06-21-2018 09:17 AM - edited 03-01-2019 03:25 PM
I am trying to modify the outbound policy for an existing BGP peer on an ASR9000. I shut down the BGP session, entered the address family for the specific neighbor and removed the existing route-policy, then I applied the new route-policy for outbound traffic. It then returned the error message shown below. The objective of changing the route-policy was to deny RFC1918 prefixes outbound, as some are being leaked.
Error message when I try to commit:
After deleting the existing RPL and inserting the new RPL, then committing, I got the error message below:
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
See config applied to the BGP peer before commit
RP/0/RSP0/CPU0:name-ASR9b(config)#show confi
show confi
Thu Jun 21 04:09:48.459 EDT
Building configuration...
!! IOS XR Configuration 4.3.0
router bgp XXXX
neighbor X.X.X.X
no shutdown
address-family ipv4 unicast
route-policy RPL-description-OUT out
For the route-policy definition:
prefix-set pfx_definition_rfc1918
10.0.0.0/8 ge 8,
172.16.0.0/12 ge 12,
192.168.0.0/16 ge 16
end-set
as-path-set ASPS-definition-OUT
ios-regex '^AS_',
ios-regex '^AS_',
ios-regex '^AS_',
ios-regex '^AS_',
ios-regex '^AS_',
ios-regex '^$'
end-set
set
route-policy RPL-description-OUT
if destination in pfx_definition_rfc1918 then
drop
endif
if as-path in ASPS-definition-OUT then
pass
else
drop
endif
end-policy
Prior to the change, a different route-policy was being applied, matching only as-path. All I am trying to do is create a new route-policy to drop outbound traffic matching the RFC1918 prefix-set and pass all in as-path.
Any suggestions?
06-21-2018 09:55 AM
I put this in 4.3.4 and it worked, can you try again and when it fails capture 'show config failed'?
Thanks,
Sam
06-22-2018 06:49 AM
Thanks for looking into this. I tried it again on the node this night and it worked. When I ran "show configuration failed" I noticed that it failed because the route-policy was referencing a prefix-set that wasn't defined on this particular router, unlike the others. Once I got that fixed it went as planned.
Just out of curiosity, it appears I can't modify a route-policy attached to a BGP neighbor without first shutting down the neighbor before manipulating the RPL statement. When I tried deleting the policy statement and committing, I got the error message below:
!!% Deletion of policy [RPL-description-OUT] is not allowed because it is in use at the bgp neighbor-out-dflt attach point.
end
Thanks once again!