VRF External Route

Justin Reeve
Level 1

Hi,

 I have a route to 10.18.0.1 in my routing table of my VRF and I'm not sure where it came from. I don't have 158.165.244.0 as a BGP neighbor in the VRF. I'd also like to know what it means by "(default)" in the output. All I can tell from BGP is that the route has been received via redistribution e.g. "Origin incomplete" although I'm only redistributing static and connected.

 

show ip rou vrf VRF_A 10.18.0.1

Routing Table: VRF_A
Routing entry for 10.18.0.0/25
Known via "bgp 60095", distance 200, metric 0, type internal
Last update from 158.165.244.0 7w0d ago
Routing Descriptor Blocks:
* 158.165.244.0 (default), from 158.165.244.0, 7w0d ago
Route metric is 0, traffic share count is 1
AS Hops 0
MPLS label: 28
MPLS Flags: MPLS Required, NSF

 

show ip bgp vpnv4 vrf VRF_A 10.18.0.1
BGP routing table entry for 60095:2000:10.18.0.1/25, version 3220182
BGP Bestpath: deterministic-med
Paths: (1 available, best #1, table VRF_A)
Flag: 0x100
Advertised to update-groups:
128 188
Refresh Epoch 5
Local
158.165.244.0 (metric 101) (via default) from 158.165.244.0 (158.165.244.0)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Extended Community: RT:60095:2000
mpls labels in/out nolabel/28
rx pathid: 0, tx pathid: 0x0

 

router bgp 60095
!
address-family ipv4 vrf VRF_A
bgp router-id 158.165.244.1
redistribute connected
redistribute static
neighbor 10.191.254.6 remote-as 64435
neighbor 10.191.254.6 description VRF_A Man
neighbor 10.191.254.6 activate
neighbor 10.191.254.6 next-hop-self all
neighbor 10.191.254.6 allowas-in
neighbor 158.165.244.11 remote-as 64435
neighbor 158.165.244.11 description VRF_A FW
neighbor 158.165.244.11 fall-over
neighbor 158.165.244.11 activate
neighbor 158.165.244.11 next-hop-self all
neighbor 158.165.244.11 as-override
default-information originate
exit-address-family

 

Thanks in advance 

 

J

1 Accepted Solution


jcockburn
Level 1

Hey @Justin Reeve ,

Looks like this might come from another PE router in your AS... Router with RID 158.165.244.0


3 Replies

Hello,

 

I am not prejudiced, but looking at the source/country of origin of the AS, be careful, this could be a hack attempt. Don't try and peer with them!

 

https://bgp.he.net/AS60095

 

As a matter of fact, I would put in an as-path filter asap to block that AS...

jcockburn
Level 1

Hey @Justin Reeve ,

Looks like this might come from another PE router in your AS... Router with RID 158.165.244.0

Thanks, looking at the peer I can see that it's being redistributed into BGP via connected.

 

Remote peer:

 

address-family ipv4 vrf VRF_A
bgp router-id 158.165.244.0
redistribute connected
redistribute static

 

Routing Table: VRF_A
Routing entry for 10.18.0.0/25
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via bgp 60095
Advertised by bgp 60095
Routing Descriptor Blocks:
* directly connected, via BDI2202
Route metric is 0, traffic share count is 1

 

I now see where the (default) is coming into this too; it's the default routing table for the VRF. I can see it being received from the PE:

 

show ip bgp vpnv4 all neigh 158.165.244.0 routes

 

Route Distinguisher: 60095:2000 (default for vrf VRF_A) VRF Router ID 158.165.244.1
* i 0.0.0.0 158.165.244.0 0 100 0 65335 i
*>i 10.18.0.0/25 158.165.244.0 0 100 0 ?
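
The provenance check the thread works through by eye, as an added example (not code from the thread or from Cisco): a Python sketch that reads `show ip bgp vpnv4 vrf` path output and reports whether the path was learned over iBGP and which AS originated it. `classify` and its verdict strings are hypothetical names, and the sample is constructed from the output quoted in the first post.

```python
import re

# Constructed sample: path lines copied from the "show ip bgp vpnv4 vrf VRF_A"
# output quoted in the thread (indentation does not matter to the parser).
SAMPLE = """\
BGP routing table entry for 60095:2000:10.18.0.1/25, version 3220182
Paths: (1 available, best #1, table VRF_A)
Refresh Epoch 5
Local
158.165.244.0 (metric 101) (via default) from 158.165.244.0 (158.165.244.0)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Extended Community: RT:60095:2000
mpls labels in/out nolabel/28
"""

IP = r"\d+\.\d+\.\d+\.\d+"
PATH_RE = re.compile(rf"^\s*(?P<nh>{IP})\b.*\bfrom (?P<peer>{IP}) \((?P<rid>{IP})\)")

def classify(output):
    """Hypothetical helper: report where a VRF BGP path was originated and learned."""
    lines = output.splitlines()
    info = {"as_path": [], "next_hop": None, "peer": None, "router_id": None,
            "internal": False, "origin": None, "route_targets": [], "verdict": "unknown"}
    for i, line in enumerate(lines):
        m = PATH_RE.match(line)
        if m and i > 0:
            info.update(next_hop=m["nh"], peer=m["peer"], router_id=m["rid"])
            # The line above the next hop is the AS path; "Local" means it is empty.
            info["as_path"] = re.findall(r"\b\d+\b", lines[i - 1].split(",")[0])
        elif line.strip().startswith("Origin "):
            fields = [f.strip() for f in line.split(",")]
            info["origin"] = fields[0].split()[1]   # IGP, EGP or incomplete
            info["internal"] = "internal" in fields
        elif "Extended Community:" in line:
            info["route_targets"] = re.findall(r"RT:(\d+:\d+)", line)
    if info["next_hop"] is None:
        return info  # no path line found, verdict stays "unknown"
    learned = "ibgp" if info["internal"] else "ebgp-or-local"
    # An empty AS path means the prefix was originated inside the local AS.
    origin_as = info["as_path"][-1] if info["as_path"] else "own-as"
    info["verdict"] = f"{learned}:{origin_as}"
    return info

if __name__ == "__main__":
    r = classify(SAMPLE)
    print(f"{r['verdict']} from router-id {r['router_id']}, RT {r['route_targets']}")
```

A verdict of `ibgp:own-as` together with a router ID that is not a configured VRF neighbor points at another PE in the same AS exporting the prefix with a matching route target, which is what the thread concludes.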
