BGP Announcing more specific routes (/23 in two /24)

Plinio Brandao
Level 1

Hi Community,
We are facing some problems with the BGP configuration and we'd like to know if you can help us with this issue.

Description:
We have a /23 prefix and we are trying to announce two /24 to the ISP.
We know that for BGP to announce a prefix it must be present in the routing table, and a solution for announcing these more specifics is to use ip routes to Null0.
However, we are getting some problems with packets that are being dropped.

For instance, If my 2 routers have a LAN segment on /23:
r1: g0/0 - 190.25.3.252/23
r2: g0/0 - 190.25.3.253/23
fw: e0/0 - 190.25.3.250/23

I can ping each other.

If I put the following config, I lose the connectivity:
ip route 190.25.2.0 255.255.255.0 Null0 254
ip route 190.25.3.0 255.255.255.0 Null0 254

I think that is expected behavior because at this moment I have a more specific route pointing to Null0. So when traffic comes from the Internet to IP 190.25.2.10, for example, instead of going to the fw it is dropped.

r1#sh ip route 190.25.2.0
Routing entry for 190.25.2.0/24
  Known via "static", distance 254, metric 0 (connected)
  Advertised by bgp 65001
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1
r1#
r1#sh ip route 190.25.3.0
Routing entry for 190.25.2.0/24
  Known via "static", distance 254, metric 0 (connected)
  Advertised by bgp 65001
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1
r1#

The question is: how can I solve this issue? What would be the best practice?

At this moment, we have just one ISP for this example, but will be two or more.

Thank you very much. I'll provide an image of the topology to clarify this issue.

12 Replies

Jon Marshall
Hall of Fame

The requirement for BGP to advertise the network is that the route must be in the IP routing table but it doesn't say anything about what the next hop is as long as it is reachable.

So why not try changing the next hop to be the firewall for the routes you are adding.

Jon

Plinio,

 I agree 100% with Jon Marshall on this one. I know what you're thinking, but in this instance, you do not need to do that.

 

For instance, If my 2 routers have a LAN segment on /23:
r1: g0/0 - 190.25.3.252/23
r2: g0/0 - 190.25.3.253/23
fw: e0/0 - 190.25.3.250/23

I can ping each other.

If I put the following config, I lose the connectivity:
ip route 190.25.2.0 255.255.255.0 Null0 254
ip route 190.25.3.0 255.255.255.0 Null0 254

 

You do not need the Null0 routes. In your picture, these LAN routes go back towards your firewall, so as Jon Marshall suggested I would do this.

 

ip route 190.25.2.0 255.255.255.0 [firewall-nexthop]
ip route 190.25.3.0 255.255.255.0 [firewall-nexthop]

 

Hi Guys,

Thank you for your feedback.

I made the changes, but I got the following result:

With routes pointing to Null0, I have the following output:

r1#sh ip bgp nei x.x.x.x advertised-routes 

BGP table version is 7, local router ID is 10.4.27.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
 
     Network          Next Hop            Metric LocPrf Weight Path
 *>  190.25.2.0/24  0.0.0.0                  0         32768 i
 *>  190.25.2.0/23  0.0.0.0                  0         32768 i
 *>  190.25.3.0/24  0.0.0.0                  0         32768 i
 
Total number of prefixes 3 
r1#
 
After this config:
 
ip route 190.25.2.0 255.255.255.0 190.25.3.250
ip route 190.25.3.0 255.255.255.0 190.25.3.250
 
I have the following output:
 
r1#sh ip bgp nei x.x.x.x advertised-routes 
BGP table version is 11, local router ID is 10.4.27.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
 
     Network          Next Hop            Metric LocPrf Weight Path
 *>  190.25.2.0/24  190.25.3.250             0         32768 i
 *>  190.25.2.0/23  0.0.0.0                  0         32768 i
 
Total number of prefixes 2
r1#

 

The second /24 (190.25.3.0/24) isn't advertised.

Maybe I have to change this design.

 

Can you post -

"sh ip route 190.25.2.0 255.255.254.0"

"sh ip route 190.25.2.0 255.255.255.0"

"sh ip route 190.25.3.0 255.255.255.0"

Jon

Sure Jon,

r1#sh ip route 190.25.2.0 255.255.254.0
Routing entry for 190.25.2.0/23
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Advertised by bgp 65001
  Routing Descriptor Blocks:
  * directly connected, via Ethernet0/0
      Route metric is 0, traffic share count is 1
r1#
r1#
r1#
r1#sh ip route 190.25.2.0 255.255.255.0
Routing entry for 190.25.2.0/24
  Known via "static", distance 1, metric 0
  Advertised by bgp 65001
  Routing Descriptor Blocks:
  * 190.25.3.250
      Route metric is 0, traffic share count is 1
r1#
r1#
r1#sh ip route 190.25.3.0 255.255.255.0
% Subnet not in table
r1#
r1#
r1#sh run | i ip route
ip route 190.25.2.0 255.255.255.0 190.25.2.250 name BGP
ip route 190.25.3.0 255.255.255.0 190.25.3.250 name BGP
r1#

I don't know if the route is not installed because of the configuration of the interface, which is a /23.

Jon,

I fixed the problem using this config:

ip route 190.25.2.0 255.255.255.0 Ethernet0/0
ip route 190.25.3.0 255.255.255.0 Ethernet0/0
 
 
r1#sh ip bgp nei x.x.x.x advertised-routes 
BGP table version is 15, local router ID is 10.4.27.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
 
     Network          Next Hop            Metric LocPrf Weight Path
 *>  190.25.2.0/24  0.0.0.0             0         32768 i
 *>  190.25.2.0/23  0.0.0.0                  0         32768 i
 *>  190.25.3.0/24  0.0.0.0                  0         32768 i
 
Total number of prefixes 3
r1#
 
I think that can be a valid solution, ok?

You beat me to it :)

Good idea to use the outgoing interface and not the next hop IP.

So it's all working now ?

Jon

Hi Jon,

Yes, everything is working fine and as expected.

I appreciate your attention.

Thank you very much.

No problem but can you have a read of my last post just to be sure you understand what is happening.

Jon

In terms of whether it is valid it depends.

When you configure a static route with a next hop IP then your router simply needs to ARP for the next hop IP and the firewall responds because it owns that IP.

When you configure a static route pointing out of an interface then the router has to ARP for all destinations in that subnet. If the destination IP is on the other side of the firewall then the firewall has to be running proxy ARP to reply with its own MAC address.

So -

1) are the /24 networks on the other side of the firewall

2) is the firewall running proxy arp on the interface facing the router

Jon

 

Jon,

In this scenario we have just 4 hosts using this /23 (2 firewalls and the 2 routers).

On the firewall, we have an outside interface that is part of the /23 and one interface that is the inside (10.x.x.x).

So, in this case, we will not have hosts on /23 (/24 and /24). We will have just NAT translations.

I'm not sure just about why the route to the 2nd /24 was not being shown in the routing table. The router was considering just the first /24 and the /23.

Thank you again.

Okay that makes sense.

If the firewall is only using those IPs for NAT then it should work okay because the firewall will respond to an ARP request for any of those addresses if it has a NAT statement for it which is exactly what you want to happen.

Jon
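The three outcomes the thread walks through (Null0 more specifics blackholing the firewall itself, the 190.25.3.0/24 next-hop route refusing to install, and the outgoing-interface route depending on who answers ARP) can be reproduced with a small longest-prefix-match simulator. The code below is an added example, not part of the thread and not IOS code. The prefixes, Ethernet0/0 and the firewall address 190.25.3.250 come from the posts; the NAT address 190.25.2.10, the non-NAT address 190.25.2.11 and the Firewall model are assumptions for illustration.

```python
"""RIB walk-through of the thread's BGP more-specific problem.

Added example, not from the original thread and not IOS. Models three
behaviours the posts show: longest match sending traffic to a Null0 /24
instead of the connected /23, a static route whose next hop resolves only
through itself being refused, and an interface static route making the
router ARP for the destination itself.
"""
from ipaddress import ip_address, ip_network


class Firewall:
    """The fw of the thread (assumed model): replies to ARP for its own
    outside IP, for addresses it has NAT statements for, and for
    everything on the segment if proxy ARP is on."""

    def __init__(self, outside_ip, nat_ips=(), proxy_arp=False):
        self.outside_ip = outside_ip
        self.nat_ips = set(nat_ips)
        self.proxy_arp = proxy_arp

    def arp_reply(self, ip):
        if ip == self.outside_ip or ip in self.nat_ips or self.proxy_arp:
            return "forwarded to fw"
        return "dropped (no ARP reply)"


class Rib:
    """Routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []  # entries are (network, kind, target)

    def lookup(self, dst):
        dst = ip_address(dst)
        best = None
        for r in self.routes:
            if dst in r[0] and (best is None or r[0].prefixlen > best[0].prefixlen):
                best = r
        return best

    def add_connected(self, prefix, ifname):
        self.routes.append((ip_network(prefix), "connected", ifname))

    def add_static(self, prefix, target):
        """'ip route <prefix> <target>' with target Null0, an interface name
        or a next-hop IP. A next-hop route whose next hop resolves only
        through the route itself is not installed, which is what the thread's
        '% Subnet not in table' shows for 190.25.3.0/24 via 190.25.3.250."""
        if target == "Null0":
            kind = "null"
        elif target[0].isalpha():
            kind = "interface"
        else:
            kind = "nexthop"
        route = (ip_network(prefix), kind, target)
        self.routes.append(route)
        if kind == "nexthop" and self.lookup(target) is route:
            self.routes.remove(route)
            return False
        return True

    def in_table(self, prefix):
        return any(r[0] == ip_network(prefix) for r in self.routes)

    def forward(self, dst, fw):
        """What r1 does with a packet arriving from the Internet for dst."""
        r = self.lookup(dst)
        if r is None or r[1] == "null":
            return "dropped (Null0)"
        # next-hop route: ARP only for the next hop; connected or interface
        # route: ARP for the destination itself, so someone must answer it
        arp_target = r[2] if r[1] == "nexthop" else dst
        return fw.arp_reply(arp_target)


def bgp_advertised(rib, networks):
    """'network' statements only advertise prefixes present in the RIB."""
    return [n for n in networks if rib.in_table(n)]


NETWORKS = ["190.25.2.0/23", "190.25.2.0/24", "190.25.3.0/24"]


def build(static_target):
    """r1 with its connected /23 plus the two /24 statics pointing at static_target.
    Returns the RIB and whether each static was installed."""
    rib = Rib()
    rib.add_connected("190.25.2.0/23", "Ethernet0/0")
    installed = [rib.add_static(p, static_target)
                 for p in ("190.25.2.0/24", "190.25.3.0/24")]
    return rib, installed


if __name__ == "__main__":
    fw = Firewall("190.25.3.250", nat_ips={"190.25.2.10"})  # assumed NAT entry
    for target in ("Null0", "190.25.3.250", "Ethernet0/0"):
        rib, installed = build(target)
        print(target, installed, bgp_advertised(rib, NETWORKS),
              rib.forward("190.25.2.10", fw), rib.forward("190.25.3.250", fw))
```

Running it shows why the Null0 variant loses the ping to 190.25.3.250 (the /24 to Null0 is longer than the connected /23, so the firewall address itself is blackholed), why the next-hop variant advertises only two prefixes, and why the outgoing-interface variant works only for addresses the firewall will answer ARP for, which in the thread's NAT-only design is exactly the translated addresses.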
