Re: BGP conditional advert - non-exist-map

From: Bit Gossip (bit.gossip@chello.nl)
Date: Sat Mar 31 2007 - 16:03:07 ART


This is very interesting, better to find out these things now than during the
exam ......

I have labbed the NON-EXIST map with extended ACL and I have to confirm that
it doesn't work.
To recap, the only flavor that seems to work in NON-EXIST map is prefix-list.
Below is the config for extended ACL.
Thanks,
Luca.

router bgp 300
 <...>
 neighbor 136.1.245.5 remote-as 200
 neighbor 136.1.245.5 advertise-map T5.5 non-exist-map T5.5NE
!
ip prefix-list T5.5 seq 5 permit 136.1.29.0/24
!
ip prefix-list T5.5NE seq 5 permit 136.1.23.0/24
!
ip access-list standard T5.5NE
 permit 136.1.23.0
!
ip access-list extended T5.5NE-EXTENDED
 permit ip host 136.1.23.0 host 255.255.255.0
!
route-map T5.5NE permit 10
 match ip address T5.5NE-EXTENDED
!
route-map T5.5 permit 10
 match ip address prefix-list T5.5

Rack1R2#show ip bgp route-map T5.5
   Network Next Hop Metric LocPrf Weight Path
*> 136.1.29.0/24 0.0.0.0 0 32768 i

Rack1R2#show ip bgp route-map T5.5NE
   Network Next Hop Metric LocPrf Weight Path
*> 136.1.23.0/24 0.0.0.0 0 32768 i

As both AD-MAP and NON-EXIST map are true, the prefix 139.1.29/24 should not
be advertised, but it is!!
It is not advertised instead when using prefix list in the route-map T5.5NE.

----- Original Message -----
From: "maureen schaar" <maureen.schaar@gmail.com>
To: "Sergey Golovanov" <sergey.golovanov@iementor.com>
Cc: "Bit Gossip" <bit.gossip@chello.nl>; <ccielab@groupstudy.com>
Sent: Saturday, March 31, 2007 8:22 PM
Subject: Re: BGP conditional advert - non-exist-map

> Since I was not aware of this, I decided to test it and Sergey is
> totally correct. However, you can use a standard acl in the advertise
> map, but for the exist-map, it does not work.
> Below I have put the test results if anyone is interested.
>
> I am using this configuration:
>
> router bgp xx
> neighbor 150.2.12.254 advertise-map ADVERTISE exist-map EXIST
> network 2.2.2.0 mask 255.255.255.0
> network 3.3.3.0 mask 255.255.255.0
>
> ip access-list extended EXIST
> permit ip host 3.3.3.0 any log
>
> ip access-list standard ADVERTISE
> permit 2.2.2.0
>
> route-map ADVERTISE permit 10
> match ip address ADVERTISE
>
> route-map EXIST permit 10
> match ip address EXIST
>
> Both the prefixes 2.2.2.0 and 3.3.3.0 exist in the bgp and routing table.
>
>
> W2R2#clear ip bgp 150.1.12.254 soft
> *Mar 31 20:07:17.055: %SEC-6-IPACCESSLOGNP: list EXIST permitted 0
> 3.3.3.0 -> 255.255.255.0, 1 packet
> *Mar 31 20:07:23.923: BGP(0): 150.1.12.254 2.2.2.0/24 matches
> advertise map ADVERTISE, state: Advertise
>
> W2R2#sh access-lists EXIST
> Extended IP access list EXIST
> 10 permit ip host 3.3.3.0 any log (2 matches)
>
>
> Now when I change the access-list to a standard acl, this happens:
>
> W2R2(config)#no ip access-list ex EXIST
> W2R2(config)#ip access-l sta EXIST
> W2R2(config-std-nacl)#permit host 3.3.3.0
> W2R2(config-std-nacl)#
> W2R2#clear ip bgp 150.1.12.254 soft
>
> *Mar 31 20:08:34.051: BGP(0): 150.1.12.254 2.2.2.0/24 matches
> advertise map ADVERTISE, state: Withdraw
> *Mar 31 20:08:34.051: BGP(0): 150.1.12.254 send unreachable 2.2.2.0/24
> *Mar 31 20:08:34.051: BGP(0): 150.1.12.254 send UPDATE 2.2.2.0/24 -- unreachable
>
> And the prefix 2.2.2.0 is indeed no longer advertised.
>
>
> Maureen
>
> On 3/31/07, Sergey Golovanov <sergey.golovanov@iementor.com> wrote:
> > No, it's not true. If using ACL, always use Extended ACL. And try to always
> > use a "positive" ACL, that only permits the networks that you are trying to
> > specify for the non-exist behavior
> >
> > ----------------------------------------------------------------------
> > Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
> > ieMentor Instructor and Content Developer
> > sergey.golovanov@iementor.com
> > http://www.iementor.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Bit Gossip
> > Sent: Saturday, March 31, 2007 9:25 AM
> > To: ccielab@groupstudy.com
> > Subject: BGP conditional advert - non-exist-map
> >
> > Group,
> > Is it true that the match condition in a non-exist-map can be ONLY a
> > prefix-list?
> > The 2 flavors of route-map T5.5NE listed below match one and the same
> > prefix:
> >
> > Rack1R2(config-route-map)#do show ip bgp route-map T5.5NE
> >
> > Network Next Hop Metric LocPrf Weight Path
> > *> 136.1.23.0/24 0.0.0.0 0 32768 i
> >
> >
> > but only the one with the prefix-list match works as a non-exist map.
> > The other one with the acl just advertises the prefix no matter what
> >
> > Thanks,
> > Luca.
> >
> > PS: what about exist-map?
> >
> >
> >
> > router bgp 300
> > neighbor 136.1.245.5 advertise-map T5.5 non-exist-map T5.5NE
> > !
> > ip prefix-list T5.5NE seq 5 permit 136.1.23.0/24
> > !
> > ip access-list standard T5.5NE
> > permit 136.1.23.0
> > !
> > !
> >
> > 1 ) ~~~~~~~~~~~~~~~~~~~~~~~~~~
> > route-map T5.5NE permit 10
> > match ip address prefix-list T5.5NE
> >
> > 2) ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > route-map T5.5NE permit 10
> > match ip address T5.5NE
> > !
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:53 ART
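
Added example, not part of the original thread or any poster's code: a Python model of how a route is tested by each match flavor used above (prefix-list, standard ACL, extended ACL with source = network and destination = mask, as the IPACCESSLOGNP line shows) and of the state conditional advertisement is expected to reach. It models the documented semantics only and does not reproduce the behaviour the posters observed on their routers; all function names are hypothetical, and the tables are rebuilt from the show output and network statements quoted in the thread.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _wc(value, base, wildcard):
    # ACL wildcard semantics: bits set in the wildcard are ignored.
    return (_ip(value) | _ip(wildcard)) == (_ip(base) | _ip(wildcard))

HOST, ANY = "0.0.0.0", "255.255.255.255"   # wildcards behind "host X" and "any"

def std_acl(route, net, wc=HOST):
    # Standard ACL used as a route filter: only the network address is tested.
    return _wc(str(route.network_address), net, wc)

def ext_acl(route, src, src_wc, dst, dst_wc):
    # Extended ACL used as a route filter: source = network, destination = mask.
    return (_wc(str(route.network_address), src, src_wc)
            and _wc(str(route.netmask), dst, dst_wc))

def prefix_list(route, prefix):
    # Prefix-list entry without ge/le: exact network and length.
    return route == ipaddress.ip_network(prefix)

def expected_state(table, advertise, condition, mode):
    # mode "exist": advertise only while a route matches the condition map.
    # mode "non-exist": advertise only while no route matches it.
    hit = any(condition(r) for r in table)
    state = "Advertise" if hit == (mode == "exist") else "Withdraw"
    return {str(r): state for r in table if advertise(r)}

# Constructed BGP tables, rebuilt from the thread.
LUCA = [ipaddress.ip_network(p) for p in ("136.1.29.0/24", "136.1.23.0/24")]
MAUREEN = [ipaddress.ip_network(p) for p in ("2.2.2.0/24", "3.3.3.0/24")]

NON_EXIST_FLAVORS = {
    "prefix-list": lambda r: prefix_list(r, "136.1.23.0/24"),
    "standard": lambda r: std_acl(r, "136.1.23.0"),
    "extended": lambda r: ext_acl(r, "136.1.23.0", HOST, "255.255.255.0", HOST),
}

def luca_expected(table=LUCA):
    adv = lambda r: prefix_list(r, "136.1.29.0/24")
    return {k: expected_state(table, adv, c, "non-exist")
            for k, c in NON_EXIST_FLAVORS.items()}

def maureen_expected(table=MAUREEN):
    adv = lambda r: std_acl(r, "2.2.2.0")
    exist = lambda r: ext_acl(r, "3.3.3.0", HOST, "0.0.0.0", ANY)
    return expected_state(table, adv, exist, "exist")
```

Comparing these expected states with the `debug` and `show ip bgp neighbors ... advertised-routes` output on the router is what exposes a flavor that the platform does not evaluate as documented.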