[j-nsp] Cisco-style "allowas-in" OR: Inter-connecting VPNs (+default VRF) using eBGP

Phil Mayers p.mayers at imperial.ac.uk
Tue May 15 07:15:12 EDT 2007


All,

I'm running a (slightly more complex) version of the network shown here:

http://picasaweb.google.co.uk/phil.mayers/NetworkDiagrams/photo#5064742915858918722

Important things to note: there are only 6 physical routers in this 
network. rtr-A and rtr-B are 6500s running MPLS L3 VPNs. The cisco 
implementation mandates that the BGP process "inside" the VPN be the 
same AS# as the other VPNs and the non-VPN.

The network basically works; as long as I use "allowas-in 1" on the VPN 
and non-VPN eBGP peerings it's all good and the routes propagate between 
the VRFs and into the non-VRF.

However, the two Junipers ignore the routes from the VPNs, presumably 
because they've got their own AS# in, though there's no logging in the 
(oh so awful) traceing. What's slightly odd is that the ciscos seem to 
need no special handling in order to accept iBGP routes with their own 
as# in - the "allowas-in" command is only needed for the eBGP peerings.

Can anyone comment on the expected behaviour, any workarounds available 
to me (make the junipers accepts the routes) or any possible alternative 
techniques?

Things I've tried:

  * remove-private-as on the firewall->nonVRF eBGP peering does not 
appear to work, presumably because we *are using* private as# at both ends.

  * Ciscos' "local-as" command on the vrf->firewall eBGP peerings does 
not appear to do what I expected: instead of masquerading the routes as 
e.g. 64582, is appears to *prepend* it.

Comments appreciated.


More information about the juniper-nsp mailing list