09-07-2023 11:39 AM - last edited on 10-10-2023 05:01 AM by Translator
Hello, I'm trying to understand how the BGP aggregate-address command actually works. The network is shown below:
The whole network is configured and it's ready to go. On D1 router from BGP 64530 I managed to aggregate 4
IP addresses: 10.10.154.208
10.10.189.0
10.10.198.0
10.16.0.0
I put them into 10.0.0.0/11 on D1 router so he can route them out of the network. It works as expected:
D1 suspended these routes from advertising. But let's say I also want to summarize 192.168.150.0 and 192.168.100.0 which are VLAN 150 and VLAN 100 respectively. If that command is issued like this:
aggregate-address 192.168.0.0 255.255.0.0 summary-only route-map SELECT_VLAN
ip access-list extended 150
permit ip 192.168.100.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
deny ip any any
route-map SELECT_VLAN permit 10
match ip address 150
This unfortunately does not work. Access-list 150 only shows matches for the deny statement and for the 192.168.100.0/24 address, and never for .150. This then results in an unexpected result where D1 starts to suspend every route that starts with 192.168.x.x, as you can see from the image below:
D1 is putting every route that he receives to suspend even though I stated that ip access list should match only VLAN 150 / 100. What causes this to happen? He should suspend only 192.168.100.0 and 192.168.150.0 but not every route.
To my understanding this means that one should aggregate addresses only on edge routers like Edge-A and Edge-B in this network right?
Let's take all IP addresses that start with 192.168 prefix. Those are:
192.168.33.1 /24
192.168.34.1 /24
192.168.40.1 /24
192.168.31.1 /24
192.168.32.1 /24
192.168.20.1 /24
192.168.30.1 /24
192.168.100.1 /24
192.168.150.1 /24
Summary address of these is: 192.168.0.0/16
The configuration of Edge-B for example goes like this:
!
router bgp 300
bgp router-id 5.5.5.5
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 170.255.255.254 remote-as 100
neighbor 202.0.0.2 remote-as 200
neighbor 202.1.0.1 remote-as 150
neighbor 203.200.200.205 remote-as 62100
!
address-family ipv4
network 13.13.13.0 mask 255.255.255.128
aggregate-address 192.168.0.0 255.255.0.0 as-set summary-only
neighbor 170.255.255.254 activate
neighbor 202.0.0.2 activate
neighbor 202.1.0.1 activate
neighbor 203.200.200.205 activate
exit-address-family
!
I used the as-set command so that he can advertise their AS numbers respectively to the ISP_2 router. My guess is that this should be done the same for Edge-A as well?
If we take a look at Edge-B's BGP table, it looks like this:
The first IP address is 192.168.0.0/16 and the rest are suspended. Then on ISP_2 we can see:
ISP_2 can successfully ping any network and his routing table has been sliced down to being smaller by a large margin.
Conclusion from this is that I should now aggregate all addresses that start with 172.x.x.x + the 176 one, which will result in 160.0.0.0/3 (for an example), and then put this only on edge routers so they can share this with ISP_1 and ISP_2 routers?
Is there any reason why D1 router for an example cannot aggregate only certain IP addresses that I want but instead he suspends everything? Is my route-map wrong or the ip access list?
I know there are a lot of commands to use like no export, advertise-map and attribute-map, but should these commands ever be used in a network like this? Any purpose? Because I don't understand why would I do the no export command on one router and then use attribute-map to modify the behavior on another router to have it set to "none" so he can advertise this route. I just don't see the concept of this.
Or using the advertise-map command to only aggregate certain addresses. Is there any benefit of these? Since my BGP in the network is only advertising LAN networks together with loopbacks from 1 to n which are considered as a LAN network as well. No interfaces are being advertised and IGP is used between iBGP routers. I really don't know...
I followed this guideline:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/5441-aggregation.html
Any help is appreciated!
09-07-2023 01:40 PM - last edited on 10-10-2023 05:11 AM by Translator
Hello,
Let's see if we can help unpack all of this. First, BGP is a very dynamic and widely used protocol. It's the routing protocol of the internet. You need to be able to configure/tweak routes sometimes very specifically. So if you have to ask is there a reason for this command, the answer is likely yes there is, or at least there WAS at some point.
I'm not sure about the route-map in your initial problem but maybe you can try creating a prefix list and matching it in the route-map:
ip prefix-list BGP_SUMMARY permit 192.168.100.0/24
ip prefix-list BGP_SUMMARY permit 192.168.150.0/24
When you aggregate BGP routes some path information is lost like AS path, MED, communities, etc.
Advertise-map - specifying the routes whose attributes should be "advertised" via the aggregate. This means you can pick out individual route attributes to selectively advertise in your aggregation.
For example, let's say you have the routes:
192.168.33.1 /24 (5:5)
192.168.34.1 /24
192.168.40.1 /24
192.168.31.1 /24
192.168.32.1 /24
192.168.20.1 /24
192.168.30.1 /24
192.168.100.1 /24
192.168.150.1 /24
Let's say route 192.168.31.1 /24 has a community of 5:5. You can use a route-map matching on that community with the advertise-map and only routes with that community will be advertised.
No-export - is great for just suppressing a bunch of routes to eBGP neighbors instead of denying with an ACL. Let's say you aggregate the above 192.168.X.X routes and put no export. Those routes will not leave the BGP AS but will be advertised to iBGP peers.
Since you are losing attributes in the aggregate, the attribute-map allows you to put in your own attributes, again manipulating the routes as you see fit.
For your comment:
"Because I don't understand why would I do no export command on one router and then use attribute-map to modify the behavior on another router to have it set to "none" so he can advertise this route. I just don't see the concept of this."
Remember it's the internet routing protocol and there are much more complex environments than what you have. There is plenty of advertise this or don't advertise that or add this community or remove this community or change attributes on this route happening everywhere. Like I said, you need to be able to modify everything at any given point in the network.
This link may help a bit as well:
-David
09-07-2023 02:18 PM - last edited on 10-10-2023 05:14 AM by Translator
Hello @StefanStefanR ,
first of all, you are creating aggregate addresses that include prefixes that are not contiguous.
Then about your configuration:
>>
aggregate-address 192.168.0.0 255.255.0.0 summary-only route-map SELECT_VLAN
ip access-list extended 150
permit ip 192.168.100.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
deny ip any any
route-map SELECT_VLAN permit 10
match ip address 150
Here, the route-map invoked in the aggregate-address is used to check something in order to decide if the aggregate address should be generated or not.
But you try to match on an IP extended ACL with source IP addresses the two subnets you would like to match.
The command is not doing what you would like to do.
You should use the unsuppress-map with a prefix-list that says what component routes should still be advertised.
As I have written above, you are creating aggregate addresses that are too big or too short in prefix length.
The use of commands shown in the link you have provided has to be considered as a showcase of what can be done with BGP and the manipulation of BGP attributes on the created aggregate address.
So the setting of BGP community no-export, later overridden with BGP community none, is to be considered an example of what can be done.
Hope to help
Giuseppe
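The two points above (the original post's aggregate of 192.168.0.0/16 with summary-only pulling in every 192.168.x.x route, and Giuseppe's remark that the aggregate covers non-contiguous prefixes) can be checked before touching a router. The following is an added example, not code from the thread or from Cisco: it builds a small constructed BGP table from the /24 prefixes listed in the thread, finds the smallest summary that covers a set of components, lists which table entries a summary-only aggregate would suppress, and reports the address space inside the aggregate that no component actually covers.

```python
import ipaddress

# Constructed BGP table: the 192.168.x.0/24 LAN prefixes listed in the thread plus two
# other prefixes mentioned there. Sample data, not a capture from D1.
BGP_TABLE = [
    "192.168.20.0/24", "192.168.30.0/24", "192.168.31.0/24", "192.168.32.0/24",
    "192.168.33.0/24", "192.168.34.0/24", "192.168.40.0/24", "192.168.100.0/24",
    "192.168.150.0/24", "10.255.255.0/26", "13.13.13.0/25",
]


def minimal_summary(prefixes):
    """Smallest single prefix that contains every given prefix, i.e. the aggregate
    that would have to be configured to summarise exactly these components."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit until everything fits
    return str(summary)


def suppressed_by(aggregate, table):
    """Component routes that 'aggregate-address ... summary-only' would suppress:
    every table entry more specific than the aggregate, whatever VLAN it belongs to."""
    agg = ipaddress.ip_network(aggregate)
    return sorted(p for p in table
                  if ipaddress.ip_network(p) != agg and ipaddress.ip_network(p).subnet_of(agg))


def holes_in(aggregate, prefixes):
    """Address ranges inside the aggregate that none of the component prefixes cover.
    A non-empty result means the summary advertises space the router cannot reach."""
    agg = ipaddress.ip_network(aggregate)
    components = [ipaddress.ip_network(p) for p in prefixes
                  if ipaddress.ip_network(p).subnet_of(agg)]
    uncovered = [agg]
    for comp in components:
        nxt = []
        for blk in uncovered:
            if comp.subnet_of(blk):
                nxt.extend(blk.address_exclude(comp))  # carve the component out of this block
            elif blk.subnet_of(comp):
                pass  # block is entirely inside a component: fully covered
            else:
                nxt.append(blk)
        uncovered = nxt
    return [str(n) for n in ipaddress.collapse_addresses(uncovered)]


if __name__ == "__main__":
    print("smallest summary of VLAN 100 and 150:",
          minimal_summary(["192.168.100.0/24", "192.168.150.0/24"]))
    for agg in ("192.168.0.0/16", "192.168.0.0/18"):
        print(agg, "suppresses:", suppressed_by(agg, BGP_TABLE))
        print(agg, "uncovered space:", holes_in(agg, BGP_TABLE))
```

Run it and the first line explains the original symptom: 192.168.100.0/24 and 192.168.150.0/24 differ in the top bit of the third octet, so the smallest prefix that holds both is 192.168.0.0/16, and a summary-only aggregate of that size suppresses all nine 192.168.x.0/24 routes in the table. The 192.168.0.0/18 aggregate used later in the thread suppresses only the seven routes below 192.168.64.0 and leaves large uncovered ranges, which is the kind of gap Giuseppe is warning about.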
09-12-2023 02:10 PM - last edited on 10-10-2023 05:41 AM by Translator
Hello, I'm truly sorry for such a late response but I was busy and haven't been able to do the network properly until today. I must say that BGP aggregation is very hard indeed to do and it took me quite some time to understand it.
I did follow your rules and thank you all for the big help. Also that page about route aggregation really helped. Now to the details and what I did:
By the way, I did try ip prefix-list but it still wasn't working correctly. I then figured out that I hadn't understood the concept of aggregation.
I figured one thing. The reason why D1 suppresses all routes is because of what @Giuseppe Larosa said. I did an ip access-list with too large prefixes so this was the intended behavior. I then realized that it's stupid to summarize only those two addresses 192.168.150.0 and 192.168.100.0 to go out. So instead, I put the commands on D1 so that he aggregates all IP addresses that are coming to him, so that D2 and D3 have a lower BGP table as well as routing table.
The network is 192.168.0.0 255.255.192.0.
After I did the command:
aggregate-address 192.168.0.0 255.255.192.0 summary-only as-path
for some reason, Edge-A router was STILL getting the 192.168.0.0/18 address in his BGP table.
I was confused. Why would he get this route when I did put the as-path command? Then I realized that his path for 192.168.0.0 shows 64530, 100, 150. There isn't his as-path attribute at all for the route so he naturally installs it. C3 of course didn't install this because he has the AS path in that route.
So how did I stop this? @David Ruess Thank you, I now realize what the no-export command actually is and how good it is. To get rid of 192.168.0.0/18 on Edge-A (since it's worthless to have it right?), I did this on D1:
route-map SET_NO_EXPORT permit 10
match ip address 1
set community no-export
!
access-list 1 permit 192.168.0.0 0.0.63.255
neighbor 90.0.0.1 send-community
neighbor 90.0.0.1 route-map SET_NO_EXPORT out
I did the same for C3 neighbor but I think it's pointless since he didn't receive the route in the first place. I'm going to delete that later.
With this no-export command, I managed to get rid of the 192.168.0.0/18 network on Edge-A router. Also had to do the hard reset with clear ip bgp *. The soft reset clear ip bgp * soft didn't work at all sadly.
But now I have one question if you don't mind helping me.
Where should I summarize routes for let's say ISP_1 and ISP_2 router so they don't have a big routing table? Let's say that this is a real network and ISP's are connected with the rest of the internet. How to make a proper command of aggregation?
Should I aggregate 172.x.x.x and 192.168.x.x addresses on Edge-A and Edge-B, then use no-export commands to make sure they are only put on ISPs?
Or should I use aggregate commands on ISP_1 and ISP_2 routers so they can advertise these routes farther in the network? Or this job should be from the inside?
It's a genuine question regarding the whole internet. I'm curious how would a network engineer solve this if he had access to both ISP routers and Edge routers. Would a better solution be to automatically summarize them at the Edge routers or advertise everything to ISP and then ISP does the summarize?
Later on I will do all other commands such as suppress-map, unsuppress-map, advertise-map and attribute-map to showcase all possibilities.
09-12-2023 02:56 PM
In its true usage route summarization is used to reduce routing tables and route propagation. So to answer your question at its basic form: you would summarize routes on routers pointing to devices that don't need the full routing table. Customer routers do not need the full routing table (usually), especially if there is only one way out, why would you? If you can only leave your network one way all you really need is a default route. But the summarization helps out a bit by condensing larger network advertisements.
If your plan is to advertise them to the next router (from Customer->ISP or vice versa) just to have the ISP summarize, then why not summarize before sending the routes to reduce traffic on the link.
Like I mentioned before, if there are multiple connections then summarization has slightly different effects, as the core of routing is that more specific routes are chosen. So if one ISP is advertising specific routes and another ISP is advertising the summary and you're connected to both, then the routes of the more specific ISP will be chosen.
To answer your question "kinda" about having access to both ISP and customer networks: BGP can be manipulated to choose ingress and egress routes from either perspective, so it's up to you as far as how you want the routes to flow in your networks. The ISP
-David
09-12-2023 03:23 PM - last edited on 10-10-2023 05:51 AM by Translator
Hey David. I have now an issue here.
After doing the send-community and route-map SET_NO_EXPORT for the 90.0.0.1 neighbor and C3 neighbor, now they do not get any route from D1 at all. 10.255.255.0 is not sent together with 192.168.150.0 and 192.168.100.0.
I figured out that this has to be the route-map issue since it just has one permit statement to allow 192.168.0.0/18 and then set it to no export. This does the thing, but the route-map suddenly blocks everything else.
Is there any fix to this issue? I'm completely at the edge.
What I did is:
ip access-list extended RESTORE
permit ip any any
!
!
ip prefix-list NO_EXPORT seq 5 permit 192.168.0.0/18
!
route-map SET_NO_EXPORT permit 10
match ip address prefix-list NO_EXPORT
set community no-export
!
route-map SET_NO_EXPORT permit 20
match ip address RESTORE
!
IP addresses are restored and C3 / Edge-A have gotten the networks in their routing table. But now with this new command added, the route-map isn't working at all. The no export command is set off and 192.168.0.0/18 has returned to C3 router. (This time it's on C3 because I did all resets and Edge-A didn't manage to learn it first).
BIG EDIT FIX:
Okay, after some thorough process of my mind, I was thinking... What to do. Then I remembered that on C3 I can actually put the set community none command. How dumb I am. This is part of the configuration on C3:
neighbor 150.224.224.198 remote-as 64530
neighbor 150.224.224.198 route-map ALLOW in
ip access-list extended YES
permit ip 10.255.255.0 0.0.0.63 any
permit ip 192.168.100.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
deny ip any any
route-map ALLOW permit 10
match ip address YES
set community none
After doing these commands, C3 now has the 10.255.255.0/26 entry in this table together with 192.168.100.0/150.0. He started to communicate with D1 correctly and uses that link as a possible route, while not having 192.168.0.0/18 in his route at all!
I guess I did it correctly now, finally. All I had to do was make an ip access-list and allow only certain routes but leave 192.168.0.0/18 out. Then put that route-map inside as an incoming packet and that's it.
I never thought this would be the solution (at least I think this is the best one I can make).
As for the rest of the network, will aggregate on edge routers as you suggested to reduce the traffic and then make sure those networks are only sent to the corresponding ISP and not everyone. I do hope it will work. I can already foresee the trouble ahead as doing summary-only will suppress all routes so others will have only a single path to some networks. This might cause errors in the future if one link fails. I don't know how I'd do this.
My brute force would be to simply do an unsuppress route-map for each neighbor that needs it. Though this would require a lot of networks to write down. Maybe ip prefix-list can do this faster? With the /ge and /le commands? Will check it later though, still not sure.
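The behaviour hit twice in this thread (the SET_NO_EXPORT map with a single permit clause dropping 10.255.255.0/26 because a route-map ends in an implicit deny, and C3's inbound map with set community none), plus the ge/le question just above, can be reproduced with a small policy model. What follows is an added example, not configuration from the thread or Cisco code: a Python model of route-map and prefix-list evaluation with first-match semantics, an implicit deny, set community no-export / none, and the rule that a route carrying no-export is not passed on to eBGP peers. The prefix-list named YES stands in for the extended ACL of the same name in C3's configuration, and the prefix-list ALL_24S (a constructed name) shows how one entry with ge 24 le 24 covers every 192.168.x.0/24 at once.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)


class PrefixList:
    """Model of 'ip prefix-list NAME permit|deny A.B.C.D/len [ge G] [le L]'.

    Entries are tried in order and the first hit decides. An entry without ge/le
    matches only that exact length, ge/le widen the accepted length range, and the
    list ends in an implicit deny, just like a route-map.
    """

    def __init__(self, entries):
        self.entries = entries  # list of (action, "A.B.C.D/len", ge or None, le or None)

    def permits(self, prefix):
        net = ipaddress.ip_network(prefix)
        for action, entry, ge, le in self.entries:
            ent = ipaddress.ip_network(entry)
            low = ge if ge is not None else ent.prefixlen
            high = le if le is not None else (32 if ge is not None else ent.prefixlen)
            if net.subnet_of(ent) and low <= net.prefixlen <= high:
                return action == "permit"
        return False


@dataclass
class Clause:
    seq: int
    action: str                          # "permit" or "deny"
    match: Optional[str] = None          # prefix-list name; None matches every route
    set_community: Optional[str] = None  # "no-export", "none" (strip all) or None


class RouteMap:
    def __init__(self, clauses, prefix_lists):
        self.clauses = sorted(clauses, key=lambda c: c.seq)
        self.prefix_lists = prefix_lists

    def apply(self, route):
        """Return the route as it leaves the policy, or None when the route-map drops it."""
        for c in self.clauses:
            if c.match is not None and not self.prefix_lists[c.match].permits(route.prefix):
                continue
            if c.action == "deny":
                return None
            out = Route(route.prefix, set(route.communities))
            if c.set_community == "none":
                out.communities.clear()
            elif c.set_community is not None:
                out.communities.add(c.set_community)
            return out
        return None  # no clause matched: the implicit deny at the end of every route-map


def run_policy(route_map, routes):
    """Prefixes that survive the route-map, mapped to the communities they carry afterwards."""
    result = {}
    for r in routes:
        out = route_map.apply(r)
        if out is not None:
            result[out.prefix] = sorted(out.communities)
    return result


def readvertisable_to_ebgp(received):
    """Of the routes a router holds, those it may pass on to its own eBGP peers."""
    return sorted(p for p, comm in received.items() if "no-export" not in comm)


# Constructed data modelled on the thread's configuration.
PREFIX_LISTS = {
    "NO_EXPORT": PrefixList([("permit", "192.168.0.0/18", None, None)]),
    "YES": PrefixList([("permit", "10.255.255.0/26", None, None),
                       ("permit", "192.168.100.0/24", None, None),
                       ("permit", "192.168.150.0/24", None, None)]),
    "ALL_24S": PrefixList([("permit", "192.168.0.0/16", 24, 24)]),  # every 192.168.x.0/24
}
SET_NO_EXPORT_V1 = RouteMap([Clause(10, "permit", "NO_EXPORT", "no-export")], PREFIX_LISTS)
SET_NO_EXPORT_V2 = RouteMap([Clause(10, "permit", "NO_EXPORT", "no-export"),
                             Clause(20, "permit")], PREFIX_LISTS)  # permit-any restores the rest
ALLOW_IN = RouteMap([Clause(10, "permit", "YES", "none")], PREFIX_LISTS)
ROUTES = [Route("192.168.0.0/18"), Route("10.255.255.0/26"),
          Route("192.168.100.0/24"), Route("192.168.150.0/24")]

if __name__ == "__main__":
    v1 = run_policy(SET_NO_EXPORT_V1, ROUTES)
    print("single-clause map sends:", v1)  # only the /18; everything else implicitly denied
    v2 = run_policy(SET_NO_EXPORT_V2, ROUTES)
    print("with permit 20 added:", v2)
    print("neighbour may re-advertise to eBGP:", readvertisable_to_ebgp(v2))
    at_c3 = run_policy(ALLOW_IN, [Route(p, set(c)) for p, c in v2.items()])
    print("after C3's inbound ALLOW map:", at_c3)
```

With the single-clause map only 192.168.0.0/18 gets through, which matches the symptom of the other prefixes vanishing from the neighbours; the permit 20 clause with no match condition lets the rest pass untouched while the /18 keeps its no-export tag, and a router holding that tagged route will not hand it to its eBGP peers. C3's inbound map, as modelled here, filters out the /18 entirely and strips the communities from the three prefixes it keeps.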