Routing

bgp peering between routing-instance

‎08-20-2019 10:37 AM

Hi there, I have the following scenario:
2 physical routers named A and B.
For each router I created 1 routing-instance as per the following:

A-vSPINE -> Router A routing-instance vSPINE
B-vLEAF -> Router B routing-instance vLEAF

Naming convention
A-GRT -> Router A Global Routing Table, master
A-vSPINE -> Router A routing-instance vSPINE
B-GRT -> Router B Global Routing Table, master
B-vLEAF -> Router B routing-instance vLEAF


Target: from router A-vSPINE I want to create 2 BGP sessions

- router A-vSPINE to router B-GRT
- router A-vSPINE to router B-vLEAF

[image: juniper.jpg]

IP:
A-GRT -> 10.93.102.64/31 (network 10.93.102.64/31)
A-vSPINE -> 10.93.102.66/31 (network 10.93.102.66/31)
B-GRT -> 10.93.102.65/31 (network 10.93.102.64/31)
B-vLEAF -> 10.93.102.67/31 (network 10.93.102.66/31)

Routing table of router A-vSPINE (import from master to vSPINE and vice versa done)

To B-GRT

Router-A> show route 10.93.102.65

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.93.102.64/31 *[Direct/0] 08:09:46
> via irb.608

vSPINE.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.93.102.64/31 *[Direct/0/-251] 03:24:38
> via irb.608


To B-vLEAF
Router-A> show route 10.93.102.67

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.93.102.66/31 *[Direct/0/-251] 01:20:19
> via irb.609

vSPINE.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.93.102.66/31 *[Direct/0] 07:39:21
> via irb.609


Same on router-B (import from master to vSPINE and vice versa done)

Router-B> show route 10.93.102.66

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.93.102.66/31 *[Direct/0/-251] 03:17:19
> via irb.609

vLEAF.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.93.102.66/31 *[Direct/0] 07:40:08
> via irb.609


Test

I can ping all needed IPs from router A and B and from master and routing-instance

Router-A> ping 10.93.102.65
PING 10.93.102.65 (10.93.102.65): 56 data bytes
64 bytes from 10.93.102.65: icmp_seq=0 ttl=64 time=1.060 ms
64 bytes from 10.93.102.65: icmp_seq=1 ttl=64 time=1.115 ms
^C
--- 10.93.102.65 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.060/1.087/1.115/0.028 ms

{master:0}

Router-A> ping 10.93.102.65 routing-instance vSPINE
PING 10.93.102.65 (10.93.102.65): 56 data bytes
64 bytes from 10.93.102.65: icmp_seq=0 ttl=64 time=1.385 ms
64 bytes from 10.93.102.65: icmp_seq=1 ttl=64 time=1.043 ms
^C
--- 10.93.102.65 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.043/1.214/1.385/0.171 ms

{master:0}
Router-A>

Problem

Router-A> show bgp summary
Groups: 2 Peers: 2 Down peers: 1
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.93.102.65 65201 0 0 0 0 40:07 Active
10.93.102.67 65202 91 91 0 0 39:51 Establ
vSPINE.inet.0: 0/0/0/0

Error

task_connect: task BGP_65201_65210.10.93.102.65+179 addr 10.93.102.65+179: No route to host
BGP_CONNECT_FAILED: bgp_connect_start: connect 10.93.102.65 (External AS 65201): No route to host

Question:

What should I check further? The routing tables are clean.

 

Thanks.


Re: bgp peering between routing-instance

‎08-20-2019 12:34 PM

Please check if there is a firewall filter configured on the loopback on B-GRT which is dropping the BGP packets (TCP port 179). Please take a tcpdump on irb.608 on B-GRT and confirm whether the BGP packets are making it up to this irb:

monitor traffic interface irb.608 no-resolve matching "port 179" detail

Re: bgp peering between routing-instance

‎08-20-2019 12:54 PM

Hi, thank you for your input.

No filter applied.

Monitor might be an option, yes; I will try once back in the lab.

Re: bgp peering between routing-instance

‎08-20-2019 01:57 PM

If you don't see BGP packets in tcpdump, that means the BGP packets are not making it to the Host/RE.

In that case try to apply a firewall filter and see whether the packets are making it to the PFE or not. You can use a firewall filter like the one below:

set firewall family inet filter test interface-specific
set firewall family inet filter test term bgp-in from address 10.93.102.65/32
set firewall family inet filter test term bgp-in from protocol tcp
set firewall family inet filter test term bgp-in from port bgp
set firewall family inet filter test term bgp-in then syslog
set firewall family inet filter test term bgp-in then log
set firewall family inet filter test term bgp-in then count bgp-in-count
set firewall family inet filter test term bgp-in then accept
set firewall family inet filter test term bgp-out from address 10.93.102.65/32
set firewall family inet filter test term bgp-out from protocol tcp
set firewall family inet filter test term bgp-out from port bgp
set firewall family inet filter test term bgp-out then syslog
set firewall family inet filter test term bgp-out then log
set firewall family inet filter test term bgp-out then count bgp-out-count
set firewall family inet filter test term bgp-out then accept
set firewall family inet filter test term default then accept

set interfaces irb.608 family inet filter input test
set interfaces irb.608 family inet filter output test


show firewall log
show firewall << for counter and countername
show firewall counter <countername>


Re: bgp peering between routing-instance

‎08-20-2019 02:07 PM

Hello,

Can you please provide your BGP configuration. Do you have 10.93.102.65 defined under the main instance?

Thanks !

Re: bgp peering between routing-instance

‎08-21-2019 02:32 AM

The filter cannot be applied.

show configuration firewall family inet filter test
interface-specific;
term bgp-in {
    from {
        ##
        ## Warning: configuration block ignored: unsupported platform (qfx5200-32c-32q)
        ##
        address {
            10.93.102.65/32;
        }
        protocol tcp;
        ##
        ## Warning: value port ignored: unsupported platform (qfx5200-32c-32q)
        ##
        port bgp;
    }
    then {
        count bgp-in-count;
        log;
        syslog;
        accept;
    }
}

 

BGP Config


-------------------------ROUTER B-----------------------
Router-B>show configuration protocols bgp group ls-210

type external;
local-address 10.93.102.65;
family inet {
    unicast;
}
peer-as 65210;
local-as 65201;
neighbor 10.93.102.66;

 

-------------------------------ROUTER A ----------------------------------------------------
Router-A> show configuration routing-instances vSPINE protocols bgp group sl-201
type external;
local-address 10.93.102.66;
family inet {
    unicast;
}
peer-as 65201;
local-as 65210;
neighbor 10.93.102.65;

 

--------------------------Routing table on Router-A

 

Router-A> show route 10.93.102.65 extensive

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
10.93.102.64/31 (1 entry, 1 announced)
*Direct Preference: 0
Next hop type: Interface, Next hop index: 0
Address: 0xb622210
Next-hop reference count: 2
Next hop: via irb.608, selected
State: <Active Int>
Age: 1d 0:16:22
Validation State: unverified
Task: IF
Announcement bits (1): 1-rt-export
AS path: I

 

vSPINE.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)

10.93.102.64/31 (1 entry, 1 announced)
TSI:
KRT in-kernel 10.93.102.64/31 -> {Table}
*Direct Preference: 0/-251
Next hop type: Interface, Next hop index: 0
Address: 0xb622210
Next-hop reference count: 2
Next hop: via irb.608, selected
State: <Secondary Active Int>
Age: 19:31:14
Validation State: unverified
Task: IF
Announcement bits (1): 0-KRT
AS path: I
Primary Routing Table inet.0

 

-----------------------Routing table router-B

 

Rouetr-B> show route 10.93.102.66 detail

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
10.93.102.66/31 (1 entry, 1 announced)
*Direct Preference: 0/-251
Next hop type: Interface, Next hop index: 0
Address: 0xc2bd270
Next-hop reference count: 2
Next hop: via irb.609, selected
State: <Secondary Active Int>
Age: 19:30:13
Validation State: unverified
Task: IF
Announcement bits (1): 0-KRT
AS path: I

 

Primary Routing Table vLEAF.inet.0

vLEAF.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)

10.93.102.66/31 (1 entry, 1 announced)
*Direct Preference: 0
Next hop type: Interface, Next hop index: 0
Address: 0xc2bd270
Next-hop reference count: 2
Next hop: via irb.609, selected
State: <Active Int>
Age: 23:53:02
Validation State: unverified
Task: IF
Announcement bits (1): 1-rt-export
AS path: I

 

----------------------IP schema

10.93.102.66 -> RouterA routing-instance vSPINE

10.93.102.65 -> RouterB routing-instance master

 

In my opinion the problem here is the way the router is managing the BGP session between different routing-instances.

Filter and BGP do not play any role here.


Re: bgp peering between routing-instance

‎08-21-2019 04:52 AM

Hi FabNewCert,

 

The filter-match conditions "from address" and "from port" are invalid for this platform.  You can use these instead:

 

from source-address ....

from destination-address

Or

from source-port

from destination-port

 

Example:

root@#QFX5200#show firewall family inet filter test
interface-specific;
term 1 {
    from {
        source-address {
            1.1.1.1/32;
        }
        protocol tcp;
        source-port 179;
    }
    then accept;
}

 

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
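
The diagnostic filter from the earlier reply, rewritten with the match conditions this reply lists as valid on the QFX5200 (an added example, not posted by any participant in the thread). The filter, term and counter names are made up here, and it assumes the filter is applied inbound on Router A's irb.608, facing peer 10.93.102.65.

```junos
# Added example, constructed for illustration. The names bgp-trace,
# peer-initiated, peer-reply and the two counter names are assumptions;
# the peer address and interface are the ones used in this thread.
set firewall family inet filter bgp-trace interface-specific

# The peer opened the TCP session: its packets arrive with destination port 179.
set firewall family inet filter bgp-trace term peer-initiated from source-address 10.93.102.65/32
set firewall family inet filter bgp-trace term peer-initiated from protocol tcp
set firewall family inet filter bgp-trace term peer-initiated from destination-port bgp
set firewall family inet filter bgp-trace term peer-initiated then count bgp-peer-initiated
set firewall family inet filter bgp-trace term peer-initiated then accept

# The local router opened the TCP session: the peer's replies arrive with source port 179.
set firewall family inet filter bgp-trace term peer-reply from source-address 10.93.102.65/32
set firewall family inet filter bgp-trace term peer-reply from protocol tcp
set firewall family inet filter bgp-trace term peer-reply from source-port bgp
set firewall family inet filter bgp-trace term peer-reply then count bgp-peer-reply
set firewall family inet filter bgp-trace term peer-reply then accept

# Everything else passes untouched so the filter only observes traffic.
set firewall family inet filter bgp-trace term default then accept

set interfaces irb.608 family inet filter input bgp-trace
```

After a few connection attempts, `show firewall` shows which of the two counters, if either, is incrementing.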


Re: bgp peering between routing-instance

‎08-21-2019 07:15 AM

Peer 10.93.102.65 is directly connected to irb.608; the main routing-instance is inet.0.
Now your BGP is in routing-instance vSPINE. vSPINE has the direct route from route leaking (rib-group, I guess).

I am pretty sure if you move peer 10.93.102.65 to the global instance, it can come up?


Mengzhe Hu
JNCIE x 3 (SP DC ENT)
Solution
Accepted by topic author FabNewCert
4 weeks ago

Re: bgp peering between routing-instance

‎08-21-2019 07:21 AM

Discussed internally on this:

That's expected.
The interface has to be in the VRF itself (not via route leaking).

You may need to change the way you want to design this. Move the irb to the routing-instance itself. If needed, do route-leaking in the other direction as well: vSPINE.inet.0 -> inet.0.

Let me see if I can find any public document on it.


Mengzhe Hu
JNCIE x 3 (SP DC ENT)

Re: bgp peering between routing-instance

a month ago

Hello Mengzhe Hu,

Correct, the problem here has nothing to do with the filter or whatever. It looks to me that it is basically not possible to create a BGP session between different routing-instances between 2 different devices, but I am wondering about it.

In a few words, I want to reach the below:

[image: JuniperForum.jpg]

The problem is with BGP session number 3.

For both router A and B the route-leaking between the 2 routing-instances, aka master and vSPINE (routerB), is done via a simple import policy that works, as shown in my routing table above, in both directions.

Same for route-leaking between the 2 routing-instances, aka master and vLEAF (routerA), in both directions.

It is impossible to find specific documentation for this specific case, but something weird is happening here.

Thanks for your time; if you have more input, please share.