JunOS: BGP ‘passive’ knob suppresses BGP down traps

This configuration knob is useful if you want to suppress BGP down traps.

Q. When might you want to do this?

A. When you are provisioning new sessions and you don’t want your NMS to alert your NOC. For example, I find this is great for setting up new sessions at internet exchanges, as you don’t know when the peer will get around to configuring their end.

set protocols bgp group iBGP neighbor 10.10.10.13 passive

Here’s the output from my testing with Wireshark.

# mx3 - set iBGP w/ mx4 to be a passive session
edit private
set protocols bgp group iBGP neighbor 10.10.10.13 passive
commit comment "test" and-quit


# mx4 - bring iBGP w/ mx3 down
edit private
deactivate protocols bgp group iBGP neighbor 10.10.10.12
commit comment "bring down BGP w/ mx3 - test" and-quit


# mx4 - BGP down
Sep 23 14:29:51.323 2015 mx4.cbg.uk.re0 rpd[2760]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.10.10.12 (Internal AS 64512) changed state from Established to Idle (event Stop) (instance master)

# mx3 - BGP

Sep 23 14:29:51.321 2015 mx3.cbg.uk.re0 rpd[1860]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.10.10.13 (Internal AS 64512) changed state from Established to Idle (event RecvNotify) (instance master)
Sep 23 14:29:51.321 2015 mx3.cbg.uk.re0 rpd[1860]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.10.10.13 (Internal AS 64512) changed state from Established to Idle (event RecvNotify) (instance master)
Sep 23 14:29:51.321 2015 mx3.cbg.uk.re0 rpd[1860]: bgp_read_v4_message:10804: NOTIFICATION received from 10.10.10.13 (Internal AS 64512): code 6 (Cease) subcode 3 (Peer Unconfigured)

# mx3 - deactivate session
set protocols bgp group iBGP neighbor 10.10.10.13 passive
deactivate protocols bgp group iBGP neighbor 10.10.10.13


# mx3 - send routing protocol traps to neteam-server...
@mx3.cbg.uk.re0> show configuration snmp trap-group test | display set
set snmp trap-group test version v2
set snmp trap-group test categories routing
set snmp trap-group test targets 172.16.113.2

# mx3 - activate BGP neighbour again...
activate protocols bgp group iBGP neighbor 10.10.10.13

# neteam-server - monitor for traps...
$ sudo tcpdump -i eth0:1 port 162
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0:1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:14:25.348333 IP mx3.cbg.uk.re0.57237 > 172.16.113.2.snmp-trap: C=test V2Trap(125) system.sysUpTime.0=130556412 S:1.1.4.1.0=15.7.2 15.3.1.14.10.10.10.11=00_00 15.3.1.2.10.10.10.11=1 S:1.1.4.3.0=E:2636.1.1.1.2.25
16:15:38.359733 IP mx3.cbg.uk.re0.57237 > 172.16.113.2.snmp-trap: C=test V2Trap(125) system.sysUpTime.0=130563713 S:1.1.4.1.0=15.7.2 15.3.1.14.10.10.10.11=00_00 15.3.1.2.10.10.10.11=2 S:1.1.4.3.0=E:2636.1.1.1.2.25
16:16:53.349739 IP mx3.cbg.uk.re0.57237 > 172.16.113.2.snmp-trap: C=test V2Trap(125) system.sysUpTime.0=130571212 S:1.1.4.1.0=15.7.2 15.3.1.14.10.10.10.11=00_00 15.3.1.2.10.10.10.11=1 S:1.1.4.3.0=E:2636.1.1.1.2.25
16:18:06.361113 IP mx3.cbg.uk.re0.57237 > 172.16.113.2.snmp-trap: C=test V2Trap(125) system.sysUpTime.0=130578513 S:1.1.4.1.0=15.7.2 15.3.1.14.10.10.10.11=00_00 15.3.1.2.10.10.10.11=2 S:1.1.4.3.0=E:2636.1.1.1.2.25
16:19:21.351131 IP mx3.cbg.uk.re0.57237 > 172.16.113.2.snmp-trap: C=test V2Trap(125) system.sysUpTime.0=130586012 S:1.1.4.1.0=15.7.2 15.3.1.14.10.10.10.11=00_00 15.3.1.2.10.10.10.11=1 S:1.1.4.3.0=E:2636.1.1.1.2.25

# We see the control case (i.e. the non-passive, down session) keeps spewing traps.
# We see the passive session has generated no traps.

# mx4 - activate BGP neighbor w/ mx3, i.e. 10.10.10.12
activate protocols bgp group iBGP neighbor 10.10.10.12

# neteam-server receives UP trap - yay!
16:23:12.002565 IP mx3.cbg.uk.re0.57237 > 172.16.113.2.snmp-trap: C=test V2Trap(125) system.sysUpTime.0=130609079 S:1.1.4.1.0=15.7.1 15.3.1.14.10.10.10.13=00_00 15.3.1.2.10.10.10.13=6 S:1.1.4.3.0=E:2636.1.1.1.2.25

# Final test - block BGP messages at firewall level
[edit firewall family inet filter router-access]
@mx4.cbg.uk.re0# show | compare
[edit firewall family inet filter router-access]
 term block-ntp { ... }
+ term block_bgp_mx3 {
+ from {
+ source-address {
+ 10.10.10.12/32;
+ }
+ protocol tcp;
+ port bgp;
+ }
+ then {
+ discard;
+ }
+ }
 term default { ... }
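Review bot: in term block_bgp_mx3 the then clause is a bare discard, so nothing on mx4 records whether the term is actually matching; add a counter ahead of it (for example "count block_bgp_mx3;" before "discard;") so the hit count, not just the hold-timer expiry, shows the filter caused the drop. The from clause matches only packets sourced from 10.10.10.12/32, so it blocks one direction only; note in the test which interface and direction router-access is applied to, and remove the term once the test is finished.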

# Check BGP actually went down...
# mx4 saw...
Sep 23 15:28:24.009 2015 mx4.cbg.uk.re0 rpd[2760]: bgp_hold_timeout:4487: NOTIFICATION sent to 10.10.10.12 (Internal AS 64512): code 4 (Hold Timer Expired Error), Reason: holdtime expired for 10.10.10.12 (Internal AS 64512), socket buffer sndcc: 57 rcvcc: 0 TCP state: 4, snd_una: 4234639542 snd_nxt: 4234639599 snd_wnd: 16384 rcv_nxt: 3797800221 rcv_adv: 3797816605, hold timer out 90s, hold timer remain 0s
Sep 23 15:28:24.009 2015 mx4.cbg.uk.re0 rpd[2760]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.10.10.12 (Internal AS 64512) changed state from Established to Idle (event HoldTime) (instance master)

# mx3 saw...
Sep 23 15:28:24.008 2015 mx3.cbg.uk.re0 rpd[1860]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.10.10.13 (Internal AS 64512) changed state from Established to Idle (event RecvNotify) (instance master)

# Check SNMP traps...
# Just the non-passive session generating traps as before - no traps related to 10.10.10.13 session...

Conclusion: Setting passive will suppress BGP down traps for these sessions.
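
Because a passive session that drops sends no down trap, a trap-only NMS never learns about it, while the rpd syslog still records the transition. The Python below is an added example, not part of the original post: it decodes the abbreviated tcpdump trap lines using the BGP4-MIB object names (bgpTraps 15.7.x, bgpPeerState 15.3.1.2) and lists peers that syslog shows leaving Established with no matching down trap. The function names are my own, and it assumes both inputs cover the same time window.

```python
import re

# BGP4-MIB names for the OID suffixes tcpdump prints (prefix 1.3.6.1.2.1.)
TRAPS = {"15.7.1": "bgpEstablished", "15.7.2": "bgpBackwardTransition"}
STATES = {1: "idle", 2: "connect", 3: "active",
          4: "opensent", 5: "openconfirm", 6: "established"}

TRAP_RE = re.compile(
    r"S:1\.1\.4\.1\.0=(15\.7\.\d)\b.*?"           # snmpTrapOID.0 value
    r"\b15\.3\.1\.2\.(\d+\.\d+\.\d+\.\d+)=(\d)")  # bgpPeerState.<peer>
DOWN_RE = re.compile(
    r"RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer (\S+) .*"
    r"from Established to \w+ \(event (\w+)\)")

# Sample input copied from the capture and syslog on this page (prefixes trimmed).
SAMPLE_TRAPS = [
    "C=test V2Trap(125) system.sysUpTime.0=130556412 S:1.1.4.1.0=15.7.2 "
    "15.3.1.14.10.10.10.11=00_00 15.3.1.2.10.10.10.11=1 S:1.1.4.3.0=E:2636.1.1.1.2.25",
    "C=test V2Trap(125) system.sysUpTime.0=130563713 S:1.1.4.1.0=15.7.2 "
    "15.3.1.14.10.10.10.11=00_00 15.3.1.2.10.10.10.11=2 S:1.1.4.3.0=E:2636.1.1.1.2.25",
    "C=test V2Trap(125) system.sysUpTime.0=130609079 S:1.1.4.1.0=15.7.1 "
    "15.3.1.14.10.10.10.13=00_00 15.3.1.2.10.10.10.13=6 S:1.1.4.3.0=E:2636.1.1.1.2.25",
]
SAMPLE_SYSLOG = [
    "rpd[1860]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.10.10.13 (Internal AS 64512) "
    "changed state from Established to Idle (event RecvNotify) (instance master)",
]

def decode_traps(lines):
    """Return (trap name, peer, peer state) for each tcpdump trap line."""
    out = []
    for line in lines:
        m = TRAP_RE.search(line)
        if m:
            out.append((TRAPS.get(m[1], m[1]), m[2], STATES.get(int(m[3]), m[3])))
    return out

def silent_drops(syslog_lines, trap_lines):
    """(peer, event) pairs that left Established in syslog with no down trap."""
    trapped = {peer for name, peer, _ in decode_traps(trap_lines)
               if name == "bgpBackwardTransition"}
    dropped = {m[1]: m[2] for m in map(DOWN_RE.search, syslog_lines) if m}
    return sorted((p, e) for p, e in dropped.items() if p not in trapped)

if __name__ == "__main__":
    for row in decode_traps(SAMPLE_TRAPS):
        print(row)
    print("down in syslog, no trap:", silent_drops(SAMPLE_SYSLOG, SAMPLE_TRAPS))
```

Run against syslog forwarded from every router, this gives the NOC a view of passive sessions that went down without a trap.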