Juniper <-> Cisco IPv6 BGP peering

Does anyone have any suggestions on setting up BGP peering between Juniper (SRX) and Cisco?

I successfully have cisco-cisco and juniper-juniper without problems.

When I am trying to peer to one of my upstreams (who has cisco) with my Juniper SRX, they are seeing the link-local address as the next-hop, but are unable to get an ND entry for it, and thus cannot forward traffic to me.

-Randy

> When I am trying to peer to one of my upstreams (who has cisco) with
> my Juniper SRX, they are seeing the link-local address as the
> next-hop

use global v6 addresses

We are using global addresses, but on the Cisco side, it is seeing the Link-Local as the next-hop.

-Randy

Randy Carpenter wrote:

> Does anyone have any suggestions on setting up BGP peering between Juniper (SRX) and Cisco?
>
> I successfully have cisco-cisco and juniper-juniper without problems.
>
> When I am trying to peer to one of my upstreams (who has cisco) with my Juniper SRX, they are seeing the link-local address as the next-hop, but are unable to get an ND entry for it, and thus cannot forward traffic to me.

Any reasons against exchanging v6 prefixes over a v4 session?

BGP is working fine, it is when they are trying to forward the packets back to me. They are seeing the Link-Local as the next-hop, which, for some reason, they cannot get to.

-Randy

Randy Carpenter wrote:

> BGP is working fine, it is when they are trying to forward the packets back to me. They are seeing the Link-Local as the next-hop, which, for some reason, they cannot get to.
>
> -Randy

Sorry Randy, I'd skimmed through your initial mail too quickly and missed the point.

Your subject is misleading. It appears to be an NDP problem. Check configs and firewall rules on both sides to make sure NDP isn't being interrupted.

I've not seen any NDP compatibility problems between IOS 12.2SR, 12.3T, and Junos 9.3, 9.6, 10.4. However, there are several vendor commands as well as firewall rulesets which could affect NDP itself.

Jack

Try setting local-address in the bgp neighbor config on the Juniper side?

--Peter

In a message written on Wed, Dec 07, 2011 at 04:54:13PM -0500, Randy Carpenter wrote:

> Does anyone have any suggestions on setting up BGP peering between Juniper (SRX) and Cisco?

In a message written on Wed, Dec 07, 2011 at 04:42:33PM -0600, Jack Bates wrote:

> Your subject is misleading. It appears to be an NDP problem. Check
> configs and firewall rules on both sides to make sure NDP isn't being
> interrupted.

+1, although the original post may have a clue.

For those used to M and T series boxes configuring an SRX on the
command line you may be surprised to find a security {} top level
section with all new never seen before security policies that may,
for instance, block NDP.

- Multiple single points of failure.
- Complexity of the configuration.
- More difficult to troubleshoot.
- Unnecessary cross-protocol dependencies.

Just to name the ones that come to mind instantly.

Any reason for it?

Owen

Tried that. I agree with others that it is an NDP issue. NDP for the GUA is fine, but just not for the link local. Is there something that would block only link local by default?

I should add that I have another uplink to a different provider that works perfectly. The other end is Juniper for that one.

-Randy

> Tried that. I agree with others that it is an NDP issue. NDP for the GUA is fine, but just not for the link local. Is there something that would block only link local by default?

Do you have any possibly-overly-strict firewall filters applied to the interface on the Juniper box?

> I should add that I have another uplink to a different provider that works perfectly. The other end is Juniper for that one.

I have IPv6 BGP sessions, using v6 addresses, up and traffic moving, using Juniper M-series on my end, and various gear on the remote end, including some Cisco devices. Haven't run into any funky NDP-ish issues in the 3 years it's been running.

have you opened a case with JTAC?

jms

Might check the cisco provider to see if they have something weird on your interface filtering/config.

port mirroring ndp traffic or running ndp tracing flags might provide you with more clues.

You also mentioned success with cisco to cisco, but you were unclear if that was with the same cisco provider you are having problems with.

Another possibility for a workaround or additional testing is them placing a manual neighbor entry into the cisco. I've never tried it with a link-local, though.

Jack

> Tried that. I agree with others that it is an NDP issue. NDP for the GUA is fine, but just not for the link local. Is there something that would block only link local by default?

We faced a problem with Cisco routers where it will have partial reachability over IPv6, in the same LAN. Looking further, we found that it was having a problem with Neighbor Solicitations.

The solution then was to remove the IPv6 configs from the interface and put them back. This problem was quite unpredictable and we were unable to reproduce it.

> I should add that I have another uplink to a different provider that works perfectly. The other end is Juniper for that one.
>
> -Randy
>
> Try setting local-address in the bgp neighbor config on the Juniper side?
>
> --Peter
>
> Does anyone have any suggestions on setting up BGP peering between Juniper (SRX) and Cisco?
>
> I successfully have cisco-cisco and juniper-juniper without problems.
>
> When I am trying to peer to one of my upstreams (who has cisco) with my Juniper SRX, they are seeing the link-local address as the next-hop, but are unable to get an ND entry for it, and thus cannot forward traffic to me.
>
> -Randy

--
> Randy Carpenter
> Vice President - IT Services
> Red Hat Certified Engineer
> First Network Group, Inc.
> (800)578-6381, Opt. 1
----

Regards,

Vicky Shrestha

> Tried that. I agree with others that it is an NDP issue. NDP for the GUA is fine, but just not for the link local. Is there something that would block only link local by default?
>
> I should add that I have another uplink to a different provider that works perfectly. The other end is Juniper for that one.

Just to begin with:
0) Does your Juniper device have the neighbor cache entry for Cisco
link-local address? What is the state of the entry?

Can you get packet capture on both sides?

1) is Cisco sending NS packets?
2) is your Juniper receiving them?
3) is Juniper device sending anything back?
4) are those NA reaching Cisco?

Any switch on the path?

[lazy mode on] I'd also suggest:
- debug ipv6 nd on cisco
- checking for bugs for IOS and JunOS versions you are using

on second thought - why are they using link-local as the next-hop in
the first place if the eBGP session is established over GUA?

This topic was heavily discussed on 'ipv6-ops' back in
February. You may take a look here for all the details on
this:

http://lists.cluenet.de/pipermail/ipv6-ops/2011-February/004887.html

Cheers,

Mark.

> Tried that. I agree with others that it is an NDP issue. NDP for
> the GUA is fine, but just not for the link local. Is there
> something that would block only link local by default?
>
> I should add that I have another uplink to a different provider
> that works perfectly. The other end is Juniper for that one.

> Just to begin with:
> 0) Does your Juniper device have the neighbor cache entry for Cisco
> link-local address? What is the state of the entry?

Sometimes it does, sometimes I can't seem to get it.

> Can you get packet capture on both sides?

We have done this.

> 1) is Cisco sending NS packets?

Yes.

> 2) is your Juniper receiving them?

It does not appear to. Tracing v6 stuff on juniper seems to be hit or miss.

> 3) is Juniper device sending anything back?

No. (because of #2)

> 4) are those NA reaching Cisco?

No. (because of #2)

> Any switch on the path?

It is an L2 circuit that rides a couple of different pieces of gear before it lands at the other side.

> 1) is Cisco sending NS packets?

Yes.

> 2) is your Juniper receiving them?

It does not appear to. Tracing v6 stuff on juniper seems to be hit or miss.

[...]

> Any switch on the path?

It is an L2 circuit that rides a couple of different pieces of gear before it lands at the other side.

Sounds like this equipment is having problems with IPv6 multicast...

Best regards,
Daniel

Yep, that's why I was asking - but it doesn't explain how/why ND for
GUA works in this case.
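Mark's four capture questions and Daniel's multicast suspicion can be checked mechanically once you have the pcaps from both sides. The script below is an added example, not code from anyone in this thread: it parses Ethernet/IPv6/ICMPv6 Neighbor Solicitation and Advertisement frames, counts NS from the Cisco and NA from the Juniper, and flags the things an L2 path or filter most often breaks silently according to RFC 4861 and RFC 2464 (hop limit not 255, wrong solicited-node group, wrong 33:33 multicast MAC). The link-local addresses, MACs and frames are constructed sample data; on real captures you would feed it the raw frames from a pcap reader.

```python
"""Offline sanity checker for IPv6 Neighbor Discovery captures (added example, not from the thread)."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_NEIGHBOR_SOLICIT = 135
ND_NEIGHBOR_ADVERT = 136


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """RFC 4291 2.7.1: ff02::1:ffXX:XXXX, low 24 bits copied from the target address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def multicast_mac(group: str) -> str:
    """RFC 2464 7: Ethernet destination 33:33 followed by the low 32 bits of the group."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_nd(src_mac, dst_mac, src, dst, nd_type, target, hop_limit=255) -> bytes:
    """Build a minimal NS/NA frame (no options, checksum left zero): constructed sample data."""
    icmp = struct.pack("!BBHI", nd_type, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


def parse_nd(frame: bytes):
    """Return a dict for an NS/NA frame, None for anything else (extension headers not handled)."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[6] != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:]
    if len(icmp) < 24 or icmp[0] not in (ND_NEIGHBOR_SOLICIT, ND_NEIGHBOR_ADVERT):
        return None
    return {
        "type": "NS" if icmp[0] == ND_NEIGHBOR_SOLICIT else "NA",
        "dst_mac": ":".join(f"{b:02x}" for b in frame[0:6]),
        "hop_limit": ip6[7],
        "src": ipaddress.IPv6Address(ip6[8:24]),
        "dst": ipaddress.IPv6Address(ip6[24:40]),
        "target": ipaddress.IPv6Address(icmp[8:24]),
    }


def check_frame(nd: dict) -> list:
    """RFC 4861 receiver-side validation points: a receiver silently drops frames that fail them."""
    problems = []
    if nd["hop_limit"] != 255:
        problems.append(f"hop limit {nd['hop_limit']} != 255: receiver must discard (something routed it)")
    if nd["type"] == "NS" and nd["dst"].is_multicast:
        want = solicited_node_multicast(str(nd["target"]))
        if nd["dst"] != want:
            problems.append(f"NS sent to {nd['dst']}, expected solicited-node group {want}")
        elif nd["dst_mac"] != multicast_mac(str(want)):
            problems.append(f"NS for {want} carried in MAC {nd['dst_mac']}, expected {multicast_mac(str(want))}")
    if nd["type"] == "NA" and nd["target"].is_multicast:
        problems.append("NA target is a multicast address")
    return problems


def audit(frames: list, querier: str, responder: str) -> dict:
    """Answer the thread's questions for one capture point: NS sent? NS for us? NA sent back?
    Run it on both sides' captures and compare the counts to see where frames disappear."""
    q, r = ipaddress.IPv6Address(querier), ipaddress.IPv6Address(responder)
    result = {"ns_from_querier": 0, "ns_for_responder": 0, "na_from_responder": 0, "problems": []}
    for i, frame in enumerate(frames):
        nd = parse_nd(frame)
        if nd is None:
            continue
        result["problems"].extend(f"frame {i}: {p}" for p in check_frame(nd))
        if nd["type"] == "NS" and nd["src"] == q:
            result["ns_from_querier"] += 1
            if nd["target"] == r:
                result["ns_for_responder"] += 1
        if nd["type"] == "NA" and nd["src"] == r and nd["target"] == r:
            result["na_from_responder"] += 1
    return result


# Constructed sample: link-local addresses and documentation-range MACs (RFC 7042) invented for this example.
CISCO_LL, CISCO_MAC = "fe80::1", "00:00:5e:00:53:01"
JUNIPER_LL, JUNIPER_MAC = "fe80::2", "00:00:5e:00:53:02"
SNM = str(solicited_node_multicast(JUNIPER_LL))

SAMPLE_CAPTURE = [
    # Cisco solicits the Juniper link-local: correct group, correct MAC, hop limit 255
    build_nd(CISCO_MAC, multicast_mac(SNM), CISCO_LL, SNM, ND_NEIGHBOR_SOLICIT, JUNIPER_LL),
    # the same NS after a transit box decremented the hop limit: the Juniper must drop it
    build_nd(CISCO_MAC, multicast_mac(SNM), CISCO_LL, SNM, ND_NEIGHBOR_SOLICIT, JUNIPER_LL, hop_limit=254),
    # Juniper answers with a unicast NA for its own link-local
    build_nd(JUNIPER_MAC, CISCO_MAC, JUNIPER_LL, CISCO_LL, ND_NEIGHBOR_ADVERT, JUNIPER_LL),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CAPTURE, CISCO_LL, JUNIPER_LL).items():
        print(key, value)
```

Comparing the Cisco-side and Juniper-side counts is the point: NS present on the Cisco side and absent on the Juniper side with no problems flagged points at the transit gear not forwarding the ff02::1:ff00:xxxx group; NS present on both sides but flagged for hop limit means a device on the circuit is routing rather than switching the frames, and the Juniper is discarding them as RFC 4861 requires.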