[j-nsp] Route Precedence

Chris lists at blackhat.bz
Wed Jul 13 02:27:21 EDT 2011


Hi all,

I have a pair of EX4200s which are running iBGP to a pair of J6350s.

I am seeing some strange behaviour with the routing on them. The
EX4200s have a few different VLANs set up:

vlan 50 - Used to connect to a J6350
vlan 100 - The VLAN the devices I am trying to reach are on

The devices on vlan 100 are on the 10.10.10.0/24 range, with the
EX4200s being the gateway for that network (it has been assigned
10.10.10.254). The problem I am seeing is that from the EX4200s I can reach
any device in that network fine. From the J6350s I can reach SOME
devices but not others. I have not been able to find a pattern for this
- an example device I have plugged in is a Dell blade chassis. It has a
management controller that sits on 10.10.10.100 which I can get to from
both the EX4200s and the J6350s. Each blade in the chassis is also
assigned an IP for management through the same controller, in this case
10.10.10.101-117. I can't reach the individual blade management IPs
from the J6350s, yet from the EX4200s I can reach them fine. It has me
a bit confused as it uses the same port on the EX4200s.

For the below examples, here is the IP addressing (these are obviously
not real):
99.99.99.240/30 - acc-core vlan50 (99.99.99.241) and acc-bdr1 ge-0/0/0
(99.99.99.242)
99.99.99.253 - acc-core lo0

On the J6350s the route for 10.10.10.0/24 is learnt via iBGP:

root at acc-bdr1> show route 10.10.10.0

inet.0: 363930 destinations, 363932 routes (170427 active, 0 holddown,
193504 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24      *[BGP/170] 00:49:35, localpref 100, from 99.99.99.253
                      AS path: I
                    > to 99.99.99.241 via ge-0/0/0.0

That route does seem to work: if I ping any IP in 10.10.10.0/24 (even
the 'non-working' IPs) and run a tcpdump on the J6350 I can see the
traffic heading out to the EX4200s.

As a test, I added a static route for 10.10.10.101/32 with a next hop of
10.10.10.254 on the J6350. This doesn't show in the routing table on the
J6350:

root at acc-bdr1> show configuration routing-options static route
10.10.10.101/32
next-hop 10.10.10.254;

root at acc-bdr1> show route 10.10.10.101

inet.0: 363933 destinations, 363935 routes (170429 active, 0 holddown,
193505 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24      *[BGP/170] 00:54:12, localpref 100, from 99.99.99.253
                      AS path: I
                    > to 99.99.99.241 via ge-0/0/0.0

On the EX4200 the route is there correctly:
root at acc-core> show route 10.10.10.101

inet.0: 16384 destinations, 16384 routes (16384 active, 0 holddown, 0
hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24      *[Direct/0] 00:55:58
                    > via vlan.100

After the route was added, the EX4200 had the power cut and restored, and
I could magically ping 10.10.10.101 from the J6350 with no other config
changes. The power was cut again, and I then lost the ability to ping it
from the J6350, but I could still ping it from the EX4200. I have no
idea why this is, so I am a bit confused.

The J6350 has no filters in place currently; it is running the router
config too, with the security features disabled.

Is there anything obvious I'm missing?

Thanks
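The following is an added worked example, not part of the original post. It parses 'show route' output in the shape quoted above, performs a Junos-style lookup (longest prefix first, then lowest route preference), and models the default Junos rule that a static route without the 'resolve' keyword only becomes active when its next hop lies in a directly connected subnet. The route tables are constructed from the post's output (the 99.99.99.240/30 Direct entry on the J6350 is an assumption based on the addressing described); the function names are the example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Junos default route preferences (lower is better); only the protocols
# that appear in the post's output are listed.
PREFERENCE = {"Direct": 0, "Local": 0, "Static": 5, "BGP": 170}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str
    preference: int
    next_hop: str  # gateway address, or interface name for Direct routes


# Matches the first line of an active entry, e.g. "10.10.10.0/24  *[BGP/170] ..."
ROUTE_LINE = re.compile(r"^(\S+/\d+)\s+\*\[(\w+)/(\d+)\]")
# Matches the selected next hop, e.g. "> to 99.99.99.241 via ge-0/0/0.0" or "> via vlan.100"
NEXT_HOP_LINE = re.compile(r">\s+(?:to\s+(\S+)\s+)?via\s+(\S+)")

# Constructed sample modelled on the J6350 output in the post; the Direct
# entry for the point-to-point link is assumed, not quoted from the post.
J6350_SHOW_ROUTE = """\
10.10.10.0/24      *[BGP/170] 00:49:35, localpref 100, from 99.99.99.253
                      AS path: I
                    > to 99.99.99.241 via ge-0/0/0.0
99.99.99.240/30    *[Direct/0] 01:00:00
                    > via ge-0/0/0.0
"""

# Constructed sample modelled on the EX4200 output in the post.
EX4200_SHOW_ROUTE = """\
10.10.10.0/24      *[Direct/0] 00:55:58
                    > via vlan.100
"""


def parse_show_route(text: str) -> List[Route]:
    """Parse the active entries of 'show route' output into Route objects."""
    routes: List[Route] = []
    current: Optional[Route] = None
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            current = Route(ipaddress.ip_network(m.group(1)), m.group(2), int(m.group(3)), "")
            routes.append(current)
            continue
        m = NEXT_HOP_LINE.search(line)
        if m and current is not None:
            current.next_hop = m.group(1) or m.group(2)
    return routes


def lookup(dest: str, table: List[Route]) -> Optional[Route]:
    """Longest-prefix match; ties are broken by the lowest (best) preference."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.preference))


def static_next_hop_resolves(next_hop: str, table: List[Route]) -> bool:
    """Junos default (no 'resolve'): a static next hop must fall inside a
    directly connected prefix, otherwise the static route is never active."""
    via = lookup(next_hop, table)
    return via is not None and via.protocol == "Direct"


def install_static(prefix: str, next_hop: str, table: List[Route]) -> List[Route]:
    """Return a new table containing the static route only if it would be active."""
    if not static_next_hop_resolves(next_hop, table):
        return list(table)  # stays hidden, exactly as in the post's second lookup
    return table + [Route(ipaddress.ip_network(prefix), "Static", PREFERENCE["Static"], next_hop)]


if __name__ == "__main__":
    for name, text in (("acc-bdr1 (J6350)", J6350_SHOW_ROUTE), ("acc-core (EX4200)", EX4200_SHOW_ROUTE)):
        table = install_static("10.10.10.101/32", "10.10.10.254", parse_show_route(text))
        best = lookup("10.10.10.101", table)
        print(f"{name}: 10.10.10.101 -> {best.prefix} [{best.protocol}/{best.preference}]")
```

Run stand-alone, the script shows that on the J6350 table the /32 static never competes, because its next hop 10.10.10.254 is only covered by the BGP-learned /24, while on a table where 10.10.10.0/24 is Direct the static /32 wins the lookup on prefix length before preference is even considered.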

