Recently my office encountered an issue where our ISP informed us that our router had advertised a high number of network prefixes, which caused the BGP session to go down (as there was a limit set on the number of prefixes it can accept). That lasted for >12 hours.
However, the problem was resolved automatically thereafter without any intervention at our end, and the number of prefixes advertised dropped back to normal.
How could such an incident happen, and what could be the possible causes for the surge, assuming there is no misconfiguration of the router?
Could there also be a possibility of a problem with the PE router?
High number of prefixes caused BGP to go down? If the ISP has a limit on their end they would probably drop the other prefixes, not bring the BGP session down. If the BGP session is already down, how would the PE know when the number of prefixes has gone down?
Can your ISP provide some information from their end to show which prefixes you had advertised?
Also, how many prefixes do you normally advertise, and did you check during the problem to see how many prefixes you were advertising?
In my opinion there was something wrong at the ISP end; without some proof you cannot blame your router.
If your router advertises IP prefixes only with network commands and/or you implement an outbound filter towards the ISP, there is no way to advertise more prefixes than expected.
Conversely, if you redistribute an IGP into BGP without an outbound filter, then the router is exposed to the risk of advertising a variable number of prefixes over time, for example because an aggregate prefix configured under the IGP was removed.
In this second scenario a change in the IGP domain could cause a change in the number of IP prefixes advertised.
Another possible scenario could be the following:
your BGP router is multihomed, it has no outbound filter towards the ISP that implements route control on the number of received prefixes (ISP1), and it advertised prefixes received from ISP2 to ISP1.
To be noted: these scenarios would imply some lack of routing control, which is not common nowadays.
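As an added illustration of the two situations this reply contrasts (example configuration written for this thread, not taken from the original poster's router or from the ISP): a Cisco IOS CE that redistributes its IGP into BGP with nothing filtered outbound, beside one that only originates explicit prefixes and applies an outbound prefix-list, followed by the PE-side prefix limit that tears the session down. The AS numbers, addresses and the prefix-list name TO-ISP are made up for the example. The "restart" option on the PE is worth noting because it is one documented way a session dropped by a prefix limit can come back up later with no action on the customer side, which is not to say it is what happened here.

```cisco
! ---- Exposed CE: IGP redistributed into BGP, no outbound filter ----
! Every route OSPF process 1 learns becomes a BGP advertisement. Losing an
! aggregate in the IGP (or any de-summarisation) changes the count the PE sees.
router bgp 64496
 neighbor 203.0.113.1 remote-as 64497
 address-family ipv4
  redistribute ospf 1
  neighbor 203.0.113.1 activate
 exit-address-family
!
! ---- Controlled CE: explicit origination plus an outbound prefix-list ----
! Only the prefixes listed here can leave, whatever the IGP does and whatever
! a second upstream might inject (the multihoming scenario in the reply above).
! The prefix-list has an implicit deny for everything not listed.
ip prefix-list TO-ISP seq 10 permit 198.51.100.0/24
ip prefix-list TO-ISP seq 20 permit 198.51.101.0/24
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64497
 address-family ipv4
  network 198.51.100.0 mask 255.255.255.0
  network 198.51.101.0 mask 255.255.255.0
  neighbor 203.0.113.1 activate
  neighbor 203.0.113.1 prefix-list TO-ISP out
 exit-address-family
!
! ---- PE side (ISP): the limit that brings the session down ----
! "maximum-prefix 20" alone tears the session down when the 21st prefix arrives
! and it stays down until someone runs "clear ip bgp 203.0.113.2".
! "80" logs a warning at 80% of the limit; "restart 30" makes IOS retry the
! session every 30 minutes, so it comes back on its own once the peer is under
! the limit again. "warning-only" in place of "restart" would only log.
router bgp 64497
 address-family ipv4
  neighbor 203.0.113.2 remote-as 64496
  neighbor 203.0.113.2 activate
  neighbor 203.0.113.2 maximum-prefix 20 80 restart 30
 exit-address-family
!
! ---- What to run on the CE while the problem is happening ----
! show ip bgp neighbors 203.0.113.1 advertised-routes   (exactly what is sent)
! show ip bgp neighbors 203.0.113.1 | include Prefix    (sent/received counters)
! show ip bgp summary                                   (session state, PfxRcd)
```

The two CE variants are alternatives, not meant to be applied together; the point of the second one is that the outbound prefix-list bounds the advertised count independently of where the routes came from, so the IGP can change all it likes without the PE ever seeing more than the listed prefixes.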
Thanks for the reply, I'm actually not a very network-savvy person.
The ISP's PE log shows e.g. "no. of prefix received from is 21 exceed limit 20", then the BGP would go down. There is actually a clause that states we should not exceed 20 prefixes, so I'm not overly concerned about how it should behave when it actually exceeds that. Our ISP is also unable to tell us what routes we are advertising when it goes over 100, as the BGP session is already down.
We did not check the advertised routes on our end when it happened, because the onsite personnel were not aware of how to check it. If we had known how to check it at that point in time, we would have had an easier time identifying the root cause.
The strange part is how it could have exceeded the limit when we are only advertising 18 prefixes based on the router configuration, and with no intervention on our end the prefixes dropped back to normal a few hours later. We do not have multihoming, or at least not that I'm aware of. Till now I still do not have the root cause for this surge. And by the way, could a virus attack actually cause this?