Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

JUNOS BGP: How to drain a BGP peering router gracefully without bgp session reset

As many of us found out the hard way, certain export policy changes at neighbor level will hard reset the bgp session due to Junos internal architecture of update groups.

When a peering BGP router (or any bgp router for that matter) needs to be drained for maintenance, there aren't many obvious options:
1. disable bgp.
2. set import/export policies at neighbor level that reject everything.
3. disable interfaces towards bgp neighbors.

1st resets BGP sessions and maybe disturbs company agreements, 2nd could hard reset the session (same as 1st) and 3rd is the worst for obvious reasons.

Another hack is to use an empty routing policy with a default action "next policy" (no term, just default action) as the first import and export policy for that group. Something like below:


This policy is applied first before any other policies for that bgp group. Due to "next policy" default action, it will do nothing, just instruct bgp prefix evaluation to proceed to next policy, but the important thing to note is that it is evaluated first.


When the BGP router needs to be drained, a JUNOS apply group will modify the empty policy adding a term to it:


Once we apply the DRAIN group, Junos adds the term to the empty policy and, as explained in documentation, inside a routing policy terms take precedence over default action.

_________________
VPSie - SSD VPS servers in AMS-IX, LINX, DE-CIX
https://vpsie.com