Mailing List Archive

On Wed, Jan 29, 2003 at 02:17:15AM -0500, Richard A Steenbergen wrote:
> For example, you have a customer with a /24 implemented as a .1/24
> address on an interface, and you need to announce that /24 for them.
> The interface route will override the static route because of
> preference, the route with the community tags attached will never
> get into the rib, and the route will never be announced. (or somewhat
> conversely say the /24 is used inside your network and redistributed
> via an IGP, the static would win and you would need to specify a
> working next-hop in your holddown route).

Don't mix customer prefixes with your own infrastructure addressing.
Always save at least a few infrastructure addresses for customers,
namely the preferrably /31 (but is often /30 due to code limitations)
ptp links, and one loopback per customer (e.g. for bgp router-id per
neighbor). keep N for gre, hsrp/vrrp, and other off-one situations
(plan accordingly; N is often larger with a smaller customer base).

With proper address planning, you can easily avoid this situation.
A good policy would be to dictate that customers not implenting BGP
get static routes only (no customer addressing allowed in your IGP
ever), but directly to your outgoing interface, while still giving
them an infrastructure address on (from your perspective) far-end
interfaces. You can then classify these customer static routes to
be redistributed into your IBGP.

Sorry to go to the competitor's documentation, and I would write
it in RPSL, but that would mean digressing a little further off-topic.
This is a very good reference on "access engineering" BGP4+CIDR best
practices:

ftp://ftp-eng.cisco.com:/cons/workshops/isp-workshop/StudentCD-Rev-E/Adv_BGP/a3-1up.PDF

dre

dre (andre@operations.net) wrote:
> On Wed, Jan 29, 2003 at 02:17:15AM -0500, Richard A Steenbergen wrote:
> > For example, you have a customer with a /24 implemented as a .1/24
> > address on an interface, and you need to announce that /24 for them.
> > The interface route will override the static route because of
> > preference, the route with the community tags attached will never
> > get into the rib, and the route will never be announced. (or somewhat
> > conversely say the /24 is used inside your network and redistributed
> > via an IGP, the static would win and you would need to specify a
> > working next-hop in your holddown route).
>
> Don't mix customer prefixes with your own infrastructure addressing.
> Always save at least a few infrastructure addresses for customers,
> namely the preferrably /31 (but is often /30 due to code limitations)
> ptp links, and one loopback per customer (e.g. for bgp router-id per
> neighbor). keep N for gre, hsrp/vrrp, and other off-one situations
> (plan accordingly; N is often larger with a smaller customer base).
>
> With proper address planning, you can easily avoid this situation.
> A good policy would be to dictate that customers not implenting BGP
> get static routes only (no customer addressing allowed in your IGP
> ever), but directly to your outgoing interface, while still giving
> them an infrastructure address on (from your perspective) far-end
> interfaces. You can then classify these customer static routes to
> be redistributed into your IBGP.
>
> Sorry to go to the competitor's documentation, and I would write
> it in RPSL, but that would mean digressing a little further off-topic.
> This is a very good reference on "access engineering" BGP4+CIDR best
> practices:
>
> ftp://ftp-eng.cisco.com:/cons/workshops/isp-workshop/StudentCD-Rev-E/Adv_BGP/a3-1up.PDF

Well, so a question from my side arise:

If a customer is having a /24 assigned PI prefix and you have a mixed
network (Cisco/Juniper) AND customer is static routed, how can this be
archieved without messing things around ?

(currently we use "advertise-inactive" but i'll rather have this clean
running)

IGP is IS-IS
EGP is BGP4

--jan

On Wed, Jan 29, 2003 at 12:33:49AM -0800, dre wrote:
> Don't mix customer prefixes with your own infrastructure addressing.
> Always save at least a few infrastructure addresses for customers,
> namely the preferrably /31 (but is often /30 due to code limitations)
> ptp links, and one loopback per customer (e.g. for bgp router-id per
> neighbor). keep N for gre, hsrp/vrrp, and other off-one situations
> (plan accordingly; N is often larger with a smaller customer base).

You miss my point. Say a customer comes to you with their own /24, but
they don't speak BGP (it happens). You have to announce it for them, and
put it on an interface for them. If you want to use a static route for a
holddown, you're either gonna be putting it on the interface as 2 /25s, or
bust.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

On Wed, Jan 29, 2003 at 02:17:15AM -0500, Richard A Steenbergen wrote:
| I have a question about which technique people use to originate BGP
| routes.

[ ... ]

richard,

you may explore the possibilities that the "generate" route type does
give you; [located unter routing-options]

/hannes

On Wed, Jan 29, 2003 at 08:10:37AM -0500, Richard A Steenbergen wrote:
| On Wed, Jan 29, 2003 at 12:33:49AM -0800, dre wrote:
| > Don't mix customer prefixes with your own infrastructure addressing.
| > Always save at least a few infrastructure addresses for customers,
| > namely the preferrably /31 (but is often /30 due to code limitations)
| > ptp links, and one loopback per customer (e.g. for bgp router-id per
| > neighbor). keep N for gre, hsrp/vrrp, and other off-one situations
| > (plan accordingly; N is often larger with a smaller customer base).
|
| You miss my point. Say a customer comes to you with their own /24, but
| they don't speak BGP (it happens). You have to announce it for them, and
| put it on an interface for them. If you want to use a static route for a
| holddown, you're either gonna be putting it on the interface as 2 /25s, or
| bust.

why relying on a static route if we have a direct route ?

policy-options {
policy-statement adv-customer-xyz {
from {
protocol direct;
route-filter 192.168.1.0/24;
}
then accept;
}
}
protocols {
bgp {
group to-my-upstream {
export adv-customer-xyz;
}
}
}

should do the trick ...

/hannes

On Wed, Jan 29, 2003 at 02:50:37PM +0100, Hannes Gredler wrote:
>
> why relying on a static route if we have a direct route ?
>
> policy-options {
> policy-statement adv-customer-xyz {
> from {
> protocol direct;
> route-filter 192.168.1.0/24;
> }
> then accept;
> }
> }
> protocols {
> bgp {
> group to-my-upstream {
> export adv-customer-xyz;
> }
> }
> }
>
> should do the trick ...

Because then I lose the ability to easily tag that /24 with communities,
as-path, etc, as I would when defining a static holddown route. At best, I
end up with a REALLY ugly policy-statement to do it.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

On Wed, Jan 29, 2003 at 11:22:29AM -0500, Richard A Steenbergen wrote:
> On Wed, Jan 29, 2003 at 02:50:37PM +0100, Hannes Gredler wrote:
> >
> > why relying on a static route if we have a direct route ?
> >
> > policy-options {
> > policy-statement adv-customer-xyz {
> > from {
> > protocol direct;
> > route-filter 192.168.1.0/24;
> > }
> > then accept;
> > }
> > }
> > protocols {
> > bgp {
> > group to-my-upstream {
> > export adv-customer-xyz;
> > }
> > }
> > }
> >
> > should do the trick ...
>
> Because then I lose the ability to easily tag that /24 with communities,
> as-path, etc, as I would when defining a static holddown route. At best, I
> end up with a REALLY ugly policy-statement to do it.

What is the "non-ugly" way you would use with a static route? For the
(admittedly few) static routes we pull into BGP, our policies are not
unlike the example above (s/direct/static/). We just use the 'then'
section to set attributes.

-c

On Wed, Jan 29, 2003 at 02:46:22PM +0100, Hannes Gredler wrote:
> On Wed, Jan 29, 2003 at 02:17:15AM -0500, Richard A Steenbergen wrote:
> | I have a question about which technique people use to originate BGP
> | routes.
>
> [ ... ]
>
> richard,
>
> you may explore the possibilities that the "generate" route type does
> give you; [located unter routing-options]

So, on that subject, would you (or someone) care to explain the difference
between "generate" and just setting a route on 0.0.0.0/0? I'm afraid I
don't see the purpose of it.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

On Wed, Jan 29, 2003 at 08:10:37AM -0500, Richard A Steenbergen wrote:
>
> You miss my point. Say a customer comes to you with their own /24, but
> they don't speak BGP (it happens). You have to announce it for them, and
> put it on an interface for them. If you want to use a static route for a
> holddown, you're either gonna be putting it on the interface as 2 /25s, or
> bust.
On Wed, Jan 29, 2003 at 01:12:42PM +0100, Jan Czmok wrote:
>
> If a customer is having a /24 assigned PI prefix and you have a mixed
> network (Cisco/Juniper) AND customer is static routed, how can this be
> archieved without messing things around ?
>
> (currently we use "advertise-inactive" but i'll rather have this clean
> running)

I know this is not an acceptable answer, but wouldn't people with PI
blocks (especially /24's) want to multi-home them, and ... "therefore
BGP"? Maybe it would be a good idea to partner with another ISP to make
single-homed customers transition easily to multi-homing for this exact
situation. This sounds more like a policy issue than a technical issue
to me. Am I wrong?

If people are willing to spend the end-user initial fee of $2500 for a PI
block, then they should also be willing to spend the $500 for an ASN, $300
for a RADB maintainer object, and $10-2000 for a router that is capable of
speaking BGP (could be a 486 FreeBSD box running Zebra for all you care).

For the grandfathered people and the ARIN-player-haters who use MAIL-FROM:,
all I have to say to you people is "get with the program".

dre

Richard,

you can still play with those nice parameters even importing from direct,
static or agregate. One way of injecting the next-hop information from
prefixes you learn from an eBGP peer is importing it from the direct
protocol (juniper parlance) into BGP. Thus you don't have to run an IGP in
passive on that interface or set next-hop-self.
I added some examples:

routing-options {
static {
route 172.16.0.0/19 {
next-hop 1.1.1.1;
preference 254;
community 65001:55111;
}
}
aggregate {
route 128.0.0.0/16 community 65001:111;
}
autonomous-system 65001;
}
policy-options {
policy-statement originate-network {
term originate-network {
from protocol aggregate;
then accept;
}
}
policy-statement distribute-links {
term external-links {
from {
protocol direct;
route-filter 1.1.1.1/30 exact;
route-filter 2.2.2.2/30 exact;
}
then {
origin igp;
community set idc-identifier;
accept;
}
}
}
policy-statement other-idc-blocks {
term other-idc {
from {
protocol static;
route-filter 172.16.0.0/19 exact;
}
then {
local-preference 60;
origin igp;
community set idc-identifier;
accept;
}
}
}
}
protocols {
bgp {
group internal {
type internal;
export [ originate-network distribute-links other-idc-blocks ];
}
group rr-clients {
type internal;
export [ originate-network distribute-links other-idc-blocks ];
}
group ISP-1 {
type external;
export [ originate-network allow-transit ];
}
}
}


Fernando Krahe
PGP Key: 0x6582579A (F163 9323 129C 2602 792F A881 123C 9E3F 6582 579A)


----- Original Message -----
From: "Richard A Steenbergen" <ras@e-gerbil.net>
To: "Hannes Gredler" <hannes@juniper.net>
Cc: "dre" <andre@operations.net>; <juniper-nsp@puck.nether.net>
Sent: Wednesday, January 29, 2003 1:22 PM
Subject: Re: [j-nsp] BGP origination


> On Wed, Jan 29, 2003 at 02:50:37PM +0100, Hannes Gredler wrote:
> >
> > why relying on a static route if we have a direct route ?
> >
> > policy-options {
> > policy-statement adv-customer-xyz {
> > from {
> > protocol direct;
> > route-filter 192.168.1.0/24;
> > }
> > then accept;
> > }
> > }
> > protocols {
> > bgp {
> > group to-my-upstream {
> > export adv-customer-xyz;
> > }
> > }
> > }
> >
> > should do the trick ...
>
> Because then I lose the ability to easily tag that /24 with communities,
> as-path, etc, as I would when defining a static holddown route. At best, I
> end up with a REALLY ugly policy-statement to do it.
>
> --
> Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp

On Wed, Jan 29, 2003 at 08:47:30AM -0800, Clayton Fiske wrote:
>
> What is the "non-ugly" way you would use with a static route? For the
> (admittedly few) static routes we pull into BGP, our policies are not
> unlike the example above (s/direct/static/). We just use the 'then'
> section to set attributes.

For example, here is a pretty nice way to put in a holddown route tagged
with all the necessary communities, exempted from being announced to
Cogent, with as as-path attached:

route 10.0.0.0/24 {
discard;
community [ ASN:TAGS ASN:MORETAGS 16631:666 ];
as-path {
path 1234;
}
}

Works great with aggregates, works badly when you need to announce it as
the same length as its use internally.

The problem with the technique you're talking about is you need a term for
almost each prefix... Very ugly.

Using a prefix-list for the common configurations is mostly functional,
but still extremely limiting when you need to do something custom. For
example:

prefix-list bgp-global {
10.0.0.0/16;
...
}
prefix-list bgp-providerX-only {
10.0.0.0/19
...
}
prefix-list bgp-providerY-only {
10.0.32.0/19
...
}
...

I suppose you could combine it with extra policy-statement terms for the
custom jobs, but I'm really trying to avoid creating unmaintainable
spaghetti configs where you have to look all over to figure out whats
going on. I'm still hoping someone has a more creative technique I'm not
considering.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

On Wed, Jan 29, 2003 at 11:22:29AM -0500, Richard A Steenbergen wrote:
| On Wed, Jan 29, 2003 at 02:50:37PM +0100, Hannes Gredler wrote:
| >
| > why relying on a static route if we have a direct route ?
| >
| > policy-options {
| > policy-statement adv-customer-xyz {
| > from {
| > protocol direct;
| > route-filter 192.168.1.0/24;
| > }
| > then accept;
| > }
| > }
| > protocols {
| > bgp {
| > group to-my-upstream {
| > export adv-customer-xyz;
| > }
| > }
| > }
| >
| > should do the trick ...
|
| Because then I lose the ability to easily tag that /24 with communities,
| as-path, etc, as I would when defining a static holddown route. At best, I
| end up with a REALLY ugly policy-statement to do it.

you still have the ability to add your community,
as-path stuff in the "then" portion of the policy;

so whats missing ?

/hannes

On Wed, Jan 29, 2003 at 11:56:20AM -0500, Richard A Steenbergen wrote:
| On Wed, Jan 29, 2003 at 02:46:22PM +0100, Hannes Gredler wrote:
| > On Wed, Jan 29, 2003 at 02:17:15AM -0500, Richard A Steenbergen wrote:
| > | I have a question about which technique people use to originate BGP
| > | routes.
| >
| > [ ... ]
| >
| > richard,
| >
| > you may explore the possibilities that the "generate" route type does
| > give you; [located unter routing-options]
|
| So, on that subject, would you (or someone) care to explain the difference
| between "generate" and just setting a route on 0.0.0.0/0? I'm afraid I
| don't see the purpose of it.

"generate" creates a local route which inherits elements from the
contributing routes [AS_PATH, ORIGIN, metric etc.]

a route pointing to 0/0 just inherits the next-hop ...

/hannes

On Wed, Jan 29, 2003 at 11:56:20AM -0500, Richard A Steenbergen wrote:
> So, on that subject, would you (or someone) care to explain the difference
> between "generate" and just setting a route on 0.0.0.0/0? I'm afraid I
> don't see the purpose of it.

As I understand it, a generated route takes the next-hop of a
contributing route, whereas an aggregate route has a next-hop of
discard.

Either way, I don't think generated routes will work for your
case because the contributing route still has to be more specific.

-c

On Wed, Jan 29, 2003 at 12:13:53PM -0500, Richard A Steenbergen wrote:
> On Wed, Jan 29, 2003 at 08:47:30AM -0800, Clayton Fiske wrote:
> >
> > What is the "non-ugly" way you would use with a static route? For the
> > (admittedly few) static routes we pull into BGP, our policies are not
> > unlike the example above (s/direct/static/). We just use the 'then'
> > section to set attributes.
>
> For example, here is a pretty nice way to put in a holddown route tagged
> with all the necessary communities, exempted from being announced to
> Cogent, with as as-path attached:
>
> route 10.0.0.0/24 {
> discard;
> community [ ASN:TAGS ASN:MORETAGS 16631:666 ];
> as-path {
> path 1234;
> }
> }
>
> Works great with aggregates, works badly when you need to announce it as
> the same length as its use internally.
>
> The problem with the technique you're talking about is you need a term for
> almost each prefix... Very ugly.

Doesn't this method require a statement per (aggregate) prefix as well?

-c

On Wed, Jan 29, 2003 at 09:31:03AM -0800, Clayton Fiske wrote:
>
> Doesn't this method require a statement per (aggregate) prefix as well?

A route per route is a lot better than a policy-statement term per route.

I'm sorry if I'm the only person on the planet who tries to make the
configs as clean as possible, but it seems like such a loss to have the
very nice functionality of being able to directly attach community tags,
as paths, etc, to a route, and then not be able to use that functionality.

I suppose what I'm really thinking about is something along the lines of a
prefix-list which lets you specify all those per-route options, or some
other way to get those routes with options into the system without having
to make them "actual" routes which compete against other routes for their
existance.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

On Wed, Jan 29, 2003 at 12:45:17PM -0500, Richard A Steenbergen wrote:
> I'm sorry if I'm the only person on the planet who tries to make the
> configs as clean as possible, but it seems like such a loss to have the
> very nice functionality of being able to directly attach community tags,
> as paths, etc, to a route, and then not be able to use that functionality.
>
> I suppose what I'm really thinking about is something along the lines of a
> prefix-list which lets you specify all those per-route options, or some
> other way to get those routes with options into the system without having
> to make them "actual" routes which compete against other routes for their
> existance.

It sounds like something along the lines of a "match-same-length"
setting for generated routes would do what you want. Perhaps a
feature request for future releases?

-c

Hi,

On Wed, Jan 29, 2003 at 08:10:37AM -0500, Richard A Steenbergen wrote:
> You miss my point. Say a customer comes to you with their own /24, but
> they don't speak BGP (it happens). You have to announce it for them, and
> put it on an interface for them. If you want to use a static route for a
> holddown, you're either gonna be putting it on the interface as 2 /25s, or
> bust.

The latter is actually what we do in the "customer PI case". Put a /24
as a static null route into our routers, and redistribute that to BGP.
In the IGP, the customer route is routed as two /25s - which has the
advantage that tricks like dial-backup work just as easily as for PA
customers, and still any internal instability won't affect the BGP
advertisement.

It's a bit ugly for troubleshooting, though.

gert
--
Gert Doering
Mobile communications ... right now writing from * Braunschweig *

At 12:13 PM 2/1/2003 +0100, Gert Doering wrote:
>Hi,
>
>On Wed, Jan 29, 2003 at 08:10:37AM -0500, Richard A Steenbergen wrote:
> > You miss my point. Say a customer comes to you with their own /24, but
> > they don't speak BGP (it happens). You have to announce it for them, and
> > put it on an interface for them. If you want to use a static route for a
> > holddown, you're either gonna be putting it on the interface as 2 /25s, or
> > bust.
>
>The latter is actually what we do in the "customer PI case". Put a /24
>as a static null route into our routers, and redistribute that to BGP.
>In the IGP, the customer route is routed as two /25s - which has the
>advantage that tricks like dial-backup work just as easily as for PA
>customers, and still any internal instability won't affect the BGP
>advertisement.

I personally try to do everything in my power to keep customer routes out
of my IGP. The above method works, but tends to break that rule. In the
cases where one cannot do as dre recommends, which is to allocate a
/31(/30) for the dmz link, then I would prefer to redistribute direct into
BGP using prefix lists to clarify and then actions to assign communities as
many have noted. Even in the case where you have different classes of
routes to be redistributed, you could easily use a multi-term direct-to-bgp
policy that matches various prefixes lists and assigns different
communities respectively. In this case, you get very simply provisioning
in that direct-to-bgp stays the same, and one simply needs to populate a
prefix list within the provisioning steps, and you keep your IGP
clean. Further, this actually leads to less config bloat that per route
communities.

If you have the case where each route needs very different sets of
communities, you might be working with a very unscalable community set
which could benefit from some tweaks :-)

Pete



>It's a bit ugly for troubleshooting, though.
>
>gert
>--
>Gert Doering
>Mobile communications ... right now writing from * Braunschweig *
>_______________________________________________
>juniper-nsp mailing list juniper-nsp@puck.nether.net
>http://puck.nether.net/mailman/listinfo/juniper-nsp