BGP routes

Unanswered Question
Oct 24th, 2008
Guys,


My ISP peer says they're sending me 77k routes, but I'm only seeing ~1400 routes when doing a 'sho ip bgp sum'. I have a prefix-list and a route-map applied inbound. The prefix list is:


ip as-path access-list 1 permit ^$


and the route-list is as follows:


ip prefix-list DENY_BAD_ROUTES seq 10 deny 0.0.0.0/8 le 32
ip prefix-list DENY_BAD_ROUTES seq 20 deny 10.0.0.0/8 le 32
ip prefix-list DENY_BAD_ROUTES seq 30 deny 127.0.0.0/8 le 32
ip prefix-list DENY_BAD_ROUTES seq 40 deny 172.16.0.0/12 le 32
ip prefix-list DENY_BAD_ROUTES seq 50 deny 192.0.2.0/24 le 32
ip prefix-list DENY_BAD_ROUTES seq 60 deny 192.168.0.0/16 le 32
ip prefix-list DENY_BAD_ROUTES seq 70 deny 224.0.0.0/3 le 32
ip prefix-list DENY_BAD_ROUTES seq 1000 deny 216.x.x.0/24 le 32


I've done soft and hard resets to try and get things correct on my side with no luck. Any suggestions on what could be the issue?


Thanks in advance.


/rls

mheusing Fri, 10/24/2008 - 08:44
User Badges:
  • Cisco Employee,

Hi,


Actually, I do not understand why you get any route. There is no "permit" in your prefix-list, and thus I would assume you are either blocking everything or nothing (if not properly applying your filters).

Can you provide the BGP config (sanitized) as well?



Regards,

Martin


rsamuel708 Fri, 10/24/2008 - 10:04
Sorry...I actually didn't paste in the last line of the prefix-list as shown below:


ip prefix-list DENY_BAD_ROUTES seq 9999 permit 0.0.0.0/0 le 27


Would the entire config still be helpful? If so, I can paste it for you shortly.


/rls

Giuseppe Larosa Fri, 10/24/2008 - 11:01
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Robert,

the ip as-path access-list would permit only iBGP paths, because it allows only an empty AS path field.

So this is not possible by definition in an eBGP session with your provider.

If you have an AS path access-list that allows only your ISP ASN, like

^ASN$

then you accept only the routes originated in the ISP AS, and this could explain why you see 1400 routes instead of 77 thousand.


So it would be better if you can post the config of the eBGP session; just remove public IP addresses.


I think you are using as-path 1 outbound to avoid advertising routes from the other ISP.



Hope to help

Giuseppe



rsamuel708 Fri, 10/24/2008 - 11:35
Giuseppe, my purpose with as-path access-list 5 applied inbound was to only allow AS7018 local routes. As-path access-list 1 applied outbound was to prevent any transit traffic from my other provider via the ibgp connection. I have the exact same setup on the other router connected to the other provider.


So does allowing ^7018, which allows only prefixes that originate in AS7018, differ from accepting local routes only from AS7018?


My config is below:




router bgp 4***7
no synchronization
bgp log-neighbor-changes
network 165.**.**.0 mask 255.255.255.0
network 216.**.**.0
neighbor 12.**.**.169 remote-as 7018
neighbor 12.**.**.169 description AT&T connection - AS7018
neighbor 12.**.**.169 password OH2AtTBgP
neighbor 12.**.**.169 version 4
neighbor 12.**.**.169 soft-reconfiguration inbound
neighbor 12.**.**.169 route-map DENY_BAD_ROUTES in
neighbor 12.**.**.169 maximum-prefix 50000
neighbor 12.**.**.169 filter-list 5 in
neighbor 12.**.**.169 filter-list 1 out
neighbor 172.31.204.253 remote-as 4***7
neighbor 172.31.204.253 description iBGP to internet router - AS4***7
neighbor 172.31.204.253 update-source Loopback0
neighbor 172.31.204.253 version 4
neighbor 172.31.204.253 soft-reconfiguration inbound
no auto-summary
!
ip route 66.**.**.32 255.255.255.252 172.31.204.253
ip route 172.31.204.253 255.255.255.255 FastEthernet1/0
!
ip as-path access-list 1 permit ^$
ip as-path access-list 5 permit ^7018$
!
no ip http server
no ip http secure-server
!
!
ip prefix-list DENY_BAD_ROUTES seq 10 deny 0.0.0.0/8 le 32
ip prefix-list DENY_BAD_ROUTES seq 20 deny 10.0.0.0/8 le 32
ip prefix-list DENY_BAD_ROUTES seq 30 deny 127.0.0.0/8 le 32
ip prefix-list DENY_BAD_ROUTES seq 40 deny 172.16.0.0/12 le 32
ip prefix-list DENY_BAD_ROUTES seq 50 deny 192.0.2.0/24 le 32
ip prefix-list DENY_BAD_ROUTES seq 60 deny 192.168.0.0/16 le 32
ip prefix-list DENY_BAD_ROUTES seq 70 deny 224.0.0.0/3 le 32
ip prefix-list DENY_BAD_ROUTES seq 1000 deny 216.**.**.0/24 le 32
ip prefix-list DENY_BAD_ROUTES seq 9999 permit 0.0.0.0/0 le 27
!
route-map DENY_BAD_ROUTES permit 10
match ip address prefix-list DENY_BAD_ROUTES
!
!



Giuseppe Larosa Fri, 10/24/2008 - 12:41
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Robert,

the AS path access-list 5 allows AS 7018 local routes only.

Then there is also the filtering action of the prefix list.

If AS7018 is sending you 77,000 routes, these are probably routes from other customers;

the AS path will be

7018 x

or

7018 x y


All of these are denied.


permit ^7018

and

permit ^7018$


do different things


In addition AS 7018 is a big provider but they cannot have 77,000 local routes that are le 27.

They can have 77,000 routes or more with detailed customer routes with no aggregation.

So the combination of the two filters may produce the results you see.


However, you have configured soft reconfiguration inbound, so you should be able to check the routes received from the neighbor with one of the variations of the sh ip bgp neigh command


(original updates from the neighbor are stored to be able to apply a change in filters without resetting the BGP connection).


So you can go on with your investigation.


Hope to help

Giuseppe
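The two points Giuseppe makes in this thread, that `^$`, `^7018$` and `^7018` match different things, and that the AS-path filter-list and the `le 27` prefix-list combine to drop most of what the provider sends, can be checked offline. The following Python model is an added example, not configuration or code from the thread; it assumes IOS semantics for prefix-lists (entries evaluated in seq order, first match wins, implicit deny at the end, `ge`/`le` bounding the prefix length) and for AS-path regexes (where `_` matches any delimiter). The sample routes, the private ASNs 65001-65003 and the placeholder prefix 203.0.113.0/24 standing in for the masked 216.x.x.0/24 are all constructed; the routes run through the real `DENY_BAD_ROUTES` list and `filter-list 5` from the post above, and then through a relaxed `^7018_` list for comparison.

```python
"""Offline model of the inbound BGP filters in this thread (added example, not from the
thread). Assumes IOS prefix-list semantics (seq order, first match wins, implicit deny,
ge/le bound the prefix length) and IOS AS-path regex semantics ('_' is any delimiter)."""
import ipaddress
import re

# Prefix-list lines from the thread. The masked 216.x.x.0/24 line is replaced by the
# documentation prefix 203.0.113.0/24 as a placeholder for "our own /24".
PREFIX_LIST_TEXT = """
ip prefix-list DENY_BAD_ROUTES seq 10 deny 0.0.0.0/8 le 32
ip prefix-list DENY_BAD_ROUTES seq 20 deny 10.0.0.0/8 le 32
ip prefix-list DENY_BAD_ROUTES seq 30 deny 127.0.0.0/8 le 32
ip prefix-list DENY_BAD_ROUTES seq 40 deny 172.16.0.0/12 le 32
ip prefix-list DENY_BAD_ROUTES seq 50 deny 192.0.2.0/24 le 32
ip prefix-list DENY_BAD_ROUTES seq 60 deny 192.168.0.0/16 le 32
ip prefix-list DENY_BAD_ROUTES seq 70 deny 224.0.0.0/3 le 32
ip prefix-list DENY_BAD_ROUTES seq 1000 deny 203.0.113.0/24 le 32
ip prefix-list DENY_BAD_ROUTES seq 9999 permit 0.0.0.0/0 le 27
"""

PL_LINE = re.compile(
    r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

def parse_prefix_lists(text):
    """Parse 'ip prefix-list' lines into {name: [(seq, action, network, ge, le), ...]}."""
    lists = {}
    for line in text.strip().splitlines():
        m = PL_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        name, seq, action, prefix, ge, le = m.groups()
        entry = (int(seq), action, ipaddress.ip_network(prefix),
                 int(ge) if ge else None, int(le) if le else None)
        lists.setdefault(name, []).append(entry)
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])   # IOS evaluates entries in sequence order
    return lists

def prefix_list_action(entries, prefix):
    """First matching entry decides; no match means the implicit deny (seq None)."""
    net = ipaddress.ip_network(prefix)
    for seq, action, base, ge, le in entries:
        lo = ge if ge is not None else base.prefixlen
        if le is not None:
            hi = le
        else:
            hi = base.max_prefixlen if ge is not None else base.prefixlen
        if lo <= net.prefixlen <= hi and net.subnet_of(base):
            return action, seq
    return "deny", None

def ios_aspath_regex(pattern):
    """IOS treats '_' as 'any delimiter': start/end of path, space, comma, braces, parens."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

def as_path_list_permits(patterns, as_path):
    """Evaluate an as-path access-list: first matching regex decides, implicit deny."""
    text = " ".join(str(asn) for asn in as_path)   # IOS matches the printed AS_PATH
    for action, pattern in patterns:
        if ios_aspath_regex(pattern).search(text):
            return action == "permit"
    return False

FILTER_LIST_5 = [("permit", "^7018$")]   # from the thread: only routes originated by AS7018
FILTER_LIST_1 = [("permit", "^$")]       # from the thread: only locally originated routes
RELAXED_LIST = [("permit", "^7018_")]    # constructed: anything learned via AS7018

def inbound_decision(route, filter_list, prefix_list):
    """Mimic 'filter-list N in' followed by 'route-map DENY_BAD_ROUTES in'. A route-map whose
    only clause is 'permit 10 / match ip address prefix-list' drops whatever the list does
    not permit, so a prefix-list deny and the implicit deny both end in a dropped route."""
    if not as_path_list_permits(filter_list, route["as_path"]):
        return "deny (filter-list)"
    action, seq = prefix_list_action(prefix_list, route["prefix"])
    if action == "permit":
        return "accept"
    return f"deny (prefix-list seq {seq})" if seq is not None else "deny (prefix-list implicit deny)"

def evaluate(routes, filter_list, prefix_list):
    """Return {prefix: verdict} for every route in the constructed sample."""
    return {r["prefix"]: inbound_decision(r, filter_list, prefix_list) for r in routes}

PREFIX_LISTS = parse_prefix_lists(PREFIX_LIST_TEXT)

# Constructed sample of what a transit provider might send (documentation prefixes, private ASNs).
SAMPLE_ROUTES = [
    {"prefix": "198.51.100.0/24", "as_path": [7018]},                 # provider-local aggregate
    {"prefix": "198.51.100.0/28", "as_path": [7018]},                 # provider-local, longer than /27
    {"prefix": "198.51.101.0/24", "as_path": [7018, 65001]},          # a provider customer's route
    {"prefix": "198.51.102.0/24", "as_path": [7018, 65001, 65002]},   # two hops behind the provider
    {"prefix": "10.1.0.0/16", "as_path": [7018]},                     # RFC 1918 leak
    {"prefix": "203.0.113.0/24", "as_path": [7018, 65003]},           # our own prefix reflected back
]

if __name__ == "__main__":
    for name, fl in (("filter-list 5 (^7018$)", FILTER_LIST_5), ("relaxed (^7018_)", RELAXED_LIST)):
        print(f"--- {name} ---")
        for prefix, verdict in evaluate(SAMPLE_ROUTES, fl, PREFIX_LISTS["DENY_BAD_ROUTES"]).items():
            print(f"{prefix:18} {verdict}")
```

With `filter-list 5` only the provider-local /24 survives: the customer routes never reach the prefix-list because `^7018$` rejects any path longer than one ASN, and the provider-local /28 is dropped by the implicit deny because nothing permits a length beyond `le 27`. Swapping in `^7018_` lets the customer routes through, and then the prefix-list does its intended job, catching the RFC 1918 leak at seq 20 and the reflected own-prefix at seq 1000. The same distinction, `^$` matching only an empty path, is what makes `as-path access-list 1` suitable as an outbound filter but useless inbound on an eBGP session.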


rsamuel708 Fri, 10/24/2008 - 13:00
Thank you for the information, Giuseppe. In your opinion, knowing my intent, what type of filtering would allow me to fully see the routes my provider is sending me? I'm seeing the same behavior on both sides, and although it is not causing me issues per se, I'd like to see how traffic normally flows when the correct routes are seen by my eBGP sessions.


Thanks again.
