ROS 7.15.3 and BGP redistribution

Hi all,

I have a pretty fancy example that bothers me quite a bit. So, I’m asking you if someone already has similar behavior.
Let’s suppose that I have an edge router that connects to several upstreams and several exchanges. I may have some customers who need the full routing table and another edge router that needs to know the routes from the first edge.

The example will be IPv4 because it is more interesting; some details are removed.
I’m receiving 957959 prefixes from one of my upstreams.

[@edge-02]/routing/bgp/session> print detail where name="RETN-IPv4-1"
Flags: E - established
0 E name="RETN-IPv4-1"
.capabilities=mp,rr,gr,as4,llgr .afi=ip .hold-time=1m30s .messages=40673417 .bytes=3219963311 .gr-time=120 .eor=ip
local.role=ebgp-peer .capabilities=mp,rr,gr,as4 .afi=ip .messages=230193 .bytes=4373802 .eor=""
output.affinity=alone .procid=35 .filter-chain=retn-bgp-out-4 .network=retn-bgp4-out .remove-private-as=yes
input.procid=34 .filter=retn-bgp-in-4 ebgp
hold-time=1m30s keepalive-time=30s uptime=11w2d22h15m12s790ms last-started=2024-09-01 23:30:41 prefix-count=957959

Active routes in the main routing table with the intra-AS routes as well:
[@edge-02]/routing/route> print count-only where active && afi =ip4
979108

Advertised routes to our customer with an eBGP session, filtering RFC5735, no-export, RPKI filtering and adding our originated prefixes:
[@edge-02] /routing/bgp/advertisements> print count-only where peer =CUSTOMER1-v4-1
969549
12k prefixes more (than the one advertised from our upstream) seems reasonable: 3 exchanges are added and two other upstreams, some customers with their prefixes

But now, let’s sync our edge-03 with an iBGP session with the same filter chain of the previous session, RFC5735, no-export, RPKI,… (this is a test session, the other end discards the prefixes)
[@edge-02] /routing/bgp/advertisements> print count-only where peer =edge-03-v4-1
763981
no such item (4)

At this point, something is missing! Magic!

[edge-03] /routing/bgp/session> print detail where name="edge-02-v4-1"
Flags: E - established
9 E name="edge-02-v4-1"
.capabilities=mp,rr,gr,as4 .afi=ip .messages=327118
.bytes=31324144 .eor=""
local.role=ibgp .capabilities=mp,rr,gr,as4 .afi=ip .messages=155
.bytes=2945 .eor=""
output.affinity=alone .procid=33 .filter-chain=catch4-in
input.procid=32 .filter=catch4-in ibgp
nexthop-choice=force-self multihop=yes hold-time=3m keepalive-time=1m uptime=2h34m27s420ms last-started=2024-11-20 19:33:12
prefix-count=763987

Edge-03 is just confirming that it is receiving the same number of routes (there are a lot of updates in between, at least six prefixes).

OK. I just did something very wrong! But the two sessions share the same filters…

I’ll pick a /8 to dig into the details:

[edge-02] /routing/route> print count-only where active && dst-address in 200.0.0.0/8
12400

[edge-02] /routing/bgp/advertisements> print count-only where peer =CUSTOMER1-v4-1 && dst in 200.0.0.0/8
12357

[edge-02] /routing/bgp/advertisements> print count-only where peer =edge-03-v4-1 && dst in 200.0.0.0/8
11119

And a /21 to be even more detailed:

[edge-02] /routing/route> print count-only where active && dst-address in 200.1.120.0/21
6

[edge-02] /routing/bgp/advertisements> print count-only where peer =CUSTOMER1-v4-1 && dst in 200.1.120.0/21
6

[edge-02] /routing/bgp/advertisements> print count-only where peer =edge-03-v4-1 && dst in 200.1.120.0/21
5

Yes, the error is getting smaller :)

So, where could my fault possibly be? (… and don’t say not updating to the next stable)

This is the filter chain, as simple as that, for both sessions, but the same behavior can be achieved with just an accept filter rule:
182 chain=catchv4-out rule="jump rfc5735" (reject chain)
183 chain=catchv4-out rule="if ( bgp-communities includes no-export ) { reject;}" (reject)
184 chain=catchv4-out rule="jump originated-IPv4-out" (accept, just to be sure)
185 chain=catchv4-out rule="jump bgp_rpki" (invalid reject chain)
186 chain=catchv4-out rule="accept;" (accept all others)

Hints and other experiences are much appreciated!

hello,

[edge-02] /routing/bgp/advertisements> print count-only where peer =CUSTOMER1-v4-1 && dst in 200.0.0.0/8
12357

[edge-02] /routing/bgp/advertisements> print count-only where peer =edge-03-v4-1 && dst in 200.0.0.0/8
11119

does that customer1 act as ebgp peer? a leaf one or transit as well?

From a session view, that customer acts as a leaf in this case. Otherwise, we have two eBGP sessions: PROVIDER - CUSTOMER / CUSTOMER - PROVIDER.
However, independent of that, the behavior precedes the customer’s sessions.