BGP aggregate-address, how it works?

StefanStefanR
Level 1

Hello, I'm trying to understand how the BGP aggregate-address command actually works. The network is shown below:

 

[image: wholenetwork.PNG]

The whole network is configured and it's ready to go. On the D1 router from BGP 64530 I managed to aggregate 4 IP addresses:

10.10.154.208
10.10.189.0
10.10.198.0
10.16.0.0

I put them into 10.0.0.0/11 on the D1 router so he can route them out of the network. It works as expected:

[image: asdas1q.PNG]

D1 suspended these routes from advertising. But let's say I also want to summarize 192.168.150.0 and 192.168.100.0 which are VLAN 150 and VLAN 100 respectively. If that command is issued like this:

aggregate-address 192.168.0.0 255.255.0.0 summary-only route-map SELECT_VLAN
ip access-list extended 150
permit ip 192.168.100.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
deny ip any any

route-map SELECT_VLAN permit 10
match ip address 150

This unfortunately does not work. Access-list 150 only shows matches for the deny statement and for the 192.168.100.0/24 address, and never for .150. This then results in an unexpected result where D1 starts to suspend every route that starts with 192.168.x.x, as you can see from the image below:

[image: 12431421.PNG]

D1 is putting every route that he receives into suspend even though I stated that the ip access-list should match only VLAN 150 / 100. What causes this to happen? He should suspend only 192.168.100.0 and 192.168.150.0 but not every route.

To my understanding this means that one should aggregate addresses only on edge routers like Edge-A and Edge-B in this network right?

Let's take all IP addresses that start with 192.168 prefix. Those are:

192.168.33.1 /24
192.168.34.1 /24
192.168.40.1 /24
192.168.31.1 /24
192.168.32.1 /24
192.168.20.1 /24
192.168.30.1 /24
192.168.100.1 /24
192.168.150.1 /24

Summary address of these is: 192.168.0.0/16


The configuration of Edge-B for example goes like this:

!
router bgp 300
bgp router-id 5.5.5.5
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 170.255.255.254 remote-as 100
neighbor 202.0.0.2 remote-as 200
neighbor 202.1.0.1 remote-as 150
neighbor 203.200.200.205 remote-as 62100
!
address-family ipv4
network 13.13.13.0 mask 255.255.255.128
aggregate-address 192.168.0.0 255.255.0.0 as-set summary-only
neighbor 170.255.255.254 activate
neighbor 202.0.0.2 activate
neighbor 202.1.0.1 activate
neighbor 203.200.200.205 activate
exit-address-family
!



I used the as-set command so that he can advertise their AS numbers respectively to the ISP_2 router. My guess is that this should be done the same for Edge-A as well?

If we take a look at Edge-B's BGP table, it looks like this:

[image: 123.PNG]

The first IP address is 192.168.0.0/16 and the rest are suspended. Then on ISP_2 we can see:

[image: asd4241.PNG]

ISP_2 can successfully ping any network and his routing table has been sliced down to being smaller by a large margin.

Conclusion from this is that I should now aggregate all addresses that start with 172.x.x.x + the 176 one which will result in 160.0.0.0/3 (for an example) and then put this only on edge routers so they can share this with ISP_1 and ISP_2 routers?

Is there any reason why the D1 router for an example cannot aggregate only certain IP addresses that I want but instead he suspends everything? Is my route-map wrong or the ip access-list?

I know there are a lot of commands to use like:

no export
advertise-map
attribute-map

but should these commands ever be used in a network like this? Any purpose? Because I don't understand why I would do the no export command on one router and then use attribute-map to modify the behavior on another router to have it set to "none" so he can advertise this route. I just don't see the concept of this.

Or using the advertise-map command to only aggregate certain addresses. Is there any benefit of these? Since my BGP in the network is only advertising LAN networks together with loopbacks from 1 to n which are considered as a LAN network as well. No interfaces are being advertised and IGP is used between iBGP routers. I really don't know...

I followed this guideline: 
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/5441-aggregation.html

Any help is appreciated!
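The suppression behaviour this question runs into can be checked offline. The Python below is an added example, not code from the thread or from Cisco: it models what summary-only does (every component route inside the aggregate is withheld, whatever route-map sits on the aggregate-address line) and how wide an aggregate has to be to contain a given set of prefixes. The prefixes are the ones listed in the question; the model itself, and the unsuppress argument standing in for a per-neighbor unsuppress-map, are assumptions.

```python
"""Offline model of `aggregate-address ... summary-only` (assumed, not IOS code).

summary-only withholds every component route that falls inside the
aggregate, regardless of any route-map attached to the aggregate-address
line; only an unsuppress-map applied per neighbor lets chosen components
through again.  Routes outside the aggregate are untouched.
"""
from ipaddress import ip_address, ip_network

# The /24s from the question, normalized to network form (host .1 dropped).
VLAN_ROUTES = [
    "192.168.33.0/24", "192.168.34.0/24", "192.168.40.0/24",
    "192.168.31.0/24", "192.168.32.0/24", "192.168.20.0/24",
    "192.168.30.0/24", "192.168.100.0/24", "192.168.150.0/24",
]

# The four 10.x addresses D1 aggregated into 10.0.0.0/11 (the question gives
# no masks for them, so they are checked as plain addresses).
TEN_ADDRESSES = ["10.10.154.208", "10.10.189.0", "10.10.198.0", "10.16.0.0"]


def covered_addresses(aggregate, addresses):
    """Addresses that fall inside the aggregate prefix."""
    agg = ip_network(aggregate)
    return [a for a in addresses if ip_address(a) in agg]


def suppressed_components(aggregate, components):
    """Component routes summary-only withholds: every more-specific of the aggregate."""
    agg = ip_network(aggregate)
    return [c for c in components if ip_network(c).subnet_of(agg)]


def advertised_after_summary_only(aggregate, components, unsuppress=()):
    """What a neighbor receives: the aggregate, every component outside it,
    and any suppressed component explicitly permitted by the (assumed)
    unsuppress prefix list.  Returned sorted, as strings."""
    agg = ip_network(aggregate)
    allowed = {ip_network(p) for p in unsuppress}
    out = [agg]
    for c in components:
        net = ip_network(c)
        if not net.subnet_of(agg) or net in allowed:
            out.append(net)
    return [str(n) for n in sorted(out)]


def smallest_supernet(prefixes):
    """Shortest single prefix containing all given prefixes; shows how wide an
    aggregate must be when the components are not contiguous."""
    nets = [ip_network(p) for p in prefixes]
    first = nets[0]
    for bits in range(first.prefixlen, -1, -1):
        candidate = first.supernet(new_prefix=bits)
        if all(n.subnet_of(candidate) for n in nets):
            return str(candidate)


if __name__ == "__main__":
    print("10.0.0.0/11 covers:", covered_addresses("10.0.0.0/11", TEN_ADDRESSES))
    print("/16 suppresses:", suppressed_components("192.168.0.0/16", VLAN_ROUTES))
    print("/18 suppresses:", suppressed_components("192.168.0.0/18", VLAN_ROUTES))
    print("smallest aggregate for VLAN 100 + 150 only:",
          smallest_supernet(["192.168.100.0/24", "192.168.150.0/24"]))
    print("neighbor sees (unsuppress VLAN 100/150):",
          advertised_after_summary_only("192.168.0.0/16", VLAN_ROUTES,
                                        unsuppress=["192.168.100.0/24", "192.168.150.0/24"]))
```

Two things fall out of running it: 192.168.0.0/16 contains all nine 192.168.x /24s, so summary-only on that aggregate suppresses every one of them, and the smallest single prefix that holds just VLAN 100 and VLAN 150 is still 192.168.0.0/16, because .100 and .150 differ in the first bit of the third octet. A route-map on the aggregate-address line does not change which components are suppressed; getting VLAN 100 and 150 back out is the job of a per-neighbor unsuppress list.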

 


Hello,

Let's see if we can help unpack all of this. First, BGP is a very dynamic and widely used protocol. It's the routing protocol of the internet. You need to be able to configure/tweak routes sometimes very specifically. So if you have to ask is there a reason for this command, the answer is likely yes there is, or at least there WAS at some point.

I'm not sure about the route-map in your initial problem, but maybe you can try creating a prefix list and matching it in the route-map:

ip prefix-list BGP_SUMMARY permit 192.168.100.0/24
ip prefix-list BGP_SUMMARY permit 192.168.150.0/24


When you aggregate BGP routes some path information is lost like AS path, MED, communities, etc.

Advertise-map - specifies the routes whose attributes should be "advertised" via the aggregate. This means you can pick out individual route attributes to selectively advertise in your aggregation.

For example lets say you have the routes:

192.168.33.1 /24 (5:5)
192.168.34.1 /24
192.168.40.1 /24
192.168.31.1 /24
192.168.32.1 /24
192.168.20.1 /24
192.168.30.1 /24
192.168.100.1 /24
192.168.150.1 /24

Let's say route 192.168.31.1 /24 has a community of 5:5. You can use a route-map matching on that community with the advertise-map and only routes with that community will be advertised.

No-export - is great for just suppressing a bunch of routes to eBGP neighbors instead of denying with an ACL. Let's say you aggregate the above 192.168.X.X routes and put no-export. Those routes will not leave the BGP AS but will be advertised to iBGP peers.

Since you are losing attributes in the aggregate, the attribute-map allows you to put in your own attributes, again manipulating the routes as you see fit.

For your comment:

>> Because I don't understand why would I do no export command on one router and then use attribute-map to modify the behavior on another router to have it set to "none" so he can advertise this route. I just don't see the concept of this.

 

Remember it's the internet routing protocol and there are much more complex environments than what you have. There is plenty of advertise this or don't advertise that or add this community or remove this community or change attributes on this route happening everywhere. Like I said, you need to be able to modify everything at any given point in the network.

 

This link may help a bit as well:

https://learningnetwork.cisco.com/s/article/BGP-Zero-to-Hero-Part-6--BGP-Aggregation---Load-sharing-balancing

-David

Giuseppe Larosa
Hall of Fame

Hello @StefanStefanR ,

First of all, you are creating aggregate addresses that include prefixes that are not contiguous.

Then about your configuration :

>>

aggregate-address 192.168.0.0 255.255.0.0 summary-only route-map SELECT_VLAN

ip access-list extended 150
permit ip 192.168.100.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
deny ip any any

route-map SELECT_VLAN permit 10
match ip address 150

Here, the route-map invoked in the aggregate-address is used to check something in order to decide if the aggregate address should be generated or not.

But you try to match on an IP extended ACL with source IP addresses the two subnets you would like to match.

The command is not doing what you would like to do.

You should use the unsuppress-map with a prefix-list that says what component routes should still be advertised.

As I have written above you are creating aggregate addresses that are too big or too short in prefix length.

The use of commands shown in the link you have provided has to be considered as a showcase of what can be done with BGP and the manipulation of BGP attributes on the created aggregate address.

So the setting of BGP community no-export, later overridden with BGP community none, is to be considered an example of what can be done.

Hope to help

Giuseppe

 

StefanStefanR
Level 1

 

Hello, I'm truly sorry for such a late response but I was busy and haven't been able to do the network properly until today. I must say that BGP aggregation is very hard indeed to do and it took me quite some time to understand it. 

I did follow your rules and thank you all for the big help. Also that page about route aggregation really helped. Now to the details and what I did:

By the way, I did try ip prefix-list but it still wasn't working correctly. I then figured out that I hadn't understood the concept of aggregation.

I figured one thing. The reason why D1 suppresses all routes is because of what @Giuseppe Larosa said. I did an ip access-list with too large prefixes so this was the intended behavior. I then realized that it's stupid to summarize only those two addresses 192.168.150.0 and 192.168.100.0 to go out. So instead, I put the commands on D1 so that he aggregates all IP addresses that are coming to him, so that D2 and D3 have a lower BGP table as well as routing table.

The network is 192.168.0.0 255.255.192.0. After I did the command

aggregate-address 192.168.0.0 255.255.192.0 summary-only as-path

for some reason the Edge-A router was STILL getting the 192.168.0.0/18 address in his BGP table.

I was confused. Why would he get this route when I did put the as-path command? Then I realized that his path for 192.168.0.0 shows 64530, 100, 150. There isn't his as-path attribute at all for the route so he naturally installs it. C3 of course didn't install this because he has the AS path in that route.

So how did I stop this? @David Ruess Thank you, I now realize what the no-export command actually is and how good it is. To get rid of 192.168.0.0/18 on Edge-A (since it's worthless to have it right?), I did this on D1:

route-map SET_NO_EXPORT permit 10
match ip address 1
set community no-export
!
access-list 1 permit 192.168.0.0 0.0.63.255

neighbor 90.0.0.1 send-community
neighbor 90.0.0.1 route-map SET_NO_EXPORT out

I did the same for C3 neighbor but I think it's pointless since he didn't receive the route in the first place. I'm going to delete that later.

With this no-export command, I managed to get rid of the 192.168.0.0/18 network on the Edge-A router. Also had to do the hard reset with clear ip bgp *. The soft reset clear ip bgp * soft didn't work at all sadly.

But now I have one question if you don't mind helping me.

Where should I summarize routes for let's say ISP_1 and ISP_2 router so they don't have a big routing table? Let's say that this is a real network and ISP's are connected with the rest of the internet. How to make a proper command of aggregation?

Should I aggregate 172.x.x.x and 192.168.x.x addresses on Edge-A and Edge-B, then use no-export commands to make sure they are only put on the ISPs?

Or should I use aggregate commands on ISP_1 and ISP_2 routers so they can advertise these routes farther in the network? Or this job should be from the inside?

It's a genuine question regarding the whole internet. I'm curious how would a network engineer solve this if he had access to both ISP routers and Edge routers. Would a better solution be to automatically summarize them at the Edge routers or advertise everything to ISP and then ISP does the summarize?

 

Later on I will do all other commands such as suppress-map, unsuppress-map, advertise-map and attribute-map to showcase all possibilities.

In its true usage route summarization is used to reduce routing tables and route propagation. So to answer your question at its basic form: you would summarize routes on routers pointing to devices that don't need the full routing table. Customer routers do not need the full routing table (usually). Especially if there is only one way out, why would you? If you can only leave your network one way, all you really need is a default route. But the summarization helps out a bit by condensing larger network advertisements.

If your plan is to advertise them to the next router (from Customer->ISP or vice versa) just to have the ISP summarize then why not summarize before sending the routes to reduce traffic on the link.

Like I mentioned before, if there are multiple connections then summarization has slightly different effects, as the core of routing is that more specific routes are chosen. So if one ISP is advertising specific routes and another ISP is advertising the summary and you're connected to both, then the routes of the more specific ISP will be chosen.

 

To answer your question "kinda" about having access to both ISP and customer networks: BGP can be manipulated to choose ingress and egress routes from either perspective, so it's up to you as far as how you want the routes to flow in your networks. The ISP

-David

 

Hey David. I have now an issue here.

After doing the send-community and route-map SET_NO_EXPORT for the 90.0.0.1 neighbor and the C3 neighbor, now they do not get any route from D1 at all. 10.255.255.0 is not sent together with 192.168.150.0 and 192.168.100.0.

I figured out that this has to be the route-map issue since it just has one permit statement to allow 192.168.0.0/18 and then set it to no export. This does the thing, but the route-map suddenly blocks everything else.

Is there any fix to this issue? I'm completely at the edge.

What I did is:

ip access-list extended RESTORE
permit ip any any
!
!
ip prefix-list NO_EXPORT seq 5 permit 192.168.0.0/18
!
route-map SET_NO_EXPORT permit 10
match ip address prefix-list NO_EXPORT
set community no-export
!
route-map SET_NO_EXPORT permit 20
match ip address RESTORE
!



IP addresses are restored and C3 / Edge-A have gotten the networks in their routing table. But now with this new command added, the route-map isn't working at all. The no export command is set off and 192.168.0.0/18 has returned to the C3 router. (This time it's on C3 because I did all resets and Edge-A didn't manage to learn it first.)


BIG EDIT FIX:

Okay, after some thorough process in my mind, I was thinking... what to do. Then I remembered that on C3 I can actually put the set community none command. How dumb I am. This is part of the configuration on C3:

neighbor 150.224.224.198 remote-as 64530
neighbor 150.224.224.198 route-map ALLOW in

ip access-list extended YES
permit ip 10.255.255.0 0.0.0.63 any
permit ip 192.168.100.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
deny ip any any

route-map ALLOW permit 10
match ip address YES
set community none



After doing these commands, C3 now has the 10.255.255.0/26 entry in his table together with 192.168.100.0/150.0. He started to communicate with D1 correctly and uses that link as a possible route, while not having 192.168.0.0/18 in his route at all!

I guess I did it now correctly finally. All I had to do was make an ip access-list and allow only certain routes but leave 192.168.0.0/18 out. Then put that route-map inside as an incoming packet and that's it.

I never thought this would be the solution (at least I think this is the best one I can make).

As for the rest of the network, will aggregate on edge routers as you suggested to reduce the traffic and then make sure those networks are only sent to the corresponding ISP and not everyone. I do hope it will work. I can already foresee the trouble ahead as doing summary-only will suppress all routes so others will have only a single path to some networks. This might cause errors in the future if one link fails. I don't know how I'd do this. 

My brute force would be to simply do an unsuppressed route-map for each neighbor that needs it. Though this would require a lot of networks to write down. Maybe ip prefix-list can do this faster? With the /ge and /le commands? Will check it though later, still not sure.
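The two route-map surprises in this post (a one-clause SET_NO_EXPORT dropping every other prefix, and the inbound ALLOW map on C3 filtering out the /18 while clearing communities) both come from the same evaluation rule, and so does the prefix-list ge/le question at the end. The Python below is an added example, not code from the thread or from Cisco: it models route-map evaluation as first matching clause wins, with an implicit deny after the last clause, plus prefix-list matching with ge/le and the effect of the no-export community on what a router passes to its eBGP peers. The BGP table is constructed from the prefixes in this post; modelling the extended ACL YES as prefix-list entries is an assumption.

```python
"""Offline model of IOS route-map evaluation (assumed, not IOS code).

Clauses are tried in sequence order; the first clause whose match succeeds
decides the route's fate (permit: apply the set actions and pass the route;
deny: drop it).  A prefix matching no clause falls off the end into the
implicit deny, which is why a route-map whose only clause is
`permit 10 / match prefix-list X` drops every prefix outside X.
"""
from ipaddress import ip_network

NO_EXPORT = "no-export"


def prefix_list_match(entries, prefix):
    """Evaluate `ip prefix-list` entries given as (action, network, ge, le).
    Without ge/le the prefix length must match exactly; `ge N` accepts
    lengths N..32, `le M` accepts base-length..M, both together N..M.
    First matching entry wins; no match means deny."""
    net = ip_network(prefix)
    for action, entry, ge, le in entries:
        base = ip_network(entry)
        if ge is None and le is None:
            lo = hi = base.prefixlen
        elif le is None:
            lo, hi = ge, base.max_prefixlen
        elif ge is None:
            lo, hi = base.prefixlen, le
        else:
            lo, hi = ge, le
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def match_prefix_list(entries):
    """Match function for a route-map clause backed by a prefix list."""
    return lambda route: prefix_list_match(entries, route["prefix"])


def run_route_map(clauses, route):
    """clauses: (seq, action, match_fn_or_None, set_actions).  Returns a copy
    of the route after the first matching clause, or None when it is denied,
    explicitly or by the implicit deny at the end."""
    for _seq, action, match_fn, set_actions in sorted(clauses, key=lambda c: c[0]):
        if match_fn is not None and not match_fn(route):
            continue
        if action == "deny":
            return None
        out = {"prefix": route["prefix"], "community": set(route["community"])}
        for name, value in set_actions:
            if name == "community":
                # `set community X` replaces the list; `none` clears it
                out["community"] = set() if value == "none" else {value}
        return out
    return None  # implicit deny


def apply_route_map(clauses, table):
    """Routes that survive the route-map, in table order."""
    return [r for r in (run_route_map(clauses, rt) for rt in table) if r is not None]


def exportable_to_ebgp(routes):
    """Prefixes a router honoring the well-known no-export community would
    still pass on to its own eBGP peers."""
    return [r["prefix"] for r in routes if NO_EXPORT not in r["community"]]


# Constructed D1 table after the /18 aggregate, from the prefixes in this post.
D1_TABLE = [
    {"prefix": "192.168.0.0/18", "community": set()},
    {"prefix": "192.168.100.0/24", "community": set()},
    {"prefix": "192.168.150.0/24", "community": set()},
    {"prefix": "10.255.255.0/26", "community": set()},
]

NO_EXPORT_PL = [("permit", "192.168.0.0/18", None, None)]

# First attempt: one clause only, so everything but the /18 hits the implicit deny.
SET_NO_EXPORT_V1 = [(10, "permit", match_prefix_list(NO_EXPORT_PL), [("community", NO_EXPORT)])]

# Fixed version: a trailing permit clause with no match restores the rest.
SET_NO_EXPORT_V2 = SET_NO_EXPORT_V1 + [(20, "permit", None, [])]

# C3's inbound ALLOW map, with the ACL YES modelled as prefix-list entries
# (assumption): listed prefixes pass with communities cleared, the /18 matches
# nothing and is dropped by the implicit deny.
ALLOW_PL = [
    ("permit", "10.255.255.0/26", None, None),
    ("permit", "192.168.100.0/24", None, None),
    ("permit", "192.168.150.0/24", None, None),
]
ALLOW_IN = [(10, "permit", match_prefix_list(ALLOW_PL), [("community", "none")])]

# One ge/le entry that covers every /24 under 192.168.0.0/16, for an
# unsuppress list that would otherwise need one line per VLAN.
ALL_VLAN_24S = [("permit", "192.168.0.0/16", 24, 24)]
```

Running apply_route_map(SET_NO_EXPORT_V1, D1_TABLE) returns only the /18, which reproduces the symptom described above; SET_NO_EXPORT_V2 returns all four routes with no-export on the /18 alone, and exportable_to_ebgp then shows the /18 is the one route a neighbor would keep to itself. The ge 24 le 24 entry matches 192.168.150.0/24 but not 192.168.0.0/18, which is the shortcut the closing question is after.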

 

 
