Unfortunately, having inherited this whole configuration just recently, and being thrown into the deep end [no complaints my end, perfect opportunity to grow] , I am not sure of the reason for the metric 50 value.

 

My objectives for this configuration are folows:

 

My main objective is to understand how to get the '10.5.0.0/16 or longer' and '10.23.0.0/16 orlonger' prefixes "unhidden" in AS65514 routing table backend.inet.0, as well as understanding why they were hidden. The routing is easily fixed with static routes [done], but my main objective is to learn and get exposure to exactly this sort of thing on Juniper devices.

 

The public will access virtual machines via the public IP's on AS4802 [the iBGP peering with Cisco's], and the backend monitoring traffic between AS65513 and AS65514, using AS4802 as a transit AS [the eBGP peering between the Cisco's].

 

I have the virtual machines and AS4802 access and routing all in place and working [still to do a cleanup of the configuration of a few things, after I get the AS65514 hidden routes sorted out and a better understanding of what possible impact my changes can have].

 

I do have a question. What is the backend.mdt.0 table. I am about to google it now 🙂

 

More to follow.

 

Regards and many thanks for your time.

 

Conlan

 

EDIT:

 

I am more inclined to think that I need to change the routing-instance to a virtual router after more poking around. The output is clearly showing a loop with AS4802. There is not enough separation between the inet.0 table and the backend.inet.0 tables with the backend routing-instance. Maybe I should create the backend.inet.0 table under the routing-instance backend part of the configuration, and not the global part of the configuration?

 

I did remove the import policy on the backend routing instance, but this did not result in the routes being placed into the backend.inet.0 table. The routes are still reported as looped:

 

> show route receive-protocol bgp 172.31.106.12 all detail table backend.inet.0

 

backend.inet.0: 381 destinations, 755 routes (11 active, 0 holddown, 744 hidden)

 

10.5.16.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.19.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.22.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.42.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.44.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.45.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.46.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.240.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.250.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.251.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.252.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.253.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

etc...

 

Same for the 10.23.0.0/x routes in the backend routing-instance

 

=====================

 

As requested I have enclosed the outputs you have requested with a few comments on each.

 

> show bgp group

Group Type: External Local AS: 65514
Name: AS65514 Index: 0 Flags: <>
Export: [ BACKEND-EXPORT ]
Options: <LocalAS>
Holdtime: 0 Local AS: 65514 Local System AS: 0
Total peers: 2 Established: 2
172.31.106.10+179
172.31.106.12+179
backend.inet.0: 0/744/0/0

 

Group Type: Internal AS: 4802 Local AS: 4802
Name: AS4802 Index: 1 Flags: <>
Export: [ BORDER-EXPORT ]
Options: <LocalAS>
Holdtime: 0 Local AS: 4802 Local System AS: 0
Total peers: 2 Established: 2
203.215.12.255+47887
203.215.12.254+179
inet.0: 1/2/2/0

Groups: 2 Peers: 4 External: 2 Internal: 2 Down peers: 0 Flaps: 1
Table Tot Paths Act Paths Suppressed History Damp State Pending
backend.inet.0
744 0 0 0 0 0
backend.mdt.0
0 0 0 0 0 0
inet.0
2 1 0 0 0 0

 

{master:0}

 

=======================

 

> show route protocol bgp

 

inet.0: 212 destinations, 213 routes (212 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

 

0.0.0.0/0 *[BGP/170] 6d 02:30:56, MED 0, localpref 100, from 203.215.12.254
AS path: I, validation-state: unverified
> to 203.215.12.10 via ae2.902
[BGP/170] 6d 02:39:12, MED 0, localpref 100, from 203.215.12.255
AS path: I, validation-state: unverified
> to 203.215.12.8 via ae1.902

backend.inet.0: 381 destinations, 755 routes (11 active, 0 holddown, 744 hidden)

{master:0}

 

Default route originated by the Cisco BGP router, this is exactly what I need for the inet.0 table, so very happy with this 🙂 All otherroutes blocked by the BORDER-IMPORT policy.

 

======================

 

> show configuration routing-options

 

rib-groups {
backend {
import-rib backend.inet.0;
}
inet {
import-rib inet.0;
}
}

 

====================

 

> show configuration protocols bgp

 

log-updown;
family inet {
unicast {
rib-group inet inet;
}
}
local-as 4802;
group AS4802 {
type internal;
description "iBGP to Cisco1 and Cisco2";
local-address 203.215.12.250;
import BORDER-IMPORT;
export BORDER-EXPORT;
peer-as 4802;
neighbor 203.215.12.255 {
description "iBGP to Cisco1";
authentication-key "xxxx"; ## SECRET-DATA
}
neighbor 203.215.12.254 {
description "iBGP link to Cisco2";
authentication-key "xxxx"; ## SECRET-DATA
}
}

{master:0}

 

 

==========================

 

> show bgp neighbor 172.31.106.12 instance backend

 

Peer: 172.31.106.12+179 AS 4802 Local: 172.31.106.13+64789 AS 65514
Description: eBGP link to Cisco2
Type: External State: Established Flags: <Sync>
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Export: [ BACKEND-EXPORT ] Import: [ BACKEND-IMPORT ]
Options: <Preference AuthKey LogUpDown AddressFamily PeerAS LocalAS Refresh>
Authentication key is configured
Address families configured: inet-unicast
Holdtime: 90 Preference: 170 Local AS: 65514 Local System AS: 0
Number of flaps: 0
Peer ID: 203.215.20.249 Local ID: 172.31.106.11 Active Holdtime: 90
Keepalive Interval: 30 Group index: 0 Peer index: 1
BFD: disabled, down
Local Interface: ae2.903
NLRI for restart configured on peer: inet-unicast
NLRI advertised by peer: inet-unicast
NLRI for this session: inet-unicast
Peer supports Refresh capability (2)
Stale routes from peer are kept for: 300
Restart time requested by this peer: 120
NLRI that peer supports restart for: inet-unicast
NLRI peer can save forwarding state: inet-unicast
NLRI that restart is negotiated for: inet-unicast
NLRI of received end-of-rib markers: inet-unicast
NLRI of all end-of-rib markers sent: inet-unicast
Peer does not support 4 byte AS extension
Peer does not support Addpath
Table backend.inet.0 Bit: 10000
RIB State: BGP restart is complete
RIB State: VPN restart is complete
Send state: in sync
Active prefixes: 0
Received prefixes: 372
Accepted prefixes: 0
Suppressed due to damping: 0
Advertised prefixes: 3
Last traffic (seconds): Received 14 Sent 27 Checked 35
Input messages: Total 19082 Updates 208 Refreshes 0 Octets 372217
Output messages: Total 19082 Updates 10 Refreshes 0 Octets 362931
Output Queue[0]: 0

{master:0}

==================================

 

> show route receive-protocol bgp 172.31.106.12 all detail table backend.inet.0

 

backend.inet.0: 381 destinations, 755 routes (11 active, 0 holddown, 744 hidden)

 

10.5.16.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.19.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.22.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.42.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.44.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.45.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.46.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.240.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.250.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.251.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.252.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

 

10.5.253.0/24 (2 entries, 0 announced)
Nexthop: 172.31.106.12
AS path: 4802 65513 ? (Looped: 4802)

etc...

 

Same for all the 10.23.0.0/x routes

Probably the key is here?


AS path: 4802 65513 ? (Looped: 4802)