Does anyone have any suggestions on setting up BGP peering between Juniper (SRX) and Cisco? I successfully have cisco-cisco and juniper-juniper without problems. When I am trying to peer to one of my upstreams (who has cisco) with my Juniper SRX, they are seeing the link-local address as the next-hop, but are unable to get an ND entry for it, and thus cannot forward traffic to me.

-Randy

--
| Randy Carpenter              | Vice President - IT Services
| Red Hat Certified Engineer   | First Network Group, Inc.
| (800)578-6381, Opt. 1
We are using global addresses, but on the Cisco side, it is seeing the Link-Local as the next-hop.

-Randy

----- Original Message -----
When I am trying to peer to one of my upstreams (who has cisco) with my Juniper SRX, They are seeing the link-local address as the next-hop
use global v6 addresses
Randy Carpenter wrote:
Does anyone have any suggestions on setting up BGP peering between Juniper (SRX) and Cisco?
I successfully have cisco-cisco and juniper-juniper without problems.
When I am trying to peer to one of my upstreams (who has cisco) with my Juniper SRX, They are seeing the link-local address as the next-hop, but are unable to get an ND entry for it, and thus cannot forward traffic to me.
Any reasons against exchanging v6 prefixes over a v4 session?
BGP is working fine, it is when they are trying to forward the packets back to me. They are seeing the Link-Local as the next-hop, which, for some reason, they cannot get to.

-Randy

----- Original Message -----
Randy Carpenter wrote:
Does anyone have any suggestions on setting up BGP peering between Juniper (SRX) and Cisco?
I successfully have cisco-cisco and juniper-juniper without problems.
When I am trying to peer to one of my upstreams (who has cisco) with my Juniper SRX, They are seeing the link-local address as the next-hop, but are unable to get an ND entry for it, and thus cannot forward traffic to me.
Any reasons against exchanging v6 prefixes over a v4 session?
Randy Carpenter wrote:
BGP is working fine, it is when they are trying to forward the packets back to me. They are seeing the Link-Local as the next-hop, which, for some reason, they cannot get to.
-Randy
Sorry Randy, I'd skimmed through your initial mail too quickly and missed the point.
On 12/7/2011 4:30 PM, Randy Carpenter wrote:
BGP is working fine, it is when they are trying to forward the packets back to me. They are seeing the Link-Local as the next-hop, which, for some reason, they cannot get to.
Your subject is misleading. It appears to be an NDP problem. Check configs and firewall rules on both sides to make sure NDP isn't being interrupted. I've not seen any NDP compatibility problems between IOS 12.2SR, 12.3T, and Junos 9.3, 9.6, 10.4. However, there are several vendor commands as well as firewall rulesets, which could NDP itself.

Jack
In a message written on Wed, Dec 07, 2011 at 04:54:13PM -0500, Randy Carpenter wrote:
Does anyone have any suggestions on setting up BGP peering between Juniper (SRX) and Cisco?
In a message written on Wed, Dec 07, 2011 at 04:42:33PM -0600, Jack Bates wrote:
Your subject is misleading. It appears to be an NDP problem. Check configs and firewall rules on both sides to make sure NDP isn't being interrupted.
+1, although the original post may have a clue. For those used to M and T series boxes, configuring an SRX on the command line you may be surprised to find a security {} top level section with all new, never seen before security policies that may, for instance, block NDP.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
On Dec 7, 2011, at 2:27 PM, Vlad Galu wrote:
Randy Carpenter wrote:
Does anyone have any suggestions on setting up BGP peering between Juniper (SRX) and Cisco?
I successfully have cisco-cisco and juniper-juniper without problems.
When I am trying to peer to one of my upstreams (who has cisco) with my Juniper SRX, They are seeing the link-local address as the next-hop, but are unable to get an ND entry for it, and thus cannot forward traffic to me.
Any reasons against exchanging v6 prefixes over a v4 session?
Multiple single points of failure.
Complexity of the configuration.
More difficult to troubleshoot.
Unnecessary cross-protocol dependencies.

Just to name the ones that come to mind instantly. Any reason for it?

Owen
Try setting local-address in the bgp neighbor config on the Juniper side?

--Peter

On Dec 7, 2011, at 4:54 PM, Randy Carpenter <rcarpen@network1.net> wrote:
Does anyone have any suggestions on setting up BGP peering between Juniper (SRX) and Cisco?
I successfully have cisco-cisco and juniper-juniper without problems.
When I am trying to peer to one of my upstreams (who has cisco) with my Juniper SRX, they are seeing the link-local address as the next-hop, but are unable to get an ND entry for it, and thus cannot forward traffic to me.
-Randy
Tried that. I agree with others that it is an NDP issue. NDP for the GUA is fine, but just not for the link local. Is there something that would block only link local by default?

I should add that I have another uplink to a different provider that works perfectly. The other end is Juniper for that one.

-Randy

On Dec 7, 2011, at 17:53, Peter Rubenstein <peter216@gmail.com> wrote:
Try setting local-address in the bgp neighbor config on the Juniper side?
--Peter
On Wed, 7 Dec 2011, Randy Carpenter wrote:
Tried that. I agree with others that it is an NDP issue. NDP for the GUA is fine, but just not for the link local. Is there something that would block only link local by default?
Do you have any possibly-overly-strict firewall filters applied to the interface on the Juniper box?
I should add that I have another uplink to a different provider that works perfectly. The other end is Juniper for that one.
I have IPv6 BGP sessions, using v6 addresses, up and traffic moving, using Juniper M-series on my end, and various gear on the remote end, including some Cisco devices. Haven't run into any funky NDP-ish issues in the 3 years it's been running. Have you opened a case with JTAC?

jms
On 12/7/2011 6:53 PM, Randy Carpenter wrote:
Tried that. I agree with others that it is an NDP issue. NDP for the GUA is fine, but just not for the link local. Is there something that would block only link local by default?
I should add that I have another uplink to a different provider that works perfectly. The other end is Juniper for that one.
Might check the Cisco provider to see if they have something weird on your interface filtering/config. Port mirroring NDP traffic or running NDP tracing flags might provide you with more clues. You also mentioned success with Cisco to Cisco, but you were unclear if that was with the same Cisco provider you are having problems with. Another possibility for a workaround or additional testing is them placing a manual neighbor entry into the Cisco. I've never tried it with a link-local, though.

Jack
On Dec 7, 2011, at 4:53 PM, Randy Carpenter wrote:
Tried that. I agree with others that it is an NDP issue. NDP for the GUA is fine, but just not for the link local. Is there something that would block only link local by default?
We faced a problem with Cisco routers where it will have partial reachability over IPv6 in the same LAN. Looking further, we found that it was having a problem with Neighbor Solicitations. The solution then was to remove the IPv6 configs from the interface and put them back. This problem was quite unpredictable and we were unable to reproduce it.
I should add that I have another uplink to a different provider that works perfectly. The other end is Juniper for that one.
-Randy
Regards,
Vicky Shrestha
On Thu, Dec 8, 2011 at 11:53 AM, Randy Carpenter <rcarpen@network1.net> wrote:
Tried that. I agree with others that it is an NDP issue. NDP for the GUA is fine, but just not for the link local. Is there something that would block only link local by default?
I should add that I have another uplink to a different provider that works perfectly. The other end is Juniper for that one.
Just to begin with:

0) Does your Juniper device have the neighbor cache entry for the Cisco link-local address? What is the state of the entry?

Can you get packet capture on both sides?

1) Is Cisco sending NS packets?
2) Is your Juniper receiving them?
3) Is the Juniper device sending anything back?
4) Are those NA reaching Cisco?

Any switch on the path?

[lazy mode on] I'd also suggest:
- debug ipv6 nd on Cisco
- checking for bugs for the IOS and JunOS versions you are using
--
SY, Jen Linkova aka Furry
----- Original Message -----
On Thu, Dec 8, 2011 at 11:53 AM, Randy Carpenter <rcarpen@network1.net> wrote:
Tried that. I agree with others that it is an NDP issue. NDP for the GUA is fine, but just not for the link local. Is there something that would block only link local by default?
I should add that I have another uplink to a different provider that works perfectly. The other end is Juniper for that one.
Just to begin with: 0) Does your Juniper device have the neighbor cache entry for Cisco link-local address? What is the state of the entry?
Sometimes it does, sometimes I can't seem to get it.
Can you get packet capture on both sides?
We have done this.
1) is Cisco sending NS packets?
Yes.
2) is your Juniper receiving them?
It does not appear to. Tracing v6 stuff on juniper seems to be hit or miss.
3) is Juniper device sending anything back?
No. (because of #2)
4) are those NA reaching Cisco?
No. (because of #2)
Any switch on the path?
It is an L2 circuit that rides a couple of different pieces of gear before it lands at the other side.
[lazy mode on] I'd also suggest:
- debug ipv6 nd on Cisco
- checking for bugs for the IOS and JunOS versions you are using
On Fri, Dec 09, 2011 at 11:38:44AM -0500, Randy Carpenter wrote:
1) is Cisco sending NS packets?
Yes.
2) is your Juniper receiving them?
It does not appear to. Tracing v6 stuff on juniper seems to be hit or miss. [...]
Any switch on the path?
It is an L2 circuit that rides a couple of different pieces of gear before it lands at the other side.
Sounds like this equipment is having problems with IPv6 multicast...

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
On Sat, Dec 10, 2011 at 9:55 AM, Daniel Roesen <dr@cluenet.de> wrote:
Any switch on the path?
It is an L2 circuit that rides a couple of different pieces of gear before it lands at the other side.
Sounds like this equipment is having problems with IPv6 multicast...
Yep, that's why I was asking - but it doesn't explain how/why ND for GUA works in this case.

--
SY, Jen Linkova aka Furry
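The multicast dependency Daniel and Jen are discussing, as an added example that is not part of the thread: a small Python helper, using constructed addresses, that computes for a peer's global and link-local address the solicited-node group (RFC 4291) and the Ethernet multicast MAC (RFC 2464) its Neighbor Solicitations are sent to. When a manually numbered GUA and an EUI-64 link-local differ in their low 24 bits, ND for the two addresses rides different L2 multicast groups, which is one thing to verify separately across an L2 circuit.

```python
"""Solicited-node multicast groups behind IPv6 Neighbor Discovery.

Added example, not from the thread. Addresses below are constructed.
"""
import ipaddress

# Solicited-node prefix ff02::1:ff00:0/104; the low 24 bits of the
# target address are appended (RFC 4291 section 2.7.1).
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """Return the multicast group a Neighbor Solicitation for addr goes to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Map an IPv6 multicast group to its Ethernet destination (RFC 2464):
    33:33 followed by the low 32 bits of the group address."""
    low32 = int(group) & 0xFFFFFFFF
    octets = (low32 >> s & 0xFF for s in (24, 16, 8, 0))
    return "33:33:" + ":".join(f"{o:02x}" for o in octets)


def nd_groups(gua: str, link_local: str) -> dict:
    """Summarise which L2 multicast groups ND for each address depends on.

    same_group is False when NS for the GUA and NS for the link-local use
    different groups, so an L2 path (MLD snooping, multicast filters) can
    pass one and drop the other, matching the symptom in this thread.
    """
    g_gua = solicited_node_group(gua)
    g_ll = solicited_node_group(link_local)
    return {
        "gua_group": str(g_gua), "gua_mac": multicast_mac(g_gua),
        "ll_group": str(g_ll), "ll_mac": multicast_mac(g_ll),
        "same_group": g_gua == g_ll,
    }


if __name__ == "__main__":
    # Constructed: manually numbered GUA, EUI-64 derived link-local.
    for k, v in nd_groups("2001:db8:1::2", "fe80::1234:56ff:fe78:9abc").items():
        print(f"{k:11} {v}")
```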
On Thu, Dec 8, 2011 at 8:54 AM, Randy Carpenter <rcarpen@network1.net> wrote:
When I am trying to peer to one of my upstreams (who has cisco) with my Juniper SRX, they are seeing the link-local address as the next-hop, but are unable to get an ND entry for it, and thus cannot forward traffic to me.
On second thought - why are they using link-local as the next-hop in the first place if the eBGP session is established over GUA?

--
SY, Jen Linkova aka Furry
On Friday, December 09, 2011 08:57:39 PM Jen Linkova wrote:
On second thought - why are they using link-local as the next-hop in the first place if the eBGP session is established over GUA?
This topic was heavily discussed on 'ipv6-ops' back in February. You may take a look here for all the details on this: http://lists.cluenet.de/pipermail/ipv6-ops/2011-February/004887.html

Cheers,
Mark.
participants (12):
Daniel Roesen
Jack Bates
Jen Linkova
Justin M. Streiner
Leo Bicknell
Mark Tinka
Owen DeLong
Peter Rubenstein
Randy Bush
Randy Carpenter
Vicky Shrestha
Vlad Galu