As many of us found out the hard way, certain export policy changes at neighbor level will hard reset the BGP session due to Junos' internal architecture of update groups.
When a peering BGP router (or any bgp router for that matter) needs to be drained for maintenance, there aren't many obvious options:
1. disable bgp.
2. set import/export policies at neighbor level that reject everything.
3. disable interfaces towards bgp neighbors.
The 1st resets BGP sessions and maybe disturbs company agreements, the 2nd could hard reset the session (same as the 1st) and the 3rd is the worst for obvious reasons.
Another hack is to use an empty routing policy with a default action "next policy" (no term, just default action) as the first import and export policy for that group. Something like below:
Code:
user@JUNOS-ROUTER# show policy-options policy-statement EMPTY-POLICY | display inheritance
then next policy;
This policy is applied first before any other policies for that bgp group. Due to "next policy" default action, it will do nothing, just instruct bgp prefix evaluation to proceed to next policy, but the important thing to note is that it is evaluated first.
Code:
[edit]
user@JUNOS-ROUTER# show protocols bgp
group test-bgp-group {
    type internal;
    import [ EMPTY-POLICY import-1 import-2 ];
    export [ EMPTY-POLICY import-1 import-2 ];
    peer-as 65530;
    neighbor 10.0.0.1;
}
When the BGP router needs to be drained, a JUNOS apply group will modify the empty policy by adding a term to it:
Code:
[edit]
user@JUNOS-ROUTER# show groups
DRAIN {
    policy-options {
        policy-statement EMPTY-POLICY {
            term reject-term {
                then reject;
            }
        }
    }
}
Once we apply the DRAIN group, Junos adds the term to the empty policy and, as explained in the documentation, inside a routing policy terms take precedence over the default action.
Code:
[edit]
user@JUNOS-ROUTER# show policy-options policy-statement EMPTY-POLICY
then next policy;
[edit]
user@JUNOS-ROUTER# show policy-options policy-statement EMPTY-POLICY | display inheritance
##
## 'reject-term' was inherited from group 'DRAIN'
##
term reject-term {
    ##
    ## 'then' was inherited from group 'DRAIN'
    ## 'reject' was inherited from group 'DRAIN'
    ##
    then reject;
}
then next policy;
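As an added illustration (not code from the original post), here is a small Python model of the two policy-evaluation rules the trick depends on: terms are evaluated before a policy's default action, and a default of "next policy" hands the route to the next policy in the import/export list. The import-1 and import-2 contents are constructed stand-ins, since the post does not show them; the last function also shows why EMPTY-POLICY must be first in the list.

```python
import ipaddress

def make_policy(terms, default):
    """A policy-statement: ordered (match_prefix, action) terms plus its default action."""
    return {"terms": terms, "default": default}

def evaluate_policy(policy, prefix):
    """One policy-statement: terms first, default action only if no term fires.
    Returns 'accept' or 'reject' (terminal) or 'next' (then next policy)."""
    net = ipaddress.ip_network(prefix, strict=False)
    for match, action in policy["terms"]:
        # A term with no 'from' clause (match None) matches every route
        if match is None or net.subnet_of(ipaddress.ip_network(match)):
            if action == "next term":
                continue
            return action
    return policy["default"]

def evaluate_chain(chain, prefix, protocol_default="accept"):
    """Walk the chain in the order of the import/export list; the first
    terminal action wins. protocol_default models BGP's accept-all default
    for routes that fall off the end of the chain (assumed here)."""
    for policy in chain:
        action = evaluate_policy(policy, prefix)
        if action in ("accept", "reject"):
            return action
    return protocol_default

# EMPTY-POLICY as shown in the post: no terms, 'then next policy'
EMPTY_POLICY = make_policy([], "next")
# EMPTY-POLICY after the DRAIN group injects 'term reject-term { then reject; }'
EMPTY_POLICY_DRAINED = make_policy([(None, "reject")], "next")
# Constructed stand-ins for the post's import-1 and import-2 (assumed contents)
IMPORT_1 = make_policy([("10.0.0.0/8", "accept")], "next")
IMPORT_2 = make_policy([("192.0.2.0/24", "accept")], "reject")

def normal_chain(prefix):
    """import [ EMPTY-POLICY import-1 import-2 ] before the drain."""
    return evaluate_chain([EMPTY_POLICY, IMPORT_1, IMPORT_2], prefix)

def drained_chain(prefix):
    """Same list after apply-groups DRAIN: reject-term fires before anything else."""
    return evaluate_chain([EMPTY_POLICY_DRAINED, IMPORT_1, IMPORT_2], prefix)

def drained_last_chain(prefix):
    """Drained policy listed last: import-1/import-2 already decided, nothing drains."""
    return evaluate_chain([IMPORT_1, IMPORT_2, EMPTY_POLICY_DRAINED], prefix)
```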