
Junos L3VPN & AS-PATH LOOP
Hi Everyone,

I'm experiencing strange behavior with Junos L3VPN. Below is a
simplified diagram of what I'm running. There are two PE routers: R1,
connected to the firewall with two sub-interfaces, one each in VRF RED and
BLUE respectively, and R2, where customers are connected and direct
routes are redistributed into BGP L3VPN.
Between the FW and R1 there is an eBGP session to leak the routes
between the two VRFs RED & BLUE. Due to the default behavior of the
as-path loop check, I have BGP loops (allowas-in) applied on R1 to accept
routes from the FW on each VRF sub-interface. The problem starts here. On R1
I see that the leaked routes from the FW are accepted/installed in the RIB in
VRF RED & BLUE, but these routes do not get advertised to R2 via the iBGP
L3VPN session!

As soon as I apply the as-override feature on the FW to hide the originating AS and
rewrite it to 20, everything works as expected.
Is there a special knob in Junos to advertise "looped" routes over the
iBGP L3VPN? I've reproduced the same setup in Cisco XR/XE and it works fine
without as-override to hide/rewrite the originating AS.


Thanks!


          +--------------+
          |    AS20      |
          |     FW       |
          +--+--------+--+
             |        |
      VRF RED|        |VRF BLUE
             |        |
          +--+--------+--+
          |    AS10      |
          |   R1 - PE    |
          +------+-------+
                 |
                 |
          +------+-------+
          |              |
          |  MPLS CLOUD  |
          |              |
          +------+-------+
                 |
                 |
          +------+-------+
          |    AS10      |
          |   R2 - PE    |
          +--+--------+--+
             |        |
      VRF RED|        |VRF BLUE
             |        |
             +        +

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Junos L3VPN & AS-PATH LOOP
Hey Rati,


> As soon as I apply the as-override feature on the FW to hide the originating AS and
> rewrite it to 20, everything works as expected.
> Is there a special knob in Junos to advertise "looped" routes over the
> iBGP L3VPN? I've reproduced the same setup in Cisco XR/XE and it works fine
> without as-override to hide/rewrite the originating AS.

IOS does not check AS_PATH in iBGP sessions, JunOS does. Neither is
wrong or right, standard is unopinionated here. I like IOS behaviour
better.

I hope the implication is clear here: to allow loops, in IOS it's
enough to allow it once on the incoming eBGP session; on JunOS you need to
allow it also on all the iBGP sessions. Basically no one runs a multivendor
network with normalised BGP settings; there are all kinds of small
different behaviours, and the standard people use is 'whatever the vendor
does'. If you want JunOS to behave the same as IOS, just allow arbitrary
loops in all iBGP sessions.

I would discourage a setup where you need to do this. But I admit a
network-based FW is the one place where this really does make things a
whole lot easier. I consider AS_PATH manipulation a mandatory feature for
a network-based firewall. So rewrite the AS_PATH, entirely, on the FW, to
remove the loops. Many FWs support this.

--
++ytti
Re: Junos L3VPN & AS-PATH LOOP
Hey Rati,

I'd suggest checking out the independent-domain feature
<https://www.juniper.net/documentation/en_US/junos/topics/topic-map/l3-vpns-as-configuration.html#id-configuring-layer-3-vpns-to-carry-ibgp-traffic>,
with or without the "no-attrset" knob. We've used it in the past for
similar use cases.

Best,
Guillermo

On Fri, Feb 21, 2020 at 4:06 PM Saku Ytti <saku@ytti.fi> wrote:

Re: Junos L3VPN & AS-PATH LOOP
On 21/Feb/20 17:03, Saku Ytti wrote:

> IOS does not check AS_PATH in iBGP sessions, JunOS does. Neither is
> wrong or right, standard is unopinionated here. I like IOS behaviour
> better.

I'm with Saku - I prefer the Cisco philosophy as well.

This is the reason for a full iBGP mesh when trying to get your internal
routers to talk iBGP to one another (assuming you do not go with route
reflectors), because by default in Cisco-land, AS_PATHs do not exist
for iBGP NLRI.

As such, the only way to circumvent the possibility of creating a loop
in your network is to go with the n-squared iBGP mesh "problem".

Mark.
Re: Junos L3VPN & AS-PATH LOOP
On Sat, 22 Feb 2020 at 16:31, Mark Tinka <mark.tinka@seacom.mu> wrote:

> As such, the only way to circumvent the possibility of creating a loop
> in your network is to go with the n-squared iBGP mesh "problem".

I hope in the common case it's actually just adding one line in templates
and repushing :)
set protocols bgp group iBGP family inet unicast loops 10

So from an expressiveness point of view, Junos can approximate IOS
behaviour, so either point of view can be implemented. But I'm not
sure if IOS can approximate Junos behaviour, maybe with some crazy
as_path regex, something like /(\d+) (?!\1 ?)+(\d+ ?)* \1/ (that
already has problems, but I didn't spend too much time :)


--
++ytti
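An added model (not code from the thread, Juniper or Cisco) of the behaviour Saku describes: IOS skips the AS_PATH loop check on iBGP, Junos runs it on every session unless `loops N` (or allowas-in on the eBGP side) tolerates the local AS, and the as-override workaround from the original post rewrites the looped AS away. AS numbers follow the diagram; it assumes `loops N` means "accept if the local AS appears at most N times", and the regex is only a sketch of the IOS-side idea above.

```python
import re
from typing import List, Tuple

# Constructed scenario from the thread: both PEs (R1, R2) sit in AS 10, the FW in AS 20.
PE_AS = 10
FW_AS = 20


def accept_update(as_path: List[int], local_as: int, session: str,
                  vendor: str, loops: int = 0) -> bool:
    """Inbound AS_PATH loop check as the thread describes it.

    vendor 'ios'   : the check runs on eBGP sessions only (iBGP is never checked).
    vendor 'junos' : the check runs on every session, iBGP included.
    loops          : occurrences of local_as to tolerate (Junos 'loops N',
                     IOS 'allowas-in N'); 0 is the default 'reject on first sight'.
    Assumption: 'loops N' is modelled as 'accept if local_as occurs at most N times'.
    """
    if vendor == "ios" and session == "ibgp":
        return True
    return as_path.count(local_as) <= loops


def as_override(as_path: List[int], peer_as: int, own_as: int) -> List[int]:
    """as-override on the FW: every occurrence of the peer's AS becomes the FW's own AS."""
    return [own_as if asn == peer_as else asn for asn in as_path]


def trace(vendor: str, ebgp_loops: int, ibgp_loops: int,
          fw_as_override: bool = False) -> Tuple[str, List[int]]:
    """Walk one leaked route: originated in AS 10, sent to the FW from VRF RED,
    leaked back into VRF BLUE on R1 (eBGP), then carried to R2 over iBGP (no prepend)."""
    path = [PE_AS]                       # what the FW receives from R1 VRF RED
    if fw_as_override:
        path = as_override(path, PE_AS, FW_AS)
    path = [FW_AS] + path                # FW prepends its own AS toward R1 VRF BLUE
    if not accept_update(path, PE_AS, "ebgp", vendor, ebgp_loops):
        return "rejected at R1", path
    if not accept_update(path, PE_AS, "ibgp", vendor, ibgp_loops):
        return "rejected at R2", path
    return "installed on R2", path


# Sketch of Saku's IOS idea: flag any AS number that appears twice in a path string.
REPEATED_AS = re.compile(r"\b(\d+)\b(?: \d+)* \1\b")


def has_repeated_as(as_path_str: str) -> bool:
    return REPEATED_AS.search(as_path_str) is not None
```

`trace("junos", 2, 0)` reproduces the original post: accepted on R1, dropped by R2's iBGP check; raising the iBGP `loops` value or enabling as-override on the FW both make it install.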
Re: Junos L3VPN & AS-PATH LOOP
On 23/Feb/20 10:46, Saku Ytti wrote:

>
> So from an expressiveness point of view, Junos can approximate IOS
> behaviour, so either point of view can be implemented. But I'm not
> sure if IOS can approximate Junos behaviour, maybe with some crazy
> as_path regex, something like /(\d+) (?!\1 ?)+(\d+ ?)* \1/ (that
> already has problems, but I didn't spend too much time :)

I haven't quite thought about that, to be honest :-).

In my mind, that's right up there with exotic things like running 2 RPKI
validators from 2 different vendors. You can, but unlike DNS or IXP
route servers, the attempt seems too "fancy" for the expected value.

Mark.
Re: Junos L3VPN & AS-PATH LOOP
Thank you all for an interesting discussion. My first guess was to use BGP
loops for the L3VPN iBGP, but the two "looped" ASes in the AS-PATH tricked me, and that's
why the routes were not installed on PE2. Debugging showed the route-rejection
message on PE2.

independent-domain is an excellent feature and works well but hides BGP
attributes (such as local-pref) in the SP core.
I tried to use no-attrset but it seems the same, at least on the SRX platform.

Thanks!
On Sun, Feb 23, 2020 at 11:38 AM Mark Tinka <mark.tinka@seacom.mu> wrote:
