11-17-2015 01:23 PM - edited 03-05-2019 02:46 AM
Hi,
I've recently upgraded two edge routers used for BGP, from 2921s on IOS 15.0(ar)M15 to 4451s on IOS-XE 03.13.02.S
I use BGP prepending to influence inbound routing from my ISP (each router has a dedicated circuit to the same ISP). Using the old hardware, for the last 5 years, prepending worked exactly as I'd expect: I could move some or all networks to the "Prepend List" on one router, and do the inverse on the other router (move them to the "No Prepend List"), and it would change the ISP's preferred inbound route to me.
Now using the new hardware, I noticed that if I remove all networks from a list, prepending doesn't work. As long as I leave at least one network on a list, everything works as expected. I'm scratching my head trying to figure out why.
Does it have something to do with differences between IOS and IOS-XE? I noticed there's a "Continue Clause" available with the route-map command in XE; maybe that changed the behavior? Or did the version of IOS I was on have a bug, and actually shouldn't have worked the way it was configured, but did anyway?
See relevant config below, some items altered for obvious reasons:
Router A Normal Config:
router bgp 1
network 1.1.1.0 mask 255.255.255.0
network 2.2.2.0 mask 255.255.255.192
network 3.3.3.0 mask 255.255.255.192
neighbor 4.4.4.4 remote-as 2
neighbor 4.4.4.4 route-map BGP_Nets_Out out
ip access-list standard BGP_No_Prepend
permit 1.1.1.0 0.0.0.255
permit 2.2.2.0 0.0.0.63
ip access-list standard BGP_Prepend
permit 3.3.3.0 0.0.0.63
route-map BGP_Nets_Out permit 10
match ip address BGP_No_Prepend
route-map BGP_Nets_Out permit 20
match ip address BGP_Prepend
set as-path prepend 1 1 1 1 1
Router B Normal Config:
router bgp 1
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
network 2.2.2.0 mask 255.255.255.192
network 3.3.3.0 mask 255.255.255.192
neighbor 5.5.5.5 remote-as 2
neighbor 5.5.5.5 route-map BGP_Nets_Out out
ip access-list standard BGP_No_Prepend
permit 3.3.3.0 0.0.0.63
ip access-list standard BGP_Prepend
permit 1.1.1.0 0.0.0.255
permit 2.2.2.0 0.0.0.63
route-map BGP_Nets_Out permit 10
match ip address BGP_No_Prepend
route-map BGP_Nets_Out permit 20
match ip address BGP_Prepend
set as-path prepend 1 1 1 1 1
Example of a WORKING altered config:
Router A:
ip access-list standard BGP_No_Prepend
permit 1.1.1.0 0.0.0.255
ip access-list standard BGP_Prepend
permit 3.3.3.0 0.0.0.63
permit 2.2.2.0 0.0.0.63
Router B:
ip access-list standard BGP_No_Prepend
permit 3.3.3.0 0.0.0.63
permit 2.2.2.0 0.0.0.63
ip access-list standard BGP_Prepend
permit 1.1.1.0 0.0.0.255
Example of a NON-WORKING altered config:
Router A:
ip access-list standard BGP_No_Prepend
ip access-list standard BGP_Prepend
permit 1.1.1.0 0.0.0.255
permit 3.3.3.0 0.0.0.63
permit 2.2.2.0 0.0.0.63
Router B:
ip access-list standard BGP_No_Prepend
permit 1.1.1.0 0.0.0.255
permit 2.2.2.0 0.0.0.63
permit 3.3.3.0 0.0.0.63
ip access-list standard BGP_Prepend
For the instances when it doesn't work, I've contacted the ISP, and they say they no longer see any prepending coming from my routers. Could it have something to do with a different behavior in IOS XE, matching the implicit deny all in the now empty ACLs?
Thanks for any advice you can share!
11-17-2015 03:22 PM
Jonathan,
At least for the case when the BGP_No_Prepend ACL is empty, I think I can understand the behavior: An empty named ACL appears to behave as if it was a "permit any" ACL. Your route-map appears to first evaluate the BGP_No_Prepend ACL (block 10), only then it evaluates the BGP_Prepend ACL (block 20). That would mean that the first route-map block essentially catches all advertised prefixes, causing none of them to be AS-prepended.
In general, it does not make much sense to have empty ACLs. Note that with numbered ACLs, it is not even possible to create an empty numbered ACL because the number and the entry are inseparably tied together in an access-list acl-number command. With named ACLs, you can create an empty ACL but the intention is ambiguous - is it an incomplete ACL that should be treated as if it wasn't even there, or is it an ACL that should act as ... what? Permit any? Deny any?
So my personal recommendation would be to have an explicit deny any entry at the end of both your BGP_No_Prepend and BGP_Prepend ACLs. You surely know you can insert entries at an arbitrary place into a named ACL using sequence numbers so this is not going to make your life harder, and it will make sure that the ACLs are never empty and therefore ambiguous.
Best regards,
Peter
11-17-2015 03:33 PM
Hello Peter,
I posted my answer before seeing your answer. I was typing. I think we are saying the same thing.
Masoud
11-17-2015 03:48 PM
Masoud,
Absolutely - you have noticed and commented on exactly the same thing. Good thinking!
The one thing I am not entirely certain about is that Jonathan mentioned that even if his BGP_Prepend ACL is empty while the BGP_No_Prepend ACL is nonempty, no prepending occurs. This does not really sit with our explanations so far. But I think that it is best to keep both ACLs nonempty to avoid any implementation issues that try to deal with corner cases such as "what should an empty ACL do?"
Best regards,
Peter
11-17-2015 03:29 PM
Hello,
ip access-list standard BGP_No_Prepend
route-map BGP_Nets_Out permit 10
match ip address BGP_No_Prepend
This combination probably matches everything (any any) in your new IOS, so the next route-map sequence will not be checked any more. Check show access-list BGP_No_Prepend and show route-map BGP_Nets_Out to see whether there is any hit when the list is empty.
Change your configuration to this. Only one access-list:
ip access-list standard BGP_Prepend
permit 1.1.1.0 0.0.0.255
permit 3.3.3.0 0.0.0.63
permit 2.2.2.0 0.0.0.63
route-map BGP_Nets_Out permit 10
match ip address BGP_Prepend
set as-path prepend 1 1 1 1 1
route-map BGP_Nets_Out permit 20
[nothing is needed here, or your empty access-list]
Just one access-list is enough. Probably you can add your empty access-list here, but it does not make any difference with your explanation.
I think it is not a bug. It is just a different interpretation of an empty access-list.
Masoud