
Change to suppress-map for BGP aggregate does not take effect

Michal Mikus

I have a simple topology in LAB to test this:

R1 <-------> R2 <--------> R3

 

R1 is configured with a few /32 loopbacks:

Loopback1                  11.11.11.11
Loopback2                  11.11.12.11
Loopback3                  11.11.13.11

 

These are aggregated on R2 as a /16:

router bgp 2

 aggregate-address 11.11.0.0 255.255.0.0 summary-only suppress-map SuppressMap

!

ip prefix-list Send_12(13)_too seq 5 permit 11.11.12.11/32

!

route-map SuppressMap deny 10
 match ip address prefix-list Send_12(13)_too
route-map SuppressMap permit 20

 

Now I know summary-only doesn't make sense or is pointless in conjunction with suppress-map, but that's how it was configured on a real device, so I wanted to test a similar scenario.

 

Anyway, it works this way. R2 sends aggregate route along with more specific route for 11.11.12.11/32.

 

The problem is when I make a change to the prefix-list: I want an additional /32 route to be advertised/unsuppressed. So I add an entry to the prefix-list:

ip prefix-list Send_12(13)_too permit 11.11.13.11/32

 

And it has no effect. The local BGP table on R2 still shows 11.11.13.11/32 as suppressed. Clearing BGP doesn't help, neither soft nor hard.

 

Solution:

The only way I could get around this hurdle was to copy/paste the aggregate command in its entirety as is in BGP again:

aggregate-address 11.11.0.0 255.255.0.0 summary-only suppress-map SuppressMap

 

Question:

While this got me to the desired state, I'm wondering if there's a more clever, elegant solution. Does Cisco IOS have any command specific to this case? Something to re-evaluate the route-map for the aggregate.


afradalil
Hi Michal:
- Try to remove the summary-only option and test.
- One question I have is where do you have the following prefix list applied: "ip prefix-list Block_12(13) permit 11.11.13.11/32"? All I see is your suppressed prefix applied to the suppress-map.
- I guess not seeing all the configuration is not helping, but please look at the following blog, compare it to your configuration and see what you are missing: "http://packetlife.net/blog/2008/sep/20/bgp-route-aggregation-part-2/"

The prefix-list "Block_12(13)" is matched in route-map ... if you look closer, I gave the configuration of route-map where you can find it.

"ip prefix-list Block_12(13) permit 11.11.13.11/32" is simply an update to an already existing prefix-list.

 

I tried without summary-only but no change.

Hello,

 

Not sure if this is a (BGP-specific) bug, but at least in GNS3 using 15.6, if you use a standard access list instead of the prefix list, updates work.

 

So instead of:

 

ip prefix-list Send_12(13)_too seq 5 permit 11.11.12.11/32
ip prefix-list Send_12(13)_too seq 10 permit 11.11.13.11/32
!
route-map SuppressMap deny 10
match ip address prefix-list Send_12(13)_too
route-map SuppressMap permit 20

 

use

 

access-list 1 permit 11.11.13.11
access-list 1 permit 11.11.12.11
!
route-map SuppressMap deny 10
match ip address 1
route-map SuppressMap permit 20

 

 

 

I tried ACL instead of prefix-list but no change.

Hello,

 

I just rebuilt everything from scratch using the access list, and the addition in the access list takes about 10 seconds to be propagated. 

 

Which image are you using, and which lab setup (live/GNS3/VIRL)?

Hi Michal,

I am still not clear on where the block prefix-list comes into account; I only see Send_12(13)_too added to the route-map. And in George's example, he added the two addresses in the same access-list Send_12(13)_too.

I'm sorry, during the process I renamed the prefix-list and forgot that one line. It should be fixed now. And thanks for your engagement :)

What was the fix?

I meant, I changed the name here in the post. I will test again with the ACL tomorrow and be patient and wait more than a few seconds.

Hello,

 

Just for clarification, here is the config I used:

 

router bgp 2
bgp router-id 2.2.2.2
bgp log-neighbor-changes
aggregate-address 11.11.0.0 255.255.0.0 summary-only suppress-map SuppressMap
neighbor 192.168.12.1 remote-as 1
neighbor 192.168.23.3 remote-as 3
!
route-map SuppressMap deny 10
match ip address 1
!
route-map SuppressMap permit 20
!
access-list 1 permit 11.11.12.11

 

R2#sh ip bgp topology *

   Network          Next Hop            Metric LocPrf Weight Path
*> 11.11.0.0/16     0.0.0.0                            32768 i
s> 11.11.11.11/32   192.168.12.1             0             0 1 i
*> 11.11.12.11/32   192.168.12.1             0             0 1 i
s> 11.11.13.11/32   192.168.12.1             0             0 1 i

 

I then added 11.11.13.11/32 to the access list. After waiting for the default advertisement interval (30 seconds), this is the result:

 

router bgp 2
bgp router-id 2.2.2.2
bgp log-neighbor-changes
aggregate-address 11.11.0.0 255.255.0.0 summary-only suppress-map SuppressMap
neighbor 192.168.12.1 remote-as 1
neighbor 192.168.23.3 remote-as 3
!
route-map SuppressMap deny 10
match ip address 1
!
route-map SuppressMap permit 20
!
access-list 1 permit 11.11.12.11
access-list 1 permit 11.11.13.11

 

R2#sh ip bgp topology *

   Network          Next Hop            Metric LocPrf Weight Path
*> 11.11.0.0/16     0.0.0.0                            32768 i
s> 11.11.11.11/32   192.168.12.1             0             0 1 i
*> 11.11.12.11/32   192.168.12.1             0             0 1 i
*> 11.11.13.11/32   192.168.12.1             0             0 1 i

Well, I tried ACL instead exactly as you did but still no change:

 

R2#sh run | s router bgp
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 aggregate-address 11.11.0.0 255.255.0.0 summary-only suppress-map SupressMap
 neighbor 10.0.0.1 remote-as 1
 neighbor 100.0.0.2 remote-as 3
 no auto-summary
R2#sh run | s route-map SupressMap
route-map SupressMap deny 10
 match ip address 1
route-map SupressMap permit 20
R2#sh run | i list 1
access-list 1 permit 11.11.13.11
access-list 1 permit 11.11.12.11
R2#sh ip bgp
BGP table version is 13, local router ID is 100.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
r> 10.0.0.0         10.0.0.1                 0             0 1 i
*> 11.11.0.0/16     0.0.0.0                            32768 i
s> 11.11.11.11/32   10.0.0.1                 0             0 1 i
*> 11.11.12.11/32   10.0.0.1                 0             0 1 i
s> 11.11.13.11/32   10.0.0.1                 0             0 1 i
R2#

 

I waited a good 5 minutes after the ACL update and 11.11.13.11/32 still shows as suppressed.

I'm testing in GNS3 on a 3660 router with IOS ver 12.4(15)T10.

Hello,

 

It is either GNS3, 12.4, or a combination of both. I don't get it to work in 12.4 either. Try a 15.x version.

Unfortunately no. I used an ACL on real HW with IOS 15 and changing the ACL doesn't change the status of the suppressed route in the BGP table.
I guess next time I would rework the config and use unsuppress-map on the BGP neighbor instead. That works just fine.
Thanks for all your help.
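
An added example, not part of the thread or of any Cisco tool: a Python check that compares what the suppress-map says should happen with the `s>` flags in `show ip bgp` output, to catch the stale state described in this thread. The clause model (first match wins, permit suppresses, deny leaves the route advertised, no match treated as not suppressed) and all function names are assumptions made here; the table rows are copied from the output posted above.

```python
import ipaddress
import re

# Sample input: rows from the "sh ip bgp" output posted in the thread, taken
# after 11.11.13.11/32 had been added to the list matched by the suppress-map.
SHOW_IP_BGP = """\
*> 11.11.0.0/16     0.0.0.0                            32768 i
s> 11.11.11.11/32   10.0.0.1                 0             0 1 i
*> 11.11.12.11/32   10.0.0.1                 0             0 1 i
s> 11.11.13.11/32   10.0.0.1                 0             0 1 i
"""
AGGREGATE = ipaddress.ip_network("11.11.0.0/16")
# Assumed model of the suppress-map: ordered (action, prefixes); None matches all.
SUPPRESS_MAP = [
    ("deny", {"11.11.12.11/32", "11.11.13.11/32"}),  # route-map ... deny 10
    ("permit", None),                                # route-map ... permit 20
]
ROW = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s")

def parse_table(text):
    """Return {network: is_suppressed} for every row that carries a prefix length."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            status, prefix = m.groups()
            table[ipaddress.ip_network(prefix)] = "s" in status
    return table

def expected_suppressed(prefix):
    """First matching clause wins: permit suppresses, deny leaves it advertised."""
    for action, prefixes in SUPPRESS_MAP:
        if prefixes is None or str(prefix) in prefixes:
            return action == "permit"
    return False  # assumption: no clause matched, so the map does not suppress it

def stale_entries(text):
    """More-specifics whose table state disagrees with the current suppress-map."""
    stale = []
    for prefix, suppressed in parse_table(text).items():
        if prefix != AGGREGATE and prefix.subnet_of(AGGREGATE):
            if expected_suppressed(prefix) != suppressed:
                state = "suppressed" if suppressed else "advertised"
                stale.append((str(prefix), state))
    return stale

if __name__ == "__main__":
    for prefix, state in stale_entries(SHOW_IP_BGP):
        print(f"{prefix}: table shows {state}, suppress-map says otherwise")
```
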