08-23-2013 12:17 AM - edited 03-04-2019 08:51 PM
Hi,
My lab has three ASes: 100, 200 and 300. I want to permit only AS 200 to R3 (AS 300), but when I checked, R8 and R7, which belong to AS 100, are also able to see the inside networks of AS 300.
Please help me in this.
I attached config and diagram with this message.
Thanks,
Anand Solgama
08-23-2013 04:30 AM
Hi Anand,
You currently only accept routes from AS200 on R3 but R1 accepts any routes, which explains why AS100 and AS300 can communicate with one another.
Regards
08-23-2013 10:01 AM
You are right, AS 100 can come from the R1 side too, but in my lab why is it coming from the R3 side, where I already block it? AS 100 can still see AS 300.
08-23-2013 10:02 AM
And yes, it is not going from R1, but that is not my worry. I am worried because AS 100 should not pass AS 300 on R3, where I used the ip as-path permit ^200$ command.
08-23-2013 10:28 AM
Hi Anand,
Did you clear the session after applying the policy ("clear ip bgp * soft in" on R3)? Also after clearing the session, could you post the "show ip bgp
Regards
08-23-2013 10:40 AM
This is the output of R3, where I specified the as-path command to permit only AS 200!
R3#sh ip bg
R3#sh ip bgp
BGP table version is 13, local router ID is 192.168.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/24 112.112.112.1 1 32768 ?
* 11.11.11.0/24 11.11.11.2 0 0 200 i
*> 0.0.0.0 0 32768 i
*> 12.12.12.0/24 112.112.112.2 65 32768 ?
*> 13.13.13.0/24 112.112.112.1 129 32768 ?
*> 14.14.14.0/24 112.112.112.1 20 32768 ?
*> 111.111.111.0/24 112.112.112.1 128 32768 ?
*> 112.112.112.0/24 0.0.0.0 0 32768 ?
*> 192.168.1.0 112.112.112.1 74 32768 ?
*> 192.168.2.0 112.112.112.2 74 32768 ?
*> 192.168.3.0 0.0.0.0 0 32768 ?
*> 200.200.200.0 112.112.112.1 1 32768 ?
*> 201.201.201.0 11.11.11.2 0 0 200 i
08-23-2013 10:57 AM
Hi Anand,
The only two routes that are received from R9 via BGP are 11.11.11.0/24 and 201.201.201.0/24 and they respect the filter you have put in place. All other routes are locally originated (weight 32768) and probably redistributed from OSPF.
Regards
08-23-2013 11:47 AM
You are right, great observation, thanks, but why is the 14.14.14.0/24 network still showing in R7 and R8 (AS 100) from R9?
R8#sh ip bgp
BGP table version is 17, local router ID is 201.201.201.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i10.10.10.0/24 10.10.10.1 0 100 0 i
*> 0.0.0.0 0 32768 i
*> 11.11.11.0/24 201.201.201.2 0 0 200 i
* 12.12.12.0/24 201.201.201.2 0 200 300 ?
*>i 10.10.10.1 65 100 0 300 ?
*>i13.13.13.0/24 10.10.10.1 65 100 0 300 ?
* 201.201.201.2 0 200 300 ?
*> 14.14.14.0/24 201.201.201.2 0 200 300 ?
* 111.111.111.0/24 201.201.201.2 0 200 300 ?
*>i 10.10.10.1 0 100 0 300 ?
* 112.112.112.0/24 201.201.201.2 0 200 300 ?
*>i 10.10.10.1 0 100 0 300 ?
* 192.168.1.0 201.201.201.2 0 200 300 ?
*>i 10.10.10.1 0 100 0 300 ?
* 192.168.2.0 201.201.201.2 0 200 300 ?
*>i 10.10.10.1 74 100 0 300 ?
*>i192.168.3.0 10.10.10.1 74 100 0 300 ?
Network Next Hop Metric LocPrf Weight Path
* 201.201.201.2 0 200 300 ?
*>i200.200.200.0 10.10.10.1 0 100 0 i
* 201.201.201.0 201.201.201.2 0 0 200 i
*> 0.0.0.0 0 32768 i
R7#sh ip bgp
BGP table version is 17, local router ID is 200.200.200.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i10.10.10.0/24 10.10.10.2 0 100 0 i
*> 0.0.0.0 0 32768 i
*>i11.11.11.0/24 10.10.10.2 0 100 0 200 i
*> 12.12.12.0/24 200.200.200.2 65 0 300 ?
*> 13.13.13.0/24 200.200.200.2 65 0 300 ?
*>i14.14.14.0/24 10.10.10.2 0 100 0 200 300 ?
*> 111.111.111.0/24 200.200.200.2 0 0 300 ?
*> 112.112.112.0/24 200.200.200.2 0 0 300 ?
*> 192.168.1.0 200.200.200.2 0 0 300 ?
*> 192.168.2.0 200.200.200.2 74 0 300 ?
*> 192.168.3.0 200.200.200.2 74 0 300 ?
* 200.200.200.0 200.200.200.2 0 0 300 i
*> 0.0.0.0 0 32768 i
*>i201.201.201.0 10.10.10.2 0 100 0 i
08-23-2013 11:50 AM
I guess it is because the 14.14.14.0/24 network has no route from the R1 side, so it chooses R3: on R3 I also redistribute the external routes of OSPF, but not on the R1 side, and 14.14.14.0/24 is a RIP network in my lab. So in short, R7 and R8 can reach my 14.14.14.0/24 network through the R9-->R3 path.
But here also it should be stopped by my as-path and route-map, which allow only AS 200, not AS 100.
08-23-2013 12:15 PM
Anand,
R3 filters routes inbound from R9. Routes advertised from R3 to R9 are not filtered, so there is no reason for 14.14.14.0/24 not to be advertised to R9 (AS200) and then to R7 and R8 (AS100).
Regards
08-23-2013 12:26 PM
OK, you mean I have to use an outbound filter, but if I use it, it affects R9 as well. But why is only the 14.14.14.0/24 network in R7 through AS 200, why not all?
08-23-2013 12:35 PM
Anand,
Well, as you mentioned, 14.14.14.0/24 is not known via OSPF on R1 and doesn't get redistributed in BGP. On the other hand, 14.14.14.0/24 does get redistributed in BGP on R3, which makes it the only BGP path advertised to R9 and then to R7 and R8, hence these routers selecting the path via AS200.
Regards
08-23-2013 12:46 PM
Thanks. Last question, friend, you helped me a lot: is there any way to stop AS 100 from seeing 14.14.14.0/24?
And yes, your reply means that if I advertise from AS 300 to AS 200, from there it reaches AS 100, which means my as-path ^200$ permit command fails and allows AS 100 as well.
I have one option: can I use the community no-advertise? But I guess it will stop advertising to AS 200 as well!
08-23-2013 01:00 PM
Anand,
> Thanks last question friend u helped me a lot that is there any way
> to stop that AS 100 to see 14.14.14.0/24 ???
You are welcome. There are many ways to prevent 14.14.14.0/24 from being learnt in AS100. In my last message, I suggested you apply on the R8 BGP session to R9 the same inbound filter you have on the R3 BGP session to R9.
> And yes ur reply means that if I advertise from AS 300 to AS 200 from
> there it reachs to AS 100 means my as-path ^200$ permit command fail.
> and allow AS 100 as well
No, the as-path filter does not fail. You need to remember that the filter on R3 is inbound and therefore only affects routes learned from R9 and not the routes advertised to R9.
> I have one option can I use community no-advertise but I guess
> it will stop to advertise to AS 200 as well!!!!
Again, my suggestion would be to add on the R8 BGP session to R9 the same filter you have on the R3 BGP session to R9.
Regards
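The inbound-versus-outbound point from the replies above, as an added example that is not part of the original thread: a simplified Python model of an as-path filter-list, run over a subset of the paths R8 learned from R9 in the posted output. The names `Session`, `filter_list` and `compile_as_path` are hypothetical, and the empty AS path for R3's locally originated 14.14.14.0/24 is an assumption.

```python
import re

# Subset of the routes R8 learned from R9 (201.201.201.2), taken from "R8#sh ip bgp" above.
R8_FROM_R9 = {
    "11.11.11.0/24": "200",
    "12.12.12.0/24": "200 300",
    "13.13.13.0/24": "200 300",
    "14.14.14.0/24": "200 300",
    "111.111.111.0/24": "200 300",
    "112.112.112.0/24": "200 300",
    "201.201.201.0": "200",
}

def compile_as_path(pattern):
    """Translate a Cisco-style AS-path regex; '_' matches a delimiter or either end."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

def filter_list(permit_patterns, routes):
    """Keep routes whose AS path matches a permit entry; the rest hit the implicit deny."""
    compiled = [compile_as_path(p) for p in permit_patterns]
    return {pfx: path for pfx, path in routes.items()
            if any(rx.search(path) for rx in compiled)}

class Session:
    """One eBGP session with independent inbound and outbound policy (None = no filter)."""
    def __init__(self, in_permit=None, out_permit=None):
        self.in_permit, self.out_permit = in_permit, out_permit

    def receive(self, routes):
        # Only the inbound list is consulted for routes learned from the neighbor.
        return dict(routes) if self.in_permit is None else filter_list(self.in_permit, routes)

    def advertise(self, routes):
        # Only the outbound list is consulted for routes sent to the neighbor.
        return dict(routes) if self.out_permit is None else filter_list(self.out_permit, routes)

def r3_advertises_to_r9():
    """R3 has ^200$ inbound only, so its own 14.14.14.0/24 (assumed empty path) still goes out."""
    return Session(in_permit=["^200$"]).advertise({"14.14.14.0/24": ""})

def r8_accepts_from_r9(in_permit=None):
    """What R8 keeps from R9 with and without the inbound filter suggested in the thread."""
    return sorted(Session(in_permit=in_permit).receive(R8_FROM_R9))

if __name__ == "__main__":
    print("R3 -> R9:", r3_advertises_to_r9())
    print("R8 unfiltered:", r8_accepts_from_r9())
    print("R8 with ^200$ in:", r8_accepts_from_r9(["^200$"]))
```

With `^200$` applied inbound on R8, only the two prefixes originated in AS 200 remain; every path ending in 300, including 14.14.14.0/24, falls to the implicit deny.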
08-23-2013 12:28 PM
In short, I am asking why my as-path command is not stopping any routes coming from AS 100, because I only allowed AS 200, not 100. It is like I want to allow a specified person ABC but not anyone like XYZ.