[c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem

RPhookun at lecg.com
Tue Mar 17 18:04:29 EDT 2009


The prefix-list within the Non-Exist clause also has to *exactly* match 
the prefix in the bgp table..
Regards,
./Randy

"Ivan Pepelnjak" <ip at ioshints.info> 
Sent by: cisco-nsp-bounces at puck.nether.net
03/17/2009 02:20 PM

To
"'Dale Shaw'" <dale.shaw+cisco-nsp at gmail.com>, "'Burak Dikici'" 
<bdikici at gmail.com>
cc
cisco-nsp at puck.nether.net
Subject
Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem

Did some tests on the NON-EXIST-MAP with 12.2SRC. I was spreading wrong
rumors, time to fix them:

* The route-map checks the routes in the BGP table (_not_ in the IP routing
table). Dale was right.
* It can take a while for the routes to be advertised/withdrawn; the
non-exist-map is checked only at the BGP scan intervals (60 seconds by
default, can be adjusted).
* You can use a combination of an access-list and AS-path access-list in
the route-map.

The handling of standard access-lists used in the "match ip address"
route-map condition is a bit weird, though:

* "permit any" does _NOT_ work.
* "permit prefix 0.0.0.0" (which gets translated into "permit prefix" in
standard ACL) does _NOT_ work.
* fancy wildcard tests (for example "permit 0.0.0.0 127.255.255.255") do
_NOT_ work

It looks like:

* the IP prefix in the BGP table must match the address in the ACL exactly
(wildcard bits are ignored).
* ... but you still need the wildcard bits (inverted netmask) for the match
to work.

For example: if you want to match 10.8.8.0/24, you have to use "permit
10.8.8.0 0.0.0.255". "permit 10.8.8.0" or "permit 10.8.0.0 0.0.255.255" do
_NOT_ work.

Left to do: tests with the ip prefix-list instead of IP access list (and no,
I will NOT test extended ACL :).

Hope this helps
Ivan

> -----Original Message-----
> From: Dale Shaw [mailto:dale.shaw+cisco-nsp at gmail.com] 
> Sent: Sunday, March 15, 2009 11:33 PM
> To: Burak Dikici
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP conditional advertisement - NON-EXIST 
> route map's access-list problem
> 
> Hi Burak,
> 
> On Mon, Mar 16, 2009 at 12:06 AM, Burak Dikici 
> <bdikici at gmail.com> wrote:
> > I am trying to use
> > BGP conditional advertisement configuration. I have got a 
> problem with 
> > NON-EXIST route map's access-list. In the NON-EXIST router map I am 
> > using the commands which are written below;
> 
> Here are some notes I made recently when playing with BGP 
> conditional advertising. I hope it helps.
> 
> 1.) prefixes matched in advertise-map and exist/non-exist map 
> must exist (or not) in the *BGP* table
>  however: they do not need to be locally originated (e.g. R1 
> can match routes received from R2 and advertise (or not) to R3
>  and: the validity of the prefix in the BGP table (i.e. 
> RIB-failure) doesn't matter. if it's there, and using 
> exist-map, the condition is met.
> 
> 2.) when using 'exist' map, prefixes matched by advertise-map 
> are advertised when exist-map condition is met
>  example: advertise 1.0.0.0/8 (advertise-map) from BGP table when
> 3.20.20.0/24 (exist-map) exists in BGP table
> 
> 3.) when using 'non-exist' map, prefixes matched by 
> advertise-map are advertised when non-exist-map condition is met
>  example: advertise 1.0.0.0/8 (advertise-map) from BGP table when
> 3.20.20.0/24 (non-exist-map) does NOT exist in BGP table
> 
> 4.) prefixes matched in advertise-map are the only prefixes 
> affected -- other prefixes that may exist are advertised (or 
> not) as normal
> 
> 5.) when dealing with conditional advertisement tasks, always 
> consider what will happen normally (without any config)
> 
> I'd be happy to be corrected, but I think the first point is 
> contrary to what Ivan said. Also consider point #4 -- BGP 
> conditional advertising is not strictly a route filtering 
> mechanism, although it can be configured to achieve similar results.
> 
> cheers,
> Dale
> 
> 

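A worked model of the behaviour described in this thread, as an added example (not code from the thread, and not Cisco IOS code): it encodes Dale's points 1 to 4 (both maps are evaluated against the BGP table; advertise-map prefixes are sent only when the exist/non-exist condition holds; other prefixes go out as normal) together with the standard-ACL quirk Ivan measured (the ACL address must equal the prefix's network address, and the wildcard must be the inverted netmask). Everything except Dale's two example prefixes is constructed sample data, and the handling of wildcard values the thread does not cover is an assumption, noted in the code.

```python
import ipaddress
from typing import Iterable, List, Tuple

# A standard-ACL entry as (address, wildcard), e.g. ("10.8.8.0", "0.0.0.255").
# All entries are treated as "permit"; deny entries are not modelled (assumption).
AclEntry = Tuple[str, str]


def acl_entry_matches(entry: AclEntry, prefix: str) -> bool:
    """Model of the standard-ACL match Ivan observed for the NON-EXIST map.

    The ACL address must equal the prefix's network address exactly, and the
    wildcard must be present and equal to the inverted netmask of the prefix.
    From the thread: "permit 10.8.8.0 0.0.0.255" matches 10.8.8.0/24, while
    "permit 10.8.8.0" (implicit 0.0.0.0 wildcard) and
    "permit 10.8.0.0 0.0.255.255" do not. The thread does not say what other
    wildcard values do, so this model treats them as non-matching (assumption).
    """
    address, wildcard = entry
    net = ipaddress.IPv4Network(prefix, strict=True)
    if ipaddress.IPv4Address(address) != net.network_address:
        return False
    return ipaddress.IPv4Address(wildcard) == net.hostmask


def acl_matches(acl: Iterable[AclEntry], prefix: str) -> bool:
    """True if any entry of the ACL matches the prefix."""
    return any(acl_entry_matches(entry, prefix) for entry in acl)


def conditional_advertisement(bgp_table: Iterable[str],
                              advertise_acl: Iterable[AclEntry],
                              condition_acl: Iterable[AclEntry],
                              mode: str = "non-exist") -> List[str]:
    """Return the prefixes the router would advertise to the neighbour.

    Both maps are evaluated against the BGP table. With mode="exist" the
    advertise-map prefixes go out only when some BGP-table prefix matches
    condition_acl; with mode="non-exist" only when none does. Prefixes not
    matched by advertise_acl are sent as normal (Dale's point 4). The BGP
    scan-interval delay Ivan mentions is not modelled.
    """
    bgp_table = list(bgp_table)
    advertise_acl = list(advertise_acl)
    condition_acl = list(condition_acl)
    if mode not in ("exist", "non-exist"):
        raise ValueError("mode must be 'exist' or 'non-exist'")
    condition_prefix_present = any(acl_matches(condition_acl, p) for p in bgp_table)
    condition_met = condition_prefix_present if mode == "exist" else not condition_prefix_present

    advertised = []
    for prefix in bgp_table:
        if acl_matches(advertise_acl, prefix):
            if condition_met:
                advertised.append(prefix)
        else:
            advertised.append(prefix)  # unaffected prefix: advertised as usual
    return advertised


# Constructed sample BGP table (only 1.0.0.0/8 and 3.20.20.0/24 come from
# Dale's examples in the thread).
BGP_TABLE = ["1.0.0.0/8", "3.20.20.0/24", "192.0.2.0/24"]
ADVERTISE_ACL = [("1.0.0.0", "0.255.255.255")]
NON_EXIST_ACL_EXACT = [("3.20.20.0", "0.0.0.255")]   # matches 3.20.20.0/24
NON_EXIST_ACL_LOOSE = [("3.20.0.0", "0.0.255.255")]  # does NOT match it (Ivan's quirk)


def run_examples() -> dict:
    """Evaluate the sample scenarios and return the resulting advertisements."""
    return {
        "non-exist, exact ACL": conditional_advertisement(
            BGP_TABLE, ADVERTISE_ACL, NON_EXIST_ACL_EXACT, "non-exist"),
        "non-exist, loose ACL": conditional_advertisement(
            BGP_TABLE, ADVERTISE_ACL, NON_EXIST_ACL_LOOSE, "non-exist"),
        "exist, exact ACL": conditional_advertisement(
            BGP_TABLE, ADVERTISE_ACL, NON_EXIST_ACL_EXACT, "exist"),
    }


if __name__ == "__main__":
    for name, prefixes in run_examples().items():
        print(f"{name}: {prefixes}")
```

The "loose ACL" scenario is the operationally interesting one: the operator intends to suppress 1.0.0.0/8 while 3.20.20.0/24 is present, but because the ACL entry does not match the prefix the way Ivan describes, the non-exist condition is considered met and the prefix is advertised anyway. Checking the ACL against the actual BGP-table prefixes (and waiting out the scan interval) is the test to run before trusting such a configuration.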
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/