[c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem
Burak Dikici
bdikici at gmail.com
Sun Mar 22 04:05:29 EDT 2009
By the way, in the lab topology I have tried this config, but when I
advertise the 192.168.200.0/24 subnet on ISP-1 with the
network 192.168.200.0 mask 255.255.255.0
command, I am getting a RIB-failure error on my router;
Router#show ip bgp
BGP table version is 9, local router ID is 192.168.100.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.0/24 0.0.0.0 0 32768 i
*> 172.16.1.0/24 192.168.200.1 0 1000 200 i
r> 192.168.200.0 192.168.200.1 0 1000 200 i
What should I do? I have just tried to advertise the subnet on ISP-1,
which is between my router and the ISP-1 router.
On Sun, Mar 22, 2009 at 9:46 AM, Burak Dikici <bdikici at gmail.com> wrote:
> Hi Randy ,
>
> I couldn't understand what you mean by a local route. Could you explain a
> little more?
>
> Burak
>
>
>
> On Sun, Mar 22, 2009 at 1:09 AM, <RPhookun at lecg.com> wrote:
>
>>
>> Hi Burak,
>> Ask ISP-A to announce the infrastructure /24 to router# as a local route
>> via a network statement, 192.168.x.0 mask 255.255.255.0. They may not want to
>> do the same via redistribute connected (if rtr-ISP-1 is also used for
>> peering with other customers).
>>
>> ./Randy
>>
>>
>>
>> *Burak Dikici <bdikici at gmail.com>*
>> Sent by: cisco-nsp-bounces at puck.nether.net
>> 03/21/2009 03:34 PM
>> To: RPhookun at lecg.com
>> cc: ip at ioshints.info, cisco-nsp-bounces at puck.nether.net, cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem
>>
>> Hi Randy ,
>>
>> I have missed the point. I am going to talk about this subject with ISP-1.
>> Kind Regards.
>>
>> Burak Dikici
>>
>>
>>
>>
>> On Sat, Mar 21, 2009 at 8:12 PM, <RPhookun at lecg.com> wrote:
>>
>> >
>> > Hi Burak,
>> >
>> > I had replied with the *fix* some days ago -
>> > You can still use the ISP-1 infrastructure /24. You have to have the ISP-1
>> > router announce the /24 to router#.
>> > As you probably realise, this announcement is not required for the peering
>> > session *itself* to be up.
>> >
>> > The announcement by the ISP-1 router of this /24 will cause it to appear in
>> > router#'s BGP table, which you can then use as the tracked prefix.
>> >
>> > Router#'s routing table will always install only the *connected* (distance 0)
>> > version of this /24, which is what you want! The eBGP version (distance 20) will
>> > exist only in the BGP table as a valid prefix you can track.
>> >
>> > Hope this helps.
>> > ./Randy
>> >
>> >
>> >
>> > *Burak Dikici <bdikici at gmail.com>*
>> > Sent by: cisco-nsp-bounces at puck.nether.net
>> > 03/21/2009 08:19 AM
>> > To: RPhookun at lecg.com, ip at ioshints.info
>> > cc: cisco-nsp-bounces at puck.nether.net, cisco-nsp at puck.nether.net
>> > Subject: Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem
>> >
>> > Hello ,
>> >
>> > The main problem is which prefix should I track? I can't use the
>> > infrastructure subnet between my router and the ISP-1 router, because it is
>> > directly connected and it is in the routing table, not in the BGP table.
>> > I was thinking about that, then I decided to use reliable root DNS
>> > server subnets to track with an ACL or prefix-list, for example;
>> >
>> > access-list 20 permit 198.41.0.0 0.0.0.255 /* a.root-servers.net */
>> > access-list 20 permit 192.228.79.0 0.0.0.255 /* b.root-servers.net */
>> > access-list 20 permit 192.33.4.0 0.0.0.255 /* c.root-servers.net */
>> > access-list 20 permit 128.8.0.0 0.0.255.255 /* d.root-servers.net */
>> >
>> > What do you think about this idea?
>> >
>> > Burak Dikici
>> >
>> >
>> >
>> >
>> > On Thu, Mar 19, 2009 at 2:48 PM, Burak Dikici <bdikici at gmail.com>
>> wrote:
>> >
>> > > Sorry about my late reply. I am very busy these days with another
>> > > project. I am going to test your recommendations in a few days, and am
>> > > going to reply back to you. Thank you all. Kind Regards...
>> > >
>> > > Burak Dikici
>> > >
>> > >
>> > >
>> > > On Wed, Mar 18, 2009 at 12:04 AM, <RPhookun at lecg.com> wrote:
>> > >
>> > >>
>> > >> The prefix-list within the non-exist clause also has to *exactly* match
>> > >> the prefix in the BGP table.
>> > >> Regards,
>> > >> ./Randy
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> *"Ivan Pepelnjak" <ip at ioshints.info>*
>> > >> Sent by: cisco-nsp-bounces at puck.nether.net
>> > >> 03/17/2009 02:20 PM
>> > >> To: "'Dale Shaw'" <dale.shaw+cisco-nsp at gmail.com>, "'Burak Dikici'" <bdikici at gmail.com>
>> > >> cc: cisco-nsp at puck.nether.net
>> > >> Subject: Re: [c-nsp] BGP conditional advertisement - NON-EXIST route map's access-list problem
>> > >>
>> > >> Did some tests on the NON-EXIST-MAP with 12.2SRC. I was spreading wrong
>> > >> rumors, time to fix them:
>> > >>
>> > >> * The route-map checks the routes in the BGP table (_not_ in the IP routing
>> > >> table). Dale was right.
>> > >> * It can take a while for the routes to be advertised/withdrawn; the
>> > >> non-exist-map is checked only at the BGP scan intervals (60 seconds by
>> > >> default, can be adjusted).
>> > >> * You can use a combination of an access-list and an AS-path access-list in
>> > >> the route-map.
>> > >>
>> > >> The handling of standard access-lists used in the "match ip address"
>> > >> route-map condition is a bit weird, though:
>> > >>
>> > >> * "permit any" does _NOT_ work.
>> > >> * "permit prefix 0.0.0.0" (which gets translated into "permit prefix" in a
>> > >> standard ACL) does _NOT_ work.
>> > >> * fancy wildcard tests (for example "permit 0.0.0.0 127.255.255.255") do
>> > >> _NOT_ work.
>> > >>
>> > >> It looks like:
>> > >>
>> > >> * the IP prefix in the BGP table must match the address in the ACL exactly
>> > >> (wildcard bits are ignored).
>> > >> * ... but you still need the wildcard bits (inverted netmask) for the match
>> > >> to work.
>> > >>
>> > >> For example: if you want to match 10.8.8.0/24, you have to use "permit
>> > >> 10.8.8.0 0.0.0.255". "permit 10.8.8.0" or "permit 10.8.0.0 0.0.255.255" do
>> > >> _NOT_ work.
>> > >>
>> > >> Left to do: tests with the ip prefix-list instead of the IP access list (and
>> > >> no, I will NOT test extended ACLs :).
>> > >>
>> > >> Hope this helps
>> > >> Ivan
>> > >>
>> > >> > -----Original Message-----
>> > >> > From: Dale Shaw [mailto:dale.shaw+cisco-nsp at gmail.com]
>> > >> > Sent: Sunday, March 15, 2009 11:33 PM
>> > >> > To: Burak Dikici
>> > >> > Cc: cisco-nsp at puck.nether.net
>> > >> > Subject: Re: [c-nsp] BGP conditional advertisement - NON-EXIST
>> > >> > route map's access-list problem
>> > >> >
>> > >> > Hi Burak,
>> > >> >
>> > >> > On Mon, Mar 16, 2009 at 12:06 AM, Burak Dikici
>> > >> > <bdikici at gmail.com> wrote:
>> > >> > > I am trying to use
>> > >> > > BGP conditional advertisement configuration. I have got a
>> > >> > problem with
>> > >> > > the NON-EXIST route map's access-list. In the NON-EXIST route map I am
>> > >> > > using the commands which are written below;
>> > >> >
>> > >> > Here are some notes I made recently when playing with BGP
>> > >> > conditional advertising. I hope it helps.
>> > >> >
>> > >> > 1.) prefixes matched in advertise-map and exist/non-exist map
>> > >> > must exist (or not) in the *BGP* table
>> > >> > however: they do not need to be locally originated (e.g. R1
>> > >> > can match routes received from R2 and advertise (or not) to R3)
>> > >> > and: the validity of the prefix in the BGP table (i.e.
>> > >> > RIB-failure) doesn't matter. if it's there, and using
>> > >> > exist-map, the condition is met.
>> > >> >
>> > >> > 2.) when using 'exist' map, prefixes matched by advertise-map
>> > >> > are advertised when exist-map condition is met
>> > >> > example: advertise 1.0.0.0/8 (advertise-map) from BGP table when
>> > >> > 3.20.20.0/24 (exist-map) exists in BGP table
>> > >> >
>> > >> > 3.) when using 'non-exist' map, prefixes matched by
>> > >> > advertise-map are advertised when non-exist-map condition is met
>> > >> > example: advertise 1.0.0.0/8 (advertise-map) from BGP table when
>> > >> > 3.20.20.0/24 (non-exist-map) does NOT exist in BGP table
>> > >> >
>> > >> > 4.) prefixes matched in advertise-map are the only prefixes
>> > >> > affected -- other prefixes that may exist are advertised (or
>> > >> > not) as normal
>> > >> >
>> > >> > 5.) when dealing with conditional advertisement tasks, always
>> > >> > consider what will happen normally (without any config)
>> > >> >
>> > >> > I'd be happy to be corrected, but I think the first point is
>> > >> > contrary to what Ivan said. Also consider point #4 -- BGP
>> > >> > conditional advertising is not strictly a route filtering
>> > >> > mechanism, although it can be configured to achieve similar results.
>> > >> >
>> > >> > cheers,
>> > >> > Dale
>> > >> >
>> > >> >
>> > >>
>> > >> _______________________________________________
>> > >> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> > >>
>> > >>
>> > >
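The IOS configuration below is an added example, not configuration posted by anyone in this thread. It puts together the design the thread converges on: ISP-1 originates the link /24 with a network statement (Randy), the customer router tracks that /24 in its BGP table with a non-exist-map whose standard ACL names the prefix exactly together with its wildcard bits (Ivan), and the RIB-failure on the eBGP copy is irrelevant because only the BGP table is consulted (Dale). Addresses are taken from Burak's "show ip bgp" output (link 192.168.200.0/24, ISP-1 next hop 192.168.200.1, neighbor AS 1000, customer prefix 10.1.1.0/24). Everything else is assumed for illustration: customer AS 65000, a second upstream "ISP-2" at 192.168.100.1 in AS 2000, and all ACL numbers, AS-path list numbers and route-map names.

```ios
! Added example (not from the thread). ASSUMED: customer AS 65000, ISP-2 at
! 192.168.100.1 in AS 2000, ACL/as-path numbers and route-map names.

!--- rtr-ISP-1: originate the link /24 with a network statement so that it
!--- shows up in the customer's BGP table. No redistribute connected needed,
!--- so other customers peering on this router are unaffected.
router bgp 1000
 network 192.168.200.0 mask 255.255.255.0
 neighbor 192.168.200.2 remote-as 65000

!--- Customer router (router ID 192.168.100.2).
!--- Goal: advertise 10.1.1.0/24 to ISP-2 only while the ISP-1 session is
!--- down, i.e. while 192.168.200.0/24 learned from AS 1000 is absent from
!--- the BGP table. While ISP-1 is up the prefix is withdrawn from ISP-2.
router bgp 65000
 !--- The non-exist-map is only evaluated on the BGP scanner run; the
 !--- default is 60 s, so failover can lag by up to a full scan interval.
 bgp scan-time 15
 network 10.1.1.0 mask 255.255.255.0
 neighbor 192.168.200.1 remote-as 1000
 neighbor 192.168.100.1 remote-as 2000
 neighbor 192.168.100.1 advertise-map ADV-TO-ISP2 non-exist-map ISP1-LINK-PRESENT
!
!--- Standard ACLs. Per Ivan's 12.2SRC tests the address must equal the BGP
!--- prefix exactly AND the wildcard (inverted mask) must be present:
!--- "permit 192.168.200.0", "permit 192.168.0.0 0.0.255.255" and
!--- "permit any" all fail to match.
access-list 10 permit 192.168.200.0 0.0.0.255
access-list 11 permit 10.1.1.0 0.0.0.255
!
!--- Also require the tracked /24 to have been learned from neighbor AS 1000
!--- (Burak's table shows path "1000 200", hence ^1000_ rather than ^1000$).
!--- Without this, a copy of the same /24 arriving via ISP-2 would keep the
!--- condition satisfied after the ISP-1 session has failed.
ip as-path access-list 1 permit ^1000_
!
route-map ISP1-LINK-PRESENT permit 10
 match ip address 10
 match as-path 1
!
route-map ADV-TO-ISP2 permit 10
 match ip address 11
```

To verify: `show ip bgp 192.168.200.0` should show the eBGP copy as valid even though it is flagged "r" (RIB-failure), because the connected route (distance 0) wins over eBGP (distance 20) in the routing table; that flag is expected and does not stop the map from matching. `show ip bgp neighbors 192.168.100.1` reports the condition state as "status: Withdraw" while the tracked /24 is present and "status: Advertise" after it disappears, and `show ip bgp neighbors 192.168.100.1 advertised-routes` confirms whether 10.1.1.0/24 is currently being sent. Failover is gated by the scanner interval, so after shutting the ISP-1 session in a lab, wait at least one `bgp scan-time` period before judging the result.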