[j-nsp] Junos L3VPN & AS-PATH LOOP

Guillermo Fernando Cotone guillermo.cotone at gmail.com
Fri Feb 21 14:42:00 EST 2020


Hey Rati,

I'd suggest checking out the independent-domain feature
<https://www.juniper.net/documentation/en_US/junos/topics/topic-map/l3-vpns-as-configuration.html#id-configuring-layer-3-vpns-to-carry-ibgp-traffic>,
with or without the "no-attrset" knob. We've used it in the past for
similar use-cases.

Best,
Guillermo

On Fri, Feb 21, 2020 at 4:06 PM Saku Ytti <saku at ytti.fi> wrote:

> Hey Rati,
>
>
> > As soon as I apply as-override feature on FW to hide originating AS and
> > rewrite it to 20, then everything works as expected.
> > Is there a special knob in Junos to Advertise "looped" routes over the
> > iBGP L3VPN? I've reproduced the same setup in Cisco XR/XE and works fine
> > without as-override to hide/rewrite originating-as.
>
> IOS does not check AS_PATH in iBGP sessions, JunOS does. Neither is
> wrong or right, standard is unopinionated here. I like IOS behaviour
> better.
>
> I hope the implication is clear here, to allow loops, in IOS it's
> enough to allow it once on incoming eBGP session, on JunOS you need to
> allow also on all the iBGP sessions. Basically no one runs multivendor
> network with normalised BGP settings, there are all kinds of small
> different behaviours and standard people use is 'whatever vendor
> does'. If you want JunOS to behave same as IOS, just allow arbitrary
> loops in all iBGP sessions.
>
> I would discourage setup where you need to do this. But I admit
> network-based-FW is the one place where this really does make things
> a whole lot easier. I consider network-based-firewall mandatory feature
> AS_PATH manipulation. So rewrite the AS_PATH, entirely, on the FW, to
> remove the loops. Many FW support this.
>
> --
>   ++ytti
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
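The difference described in the quoted reply (loop check on eBGP only versus on eBGP and iBGP), as an added sketch that is not part of the original thread and not vendor code. The AS numbers, session names, route-reflector hop and the `allowed` counter are constructed assumptions; `allowed` is a simplified model, not the semantics of any vendor knob.

```python
from dataclasses import dataclass

@dataclass
class Session:
    name: str
    kind: str          # "ebgp" or "ibgp"
    local_as: int      # AS of the router receiving the route
    allowed: int = 0   # occurrences of local_as tolerated (simplified model)

def accepts(as_path, s, check_ibgp):
    """Receiver-side AS_PATH loop check for one session."""
    if s.kind == "ibgp" and not check_ibgp:
        return True    # behaviour the reply attributes to IOS
    return as_path.count(s.local_as) <= s.allowed

def first_drop(as_path, sessions, check_ibgp):
    """Name of the first session that rejects the route, or None if it propagates."""
    for s in sessions:
        if not accepts(as_path, s, check_ibgp):
            return s.name
    return None

def fw_rewrite(as_path, fw_as):
    """Firewall replaces the whole AS_PATH with its own AS, removing the loop."""
    return [fw_as]

# Constructed topology: provider AS 65000, firewall AS 64512, and a route that
# already crossed AS 65000 once before coming back through the firewall.
PROVIDER, FW = 65000, 64512
LOOPED = [FW, PROVIDER, 64999]

def path(ibgp_allowed):
    """eBGP ingress tolerates one loop; iBGP hops tolerate `ibgp_allowed`."""
    return [Session("fw->pe1 (eBGP)", "ebgp", PROVIDER, allowed=1),
            Session("pe1->rr (iBGP)", "ibgp", PROVIDER, allowed=ibgp_allowed),
            Session("rr->pe2 (iBGP)", "ibgp", PROVIDER, allowed=ibgp_allowed)]

if __name__ == "__main__":
    print("no iBGP check:        ", first_drop(LOOPED, path(0), check_ibgp=False))
    print("iBGP check, eBGP only:", first_drop(LOOPED, path(0), check_ibgp=True))
    print("iBGP check, all hops: ", first_drop(LOOPED, path(1), check_ibgp=True))
    print("FW rewrites AS_PATH:  ",
          first_drop(fw_rewrite(LOOPED, FW), path(0), check_ibgp=True))
```
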

