Issues with EX4200 – RPD_RT_PREFIX_LIMIT_REACHED: Number of prefixes (16384) in table inet.0 reached configured maximum (16384).

The problem

Recently I decided to use a Juniper EX4200 switch as a core router, taking in a default route + few thousands (after selective filtering) IX routes.

EX4200 is a device capable of taking in 16k IPv4 routes and 4k IPv6 routes in FIB, so there should be no issues, right? I set up the sessions and configured filters to not exchange any routes to make sure everything is correct.

protocols {
  bgp {
    local-as 23456;
    group IX {
      type external;
      family inet {
        unicast {
          accepted-prefix-limit {
            maximum 12000;
            teardown 90 idle-timeout forever;
      neighbor {
        description "IX RS1";
        import reject-all;
        export reject-all;
        peer-as 65000;
policy-options {
  policy-statement reject-all {
    then reject;

However, the following message started filling up my logs:

RPD_RT_PREFIX_LIMIT_REACHED: Number of prefixes (16384) in table inet.0 reached configured maximum (16384)

That makes no sense, I’m rejecting all routes from the session! Running show route summary, however, shows some very conflicting information:

> show route summary
inet.0: 16384 destinations, 32749 routes (168 active, 0 holddown, 32432 hidden)
Limit/Threshold: 16384/16384 destinations
    BGP:    32731 routes,    151 active

This creates more questions than it answers. Why are there so many routes, destinations, and why are all hidden? What gives?

Turns out that the default JunOS behaviour is to keep all routes received over BGP in a separate RIB, even before any filtering happens (adj-rib-in-pre: Contains the NLRI updates received from the neighbor before any local input policy filters have been applied. Source). While this is a good behaviour for a switch with a highly performant control plane, or a router, it would completely destroy lower powered devices – like the EX4200.

As such, the EX4200 has set limits of 16384 prefixes for RIB as well.

So, how can we fix this?

The solution

The fix is quite simple. We just need to tell the switch to not keep rejected routes. This can be done by simply adding keep none to the session/group configuration.

Documentation for the “keep” statement