> Sebastian Neuner
> Sent: Thursday, August 02, 2018 6:19 PM
> To: 'Cisco Network Service Providers'
> Subject: Re: [c-nsp] ASR9k: RIB/FIB convergence
>
> Hi Thomas,
>
> we have seen similar effects in the past. I remember a case, where a router
> with Trident cards and 4.3.1 (and newer routers around it) got stuck in a
> situation similar to yours. It even tried to forward packets to a port that was
> admin-down.
>
> > Do you drop BGP updates on ingress with "as-path length ge 51" please? -
> > not only it's a good practice, but apparently long as-paths caused RIB-FIB
> > clogging in the past.
>
> This fixed our problem. After a whole night of debugging, I found this mail
> thread, "[c-nsp] CEF issues this weekend".
>
> Some AS announced a prefix and prepended >500 times.
>
> Since then, we filter for as-path-length on ingress everywhere and haven't
> seen this behavior again.
>

Yup I remember that one very well.
Came in fairly quick succession (though not sure which one was first) to the incident where some university advertised a prefix with some custom BGP attribute and forgot to tell the world until it was too late.
I guess these two incidents then resulted in the long and painful road to RFC 7606 - Revised Error Handling for BGP UPDATE Messages with various success among vendors:

Good:
%ROUTING-BGP-3-MALFORM_UPDATE : Malformed UPDATE message received from neighbor x.x.x.x (VRF: INTERNET) - message length 103 bytes, error flags 0x00400000, action taken "DiscardAttr"

Bad:
When the 'bgp-error-tolerance' feature - designed to help mitigate remote session resets from malformed path attributes - is enabled, a BGP UPDATE containing a specifically crafted set of transitive attributes can cause the RPD routing process to crash and restart.

Also these are the reasons why I always recommend building a separate RRs infrastructure (or plane) dedicated to carry internet prefixes - and keep it separate from the RR infrastructure carrying prefixes for VPN services.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
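
The ingress check discussed in this thread ("as-path length ge 51"), as an added example that is not part of the original mails or any vendor's code: it decodes an AS_PATH attribute value, counts its length across segments, and returns a drop, accept or RFC 7606 treat-as-withdraw decision. Assumptions: 4-octet ASNs on the wire, RFC 4271/5065 length counting, and the function names and sample paths, which are constructed here.

```python
import struct

AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
MAX_PATH_LEN = 50  # the thread's filter drops "as-path length ge 51"

def parse_as_path(value, asn_size=4):
    """Split an AS_PATH attribute value into (segment_type, [asn, ...]) tuples."""
    segments, off = [], 0
    while off < len(value):
        if off + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[off], value[off + 1]
        off += 2
        end = off + count * asn_size
        # RFC 7606: unknown type, zero-length segment or overrun is malformed
        if not 1 <= seg_type <= 4 or count == 0 or end > len(value):
            raise ValueError("malformed AS_PATH segment")
        fmt = ">%d%s" % (count, "I" if asn_size == 4 else "H")
        segments.append((seg_type, list(struct.unpack(fmt, value[off:end]))))
        off = end
    return segments

def path_length(segments):
    """Each AS_SEQUENCE member counts once, a whole AS_SET counts as one,
    confederation segments count as zero (assumed RFC 4271/5065 counting)."""
    total = 0
    for seg_type, asns in segments:
        if seg_type == AS_SEQUENCE:
            total += len(asns)
        elif seg_type == AS_SET:
            total += 1
    return total

def ingress_action(value):
    try:
        length = path_length(parse_as_path(value))
    except ValueError:
        return "treat-as-withdraw"  # RFC 7606 handling of a malformed AS_PATH
    return "drop" if length > MAX_PATH_LEN else "accept"

def encode_sequence(asns):
    """Build constructed input: AS_SEQUENCE segments of at most 255 ASNs each."""
    out = b""
    for i in range(0, len(asns), 255):
        chunk = asns[i:i + 255]
        out += bytes([AS_SEQUENCE, len(chunk)]) + struct.pack(">%dI" % len(chunk), *chunk)
    return out

# Constructed samples using documentation ASNs (RFC 5398)
NORMAL = encode_sequence([64500, 64501, 64502])
PREPENDED = encode_sequence([64500] + [64511] * 520)  # 521 hops, 3 segments
```

A segment carries at most 255 ASNs, so a path prepended more than 500 times spans several segments and the length has to be summed over all of them before comparing against the limit.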
