[j-nsp] Re: Cisco-style "allowas-in" OR: Inter-connecting VPNs (+default VRF) using eBGP

Massimiliano Galizia XMG (RM/TEI) massimiliano.xmg.galizia at ericsson.com
Tue May 15 07:40:36 EDT 2007


I'm not sure I completely understand your issue, so don't curse me if I ask you this question: is your trouble caused by the AS PATH number? Since it is the first thing a router examines to detect loops, a repeated AS number in the path makes routes go to waste.
Did you try to put the "loops 2" statement in the autonomous-system configuration?
In fact this is one way to alter AS PATH behaviour. You can allow the local AS # to appear in the path as many as 10 times.


MASSIMILIANO GALIZIA
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On behalf of Phil Mayers
Sent: Tuesday, 15 May 2007 13:15
To: juniper-nsp
Subject: [j-nsp] Cisco-style "allowas-in" OR: Inter-connecting VPNs (+default VRF) using eBGP

All,

I'm running a (slightly more complex) version of the network shown here:

http://picasaweb.google.co.uk/phil.mayers/NetworkDiagrams/photo#5064742915858918722

Important things to note: there are only 6 physical routers in this 
network. rtr-A and rtr-B are 6500s running MPLS L3 VPNs. The cisco 
implementation mandates that the BGP process "inside" the VPN be the 
same AS# as the other VPNs and the non-VPN.

The network basically works; as long as I use "allowas-in 1" on the VPN 
and non-VPN eBGP peerings it's all good and the routes propagate between 
the VRFs and into the non-VRF.

However, the two Junipers ignore the routes from the VPNs, presumably 
because they've got their own AS# in, though there's no logging in the 
(oh so awful) tracing. What's slightly odd is that the ciscos seem to 
need no special handling in order to accept iBGP routes with their own 
as# in - the "allowas-in" command is only needed for the eBGP peerings.

Can anyone comment on the expected behaviour, any workarounds available 
to me (make the junipers accept the routes) or any possible alternative 
techniques?

Things I've tried:

  * remove-private-as on the firewall->nonVRF eBGP peering does not 
appear to work, presumably because we *are using* private as# at both ends.

  * Cisco's "local-as" command on the vrf->firewall eBGP peerings does 
not appear to do what I expected: instead of masquerading the routes as 
e.g. 64582, it appears to *prepend* it.

Comments appreciated.