New Member

BGP route tag filtering

I'm working on a solution that involves MPLS with BGP and OSPF as the IGP on each end. There is also an MLVPN as a backup path. I'm trying to do mutual redistribution of OSPF and BGP. I want to use route tags to identify routes injected into OSPF from the MPLS WAN. I did that fine. The problem is that I am getting those routes sent back through BGP. I have my config below. What am I missing?

--Patrick

seanrtr1#sh run | begin router
router ospf 100
 redistribute bgp 65001 subnets tag 777
 passive-interface GigabitEthernet1/0
 network 192.168.1.16 0.0.0.3 area 0
 network 192.168.255.5 0.0.0.0 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 redistribute ospf 100 route-map OSPF2BGP
 neighbor 192.168.255.4 remote-as 209
 neighbor 192.168.255.4 disable-connected-check
 neighbor 192.168.255.4 update-source Loopback0
 neighbor 192.168.255.4 soft-reconfiguration inbound
!

route-map OSPF2BGP deny 10
 match tag 777
!
route-map OSPF2BGP permit 20
 set local-preference 50
 set weight 0

Cisco Employee

Hello Patrick,

> The problem is that I am getting those routes sent back through BGP.

Your configuration looks fine to me - routes learned from BGP into OSPF are tagged with the tag of 777, and the backward redistribution from OSPF to BGP avoids retaking routes already tagged with 777. However, this kind of recursive redistribution prevention is done in situations where the redistribution is performed on several routers. A single router never ends up in creating a recursive redistribution simply because the redistribution is done through the contents of the routing table, and on the router doing the redistribution, the routing table does not change as a result of the redistribution (i.e. routes redistributed from BGP to OSPF remain learned via BGP, and vice versa).

Is it possible that the "routes being sent back through BGP" correspond simply to BGP advertisement rules?

And by the way, I see you have soft-reconfiguration inbound configured. Are you sure you need it? The Route Refresh capability replaces this hack.

Best regards,

Peter

New Member

Hi Peter, Thanks for the quick reply.

I have an OSPF-learned route on an OSPF-only router. When I run 'show ip ospf database' I see that route listed with a 777 tag. It is being advertised from the BGP/OSPF border router. I should not see any 777 tagged routes from the local network.

I'll look into the Route Refresh replacing soft-reconfiguration inbound.

--Patrick

Cisco Employee

Hi Patrick,

Regarding the Route Refresh capability, please check out this thread:

https://supportforums.cisco.com/message/3523950#3523950

> I have an OSPF-learned route on an OSPF-only router. When I run 'show ip ospf database' I see that route listed with a 777 tag. It is being advertised from the BGP/OSPF border router. I should not see any 777 tagged routes from the local network.

If I understand you correctly, you are looking into the OSPF database of a pure OSPF router somewhere inside your network, and you are saying that this router learns about internal networks from the BGP/OSPF router as OSPF external routes, instead of learning about them as OSPF intra-area routes. Am I correct?

Can you perhaps post a simplified sketch of your network so that I can better understand where the true network is located, and what your OSPF router claims to see? Also, would it be possible to post relevant sections of show ip ospf database XXX so that we can confirm that the route is indeed learned as external, and perhaps even known as internal although not installed into the routing table?

Best regards,

Peter

New Member

Here is a copy of my lab. The config from earlier is from R5. The same config is on R2 but with a different AS#. OSPF is running on all routers except for R4. The interfaces connecting to R4 from R2 and R5 are in passive mode. The link between R3 and R6 is shut down so that I can test distribution on the primary path. I'll follow up with a post of the OSPF database output.

--Patrick

New Member

R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.1.101.0/24 is directly connected, Loopback1
L        10.1.101.1/32 is directly connected, Loopback1
C        10.1.102.0/24 is directly connected, Loopback2
L        10.1.102.1/32 is directly connected, Loopback2
O E2     10.85.240.0/24
           [110/100] via 192.168.1.2, 00:24:50, GigabitEthernet1/0
      192.168.1.0/24 is variably subnetted, 8 subnets, 2 masks
C        192.168.1.0/30 is directly connected, GigabitEthernet1/0
L        192.168.1.1/32 is directly connected, GigabitEthernet1/0
C        192.168.1.4/30 is directly connected, GigabitEthernet2/0
L        192.168.1.5/32 is directly connected, GigabitEthernet2/0
O        192.168.1.8/30 [110/2] via 192.168.1.2, 00:50:06, GigabitEthernet1/0
O E2     192.168.1.16/30
           [110/100] via 192.168.1.2, 00:28:15, GigabitEthernet1/0
O E2     192.168.1.20/30
           [110/100] via 192.168.1.2, 00:24:50, GigabitEthernet1/0
O E2     192.168.1.24/30
           [110/100] via 192.168.1.2, 00:24:50, GigabitEthernet1/0
      192.168.255.0/32 is subnetted, 6 subnets
C        192.168.255.1 is directly connected, Loopback0
O        192.168.255.2 [110/2] via 192.168.1.2, 00:50:06, GigabitEthernet1/0
O        192.168.255.3 [110/2] via 192.168.1.6, 00:50:06, GigabitEthernet2/0
O E2     192.168.255.5 [110/100] via 192.168.1.2, 00:28:15, GigabitEthernet1/0
O E2     192.168.255.6 [110/100] via 192.168.1.2, 00:24:50, GigabitEthernet1/0
O E2     192.168.255.7 [110/100] via 192.168.1.2, 00:24:50, GigabitEthernet1/0
R1#

R1#sh ip ospf database

            OSPF Router with ID (192.168.255.1) (Process ID 100)

        Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.255.1   192.168.255.1   1908        0x80000010 0x00B05A 3
192.168.255.2   192.168.255.2   704         0x8000000E 0x002F48 3
192.168.255.3   192.168.255.3   1197        0x80000015 0x00EBFB 2

        Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.1.2     192.168.255.2   704         0x8000000D 0x00691A
192.168.1.6     192.168.255.3   451         0x8000000F 0x00413A

        Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.101.1      192.168.255.1   407         0x8000000D 0x0075DE
10.1.102.1      192.168.255.1   407         0x8000000D 0x006AE8

        Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.255.1   192.168.255.1   407         0x8000000D 0x00DD7D 2

        Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.1.0     192.168.255.1   407         0x8000000D 0x009AC3
192.168.1.4     192.168.255.1   1908        0x8000000C 0x0074E6
192.168.1.8     192.168.255.1   407         0x8000000D 0x005401
192.168.255.1   192.168.255.1   407         0x8000000D 0x00ADAD
192.168.255.2   192.168.255.1   407         0x8000000D 0x00ADAB
192.168.255.3   192.168.255.1   1908        0x8000000C 0x00A5B3

        Summary ASB Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.255.2   192.168.255.1   407         0x8000000D 0x0095C3

        Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
10.85.240.0     192.168.255.2   1597        0x80000001 0x00EB9C 777
192.168.1.16    192.168.255.2   1802        0x80000001 0x005908 777
192.168.1.20    192.168.255.2   1597        0x80000001 0x00312C 777
192.168.1.24    192.168.255.2   1597        0x80000001 0x000950 777
192.168.255.5   192.168.255.2   1802        0x80000001 0x00E485 777
192.168.255.6   192.168.255.2   1597        0x80000001 0x00DA8E 777
192.168.255.7   192.168.255.2   1597        0x80000001 0x00D097 777

R1#

New Member

Now that I look closer, I don't see the problem I was having earlier. Maybe I just needed to walk away for a while. 10.1.101.0 and 10.1.102.0 were listed as Type-5 routes with a tag of 777. These networks are local to the router and should never show up that way.

Cisco Employee

Patrick,

I can see how the routes 10.1.101.0 and 10.1.102.0 could have been present in R1's LSDB as LSA-5 entries. Follow me:

  1. R1 advertises these networks via OSPF to R2.
  2. R2 redistributes them into BGP and advertises them to R4.
  3. R4 advertises these networks via BGP further to R5.
  4. R5 may, at this time, have learned about 10.1.101.0 and 10.1.102.0 via OSPF through R3 and R6. However, these routes are OSPF routes with AD=110 while the eBGP-learned routes will have their AD=20. The routing table will therefore contain the eBGP-learned routes. As a result, OSPF configuration on R5 will cause these routes to be redistributed from BGP into OSPF. Notice that if the eBGP-learned routes do not have the tag set to 777 on R2 in the first place when the OSPF-to-BGP redistribution takes place, there is nothing to prevent these routes from being redistributed from BGP to OSPF on R5.
  5. These redistributed routes will be propagated as LSA-5 through R6 and R3 back to R1. Note, however, that even though these routes are present in the LSDB on R1 as LSA-5 routes, it does not do any harm: OSPF by its design prefers first intra-area routes (LSA1+LSA2), then inter-area routes (LSA3), and only then the external routes (LSA5). Even if R1, R3 and R6 know about these networks via LSA-5, they should also know about them via LSA1-3, and these shall be preferred by OSPF's standardized preference.

Does this make sense? Would this explain what you saw?

Best regards,

Peter
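
Peter's five steps as a small Python model (an added example, not part of the original reply and not router output). The function names are hypothetical, and the internal route is modelled as inter-area, an assumption based on the summary LSAs for 10.1.101.1 in R1's Area 0 database above.

```python
# Constructed model of the five steps; names and structure are illustrative.
AD = {"ebgp": 20, "ospf": 110}                       # administrative distances quoted in the thread
OSPF_RANK = {"intra": 0, "inter": 1, "external": 2}  # OSPF's own path-type preference

def ospf_best(paths):
    """Inside OSPF, intra-area beats inter-area beats external (LSA-5)."""
    return min(paths, key=lambda p: OSPF_RANK[p["type"]])

def rib_winner(candidates):
    """Between protocols, the lowest administrative distance is installed."""
    return min(candidates, key=lambda r: AD[r["proto"]])

def ospf2bgp_permits(route, deny_tag=777):
    """route-map OSPF2BGP: deny 10 matches tag 777, permit 20 matches the rest."""
    return route["proto"] == "ospf" and route.get("tag") != deny_tag

def bgp_to_ospf(route, tag=777):
    """'redistribute bgp ... subnets tag 777' acts only on BGP routes in the RIB."""
    if route["proto"] != "ebgp":
        return None
    return {"proto": "ospf", "type": "external", "tag": tag, "prefix": route["prefix"]}

def walk(prefix="10.1.101.0"):
    # Assumption: R1's network is seen elsewhere as an untagged inter-area route.
    internal = {"proto": "ospf", "type": "inter", "tag": None, "prefix": prefix}
    # Steps 1-3: R2 holds the untagged internal route, so OSPF2BGP permits it
    # and R4 passes it on to R5 as an eBGP route.
    sent_by_r2 = ospf2bgp_permits(internal)
    ebgp = {"proto": "ebgp", "prefix": prefix}
    # Step 4: on R5 the eBGP copy (AD 20) beats the OSPF copy (AD 110),
    # so the BGP-to-OSPF redistribution picks it up and tags it 777.
    r5_rib = rib_winner([internal, ebgp])
    lsa5 = bgp_to_ospf(r5_rib)
    # Step 5: R1 holds both the internal path and the tagged LSA-5.
    r1_best = ospf_best([lsa5, internal])
    # The tag only stops the tagged LSA-5 itself from re-entering BGP.
    return {"sent_by_r2": sent_by_r2, "r5_rib": r5_rib["proto"],
            "lsa5_tag": lsa5["tag"], "r1_best": r1_best["type"],
            "lsa5_back_to_bgp": ospf2bgp_permits(lsa5)}

if __name__ == "__main__":
    for key, value in walk().items():
        print(f"{key}: {value}")
```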

New Member

I think that is what is happening. I have OSPF running on R3 and R6 and both have a route-map that is filtering tag 777. I'm not sure how these routes are getting through.

--Patrick

Cisco Employee

Patrick,

Please note that LSA-5 are not routes, rather, they are topological components. Contrary to distance vector routing protocols, you cannot modify the contents of foreign LSA-5, nor can you arbitrarily limit their flooding scope. In link state routing protocols, a key concept is that each router in an area must have the same LSDB and no router may modify other routers' LSAs. If these rules were not in place, you could easily cause the LSDB to be inconsistent, leading to routers computing shortest paths over differing LSDBs, possibly ending up with traffic blackholes or routing loops.

I am not quite sure what kind of route-map you are using on your R3 or R6, but once an LSA-5 has been originated into OSPF on R5, it will be flooded throughout the entire OSPF domain (except stubby, totally stubby, NSSA or NSSA-TS areas of course) and no route-map is capable of stopping it.

Just curious - can you post the OSPF configuration on R3 and R6? I'd like to see how you are using the route-map there.

Best regards,

Peter

New Member

Peter,

Here is the config for ospf on R3 and R6.

router ospf 100
 network 192.168.1.20 0.0.0.3 area 0
 network 192.168.1.24 0.0.0.3 area 0
 network 192.168.255.7 0.0.0.0 area 0
 distribute-list route-map ospf-tag-filter in
!
!
route-map ospf-tag-filter deny 10
 match tag 777
!
route-map ospf-tag-filter permit 20

Note that R1 is preferring routes via R3 over R2 even when I specify an OSPF interface cost of 500 on R3 and R6. My goal would be to have all routes prefer the BGP path. The R3/R6 path represents what we have as a DMVPN.

Thanks,

Patrick
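
The difference between the LSDB and the routing table that Peter describes above, modelled in Python for this `distribute-list ... in` (an added example, not from the thread). The R5-R6-R3-R1 chain and all function names are assumptions taken from step 5 of the earlier reply; on IOS an inbound OSPF distribute-list filters what the local router installs in its routing table, not what it floods.

```python
# Constructed topology from step 5 of the earlier reply: R5 - R6 - R3 - R1.
LINKS = [("R5", "R6"), ("R6", "R3"), ("R3", "R1")]
TAG_FILTER = {"R3", "R6"}   # routers with 'distribute-list route-map ospf-tag-filter in'

def neighbours(router):
    """Routers sharing a link with the given router."""
    return [b if a == router else a for a, b in LINKS if router in (a, b)]

def flood(origin, lsa):
    """Flood one LSA hop by hop; every router stores it unchanged and passes it on."""
    lsdb = {origin: [lsa]}
    queue = [origin]
    while queue:
        current = queue.pop(0)
        for peer in neighbours(current):
            if peer not in lsdb:          # the local route-map plays no part here
                lsdb[peer] = [lsa]
                queue.append(peer)
    return lsdb

def tag_filter_permits(lsa):
    """route-map ospf-tag-filter: deny 10 matches tag 777, permit 20 matches the rest."""
    return lsa["tag"] != 777

def offered_to_rib(router, lsdb):
    """External prefixes OSPF offers to this router's routing table after the filter."""
    lsas = lsdb.get(router, [])
    if router in TAG_FILTER:
        lsas = [lsa for lsa in lsas if tag_filter_permits(lsa)]
    return [lsa["prefix"] for lsa in lsas]

def demo():
    # Constructed LSA-5 as R5 would originate it with 'tag 777'.
    lsa5 = {"prefix": "10.1.101.0", "type": 5, "tag": 777, "adv_router": "R5"}
    lsdb = flood("R5", lsa5)
    return {r: {"in_lsdb": lsa5 in lsdb.get(r, []), "offered": offered_to_rib(r, lsdb)}
            for r in ("R6", "R3", "R1")}

if __name__ == "__main__":
    for router, state in demo().items():
        print(router, state)
```

In the model, R3 and R6 drop the tagged prefix from their own routing tables, yet the LSA still reaches R1's LSDB because flooding never consults the route-map.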
