[Junos] Understanding the 'allow' option under protocol BGP

[KB35070]


Summary:

The 'allow' knob under the protocol BGP group <> stanza enables BGP to accept sessions initiated by any remote peer whose address falls within a specified subnet. This feature is sometimes confused with a firewall filter for incoming BGP sessions; however, it is not designed for filtering purposes.

Refer to the BGP Feature Guide for more details.

Solution:

In the configuration below, two BGP peers are configured: one with the neighbor knob, the other with the allow knob. Although the peer IP address is identical, the two statements work independently; attributes and other session properties are not shared between them.

set protocols bgp group test neighbor 10.0.0.22 metric-out 900
set protocols bgp group test allow 10.0.0.22/32

The sample configuration above has metric-out configured only in the "neighbor" statement. The metric-out parameter takes effect only when the session is established through the "neighbor" configuration; it does not apply when the session is established through the "allow" configuration. (With the configuration above, which of the two is used depends on how the BGP session is initiated.)

lab@R1_re# run show bgp neighbor    
Peer: 10.0.0.22+53008 AS 2     Local: 10.0.0.11+179 AS 1  <-- Local listens port 179, this is established by "allow" knob.
  Group: test                  Routing-Instance: master
  Forwarding routing-instance: master  
  Type: External    State: Established    Flags: <Unconfigured Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Options: <Preference PeerAS Refresh>
  Holdtime: 90 Preference: 170   <-- no MED parameter used because setting was only in 'neighbor' line.
  Number of flaps: 3
  Last flap event: RecvNotify
  Error: 'Cease' Sent: 0 Recv: 3
  Peer ID: 2.2.2.2         Local ID: 1.1.1.1           Active Holdtime: 90
  Keepalive Interval: 30         Group index: 0    Peer index: 0    SNMP index: 4294967295
  I/O Session Thread: bgpio-0 State: Enabled
  BFD: disabled, down
  Local Interface: ge-0/0/0.0                       
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  Restart flag received from the peer: Notification
  NLRI that restart is negotiated for: inet-unicast
  NLRI of received end-of-rib markers: inet-unicast
  NLRI of all end-of-rib markers sent: inet-unicast
  Peer does not support LLGR Restarter functionality
  Peer supports 4 byte AS extension (peer-as 2)
  Peer does not support Addpath
  Table inet.0 Bit: 20000
    RIB State: BGP restart is complete
    Send state: in sync
    Active prefixes:              0
    Received prefixes:            0
    Accepted prefixes:            0
    Suppressed due to damping:    0
    Advertised prefixes:          0
  Last traffic (seconds): Received 14   Sent 13   Checked 97  
  Input messages:  Total 6      Updates 1       Refreshes 0     Octets 162
  Output messages: Total 4      Updates 0       Refreshes 0     Octets 80
  Output Queue[1]: 0            (inet.0, inet-unicast)
  Trace options:  all
  Trace file: /var/log/bgp.log size 20971520 files 10

Peer: 10.0.0.22 AS 2           Local: 10.0.0.11 AS 1    
  Group: test                  Routing-Instance: master
  Forwarding routing-instance: master  
  Type: External    State: Active         Flags: <>
  Last State: Idle          Last Event: Start
  Last Error: None
  Options: <MetricOut Preference PeerAS Refresh>
  Holdtime: 90 Metric Out: 900 Preference: 170     <-- This neighbor has MED parameter, but not established since above worked earlier than this one.
  Number of flaps: 0
  Error: 'Cease' Sent: 0 Recv: 1
  Trace options:  all
  Trace file: /var/log/bgp.log size 20971520 files 10
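As an added example (not the KB's own code), the following Python parses `show bgp neighbor` output in the format shown above, classifies each session as accepted via 'allow' (Unconfigured flag), 'passive' (Passive option) or a plain configured neighbor, and reports configured neighbors whose attributes are not in effect because an 'allow' session to the same address won the race. The sample output is constructed from the two sessions above, trimmed to the lines the parser reads.

```python
import re

# Constructed, trimmed `show bgp neighbor` output modelled on the KB's two sessions (sample, not live data).
SAMPLE_OUTPUT = """\
Peer: 10.0.0.22+53008 AS 2     Local: 10.0.0.11+179 AS 1
  Type: External    State: Established    Flags: <Unconfigured Sync>
  Options: <Preference PeerAS Refresh>
  Holdtime: 90 Preference: 170

Peer: 10.0.0.22 AS 2           Local: 10.0.0.11 AS 1
  Type: External    State: Active         Flags: <>
  Options: <MetricOut Preference PeerAS Refresh>
  Holdtime: 90 Metric Out: 900 Preference: 170
"""

PEER_RE = re.compile(r"^Peer: (?P<peer>[\d.]+)(?:\+\d+)? AS \d+\s+Local: [\d.]+(?:\+(?P<lport>\d+))?")
STATE_RE = re.compile(r"State: (?P<state>\S+)\s+Flags: <(?P<flags>[^>]*)>")
OPTS_RE = re.compile(r"Options: <(?P<opts>[^>]*)>")

def parse_neighbors(text):
    """Turn `show bgp neighbor` output into one record per 'Peer:' block."""
    peers = []
    for block in re.split(r"\n(?=Peer: )", text.strip()):
        m = PEER_RE.search(block)
        if not m:
            continue
        rec = {"peer": m["peer"], "local_port": m["lport"], "state": None, "flags": [], "options": []}
        s = STATE_RE.search(block)
        if s:
            rec["state"], rec["flags"] = s["state"], s["flags"].split()
        o = OPTS_RE.search(block)
        if o:
            rec["options"] = o["opts"].split()
        # 'Unconfigured' in Flags = accepted via 'allow'; 'Passive' in Options = passive knob; else plain neighbor.
        if "Unconfigured" in rec["flags"]:
            rec["kind"] = "allow"
        elif "Passive" in rec["options"]:
            rec["kind"] = "passive"
        else:
            rec["kind"] = "neighbor"
        peers.append(rec)
    return peers

def shadowed_neighbors(peers):
    """Configured neighbors stuck outside Established while an 'allow' session to the same address is up."""
    live_allow = {p["peer"] for p in peers if p["kind"] == "allow" and p["state"] == "Established"}
    return [p["peer"] for p in peers
            if p["kind"] == "neighbor" and p["state"] != "Established" and p["peer"] in live_allow]
```

A peer reported by shadowed_neighbors() is running without its per-neighbor attributes (here MetricOut), which is the silent mismatch this KB describes.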

 

With the 'allow' option, BGP always works in a passive manner, because this configuration exists to accept dynamic BGP sessions. The behavior is similar to the 'passive' knob, but the Flags field differs. See the examples below.

Note: This is output from a normal configuration, without "allow" or "passive".

set protocols bgp group test peer-as 2
set protocols bgp group test neighbor 10.0.0.22

lab@R1_re# run show bgp neighbor             
Peer: 10.0.0.22+179 AS 2       Local: 10.0.0.11+59643 AS 1    
  Group: test                  Routing-Instance: master
  Forwarding routing-instance: master  
  Type: External    State: Established    Flags: <Sync> <-- Flag shows "Sync".
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Options: <Preference PeerAS Refresh>
  Holdtime: 90 Preference: 170
  Number of flaps: 0
  Peer ID: 2.2.2.2         Local ID: 1.1.1.1           Active Holdtime: 90
  Keepalive Interval: 30         Group index: 0    Peer index: 0    SNMP index: 1     
  I/O Session Thread: bgpio-0 State: Enabled
  BFD: disabled, down
  Local Interface: ge-0/0/0.0                       
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  Restart flag received from the peer: Notification
  NLRI that restart is negotiated for: inet-unicast
  NLRI of received end-of-rib markers: inet-unicast
  NLRI of all end-of-rib markers sent: inet-unicast
  Peer does not support LLGR Restarter functionality
  Peer supports 4 byte AS extension (peer-as 2)
  Peer does not support Addpath
  Table inet.0 Bit: 20000
    RIB State: BGP restart is complete
    Send state: in sync
    Active prefixes:              0
    Received prefixes:            0
    Accepted prefixes:            0
    Suppressed due to damping:    0
    Advertised prefixes:          0
  Last traffic (seconds): Received 18   Sent 18   Checked 18  
  Input messages:  Total 2      Updates 1       Refreshes 0     Octets 42
  Output messages: Total 2      Updates 0       Refreshes 0     Octets 42
  Output Queue[1]: 0            (inet.0, inet-unicast)

 

Note: This is example output with the "allow" option. The Flags field shows this peer as "Unconfigured".

set protocols bgp group test peer-as 1
set protocols bgp group test allow 10.0.0.0/24

lab@R2_re# run show bgp neighbor
Peer: 10.0.0.11+59643 AS 1      Local: 10.0.0.22+179 AS 2    
  Group: test                  Routing-Instance: master
  Forwarding routing-instance: master  
  Type: External    State: Established    Flags: <Unconfigured Sync>  <-- Flag shows "Unconfigured Sync".
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Options: <Preference PeerAS Refresh>
  Holdtime: 90 Preference: 170
  Number of flaps: 0
  Peer ID: 1.1.1.1         Local ID: 2.2.2.2           Active Holdtime: 90
  Keepalive Interval: 30         Group index: 0    Peer index: 0    SNMP index: 0     
  I/O Session Thread: bgpio-0 State: Enabled
  BFD: disabled, down
  Local Interface: ge-0/0/0.0                       
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  Restart flag received from the peer: Notification
  NLRI that restart is negotiated for: inet-unicast
  NLRI of received end-of-rib markers: inet-unicast
  NLRI of all end-of-rib markers sent: inet-unicast
  Peer does not support LLGR Restarter functionality
  Peer supports 4 byte AS extension (peer-as 1)
  Peer does not support Addpath
  Table inet.0 Bit: 20000
    RIB State: BGP restart is complete
    Send state: in sync
    Active prefixes:              0
    Received prefixes:            0
    Accepted prefixes:            0
    Suppressed due to damping:    0
    Advertised prefixes:          0
  Last traffic (seconds): Received 26   Sent 26   Checked 26  
  Input messages:  Total 3      Updates 1       Refreshes 0     Octets 105
  Output messages: Total 2      Updates 0       Refreshes 0     Octets 42
  Output Queue[1]: 0            (inet.0, inet-unicast)

 

Note: This is example output with the "passive" option.

set protocols bgp group test peer-as 1
set protocols bgp group test neighbor 10.0.0.11 passive

lab@R2_re# run show bgp neighbor   
Sep 17 13:08:28
Peer: 10.0.0.11+60967 AS 1     Local: 10.0.0.22+179 AS 2    
  Group: test                  Routing-Instance: master
  Forwarding routing-instance: master  
  Type: External    State: Established    Flags: <Sync>  <-- Flag shows "Sync". Same as plain config.
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Options: <Preference Passive PeerAS Refresh>  <-- Options field has "Passive" parameter.
  Holdtime: 90 Preference: 170
  Number of flaps: 0
  Peer ID: 1.1.1.1         Local ID: 2.2.2.2           Active Holdtime: 90
  Keepalive Interval: 30         Group index: 0    Peer index: 0    SNMP index: 3     
  I/O Session Thread: bgpio-0 State: Enabled
  BFD: disabled, down
  Local Interface: ge-0/0/0.0                       
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  Restart flag received from the peer: Notification
  NLRI that restart is negotiated for: inet-unicast
  NLRI of received end-of-rib markers: inet-unicast
  NLRI of all end-of-rib markers sent: inet-unicast
  Peer does not support LLGR Restarter functionality
  Peer supports 4 byte AS extension (peer-as 1)
  Peer does not support Addpath
  Table inet.0 Bit: 20000
    RIB State: BGP restart is complete
    Send state: in sync
    Active prefixes:              0
    Received prefixes:            0
    Accepted prefixes:            0
    Suppressed due to damping:    0
    Advertised prefixes:          0
  Last traffic (seconds): Received 7    Sent 3    Checked 32  
  Input messages:  Total 4      Updates 1       Refreshes 0     Octets 124
  Output messages: Total 2      Updates 0       Refreshes 0     Octets 42
  Output Queue[1]: 0            (inet.0, inet-unicast)
  Trace options:  all
  Trace file: /var/log/bgp.log size 20971520 files 10

If the neighbor's IP address is outside the subnet specified in the "allow" setting, BGP sends a Notification (Cease, Connection Rejected) with the reason "Connection attempt from unconfigured neighbor".

Note: This is the traceoptions log for the correct scenario; the neighbor's address is within the allowed range.

set protocols bgp group test peer-as 1
set protocols bgp group test allow 10.0.0.0/24

Sep 17 12:54:01.723844 task_process_events_internal: accept ready for BGP_Listen.0.0.0.0+179
Sep 17 12:54:01.723911 task_accept: task BGP_Listen.0.0.0.0+179 socket 111 addr 0.0.0.0+179
Sep 17 12:54:01.724098 task_alloc: allocated task block for BGP_Proto priority 50
Sep 17 12:54:01.724146 task_set_option_internal: task BGP_Proto.10.0.0.11+52184 socket 110 option TOS(16) value 192
Sep 17 12:54:01.724167 bgp_listen_accept: accepting connection from 10.0.0.11+52184 (local 10.0.0.22+179)
Sep 17 12:54:01.724171 task_set_socket: task BGP_Proto.10.0.0.11+52184 socket 110
Sep 17 12:54:01.724333 task_set_option_internal: task BGP_Proto.10.0.0.11+52184 socket 110 option NonBlocking(8) value 1
Sep 17 12:54:01.724345 task_set_option_internal: task BGP_Proto.10.0.0.11+52184 socket 110 option RecvBuffer(0) value 16384
Sep 17 12:54:01.724355 task_set_option_internal: task BGP_Proto.10.0.0.11+52184 socket 110 option SendBuffer(1) value 16384
Sep 17 12:54:01.724361 task_set_option_internal: task BGP_Proto.10.0.0.11+52184 socket 110 option Linger(2) value { 0, 0 }
Sep 17 12:54:01.724497 task_timer_ucreate: created timer BGP_Proto.10.0.0.11+52184_Task parent  flags <>
Sep 17 12:54:01.724501 task_timer_ucreate: created timer BGP_Proto.10.0.0.11+52184_OpenTimeOut  flags <>
Sep 17 12:54:01.724522 task_timer_uset: timer BGP_Proto.10.0.0.11+52184_OpenTimeOut <Touched> set to interval 1:30 with jitter 0 at 12:55:31.723763
Sep 17 12:54:01.724542 task_process_events_internal: recv ready for BGP_Proto.10.0.0.11+52184
Sep 17 12:54:01.724584 task_process_events_internal: recv ready for BGP_Proto.10.0.0.11+52184
Sep 17 12:54:01.724677
Sep 17 12:54:01.724677 BGP RECV 10.0.0.11+52184 -> 10.0.0.22+179
Sep 17 12:54:01.724687 BGP RECV message type 1 (Open) length 63
Sep 17 12:54:01.724734 BGP RECV version 4 as 1 holdtime 90 id 1.1.1.1 parmlen 34
Sep 17 12:54:01.724741 BGP RECV MP capability AFI=1, SAFI=1
Sep 17 12:54:01.724743 BGP RECV Refresh capability, code=128
Sep 17 12:54:01.724744 BGP RECV Refresh capability, code=2
Sep 17 12:54:01.724773 BGP RECV Restart capability, code=64, time=120, flags=Notification
Sep 17 12:54:01.724799 BGP RECV 4 Byte AS-Path capability (65), as_num 1
Sep 17 12:54:01.724809 BGP RECV Long-Lived Graceful Restart capability, code=71

 

Note: This is the traceoptions log for the wrong scenario; the router does not accept the out-of-range address and sends a Notification.

set protocols bgp group test peer-as 1
set protocols bgp group test allow 10.0.0.0/29

Sep 17 13:01:44.636566 task_process_events_internal: accept ready for BGP_Listen.0.0.0.0+179
Sep 17 13:01:44.636661 task_accept: task BGP_Listen.0.0.0.0+179 socket 116 addr 0.0.0.0+179
Sep 17 13:01:44.636812 bgp_listen_accept: Connection attempt from unconfigured neighbor: 10.0.0.11+51498
Sep 17 13:01:44.636850 task_alloc: allocated task block for BGP_Proto priority 50
Sep 17 13:01:44.636862 task_set_option_internal: task BGP_Proto.10.0.0.11+51498 socket 118 option TOS(16) value 192
Sep 17 13:01:44.636878 bgp_listen_accept: accepting connection from 10.0.0.11+51498 (local 10.0.0.22+179)
Sep 17 13:01:44.636916 task_set_option_internal: task BGP_Proto.10.0.0.11+51498 socket 118 option NonBlocking(8) value 1
Sep 17 13:01:44.636923 task_set_option_internal: task BGP_Proto.10.0.0.11+51498 socket 118 option RecvBuffer(0) value 16384
Sep 17 13:01:44.636926 task_set_option_internal: task BGP_Proto.10.0.0.11+51498 socket 118 option SendBuffer(1) value 16384
Sep 17 13:01:44.636930 task_set_option_internal: task BGP_Proto.10.0.0.11+51498 socket 118 option Linger(2) value { 0, 0 }
Sep 17 13:01:44.637019
Sep 17 13:01:44.637019 BGP SEND 10.0.0.22+179 -> 10.0.0.11+51498
Sep 17 13:01:44.637022 BGP SEND message type 1 (Open) length 29
Sep 17 13:01:44.637041 BGP SEND version 4 as 2 holdtime 90 id 2.2.2.2 parmlen 0
Sep 17 13:01:44.637047
Sep 17 13:01:44.637047 BGP SEND 10.0.0.22+179 -> 10.0.0.11+51498
Sep 17 13:01:44.637049 BGP SEND message type 3 (Notification) length 21
Sep 17 13:01:44.637056 BGP SEND Notification code 6 (Cease) subcode 5 (Connection Rejected)
Sep 17 13:01:44.637085 bgp_listen_accept:5276: NOTIFICATION sent to 10.0.0.11+51498 (proto): code 6 (Cease) subcode 5 (Connection Rejected), Reason: Connection attempt from unconfigured neighbor: 10.0.0.11+51498
Sep 17 13:01:44.637088 Notify sent to 10.0.0.11+51498 (proto), code 6, subcode 5
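As an added example (not the KB's own code), the following Python audits BGP traceoptions lines in the format shown above: it separates accepted connections from "Connection attempt from unconfigured neighbor" rejections, checks each rejected source against the configured allow prefixes to confirm the rejection is explained by the range, and lists sources that are rejected repeatedly. The log lines are constructed from the excerpts above plus an invented 192.0.2.7 source; the allow prefix list is passed in by the caller.

```python
import ipaddress
import re
from collections import Counter

# Constructed traceoptions excerpts modelled on the KB (192.0.2.7 is an invented extra source).
TRACE_LINES = """\
Sep 17 12:54:01.724167 bgp_listen_accept: accepting connection from 10.0.0.11+52184 (local 10.0.0.22+179)
Sep 17 13:01:44.636812 bgp_listen_accept: Connection attempt from unconfigured neighbor: 10.0.0.11+51498
Sep 17 13:01:44.637085 bgp_listen_accept:5276: NOTIFICATION sent to 10.0.0.11+51498 (proto): code 6 (Cease) subcode 5 (Connection Rejected), Reason: Connection attempt from unconfigured neighbor: 10.0.0.11+51498
Sep 17 13:05:10.000001 bgp_listen_accept: Connection attempt from unconfigured neighbor: 192.0.2.7+40001
Sep 17 13:05:40.000002 bgp_listen_accept: Connection attempt from unconfigured neighbor: 192.0.2.7+40002
""".splitlines()

ACCEPT_RE = re.compile(r"bgp_listen_accept: accepting connection from (?P<src>[\d.]+)\+(?P<port>\d+)")
# Anchored at line start so the later NOTIFICATION summary line is not counted as a second rejection.
REJECT_RE = re.compile(r"^(?P<ts>\w{3} \d+ [\d:.]+) bgp_listen_accept: Connection attempt from "
                       r"unconfigured neighbor: (?P<src>[\d.]+)\+(?P<port>\d+)")

def allowed(src, allow_prefixes):
    """True if src falls inside any prefix given to the 'allow' knob."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in allow_prefixes)

def audit_listen_events(lines, allow_prefixes):
    """Return (accepted_sources, rejections); each rejection records whether the allow range explains it."""
    accepted, rejected = [], []
    for line in lines:
        a = ACCEPT_RE.search(line)
        if a:
            accepted.append(a["src"])
            continue
        r = REJECT_RE.search(line)
        if r:
            rejected.append({"ts": r["ts"], "src": r["src"], "port": int(r["port"]),
                             "explained_by_allow": not allowed(r["src"], allow_prefixes)})
    return accepted, rejected

def repeat_offenders(rejected, threshold=2):
    """Sources rejected at least `threshold` times: a misconfigured peer or an unexpected host worth a look."""
    counts = Counter(r["src"] for r in rejected)
    return sorted(src for src, n in counts.items() if n >= threshold)
```

A rejection with explained_by_allow set to False would mean the source is inside the allow range yet still rejected, which points at something other than the prefix (for example a different group or routing instance) and deserves a closer look.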
