bgp guru

Answered Question
Aug 13th, 2009

I am trying to impact the incoming traffic on a particular subnet. I have two connections to the same ISP, same AS, at different locations, and another connection to a separate ISP. I use a filter list to control the advertised routes and all is well, but there is one subnet that comes in location A, ISP A, and I want it to come in location B, ISP A. So I added a route map at location A for the specific subnet and set the metric so I should theoretically come in location B, but instead I lost all connectivity for all subnets. If I use a route-map out, does that override a filter list? As ever, thx


Overall Rating: 5 (2 ratings)
Paolo Bevilacqua Thu, 08/13/2009 - 11:12

That is a bit difficult to put in words, but let me try.

BGP simply applies user configuration in a fixed order, that honestly I don't recall now, but can easily be found.

There is no overriding per se, like it won't do a certain thing if you did another, and everything simply depends on the details of your lists, ACLs, etc.

Peter Paluch Thu, 08/13/2009 - 12:04

Hello,

Regarding the order of different policy mechanisms, the "BGP Frequently Asked Questions" article at

http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml#one

says:

The order of preference varies based on whether the attributes are applied for inbound updates or outbound updates.

For inbound updates the order of preference is:

1. route-map

2. filter-list

3. prefix-list, distribute-list

For outbound updates the order of preference is:

1. prefix-list, distribute-list

2. filter-list

3. route-map

Note: The attributes prefix-list and distribute-list are mutually exclusive, and only one command (neighbor prefix-list or neighbor distribute-list) can be applied to each inbound or outbound direction for a particular neighbor.

Best regards,

Peter

Paolo Bevilacqua Thu, 08/13/2009 - 12:16

Ah, so there are some exclusive commands, I didn't remember that.

Thanks for adding the list here, I knew you guys know.

whanson Fri, 08/14/2009 - 11:49

Okay, this is a snippet of what I have. As soon as I add the route-map parker to site A I can no longer access anything. A traceroute shows that the route ends in the ISP.

Correct Answer
Peter Paluch Fri, 08/14/2009 - 11:56

Hi,

It seems that your route-map parker-subnet-att on the site A is missing the "permit any" block at its end. Currently, it reads as follows:

route-map parker-subnet-att permit 10
 match ip address 30
 set metric 100

The ACL 30 permits a single network 3.3.3.0/24. All other networks are not matched by the ACL 30, therefore, the only block of your route map does not apply to them. The next implicit invisible block of the route-map works like "deny any" and prevents all other routes from being advertised.

I believe that your route-map should correctly read as follows:

route-map parker-subnet-att permit 10
 match ip address 30
 set metric 100
route-map parker-subnet-att permit 20
 ! Nothing written here, just exit

Best regards,

Peter

whanson Fri, 08/14/2009 - 12:37

So you are saying that the route-map overrides the prefix-list.

Peter Paluch Fri, 08/14/2009 - 13:06

Hello,

I would not exactly say that it "overrides" the prefix list. It simply comes after the prefix list - see the sequence of steps described earlier. Even if the prefix-list permits a network, that network will have to go through the route-map. If the route-map drops it, then it will not be advertised. Of course, if a prefix-list drops a network, it will not even reach the route-map so it also won't be advertised.

Best regards,

Peter

whanson Fri, 08/14/2009 - 17:42

Yes you are. You are saying that even though I have a filter list that says what networks to advertise, that is fine, but since I have a route map that only includes one network, that is the end all.

So in essence the filter list was overridden by the route-map.

Peter Paluch Fri, 08/14/2009 - 21:32

Hello,

In your particular case, yes, the route-map seems to override the prefix list.

But consider the other possibility: a prefix list denies a network and the route-map subsequently permits it. Will the route-map in this case override the prefix list? No, it will not. The prefix list dropped the network before it even reached the route-map.

In the outbound direction, a route-map can "override" a prefix list in the sense that if a network was permitted by the prefix list, it may be subsequently dropped by the route-map. However, the converse is not true. A route-map cannot make a network be advertised after it was first dropped by the prefix list. Therefore, it would be incorrect to state in a general sense that the route-map always overrides the prefix list.

Best regards,

Peter
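The outbound behaviour discussed in this thread (the route-map's implicit deny, and the route-map running after the prefix list) can be modelled in a few lines. This is an added example, not code from the thread or from Cisco: every prefix except 3.3.3.0/24, the function names and the exact-match simplification are assumptions, and the filter-list step is left out.

```python
from ipaddress import ip_network

# Constructed sample data: only 3.3.3.0/24 (ACL 30) comes from the thread.
ACL_30 = [ip_network("3.3.3.0/24")]
BGP_TABLE = [ip_network(p) for p in
             ("3.3.3.0/24", "198.51.100.0/24", "203.0.113.0/24")]

def run_route_map(clauses, prefix):
    """Evaluate clauses in order; each is (action, match_list_or_None, metric).
    Returns (permitted, metric); metric None means 'left unchanged'."""
    for action, match, metric in clauses:
        if match is None or prefix in match:   # a clause with no match hits everything
            permitted = action == "permit"
            return permitted, (metric if permitted else None)
    return False, None                         # implicit deny after the last clause

def advertise(table, prefix_list, route_map):
    """Outbound order from the quoted FAQ: prefix-list first, route-map last.
    prefix_list is the set of permitted prefixes, or None if none is applied."""
    sent = {}
    for prefix in table:
        if prefix_list is not None and prefix not in prefix_list:
            continue                           # dropped before the route-map sees it
        permitted, metric = run_route_map(route_map, prefix)
        if permitted:
            sent[str(prefix)] = metric
    return sent

# Route-map as first posted: one clause, so everything else hits the implicit deny.
BROKEN = [("permit", ACL_30, 100)]
# Route-map with the empty "permit 20" clause added.
FIXED = [("permit", ACL_30, 100), ("permit", None, None)]

if __name__ == "__main__":
    print("broken:", advertise(BGP_TABLE, None, BROKEN))
    print("fixed: ", advertise(BGP_TABLE, None, FIXED))
    # A prefix list that omits 3.3.3.0/24: the route-map cannot bring it back.
    pl = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
    print("with prefix list:", advertise(BGP_TABLE, pl, FIXED))
```
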

Paolo Bevilacqua Sat, 08/15/2009 - 15:32

Seems to me you are trying to twist the correct explanations received to match the answer you're expecting.

Nothing overrides anything, you begin with all the prefixes in the BGP table and these are reduced in steps by the filters applied.

While you're there, why not rate the useful answer using the scrollbox below?

Correct Answer
Giuseppe Larosa Sat, 08/15/2009 - 22:37

Hello Bill,

Peter has found the problem: the way you terminate the route-map.

As Paolo has noted, there is no use here in thinking of filter types order: the end result is that you are only permitting the subnet with the modified IP subnet, the one permitted by ACL 30.

When dealing with BGP route maps (or for redistribution) it is important to take care of how the route map has to be terminated:

If a filtering action is desired, no empty final clause is needed; if the route-map is used only for modifying some attributes on some prefixes, then an empty final clause may be needed, or an additional clause with the appropriate match.

By the way, it is possible to include the match on AS paths in the route map so that you have a single filter applied outbound to a neighbor:

route-map parker-subnet-att permit 10
 match ip address 30
 match as-path 1
 set metric 100
route-map parker-subnet-att permit 20
 match as-path 1
 match ip address prefix-list adv-55555

In this case an empty final clause is not needed, but the second block takes care of the prefixes you want to advertise.

I usually write the filters in this different way to make it clearer how the filters work.

Hope to help

Giuseppe

whanson Tue, 08/18/2009 - 02:48

Thanks all for all the help, I got it. Sorry I appeared so dense to some.

whanson Thu, 08/20/2009 - 00:08

Peter,

Last question for now. I see from the order of route selection that metric and local pref really are only for the same AS, so if I have two networks I am advertising and I want return traffic to favor ISP A over ISP B, it sounds like expanding the as-path is the only way.

Peter Paluch Thu, 08/20/2009 - 01:08

Hello Bill,

Yes, you are right. In certain cases, if you have multiple connections to a single provider, you could influence his routing using the MED attribute; however, in the general case, if you have more distinct ISPs, AS-PATH prepending is usually the only choice simple enough.

Best regards,

Peter
