Routing

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Send IP prefixes to another BGP peer through community mataching

    Posted 12-30-2021 08:51
    Hi,

    I am trying to advertise IP prefixes receiving from a BGP announcement to another BGP peer through community matching. But it's not happening in my case and it actually sends all prefixes that I receive from BGP peers.  For testing, I have added another rule which matches all traffic and denies and it works perfectly and no prefixes are announced at that time. It means no policy statement is not matching and it passes all prefixes to its peer.

    Sample Output and Configuration are given below:

    RECEIVING FROM PEER

    run show route 43.xxx.xxx.0/22 detail

    inet.0: 470 destinations, 532 routes (470 active, 0 holddown, 0 hidden)
    43.xxx.xxx.0/22 (1 entry, 1 announced)
    *BGP Preference: 170/-101
    Next hop type: Indirect, Next hop index: 0
    Address: 0x82e4abc
    Next-hop reference count: 578
    Source: 192.168.199.25
    Next hop type: Router, Next hop index: 7035
    Next hop: 192.168.199.25 via ae25.0, selected
    Session Id: 0x2f
    Protocol next hop: 192.168.199.25
    Indirect next hop: 0x52e6a08 7039 INH Session ID: 0x33
    State: <Active Int Ext>
    Local AS: 2xxx Peer AS: 2xxx
    Age: 1:26:26 Metric: 0 Metric2: 0
    Validation State: unverified
    Task: BGP_2xxx.192.168.199.25
    Announcement bits (3): 0-KRT 2-BGP_RT_Background 3-Resolve tree 3
    AS path: I
    Communities: 2xxx:90
    Accepted
    Localpref: 100
    Router ID: 192.168.1.253


    10.250.250.224/30 (2 entries, 1 announced)
    *BGP Preference: 170/-101
    Next hop type: Indirect, Next hop index: 0
    Address: 0x82e3d9c
    Next-hop reference count: 123
    Source: 192.168.199.21
    Next hop type: Router, Next hop index: 7033
    Next hop: 192.168.199.21 via ae18.0, selected
    Session Id: 0x19
    Protocol next hop: 192.168.199.98
    Indirect next hop: 0x52e6808 7034 INH Session ID: 0x2e
    State: <Active Int Ext>
    Local AS: 2xxx Peer AS: 2xxx
    Age: 1:28:09 Metric: 0 Metric2: 0
    Validation State: unverified
    Task: BGP_2xxx.192.168.199.21
    Announcement bits (3): 0-KRT 2-BGP_RT_Background 3-Resolve tree 3
    AS path: I (Originator)
    Cluster list: xxxxxx
    Originator ID: xxxxx
    Communities: 2xxx:1000
    Accepted
    Localpref: 100
    Router ID: 12x.xxx.xxx.xxx

    SENDEING TO PEER

    run show route advertising-protocol bgp 202.xxx.xxx.110

    inet.0: 470 destinations, 532 routes (470 active, 0 holddown, 0 hidden)
    Prefix Nexthop MED Lclpref AS path
    * 0.0.0.0/0 Self I
    * 10.250.250.224/30 Self I
    * 43.xxx.xxx.0/22 Self I


    COMMUNITY TAGGING and POLICY CONFIGURATION

    community AGG-1_COOMUNITY members [ 2xxx:50 2xxx:60 2xxx:70 ];
    community AGG-2_COMMUNITY members [ 2xxx:80 2xxx:85 2xxx:90 ];

    policy-statement FOR_NETFLIX_ONLY {
    term AGGE-1_ANNOUCE_PERFIX {
    from community AGG-1_COOMUNITY;
    then accept;
    }
    term AGGE-2_ANNOUCE_PERFIX {
    from community AGG-2_COMMUNITY;
    then accept;

    Thanks.

    Ankan




    ------------------------------
    ANKAN BHOWMIK
    ------------------------------


  • 2.  RE: Send IP prefixes to another BGP peer through community mataching

    Posted 12-31-2021 05:33
    Hi Ankan,
    In your export policy you must add last term that reject anything else, because bgp by default exports all bgp prefixes that it receives from peers. It could be like this:
    term AGGE-2_ANNOUCE_PERFIX
    (...)
    term REJECT-OTHERS {
    then reject;
    }

    Here you can find default implicit policies that are applied to different routing protocols https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/policy-routing-policies-actions-defaults.html

    Regards
    Miroslaw


  • 3.  RE: Send IP prefixes to another BGP peer through community mataching

    Posted 12-31-2021 05:33
    Hi,

    This is expected BGP behaviour. All BGP learned routes are advertised through all BGP peerings (according to iBGP/eBGP rules) unless they are explicitly rejected by a policy. So in your case, you just need to add a finial term rejecting all prefixes. Your two first terms will allow what you want based on communities, all unmatched prefixes will reach the last term and be rejected. 

    Regards,
    C

    ------------------------------
    Christophe Lemaire
    ------------------------------



  • 4.  RE: Send IP prefixes to another BGP peer through community mataching

    Posted 12-31-2021 08:54
    Hi Christopher,

    Thanks for your reply. As I said I have already applied a reject rule for matching all traffic and it denies all and no prefixes will announce on applying the nat rule.

     term REJECT_ALL {
            then {
                 reject;
            }
        }
    }

    aaa@CONTENT-SW# run show route advertising-protocol bgp 202.xxx.xxx.110

    # commit confirmed will be rolled back in 5 minutes

    Currently reject rule is deactivated and it starts announcing all as per the default BGP behavior. 

    Another thing I want to know is the policy rules are just the opposite of the firewall rule. I mean to say if I don't write any reject rule in the below then will it be permitted all traffic whereas in firewall rule it rejects all.

    Thanks

    Ankan





  • 5.  RE: Send IP prefixes to another BGP peer through community mataching

    Posted 01-02-2022 05:24
    Hi Ankan,

    You have to apply the REJECT_ALL term as last term in your policy. You have to accept first then reject all other prefixes. 

    policy-statement FOR_NETFLIX_ONLY {
    term AGGE-1_ANNOUCE_PERFIX {
    from community AGG-1_COOMUNITY;
    then accept;
    }
    term AGGE-2_ANNOUCE_PERFIX {
    from community AGG-2_COMMUNITY;
    then accept;
    }
     term REJECT_ALL {
            then {
                 reject;
            }
        }
    }

    I would not compare policies and firewall filters. The first one is to manipulate routing information while the last one is to allow or block actual traffic. It is not at all the same purpose. 

    Regards,
    C

    ------------------------------
    Christophe LemaireChristophe Lemaire
    ------------------------------



  • 6.  RE: Send IP prefixes to another BGP peer through community mataching

    Posted 01-03-2022 05:44
    Hi,

    Your route policy is looking exactly the communities you describe in the community member statement. For route 43.xxx.xxx.0/22 the only community present is Communities: 2xxx:90 but policy is looking for community AGG-2_COMMUNITY members [ 2xxx:80 2xxx:85 2xxx:90 ] all three communities at the same time (it is running as and operator) since all three communities is not present in the route, it is not matching the policy. either add another community with only 2xxx:90 as a match criteria or add other communities the the route entry via another route policy and it should fix your issue.

    community AGG-3_COOMUNITY members 2xxx:90

    policy-statement FOR_NETFLIX_ONLY {
    term AGGE-1_ANNOUCE_PERFIX {
    from community AGG-1_COOMUNITY;
    then accept;
    }
    term AGGE-2_ANNOUCE_PERFIX {
    from community AGG-2_COMMUNITY;
    then accept;
    term AGGE-3_ANNOUCE_PERFIX {
    from community AGG-3_COMMUNITY;
    then accept;

    ------------------------------
    MEHMET SUEL
    ------------------------------



  • 7.  RE: Send IP prefixes to another BGP peer through community mataching

    Posted 01-04-2022 05:27
    Hi Mehmet,

    Thanks for your reply. It's working as expected now. My understanding was wrong and I thought the community matching is either or but my policy means that the prefix should be tagged with all three communities & then only the policy will work.

    The default BGP behavior is to advertise all routes to its peers and in this case, we need a REJECT statement to reject other traffic which does not match the above policy term but my question is shall I need it for all situations? I mean say that, is policy-option has a default permit?  

    Thanks again for your kind response

    Ankan






  • 8.  RE: Send IP prefixes to another BGP peer through community mataching

    Posted 01-04-2022 07:04
    Hi,

    Default policy action is defined by the routing policy it is applied to. Since we are talking about BGP, default behavior is sending all active bgp routes to peers. So the policy is working as matching routes regarding the community and then applying default action as sending all routes to peers. If you want to only advertise select routes from policy you need to add reject action as last term.

    Regards,

    ------------------------------
    MEHMET SUEL
    ------------------------------