10-18-2014 01:41 PM - edited 03-04-2019 11:59 PM
Hi Experts,
Just need your help again. I was trying to do some lab and I came across this weird behaviour with BGP outbound route-map. The diagram is simple.
Please see attached diagram. Sorry for the very poor illustration. R6 has iBGP peering to both R4 and R1. Both R1 and R4 have eBGP peering to R5. No IGP running on any routers as well to keep things simple. There are 2 things to do.
* Create a static route for 160.1.0.0/16 pointing to Null0 on both R1 and R4 and advertise to BGP via network statement but only R5 should be able to see the 160.1.0.0/16 route. R6 should not receive it.
* Advertise R5's /32 loopback interface to BGP but ensure R6 to have that route in its routing table. Don't use next-hop-self on both R1 and R4. Don't advertise WAN link via network command.
I'll just illustrate R4 and R6 here to keep things straightforward.
R4#sh ip bgp
BGP table version is 5, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 150.1.5.5/32 155.1.45.5 0 0 100 i
*> 160.1.0.0 0.0.0.0 0 32768 i
R6#sh ip bgp
BGP table version is 11, local router ID is 150.1.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i150.1.5.5/32 155.1.45.5 0 100 0 100 i
* i 155.1.0.5 0 100 0 100 i
The first task was achieved as the 160.0.0.0/16 route is not present in R6's table. I used these commands in R4.
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 160.1.0.0
 neighbor 155.1.45.5 remote-as 100
 neighbor 155.1.146.6 remote-as 65000
 neighbor 155.1.146.6 route-map R6_OUT out
 no auto-summary
route-map R6_OUT deny 5
 match ip address prefix-list AGGR
route-map R6_OUT permit 1000
ip prefix-list AGGR seq 5 permit 160.1.0.0/16
So with the configuration above, it is clear that R4 is hitting route-map line 5 to deny 160.1.0.0/16 being advertised to R6. I tried to remove line 5 to validate as well if the /16 route will be advertised to R6 and it did so route-map configuration above is confirmed working.
Next, advertise loopback 0 of R5 to R6 and make sure it is a valid route in BGP table without the use of next-hop-self or WAN advertisement.
I used the following configuration.
ip prefix-list R5_LINK seq 5 permit 155.1.45.5/32
route-map R6_OUT permit 10
 match ip route-source R5_LINK
 set ip next-hop 155.1.146.4
I inserted line 10 in between route-map 5 and 1000. So R4 would check its route table for routes with 155.1.45.5 as route-source then advertise it to R6 with next-hop address of 155.1.146.4. It worked!
R6#sh ip bgp
BGP table version is 15, local router ID is 150.1.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i150.1.5.5/32 155.1.146.4 0 100 0 100 i
* i 155.1.0.5 0 100 0 100 i
*>i160.1.0.0 155.1.146.4 0 100 0 i
As you can see above, 150.1.5.5 route is now a valid BGP route but surprisingly, the 160.1.0.0/16 route is there! From what I have seen, BGP skipped line 5 and started at 10. Even if I insert the same rule as line 5 and make it as line 15, it's not working. The /16 route is still being advertised. If I remove the match ip route-source clause in sequence 10 then it will withdraw the 160.1.0.0/16 route again. Looks like "match ip route-source" is not very friendly with direct filtering to BGP neighbors but I saw this being used with BGP inject-map and it worked well.
R4#sh route-map
route-map R6_OUT, deny, sequence 5
Match clauses:
ip address prefix-lists: AGGR
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map R6_OUT, permit, sequence 10
Match clauses:
ip route-source (access-lists): R5_LINK
Set clauses:
ip next-hop 155.1.146.4
Policy routing matches: 0 packets, 0 bytes
route-map R6_OUT, permit, sequence 1000
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Any thoughts why this is happening?
Thanks in advance.
10-19-2014 11:41 AM
10-20-2014 12:52 AM
I have not touched the other router which is R1. I just left it to its default state. I do think the behavior will be the same as I have done the same task with another set of equipment.
10-20-2014 01:22 AM
Hi,
actually, the correct syntax should be:
route-map R6_OUT permit 10
 match ip route-source prefix-list R5_LINK
 set ip next-hop 155.1.146.4
for details.
Possibly your route-map is not interpreted correctly, as it's using a non-existing ACL so matching anything?
But even then the deny within the previous route-map section should work :-(
In any case, I'd try the prefix-list keyword used.
Best regards,
Milan
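Added example, not part of Milan's reply or of the original poster's lab: a small Python model of first-match route-map evaluation, run over the R6_OUT policy and the two routes in R4's BGP table from the thread. It shows what the policy is expected to do both as intended and when sequence 10 matches everything. The function names and the route-source value used for the locally originated 160.1.0.0/16 are assumptions of the model.

```python
import ipaddress

# Constructed model of R4's outbound policy toward R6 (route-map R6_OUT in the thread).
AGGR = [ipaddress.ip_network("160.1.0.0/16")]       # ip prefix-list AGGR
R5_LINK = [ipaddress.ip_network("155.1.45.5/32")]   # ip prefix-list R5_LINK

def match_prefix(plist):
    # match ip address prefix-list: exact prefix/length (no ge/le used in the thread)
    return lambda route: ipaddress.ip_network(route["prefix"]) in plist

def match_route_source(plist):
    # match ip route-source prefix-list: the advertising peer's address as a /32
    return lambda route: ipaddress.ip_network(route["source"] + "/32") in plist

def build_map(seq10_match):
    # Entries: (sequence, action, match function or None, next-hop override or None)
    return [
        (5, "deny", match_prefix(AGGR), None),
        (10, "permit", seq10_match, "155.1.146.4"),
        (1000, "permit", None, None),
    ]

def evaluate(route_map, route):
    """Return (sequence hit, verdict, next-hop override) with first-match-wins."""
    for seq, action, match, set_nh in sorted(route_map, key=lambda e: e[0]):
        if match is None or match(route):   # a clause with no match matches all
            if action == "deny":
                return seq, "filtered", None
            return seq, "advertised", set_nh
    return None, "filtered", None           # implicit deny at the end of a route-map

# R4's two BGP routes as posted. The 0.0.0.0 source for the route originated
# by the local network statement is an assumption of this model.
ROUTES = [
    {"prefix": "150.1.5.5/32", "source": "155.1.45.5"},
    {"prefix": "160.1.0.0/16", "source": "0.0.0.0"},
]

def run(route_map):
    return {r["prefix"]: evaluate(route_map, r) for r in ROUTES}

INTENDED = run(build_map(match_route_source(R5_LINK)))
MATCH_ALL = run(build_map(lambda route: True))   # sequence 10 "matching anything"

if __name__ == "__main__":
    for name, result in (("intended", INTENDED), ("seq 10 matches all", MATCH_ALL)):
        print(name, result)
```

In both cases the model stops at sequence 5 for 160.1.0.0/16, so the route reaching R6 is not what sequential evaluation predicts.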
10-21-2014 10:28 AM
Thanks for catching that one. I checked my lab again and I used it with prefix-list command on the match statement. It's just here in GNS3 where I had a typo but yeah you are right, the deny statement is prior to the incorrect route-map so it should be read first. I tried to rebuild again the lab and I still got the same result.
R4#sh route-map
route-map TO_R6, deny, sequence 10
Match clauses:
ip address prefix-lists: AGGR
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map TO_R6, permit, sequence 20
Match clauses:
ip route-source prefix-lists: R5_LINK
Set clauses:
ip next-hop 155.1.146.4
Policy routing matches: 0 packets, 0 bytes
route-map TO_R6, permit, sequence 1000
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
R4#sh ip prefix-list detail
Prefix-list with the last deletion/insertion: TO-R6
ip prefix-list AGGR:
count: 1, range entries: 0, sequences: 5 - 5, refcount: 2
seq 5 permit 160.1.0.0/16 (hit count: 12, refcount: 1)
ip prefix-list R5_LINK:
count: 1, range entries: 0, sequences: 5 - 5, refcount: 2
seq 5 permit 155.1.45.5/32 (hit count: 3, refcount: 1)
R6#sh ip bgp
BGP table version is 7, local router ID is 150.1.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i150.1.5.5/32 155.1.146.4 0 100 0 100 i
*>i160.1.0.0 155.1.146.4 0 100 0 i
10-22-2014 05:04 AM
Hi,
I made a small test in my lab and it worked correctly.
So either there is a bug in your GNS3 or you didn't wait a moment to refresh your BGP table after modifying the route-map (or you should issue "clear ip bgp * soft" after the change)?
Best regards,
Milan
10-21-2014 10:27 PM
Hi John,
I did a small lab to test feature "match ip route-source" and it is working fine. Please check below config and output.
R4 does not have 172.16.16.0/24 and also routes for which next-hop is not 1.1.1.1. In case you are still facing the issue, please share the output of "debug ip bgp updates out".
Topology
R1--ebgp--R3---ibgp---R4
R3#show ip b su | b Nei
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 100 34 36 29 0 0 00:27:37 7
4.4.4.4 4 300 9 12 29 0 0 00:04:12 0
R3#
R3#sh route-map TO-R4
route-map TO-R4, deny, sequence 10
Match clauses:
ip address prefix-lists: DENY-PREFIX
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map TO-R4, permit, sequence 20
Match clauses:
ip route-source (access-lists): 20
Set clauses:
Policy routing matches: 0 packets, 0 bytes
R3#
R3#show ip prefix-list DENY-PREFIX
ip prefix-list DENY-PREFIX: 1 entries
seq 5 permit 172.16.16.0/24
R3#
R3#sh ip access-lists 20
Standard IP access list 20
20 permit 1.1.1.1 (25 matches)
R3#
R3#show ip b
BGP table version is 29, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 172.16.8.0/22 1.1.1.1 0 0 100 i
*> 172.31.13.1 20 32768 i
*> 172.16.16.0/24 1.1.1.1 0 0 100 i
*> 172.16.17.0/24 1.1.1.1 0 0 100 i
*> 172.16.19.0/24 1.1.1.1 0 0 100 i
*> 172.16.20.0/22 1.1.1.1 0 0 100 i
* 172.16.24.0/30 1.1.1.1 0 0 100 i
*> 172.31.13.1 20 32768 i
*> 172.16.80.0/22 1.1.1.1 0 0 100 i
R3#
R4#show ip b
BGP table version is 53, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
r>i172.16.17.0/24 1.1.1.1 0 100 0 100 i
r>i172.16.19.0/24 1.1.1.1 0 100 0 100 i
r>i172.16.20.0/22 1.1.1.1 0 100 0 100 i
*>i172.16.80.0/22 1.1.1.1 0 100 0 100 i
R4#
--Pls don't forget to rate helpful posts--
Regards,
Akash