[j-nsp] prefix-limit effectiveness

Dan Farrell danno at appliedi.net
Fri Sep 4 16:25:15 EDT 2009

A follow-up from months ago: despite the fact that I was rejecting all of the routes from my upstream peer on this router, and limiting the total to 5000, it was still crowding out memory, and not all of the routes from OSPF neighbors were making it into the routing table. Even though these routes were 'hidden' they were still taking up space (which is to be expected).

The "keep none" command in this particular peer configuration is what did the trick: it actually removes the routes, not just marking them as 'hidden', which then cleared up space in the router, and all of my OSPF routes finally had room to populate within the 5000 prefix limit.

Just thought I'd drop this nugget here in case anyone runs into the same issue. 



-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Dan Farrell
Sent: Monday, February 09, 2009 11:33 AM
To: Richard A Steenbergen
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] prefix-limit effectiveness

Thanks for the information... I will let you know how it goes (though it seems you already know hehehe, since this was your baby.)



-----Original Message-----
From: Richard A Steenbergen [mailto:ras at e-gerbil.net]
Sent: Thursday, February 05, 2009 7:04 PM
To: Dan Farrell
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] prefix-limit effectiveness

On Thu, Feb 05, 2009 at 02:05:14PM -0800, Dan Farrell wrote:
> Then I limit the number of prefixes it will even look at to 5000 -
> import default-route;
> family inet {
>     unicast {
>         prefix-limit {
>             maximum 5000;
>         }
>     }
> }
> This is effective- I have only the default to use from my upstream.
> But I keep generating tons of log messages because I keep getting (and
> rejecting) tons of routes. Without asking the upstream to not
> advertise the full route table, is there something I can do on my end
> to limit the syslog messages I keep getting?
> Feb  5 19:00:43  nap-r2-edge-2 rpd[82464]: RPD_RT_PREFIX_LIMIT_REACHED: Number of prefixes (4000) in table inet.0 still exceeds or equals configured maximum (4000)

Well technically speaking you can always filter by regexp anything that
you send to system, but what you really want is accepted-prefix-limit
instead of prefix-limit above.

Prefix-limit is applied to all routes received by the router, even if
they are rejected by your import policy. Basically this protects router
DRAM from something going wild and sending you a billion routes, but is
less useful as a policy protection, or in your case to limit the number
of routes being installed to FIB.

Accepted-prefix-limit is a relatively new feature added in 9.2 (and
pardon me while I do a little dance about it, but this is one of my
feature requests which I've been asking for for 6 years and it just
finally got implemented! :P) which limits the number of routes AFTER
your import policy has been applied. In the example above, even though
you are receiving a full table, you are rejecting all but 1 route in
policy, so the value that would be evaluated by accepted-prefix-limit is

Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
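Putting the two replies together, here is a Junos BGP group that combines the three knobs discussed in this thread: prefix-limit (counted before import policy, a memory guard against a peer flooding the session), accepted-prefix-limit (counted after import policy, which is what actually bounds how much of the peer's table can reach the routing table and FIB), and keep none (so routes the import policy rejects are discarded rather than held as hidden routes). This is an added illustration, not configuration from either poster; the group name, peer AS (documentation ASN 64496), neighbor address (documentation range 192.0.2.1), the 600000 prefix-limit value and the teardown settings are assumptions. Only the policy name default-route comes from the thread. accepted-prefix-limit needs Junos 9.2 or later, as noted above.

```junos
protocols {
    bgp {
        /* Group name is assumed */
        group upstream-transit {
            type external;
            /* Documentation ASN, assumed */
            peer-as 64496;
            /* Import policy from the thread: keep only 0.0.0.0/0 */
            import default-route;
            /* Discard routes the import policy rejects instead of retaining
               them as hidden routes. Without this, a full table that policy
               rejects still occupies RE memory. */
            keep none;
            family inet {
                unicast {
                    /* Counted BEFORE import policy: every prefix the peer sends,
                       rejected or not. Sized as a sanity guard against a peer
                       going wild; 600000 is an assumed value. */
                    prefix-limit {
                        maximum 600000;
                        teardown 90 idle-timeout 30;
                    }
                    /* Counted AFTER import policy: only prefixes that policy
                       accepts. With the policy above a full table counts as 1,
                       so this 5000 bounds what can reach inet.0 and the FIB. */
                    accepted-prefix-limit {
                        maximum 5000;
                        teardown 90 idle-timeout 30;
                    }
                }
            }
            /* Documentation address, assumed */
            neighbor 192.0.2.1;
        }
    }
}
policy-options {
    policy-statement default-route {
        term default-only {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        then reject;
    }
}
```

To check the effect, "show bgp neighbor 192.0.2.1" reports separate Received, Accepted and Active prefix counts for the session, and "show route hidden" should no longer list the rejected prefixes once keep none is in place. One caveat with keep none: because rejected routes are no longer held locally, a later change to the import policy depends on the peer resending its routes (route refresh) before the new policy can be applied to them.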
