[nsp] adding communities to ibgp originated routes

Danny McPherson danny at tcb.net
Tue Jun 1 12:02:50 EDT 2004


On Jun 1, 2004, at 3:49 AM, Gert Doering wrote:

> Hi
>
> On Mon, May 31, 2004 at 06:35:58PM -0700, matthew zeier wrote:
>> What's the most common method of adding communities to ibgp routes? Have
>> the originating routes with a route-map to all ibgp peers matching an ACL
>> and setting a community?
>
> we do:
>
> router bgp 5539
>   address-family ipv4
>     network a.b.0.0 mask 255.255.0.0 route-map set-local-community
>
> route-map set-local-community permit 10
>   set community 5539:abc
>
> I'm not sure whether this is the "commonly accepted wisdom" to do it, but
> it sounds more convenient than having to have additional route-maps on
> all iBGP sessions ("yet another thing to forget", even with peer-groups).

Indeed, and be sure not to forget "neighbor x.x.x.x send-community" :-)

In addition, it's a good idea to be explicit with route advertisement policy.
That is, permit expressly defined communities and deny all others (e.g., routes
with no communities).  I've found instances where routes were being leaked
because an ACL rewrite for a match component of a route-map was occurring
during a BGP redistribution process run while the referenced ACL didn't exist
at that instant and eBGP advertisement policies were implicit (e.g., "if these
communities are NOT there advertise the route").

Of course, the routes were withdrawn during the subsequent run some 60
seconds later, but nonetheless (ohh, and this is just another reason I'm not a
fan of redistribution), but the lesson applies equally here :-)

-danny
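
Added example, not part of the original message: a simplified model of route-map evaluation (not IOS code) comparing an implicit eBGP export policy with an explicit one when a route arrives with no communities, the case described above. The community values 5539:100 and 5539:900 and the prefixes are constructed for illustration.

```python
# Simplified model of an eBGP export route-map: ordered clauses, first match
# decides, implicit deny at the end. Not vendor code; all values are constructed.

def evaluate(route_map, communities):
    """Return True if a route with these communities would be advertised."""
    for action, match in route_map:
        # match=None models a clause with no match statement (matches all).
        if match is None or match & communities:
            return action == "permit"
    return False  # implicit deny: nothing matched

INTERNAL = {"5539:900"}    # hypothetical "do not export" community
EXPORTABLE = {"5539:100"}  # hypothetical "announce to eBGP peers" community

# Implicit policy: drop routes tagged internal, advertise everything else.
IMPLICIT_OUT = [("deny", INTERNAL), ("permit", None)]
# Explicit policy: advertise only routes tagged exportable, drop everything else.
EXPLICIT_OUT = [("permit", EXPORTABLE)]

ROUTES = {  # constructed sample table: prefix -> communities on the route
    "192.0.2.0/24": {"5539:100"},     # tagged for export
    "198.51.100.0/24": {"5539:900"},  # internal, tagged correctly
    "203.0.113.0/24": set(),          # internal, but the tagging step was missed
}

def advertised(route_map):
    """Prefixes the policy would send to an eBGP peer."""
    return sorted(p for p, c in ROUTES.items() if evaluate(route_map, c))

def leaked(route_map):
    """Advertised prefixes that do not carry an exportable community."""
    return [p for p in advertised(route_map) if not ROUTES[p] & EXPORTABLE]

if __name__ == "__main__":
    for name, rm in (("implicit", IMPLICIT_OUT), ("explicit", EXPLICIT_OUT)):
        print(f"{name}: advertises {advertised(rm)}, leaks {leaked(rm)}")
```

The untagged prefix passes the implicit policy because nothing denies it, while the explicit policy drops it at the implicit deny.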



More information about the cisco-nsp mailing list