BGP Configuration for Internet Exchange (iX) - Help Needed

  • 1.  BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-24-2023 11:20

    I am struggling to figure out how to configure eBGP with an internet exchange so that it accepts the neighbors from the route servers.  DE-CIX, my iX, offers guidance on how to configure Cisco but not on how to configure Juniper.

    I'm getting these errors repeatedly from all the neighbors in the subnet that I'm supposed to peer with:
    rpd[20053]: bgp_listen_accept:6485: NOTIFICATION sent to IP.AD.DR.ESS+8003 (proto): code 6 (Cease) subcode 5 (Connection Rejected), Reason: Connection attempt from unconfigured neighbor: IP.AD.DR.ESS+8003

    This is the configuration on our MX204:

    policy-options {
        prefix-list PL_DECIX_ROUTE_SERVERS_IN_4 {
            0.0.0.0/0;
        }
        prefix-list PL_DECIX_ROUTE_SERVERS_OUT_4;
        route-filter-list PUBLIC_IPRANGE {
            OUR.NET.BLO.CK/24 exact;
        }
        policy-statement ASBLACKLIST {
            term find-routes {
                from as-path ASBLK53667;
                then reject;
            }
        }
        policy-statement ADVERTISE {
            term IPRANGE_ONLY {
                from {
                    route-filter-list PUBLIC_IPRANGE;
                }
                then accept;
            }
            term OTHERS {
                then reject;
            }
        }
        policy-statement RM_DECIX_ROUTE_SERVERS_IN_4 {
            term DE-CIX_ALLOW {
                from {
                    route-filter 0.0.0.0/0 exact;
                }
                then accept;
            }
        }
        policy-statement RM_DECIX_ROUTE_SERVERS_OUT_4 {
            term DECIX_SETCOMMUNITY {
                from {
                    route-filter OUR.NET.BLO.CK/24 exact;
                }
                then {
                    community add DE-CIX_COMMUNITY;
                }
            }
        }
        community DE-CIX_COMMUNITY members [ 0:53907 65534:65534 ];
        as-path ASBLK53667 ".* 53667";
    }
    protocols {
        bgp {
            group de-cix-nyc {
                type external;
                route-server-client;
                preference 125;
                import RM_DECIX_ROUTE_SERVERS_IN_4;
                family inet {
                    unicast;
                }
                export RM_DECIX_ROUTE_SERVERS_OUT_4;
                peer-as 63034;
                local-as [OurLocalAS];
                multipath {
                    multiple-as;
                }
                neighbor 206.82.104.254 {
                    description RS1.NYC.DE-CIX.NET;
                }
                neighbor 206.82.106.254 {
                    description RS2.NYC.DE-CIX.NET;
                }
            }
        }
    }

    I am absolutely sure I'm missing something here or did something wrong, so I was hoping someone who has set up internet exchanges before has some advice on how to get this operational.

    Sincerely appreciate your time reading this and any advice you have for me.



    ------------------------------
    RYAN BLAKE
    ------------------------------


  • 2.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-24-2023 11:29

    Hello

    Are you sure DECIX has configured their side?
    I have a setup with DECIX and don't have a problem with them.



    ------------------------------
    --
    Grzegorz Dacka
    ------------------------------



  • 3.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-24-2023 12:43

    Hello and yes, DE-CIX is configured properly as, prior to installing the Juniper MX204, I had a Cisco router installed and it worked without any issues other than not having the same throughput as the Juniper (and why I switched).

    So that's why I'm almost certain it's a "me" issue and not a "them" issue.

    Also, looking at show bgp summary, I see that one route server is showing established but the other one shows as "Active" without any packets passing through:

    Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
    206.82.104.254        63034          0          0       0       1     2:07:52 Active
    206.82.106.254        63034     110234     357453       0       0    15:04:46 Establ

    I'm not sure if that helps with troubleshooting or not, but thought I'd include it.  With regard to my upstream internet peers, they are all showing established with full BGP tables as expected.



    ------------------------------
    RYAN BLAKE
    ------------------------------



  • 4.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-24-2023 13:08

    Hello!

    Are you able to ping 206.82.104.254 and perform telnet to 206.82.104.254 dst port 179 from your interface address provided by DE-CIX?



    ------------------------------
    Alexander Shikov
    ------------------------------



  • 5.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-24-2023 13:25

    Yes on the ping and telnet shows established but immediately ends, which I'm thinking is expected?

    ping 206.82.106.254 count 4
    PING 206.82.106.254 (206.82.106.254): 56 data bytes
    64 bytes from 206.82.106.254: icmp_seq=0 ttl=64 time=10.026 ms
    64 bytes from 206.82.106.254: icmp_seq=1 ttl=64 time=10.164 ms
    64 bytes from 206.82.106.254: icmp_seq=2 ttl=64 time=10.092 ms
    64 bytes from 206.82.106.254: icmp_seq=3 ttl=64 time=9.962 ms

    --- 206.82.106.254 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 9.962/10.061/10.164/0.075 ms

    ping 206.82.104.254 count 4
    PING 206.82.104.254 (206.82.104.254): 56 data bytes
    64 bytes from 206.82.104.254: icmp_seq=0 ttl=64 time=12.903 ms
    64 bytes from 206.82.104.254: icmp_seq=1 ttl=64 time=21.579 ms
    64 bytes from 206.82.104.254: icmp_seq=2 ttl=64 time=14.046 ms
    64 bytes from 206.82.104.254: icmp_seq=3 ttl=64 time=10.152 ms

    --- 206.82.104.254 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 10.152/14.670/21.579/4.233 ms

    telnet:

    telnet interface xe-0/1/4.401 port 179 206.82.106.254
    Trying 206.82.106.254...
    Connected to rs2.nyc.de-cix.net.
    Escape character is '^]'.
    Connection closed by foreign host.

    telnet interface xe-0/1/4.401 port 179 206.82.104.254
    Trying 206.82.104.254...
    Connected to rs1.nyc.de-cix.net.
    Escape character is '^]'.
    Connection closed by foreign host.

    By the way, now it's showing the inverse:

    Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
    206.82.104.254        63034      50768     188681       0       1       50:43 Establ

      inet.0: 64892/185427/185427/0
    206.82.106.254        63034          0          0       0       1       36:21 Active



    ------------------------------
    RYAN BLAKE
    ------------------------------



  • 6.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-24-2023 14:04

    > By the way, now it's showing the inverse:

    Looks a bit weird. 
    Have you checked the output of 'show bgp neighbor 206.82.106.254 extensive'? Can you share it?
    I'd recommend enabling traceoptions for the problematic peer:
    set protocols bgp group ... neighbor 206.82.106.254 traceoptions file 206.82.106.254-bgp.log
    set protocols bgp group ... neighbor 206.82.106.254 traceoptions flag general
    commit

    ... and then check the entries in the 206.82.106.254-bgp.log file. You can also add other trace flags to increase the debug level, for example: state, normal, etc.

    Btw, some useful information may also be in the 'show log messages' output.



    ------------------------------
    Alexander Shikov
    ------------------------------



  • 7.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-24-2023 14:06
    Edited by Ashm 08-24-2023 14:07

    I've checked your configuration once again and noticed a setting I had not noticed earlier.

    route-server-client;

    You definitely do not need it in the configuration. Could you please remove it and check whether it helps?



    ------------------------------
    Alexander Shikov
    ------------------------------



  • 8.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-24-2023 14:15

    I removed this and now the sessions are showing as "Active" without any packets transferring.

    Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
    206.82.104.254        63034          0          0       0       2        1:10 Active
    206.82.106.254        63034          0          0       0       1     1:26:23 Active



    ------------------------------
    RYAN BLAKE
    ------------------------------



  • 9.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-24-2023 14:23

    > I removed this and now the sessions are showing as "Active" without any packets transferring.

    Just wait a little. They should come up.



    ------------------------------
    Alexander Shikov
    ------------------------------



  • 10.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-24-2023 15:34

    Hi, it has been an hour and the BGP sessions are still showing as down.  Any ideas or suggestions?



    ------------------------------
    RYAN BLAKE
    ------------------------------



  • 11.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-25-2023 04:01

    Hello

    Try ping, but bind it to the source address:

    run ping 206.82.104.254 source x.x.x.x (x.x.x.x is your IP from the interface)
    If you use a VRF or logical-system, you also need to add this information to the ping.

    Please show:

    run show arp no-resolve | match 206.82.104.254

    run show arp no-resolve | match 206.82.106.254

    If you see the MAC and ping works, try to establish the session as I show you.

    Let's try a simple BGP session with a minimal configuration.
    Import and export prefixes are set to reject.

    set protocols bgp group DECIX-IPv4-rt1 local-address x.x.x.x
    set protocols bgp group DECIX-IPv4-rt1 import Incoming-REJECT
    set protocols bgp group DECIX-IPv4-rt1 export Announce-REJECT
    set protocols bgp group DECIX-IPv4-rt1 peer-as xxxx
    set protocols bgp group DECIX-IPv4-rt1 local-as xxxx
    set protocols bgp group DECIX-IPv4-rt1 neighbor x.x.x.x

    set policy-options policy-statement Incoming-REJECT term 1 from protocol bgp
    set policy-options policy-statement Incoming-REJECT term 2 then reject

    set policy-options policy-statement Announce-REJECT term 1 from protocol bgp
    set policy-options policy-statement Announce-REJECT term 2 then reject

     







    ------------------------------
    --
    Grzegorz Dacka
    ------------------------------



  • 12.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-25-2023 11:25

    Hi Ryan,
    Maybe you need to add router-id or local-AS under routing-options.
    Can you paste your "routing-options" config, please?



    ------------------------------
    ZEESHAN SYED
    ------------------------------



  • 13.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-25-2023 10:59

    Hi,

    1) As written by Ashm, «route-server-client» is irrelevant. You are the client. The DE-CIX route-server is not your route-server client :) Drop this.

    2) Your policies must be fixed, most notably the output policy. As BGP routes are permitted by default, and since you don't deny anything in policy «RM_DECIX_ROUTE_SERVERS_OUT_4», what you do here is set a community for some routes and allow all the BGP routes to pass. Add to it a subsequent «term default then reject».

    3) Are you sure you want/need some «preference 125», so your eBGP routes from DECIX are more preferred than, for example, OSPF external routes?

    4) Have a look at the log you posted. What does it say? «NOTIFICATION sent to IP.AD.DR.ESS+8003 (proto): code 6 (Cease) subcode 5 (Connection Rejected)». That is, YOU sent a notification for a BGP peer that was trying to connect to YOUR router (but you didn't have a BGP neighbor configured for it). It's not a log saying that your connection attempt was rejected, but that you rejected a connection attempt.

    I would have a look at your interface configuration for your decix connecting link. Is the IP/mask good? Is it up? Do you see ARP entries under it? As Grzegorz Dacka wrote, you might be pinging/telnetting decix using some interface that has nothing to do with your expected physical decix link.



    ------------------------------
    Olivier Benghozi
    ------------------------------
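
Added example (not code from the thread or from Juniper): a simplified Python model of how Junos walks an export policy, applied to the posted RM_DECIX_ROUTE_SERVERS_OUT_4 and to two variants of it. It assumes the operator's own /24 is held as a static or aggregate route and uses 192.0.2.0/24 as a constructed stand-in for OUR.NET.BLO.CK/24; the two upstream routes are constructed as well.

```python
# Simplified model of Junos export-policy evaluation (illustration only).
from ipaddress import ip_network

OWN = ip_network("192.0.2.0/24")  # constructed stand-in for OUR.NET.BLO.CK/24

# A term is (name, prefix to match exactly or None for "match all", actions).
# "accept"/"reject" terminate evaluation; any other action is a modifier.
POSTED = [("DECIX_SETCOMMUNITY", OWN, ["community add DE-CIX_COMMUNITY"])]
REJECT_ONLY = POSTED + [("default", None, ["reject"])]
FIXED = [("DECIX_SETCOMMUNITY", OWN, ["community add DE-CIX_COMMUNITY", "accept"]),
         ("default", None, ["reject"])]

def evaluate(policy, prefix, protocol):
    """Return (advertised, applied_modifiers) for one active route."""
    applied = []
    for _name, match, actions in policy:
        if match is not None and ip_network(prefix) != match:
            continue  # route-filter ... exact did not match this route
        for action in actions:
            if action in ("accept", "reject"):
                return action == "accept", applied
            applied.append(action)
        # No terminating action: modifiers stay applied, next term is tried.
    # Default BGP export policy: only active BGP-learned routes are advertised.
    return protocol == "bgp", applied

# Constructed routing table: own block as a static/aggregate route (assumption)
# plus two routes learned from an upstream transit session.
ROUTES = [("192.0.2.0/24", "static"),
          ("198.51.100.0/24", "bgp"),
          ("203.0.113.0/24", "bgp")]

def advertised(policy):
    """Prefixes this policy would send to the route servers."""
    return [p for p, proto in ROUTES if evaluate(policy, p, proto)[0]]

if __name__ == "__main__":
    for label, pol in (("posted", POSTED), ("reject only", REJECT_ONLY),
                       ("accept + reject", FIXED)):
        print(f"{label:16} -> {advertised(pol)}")
```

In this model the posted policy sends the upstream BGP routes to the route servers but not the static /24, and appending only a final reject term sends nothing. The variant that also puts `accept` in the community term sends only the /24.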



  • 14.  RE: BGP Configuration for Internet Exchange (iX) - Help Needed

    Posted 08-25-2023 12:04

    "I'm getting these errors repeatedly from all the neighbors in the subnet that I'm supposed to peer with:
    rpd[20053]: bgp_listen_accept:6485: NOTIFICATION sent to IP.AD.DR.ESS+8003 (proto): code 6 (Cease) subcode 5 (Connection Rejected), Reason: Connection attempt from unconfigured neighbor: IP.AD.DR.ESS+8003"

    Do you have the correct peer IPs configured locally in the BGP configuration? From the above error, it looks like the router is receiving BGP messages from a locally configured neighbor and is thus rejecting the BGP connection attempts. Please check if the IP of the peer mentioned in the above message is what you have configured locally under "protocols bgp".

    A packet capture using "monitor traffic interface <intf-name on which the BGP packets are supposed to be received/sent> no-resolve matching "tcp port 179" detail" would also help in studying the BGP packets being exchanged.

    Also, I didn't understand "from all neighbors in the subnet".  There are only two BGP peers defined in the BGP configuration shared.

    Regards



    ------------------------------
    Sheetanshu Shekhar
    ------------------------------
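
Added example (not code from the thread or from Juniper): a Python helper that performs the check suggested in the replies above, pulling the source address out of each "Connection attempt from unconfigured neighbor" line and comparing it with the neighbor statements in the posted group. The log lines are constructed in the layout of the quoted rpd message, with documentation addresses and one route-server address included only to exercise the second branch.

```python
import re
from collections import Counter

# Neighbor addresses from the de-cix-nyc group posted in the thread.
CONFIGURED = {"206.82.104.254", "206.82.106.254"}

# rpd writes the remote end as "<address>+<tcp-port>"; "sent to" means the
# local router issued the Cease after refusing an inbound TCP/179 connection.
REJECTED = re.compile(
    r"NOTIFICATION sent to (?P<peer>[0-9A-Fa-f.:]+)\+(?P<port>\d+) .*"
    r"code 6 \(Cease\) subcode 5 \(Connection Rejected\), "
    r"Reason: Connection attempt from unconfigured neighbor")

# Constructed sample lines (not from the thread).
_FMT = ("rpd[20053]: bgp_listen_accept:6485: NOTIFICATION sent to {0} (proto): "
        "code 6 (Cease) subcode 5 (Connection Rejected), "
        "Reason: Connection attempt from unconfigured neighbor: {0}")
SAMPLE_LOG = "\n".join([
    _FMT.format("192.0.2.10+8003"),
    _FMT.format("192.0.2.10+51422"),
    _FMT.format("192.0.2.77+40110"),
    _FMT.format("206.82.104.254+49152"),
    "mgd[4321]: UI_COMMIT_COMPLETED: commit complete",  # unrelated line, skipped
])

def triage(log_text, configured=CONFIGURED):
    """Count refused inbound sessions per source address.

    "unlisted": no neighbor statement exists for the source.
    "listed":   a neighbor statement exists, so check which group or
                routing instance holds it and which local address it uses.
    """
    result = {"unlisted": Counter(), "listed": Counter()}
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if not m:
            continue
        bucket = "listed" if m["peer"] in configured else "unlisted"
        result[bucket][m["peer"]] += 1
    return result

if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_LOG).items():
        for peer, n in counts.most_common():
            print(f"{bucket:9} {peer:16} {n} rejected attempt(s)")
```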