SRX

  • 1.  Unable to advertise connected routes in BGP

    Posted 04-16-2019 15:56

    Good afternoon,

    I have a VSRX in AWS.  It works quite well for the most part, but I am unable to advertise connected routes to some BGP neighbors.

     

    Specifically, I have a few interfaces with addresses in 10.132.0.0/16:

    ec2-user@VSRX2> show interfaces terse
    Interface               Admin Link Proto    Local                 Remote
    ...
    ge-0/0/0.0              up    up   inet     10.132.0.52/28
    ge-0/0/1.0              up    up   inet     10.132.0.85/28
    ...
    fxp0.0                  up    up   inet     10.132.0.22/28
    ...

    I have a prefix list containing 10.132.0.0/16, and a routing policy that should accept that:

    prefix-list TRANSIT-VPC {
        10.132.0.0/16;
    }

    policy-statement TRANSIT-VPC-NETS {
        term accept {
            from {
                prefix-list-filter TRANSIT-VPC longer;
            }
            then accept;
        }
        term reject {
            then reject;
        }
    }

     

    This policy is applied to BGP neighbors:

    neighbor 169.254.15.237 {
        description "Corporate VPC #1";
        hold-time 30;
        import CORPORATE-VPC;
        export [ CORIOS-NETS-PREPEND TRANSIT-VPC-NETS ];
        peer-as 64512;
        local-as 65000;
    }
    neighbor 169.254.15.85 {
        description "Corporate VPC #2";
        hold-time 30;
        import CORPORATE-VPC;
        export [ CORIOS-NETS-PREPEND TRANSIT-VPC-NETS ];
        peer-as 64512;
        local-as 65000;
    }

     

    But when I check the routes being advertised to the peers, I do not see my 10.132 networks:

    ec2-user@VSRX2> show route protocol bgp advertising-protocol bgp 169.254.15.237

    inet.0: 73 destinations, 80 routes (73 active, 0 holddown, 0 hidden)
    Prefix Nexthop MED Lclpref AS path
    * 10.1.10.0/24 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.0/24 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.50/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.51/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.53/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.55/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.56/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.62/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.63/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.65/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.66/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.68/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.69/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.70/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.71/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.73/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.77/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.79/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.81/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.84/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.86/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.88/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.92/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.95/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.102/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.104/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.118/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.122/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.126/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.132/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.145/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.146/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.147/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.148/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.149/32 Self 1 1 1 1 [65000] 64513 I

     

    Thanks in advance for your help.

     



  • 2.  RE: Unable to advertise connected routes in BGP

    Posted 04-16-2019 17:18
    To advertise the 10.132.0.0/16 prefix, the routing table should have the exact same prefix as an active route.
    show route 10.132.0.0/16 exact
    In this case, it does not have the /16 prefix in the routing table, only other /28 prefixes. To advertise 10.132.0.0/16, you can create an aggregate route or match each /28 prefix in the prefix list.
    set routing-options aggregate route 10.132.0.0/16



  • 3.  RE: Unable to advertise connected routes in BGP

    Posted 04-16-2019 18:28

    Hi Dramage,

     

    I did some testing 

     

    on this device I configured the /16 on the lo0 interface 

    {master:0}[edit]
    root@SW1# show interfaces lo0                             
    unit 0 {
        family inet {
            address 1.1.1.1/32;
            address 1.2.1.1/16;
        }
    }

    then advertised the route with a policy with route filter (should work the same with the prefix list)

    root@SW1# show policy-options 
    policy-statement test {
        from {
            route-filter 1.2.0.0/16 longer;
        }
        then accept;
    }
    root@SW1# show protocols bgp 
    group TEST {
        export test;
        neighbor 10.10.31.93 {
            peer-as 11111;
        }
    }

    note that I used "longer" as you did, let's see the BGP peer's routing table:

    root@SW2# run show route 1.2/16    
    
    inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    1.2.1.1/32         *[BGP/170] 00:07:18, localpref 100
                          AS path: 22222 I, validation-state: unverified
                        > to 10.10.31.92 via et-0/0/53.10

    now I am going to change the policy on the first one to "orlonger" meaning /16 and anything longer 

    {master:0}[edit policy-options]
    root@SW1# show 
    policy-statement test {
        from {
            route-filter 1.2.0.0/16 orlonger;
        }
        then accept;
    }

    Now let us look at the peer table:

    {master:0}[edit]
    root@SW2# run show route 1.2/16    
    
    inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    1.2.0.0/16         *[BGP/170] 00:00:02, localpref 100
                          AS path: 22222 I, validation-state: unverified
                        > to 10.10.31.92 via et-0/0/53.10
    1.2.1.1/32         *[BGP/170] 00:09:36, localpref 100
                          AS path: 22222 I, validation-state: unverified
                        > to 10.10.31.92 via et-0/0/53.10

    you can try that, you can also see the routes like this:

    SW1:

    {master:0}[edit policy-options]
    root@SW1# run show route advertising-protocol bgp 10.10.31.93  <----------neighbor
    
    inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
      Prefix                  Nexthop              MED     Lclpref    AS path
    * 1.2.0.0/16              Self                                    I
    * 1.2.1.1/32              Self                                    I
    

    SW2

    root@SW2# run show route receive-protocol bgp 10.10.31.92 
    
    inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
      Prefix                  Nexthop              MED     Lclpref    AS path
    * 1.2.0.0/16              10.10.31.92                             22222 I
    * 1.2.1.1/32              10.10.31.92                             22222 I
    
    inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

     

    That should do it, Hope it helps!

     



  • 4.  RE: Unable to advertise connected routes in BGP

    Posted 04-16-2019 21:40

    Hello,

     


    @dramage wrote:

    <skip>

     

    neighbor 169.254.15.237 {
        description "Corporate VPC #1";
        hold-time 30;
        import CORPORATE-VPC;
        export [ CORIOS-NETS-PREPEND TRANSIT-VPC-NETS ];
        peer-as 64512;
        local-as 65000;
    }
    neighbor 169.254.15.85 {
        description "Corporate VPC #2";
        hold-time 30;
        import CORPORATE-VPC;
        export [ CORIOS-NETS-PREPEND TRANSIT-VPC-NETS ];
        peer-as 64512;
        local-as 65000;
    }

     

    <skip>

     

     

    Please show us Your policy CORIOS-NETS-PREPEND.

    If it matches 10.132/16 subnets, then they won't get processed by TRANSIT-VPC-NETS policy.

    HTH

    Thx

    Alex



  • 5.  RE: Unable to advertise connected routes in BGP

    Posted 04-17-2019 10:12

    Hi Alex,

    The routing policy doesn't reference 10.132.0.0/16, but it does have 10.132.3.0/24 in it:

    ec2-user@VSRX2> show configuration policy-options policy-statement CORIOS-NETS-PREPEND
    term accept {
        from {
            prefix-list-filter CORIOS-NETS orlonger;
        }
        then {
            as-path-prepend "1 1 1 1";
            accept;
        }
    }
    term accept-no-prepend {
        from {
            route-filter 10.132.3.0/24 exact;
        }
        then accept;
    }
    term reject {
        then reject;
    }



  • 6.  RE: Unable to advertise connected routes in BGP

    Posted 04-17-2019 10:28
    Remove term reject from CORIOS-NETS-PREPEND policy which is blocking the advertisement.



  • 7.  RE: Unable to advertise connected routes in BGP

    Posted 04-17-2019 11:38

    I've pared things down a little bit, we only have one export policy on the BGP neighbor now:

     

    ec2-user@VSRX2> show configuration protocols bgp group aws neighbor 169.254.15.237
    description "Corporate VPC #1";
    hold-time 30;
    import CORPORATE-VPC;
    export CORIOS-NETS-PREPEND;
    peer-as 64512;
    local-as 65000;

     

    The CORIOS-NETS-PREPEND routing policy looks like this:

     

    term accept {
        from {
            prefix-list-filter CORIOS-NETS orlonger;
        }
        then {
            as-path-prepend "1 1 1 1";
            accept;
        }
    }
    term transit-nets {
        from {
            route-filter 10.132.0.48/28 exact;
        }
        then accept;
    }

     

    I'm now seeing some other nets being advertised, but 10.132.0.48/28:

     

    ec2-user@VSRX2> show route protocol bgp advertising-protocol bgp 169.254.15.237

    inet.0: 78 destinations, 85 routes (78 active, 0 holddown, 0 hidden)
    Prefix Nexthop MED Lclpref AS path
    * 10.1.10.0/24 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.0/24 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.50/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.51/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.53/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.55/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.56/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.62/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.63/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.65/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.66/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.67/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.68/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.69/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.70/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.71/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.72/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.73/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.75/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.76/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.77/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.78/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.79/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.81/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.84/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.86/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.88/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.92/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.102/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.104/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.118/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.122/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.126/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.132/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.139/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.143/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.145/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.147/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.148/32 Self 1 1 1 1 [65000] 64513 I
    * 10.1.11.149/32 Self 1 1 1 1 [65000] 64513 I
    * 10.50.0.0/24 Self 1 1 1 1 64512 I
    * 10.129.0.0/16 Self 1 1 1 1 64512 I



  • 8.  RE: Unable to advertise connected routes in BGP
    Best Answer

    Posted 04-17-2019 11:57
    10.132.0.48/28 is a direct route. So just modify your show command by removing " protocol bgp"

    show route advertising-protocol bgp 169.254.15.237



  • 9.  RE: Unable to advertise connected routes in BGP

    Posted 04-17-2019 12:33

    I think this was my problem all along.  I see the route now.  Thank you for your assistance.



  • 10.  RE: Unable to advertise connected routes in BGP

    Posted 04-17-2019 10:34

    Hello,

     


    @dramage wrote:

     

    ec2-user@VSRX2> show configuration policy-options policy-statement CORIOS-NETS-PREPEND
    <skip>
    term reject {
        then reject;
    }


     

    The above "term reject" matches EVERYTHING not matched above and completely blocks Your 2nd policy from being evaluated.

    Please remove "term reject" from policy CORIOS-NETS-PREPEND and You should be golden.

    HTH

    Thx

    Alex



  • 11.  RE: Unable to advertise connected routes in BGP

    Posted 04-17-2019 10:52
    That's true, the reject is blocking all the other advertisements; you will probably need to do both things if you want to advertise the x x.0.0/16 because "longer" is greater than not equal or greater
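
Added example, not part of any post in the thread and not Junos code: a simplified Python model of how an export policy chain is evaluated, showing why the catch-all `term reject` in CORIOS-NETS-PREPEND stops TRANSIT-VPC-NETS from ever being reached, and why `longer` does not match the /16 itself. The contents of the CORIOS-NETS prefix list are never shown in the thread, so `10.1.0.0/16` below is a constructed stand-in; protocol matching and the `as-path-prepend` action are not modelled.

```python
import ipaddress

def filter_matches(route, prefix, match_type):
    """Junos-style match types: exact, longer (strictly longer), orlonger."""
    r, p = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    if not r.subnet_of(p):
        return False
    if match_type == "exact":
        return r.prefixlen == p.prefixlen
    if match_type == "longer":
        return r.prefixlen > p.prefixlen
    return match_type == "orlonger"

def evaluate_chain(route, chain):
    """Walk policies in order; the first terminating action (accept/reject) wins."""
    for name, terms in chain:
        for term, filters, action in terms:
            # A term with no 'from' clause (filters is None) matches every route.
            if filters is None or any(filter_matches(route, p, m) for p, m in filters):
                return action, f"{name}/{term}"
    return "default", None  # nothing matched: the protocol default policy applies

# Constructed stand-in: the thread never shows the CORIOS-NETS prefix list.
CORIOS_NETS = [("10.1.0.0/16", "orlonger")]

PREPEND_WITH_REJECT = ("CORIOS-NETS-PREPEND", [
    ("accept", CORIOS_NETS, "accept"),
    ("accept-no-prepend", [("10.132.3.0/24", "exact")], "accept"),
    ("reject", None, "reject"),
])
PREPEND_NO_REJECT = ("CORIOS-NETS-PREPEND", PREPEND_WITH_REJECT[1][:2])
TRANSIT = ("TRANSIT-VPC-NETS", [
    ("accept", [("10.132.0.0/16", "longer")], "accept"),
    ("reject", None, "reject"),
])

ORIGINAL_CHAIN = [PREPEND_WITH_REJECT, TRANSIT]
FIXED_CHAIN = [PREPEND_NO_REJECT, TRANSIT]

if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL_CHAIN), ("reject removed", FIXED_CHAIN)):
        for route in ("10.132.0.48/28", "10.132.0.0/16", "10.1.11.50/32"):
            print(f"{label:15} {route:16} {evaluate_chain(route, chain)}")
```

Keeping the final catch-all reject only in the last policy of the chain preserves the explicit deny for everything unlisted without shadowing later policies.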