bgp peering between routing-instance

  • 1.  bgp peering between routing-instance

    Posted 08-20-2019 10:38

    Hi there, I have the following scenario:
    2 physical routers named A and B.
    For each router I created 1 routing-instance as per the following:

    A-vSPINE -> Router A routing-instance vSPINE
    B-vLEAF -> Router B routing-instance vLEAF

    Naming convention
    A-GRT -> Router A Global Routing Table, master
    A-vSPINE -> Router A routing-instance vSPINE
    B-GRT -> Router B Global Routing Table, master
    B-vLEAF -> Router B routing-instance vLEAF


    Target: from router A-vSPINE I want to create 2 BGP sessions

    - router A-vSPINE to router B-GRT
    - router A-vSPINE to router B-vLEAF

    [Attached image: juniper.jpg]
    IP:
    A-GRT -> 10.93.102.64/31 (network 10.93.102.64/31)
    A-vSPINE -> 10.93.102.66/31 (network 10.93.102.66/31)
    B-GRT -> 10.93.102.65/31 (network 10.93.102.64/31)
    B-vLEAF -> 10.93.102.67/31 (network 10.93.102.66/31)

    Routing table of router A-vSPINE (import from master to vSPINE and vice versa done)

    To B-GRT

    Router-A> show route 10.93.102.65

    inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.93.102.64/31 *[Direct/0] 08:09:46
    > via irb.608

    vSPINE.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.93.102.64/31 *[Direct/0/-251] 03:24:38
    > via irb.608


    To B-vLEAF
    Router-A> show route 10.93.102.67

    inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.93.102.66/31 *[Direct/0/-251] 01:20:19
    > via irb.609

    vSPINE.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.93.102.66/31 *[Direct/0] 07:39:21
    > via irb.609


    Same on router-B (import from master to vSPINE and vice versa done)

    Router-B> show route 10.93.102.66

    inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.93.102.66/31 *[Direct/0/-251] 03:17:19
    > via irb.609

    vLEAF.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.93.102.66/31 *[Direct/0] 07:40:08
    > via irb.609


    Test

    I can ping all needed IPs from router A and B and from master and routing-instance

    Router-A> ping 10.93.102.65
    PING 10.93.102.65 (10.93.102.65): 56 data bytes
    64 bytes from 10.93.102.65: icmp_seq=0 ttl=64 time=1.060 ms
    64 bytes from 10.93.102.65: icmp_seq=1 ttl=64 time=1.115 ms
    ^C
    --- 10.93.102.65 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.060/1.087/1.115/0.028 ms

    {master:0}

    Router-A> ping 10.93.102.65 routing-instance vSPINE
    PING 10.93.102.65 (10.93.102.65): 56 data bytes
    64 bytes from 10.93.102.65: icmp_seq=0 ttl=64 time=1.385 ms
    64 bytes from 10.93.102.65: icmp_seq=1 ttl=64 time=1.043 ms
    ^C
    --- 10.93.102.65 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.043/1.214/1.385/0.171 ms

    {master:0}
    Router-A>

    Problem

    Router-A> show bgp summary
    Groups: 2 Peers: 2 Down peers: 1
    Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
    10.93.102.65 65201 0 0 0 0 40:07 Active
    10.93.102.67 65202 91 91 0 0 39:51 Establ
    vSPINE.inet.0: 0/0/0/0

    Error

    task_connect: task BGP_65201_65210.10.93.102.65+179 addr 10.93.102.65+179: No route to host
    BGP_CONNECT_FAILED: bgp_connect_start: connect 10.93.102.65 (External AS 65201): No route to host

     

     

    Question:

    What should I check further? The routing tables are clean.

     

    Thanks.



  • 2.  RE: bgp peering between routing-instance

     
    Posted 08-20-2019 12:34
    Please check if there is a firewall filter on loopback configured on B-GRT which is dropping the BGP packets (TCP port 179). Please take a tcpdump on irb.608 on B-GRT and confirm whether the BGP packets are making it up to this irb:

    monitor traffic interface irb.608 no-resolve matching "port 179" detail


  • 3.  RE: bgp peering between routing-instance

    Posted 08-20-2019 12:55

    Hi, thank you for your input.

    No filter applied.

    Monitor might be an option, yes; I will try once I am back in the lab.

     

     



  • 4.  RE: bgp peering between routing-instance

     
    Posted 08-20-2019 13:58

    If you don't see BGP packets in tcpdump, that means BGP packets are not making it to the Host/RE.

    In that case try to apply a firewall filter and see if the packets are making it to the PFE or not. You can use a firewall filter like the one below:

     

    set firewall family inet filter test interface-specific
    set firewall family inet filter test term bgp-in from address 10.93.102.65/32
    set firewall family inet filter test term bgp-in from protocol tcp
    set firewall family inet filter test term bgp-in from port bgp
    set firewall family inet filter test term bgp-in then syslog
    set firewall family inet filter test term bgp-in then log
    set firewall family inet filter test term bgp-in then count bgp-in-count
    set firewall family inet filter test term bgp-in then accept
    set firewall family inet filter test term bgp-out from address 10.93.102.65/32
    set firewall family inet filter test term bgp-out from protocol tcp
    set firewall family inet filter test term bgp-out from port bgp
    set firewall family inet filter test term bgp-out then syslog
    set firewall family inet filter test term bgp-out then log
    set firewall family inet filter test term bgp-out then count bgp-out-count
    set firewall family inet filter test term bgp-out then accept
    set firewall family inet filter test term default then accept

    set interfaces irb.608 family inet filter input test
    set interfaces irb.608 family inet filter output test


    show firewall log
    show firewall << for counter and countername
    show firewall counter <countername>



  • 5.  RE: bgp peering between routing-instance

     
    Posted 08-20-2019 14:08

    Hello,

    Can you please provide your BGP configuration? Do you have 10.93.102.65 defined under the main instance?

    Thanks !



  • 6.  RE: bgp peering between routing-instance

    Posted 08-21-2019 02:32

    The filter cannot be applied

     

    show configuration firewall family inet filter test
    interface-specific;
    term bgp-in {
        from {
            ##
            ## Warning: configuration block ignored: unsupported platform (qfx5200-32c-32q)
            ##
            address {
                10.93.102.65/32;
            }
            protocol tcp;
            ##
            ## Warning: value port ignored: unsupported platform (qfx5200-32c-32q)
            ##
            port bgp;
        }
        then {
            count bgp-in-count;
            log;
            syslog;
            accept;
        }
    }

     

    BGP Config


    -------------------------ROUTER B-----------------------
    Router-B> show configuration protocols bgp group ls-210

    type external;
    local-address 10.93.102.65;
    family inet {
        unicast;
    }
    peer-as 65210;
    local-as 65201;
    neighbor 10.93.102.66;

     

    -------------------------------ROUTER A ----------------------------------------------------
    Router-A> show configuration routing-instances vSPINE protocols bgp group sl-201
    type external;
    local-address 10.93.102.66;
    family inet {
        unicast;
    }
    peer-as 65201;
    local-as 65210;
    neighbor 10.93.102.65;

     

    --------------------------Routing table on Router-A

     

    Router-A> show route 10.93.102.65 extensive

    inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    10.93.102.64/31 (1 entry, 1 announced)
    *Direct Preference: 0
    Next hop type: Interface, Next hop index: 0
    Address: 0xb622210
    Next-hop reference count: 2
    Next hop: via irb.608, selected
    State: <Active Int>
    Age: 1d 0:16:22
    Validation State: unverified
    Task: IF
    Announcement bits (1): 1-rt-export
    AS path: I

     

    vSPINE.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)

    10.93.102.64/31 (1 entry, 1 announced)
    TSI:
    KRT in-kernel 10.93.102.64/31 -> {Table}
    *Direct Preference: 0/-251
    Next hop type: Interface, Next hop index: 0
    Address: 0xb622210
    Next-hop reference count: 2
    Next hop: via irb.608, selected
    State: <Secondary Active Int>
    Age: 19:31:14
    Validation State: unverified
    Task: IF
    Announcement bits (1): 0-KRT
    AS path: I
    Primary Routing Table inet.0

     

    -----------------------Routing table router-B

     

    Router-B> show route 10.93.102.66 detail

    inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    10.93.102.66/31 (1 entry, 1 announced)
    *Direct Preference: 0/-251
    Next hop type: Interface, Next hop index: 0
    Address: 0xc2bd270
    Next-hop reference count: 2
    Next hop: via irb.609, selected
    State: <Secondary Active Int>
    Age: 19:30:13
    Validation State: unverified
    Task: IF
    Announcement bits (1): 0-KRT
    AS path: I
    Primary Routing Table vLEAF.inet.0

    vLEAF.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)

    10.93.102.66/31 (1 entry, 1 announced)
    *Direct Preference: 0
    Next hop type: Interface, Next hop index: 0
    Address: 0xc2bd270
    Next-hop reference count: 2
    Next hop: via irb.609, selected
    State: <Active Int>
    Age: 23:53:02
    Validation State: unverified
    Task: IF
    Announcement bits (1): 1-rt-export
    AS path: I

     

    ----------------------IP schema

    10.93.102.66 -> RouterA routing-instance vSPINE

    10.93.102.65 -> RouterB routing-instance master

     

    In my opinion the problem here is the way the router is managing BGP sessions between different routing-instances.

    Filter and BGP do not play any role here.



  • 7.  RE: bgp peering between routing-instance

     
    Posted 08-21-2019 04:52

    Hi FabNewCert,

     

    The filter-match conditions "from address" and "from port" are invalid for this platform.  You can use these instead:

     

    from source-address ....

    from destination-address

    Or

    from source-port

    from destination-port

     

    Example:

    root@#QFX5200#show firewall family inet filter test
    interface-specific;
    term 1 {
        from {
            source-address {
                1.1.1.1/32;
            }
            protocol tcp;
            source-port 179;
        }
        then accept;
    }

     

    Hope this helps.

    Regards,
    -r.




  • 8.  RE: bgp peering between routing-instance

     
    Posted 08-21-2019 07:15

    Peer 10.93.102.65 is directly connected to irb.608, the main routing-instance is inet.0
    Now your BGP is in routing-instance vSPINE. vSPINE has the direct route from route leaking (rib-group I guess)

    I am pretty sure if you move Peer 10.93.102.65 to global-instance, it can come up ?



  • 9.  RE: bgp peering between routing-instance
    Best Answer

     
    Posted 08-21-2019 07:21

    Discussed internally on this:

    that’s expected
    The interface has to be in the VRF itself (not via route leaking) 

     

    You may need to change the way you want to design this. Move the irb to the routing-instance itself. If needed, do route-leaking in the other direction: vSPINE.inet.0 -> inet.0 as well.

     

    Let me see if I can find any public document on it 
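
The condition described in the answer above can be read off the `show route ... extensive` output already posted in the thread: the vSPINE.inet.0 copy of the peer's connected route is flagged `Secondary`, with inet.0 as its primary table. The following check is an added example, not part of the thread; the function names are hypothetical and the sample text is a trimmed copy of the Router-A output above.

```python
import re

# Constructed sample: trimmed from the "show route 10.93.102.65 extensive"
# output posted for Router-A earlier in the thread.
SAMPLE = """\
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
10.93.102.64/31 (1 entry, 1 announced)
*Direct Preference: 0
Next hop: via irb.608, selected
State: <Active Int>

vSPINE.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
10.93.102.64/31 (1 entry, 1 announced)
*Direct Preference: 0/-251
Next hop: via irb.608, selected
State: <Secondary Active Int>
Primary Routing Table inet.0
"""

TABLE_RE = re.compile(r"^(\S+): \d+ destinations")
PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+) \(\d+ entr")
NEXTHOP_RE = re.compile(r"^Next hop: via (\S+?),")
STATE_RE = re.compile(r"^State: <([^>]*)>")


def parse_routes(text):
    """Return {table: {prefix, interface, secondary}}, one entry per table
    (a host lookup such as 'show route <peer>' prints one match per table)."""
    routes, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            table = m.group(1)
            routes[table] = {"prefix": None, "interface": None, "secondary": False}
        elif table is None:
            continue
        elif m := PREFIX_RE.match(line):
            routes[table]["prefix"] = m.group(1)
        elif m := NEXTHOP_RE.match(line):
            routes[table]["interface"] = m.group(1)
        elif m := STATE_RE.match(line):
            # Leaked copies carry the "Secondary" flag in the state field.
            routes[table]["secondary"] = "Secondary" in m.group(1).split()
    return routes


def route_is_primary_in(text, table):
    """True only if `table` holds the peer's route as a primary (non-leaked) entry."""
    entry = parse_routes(text).get(table)
    return bool(entry and entry["prefix"] and not entry["secondary"])
```

Run against the table that the BGP group lives in (here `vSPINE.inet.0`); a `False` result matches the case where the session to 10.93.102.65 stays in Active.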



  • 10.  RE: bgp peering between routing-instance

    Posted 08-22-2019 00:52

    Hello Mengzhe Hu,

     

    Correct, the problem here has nothing to do with filter or whatever. It looks to me that basically it is not possible to create a BGP session between different routing-instances between 2 different devices, but I am wondering about it.

    In a few words, I want to reach the below:

    [Attached image: JuniperForum.jpg]

     

    Problem is with BGP session number 3.

    For both router A and B, the route-leaking between the 2 routing-instances, aka master and vSPINE (routerB), is done via a simple import policy that works, as shown by my routing tables above, in both directions.

    Same for route-leaking between the 2 routing-instances, aka master and vLEAF (routerA), in both directions.

    Impossible to find specific documentation for this specific case, but something weird is happening here.

    Thanks for your time; if you have more input, please share.