New Member

BGP Announcing more specific routes (/23 in two /24)

Hi Community,
We are facing some problems with the BGP configuration and we'd like to know if you can help us with this issue.

Description:
We have a /23 prefix and we are trying to announce two /24s to the ISP.
We know that for BGP to announce a prefix it must be present in the routing table, and a solution for announcing these more specific prefixes is to use ip routes to Null0.
However, we are having problems with packets being dropped.

For instance, if my 2 routers have a LAN segment on the /23:
r1: g0/0 - 190.25.3.252/23
r2: g0/0 - 190.25.3.253/23
fw: e0/0 - 190.25.3.250/23

They can ping each other.

If I put the following config, I lose the connectivity:
ip route 190.25.2.0 255.255.255.0 Null0 254
ip route 190.25.3.0 255.255.255.0 Null0 254

I think that is expected behavior, because at this moment I have a more specific route pointing to Null0. So when traffic comes from the Internet to IP 190.25.2.10, for example, instead of going to the fw it is dropped.

r1#sh ip route 190.25.2.0
Routing entry for 190.25.2.0/24
  Known via "static", distance 254, metric 0 (connected)
  Advertised by bgp 65001
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1
r1#
r1#sh ip route 190.25.3.0
Routing entry for 190.25.2.0/24
  Known via "static", distance 254, metric 0 (connected)
  Advertised by bgp 65001
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1
r1#

The question is: how can I solve this issue? What would be the best practice?

At this moment we have just one ISP for this example, but there will be two or more.

Thank you very much. I'll provide an image of the topology to clarify this issue.


12 REPLIES
Hall of Fame Super Blue

The requirement for BGP to advertise the network is that the route must be in the IP routing table but it doesn't say anything about what the next hop is as long as it is reachable.

So why not try changing the next hop to be the firewall for the routes you are adding.

Jon

Plinio,

I agree 100% with Jon Marshall on this one. I know what you're thinking, but in this instance, you do not need to do that.

For instance, if my 2 routers have a LAN segment on the /23:
r1: g0/0 - 190.25.3.252/23
r2: g0/0 - 190.25.3.253/23
fw: e0/0 - 190.25.3.250/23

They can ping each other.

If I put the following config, I lose the connectivity:
ip route 190.25.2.0 255.255.255.0 Null0 254
ip route 190.25.3.0 255.255.255.0 Null0 254

You do not need the Null0 routes. In your picture, these LAN routes go back towards your firewall, so as Jon Marshall suggested I would do this:

ip route 190.25.2.0 255.255.255.0 [firewall-nexthop]
ip route 190.25.3.0 255.255.255.0 [firewall-nexthop]

New Member

Hi Guys,

Thank you for your feedback.

I made the changes, but I got the following result:

With routes pointing to Null0, I have the following output:

r1#sh ip bgp nei x.x.x.x advertised-routes 

BGP table version is 7, local router ID is 10.4.27.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
 
     Network          Next Hop            Metric LocPrf Weight Path
 *>  190.25.2.0/24  0.0.0.0                  0         32768 i
 *>  190.25.2.0/23  0.0.0.0                  0         32768 i
 *>  190.25.3.0/24  0.0.0.0                  0         32768 i
 
Total number of prefixes 3 
r1#
 
After this config:
 
ip route 190.25.2.0 255.255.255.0 190.25.3.250
ip route 190.25.3.0 255.255.255.0 190.25.3.250
 
I have the following output:
 
r1#sh ip bgp nei x.x.x.x advertised-routes 
BGP table version is 11, local router ID is 10.4.27.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
 
     Network          Next Hop            Metric LocPrf Weight Path
 *>  190.25.2.0/24  190.25.3.250             0         32768 i
 *>  190.25.2.0/23  0.0.0.0                  0         32768 i
 
Total number of prefixes 2
r1#

The second /24 (190.25.3.0/24) isn't advertised.

I think that maybe I have to change this design.

Hall of Fame Super Blue

Can you post -

"sh ip route 190.25.2.0 255.255.254.0"

"sh ip route 190.25.2.0 255.255.255.0"

"sh ip route 190.25.3.0 255.255.255.0"

Jon

New Member

Sure Jon,

r1#sh ip route 190.25.2.0 255.255.254.0
Routing entry for 190.25.2.0/23
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Advertised by bgp 65001
  Routing Descriptor Blocks:
  * directly connected, via Ethernet0/0
      Route metric is 0, traffic share count is 1
r1#
r1#
r1#
r1#sh ip route 190.25.2.0 255.255.255.0
Routing entry for 190.25.2.0/24
  Known via "static", distance 1, metric 0
  Advertised by bgp 65001
  Routing Descriptor Blocks:
  * 190.25.3.250
      Route metric is 0, traffic share count is 1
r1#
r1#
r1#sh ip route 190.25.3.0 255.255.255.0
% Subnet not in table
r1#
r1#
r1#sh run | i ip route
ip route 190.25.2.0 255.255.255.0 190.25.2.250 name BGP
ip route 190.25.3.0 255.255.255.0 190.25.3.250 name BGP
r1#

I don't know if the route is not installed because of the configuration of the interface, which is a /23.

New Member

Jon,

I fixed the problem using this config:

ip route 190.25.2.0 255.255.255.0 Ethernet0/0
ip route 190.25.3.0 255.255.255.0 Ethernet0/0

r1#sh ip bgp nei x.x.x.x advertised-routes 
BGP table version is 15, local router ID is 10.4.27.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
 
     Network          Next Hop            Metric LocPrf Weight Path
 *>  190.25.2.0/24  0.0.0.0             0         32768 i
 *>  190.25.2.0/23  0.0.0.0                  0         32768 i
 *>  190.25.3.0/24  0.0.0.0                  0         32768 i
 
Total number of prefixes 3
r1#

I think that can be a valid solution, ok?

Hall of Fame Super Blue

You beat me to it.

Good idea to use the outgoing interface and not the next hop IP.

So it's all working now ?

Jon

New Member

Hi Jon,

Yes, everything is working fine and as expected.

I appreciate your attention.

Thank you very much.

Hall of Fame Super Blue

No problem but can you have a read of my last post just to be sure you understand what is happening.

Jon

Hall of Fame Super Blue

In terms of whether it is valid it depends.

When you configure a static route with a next hop IP then your router simply needs to ARP for the next hop IP and the firewall responds because it owns that IP.

When you configure a static route pointing out of an interface then the router has to ARP for all destinations in that subnet. If the destination IP is on the other side of the firewall then the firewall has to be running proxy ARP to reply with its own MAC address.

So -

1) are the /24 networks on the other side of the firewall

2) is the firewall running proxy arp on the interface facing the router

Jon

New Member

Jon,

In this scenario we have just 4 hosts using this /23 (2 firewalls and the 2 routers).

On the firewall, we have an outside interface that is part of the /23 and one interface that is the inside (10.x.x.x).

So, in this case, we will not have hosts on the /23 (/24 and /24). We will have just NAT translations.

I'm just not sure why the route to the 2nd /24 was not being shown in the routing table. The router was considering just the first /24 and the /23.

Thank you again.

Hall of Fame Super Blue

Okay that makes sense.

If the firewall is only using those IPs for NAT then it should work okay because the firewall will respond to an ARP request for any of those addresses if it has a NAT statement for it which is exactly what you want to happen.

Jon
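Two things in this thread are worth seeing side by side: the question Plinio left open (why 190.25.3.0/24 pointed at 190.25.3.250 never appeared in the routing table, while the same route pointed at Null0 or Ethernet0/0 did) and Jon's explanation of what the router has to ARP for in each case. The following small Python model of the routing table covers both. It is an added illustration written for this page, not code from the thread or from Cisco; the `Rib` class, its methods and the behaviour it encodes are assumptions: a static route whose next hop's longest match would be that very route is treated as recursive and not installed, BGP `network` statements only originate prefixes that exist exactly in the table, and a route out of an interface makes the router ARP for the destination itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address] = None  # "ip route X M <ip>"
    interface: Optional[str] = None                   # "ip route X M <intf>" or connected


class Rib:
    """Toy routing table (assumed model, not IOS code): longest-prefix match,
    and a static route is refused when its next hop would resolve through
    that same route (recursive next hop)."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def lookup(self, ip: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(ip)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def add_connected(self, prefix: str, interface: str) -> None:
        self.routes.append(Route(ipaddress.IPv4Network(prefix), interface=interface))

    def add_static(self, prefix: str, via: str) -> bool:
        """Install 'ip route <prefix> <via>'. Returns False if rejected as recursive."""
        net = ipaddress.IPv4Network(prefix)
        try:
            nh = ipaddress.IPv4Address(via)
        except ValueError:                     # not an IP: interface route (Null0, Ethernet0/0, ...)
            self.routes.append(Route(net, interface=via))
            return True
        route = Route(net, next_hop=nh)
        self.routes.append(route)
        if self.lookup(via) is route:          # the route would be its own resolver
            self.routes.remove(route)          # -> "% Subnet not in table"
            return False
        return True

    def bgp_advertised(self, network_statements: List[str]) -> List[str]:
        """BGP only originates a 'network' prefix that exists exactly in the RIB."""
        present = {str(r.prefix) for r in self.routes}
        return [n for n in network_statements if n in present]

    def arp_target(self, dst: str) -> Optional[str]:
        """IP the router must ARP for to forward to dst; None means dropped."""
        r = self.lookup(dst)
        if r is None or r.interface == "Null0":
            return None
        if r.next_hop is not None:             # next hop sits on the connected /23 here
            return str(r.next_hop)
        return dst                             # interface route: ARP for the destination itself


NETWORKS = ["190.25.2.0/23", "190.25.2.0/24", "190.25.3.0/24"]  # BGP network statements


def scenario(via: str):
    """Connected /23 on Ethernet0/0 plus the two /24 statics from the thread,
    all pointed at `via` (Null0, the firewall IP, or the interface)."""
    rib = Rib()
    rib.add_connected("190.25.2.0/23", "Ethernet0/0")
    installed = [rib.add_static("190.25.2.0/24", via),
                 rib.add_static("190.25.3.0/24", via)]
    # 190.25.2.10 (constructed) stands in for an inbound flow to a NAT address on the firewall
    return installed, rib.bgp_advertised(NETWORKS), rib.arp_target("190.25.2.10")


if __name__ == "__main__":
    for via in ("Null0", "190.25.3.250", "Ethernet0/0"):
        installed, advertised, arp = scenario(via)
        print(f"via {via:13} installed={installed} advertised={advertised} arp_for={arp}")
```

Run it and the three scenarios reproduce the three `advertised-routes` outputs in the thread: the Null0 routes get all three prefixes advertised but black-hole inbound traffic, the next-hop version silently loses 190.25.3.0/24 because 190.25.3.250 falls inside that very /24, and the interface version advertises everything but depends on the firewall answering ARP (proxy ARP or a NAT entry) for each address. The practical check is the one Jon asked for: after changing static routes, confirm each prefix with `sh ip route` before trusting `advertised-routes`, since a route that fails to install simply disappears from BGP without any error.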
