Multiple Subnets of a /24 BGP

Steven Peterson
Level 1

We have 2 non-contiguous /24s from ARIN. Our network is broken into 3 major sections: one has its own /24, and the other 2 split one as follows:

204.138.16x.0 /24
     204.138.16x.0 /25   --> 204.138.16x.140
     204.138.16x.128 /26     Directly connected to router
     204.138.16x.192 /26 --> 204.138.16x.170

Additionally, in the range directly attached to the router there is a mix of firewalls and VPN endpoints.

Here are the vitals in my BGP config:

  network 204.138.16x.0
  aggregate-address 204.138.16x.0 255.255.255.0
  redistribute static route-map rm_redist_ok

The prefix list in the route-map lists the subnets we want to redistribute, then denies everything else.

Now we have this up and advertising: the route to the /24 in question shows up in the table, and a traceroute gets to the Cisco router but not beyond it.

This includes addresses in the directly connected subnet as well as ones routed through it.

The routers/firewalls behind my Cisco edge are OpenBSD based.

Any idea what I am doing wrong? I am willing to send the full config via private message; I would prefer not to post my full IP blocks, to make it harder for them to be harvested by spammers.

4 Replies

Dennis Mink
VIP Alumni

So can you actually ping anything in the 204.138.16x.128 /26 range, most importantly the router's IP address in this range? If so, that would mean routing on this subnet works both ways end to end.

Please remember to rate useful posts, by clicking on the stars below.

Hi Steven,

A few things I can think of...

Do the firewalls/VPN devices have a default route back to this router? Maybe it's the return traffic that is not getting back. As you said, you can get to the router from outside but it doesn't go any further. Also, maybe you need to check the firewall routing as well.

Also, if you are going to redistribute all the more specific prefixes into the BGP table in this case, then you don't need to put in the network A.B.C.D, because you are going to advertise the summary route anyway for those prefixes.

Does this give you any direction?

HTH,

Regards,

Kishore

I checked the traffic flow and the default route is set on the firewall/routers behind the edge device.

I can ping the edge router from a device behind any of the firewalls. Additionally, I can get to the edge router's telnet and SSH from behind any of the firewalls.

I tried removing the network 204.138.16x.0 statement, and at that point we stopped advertising the route. I waited a few minutes to see if this was just temporary; the route did not get readvertised.

Once I re-added the network 204.138.16x.0 statement, the route was advertised again.

Hi,

So, if you take out the network command your config would look like this:

router bgp
  aggregate-address 204.138.16x.0 255.255.255.0
  redistribute static route-map rm_redist_ok

...and you are not seeing 204.138.16x.0/24 getting advertised. The reason is that you have an aggregate command but you don't have at least one more specific route in the BGP table.

The network command works because you must have had at least 1 address in that /24 range in your routing table, or you must have configured a Null0 route.

Can you please paste the output of "sh ip bgp neighbor advertised-routes", and also the route-map and prefix-list?

Just being pedantic: the filters and ACLs are all fine on the firewall and the internal devices, right?

Regards,
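A worked IOS configuration for the setup discussed in this thread, added here as an illustration and not taken from any reply: it anchors the /24 with a Null0 static so the network statement always has a matching route, redistributes only the more-specifics the original poster listed, and ends with the show commands for checking what the upstream actually receives. The Null0 anchor, the summary-only keyword, the AS numbers (from the documentation range) and the peer address x.x.x.x are assumptions; "16x" is kept as the poster's own redaction.

```cisco
! Assumed addressing from the thread; x.x.x.x stands in for the upstream peer.
!
! Anchor route: lets "network 204.138.16x.0" install the /24 in BGP even when
! the directly connected /26 interface is down, and discards traffic for any
! address the more-specific routes below do not cover instead of sending it
! back out the default route.
ip route 204.138.16x.0 255.255.255.0 Null0
!
! Internal more-specifics, as listed in the original post
ip route 204.138.16x.0 255.255.255.128 204.138.16x.140
ip route 204.138.16x.192 255.255.255.192 204.138.16x.170
!
! Only these two statics may be redistributed; an implicit deny drops the rest
ip prefix-list PL_REDIST_OK seq 10 permit 204.138.16x.0/25
ip prefix-list PL_REDIST_OK seq 20 permit 204.138.16x.192/26
!
route-map rm_redist_ok permit 10
 match ip address prefix-list PL_REDIST_OK
!
router bgp 64496
 neighbor x.x.x.x remote-as 64497
 network 204.138.16x.0 mask 255.255.255.0
 ! summary-only (assumed) suppresses the /25 and /26 so the upstream only ever
 ! sees the /24; drop the keyword if the more-specifics should be sent too
 aggregate-address 204.138.16x.0 255.255.255.0 summary-only
 redistribute static route-map rm_redist_ok
!
! Checks, in order: the /24 exists in the routing table, it exists in the
! local BGP table, and it is in the set sent to the peer
! show ip route 204.138.16x.0 255.255.255.0
! show ip bgp 204.138.16x.0/24
! show ip bgp neighbors x.x.x.x advertised-routes
```

If the /24 shows in the advertised routes but traceroutes from outside still die at the edge, the problem is on the inside path (the return route or the OpenBSD firewall rules), not in BGP.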
