BGP route-map Question

Marvin Rhoads
Hall of Fame

I am having a problem with a BGP connection in that my local policy appears to be denying almost all prefixes per the following excerpt from "sh ip bgp neighbor":

                                   Outbound    Inbound

  Local Policy Denied Prefixes:    --------    -------

    route-map:                            0     324903

    filter-list:                   33341167          0

    AS_PATH loop:                       n/a         24

    Total:                         33341167     324927

  Number of NLRIs in the update sent: max 1, min 1

My BGP and route-map configuration is pretty basic, excerpted below. It is the neighbor at remote-as 3356 that should be populating my routing table. The other neighbor is an iBGP peer connected to my other upstream provider.

router bgp 26353
no synchronization
bgp log-neighbor-changes
network 64.94.72.0 mask 255.255.252.0
neighbor 4.79.169.9 remote-as 3356
neighbor 4.79.169.9 description Level3
neighbor 4.79.169.9 version 4
neighbor 4.79.169.9 send-community
neighbor 4.79.169.9 soft-reconfiguration inbound
neighbor 4.79.169.9 route-map BGW01-IN in
neighbor 4.79.169.9 route-map BGW01-OUT out
neighbor 4.79.169.9 filter-list 21 out
neighbor 64.94.72.2 remote-as 26353
neighbor 64.94.72.2 update-source Loopback0
neighbor 64.94.72.2 version 4
neighbor 64.94.72.2 soft-reconfiguration inbound
no auto-summary



route-map BGW01-OUT permit 10
match as-path 21
set community 3356:300
!
route-map BGW01-IN permit 10
match as-path 23
set local-preference 300


ip bgp-community new-format
ip as-path access-list 21 permit ^$
ip as-path access-list 22 permit .*
ip as-path access-list 23 permit _3356$

Am I missing something basic here?

10 Replies

kathpric
Cisco Employee

What routes are you trying to learn from this neighbor?  Your as-path ACL is matching any prefixes originating from AS 3356.  Can you show us some of the output from "show ip bgp neighbor 4.79.169.9 received-routes" ?

Good document with AS-path filtering examples:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#sec3

-Kathy

I am getting thousands of routes - the output scrolls for page after page, ending with:


Total number of prefixes 320938

It's more the "local policy denied" entry for inbound prefixes that I am asking about. I don't understand that.


                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    route-map:                            0     333990

Since I appear to be getting the routes despite that entry, is it an issue?


                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    route-map:                            0     333990

This output would mean you are denying that number of routes from being learned because of the route-map configuration:

neighbor 4.79.169.9 route-map BGW01-IN in

Are you actually learning all of these routes and putting them in the routing table?  The command I mentioned, "show ip bgp neighbor 4.79.169.9 received-routes" shows you a list of every prefix sent by this neighbor.  It doesn't show you the prefixes that this router is actually learning.  "show ip bgp" will show you routes that you're actually learning.  Does it show you these routes are learned from this neighbor?  What routes do you want to learn from this neighbor?

I want to learn "all" routes (a full table). This is a secondary connection with the primary out a similar path from my iBGP neighbor.

sh ip bgp gives me a long listing beginning with

dc4-bgw-01#  sh ip bgp
BGP table version is 542331800, local router ID is 64.94.72.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i1.9.0.0/16       66.151.100.85            0    350      0 10913 3561 4788 i
*                   4.79.169.9              41    300      0 3356 1273 4788 i
*>i1.11.128.0/17    66.151.100.85            0    350      0 10913 22212 9318 38091 17839 i
*                   4.79.169.9               0    300      0 3356 2828 9318 38091 17839 i
*>i1.12.0.0/24      66.151.100.85            0    350      0 10913 1239 4837 4808 17431 18245 i
*                   4.79.169.9               0    300      0 3356 1239 4837 4808 17431 18245 i

and ending with

*  223.223.216.0    4.79.169.9               0    300      0 3356 3257 10026 24549 24549 24549 24549 i
*>i                 66.151.100.85            0    350      0 10913 22212 10026 24549 24549 24549 24549 i
*  223.240.0.0/13   4.79.169.9               0    300      0 3356 1239 4134 i
*>i                 66.151.100.85            0    350      0 10913 174 4134 i
*  223.255.192.0/19 4.79.169.9             753    300      0 3356 15412 9848 9848 9848 9848 9848 9848 9848 9848 9848 9848 9848 9848 9963 i
*>i                 66.151.100.85            0    350      0 10913 174 10026 9848 9963 i
dc4-bgw-01#

That's strange that you're learning these routes even though they aren't originated from AS 3356.  Did you apply this route-map after the neighbor was up?  If so, did you do a soft clear on this neighbor?  Whenever making changes to the route map for a BGP neighbor, be sure to issue a "clear ip bgp neighbor x.x.x.x soft" for it to take effect.  Was this the whole route-map:

route-map BGW01-IN permit 10
match as-path 23
set local-preference 300

Could you show the output from "show route-map BGW01-IN" and "show ip as-path-access-list" and try the soft clear?

Also if you want to learn all routes from this neighbor, why are you matching the as-path?  Do you want to set the local pref to 300 for all routes from this neighbor or only for certain routes?  If you want to set it for all routes, you don't need to do "match as-path" at all.

-Kathy

With respect to some of the "why" questions, I inherited this config and am just trying to understand why it is working the way it is. My experience with this environment is that there are several configuration aspects that are, strictly speaking, unnecessary but used here as part of a more or less uniform approach to how the previous team had set up peers in many environments. I believe they wanted local pref to be 300 for all routes on this link. (The other router at the site has local pref 350 so all my traffic flows that over route normally.) Personally I'd like to get them set up in more of a load sharing mode so that the traffic flows over both links according to the best path as determined by BGP.

I modified the route-map after BGP had been established in an effort to troubleshoot this problem. I had not used the "clear ip bgp ..." command but have now. Here is the output you asked about:


dc4-bgw-01# clear ip bgp 4.79.169.9 soft
dc4-bgw-01#show route-map BGW01-IN
route-map BGW01-IN, permit, sequence 10
  Match clauses:
    as-path (as-path filter): 23
  Set clauses:
    local-preference 300
  Policy routing matches: 0 packets, 0 bytes
dc4-bgw-01#show ip as-path-access-list
AS path access list 21
     permit ^$
AS path access list 22
     permit .*
AS path access list 23
     permit _3356$
dc4-bgw-01#

Following the clear, I still see the local policy denied prefixes with a high count. Here is the complete "show ip bgp nei 4.79.169.9" output:

dc4-bgw-01#sh ip bgp nei 4.79.169.9
BGP neighbor is 4.79.169.9,  remote AS 3356, external link
Description: Level3
  BGP version 4, remote router ID 4.68.1.237
  BGP state = Established, up for 6w0d
  Last read 00:00:06, last write 00:00:17, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:
    1 active, is not multisession capable
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                3    3372595
    Keepalives:         55236      61261
    Route Refresh:          0          0
    Total:              55240    3433857
  Default minimum time between advertisement runs is 30 seconds

For address family: IPv4 Unicast
  Session: 4.79.169.9
  BGP table version 542388466, neighbor version 542388466/0
  Output queue size : 0
  Index 2, Offset 0, Mask 0x4
  2 update-group member
  Inbound soft reconfiguration allowed
  Community attribute sent to this neighbor
  Inbound path policy configured
  Outbound path policy configured
  Outgoing update AS path filter list is 21
  Route map for incoming advertisements is BGW01-IN
  Route map for outgoing advertisements is BGW01-OUT
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               1       1155 (Consumes 16762980 bytes)
    Prefixes Total:                 3   10870456
    Implicit Withdraw:              2    9867557
    Explicit Withdraw:              0     724062
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0
    Saved (soft-reconfig):        n/a     321210 (Consumes 16702920 bytes)

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    route-map:                            0     992102
    filter-list:                   34731876          0
    AS_PATH loop:                       n/a         24
    Total:                         34731876     992126
  Number of NLRIs in the update sent: max 1, min 1
         
  Address tracking is enabled, the RIB does have a route to 4.79.169.9
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Mininum incoming TTL 0, Outgoing TTL 1
Local host: 4.79.169.10, Local port: 179
Foreign host: 4.79.169.9, Foreign port: 21944

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0xF971FE4F4):
Timer          Starts    Wakeups            Next
Retrans         57381       2141             0x0
TimeWait            0          0             0x0
AckHold        277139     131752             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0

iss: 3335798635  snduna: 3336848347  sndnxt: 3336848347     sndwnd:  15658
irs: 2926055904  rcvnxt: 3274360305  rcvwnd:      16384  delrcvwnd:      0

SRTT: 301 ms, RTTO: 308 ms, RTV: 7 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 724 ms, ACK hold: 200 ms
Flags: passive open, retransmission timeout, nagle, path mtu capable
  gen tcbs

Datagrams (max data segment is 1460 bytes):
Rcvd: 476555 (out of order: 0), with data: 421516, total data bytes: 348304400
Sent: 384265 (retransmit: 2141), with data: 55240, total data bytes: 1049711
dc4-bgw-01#

Hello,

>> ip as-path access-list 23 permit _3356$

>> Am I missing something basic here?

All BGP AS paths coming from AS 3356 have AS 3356 in the leftmost position and can be matched with

ip as-path access-list 24 permit ^3356

meaning all AS paths beginning with AS 3356.

Your current AS path access-list looks for AS paths where 3356 is inside the AS path, not in first position,

so you could match only routes where AS 3356 appears more than one time (prepended).

Edit:

If Level3 is an upstream provider providing a full table, you should simply deny private IP addresses as a security measure, and the bogus networks, and accept all others. You may think of using a control on the number of prefixes you receive, with the warning option.

Hope to help

Giuseppe

Thank you for your input, Giuseppe. I have modified my as-path filter according to your suggestion. That did not seem to help the issue I am seeing. So I took the additional step of changing the reference in my incoming route-map to point instead to as-path 22, which is a "permit .*" regexp and should thus allow all prefixes. I still see inbound routes denied by the route map according to the "sh ip bgp nei 4.79.169.9" output.

Here is the current setup:

dc4-bgw-01# clear ip bgp 4.79.169.9 soft

dc4-bgw-01#sh route-map                
route-map BGW01-OUT, permit, sequence 10
  Match clauses:
    as-path (as-path filter): 21
  Set clauses:
    community 3356:300

  Policy routing matches: 0 packets, 0 bytes
route-map BGW02-OUT, permit, sequence 10
  Match clauses:
    as-path (as-path filter): 21
  Set clauses:
    community 10913:300
  Policy routing matches: 0 packets, 0 bytes
route-map BGW01-IN, permit, sequence 10
  Match clauses:
    as-path (as-path filter): 22
  Set clauses:
    local-preference 300
  Policy routing matches: 0 packets, 0 bytes

route-map BGW02-IN, permit, sequence 10
  Match clauses:
    as-path (as-path filter): 22
  Set clauses:
    local-preference 350
  Policy routing matches: 0 packets, 0 bytes
dc4-bgw-01#sh ip as-path
AS path access list 21
     permit ^$
AS path access list 22
     permit .*

AS path access list 23
     permit ^3356
dc4-bgw-01#sh ip bgp nei 4.79.169.9    
BGP neighbor is 4.79.169.9,  remote AS 3356, external link
Description: Level3
  BGP version 4, remote router ID 4.68.1.237
  BGP state = Established, up for 6w0d
  Last read 00:00:09, last write 00:00:27, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:
    1 active, is not multisession capable
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                9    3375752
    Keepalives:         55315      61351
    Route Refresh:          0          0
    Total:              55325    3437104
  Default minimum time between advertisement runs is 30 seconds

For address family: IPv4 Unicast
  Session: 4.79.169.9
  BGP table version 542436641, neighbor version 542436581/0
  Output queue size : 0
  Index 2, Offset 0, Mask 0x4
  2 update-group member
  Inbound soft reconfiguration allowed
  Community attribute sent to this neighbor
  Inbound path policy configured
  Outbound path policy configured
  Outgoing update AS path filter list is 21
  Route map for incoming advertisements is BGW01-IN
  Route map for outgoing advertisements is BGW01-OUT

                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               1     321248 (Consumes 33409792 bytes)
    Prefixes Total:                 9   10874956
    Implicit Withdraw:              8    9871768
    Explicit Withdraw:              0     724337
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0
    Saved (soft-reconfig):        n/a     321248 (Consumes 16704896 bytes)

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    route-map:                            0    1959188

    filter-list:                   36748157          0
    AS_PATH loop:                       n/a         24
    Total:                         36748157    1959212
  Number of NLRIs in the update sent: max 1, min 1

  Address tracking is enabled, the RIB does have a route to 4.79.169.9
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Mininum incoming TTL 0, Outgoing TTL 1
Local host: 4.79.169.10, Local port: 179
Foreign host: 4.79.169.9, Foreign port: 21944

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0xF97728E30):
Timer          Starts    Wakeups            Next
Retrans         57470       2145             0x0
TimeWait            0          0             0x0
AckHold        277483     131940             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0

iss: 3335798635  snduna: 3336850202  sndnxt: 3336850202     sndwnd:  15270
irs: 2926055904  rcvnxt: 3274674919  rcvwnd:      16384  delrcvwnd:      0

SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 724 ms, ACK hold: 200 ms
Flags: passive open, retransmission timeout, nagle, path mtu capable
  gen tcbs

Datagrams (max data segment is 1460 bytes):
Rcvd: 477106 (out of order: 0), with data: 421985, total data bytes: 348619014
Sent: 384706 (retransmit: 2145), with data: 55325, total data bytes: 1051566
dc4-bgw-01#

Hi,

As the Internet Looking Glass servers are showing approximately 340,000 prefixes within the Internet, I believe your router is accepting all prefixes from the neighbor now, as your output is showing:


For address family: IPv4 Unicast
Session: 4.79.169.9
BGP table version 542436641, neighbor version 542436581/0
Output queue size : 0
Index 2, Offset 0, Mask 0x4
2 update-group member
Inbound soft reconfiguration allowed
Community attribute sent to this neighbor
Inbound path policy configured
Outbound path policy configured
Outgoing update AS path filter list is 21
Route map for incoming advertisements is BGW01-IN
Route map for outgoing advertisements is BGW01-OUT
Sent       Rcvd
Prefix activity:               ----       ----
Prefixes Current:               1     321248 (Consumes 33409792 bytes)
Prefixes Total:                 9   10874956
Implicit Withdraw:              8    9871768
Explicit Withdraw:              0     724337
Used as bestpath:             n/a          0
Used as multipath:            n/a          0
Saved (soft-reconfig):        n/a     321248 (Consumes 16704896 bytes)

And the counters below might have NOT been cleared by clear ip bgp ... soft command?

Outbound    Inbound
Local Policy Denied Prefixes:    --------    -------
route-map:                            0    1959188
filter-list:                   36748157          0
AS_PATH loop:                       n/a         24
Total:                         36748157    1959212

Can you provide sh ip bgp sum

to check how many prefixes are you receiving from your neighbor?

As to the original route-map:

ip as-path access-list 23 permit _3356$

is matching prefixes originated from your neighbor AS.

So there might have been an idea: Let's give local preference 300 to the prefixes originated by the neighbor itself  and accept all other prefixes with the default local preference?

In that case, just a line

route-map BGW01-IN permit 20

might be missing?

The complete route-map would look:


route-map BGW01-IN permit 10
match as-path 23
set local-preference 300

route-map BGW01-IN permit 20

What do you think about this possibility?

HTH,

Milan

Hello all,

Milan is right:

The original intention can be that of providing better local preference to routes with AS path = ^3356$, so you need a second route-map clause to permit all other prefixes, as noted.

I had missed this point.

Hope to help

Giuseppe
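The two points raised in this thread, how IOS AS-path regexes such as `_3356$` and `^3356` actually match, and why a route-map with a single `match as-path` clause silently drops every prefix that does not match (implicit deny, fixed by Milan's empty `permit 20` clause), can be checked without a router. The following Python script is an added example, not code from the original post or from Cisco; it re-implements the IOS matching rules (the `_` character stands for the start or end of the path or a separator between AS numbers, and the search is unanchored), evaluates the thread's as-path access-lists and both versions of BGW01-IN against AS paths taken from the poster's "sh ip bgp" output, and counts how many would land in the "Local Policy Denied Prefixes: route-map" column. The paths `3356`, `3356 3356 3356` and AS 33561, and the ACL name 24, are constructed for the example; the default local preference of 100 is the IOS default.

```python
import re
from typing import Dict, List, Optional, Tuple

# IOS as-path regex: "_" matches the start or end of the path string or one of
# the separator characters "space , { } ( )" between AS numbers.
_CISCO_UNDERSCORE = r"(?:^|$|[ ,{}()])"

AclEntry = Tuple[str, str]                         # (action, regex)
Clause = Tuple[str, Optional[str], Optional[int]]  # (action, as-path ACL or None, local-pref or None)


def cisco_regex_to_python(pattern: str) -> str:
    """Translate an 'ip as-path access-list' regex into Python re syntax."""
    return pattern.replace("_", _CISCO_UNDERSCORE)


def aspath_matches(pattern: str, path: List[int]) -> bool:
    """Unanchored search of the IOS regex against the AS_PATH rendered as 'A B C'."""
    text = " ".join(str(asn) for asn in path)
    return re.search(cisco_regex_to_python(pattern), text) is not None


def as_path_acl_permits(acl: List[AclEntry], path: List[int]) -> bool:
    """First matching entry wins; an ACL with no matching entry denies (implicit deny)."""
    for action, pattern in acl:
        if aspath_matches(pattern, path):
            return action == "permit"
    return False


def apply_route_map(route_map: List[Clause], acls: Dict[str, List[AclEntry]],
                    path: List[int], default_lp: int = 100) -> Tuple[bool, Optional[int]]:
    """Return (permitted, local-preference) for one prefix, IOS semantics:
    a clause without match statements matches everything; if no clause matches,
    the prefix is denied (this is the implicit deny at the end of every route-map)."""
    for action, acl_name, local_pref in route_map:
        if acl_name is not None and not as_path_acl_permits(acls[acl_name], path):
            continue
        if action != "permit":
            return False, None
        return True, local_pref if local_pref is not None else default_lp
    return False, None


def evaluate(route_map: List[Clause], acls: Dict[str, List[AclEntry]],
             paths: List[List[int]]) -> Tuple[Dict[str, int], int]:
    """Accepted prefixes (path -> local-pref) and the count the router would
    report under 'Local Policy Denied Prefixes: route-map' (inbound)."""
    accepted: Dict[str, int] = {}
    denied = 0
    for path in paths:
        ok, lp = apply_route_map(route_map, acls, path)
        if ok:
            accepted[" ".join(map(str, path))] = lp  # type: ignore[assignment]
        else:
            denied += 1
    return accepted, denied


# The as-path access-lists from the thread, plus a constructed ACL 24 with the
# safer form of Giuseppe's suggestion: "^3356_" cannot match an AS such as 33561.
ACLS: Dict[str, List[AclEntry]] = {
    "21": [("permit", "^$")],       # only locally originated prefixes (empty path)
    "22": [("permit", ".*")],       # everything, including an empty path
    "23": [("permit", "_3356$")],   # paths ending in 3356: originated by Level3 itself
    "24": [("permit", "^3356_")],   # paths whose first (neighbor) AS is 3356
}

ORIGINAL_IN: List[Clause] = [("permit", "23", 300)]                      # as posted
FIXED_IN: List[Clause] = [("permit", "23", 300), ("permit", None, None)]  # Milan's permit 20

# AS paths: three copied from the poster's "sh ip bgp" output, two constructed
# to stand in for a prefix that Level3 originates itself, with and without prepending.
PATHS: List[List[int]] = [
    [3356, 1273, 4788],
    [3356, 2828, 9318, 38091, 17839],
    [3356, 1239, 4134],
    [3356],
    [3356, 3356, 3356],
]


if __name__ == "__main__":
    for name, rmap in (("BGW01-IN as posted", ORIGINAL_IN), ("BGW01-IN with permit 20", FIXED_IN)):
        accepted, denied = evaluate(rmap, ACLS, PATHS)
        print(f"{name}: accepted={len(accepted)} denied_by_route_map={denied}")
        for path, lp in accepted.items():
            print(f"  {path:<32} local-pref {lp}")
    # Outbound: filter-list 21 permits only the empty path, i.e. the one local network,
    # which is why the outbound "filter-list" denied counter grows with every transit prefix.
    print("filter-list 21 permits empty path:", as_path_acl_permits(ACLS["21"], []))
```

Two things the run makes visible. With the route-map as posted, only the two paths that end in 3356 are accepted, so a full table of transit routes is denied and the inbound "route-map" counter climbs; adding the empty `permit 20` clause accepts everything else at local preference 100 while still tagging Level3's own prefixes with 300. The denied counters shown by "sh ip bgp neighbor" are cumulative since the last hard reset, so a "clear ip bgp ... soft" does not zero them; compare the "Prefixes Current" line, or "sh ip bgp summary", to see what the router is actually holding now.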
