[j-nsp] KB20870 workaround creates problems with Hub and Spoke downstream hubs?
Olivier Benghozi
olivier.benghozi at wifirst.fr
Thu Feb 15 04:33:17 EST 2018
Hi Sebastian,
This is an old workaround by the way.
Simpler workaround: use advertise-from-main-vpn-tables knob available since 12.3 (required if you have NSR anyway):
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/advertise-from-main-vpn-table-edit-protocols-bgp.html <https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/advertise-from-main-vpn-table-edit-protocols-bgp.html>
https://www.juniper.net/documentation/en_US/junos/topics/reference/requirements/nsr-system-requirements.html#nsr-bgp <https://www.juniper.net/documentation/en_US/junos/topics/reference/requirements/nsr-system-requirements.html#nsr-bgp>
And NSP-J archives https://lists.gt.net/nsp/juniper/56263#56263 <https://lists.gt.net/nsp/juniper/56263#56263>
So you might add this knob and remove the fantom session.
Now, if you see some VPN routes no longer advertised toward other PEs, it probably means that your VRF export policies must be modified (and of course the doc is silent about that).
What we observed is that you can no longer rely on the classic "routing policies accept BGP routes by default", translated here to "(e)BGP routes are exported by default to other i-MP-BGP neighbors", probably since they are now exported to another table bgp.l3vpn.0, not directly to other neighbors.
So one must instead explicitly "accept" BGP routes in the VRF export policies (in addition to setting RT ext-community).
Olivier
> On 15 feb 2018 at 08:30, Sebastian Wiesinger <sebastian at karotte.org> wrote :
>
> we configured the workaround mentioned in KB20870 to prevent unwanted
> VPN BGP session flaps when configuring eBGP/route-reflector clients. A
> problem we noticed is that when using a Hub&Spoke hub on the affected
> router and when a downstream hub is used as well, it seems that the
> downstream hub stops exporting any VRF routes to other PEs.
>
> Has anyone else noticed this and maybe even have a workaround? We'll
> probably try and replicate it in the lab, but it looks strange. This
> occured with JunOS 13.3 and 16.1.
>
> Background for KB20870:
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB20870
> https://www.juniper.net/documentation/en_US/junos/topics/example/bgp-vpn-session-flap-prevention.html
>
> Downstream Hub:
> https://www.juniper.net/documentation/en_US/junos/topics/example/vpn-hub-spoke-topologies-one-interface.html
More information about the juniper-nsp
mailing list