bgp guru

whanson
Level 2

I am trying to impact the incoming traffic on a particular subnet. I have two connections to the same ISP, same AS, at different locations and another connection to a separate ISP. I use a filter list to control the advertised routes and all is well, but there is one subnet that comes in at location A, ISP A, and I want it to come in at location B, ISP A. So I added a route map at location A for the specific subnet and set the metric, so it should theoretically come in at location B, but instead I lost all connectivity for all subnets. If I use a route-map out, does that override a filter list? As ever, thx

paolo bevilacqua
Hall of Fame

That is a bit difficult to put in words, but let me try.

BGP simply applies user configuration in a fixed order, which honestly I don't recall now, but it can easily be found.

There is no overriding per se, as in it won't do a certain thing if you did another, and everything simply depends on the details of your lists, ACLs, etc.

Hi,

here is the order Paolo mentioned:

For inbound updates the order of preference is:

1. route-map

2. filter-list

3. prefix-list, distribute-list

For outbound updates the order of preference is:

1. prefix-list, distribute-list

2. filter-list

3. route-map

See

http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml#one

BR,

Milan

Peter Paluch
Cisco Employee

Hello,

Regarding the order of different policy mechanisms, the "BGP Frequently Asked Questions" article at

http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml#one

says:

The order of preference varies based on whether the attributes are applied for inbound updates or outbound updates.

For inbound updates the order of preference is:

1. route-map

2. filter-list

3. prefix-list, distribute-list

For outbound updates the order of preference is:

1. prefix-list, distribute-list

2. filter-list

3. route-map

Note: The attributes prefix-list and distribute-list are mutually exclusive, and only one command (neighbor prefix-list or neighbor distribute-list) can be applied to each inbound or outbound direction for a particular neighbor.

Best regards,

Peter

Ah, so there are some exclusive commands, I didn't remember that.

Thanks for adding the list here, I knew you guys know.

Okay, this is a snippet of what I have. As soon as I add the route-map parker to site A I can no longer access anything. A traceroute shows that the route ends in the ISP.

Hi,

It seems that your route-map parker-subnet-att on the site A is missing the "permit any" block at its end. Currently, it reads as follows:

    route-map parker-subnet-att permit 10
     match ip address 30
     set metric 100

The ACL 30 permits a single network 3.3.3.0/24. All other networks are not matched by the ACL 30, therefore, the only block of your route map does not apply to them. The next implicit invisible block of the route-map works like "deny any" and prevents all other routes from being advertised.

I believe that your route-map should correctly read as follows:

    route-map parker-subnet-att permit 10
     match ip address 30
     set metric 100
    route-map parker-subnet-att permit 20
     ! Nothing written here, just exit

Best regards,

Peter

So you are saying that the route-map overrides the prefix-list

Hello,

I would not exactly say that it "overrides" the prefix list. It simply comes after the prefix list - see the sequence of steps described earlier. Even if the prefix-list permits a network, that network will have to go through the route-map. If the route-map drops it, then it will not be advertised. Of course, if a prefix-list drops a network, it will not even reach the route-map so it also won't be advertised.

Best regards,

Peter

Yes you are. You are saying that even though I have a filter list that says what networks to advertise, that is fine, but since I have a route map that only includes one network, that is the end all.

So in essence the filter list was overridden by the route-map.

Hello,

In your particular case, yes, the route-map seems to override the prefix list.

But consider the other possibility: a prefix list denies a network and the route-map subsequently permits it. Will the route-map in this case override the prefix list? No, it will not. The prefix list dropped the network before it even reached the route-map.

In the outbound direction, a route-map can "override" a prefix list in the sense that if a network was permitted by the prefix list, it may be subsequently dropped by the route-map. However, the converse is not true. A route-map cannot make a network be advertised after it was first dropped by the prefix list. Therefore, it would be incorrect to state in a general sense that the route-map always overrides the prefix list.

Best regards,

Peter
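A small model of the outbound evaluation order and the implicit deny discussed in this thread, added here as an illustration and not taken from any poster's configuration. Only ACL 30, 3.3.3.0/24 and metric 100 come from the thread; the other prefixes, the prefix-list contents, the AS-path rule and all function names are assumptions.

```python
import re

# Constructed sample routes (prefix -> AS path). Only 3.3.3.0/24, ACL 30 and
# metric 100 come from the thread; everything else is assumed for illustration.
BGP_TABLE = {
    "3.3.3.0/24": "",
    "198.51.100.0/24": "",
    "203.0.113.0/24": "",
    "192.0.2.0/24": "64500",
}
PREFIX_LIST = {"3.3.3.0/24", "198.51.100.0/24", "192.0.2.0/24"}  # assumed contents
AS_PATH_FILTER = re.compile(r"^$")  # assumed filter-list: locally originated only
ACL_30 = {"3.3.3.0/24"}             # exact-prefix match is a simplification

# Route-map clauses as (action, match set or None for an empty clause, set values).
BROKEN = [("permit", ACL_30, {"metric": 100})]
FIXED = BROKEN + [("permit", None, {})]  # the empty "permit 20" clause


def route_map(clauses, prefix):
    """First matching clause decides; no match hits the implicit deny."""
    for action, match, sets in clauses:
        if match is None or prefix in match:
            return dict(sets) if action == "permit" else None
    return None  # implicit "deny any" that ends every route-map


def advertise(clauses, table=BGP_TABLE):
    """Apply the outbound order: prefix-list, then filter-list, then route-map."""
    advertised, dropped_by = {}, {}
    for prefix, as_path in table.items():
        if prefix not in PREFIX_LIST:
            dropped_by[prefix] = "prefix-list"
        elif not AS_PATH_FILTER.search(as_path):
            dropped_by[prefix] = "filter-list"
        else:
            attrs = route_map(clauses, prefix)
            if attrs is None:
                dropped_by[prefix] = "route-map"
            else:
                advertised[prefix] = attrs
    return advertised, dropped_by


if __name__ == "__main__":
    for name, clauses in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, *advertise(clauses), sep="\n  ")
```

With the single-clause route-map only 3.3.3.0/24 is advertised; with the empty final clause the other permitted prefix returns, while prefixes dropped by the earlier stages stay dropped.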

Seems to me you are trying to twist the correct explanations received to match the answer you're expecting.

Nothing overrides anything, you begin with all the prefixes in BGP table and these are reduced in steps by the filters applied.

While you're there, why not rate the useful answer using the scrollbox below?

Hello Bill,

Peter has found the problem: the way you terminate the route-map.

As Paolo has noted, there is no use here in thinking of the order of filter types: the end result is that you are only permitting the subnet with the modified IP subnet, the one permitted by ACL 30.

When dealing with BGP route maps (or for redistribution) it is important to take care of how the route map has to be terminated:

If a filtering action is desired, no empty final clause is needed. If the route-map is used only for modifying some attributes on some prefixes, then an empty final clause may be needed, or an additional clause with the appropriate match.

By the way, it is possible to include the match on AS paths in the route map so that you have a single filter applied outbound to a neighbor:

    route-map parker-subnet-att permit 10
     match ip address 30
     match as-path 1
     set metric 100
    route-map parker-subnet-att permit 20
     match as-path 1
     match ip address prefix-list adv-55555

In this case an empty final clause is not needed, but the second block takes care of the prefixes you want to advertise.

I usually write the filters in this different way to make it clearer how the filters work.

Hope to help

Giuseppe

Mohamed Sobair
Level 7

Hi,

Please post your current config in order to have a better result.

HTH

Mohamed

Configuration had been already posted and extensively discussed.
