[c-nsp] route-map IN / OUT deny issue
Tony Varriale
tvarriale at comcast.net
Mon Mar 1 23:55:23 EST 2010
Looks right to me. No match statement = bad.
Try matching a prefix list that matches all prefixes and then deny.
tv
----- Original Message -----
From: "Andy B." <globichen at gmail.com>
To: <cisco-nsp at puck.nether.net>
Sent: Monday, March 01, 2010 5:40 PM
Subject: [c-nsp] route-map IN / OUT deny issue
> Instead of shutting down my transit BGP neighbor, I was updating my
> route-maps from and to my transit with this, so that I would send 0
> prefixes from me and receive 0 prefixes from him.
>
> route-map TRANSIT-IN deny 10
> route-map TRANSIT-OUT deny 10
>
> my BGP config is like this:
>
> neighbor x.x.x.x remote-as 1234
> neighbor x.x.x.x route-map TRANSIT-IN in
> neighbor x.x.x.x route-map TRANSIT-IN out
>
> After I did these 2 deny lines, my router has gone nuts, starting to
> drop many many BGP sessions with various peers and customers, mostly
> with this message:
>
>
> %BGP-3-NOTIFICATION: sent to neighbor y.y.y.187 4/0 (hold time expired) 0 bytes
>
> OSPF was going down and up as well.
>
> This kept going all the time until after about 1 hour I removed both
> route-map IN/OUT deny 10 lines, then after a few minutes, everything
> became stable again.
>
> CPU was obviously at 100%:
>
> CPU utilization for five seconds: 100%/10%; one minute: 99%; five minutes: 96%
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> 442 34802356 21731575 1601 58.38% 56.35% 56.52% 0 BGP Router
> 329 938516 1208660 776 15.99% 17.63% 15.58% 0 IP RIB Update
> 340 227608 1498205 151 3.88% 7.43% 6.58% 0 XDR mcast
> 563 38626436 284432 135801 3.88% 3.41% 3.53% 0 BGP Scanner
> 273 5178956 43762732 118 0.85% 0.99% 0.92% 0 IP Input
>
> All I wanted to do was to "mute" the BGP session with one of my
> transits, for testing purpose, without shutting down the BGP session.
>
> Router: 6504 with sup720-3bxl on IOS SXI3
>
> What did I do wrong here? I cannot imagine that a simple route-map
> deny line can do such harm...?
>
> Andy
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
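
The suggestion in the reply above, written out as IOS configuration. This is an added example, not part of the original thread. The prefix-list name `MATCH-ALL` and the `<local-as>` placeholder are hypothetical, IPv4 unicast is assumed, and `TRANSIT-OUT` is attached outbound on the assumption that this was the intent (the neighbor lines as posted attach `TRANSIT-IN` in both directions).

```cisco
! Hypothetical prefix-list name; matches every IPv4 prefix of any length
ip prefix-list MATCH-ALL seq 5 permit 0.0.0.0/0 le 32
!
! Deny clauses with an explicit match statement
route-map TRANSIT-IN deny 10
 match ip address prefix-list MATCH-ALL
!
route-map TRANSIT-OUT deny 10
 match ip address prefix-list MATCH-ALL
!
! <local-as> is a placeholder for the local AS number
router bgp <local-as>
 neighbor x.x.x.x remote-as 1234
 neighbor x.x.x.x route-map TRANSIT-IN in
 neighbor x.x.x.x route-map TRANSIT-OUT out
!
! From exec mode: re-apply policy without resetting the session, then verify
! that nothing is accepted from or advertised to the neighbor
! clear ip bgp x.x.x.x soft in
! clear ip bgp x.x.x.x soft out
! show ip bgp neighbors x.x.x.x routes
! show ip bgp neighbors x.x.x.x advertised-routes
```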