[c-nsp] Filtering OSPF routes from MPBGP to BGP speaker in the same VRF
Jason Lixfeld
jason at lixfeld.ca
Sun Feb 26 14:26:36 EST 2012
Yup. The failings of working on a problem until your eyes bleed :)
On 2012-02-26, at 2:04 PM, Andriy Bilous wrote:
> match community requires _ip-community_number_ not the numerical value
> of the community itself.
>
> On Sun, Feb 26, 2012 at 2:41 PM, Jason Lixfeld <jason at lixfeld.ca> wrote:
>> On 2012-02-26, at 4:14 AM, Oliver Boehmer (oboehmer) wrote:
>>
>>> iBGP as PE-CE routing protocol is not officially supported in IOS (i.e.
>>> between a real L3VPN PE and a CE as described in
>>> draft-marques-l3vpn-ibgp. running it in vrf-lite is supported for most
>>> scenarios, IIRC), and you might already have noticed this as you might
>>> have needed to tweak the next-hop manually?
>>
>> I hadn't actually gotten that far in the lab quite yet. I'm still only at the point of having a BGP table on the PEs that included more than just OSPF routes within that VRF and not being able to filter those OSPF routes from appearing in the CE BGP table.
>>
>>> Having said this, I'm not
>>> sure what prevented you from filtering out the prefixes based on some
>>> regular communities you have set when redistributing the OSPF prefixes
>>> to MP-BGP on the ingress PE1? Can you share some config examples?
>>
>> Adding the community to the OSPF routes isn't the problem. Filtering out that community from being announced to a PE-CE iBGP session is where the problems arise.
>>
>> Here's an OSPF route redistributed into MPBGP with the community 1 filtering hook added:
>>
>> ASR.2#sh ip bgp vpnv4 vrf Inetv4 11.11.11.1
>> BGP routing table entry for 21949:4:11.11.11.1/32, version 24
>> Paths: (2 available, best #2, table Inetv4)
>> Flag: 0x820
>> Advertised to update-groups:
>> 1 2
>> Local
>> 10.0.0.5 (metric 20) from 10.0.0.5 (10.0.0.5)
>> Origin incomplete, metric 31, localpref 100, valid, internal
>> Community: 1
>> Extended Community: RT:21949:4 OSPF DOMAIN ID:0x0005:0x000000640200
>> OSPF RT:0.0.0.0:5:0 OSPF ROUTER ID:10.0.0.7:0
>> mpls labels in/out 41/48
>> Local
>> 9.20.255.4 from 0.0.0.0 (10.0.0.6)
>> Origin incomplete, metric 31, localpref 100, weight 32768, valid, sourced, best
>> Community: 1
>> Extended Community: RT:21949:4 OSPF DOMAIN ID:0x0005:0x000000640200
>> OSPF RT:0.0.0.0:5:0 OSPF ROUTER ID:10.0.0.8:0
>> mpls labels in/out 41/nolabel
>> ASR.2#
>>
>> The intention is to prevent that route from being advertised to neighbor 9.20.255.4 inside vrf Inetv4:
>>
>> ASR.2#sh run | s router bgp
>> router bgp 21949
>> bgp log-neighbor-changes
>> neighbor 10.0.0.5 remote-as 21949
>> neighbor 10.0.0.5 update-source Loopback0
>> !
>> address-family ipv4
>> neighbor 10.0.0.5 activate
>> neighbor 10.0.0.5 send-community both
>> neighbor 10.0.0.5 next-hop-self
>> no auto-summary
>> no synchronization
>> exit-address-family
>> !
>> address-family vpnv4
>> neighbor 10.0.0.5 activate
>> neighbor 10.0.0.5 send-community both
>> exit-address-family
>> !
>> address-family ipv4 vrf Inetv4
>> redistribute connected
>> redistribute static
>> redistribute ospf 100 vrf Inetv4 match internal external 1 external 2 nssa-external 1 nssa-external 2 route-map OSPFtoBGP
>> neighbor 9.20.255.4 remote-as 21949
>> neighbor 9.20.255.4 activate
>> neighbor 9.20.255.4 send-community both
>> neighbor 9.20.255.4 route-reflector-client
>> neighbor 9.20.255.4 next-hop-self
>> neighbor 9.20.255.4 route-map NOOSPF out
>> no synchronization
>> network 9.20.255.0 mask 255.255.255.0
>> network 10.0.0.0 mask 255.255.255.0
>> exit-address-family
>> !
>> ASR.2#sh run | b route-map NOOSPF
>> route-map NOOSPF deny 10
>> match community 1
>> route-map NOOSPF permit 20
>> ASR.2#
>>
>> But on 7600.2/9.20.255.4/CE I still see the route tagged with community 1 even though it should be filtered on ASR.2 via route-map NOOSPF:
>>
>> 7600.2#sh ip bgp 11.11.11.1
>> BGP routing table entry for 11.11.11.1/32, version 253
>> Paths: (2 available, best #1, table Default-IP-Routing-Table, RIB-failure(17))
>> Flag: 0xBC0
>> Advertised to update-groups:
>> 1
>> Local, (Received from a RR-client)
>> 9.20.255.5 from 9.20.255.5 (10.0.0.6)
>> Origin incomplete, metric 31, localpref 100, valid, internal, best
>> Community: 1
>> Extended Community: RT:21949:4 OSPF DOMAIN ID:0x0005:0x000000640200
>> OSPF RT:0.0.0.0:5:0 OSPF ROUTER ID:10.0.0.8:0
>> Local
>> 9.20.255.3 (metric 11) from 10.0.0.3 (10.0.0.3)
>> Origin incomplete, metric 31, localpref 100, valid, internal
>> Community: 1
>> Extended Community: RT:21949:4 OSPF DOMAIN ID:0x0005:0x000000640200
>> OSPF RT:0.0.0.0:5:0 OSPF ROUTER ID:10.0.0.7:0
>> Originator: 10.0.0.5, Cluster list: 10.0.0.3
>> 7600.2#
>>
>>
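
The point made in the reply above, as an added example that is not part of the original thread: `match community` takes the number of an `ip community-list`, so the community value 1 has to be placed in a list and the route-map has to reference that list. The list number 10 is an assumption chosen here so that the list number and the community value are visibly different.

```cisco
! Standard community-list 10 (list number chosen for this example)
! permits routes that carry the BGP community value 1.
ip community-list 10 permit 1
!
! "match community 10" refers to community-list 10 defined above,
! not to a community whose value is 10.
route-map NOOSPF deny 10
 match community 10
route-map NOOSPF permit 20
!
router bgp 21949
 address-family ipv4 vrf Inetv4
  ! Unchanged from the thread: the outbound policy towards the CE.
  neighbor 9.20.255.4 route-map NOOSPF out
 exit-address-family
!
! Verification from exec mode (shown as comments):
!   show ip community-list 10
!   show ip bgp vpnv4 vrf Inetv4 neighbors 9.20.255.4 advertised-routes
```

After the outbound policy has been re-applied to the session, 11.11.11.1/32 should no longer appear in the advertised-routes output for 9.20.255.4, while prefixes without community 1 fall through to sequence 20 and are still sent.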