08-14-2020 06:41 AM - edited 08-14-2020 07:10 AM
All,
I understand that an attribute-map can be applied to an BGP aggregate-address statement to set certain attributes such as community. However, if I also use a suppress-map on the same statement, will the attribute-map also get applied to routes which leak through the aggregate?
In the example below, will 10.0.1.0/24 get the 65000:1 community?
router bgp 65000 [...] address-family ipv4 unicast redistribute eigrp X route-map RM-REDIST-EIGRP-BGP aggregate-address 10.0.0.0/8 suppress-map RM-CONDLEAK-BGP attribute-map RM-ATTR-DATACENTRE1 exit exit ! Negative Supress-Map. ie. If leaking, only leak these prefixes and suppress everything else:
route-map RM-CONDLEAK-BGP deny 10 description Only leak when tagged with DATACENTRE1 backdoor tag: match ip address prefix-list BPFX-CONDLEAK exit ip prefix-list BPFX-CONDLEAK seq 10 permit 10.0.1.0/24 ! Set BGP community, but will this also apply to leaking (non-suppressed) routes? route-map RM-ATTR-DATACENTRE1 permit 10 set community 65000:1 additive exit
Kind regards
James.
Solved! Go to Solution.
08-14-2020 07:35 AM
Hello @j.a.m.e.s ,
you are right I was thinking of the unsuppress-map feature that likely can be used in combination with summary-only option.
At this point I agree I don't see an easy way to set the BGP community on component routes that are denied from suppression = allowed
The set community should appear in the first deny block but I am afraid it will not be effective (to be tested but little hope)
Hope to help
Giuseppe
08-14-2020 06:59 AM
Hello @j.a.m.e.s ,
according to BGP command reference the attribute-map applies only to the aggregate route see
You can emulate the desired effect by adding a set community 65000:1 additive in the suppress-map.
However, your suppress-map should have at least one permit statement otherwise no component routes are allowed.
with a negative logic you will need
route-map RM-CONDLEAK-BGP deny 10 description Only leak when tagged with DATACENTRE1 backdoor tag: match ip address prefix-list BPFX-CONDLEAK
route-map RM-CONDLEAK-BGP permit 20
set community 65000:1 additive
Hope to help
Giuseppe
08-14-2020 07:20 AM
Thanks for pointing out that I missed the "permit all" route-map statement 20 - that is definitely needed to make sure most the component routes are suppressed!
The trouble is that I'm not sure your suggestion would work because it applies a community on the component routes to be suppressed, rather than the component routes to be announced.
Perhaps the attribute-map would simply apply to both the summary-only route and 10.0.1.0/24?
08-14-2020 07:35 AM
Hello @j.a.m.e.s ,
you are right I was thinking of the unsuppress-map feature that likely can be used in combination with summary-only option.
At this point I agree I don't see an easy way to set the BGP community on component routes that are denied from suppression = allowed
The set community should appear in the first deny block but I am afraid it will not be effective (to be tested but little hope)
Hope to help
Giuseppe
08-14-2020 08:51 AM
08-28-2022 02:58 AM
I realise this is a couple of years on, but I've since read in the nx-os configuration guide that a community can be set on the component routes leaked through the supress-map:
If you specify the suppress-map option while performing a BGP route aggregation, you can set the community attribute for a BGP route update. This option enables you to set community attributes on the more-specific routes.
Presumably this means a "set" statement within the "deny" clause of the route-map, which is a bit odd. If anyone has tested this, please let me know.
08-28-2022 01:44 PM
Just tested on nxos 7.x and it's not working as documented.
08-29-2022 05:59 AM
Hello @j.a.m.e.s ,
thanks for your feedback
I agree that with an unsupress-map and permit statement it would be more logical
Hope to help
Giuseppe
09-05-2022 08:57 AM - edited 09-05-2022 08:57 AM
TAC have opened bug CSCwc91318 with the development team to investigate.
11-26-2022 08:05 AM - edited 11-26-2022 08:11 AM
I have good news. This turned out to be a documentation bug. It's possible to set communities on components leaked through the aggregate in nx-os. It's an arcane syntax and the documentation is too brief to understand what's actually required, so let me explain by example here:
router bgp 65000
router-id 10.0.0.1
address-family ipv4 unicast
network 2.0.0.1/32 <- Will get the "Green" community
network 2.0.0.2/32 <- Will get the "Blue" community
network 2.0.0.3/32 <- Will be supressed
aggregate-address 2.0.0.0/8 suppress-map RM-SUP-TEST
exit
exit
ip route 2.0.0.1/32 Null0 name Test1
ip route 2.0.0.2/32 Null0 name Test2
ip route 2.0.0.3/32 Null0 name Test3
The outcome we want is that .1 and .2 are leaked with the appropriate communities, but .3 is supressed (aggregated into 2.0.0.0/8). To achieve this, use the following route-map:
route-map RM-SUP-TEST permit 10
description Leak these prefixes with a certain community
match ip address prefix-list PL-SUP-TEST
set community 65000:10
route-map RM-SUP-TEST permit 20
description Leak these prefixes with another community
match ip address prefix-list PL-SUP-TEST-2
set community 65000:20
route-map RM-SUP-TEST permit 30
description Supress All Other prefixes
exit
ip prefix-list PL-SUP-TEST seq 10 permit 2.0.0.1/32
ip prefix-list PL-SUP-TEST-2 seq 10 permit 2.0.0.2/32
So basically a permit statement with both a match and a set clause will act like a "deny" and therefore allow the prefix to leak through with a certain BGP community appended.
11-28-2022 03:33 AM
Hello @j.a.m.e.s ,
thanks for your feedback.
The working configuration is a little strange at first sight as the permit statement would mean to suppress the matching component route(s). However, the set action with setting BGP community attribute make the device to understand your intent that is advertise the matched component route(s) with the changed BGP community attribute.
It looks like a workaround for the lack of support of the unsupress-map option.
Hope to help
Giuseppe
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide