BGP route filtering with a route-map

Unanswered Question
Feb 24th, 2010

Hi,

Please see the following configuration in regard to BGP:

ip access-list standard pune
 deny 10.1.1.0 0.0.0.0    ( exact match for 10.1.1.0/24 )
 permit any

route-map back permit 10
 match ip address pune

router bgp 100
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 route-map back out    ( aggregate route stopped to neighbor 192.168.1.1 )
 aggregate-address 10.1.1.0 255.255.255.0    ( aggregate route to all neighbors )
 network 10.10.2.0 mask 255.255.255.0    ( local network )

Advertised networks to 192.168.1.1 are:

Router#sh ip bgp nei 192.168.1.1 ad
BGP table version is 67, local router ID is 10.10.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.2.0/24     0.0.0.0                  0         32768 i

Total number of prefixes 1

This is expected: 10.1.1.0/24 is blocked.

But now if I add a second statement to route-map back as follows:

route-map back permit 20

When this line is added it starts advertising even the blocked network ( 10.1.1.0/24, as seen in the following output ):

Router#sh ip bgp nei 192.168.1.1 ad
BGP table version is 81, local router ID is 10.10.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      0.0.0.0                       100  32768 i ----------------------------> ( why is this subnet advertised even though it was blocked in the first line? )
*> 10.10.2.0/24     0.0.0.0                  0         32768 i

Total number of prefixes 2

Is adding the second line to the route-map negating the block action in the first line? Is it because the same subnet, 10.1.1.0/24, is aggregated here in this case?

Please share your experience.

Thanks

Subodh

Giuseppe Larosa Wed, 02/24/2010 - 12:06

Hello Subodh,

It is probably the logic of the route-map that allows for this.

If you would use a different route-map like:

access-list 11 permit 10.10.1.0 0.0.0.255

route-map block10 deny 10
 match ip address 11

route-map block10 permit 20

In your route-map the 10.10.1.0/24 prefix is denied in an ACL that is then used on a permit route-map statement.

So net 10.10.1.0 is not removed from the list of possible prefixes to be advertised, and it is then permitted by the second route-map block.

Using a deny route-map block should allow you to put the prefix 10.10.1.0/24 in a sort of waste bin and not leave it available to be permitted by a later route-map block.

Hope to help

Giuseppe
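To make the evaluation order described in this answer concrete, the following is an added Python model of route-map and standard-ACL processing; it is example code written for this page, not code from the thread or from Cisco. It encodes the IOS rules as documented: clauses are tried in sequence order, a clause matches when all its match conditions are met (a clause with no match statement matches everything), the first matching clause decides permit or deny, and a prefix matching no clause is dropped by the implicit deny at the end. It replays the question's route-map `back` before and after the `permit 20` clause, and the corrected `block10` route-map from this answer, with the assumption that ACL 11 targets the question's prefix 10.1.1.0/24 rather than 10.10.1.0/24. The ACL entries, route-map clauses and BGP prefixes are constructed inputs mirroring the thread.

```python
"""Model of Cisco IOS route-map evaluation with standard ACLs (added example).

A standard ACL referenced by 'match ip address' is tested against the prefix's
network address only, so 'deny 10.1.1.0 0.0.0.0' matches 10.1.1.0/24 and also
10.1.1.0/25; a prefix-list would be needed for length-exact matching.
"""
from ipaddress import ip_address, ip_network


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & care) == (int(ip_address(base)) & care)


def acl_permits(acl, prefix: str) -> bool:
    """Standard ACL: list of (action, base, wildcard); first match wins,
    implicit deny at the end."""
    net_addr = str(ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        if wildcard_match(net_addr, base, wildcard):
            return action == "permit"
    return False


def route_map_permits(route_map, acls, prefix: str):
    """Return (permitted, matching_seq). Clauses are (seq, action, acl_name);
    acl_name None means the clause has no match statement and matches all."""
    for seq, action, acl_name in sorted(route_map, key=lambda c: c[0]):
        matched = acl_name is None or acl_permits(acls[acl_name], prefix)
        if matched:
            return action == "permit", seq
    return False, None  # implicit deny: no clause matched


def advertised(route_map, acls, prefixes):
    """Prefixes that would pass an outbound 'neighbor ... route-map ... out'."""
    return [p for p in prefixes if route_map_permits(route_map, acls, p)[0]]


# --- Constructed inputs mirroring the thread --------------------------------
ACLS = {
    # ip access-list standard pune: deny 10.1.1.0 0.0.0.0 / permit any
    "pune": [("deny", "10.1.1.0", "0.0.0.0"),
             ("permit", "0.0.0.0", "255.255.255.255")],
    # access-list 11 from the answer, pointed at the question's prefix (assumption)
    "11": [("permit", "10.1.1.0", "0.0.0.255")],
}

# route-map back permit 10 / match ip address pune
BACK_V1 = [(10, "permit", "pune")]
# same, plus 'route-map back permit 20' with no match statement
BACK_V2 = BACK_V1 + [(20, "permit", None)]
# route-map block10 deny 10 (match ip address 11) / route-map block10 permit 20
BLOCK10 = [(10, "deny", "11"), (20, "permit", None)]

# Local BGP table: the aggregate plus the local network
PREFIXES = ["10.1.1.0/24", "10.10.2.0/24"]

if __name__ == "__main__":
    for name, rm in (("back v1", BACK_V1), ("back v2", BACK_V2), ("block10", BLOCK10)):
        print(f"{name:8s} advertises {advertised(rm, ACLS, PREFIXES)}")
```

Run as written, it shows `back v1` advertising only 10.10.2.0/24, `back v2` leaking 10.1.1.0/24 through clause 20, and `block10` suppressing 10.1.1.0/24 at clause 10 while still passing 10.10.2.0/24. The design point for anyone auditing outbound filters: a deny inside an ACL under a permit clause only makes that clause not match, so the filter fails open as soon as a broader clause is appended, whereas an explicit deny clause is a terminal decision that later clauses cannot undo.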
