[j-nsp] Optimizing the FIB on MX
Alexander Arseniev
arseniev at btinternet.com
Fri Feb 19 04:26:09 EST 2016
Hello,
"condition" is not supported in forwarding-table export policy, only in
BGP/IGP export policy.
You have to insert a "BGP-exporter" intermediate node between
peer|upstream and your MX, this could be a logical system on MX itself.
Thx
Alex
On 18/02/2016 10:14, Vincent Bernat wrote:
> ❦ 17 February 2016 21:07 GMT, Alexander Arseniev <arseniev at btinternet.com> :
>
>> True, one cannot match on "next-hop" in "condition", only on exact
>> prefix+table name.
>> But this can be done using "route isolation" approach.
>> So, the overall approach is:
>> 1/ create a separate table and leak a 0/0 route there matching on 0/0
>> exact + next-hop ("isolate the interested route"). Use
>> "instance-import" + policy.
>> 2/ create condition
>>
>> policy-options {
>>     condition default-to-upstream {
>>         if-route-exists {
>>             0.0.0.0/0;
>>             table isolate-0/0.inet.0;
>>         }
>>     }
>> }
>>
>> 3/ use condition to match & reject the specifics:
>>
>> policy-options {
>>     policy-statement reject-same-nh-as-0/0 {
>>         term 1 {
>>             from {
>>                 protocol bgp;
>>                 route-filter 0/0 longer;
>>                 condition default-to-upstream;
>>                 next-hop 198.18.1.1;
>>             }
>>             then reject;
>>         }
>>         term 2 {
>>             from {
>>                 protocol bgp;
>>                 route-filter 0/0 longer;
>>                 next-hop 198.18.1.1;
>>             }
>>             then accept;
>>         }
>>     }
>> }
> Just out of curiosity, I tried your approach and it almost works. However,
> for some reason, the condition can match when there is no route in the
> associated table. I didn't do exactly as you proposed, so maybe I am
> doing something wrong. I am not really interested in getting to the
> bottom of this matter. I just post my current configuration in case
> somebody is interested:
>
> https://github.com/vincentbernat/network-lab/blob/d984d6c5f847b96a131b240d91346b46bfaecac9/lab-vmx-fullview/vMX1.conf#L106-L115
>
> If I enable term 4, it catches all routes whose next-hop is
> 192.0.2.129 despite the condition being false. In the RIB, I have many
> routes whose next-hop is 192.0.2.129:
>
> root@vMX1# run show route next-hop 192.0.2.129
>
> inet.0: 1110 destinations, 1869 routes (1110 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 0.0.0.0/0 [BGP/140] 00:38:12, MED 10, localpref 100
> AS path: 65002 ?, validation-state: unverified
> > to 192.0.2.129 via ge-0/0/1.0
> [OSPF/150] 00:37:31, metric 10, tag 0
> > to 192.0.2.129 via ge-0/0/1.0
> 1.0.240.0/20 *[BGP/140] 00:38:12, MED 10, localpref 100
> AS path: 65002 3257 3356 4651 9737 23969 I, validation-state: unverified
> > to 192.0.2.129 via ge-0/0/1.0
> 1.1.1.0/24 *[BGP/140] 00:38:12, MED 10, localpref 100
> AS path: 65002 8758 15576 6772 13030 226 I, validation-state: unverified
> > to 192.0.2.129 via ge-0/0/1.0
> [...]
>
> But none of them make it to the FIB:
>
> root@vMX1# run show route forwarding-table matching 1.1.1.0/24
> Routing table: default.inet
> Internet:
>
> Routing table: __master.anon__.inet
> Internet:
>
> The peer.inet.0 table is empty:
>
> root@vMX1# run show route summary
> Autonomous system number: 64512
> Router ID: 192.0.2.128
>
> inet.0: 1110 destinations, 1869 routes (1110 active, 0 holddown, 0 hidden)
> Direct: 3 routes, 3 active
> Local: 3 routes, 3 active
> OSPF: 2 routes, 1 active
> BGP: 1861 routes, 1103 active
>
> upstream.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
> BGP: 1 routes, 1 active
>
> Adding a static route to peer.inet.0 doesn't help (I added a discard
> route). Switching the default to the peer doesn't change anything (term
> 3 also matches anything). Tested on vMX 14.1R1. Maybe a bug in
> if-route-exists?
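
Added example, not part of the original thread or either poster's configuration: a small Python model of the quoted policy terms (drop more-specifics that share the default route's next hop while that default exists), next to a variant that drops a route only when its nearest covering route left in the FIB has the same next hop. The RIB contents, the peer next hop 192.0.2.131 and the function names are constructed for illustration.

```python
import ipaddress

UPSTREAM, PEER = "192.0.2.129", "192.0.2.131"   # PEER is a constructed address
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed RIB of active routes: prefix -> next hop.
RIB = {ipaddress.ip_network(p): nh for p, nh in [
    ("0.0.0.0/0", UPSTREAM),
    ("1.1.1.0/24", UPSTREAM),
    ("203.0.113.0/24", PEER),
    ("198.51.100.0/24", PEER),
    ("198.51.100.128/25", UPSTREAM),   # more-specific carved out of a peer route
]}

def lookup(table, addr):
    """Longest-prefix match; returns the next hop or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in table if ip in n]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

def thread_policy(rib, upstream_nh):
    """Model of the quoted terms: while 0/0 via upstream_nh exists (the
    condition), reject longer prefixes with that next hop; accept the rest."""
    if rib.get(DEFAULT) != upstream_nh:
        return dict(rib)               # condition false: install everything
    return {n: nh for n, nh in rib.items()
            if n == DEFAULT or nh != upstream_nh}

def safe_policy(rib):
    """Drop a prefix only when the nearest covering prefix kept in the FIB
    has the same next hop, so longest-prefix match results never change."""
    fib = {}
    for net in sorted(rib, key=lambda n: n.prefixlen):   # shortest first
        covers = [c for c in fib if net.subnet_of(c)]
        parent = max(covers, key=lambda c: c.prefixlen, default=None)
        if parent is None or fib[parent] != rib[net]:
            fib[net] = rib[net]
    return fib

if __name__ == "__main__":
    for name, fib in [("thread", thread_policy(RIB, UPSTREAM)),
                      ("safe", safe_policy(RIB))]:
        print(name, len(fib), "routes; 198.51.100.200 ->",
              lookup(fib, "198.51.100.200"))
```

With this constructed RIB, the thread-style filter forwards 198.51.100.200 to the peer because the /25 is removed from under a /24 that has a different next hop; the covering-route check keeps that /25 and still drops 1.1.1.0/24.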