[c-nsp] re-advertising eBGP learned prefixes

Michael Chomicz michael.chomicz at gmail.com
Fri Oct 21 03:38:11 EDT 2011


Looks like your as-path ACL is still blocking your route.

Try:

ip as-path access-list 100 permit _30835




On Thu, Oct 20, 2011 at 6:00 PM, <cisco-nsp-request at puck.nether.net> wrote:

> Today's Topics:
>
>   1. Re: re-advertising eBGP learned prefixes (Gert Doering)
>   2. Re: re-advertising eBGP learned prefixes (Andrey Koklin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 20 Oct 2011 17:17:46 +0200
> From: Gert Doering <gert at greenie.muc.de>
> To: Andrey Koklin <aka at veco.ru>
> Cc: Gert Doering <gert at greenie.muc.de>, cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] re-advertising eBGP learned prefixes
> Message-ID: <20111020151746.GK8496 at greenie.muc.de>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> On Thu, Oct 20, 2011 at 07:13:50PM +0400, Andrey Koklin wrote:
> > ip as-path access-list 100 permit ^$
> > ip as-path access-list 101 permit _21017_
> > ip as-path access-list 102 permit _21017_21017_
>
> This...
>
> > route-map TO_VPN_CTK permit 10
> >  match ip address prefix-list TO_VPN_CTK
> >  match as-path 100
>
> ... together with this will only permit AS-paths matched by ACL 100,
> which is "^$" = "your local AS".
>
> So this AS path ACL will never permit anything learned from eBGP.
>
> Maybe this should have been
>
> ip as-path access-list 100 permit ^$
> ip as-path access-list 100 permit _21017_
> ip as-path access-list 100 permit _21017_21017_
>
> ("100" in all 3 lines)
>
> > I've just tried to remove filters. The router started to advertise all
> > but the needed prefixes, like 10.36.72.32/27...
>
> See above: the as-path filter is borked.
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
> ------------------------------
>
> Message: 2
> Date: Thu, 20 Oct 2011 19:39:45 +0400
> From: Andrey Koklin <aka at veco.ru>
> To: Gert Doering <gert at greenie.muc.de>
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] re-advertising eBGP learned prefixes
> Message-ID: <4EA040C1.8000409 at veco.ru>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 10/20/2011 19:17, Gert Doering wrote:
>
> >> ip as-path access-list 100 permit ^$
> >> ip as-path access-list 101 permit _21017_
> >> ip as-path access-list 102 permit _21017_21017_
>
> > This...
>
> >> route-map TO_VPN_CTK permit 10
> >>  match ip address prefix-list TO_VPN_CTK
> >>  match as-path 100
>
> > ... together with this will only permit AS-paths matched by ACL 100,
> > which is "^$" = "your local AS".
>
> > So this AS path ACL will never permit anything learned from eBGP.
>
> Oh, yes, this is an important error!
>
> I've now added the AS whose prefixes should be seen there.
> Now it is:
>
> -- 8< --
> router bgp 65036
>  no synchronization
>  bgp log-neighbor-changes
>  bgp redistribute-internal
>  network 10.36.0.0 mask 255.255.0.0
>  network 213.129.126.0
>  timers bgp 5 20 15
>  neighbor 10.36.254.2 remote-as 21017
>  neighbor 10.36.254.2 soft-reconfiguration inbound
>  neighbor 10.36.254.2 route-map FROM_VPN_CTK in
>  neighbor 10.36.254.2 route-map TO_VPN_CTK out
>  neighbor 213.129.126.1 remote-as 65036
>  neighbor 213.129.126.1 soft-reconfiguration inbound
>  default-information originate
>  distance bgp 100 100 10
>  no auto-summary
>
> ip as-path access-list 100 permit ^$
> ip as-path access-list 100 permit _30835_
>
> ip prefix-list TO_VPN_CTK description announced nets through CTK VPN
> ip prefix-list TO_VPN_CTK seq 10 permit 0.0.0.0/0
> ip prefix-list TO_VPN_CTK seq 20 permit 213.129.126.0/24
> ip prefix-list TO_VPN_CTK seq 30 permit 10.36.0.0/16
> ip prefix-list TO_VPN_CTK seq 35 permit 10.36.0.0/16 le 28
> ip prefix-list TO_VPN_CTK seq 40 permit 10.36.0.0/18 le 28
> ip prefix-list TO_VPN_CTK seq 50 permit 10.36.248.0/23 le 24
>
> route-map TO_VPN_CTK permit 10
>  match ip address prefix-list TO_VPN_CTK
>  match as-path 100
> -- 8< --
>
> But unfortunately, the problem remains:
>
> spring#cle ip bgp * soft
>
> spring#sh ip bgp 10.36.72.32
> BGP routing table entry for 10.36.72.32/27, version 507121
> Paths: (1 available, best #1, table Default-IP-Routing-Table)
> Flag: 0x820
>  Not advertised to any peer
>  20485 30835, (received & used)
>    10.36.2.22 (metric 3072) from 213.129.126.1 (10.36.1.1)
>      Origin incomplete, metric 0, localpref 100, valid, internal, best
>      Originator: 10.36.1.4, Cluster list: 10.36.1.1
>
>
>
> ------------------------------
>

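The thread turns on how Cisco as-path access-lists match: `^$` is only the empty path of a locally originated route, and `_` matches a space, comma, brace, parenthesis or the start/end of the path, so `_21017_` matches AS 21017 anywhere in the path. The following checker is an added example, not code from the thread or from Cisco; it emulates that `_` semantics in Python so an ACL can be tested against the exact AS path printed by `show ip bgp` before it is applied to a router (assumption: paths are written space-separated as `show ip bgp` prints them, with `""` for a locally originated route).

```python
import re

# Cisco's "_" matches a comma, brace, parenthesis, space, or the start or end of
# the AS path; every other character is ordinary regex syntax.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_to_python(pattern: str) -> "re.Pattern[str]":
    """Translate a Cisco as-path regex into an equivalent Python regex."""
    return re.compile(pattern.replace("_", UNDERSCORE))


def aspath_acl_permits(acl, as_path: str) -> bool:
    """Evaluate an ordered as-path access-list against one AS path.

    acl is a list of (action, pattern) entries in the order they were typed
    after 'ip as-path access-list N'; first match wins, implicit deny at the end.
    """
    for action, pattern in acl:
        if cisco_to_python(pattern).search(as_path):
            return action == "permit"
    return False


# Constructed AS-path strings for the cases discussed in the thread.
LOCAL = ""               # prefix originated in the local AS 65036 (matches ^$)
VIA_CTK = "21017"        # learned directly from the eBGP peer in AS 21017
VIA_RR = "20485 30835"   # the path shown for 10.36.72.32/27

# ACL 100 as first posted: only the empty path, so nothing from eBGP passes.
ORIGINAL_ACL_100 = [("permit", "^$")]
# ACL 100 as Gert suggested: all three entries in the same list.
FIXED_ACL_100 = [("permit", "^$"), ("permit", "_21017_"), ("permit", "_21017_21017_")]
# ACL 100 as posted later, with the AS behind the route reflector added.
NEW_ACL_100 = [("permit", "^$"), ("permit", "_30835_")]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL_100), ("fixed", FIXED_ACL_100), ("new", NEW_ACL_100)):
        for path in (LOCAL, VIA_CTK, VIA_RR):
            verdict = "permit" if aspath_acl_permits(acl, path) else "deny"
            print(f"{name:8s} {path!r:16s} -> {verdict}")
```

Running it shows that the original ACL denies every eBGP-learned path, and that `_30835_` already permits `20485 30835` because the trailing `_` also matches end-of-path.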
