1593 Views, 10 Helpful, 15 Replies

BGP and route-map processing

verma-rohit
Level 1

Hi,

I am aware that when there is a match in a route-map, processing stops. However, I have come across a situation where route-map processing is posing a challenge to me.

It is a lengthy post, so please stick with me.

 

Host-A ( AS 64886 )  ----->  WAN

Host-A is connected to the WAN and is running BGP. Host-A has a route-map configured on the WAN peer.

-------------------------------------------------------------------------------------

Default Route and communities on local Router ( Host-A)
------------------------------------------------------------------------------
Host-A#show bgp vpnv4 unicast vrf blue 0.0.0.0
BGP routing table entry for 192.168.1.1:100:0.0.0.0/0, version 435894
BGP Bestpath: deterministic-med
Paths: (2 available, best #1, table blue)
Multipath: eBGP iBGP
Advertised to update-groups:
1 5 8
Refresh Epoch 1
65000 9318, (Received from a RR-client)
192.168.5.2 (metric 11) (via default)
Origin IGP, metric 0, localpref 950, valid, internal, multipath, best
Community: 163:17243 2002:35 2002:57 2002:1004
Extended Community: RT:8:100
mpls labels in/out nolabel/17
rx pathid: 0, tx pathid: 0x0

 

----------------------------------------------------------------------------------
When the default route is received on the WAN side, it has the AS path prepended to it.

XXXXXXXX--#show bgp vpnv4 unicast vrf B0001 neighbors 9.194.65.253 routes

*> 0.0.0.0     192.168.1.1     0 64886 64886 64886 65000 9318 i

 

-----------------------------------------------------------------------------------
Route-map rm_to_ce_blue is applied on the WAN peer. I am aware that processing stops when there is a match. However,
sequences 100 and 220 are both getting processed. Isn't processing supposed to stop when seq 100 matches?

 

route-map rm_to_ce_blue deny 100
description ** Deny prefixes matching policy **
match policy-list rp_lolo_source rp_site_multi_source ( shared below )


route-map rm_to_ce_blue permit 200 ( No match )
description ** Set no-export on neighbor-scope site prefixes from same block and AS **
match ip address prefix-list pl_site_allocation_blue pl_site_allocation_global
match policy-list rp_neighbor_scope
continue 300
set community no-export additive


route-map rm_to_ce_blue permit 210 ( No Match )
description ** Set no-export on local-scope site prefixes from same AS or adjacent AS **
match ip address prefix-list pl_site_allocation_blue pl_site_allocation_global
match policy-list rp_local_scope
match policy-list rp_adjacent_asn rp_same_asn
match ipv6 address prefix-list pl6_site_allocation_blue
continue 300
set community no-export additive

route-map rm_to_ce_blue permit 220 ( match )
description ** Prepend AS on regional default route prefix **
match ip address prefix-list pl_default_route
match policy-list rp_regional_scope
match ipv6 address prefix-list pl6_none
continue 300
set as-path prepend 64886 64886 ( shared below )

 

Policy-Lists & associated Communities
-------------------------------------

Host-A#show ip policy-list rp_site_multi_source
policy-list rp_site_multi_source permit
Match clauses:
community (community-list filter): 102

Host-A#show ip community-list 102
Community (expanded) access list 102
deny _2002:57_
deny _2002:59_
permit _2002:35_

Host-A#show ip prefix-list pl_default_route
ip prefix-list pl_default_route: 2 entries
seq 100 permit 0.0.0.0/0
seq 1000 deny 0.0.0.0/0 le 32

Host-A#show ip policy-list rp_regional_scope
policy-list rp_regional_scope permit
Match clauses:
community (community-list filter): 57

Host-A#show ip community-list 57
Community standard list 57
permit 2002:57

Host-A#show ipv6 prefix-list pl6_none
ipv6 prefix-list pl6_none: 1 entries
seq 1000 deny ::/0 le 128

ip prefix-list pl_site_allocation_blue does not have 0.0.0.0/0 in it.

 

Accepted Solution

@verma-rohit 

 

Now, if the default route is matched by seq 100, why is it matched again by seq 220? Seq 100 matched the default route
and should filter it out. I am unable to get my head around why the default route was processed again
by seq 220.

 

SEQ100: matches only _2002:35_

SEQ220: matches only 2002:57 and prepends the AS path. Now my question is: in "163:17243 2002:35 2002:57 2002:1004", does community 2002:57 exist? Yes, then it is allowed. So community 2002:35 is part of the path of community 2002:57, right? Why wouldn't it be prepended? I think that it will be prepended.

 

 

 

 

Jaderson Pessoa
*** Rate All Helpful Responses ***

15 Replies

Jaderson Pessoa
VIP Alumni

.

Jaderson Pessoa
*** Rate All Helpful Responses ***

@Jaderson Pessoa: I think you missed your post on the solution.

@verma-rohit ahah, sorry...

 

route-map rm_to_ce_blue deny 100
description ** Deny prefixes matching policy **
match policy-list rp_lolo_source rp_site_multi_source ( shared below )  (What do you have under this policy, in bold?)


Host-A#show ip policy-list rp_site_multi_source
policy-list rp_site_multi_source permit
Match clauses:
community (community-list filter): 102

 

Host-A#show ip community-list 102
Community (expanded) access list 102
deny _2002:57_     < will not be checked for this community-list
deny _2002:59_     < will not be checked for this community-list
permit _2002:35_   < will be checked


Host-A#show bgp vpnv4 unicast vrf blue 0.0.0.0
BGP routing table entry for 192.168.1.1:100:0.0.0.0/0, version 435894
BGP Bestpath: deterministic-med
Paths: (2 available, best #1, table blue)
Multipath: eBGP iBGP
Advertised to update-groups:
1 5 8
Refresh Epoch 1
65000 9318, (Received from a RR-client)
192.168.5.2 (metric 11) (via default)
Origin IGP, metric 0, localpref 950, valid, internal, multipath, best
Community: 163:17243 2002:35 2002:57 2002:1004
Extended Community: RT:8:100
mpls labels in/out nolabel/17
rx pathid: 0, tx pathid: 0x0

 

It appears fine, but there are two statements under your route-map "route-map rm_to_ce_blue deny 100"; could you share what you have under this policy? rp_lolo_source

Jaderson Pessoa
*** Rate All Helpful Responses ***

ip policy-list rp_lolo_source permit
match community 25
!

ip community-list 25 permit 2002:25

 

deny _2002:57_     < will not be checked for this community-list
deny _2002:59_     < will not be checked for this community-list
permit _2002:35_   < will be checked

 

_2002:57_ should be checked, as the default route has the same value. Once it matches, processing should stop. As the route-map and the community are both denied, this results in the default route being permitted.

@verma-rohit Please share the configurations below:

 

prefix-list pl_site_allocation_blue

pl_site_allocation_global

rp_neighbor_scope

rp_local_scope

rp_adjacent_asn

rp_same_asn

Jaderson Pessoa
*** Rate All Helpful Responses ***

ip prefix-list pl_site_allocation_global seq 100 permit 129.95.0.0/19 le 32
ip prefix-list pl_site_allocation_global seq 1000 deny 0.0.0.0/0 le 32

ip prefix-list pl_site_allocation_blue seq 100 permit 129.192.216.0/21 le 32
ip prefix-list pl_site_allocation_blue seq 110 permit 129.192.224.0/21 le 32
ip prefix-list pl_site_allocation_blue seq 120 permit 129.192.232.0/21 le 32
ip prefix-list pl_site_allocation_blue seq 130 permit 129.192.212.0/23 le 32
ip prefix-list pl_site_allocation_blue seq 140 permit 129.192.214.0/23 le 32
ip prefix-list pl_site_allocation_blue seq 150 permit 129.192.241.0/24 le 32
ip prefix-list pl_site_allocation_blue seq 160 permit 129.190.52.0/24 le 32
ip prefix-list pl_site_allocation_blue seq 170 permit 129.190.82.0/24 le 32
ip prefix-list pl_site_allocation_blue seq 200 permit 129.190.202.0/27 le 32
ip prefix-list pl_site_allocation_blue seq 210 permit 129.185.226.0/24 le 32
ip prefix-list pl_site_allocation_blue seq 220 permit 129.185.229.0/24 le 32
ip prefix-list pl_site_allocation_blue seq 230 permit 129.185.232.0/24 le 32
ip prefix-list pl_site_allocation_blue seq 240 permit 129.190.39.0/24 le 32
ip prefix-list pl_site_allocation_blue seq 250 permit 129.198.82.0/23 le 32
ip prefix-list pl_site_allocation_blue seq 260 permit 129.192.152.0/22 le 32
ip prefix-list pl_site_allocation_blue seq 270 permit 129.192.156.0/24 le 32
ip prefix-list pl_site_allocation_blue seq 280 permit 129.190.159.0/24 le 32
ip prefix-list pl_site_allocation_blue seq 290 permit 129.192.130.0/24 le 32
ip prefix-list pl_site_allocation_blue seq 300 permit 129.190.63.128/27 le 32
ip prefix-list pl_site_allocation_blue seq 310 permit 129.198.81.0/25 le 32
ip prefix-list pl_site_allocation_blue seq 320 permit 129.190.118.0/26 le 32
ip prefix-list pl_site_allocation_blue seq 1000 deny 0.0.0.0/0 le 32

ip policy-list rp_neighbor_scope permit
match community 51
!
ip community-list 51 permit 2002:51

ip policy-list rp_local_scope permit
match community 52
!
ip community-list 52 permit 2002:52

ip policy-list rp_adjacent_asn permit
match as-path 11
!
ip as-path access-list 11 deny .+_.+

ip policy-list rp_same_asn permit
match as-path 1
!
ip as-path access-list 1 permit ^$

@verma-rohit Hello,

 

Well, everything is working as normal behaviour.

 

 

Host-A#show bgp vpnv4 unicast vrf blue 0.0.0.0
BGP routing table entry for 192.168.1.1:100:0.0.0.0/0, version 435894
BGP Bestpath: deterministic-med
Paths: (2 available, best #1, table blue)
Multipath: eBGP iBGP
Advertised to update-groups:
1 5 8
Refresh Epoch 1
65000 9318, (Received from a RR-client)
192.168.5.2 (metric 11) (via default)
Origin IGP, metric 0, localpref 950, valid, internal, multipath, best
Community: 163:17243 2002:35 2002:57 2002:1004
Extended Community: RT:8:100
mpls labels in/out nolabel/17
rx pathid: 0, tx pathid: 0x0

 

 

 

route-map rm_to_ce_blue deny 100    < everything that matches here will go to the next statement
description ** Deny prefixes matching policy **
match policy-list rp_lolo_source rp_site_multi_source ( shared below )

 

""

Host-A#show ip policy-list rp_site_multi_source
policy-list rp_site_multi_source permit
Match clauses:
community (community-list filter): 102

Host-A#show ip community-list 102
Community (expanded) access list 102
deny _2002:57_
deny _2002:59_
permit _2002:35_

 

""

The statement 100 above will deny community 2002:35

 

There is no match here 

route-map rm_to_ce_blue permit 200 ( No match )
description ** Set no-export on neighbor-scope site prefixes from same block and AS **
match ip address prefix-list pl_site_allocation_blue pl_site_allocation_global
match policy-list rp_neighbor_scope
continue 300
set community no-export additive

 

There is no match here 
route-map rm_to_ce_blue permit 210 ( No Match )
description ** Set no-export on local-scope site prefixes from same AS or adjacent AS **
match ip address prefix-list pl_site_allocation_blue pl_site_allocation_global
match policy-list rp_local_scope
match policy-list rp_adjacent_asn rp_same_asn
match ipv6 address prefix-list pl6_site_allocation_blue
continue 300
set community no-export additive

 

route-map rm_to_ce_blue permit 220 ( match )
description ** Prepend AS on regional default route prefix **
match ip address prefix-list pl_default_route
match policy-list rp_regional_scope   < here you are allowing everything between "_2002:57_" and prepending it. So

(163:17243 2002:35 2002:57 2002:1004)  <<  2002:35 was denied by statement 100 and is now allowed by statement 220, because it is part of _2002:57_
match ipv6 address prefix-list pl6_none
continue 300
set as-path prepend 64886 64886 ( shared below )

 

 

What do you want to do?

Jaderson Pessoa
*** Rate All Helpful Responses ***

Thanks Jaderson:

 

I am confused about the sequence 100 processing.

route-map rm_to_ce_blue deny 100    < everything that matches here will go to the next statement
description ** Deny prefixes matching policy **
match policy-list rp_lolo_source rp_site_multi_source ( shared below )

 

""

Host-A#show ip policy-list rp_site_multi_source
policy-list rp_site_multi_source permit
Match clauses:
community (community-list filter): 102

Host-A#show ip community-list 102
Community (expanded) access list 102
deny _2002:57_
deny _2002:59_
permit _2002:35_

 

1. The default route is marked as 163:17243 2002:35 2002:57 2002:1004.

2. Community-list 102 denies a route which has the community value _2002:57_. The route-map also has a deny clause; don't you think
   it will permit the route with community 2002:57 and stop further processing?

3. If not, how is a route-map with deny and a community-list with deny processed?

It is not processed, it is ignored. But in your statement you have one permit line; in this case it is not ignored.
Jaderson Pessoa
*** Rate All Helpful Responses ***

route-map rm_to_ce_blue deny 100    < everything that matches here will go to the next statement
description ** Deny prefixes matching policy **
match policy-list rp_lolo_source rp_site_multi_source ( shared below )

 

Doesn't the route-map stop processing when there is a match? Why did it never quit after seq 100?

@verma-rohit Hello,

 

Look at this:

"The configuration is as follows: Any thing that matches the policy list  rp_lolo_source rp_site_multi_source should be processed by the statement 100 of the route-map rm_to_ce_blue. All other prefixes should fall to the next statement for processing"

[Attachment: ROUTE-MAP CONSIDERATIONS.PNG]

Here you will find a good explanation/discussion about it.

https://learningnetwork.cisco.com/thread/125089

Jaderson Pessoa
*** Rate All Helpful Responses ***

route-map rm_to_ce_blue deny 100 < everything that matches here will go to the next statement
description ** Deny prefixes matching policy **
match policy-list rp_lolo_source rp_site_multi_source ( shared below )

Host-A#show ip policy-list rp_site_multi_source
policy-list rp_site_multi_source permit
Match clauses:
community (community-list filter): 102

Host-A#show ip community-list 102
Community (expanded) access list 102
deny _2002:57_ ! IGNORE
deny _2002:59_ ! IGNORE
permit _2002:35_ ! PERMIT

It means the default route is matched and denied by the route-map. The remaining routes will be further processed by the route-map sequences.

route-map rm_to_ce_blue permit 220 ( match )
description ** Prepend AS on regional default route prefix **
match ip address prefix-list pl_default_route
match policy-list rp_regional_scope < here you are allowing everything between "_2002:57_" and prepending it. So

(163:17243 2002:35 2002:57 2002:1004) << 2002:35 was denied by statement 100 and is now allowed by statement 220, because it is part of _2002:57_
match ipv6 address prefix-list pl6_none
continue 300
set as-path prepend 64886 64886 ( shared below )

 

Now, if the default route is matched by seq 100, why is it matched again by seq 220? Seq 100 matched the default route
and should filter it out. I am unable to get my head around why the default route was processed again
by seq 220.


Hello @Jaderson Pessoa , @verma-rohit ,

+5 for @Jaderson Pessoa; the book mentioned is likely CCIE R/S Practical Studies Volume II or the CCIE R&S Official Certification Guide version 5.0 by @Peter Palùch

 

Again, we can translate a route-map with multiple clauses into an ordered list of if ... endif checks.

 

Routes are suppressed only if:

a) the prefix A.B.C.D/n is suppressed (not advertised or not received) because it matches a deny route-map clause on any applicable attribute of the prefix, or

b) the prefix A.B.C.D/n never matches any of the following route-map clauses (the if ... endif blocks), and there is the implicit deny-any logic, like in an IP ACL, or an explicit deny any any.

 

When used with BGP or other protocols, route-maps should have a final block such as permit 65000 with no match clause if the first blocks use negative logic.

 

Hope to help

Giuseppe
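To make the thread's behaviour concrete, the following Python model is added here as an illustration; it is not code from the thread, from Cisco IOS, or from either poster. It walks the route-map as Giuseppe describes it, an ordered list of if ... endif checks, and uses the community-list, policy-list and prefix-list semantics stated in the comments as assumptions. It shows why sequence 100 never fires for a route that carries both 2002:35 and 2002:57 (the first matching entry of expanded list 102 is `deny _2002:57_`, so the list returns no match), why that route then reaches sequence 220 and receives the two prepends (the third 64886 seen on the WAN router is the local AS added when the update is sent to the eBGP peer), and what Giuseppe's closing `permit 65000` changes for a route that matches nothing else. Sequences 200 and 210 are omitted because, as the question notes, their prefix-lists do not cover 0.0.0.0/0; the catch-all entry and the two extra sample routes are constructed for the example.

```python
import re
from ipaddress import ip_network

# Constructed model of IOS route-map evaluation for the thread's default route.
# Assumed semantics (not Cisco code): a community-list is read top-down and the first
# entry that matches decides (permit -> the list matches, deny -> it does not); a list
# with no matching entry is an implicit deny. Different match types in one route-map
# entry are ANDed, several names on one match line are ORed. Entries are read in
# sequence order: a matching deny entry drops the route; a matching permit entry
# applies its sets and then stops, or jumps to its `continue` sequence; a route that
# matches no entry at all is dropped by the implicit deny at the end of the map.

# Default route as shown by 'show bgp vpnv4 unicast vrf blue 0.0.0.0' in the thread
DEFAULT_ROUTE = {"prefix": "0.0.0.0/0", "as_path": [65000, 9318],
                 "communities": ["163:17243", "2002:35", "2002:57", "2002:1004"]}

# Community-lists from the thread: (kind, [(action, pattern), ...])
COMMUNITY_LISTS = {
    "102": ("expanded", [("deny", "_2002:57_"), ("deny", "_2002:59_"), ("permit", "_2002:35_")]),
    "57":  ("standard", [("permit", "2002:57")]),
    "25":  ("standard", [("permit", "2002:25")]),
}
# Policy-lists from the thread: each one is a single 'match community <list>' clause
POLICY_LISTS = {"rp_lolo_source": "25", "rp_site_multi_source": "102", "rp_regional_scope": "57"}
# Prefix-lists: (action, network, ge, le); None means 'exactly the network's own length'
PREFIX_LISTS = {"pl_default_route": [("permit", "0.0.0.0/0", None, None),
                                     ("deny", "0.0.0.0/0", None, 32)]}

def community_list_matches(name, communities):
    kind, entries = COMMUNITY_LISTS[name]
    text = " ".join(communities)
    for action, pattern in entries:
        if kind == "expanded":
            # IOS '_' matches a delimiter or the start/end of the attribute string
            regex = pattern.replace("_", r"(?:^|\s|$)")
            hit = re.search(regex, text) is not None
        else:
            hit = pattern in communities
        if hit:
            return action == "permit"   # first matching entry decides
    return False                         # implicit deny

def prefix_list_matches(name, prefix):
    net = ip_network(prefix)
    for action, base, ge, le in PREFIX_LISTS[name]:
        basenet = ip_network(base)
        lo = basenet.prefixlen if ge is None else ge
        hi = basenet.prefixlen if le is None else le
        if net.subnet_of(basenet) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

def entry_matches(entry, route):
    for kind, names in entry["match"]:
        if kind == "policy-list":
            ok = any(community_list_matches(POLICY_LISTS[n], route["communities"]) for n in names)
        else:  # "prefix-list"
            ok = any(prefix_list_matches(n, route["prefix"]) for n in names)
        if not ok:
            return False
    return True   # every match clause satisfied (an entry with no clauses matches everything)

def evaluate(route_map, route):
    """Return (verdict, AS path after sets, trace of which sequences matched)."""
    as_path, trace, verdict, i = list(route["as_path"]), [], "deny", 0
    while i < len(route_map):
        e = route_map[i]
        if not entry_matches(e, route):
            trace.append(f"seq {e['seq']}: no match")
            i += 1
            continue
        trace.append(f"seq {e['seq']}: match -> {e['action']}")
        if e["action"] == "deny":
            return "deny", as_path, trace
        verdict = "permit"
        as_path = e.get("prepend", []) + as_path
        nxt = [j for j, x in enumerate(route_map) if x["seq"] >= e.get("continue", 10**9)]
        if not nxt:   # no continue, or continue to a sequence that does not exist: stop here
            return verdict, as_path, trace
        i = nxt[0]
    return verdict, as_path, trace   # fell off the end: implicit deny unless a permit matched

# Sequences 100 and 220 of rm_to_ce_blue as posted in the thread
RM_TO_CE_BLUE = [
    {"seq": 100, "action": "deny",
     "match": [("policy-list", ["rp_lolo_source", "rp_site_multi_source"])]},
    {"seq": 220, "action": "permit", "continue": 300, "prepend": [64886, 64886],
     "match": [("prefix-list", ["pl_default_route"]), ("policy-list", ["rp_regional_scope"])]},
]
# The same map with the explicit catch-all entry Giuseppe recommends (constructed)
RM_WITH_CATCH_ALL = RM_TO_CE_BLUE + [{"seq": 65000, "action": "permit", "match": []}]

if __name__ == "__main__":
    for rm in (RM_TO_CE_BLUE, RM_WITH_CATCH_ALL):
        print(evaluate(rm, DEFAULT_ROUTE))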

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card