Trying to restrict routes sent and received with prefix list

hcyrus · ‎03-29-2018

HELLLLLLP!!!

I am trying to filter advertised and received routes over a BGP connection to AWS and not having any success. I want to only allow 10.7.6.1 to send its network to 10.7.6.2 and I only want to receive 10.60.0.0/16 from 10.7.6.2

So here’s the low down…

I have a BGP connection established between 10.7.6.1 (RQ side) and 10.7.6.2 (AWS side)

I want to only advertise 10.7.6.0/30 to 10.7.6.2

I want to only receive 10.60.0.0/16 from 10.7.6.2

neighbor 10.7.6.2 activate

neighbor 10.7.6.2 soft-reconfiguration inbound

neighbor 10.7.6.2 route-map awsin in

neighbor 10.7.6.2 route-map aws out

I am in the process of removing all the permit statements except 10.7.6.0/30 to see if that works going outbound

ip prefix-list aws seq 5 permit 10.7.0.0/20

ip prefix-list aws seq 6 permit 10.7.1.0/30

ip prefix-list aws seq 7 permit 10.7.2.0/30

ip prefix-list aws seq 8 permit 10.7.3.0/30

ip prefix-list aws seq 9 permit 10.7.4.0/30

ip prefix-list aws seq 10 permit 10.7.5.0/30

ip prefix-list aws seq 11 permit 10.7.6.0/30

ip prefix-list aws seq 12 permit 10.7.8.0/30

ip prefix-list aws seq 13 permit 10.7.9.0/30

route-map aws permit 10

description aws

match ip address prefix-list aws

I am going to remove the deny statement and see if that does anything…

ip prefix-list awsin seq 5 permit 10.60.0.0/24

ip prefix-list awsin seq 10 deny 10.0.0.0/8

route-map awsin permit 10

description awsin

match ip address prefix-list awsin

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

10.7.1.2 4 65000 71 76 49077013 0 0 00:32:38 8

10.7.2.2 4 65000 70 76 49077013 0 0 00:32:38 8

10.7.3.2 4 65000 70 76 49077013 0 0 00:32:38 8

10.7.4.2 4 65000 70 75 49077013 0 0 00:32:38 8

10.7.5.2 4 65000 70 76 49077013 0 0 00:32:38 8

10.7.6.2 4 65000 24 27 49077013 0 0 00:10:14 0

10.7.8.2 4 65000 70 75 49077013 0 0 00:32:38 8

10.7.9.2 4 65000 70 75 49077013 0 0 00:32:38 8

66.116.118.225 4 23005 18601512 316913 49077075 0 0 19w2d 684403

sh ip bgp neighbors 10.7.6.2 advertised-routes

BGP table version is 49077152, local router ID is

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path

*> 10.7.1.0/30 0.0.0.0 0 32768 i

*> 10.7.2.0/30 0.0.0.0 0 32768 i

*> 10.7.3.0/30 0.0.0.0 0 32768 i

*> 10.7.4.0/30 0.0.0.0 0 32768 i

*> 10.7.5.0/30 0.0.0.0 0 32768 i

*> 10.7.6.0/30 0.0.0.0 0 32768 i

*> 10.7.8.0/30 0.0.0.0 0 32768 i

*> 10.7.9.0/30 0.0.0.0 0 32768 i

Total number of prefixes 8

sh ip bgp neighbors 10.7.6.2 received-routes

BGP table version is 49077217, local router ID is

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path

* 10.10.0.0/16 10.7.6.2 0 65000 i

* 10.20.0.0/16 10.7.6.2 0 65000 i

* 10.30.0.0/16 10.7.6.2 0 65000 i

* 10.40.0.0/16 10.7.6.2 0 65000 i

* 10.50.0.0/16 10.7.6.2 0 65000 i

* 10.60.0.0/16 10.7.6.2 0 65000 i

* 10.80.0.0/16 10.7.6.2 0 65000 i

* 10.90.0.0/16 10.7.6.2 0 65000 i

Total number of prefixes 8

Georg Pauwen · ‎03-29-2018

Hello,

I want to only receive 10.60.0.0/16 from 10.7.6.2

but you have configured:

ip prefix-list awsin seq 5 permit 10.60.0.0/24

Make sure you change the /24 to /16 in the prefix list.

I put this into GNS3, here is my working config:

router bgp 1
bgp log-neighbor-changes
neighbor 10.7.6.2 remote-as 2
!
address-family ipv4
network 10.7.6.0 mask 255.255.255.252
network 10.7.8.0 mask 255.255.255.252
network 10.7.9.0 mask 255.255.255.252
neighbor 10.7.6.2 activate
neighbor 10.7.6.2 soft-reconfiguration inbound
neighbor 10.7.6.2 route-map awsin in
neighbor 10.7.6.2 route-map aws out
exit-address-family
!
ip prefix-list aws seq 5 permit 10.7.6.0/30
!
ip prefix-list awsin seq 5 permit 10.60.0.0/16
!
route-map awsin permit 10
match ip address prefix-list awsin
!
route-map aws permit 10
match ip address prefix-list aws

hcyrus · ‎03-29-2018

I was able to get it to do what I wanted by doing the following

ip prefix-list 701 seq 10 permit 10.7.1.0/30
ip prefix-list 701in seq 5 permit 10.10.0.0/16
ip prefix-list 702 seq 5 permit 10.7.2.0/30
ip prefix-list 702in seq 5 permit 10.20.0.0/16
ip prefix-list 703 seq 5 permit 10.7.3.0/30
ip prefix-list 703in seq 5 permit 10.30.0.0/16
ip prefix-list 704 seq 5 permit 10.7.4.0/30
ip prefix-list 704in seq 5 permit 10.40.0.0/16
ip prefix-list 705 seq 5 permit 10.7.5.0/30
ip prefix-list 705in seq 5 permit 10.50.0.0/16

ip prefix-list 706out seq 5 permit 10.7.6.0/24
ip prefix-list 708 seq 5 permit 10.7.8.0/30
ip prefix-list 708in seq 5 permit 10.80.0.0/16
ip prefix-list 709 seq 5 permit 10.7.9.0/30
ip prefix-list 709in seq 5 permit 10.90.0.0/16

neighbor 10.7.1.2 activate
neighbor 10.7.1.2 soft-reconfiguration inbound
neighbor 10.7.1.2 prefix-list 701in in
neighbor 10.7.1.2 prefix-list 701 out
neighbor 10.7.2.2 activate
neighbor 10.7.2.2 soft-reconfiguration inbound
neighbor 10.7.2.2 prefix-list 702in in
neighbor 10.7.2.2 prefix-list 702 out
neighbor 10.7.3.2 activate
neighbor 10.7.3.2 soft-reconfiguration inbound
neighbor 10.7.3.2 prefix-list 703in in
neighbor 10.7.3.2 prefix-list 703 out
neighbor 10.7.4.2 activate
neighbor 10.7.4.2 soft-reconfiguration inbound
neighbor 10.7.4.2 prefix-list 704in in
neighbor 10.7.4.2 prefix-list 704 out
neighbor 10.7.5.2 activate
neighbor 10.7.5.2 soft-reconfiguration inbound
neighbor 10.7.5.2 prefix-list 705in in
neighbor 10.7.5.2 prefix-list 705 out
neighbor 10.7.6.2 activate
neighbor 10.7.6.2 soft-reconfiguration inbound
neighbor 10.7.6.2 prefix-list test in
neighbor 10.7.6.2 prefix-list test1 out
neighbor 10.7.8.2 activate
neighbor 10.7.8.2 soft-reconfiguration inbound
neighbor 10.7.8.2 prefix-list 708in in
neighbor 10.7.8.2 prefix-list 708 out
neighbor 10.7.9.2 activate
neighbor 10.7.9.2 soft-reconfiguration inbound
neighbor 10.7.9.2 prefix-list 709in in
neighbor 10.7.9.2 prefix-list 709 out

which gives me the following for each neighbor

sh ip bgp neighbors 10.7.6.2 routes
BGP table version is 49099752, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 10.60.0.0/16 10.7.6.2 0 65000 i

Total number of prefixes 1

sh ip bgp neighbors 10.7.6.2 advertised-routes
BGP table version is 49099884, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 10.7.6.0/30 0.0.0.0 0 32768 i

Total number of prefixes 1

Not sure why i have a next hop of 0.0.0.0

Georg Pauwen · ‎03-29-2018

Hello,

next hop 0.0.0.0 simply means that the network 10.7.6.0/30 is locally originated. How do you advertise that network, with a 'network' statement under the address family ?

hcyrus · ‎03-29-2018

yep

address-family ipv4
network 10.7.0.0 mask 255.255.240.0 <- need to remove this one i think....
network 10.7.1.0 mask 255.255.255.252
network 10.7.2.0 mask 255.255.255.252
network 10.7.3.0 mask 255.255.255.252
network 10.7.4.0 mask 255.255.255.252
network 10.7.5.0 mask 255.255.255.252
network 10.7.6.0 mask 255.255.255.252
network 10.7.8.0 mask 255.255.255.252
network 10.7.9.0 mask 255.255.255.252