[c-nsp] prevent route entering fib

Erik Klaassen e.klaassen at fr-ix.nl
Tue Nov 17 06:01:43 EST 2015


My bad, typo in the config. BGP-SD is working.
I think I will do some more community tag regex confu and use this.

Lab config to test BGP-SD.

router bgp 199
 neighbor 10.0.0.2 remote-as 199
 neighbor 10.0.0.2 description EXABGP
 neighbor 192.168.0.2 remote-as 55
 neighbor 192.168.0.2 description TRANSIT
 !
 address-family ipv4
  no synchronization
  table-map bgp-to-fib filter
  network 10.41.144.0 mask 255.255.252.0
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 route-map EXABGP in
  neighbor 192.168.0.2 activate
  neighbor 192.168.0.2 send-community
  neighbor 192.168.0.2 route-map TRANSIT out
 exit-address-family
!
!
ip bgp-community new-format
ip community-list 100 permit 199:100
ip route 10.41.144.0 255.255.252.0 Null0
!
!
ip prefix-list CUST_SEL_BLACKHOLE_32 seq 5 permit 10.41.144.0/22 ge 32
!
ip prefix-list CUST_PREFIX seq 5 permit 10.41.144.0/22
!
ip prefix-list TEST_PREFIX_147_24 seq 5 permit 10.41.147.0/24
!
route-map bgp-to-fib deny 10
 match community 100
!
route-map TRANSIT permit 10
 match ip address prefix-list CUST_PREFIX
!
route-map TRANSIT permit 20
 description announce /24 via specific transit
 match ip address prefix-list TEST_PREFIX_147_24
 set community none
!
route-map TRANSIT permit 10
 match ip address prefix-list CUST_SEL_BLACKHOLE_32
 set community 55:664
!
route-map EXABGP permit 10
 description limit-exabgp
 match ip address prefix-list TEST_PREFIX_147_24
 match community 100
!
route-map EXABGP permit 20
 description limit-exabgp
 match ip address prefix-list CUST_SEL_BLACKHOLE_32
 match community 100



Erik

----- Original message -----
From: "Mark Tinka" <mark.tinka at seacom.mu>
To: "Erik Klaassen" <e.klaassen at fr-ix.nl>, cisco-nsp at puck.nether.net
Sent: Tuesday 17 November 2015 10:44:39
Subject: Re: [c-nsp] prevent route entering fib

On 16/Nov/15 20:26, Erik Klaassen wrote:

> I have a fastnetmon/exabgp instance to inject routes into the border router (7600 / 720-3b-xl) to trigger remote blackholing.
> Triggering a blackhole null route is easy. But now I want to implement selective blackholing (my upstream supports this).
> The key thing is not to null route in your own network.
> What is the best way to prevent the exabgp route entering the fib? I tried selective download (table-map ROUTE-MAP filter), but as soon as I apply a route-map on the exabgp neighbor the table-map filter doesn't work anymore. I hope you have some suggestions.

Can we see this configuration? Maybe I'm not understanding, clearly, the
issues you're facing with BGP-SD, as it works well for us.

Mark.
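
Added example, not part of the original thread and not the poster's code: a small Python model of the lab config's inbound route-map EXABGP and the table-map filter, showing which received routes reach the BGP table and which are downloaded to the FIB. It assumes standard IOS route-map semantics (first matching entry decides, implicit deny at the end); the route-map name bgp-to-fib-permit-rest and the sample routes are hypothetical, added to show the effect of a trailing permit entry.

```python
import ipaddress

# Constructed from the lab config above. Prefix-list entries are (network, ge, le);
# an IOS entry without ge/le is an exact-length match, and "ge 32" implies le 32.
PREFIX_LISTS = {
    "CUST_SEL_BLACKHOLE_32": [("10.41.144.0/22", 32, 32)],
    "TEST_PREFIX_147_24": [("10.41.147.0/24", 24, 24)],
}
# Simplification: list 100 is modelled as an exact match on 199:100
# (on IOS, number 100 falls in the expanded, regex-based range).
COMMUNITY_LISTS = {"100": {"199:100"}}
# Route-map entries in sequence order: (action, prefix-list, community-list).
ROUTE_MAPS = {
    "EXABGP": [("permit", "TEST_PREFIX_147_24", "100"),
               ("permit", "CUST_SEL_BLACKHOLE_32", "100")],
    "bgp-to-fib": [("deny", None, "100")],
    # Hypothetical variant: same deny, plus an explicit permit for everything else.
    "bgp-to-fib-permit-rest": [("deny", None, "100"), ("permit", None, None)],
}
INBOUND = {"10.0.0.2": "EXABGP"}  # 192.168.0.2 (TRANSIT) has no inbound route-map


def prefix_list_permits(name, prefix):
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(base)) and ge <= net.prefixlen <= le
               for base, ge, le in PREFIX_LISTS[name])


def route_map_permits(name, prefix, communities):
    for action, plist, clist in ROUTE_MAPS[name]:
        if plist and not prefix_list_permits(plist, prefix):
            continue
        if clist and not COMMUNITY_LISTS[clist] <= set(communities):
            continue
        return action == "permit"  # first matching entry decides
    return False  # implicit deny at the end of every route-map


def evaluate(neighbor, prefix, communities, table_map="bgp-to-fib"):
    """Return where a received route ends up: BGP table and/or FIB."""
    rmap = INBOUND.get(neighbor)
    in_bgp = rmap is None or route_map_permits(rmap, prefix, communities)
    in_fib = in_bgp and route_map_permits(table_map, prefix, communities)
    return {"bgp_table": in_bgp, "fib": in_fib}


if __name__ == "__main__":
    # Constructed sample routes: tagged /32 from ExaBGP, then a transit route.
    print(evaluate("10.0.0.2", "10.41.147.10/32", ["199:100"]))
    print(evaluate("192.168.0.2", "203.0.113.0/24", ["55:1"]))
    print(evaluate("192.168.0.2", "203.0.113.0/24", ["55:1"], "bgp-to-fib-permit-rest"))
```

In this model the tagged /32 stays in the BGP table but out of the FIB under either table-map, while an untagged transit route is downloaded only when the table-map ends with a permit entry.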
