[c-nsp] ASR9k: RIB/FIB convergence
adamv0025 at netconsultings.com
Thu Aug 2 13:52:24 EDT 2018
> Sebastian Neuner
> Sent: Thursday, August 02, 2018 6:19 PM
> To: 'Cisco Network Service Providers'
> Subject: Re: [c-nsp] ASR9k: RIB/FIB convergence
>
> Hi Thomas,
>
> we have seen similar effects in the past. I remember a case, where a router
> with Trident cards and 4.3.1 (and newer routers around it) got stuck in a
> situation similar to yours. It even tried to forward packets to a port that was
> admin-down.
>
> > Do you drop BGP updates on ingress with "as-path length ge 51" please? -
> > not only it's a good practice, but apparently long as-paths caused RIB-FIB
> > clogging in the past.
>
> This fixed our problem. After a whole night of debugging, I found this mail
> thread, "[c-nsp] CEF issues this weekend".
>
> Some AS announced a prefix and prepended >500 times.
>
> Since then, we filter for as-path-length on ingress everywhere and haven't
> seen this behavior again.
>
Yup I remember that one very well.
Came in fairly quick succession (though not sure which one was first) to the
incident where some university advertised a prefix with some custom BGP
attribute and forgot to tell the world until it was too late.

I guess these two incidents then resulted in the long and painful road to
RFC 7606 - Revised Error Handling for BGP UPDATE Messages with varying
success among vendors:

Good: %ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from
neighbor x.x.x.x (VRF: INTERNET) - message length 103 bytes, error flags
0x00400000, action taken "DiscardAttr"

Bad: When the 'bgp-error-tolerance' feature - designed to help mitigate
remote session resets from malformed path attributes - is enabled, a BGP
UPDATE containing a specifically crafted set of transitive attributes can
cause the RPD routing process to crash and restart.

Also these are the reasons why I always recommend building a separate RRs
infrastructure (or plane) dedicated to carry internet prefixes - and keep it
separate from the RR infrastructure carrying prefixes for VPN services.
adam
netconsultings.com
::carrier-class solutions for the telecommunications industry::
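
The ingress check discussed in this thread ("as-path length ge 51"), together with RFC 7606 handling of a malformed AS_PATH, sketched as an added example that is not part of the original message or any vendor's code. It assumes 4-octet ASNs; the function names and sample paths are constructed for illustration.

```python
import struct

MAX_PATH_LEN = 50  # "as-path length ge 51" => reject anything longer than 50
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4

def parse_as_path(value: bytes):
    """Decode an AS_PATH attribute value (4-octet ASNs assumed) into segments."""
    segments, off = [], 0
    while off < len(value):
        if len(value) - off < 2:
            raise ValueError("underrun: truncated segment header")
        seg_type, count = value[off], value[off + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET):
            raise ValueError(f"unrecognized segment type {seg_type}")
        if count == 0:
            raise ValueError("zero-length segment")
        end = off + 2 + 4 * count
        if end > len(value):
            raise ValueError("overrun: segment longer than attribute")
        segments.append((seg_type, struct.unpack(f">{count}I", value[off + 2:end])))
        off = end
    return segments

def as_path_length(segments) -> int:
    """AS_SEQUENCE counts each ASN, AS_SET counts 1, confederation segments count 0."""
    total = 0
    for seg_type, asns in segments:
        if seg_type == AS_SEQUENCE:
            total += len(asns)
        elif seg_type == AS_SET:
            total += 1
    return total

def ingress_action(value: bytes) -> str:
    """Decide what an ingress policy would do with a route carrying this AS_PATH."""
    try:
        segments = parse_as_path(value)
    except ValueError:
        return "treat-as-withdraw"  # RFC 7606 handling for a malformed AS_PATH
    return "drop" if as_path_length(segments) > MAX_PATH_LEN else "accept"

def seg(seg_type: int, asns) -> bytes:
    """Build one segment (helper for the constructed samples below)."""
    return bytes([seg_type, len(asns)]) + struct.pack(f">{len(asns)}I", *asns)

# Constructed samples using documentation ASNs (RFC 5398), not real routes.
NORMAL = seg(AS_SEQUENCE, [64496, 64497, 64498])
WITH_SET = seg(AS_SEQUENCE, [64496]) + seg(AS_SET, [64497, 64498])
PREPENDED = seg(AS_SEQUENCE, [64496] + [64497] * 250) + seg(AS_SEQUENCE, [64497] * 250)
TRUNCATED = NORMAL[:-2]
```

A segment holds at most 255 ASNs, so a path prepended about 500 times arrives as several AS_SEQUENCE segments and the length has to be summed across them.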