[j-nsp] Route Precedence

Jonathan Lassoff jof at thejof.com
Wed Jul 13 03:22:46 EDT 2011


On Tue, Jul 12, 2011 at 11:35 PM, Chris <lists at blackhat.bz> wrote:
> On 13/07/2011 2:27 PM, Chris wrote:
>> <snip>
>>
> To add to the already long email, here are some more examples of what's
> happening:
>
> From the 10.10.10.100 device, trying to ping the 'acc-bdr1' (J6350)
> device works:
>
> traceroute to 99.99.99.242 (99.99.99.242), 30 hops max, 40 byte packets
>  1  10.10.10.254 (10.10.10.254)  0.996 ms  0.699 ms  0.66 ms
>  2  99.99.99.242 (99.99.99.242)  1.928 ms  1.589 ms  1.978 ms
>
> Yet if I try it from a device that I CAN'T ping from acc-bdr1 (the source
> being 10.10.10.30):
>
> [root at acc-nx4cs ~]# traceroute -n 99.99.99.242
> traceroute to 99.99.99.242 (99.99.99.242), 30 hops max, 40 byte packets
>  1  10.10.10.254  4.021 ms  3.981 ms  3.958 ms
>  2  * * *
>  3  * * *
>  4  * * *

Wow. Weird situation. In the case of the traceroute above (from
10.10.10.30 to 99.99.99.242), it only gets back ICMP messages from
your EX but not the J series. What route does the EX show for
99.99.99.242?

In the case of the static route that you added to the J series, the
route may not have been installed by default as "indirect next-hops"
are disabled by default. Since the router has no directly-connected
interface to 10.10.10.0/24, it's not sure that's what you want to do
and will just take the route it already has (the one learned via
iBGP).
You can set "routing-options forwarding-table indirect-next-hop" to
enable this functionality.

I would just trace down the path to the host that isn't working and
look at the routing and switching tables of anything along the path
and debug the path from the source to the destination, and then back
again. A route may just be missing somewhere (though this wouldn't
explain why only some IP-paths break).

Out of curiosity, is there any discernible pattern to the unreachable
IPs (every other, every four, etc.)?
All the times that I've seen the some-IPs-are-reachable-but-not-others
problem, it's been due to a link aggregation or ECMP configuration
that has a failed link or IP path along the way that isn't being
communicated (and shutdown) by higher layers.

Cheers,
jof
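One way to test for the "every other, every four" pattern jof asks about, as an added example that is not code from the thread: it checks whether the unreachable hosts are exactly one residue class of the host address modulo a small bucket count, a crude stand-in for a LAG/ECMP hash. The probe results and the `bucket_pattern` helper are constructed for this illustration.

```python
"""Look for an ECMP/LAG-style bucket pattern in a set of ping results.

Added example, not part of the original mailing-list thread. The probe
results are constructed sample data; real platforms hash more fields than
the destination address, so a hit here is a hint to inspect the bundle or
ECMP path, not proof of a dead member link.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample: 10.10.10.1-16 plus the two hosts named in the thread.
# Hosts whose last octet is 2, 6, 10, 14 and 30 do not answer.
_DOWN = {2, 6, 10, 14, 30}
SAMPLE_RESULTS: Dict[str, bool] = {
    f"10.10.10.{h}": h not in _DOWN for h in list(range(1, 17)) + [30, 100]
}


def bucket_pattern(results: Dict[str, bool], max_buckets: int = 8,
                   min_per_class: int = 2) -> Optional[Tuple[int, int]]:
    """Return (modulus, residue) if every unreachable host, and only those
    hosts, has address % modulus == residue for some modulus in
    2..max_buckets. Return None if no such pattern exists, if nothing or
    everything is down, or if the matching class is smaller than
    min_per_class (too few samples to say anything).
    """
    addrs = {int(ipaddress.IPv4Address(a)): up for a, up in results.items()}
    down = {a for a, up in addrs.items() if not up}
    if not down or len(down) == len(addrs):
        return None  # nothing down, or everything down: not a bucket issue
    for modulus in range(2, max_buckets + 1):  # smallest pattern wins
        for residue in range(modulus):
            in_class = {a for a in addrs if a % modulus == residue}
            if in_class == down and len(in_class) >= min_per_class:
                return modulus, residue
    return None


if __name__ == "__main__":
    hit = bucket_pattern(SAMPLE_RESULTS)
    if hit:
        print(f"unreachable hosts are exactly address % {hit[0]} == {hit[1]}")
    else:
        print("no simple bucket pattern in the unreachable hosts")
```

For the sample above the unreachable set is exactly the hosts with address % 4 == 2, which is the kind of signature that points at one failed member of a four-way bundle or ECMP group.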
