[c-nsp] BGP conditional advertisemet - NON-EXIST route map'saccess-list problem
RPhookun at lecg.com
RPhookun at lecg.com
Sun Mar 22 15:04:39 EDT 2009
Hi Burak,
It is working as expected.
The rib-failure status message; is expected. Here's why:
The rib-failure is saying that *this* /24 which is in the BGP table of
router# couldn't be installed in the IP routing table of router#. This is
normal because what is installed in the RIB of router # is the *connected*
version of this /24. The connected route has an AD of 0 which takes
precedence over the same route that is learned via eBGP with an AD of 20.
Regards,
./Randy
Burak Dikici <bdikici at gmail.com>
Sent by: cisco-nsp-bounces at puck.nether.net
03/22/2009 01:45 AM
To
RPhookun at lecg.com
cc
ip at ioshints.info, cisco-nsp-bounces at puck.nether.net,
cisco-nsp at puck.nether.net
Subject
Re: [c-nsp] BGP conditional advertisemet - NON-EXIST route
map'saccess-list problem
Hello ,
Here is the final result updates of the lab.
*** I have started to advertise the subnet on the ISP-1 which is between
my
router and ISP-1 router ;
ISP-1(config)#router bgp 200
ISP-1(config-router)#network 192.168.200.0 mask 255.255.255.0
ISP-1#clear ip bgp * soft
ISP-1#show ip bgp
BGP table version is 4, local router ID is 192.168.200.1
Status codes: s suppressed, d damped, h history, * valid, > best, i -
internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.0/24 192.168.200.2 0 0 10 i
*> 172.16.1.0/24 0.0.0.0 0 32768 i
*> 192.168.200.0 0.0.0.0 0 32768 i
*** I am getting RIB-failure error for 192.168.200.0 subnet on my Router.
Router#show ip bgp
BGP table version is 9, local router ID is 192.168.100.2
Status codes: s suppressed, d damped, h history, * valid, > best, i -
internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.0/24 0.0.0.0 0 32768 i
*> 172.16.1.0/24 192.168.200.1 0 1000 200 i
r> 192.168.200.0 192.168.200.1 0 1000 200 i
*** Then , i have changed the BGP conditional advertisement configuration
on
my Router like this ;
Router#
access-list 60 permit 10.1.1.0 0.0.0.255
access-list 65 permit 192.168.200.0 0.0.0.255
route-map NON-EXIST permit 10
match ip address 65
route-map ADVERTISE permit 10
match ip address 60
router bgp 10
neighbor 192.168.100.1 advertise-map ADVERTISE non-exist-map NON-EXIST
*** At the beginnning , the Advertise-map status for ISP-2 is Withdraw ;
Router#
show ip bgp neighbors 192.168.100.1
Condition-map NON-EXIST, Advertise-map ADVERTISE, status: Withdraw
ISP-2#show ip bgp
EMPTY
*** Then , i shutdown the Router's fa0/0 interface which is ISP-1
connection.
Router#
interface FastEthernet0/0 ( ISP-1 interface )
ip address 192.168.200.2 255.255.255.0
shutdown
*** The Advertise-map status for ISP-2 goes Advertise ;
Router#
show ip bgp neighbors 192.168.100.1
Condition-map NON-EXIST, Advertise-map ADVERTISE, status: Advertise
*** And ISP-2 is getting the my Router's advertisement ;
ISP-2# show ip bgp
BGP table version is 8, local router ID is 192.168.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i -
internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.0/24 192.168.100.2 0 0 10 i
*** As a result , it looks working with tracking of the subnet which is
between my router and ISP-1 router. But, i am sitll getting RIB-failure on
my router for this subnet. Does it look OK for you ?
Burak
On Sun, Mar 22, 2009 at 10:05 AM, Burak Dikici <bdikici at gmail.com> wrote:
> By the way , in the lab topology i have tried this config , but when i
> adversite 192.168.200.0 /24 subnet on ISP-1 with
>
> network 192.168.200.0 mask 255.255.255.0
> command , i am getting RIB failure error on my router ;
>
> Router#show ip bgp
> BGP table version is 9, local router ID is 192.168.100.2
> Status codes: s suppressed, d damped, h history, * valid, > best, i -
> internal,
> r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
> Network Next Hop Metric LocPrf Weight Path
> *> 10.1.1.0/24 0.0.0.0 0 32768 i
> *> 172.16.1.0/24 192.168.200.1 0 1000 200 i
> r> 192.168.200.0 192.168.200.1 0 1000 200 i
>
>
> What should i do ? I have just tried to advertise the subnet on the
ISP-1
> which is between my router and ISP-1 router.
>
>
>
> On Sun, Mar 22, 2009 at 9:46 AM, Burak Dikici <bdikici at gmail.com> wrote:
>
>> Hi Randy ,
>>
>> I couldn't understand what you mean with a local-route ? Could you
>> explain little more ?
>>
>> Burak
>>
>>
>>
>> On Sun, Mar 22, 2009 at 1:09 AM, <RPhookun at lecg.com> wrote:
>>
>>>
>>> Hi Burak,
>>> Ask ISP-A to announce the infrastructure /24 to router# as a
local-route
>>> via a network statement 192.168.x.0 mask 255.255.255.0. They may not
want to
>>> do the same via redistribute-connected(if rtr-ISP-1 is also used for
>>> peerring with other customers)
>>>
>>> ./Randy
>>>
>>>
>>>
>>> *Burak Dikici <bdikici at gmail.com>*
>>> Sent by: cisco-nsp-bounces at puck.nether.net
>>>
>>> 03/21/2009 03:34 PM
>>> To
>>> RPhookun at lecg.com cc
>>> ip at ioshints.info, cisco-nsp-bounces at puck.nether.net,
>>> cisco-nsp at puck.nether.net
>>> Subject
>>> Re: [c-nsp] BGP conditional advertisemet - NON-EXIST route
>>> map'saccess-list problem
>>>
>>>
>>>
>>>
>>>
>>> Hi Randy ,
>>>
>>> I have missied the point. I am going to talk this subject with the
ISP-1.
>>> Kind Regards.
>>>
>>> Burak Dikici
>>>
>>>
>>>
>>>
>>> On Sat, Mar 21, 2009 at 8:12 PM, <RPhookun at lecg.com> wrote:
>>>
>>> >
>>> > Hi Burak,
>>> >
>>> > I had replied with the *fix* some days ago -
>>> > You can still use the ISP-1 infrastructrure /24. You have to have
the
>>> ISP-1
>>> > router announce the /24 to router#
>>> > As you probably realise, this announcement is not required for the
>>> peering
>>> > session *itself* to be up.
>>> >
>>> > The annoucement by ISP-1 router of this /24 will cause it to appear
in
>>> > router#'s bgp table which you can then use as the tracked prefix.
>>> >
>>> > Router#'s routing table will always install only the
*connected*(d-0)
>>> > version of this /24 which is what you want! The eBGP version(d-20)
will
>>> > exist only in the bgp table as a valid prefix you can track.
>>> >
>>> > Hope this helps.
>>> > ./Randy
>>> >
>>> >
>>> >
>>> > *Burak Dikici <bdikici at gmail.com>*
>>> > Sent by: cisco-nsp-bounces at puck.nether.net
>>> >
>>> > 03/21/2009 08:19 AM
>>> > To
>>> > RPhookun at lecg.com, ip at ioshints.info cc
>>> > cisco-nsp-bounces at puck.nether.net, cisco-nsp at puck.nether.net
>>> > Subject
>>> > Re: [c-nsp] BGP conditional advertisemet - NON-EXIST route
>>> > map'saccess-list problem
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > Hello ,
>>> >
>>> > The main problem is which prefix should i track ? I can't use the
>>> > infrastructe subnet between my router and ISP-1 router , because it
is
>>> > directly connected and it is in the routing table , not in the bgp
>>> table.
>>> > I was thinking on that , then i have decided to use reliable root
DNS
>>> > servers subnets to track with acl or prefix-list , for example ;
>>> >
>>> > access-list 20 permit 198.41.0.0 0.0.0.255 /* a.root-servers.net */
>>> > access-list 20 permit 192.228.79.0 0.0.0.255 /* b.root-servers.net
*/
>>> > access-list 20 permit 192.33.4.0 0.0.0.255 /* c.root-servers.net */
>>> > access-list 20 permit 128.8.0.0 0.0.255.255 /* d.root-servers.net */
>>> >
>>> > what do you think about this idea ?
>>> >
>>> > Burak Dikici
>>> >
>>> >
>>> >
>>> >
>>> > On Thu, Mar 19, 2009 at 2:48 PM, Burak Dikici <bdikici at gmail.com>
>>> wrote:
>>> >
>>> > > Sorry about my late reply. I am very busy these days with another
>>> > project.
>>> > > I am going to test your recommendations in a few days , and going
to
>>> > reply
>>> > > back to you. Thank you all. Kind Regards...
>>> > >
>>> > > Burak Dikici
>>> > >
>>> > >
>>> > >
>>> > > On Wed, Mar 18, 2009 at 12:04 AM, <RPhookun at lecg.com> wrote:
>>> > >
>>> > >>
>>> > >> The prefix-list within the Non-Exist clause also has to *exactly*
>>> match
>>> > >> the prefix in the bgp table..
>>> > >> Regards,
>>> > >> ./Randy
>>> > >>
>>> > >>
>>> > >>
>>> > >>
>>> > >> *"Ivan Pepelnjak" <ip at ioshints.info>*
>>> > >> Sent by: cisco-nsp-bounces at puck.nether.net
>>> > >>
>>> > >> 03/17/2009 02:20 PM
>>> > >> To
>>> > >> "'Dale Shaw'"
<dale.shaw+cisco-nsp at gmail.com<dale.shaw%2Bcisco-nsp at gmail.com>
>>> <dale.shaw%2Bcisco-nsp at gmail.com <dale.shaw%252Bcisco-nsp at gmail.com>>
>>> > <dale.shaw%2Bcisco-nsp at gmail.com <dale.shaw%252Bcisco-nsp at gmail.com>
<
>>> dale.shaw%252Bcisco-nsp at gmail.com
<dale.shaw%25252Bcisco-nsp at gmail.com>>>>,
>>>
>>>
>>> >
>>> > >> "'Burak Dikici'" <bdikici at gmail.com> cc
>>> > >> cisco-nsp at puck.nether.net Subject
>>> > >> Re: [c-nsp] BGP conditional advertisemet - NON-EXIST route
>>> > >> map'saccess-list problem
>>> > >>
>>> > >>
>>> > >>
>>> > >>
>>> > >>
>>> > >> Did some tests on the NON-EXIST-MAP with 12.2SRC. I was
spreading
>>> wrong
>>> > >> rumors, time to fix them:
>>> > >>
>>> > >> * The route-map checks the routes in the BGP table (_not_ in the
IP
>>> > >> routing
>>> > >> table). Dale was right.
>>> > >> * It can take a while for the routes to be advertised/withdrawn;
the
>>> > >> non-exist-map is checked only at the BGP scan intervals (60
seconds
>>> by
>>> > >> default, can be adjusted).
>>> > >> * You can use a combination of an access-list and AS-path
>>> access-list in
>>> > >> the
>>> > >> route-map.
>>> > >>
>>> > >> The handling of standard access-lists used in the "match ip
address"
>>> > >> route-map condition is a bit weird, though:
>>> > >>
>>> > >> * "permit any" does _NOT_ work.
>>> > >> * "permit prefix 0.0.0.0" (which gets translated into "permit
>>> prefix" in
>>> > >> standard ACL) does _NOT_ work.
>>> > >> * fancy wildcard tests (for example "permit 0.0.0.0
127.255.255.255)
>>> do
>>> > >> _NOT_ work
>>> > >>
>>> > >> It looks like:
>>> > >>
>>> > >> * the IP prefix in the BGP table must match the address in the
ACL
>>> > exactly
>>> > >> (wildcard bits are ignored).
>>> > >> * ... but you still need the wildcard bits (inverted netmask) for
>>> the
>>> > >> match
>>> > >> to work.
>>> > >>
>>> > >> For example: if you want to match 10.8.8.0/24, you have to use
>>> "permit
>>> > >> 10.8.8.0 0.0.0.255". "permit 10.8.8.0" or "permit 10.8.0.0
>>> 0.0.255.255"
>>> > do
>>> > >> _NOT_ work.
>>> > >>
>>> > >> Left to do: tests with the ip prefix-list instead of IP access
list
>>> (and
>>> > >> no,
>>> > >> I will NOT test extended ACL :).
>>> > >>
>>> > >> Hope this helps
>>> > >> Ivan
>>> > >>
>>> > >> > -----Original Message-----
>>> > >> > From: Dale Shaw
[mailto:dale.shaw+cisco-nsp at gmail.com<dale.shaw%2Bcisco-nsp at gmail.com>
>>> <dale.shaw%2Bcisco-nsp at gmail.com <dale.shaw%252Bcisco-nsp at gmail.com>>
>>> > <dale.shaw%2Bcisco-nsp at gmail.com
<dale.shaw%252Bcisco-nsp at gmail.com><
>>> dale.shaw%252Bcisco-nsp at gmail.com
<dale.shaw%25252Bcisco-nsp at gmail.com>
>>> >>]
>>> > >>
>>> > >> > Sent: Sunday, March 15, 2009 11:33 PM
>>> > >> > To: Burak Dikici
>>> > >> > Cc: cisco-nsp at puck.nether.net
>>> > >> > Subject: Re: [c-nsp] BGP conditional advertisemet - NON-EXIST
>>> > >> > route map'saccess-list problem
>>> > >> >
>>> > >> > Hi Burak,
>>> > >> >
>>> > >> > On Mon, Mar 16, 2009 at 12:06 AM, Burak Dikici
>>> > >> > <bdikici at gmail.com> wrote:
>>> > >> > > i am trying to use
>>> > >> > > BGP conditional advertisemet configuration. I have got a
>>> > >> > problem with
>>> > >> > > NON-EXIST route map's access-list. In the NON-EXIST router
map i
>>> am
>>> > >> > > using the commands which is written below ;
>>> > >> >
>>> > >> > Here are some notes I made recently when playing with BGP
>>> > >> > conditional advertising. I hope it helps.
>>> > >> >
>>> > >> > 1.) prefixes matched in advertise-map and exist/non-exist map
>>> > >> > must exist (or not) in the *BGP* table
>>> > >> > however: they do not need to be locally originated (e.g. R1
>>> > >> > can match routes received from R2 and advertise (or not) to R3
>>> > >> > and: the validity of the prefix in the BGP table (i.e.
>>> > >> > RIB-failure) doesn't matter. if there's there, and using
>>> > >> > exist-map, the condition is met.
>>> > >> >
>>> > >> > 2.) when using 'exist' map, prefixes matched by advertise-map
>>> > >> > are advertised when exist-map condition is met
>>> > >> > example: advertise 1.0.0.0/8 (advertise-map) from BGP table
when
>>> > >> > 3.20.20.0/24 (exist-map) exists in BGP table
>>> > >> >
>>> > >> > 3.) when exist 'non-exist' map, prefixes matched by
>>> > >> > advertise-map are advertised when non-exist-map condition is
met
>>> > >> > example: advertise 1.0.0.0/8 (advertise-map) from BGP table
when
>>> > >> > 3.20.20.0/24 (non-exist-map) does NOT exist in BGP table
>>> > >> >
>>> > >> > 4.) prefixes matched in advertise-map are the only prefixes
>>> > >> > affected -- other prefixes that may exist are advertised (or
>>> > >> > not) as normal
>>> > >> >
>>> > >> > 5.) when dealing with conditional advertisement tasks, always
>>> > >> > consider what will happen normally (without any config)
>>> > >> >
>>> > >> > I'd be happy to be corrected, but I think the first point is
>>> > >> > contrary to what Ivan said. Also consider point #4 -- BGP
>>> > >> > conditional advertising is not strictly a route filtering
>>> > >> > mechanism, although it can be configured to achieve similar
>>> results.
>>> > >> >
>>> > >> > cheers,
>>> > >> > Dale
>>> > >> >
>>> > >> >
>>> > >>
>>> > >> _______________________________________________
>>> > >> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> > >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> > >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>> > >>
>>> > >>
>>> > >
>>> > _______________________________________________
>>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>>> >
>>> >
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
>>
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list