vSRX

Unable to advertise connected routes in BGP

‎04-16-2019 03:56 PM

Good afternoon,

I have a VSRX in AWS. It works quite well for the most part, but I am unable to advertise connected routes to some BGP neighbors.

 

Specifically, I have a few interfaces with addresses in 10.132.0.0/16:

ec2-user@VSRX2> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
...
ge-0/0/0.0              up    up   inet     10.132.0.52/28
ge-0/0/1.0              up    up   inet     10.132.0.85/28
...
fxp0.0                  up    up   inet     10.132.0.22/28
...

I have a prefix list containing 10.132.0.0/16, and a routing policy that should accept that:

prefix-list TRANSIT-VPC {
    10.132.0.0/16;
}

policy-statement TRANSIT-VPC-NETS {
    term accept {
        from {
            prefix-list-filter TRANSIT-VPC longer;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}

 

This policy is applied to BGP neighbors:

neighbor 169.254.15.237 {
    description "Corporate VPC #1";
    hold-time 30;
    import CORPORATE-VPC;
    export [ CORIOS-NETS-PREPEND TRANSIT-VPC-NETS ];
    peer-as 64512;
    local-as 65000;
}
neighbor 169.254.15.85 {
    description "Corporate VPC #2";
    hold-time 30;
    import CORPORATE-VPC;
    export [ CORIOS-NETS-PREPEND TRANSIT-VPC-NETS ];
    peer-as 64512;
    local-as 65000;
}

 

But when I check the routes being advertised to the peers, I do not see my 10.132 networks:

ec2-user@VSRX2> show route protocol bgp advertising-protocol bgp 169.254.15.237

inet.0: 73 destinations, 80 routes (73 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 10.1.10.0/24 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.0/24 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.50/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.51/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.53/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.55/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.56/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.62/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.63/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.65/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.66/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.68/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.69/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.70/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.71/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.73/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.77/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.79/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.81/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.84/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.86/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.88/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.92/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.95/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.102/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.104/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.118/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.122/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.126/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.132/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.145/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.146/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.147/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.148/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.149/32 Self 1 1 1 1 [65000] 64513 I

 

Thanks in advance for your help.

 


Re: Unable to advertise connected routes in BGP

‎04-16-2019 05:18 PM
To advertise the 10.132.0.0/16 prefix, the routing table should have the exact same prefix as an active route.
show route 10.132.0.0/16 exact
In this case, it does not have a /16 prefix in the routing table but other /28 prefixes. To advertise 10.132.0.0/16, you can create an aggregate route or match each of the /28 prefixes in the prefix list.
set routing-options aggregate route 10.132.0.0/16

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: Unable to advertise connected routes in BGP

‎04-16-2019 06:27 PM

Hi Dramage,

 

I did some testing.

On this device I configured the /16 on the lo0 interface:

{master:0}[edit]
root@SW1# show interfaces lo0                             
unit 0 {
    family inet {
        address 1.1.1.1/32;
        address 1.2.1.1/16;
    }

Then I advertised the route with a policy with a route filter (it should work the same with the prefix list):

root@SW1# show policy-options 
policy-statement test {
    from {
        route-filter 1.2.0.0/16 longer;
    }
    then accept;
}
root@SW1# show protocols bgp 
group TEST {
    export test;
    neighbor 10.10.31.93 {
        peer-as 11111;
    }
}

Note that I used "longer" as you did. Let's see the BGP peer's routing table:

root@SW2# run show route 1.2/16    

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.2.1.1/32         *[BGP/170] 00:07:18, localpref 100
                      AS path: 22222 I, validation-state: unverified
                    > to 10.10.31.92 via et-0/0/53.10

Now I am going to change the policy on the first one to "orlonger", meaning /16 and anything longer:

{master:0}[edit policy-options]
root@SW1# show 
policy-statement test {
    from {
        route-filter 1.2.0.0/16 orlonger;
    }
    then accept;
}

Now let us look at the peer table:

{master:0}[edit]
root@SW2# run show route 1.2/16    

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.2.0.0/16         *[BGP/170] 00:00:02, localpref 100
                      AS path: 22222 I, validation-state: unverified
                    > to 10.10.31.92 via et-0/0/53.10
1.2.1.1/32         *[BGP/170] 00:09:36, localpref 100
                      AS path: 22222 I, validation-state: unverified
                    > to 10.10.31.92 via et-0/0/53.10

You can try that. You can also see the routes like this:

SW1:

{master:0}[edit policy-options]
root@SW1# run show route advertising-protocol bgp 10.10.31.93  <----------neighbor

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 1.2.0.0/16              Self                                    I
* 1.2.1.1/32              Self                                    I

SW2:

root@SW2# run show route receive-protocol bgp 10.10.31.92 

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 1.2.0.0/16              10.10.31.92                             22222 I
* 1.2.1.1/32              10.10.31.92                             22222 I

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

 

That should do it. Hope it helps!

 


Re: Unable to advertise connected routes in BGP

‎04-16-2019 09:40 PM

Hello,

 


@dramage wrote:

<skip>

 

neighbor 169.254.15.237 {
    description "Corporate VPC #1";
    hold-time 30;
    import CORPORATE-VPC;
    export [ CORIOS-NETS-PREPEND TRANSIT-VPC-NETS ];
    peer-as 64512;
    local-as 65000;
}
neighbor 169.254.15.85 {
    description "Corporate VPC #2";
    hold-time 30;
    import CORPORATE-VPC;
    export [ CORIOS-NETS-PREPEND TRANSIT-VPC-NETS ];
    peer-as 64512;
    local-as 65000;
}

 

<skip>

 

 

Please show us Your policy CORIOS-NETS-PREPEND.

If it matches 10.132/16 subnets, then they won't get processed by TRANSIT-VPC-NETS policy.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements


Re: Unable to advertise connected routes in BGP

‎04-17-2019 10:11 AM

Hi Alex,

The routing policy doesn't reference 10.132.0.0/16, but it does have 10.132.3.0/24 in it:

ec2-user@VSRX2> show configuration policy-options policy-statement CORIOS-NETS-PREPEND
term accept {
    from {
        prefix-list-filter CORIOS-NETS orlonger;
    }
    then {
        as-path-prepend "1 1 1 1";
        accept;
    }
}
term accept-no-prepend {
    from {
        route-filter 10.132.3.0/24 exact;
    }
    then accept;
}
term reject {
    then reject;
}


Re: Unable to advertise connected routes in BGP

‎04-17-2019 10:27 AM
Remove term reject from the CORIOS-NETS-PREPEND policy, which is blocking the advertisement.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: Unable to advertise connected routes in BGP

‎04-17-2019 10:34 AM

Hello,

 


@dramage wrote:

 

ec2-user@VSRX2> show configuration policy-options policy-statement CORIOS-NETS-PREPEND
<skip>
term reject {
    then reject;
}


 

The above "term reject" matches EVERYTHING not matched above and completely blocks Your 2nd policy from being evaluated.

Please remove "term reject" from policy CORIOS-NETS-PREPEND and You should be golden.

HTH

Thx

Alex

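The policy-chain behaviour discussed in this thread (the catch-all "term reject" in CORIOS-NETS-PREPEND ending evaluation before TRANSIT-VPC-NETS is reached, and "longer" versus "orlonger" for the /16 itself), modelled as an added Python example that is not code from any of the posters or from Junos. The content of the CORIOS-NETS prefix-list is an assumption, and only terminating accept/reject actions are modelled.

```python
import ipaddress

def matches(route, prefix, match_type):
    """Subset of Junos route-filter / prefix-list-filter match types."""
    r, p = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    if not r.subnet_of(p):
        return False
    return {"exact": r.prefixlen == p.prefixlen,
            "longer": r.prefixlen > p.prefixlen,
            "orlonger": True}[match_type]

def evaluate_chain(route, chain, default="reject"):
    """First term whose 'from' matches decides; a term with no 'from' matches all.
    default models BGP's default export action for a direct (non-BGP) route."""
    for policy, terms in chain:
        for term, filters, action in terms:
            if not filters or any(matches(route, p, m) for p, m in filters):
                return action, policy, term
    return default, "default", None

CORIOS_NETS = "10.1.0.0/16"  # assumption: the thread never shows this prefix-list

PREPEND = ("CORIOS-NETS-PREPEND", [
    ("accept", [(CORIOS_NETS, "orlonger")], "accept"),   # as-path-prepend not modelled
    ("accept-no-prepend", [("10.132.3.0/24", "exact")], "accept"),
    ("reject", [], "reject"),                            # catch-all: no 'from' clause
])
TRANSIT = ("TRANSIT-VPC-NETS", [
    ("accept", [("10.132.0.0/16", "longer")], "accept"),
    ("reject", [], "reject"),
])
# The first policy with its catch-all term removed, as the replies suggest.
PREPEND_FIXED = (PREPEND[0], PREPEND[1][:-1])

def demo():
    route = "10.132.0.48/28"  # connected subnet of ge-0/0/0.0 in the question
    return {
        "original": evaluate_chain(route, [PREPEND, TRANSIT]),
        "fixed": evaluate_chain(route, [PREPEND_FIXED, TRANSIT]),
        "/16 with longer": matches("10.132.0.0/16", "10.132.0.0/16", "longer"),
        "/16 with orlonger": matches("10.132.0.0/16", "10.132.0.0/16", "orlonger"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```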

Re: Unable to advertise connected routes in BGP

‎04-17-2019 10:51 AM
That's true, the reject is blocking all the other advertisements. You will probably need to do both things if you want to advertise the x.x.0.0/16, because "longer" is greater than, not equal or greater.

Re: Unable to advertise connected routes in BGP

‎04-17-2019 11:37 AM

I've pared things down a little bit; we only have one export policy on the BGP neighbor now:

 

ec2-user@VSRX2> show configuration protocols bgp group aws neighbor 169.254.15.237
description "Corporate VPC #1";
hold-time 30;
import CORPORATE-VPC;
export CORIOS-NETS-PREPEND;
peer-as 64512;
local-as 65000;

 

The CORIOS-NETS-PREPEND routing policy looks like this:

 

term accept {
    from {
        prefix-list-filter CORIOS-NETS orlonger;
    }
    then {
        as-path-prepend "1 1 1 1";
        accept;
    }
}
term transit-nets {
    from {
        route-filter 10.132.0.48/28 exact;
    }
    then accept;
}

 

I'm now seeing some other nets being advertised, but 10.132.0.48/28:

 

ec2-user@VSRX2> show route protocol bgp advertising-protocol bgp 169.254.15.237

inet.0: 78 destinations, 85 routes (78 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 10.1.10.0/24 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.0/24 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.50/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.51/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.53/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.55/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.56/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.62/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.63/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.65/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.66/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.67/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.68/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.69/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.70/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.71/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.72/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.73/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.75/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.76/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.77/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.78/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.79/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.81/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.84/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.86/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.88/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.92/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.102/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.104/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.118/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.122/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.126/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.132/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.139/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.143/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.145/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.147/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.148/32 Self 1 1 1 1 [65000] 64513 I
* 10.1.11.149/32 Self 1 1 1 1 [65000] 64513 I
* 10.50.0.0/24 Self 1 1 1 1 64512 I
* 10.129.0.0/16 Self 1 1 1 1 64512 I

Solution
Accepted by topic author dramage
‎04-17-2019 12:32 PM

Re: Unable to advertise connected routes in BGP

‎04-17-2019 11:56 AM
10.132.0.48/28 is a direct route. So just modify your show command by removing " protocol bgp"

show route advertising-protocol bgp 169.254.15.237

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: Unable to advertise connected routes in BGP

‎04-17-2019 12:32 PM

I think this was my problem all along.  I see the route now.  Thank you for your assistance.