[j-nsp] BGP Peering Policies - Best Practices
Niall Donaghy
niall.donaghy at geant.org
Wed May 22 09:39:40 EDT 2019
Hi Adam,
Yes I can show:
- When we had the internet table in inet.0, with uRPF loose, we did not have any problem.
- When we moved internet into its own VRF, we had to disable uRPF loose to cure the issue of some packet loss (as I described).
So you see, coming at it from the other direction - the problem was created by moving out of inet.0 vs. solved by moving into inet.0. :-)
Convoluted setup, spaghetti ... yes yes - I'm not advocating, recommending, defending.
Take my input for what it is - a real-world example which was asked for.
The takeaway is not that I was able to give examples, but that these examples ought to serve as a caution to those trying to mix multiple VRFs - internet in one of those.
uRPF behaviour may cause problems for you.
urpf-fail-filters may or may not provide a workaround for you.
Br,
Niall
-----Original Message-----
From: adamv0025 at netconsultings.com [mailto:adamv0025 at netconsultings.com]
Sent: 22 May 2019 14:22
To: Niall Donaghy <niall.donaghy at geant.org>; 'Louis Kowolowski' <louisk at cryptomonkeys.org>; 'Mark Tinka' <mark.tinka at seacom.mu>
Cc: juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] BGP Peering Policies - Best Practices
> From: Niall Donaghy <niall.donaghy at geant.org>
> Sent: Wednesday, May 22, 2019 12:31 PM
>
> OP>> Are there non-technical reasons for leaving the Internet on the default RIB?
> Adam> Are there technical reasons please?
>
> How about:
>
> uRPF causing discarded packets in a multi-VRF environment, eg:
> - Internet VRF, Private VRF #1, Private VRF #2.
> - Customers connect to all and advertise same prefixes to all.
> - Peers connect to perhaps Internet and a Private VRF and advertise same prefixes to all.
> - Private VRFs reach Internet VRF via default routes over logical tunnels (BGP).
> - uRPF loose causes discards for some asymmetric traffic flows crossing multiple VRFs.
>
I have sympathy for your convoluted setup, however the above argument is a strawman logical fallacy unless you can show how moving to Internet in a default table would have helped to solve the uRPF problem.
adam