From: Narbik Kocharians (narbikk@gmail.com)
Date: Tue Apr 03 2007 - 00:33:09 ART
It all depends on what you want to do and what the policy is. You should NOT
set that as a rule.
On 3/31/07, Bit Gossip <bit.gossip@chello.nl> wrote:
>
> This is very interesting, better to find out these things now than during the
> exam ......
>
> I have labbed the NON-EXIST map with extended ACL and I have to confirm that
> it doesn't work.
> To recap, the only flavor that seems to work in a NON-EXIST map is a prefix-list.
> Below is the config for the extended ACL.
> Thanks,
> Luca.
>
> router bgp 300
> <...>
> neighbor 136.1.245.5 remote-as 200
> neighbor 136.1.245.5 advertise-map T5.5 non-exist-map T5.5NE
> !
> ip prefix-list T5.5 seq 5 permit 136.1.29.0/24
> !
> ip prefix-list T5.5NE seq 5 permit 136.1.23.0/24
> !
> ip access-list standard T5.5NE
> permit 136.1.23.0
> !
> ip access-list extended T5.5NE-EXTENDED
> permit ip host 136.1.23.0 host 255.255.255.0
> !
> route-map T5.5NE permit 10
> match ip address T5.5NE-EXTENDED
> !
> route-map T5.5 permit 10
> match ip address prefix-list T5.5
>
>
> Rack1R2#show ip bgp route-map T5.5
> Network Next Hop Metric LocPrf Weight Path
> *> 136.1.29.0/24 0.0.0.0 0 32768 i
>
> Rack1R2#show ip bgp route-map T5.5NE
> Network Next Hop Metric LocPrf Weight Path
> *> 136.1.23.0/24 0.0.0.0 0 32768 i
>
> As both AD-MAP and NON-EXIST map are true, the prefix 139.1.29/24 should not
> be advertised, but it is!!
> It is not advertised, instead, when using a prefix list in the route-map
> T5.5NE.
>
>
>
> ----- Original Message -----
> From: "maureen schaar" <maureen.schaar@gmail.com>
> To: "Sergey Golovanov" <sergey.golovanov@iementor.com>
> Cc: "Bit Gossip" <bit.gossip@chello.nl>; <ccielab@groupstudy.com>
> Sent: Saturday, March 31, 2007 8:22 PM
> Subject: Re: BGP conditional advert - non-exist-map
>
>
> > Since I was not aware of this, I decided to test it and Sergey is
> > totally correct. However, you can use a standard acl in the advertise
> > map, but for the exist-map, it does not work.
> > Below I have put the test results if anyone is interested.
> >
> > I am using this configuration:
> >
> > router bgp xx
> > neighbor 150.2.12.254 advertise-map ADVERTISE exist-map EXIST
> > network 2.2.2.0 mask 255.255.255.0
> > network 3.3.3.0 mask 255.255.255.0
> >
> > ip access-list extended EXIST
> > permit ip host 3.3.3.0 any log
> >
> > ip access-list standard ADVERTISE
> > permit 2.2.2.0
> >
> > route-map ADVERTISE permit 10
> > match ip address ADVERTISE
> >
> > route-map EXIST permit 10
> > match ip address EXIST
> >
> > Both the prefixes 2.2.2.0 and 3.3.3.0 exist in the BGP and routing table.
> >
> >
> > W2R2#clear ip bgp 150.1.12.254 soft
> > *Mar 31 20:07:17.055: %SEC-6-IPACCESSLOGNP: list EXIST permitted 0 3.3.3.0 -> 255.255.255.0, 1 packet
> > *Mar 31 20:07:23.923: BGP(0): 150.1.12.254 2.2.2.0/24 matches advertise map ADVERTISE, state: Advertise
> >
> > W2R2#sh access-lists EXIST
> > Extended IP access list EXIST
> > 10 permit ip host 3.3.3.0 any log (2 matches)
> >
> >
> > Now when I change the access-list to a standard acl, this happens:
> >
> > W2R2(config)#no ip access-list ex EXIST
> > W2R2(config)#ip access-l sta EXIST
> > W2R2(config-std-nacl)#permit host 3.3.3.0
> > W2R2(config-std-nacl)#
> > W2R2#clear ip bgp 150.1.12.254 soft
> >
> > *Mar 31 20:08:34.051: BGP(0): 150.1.12.254 2.2.2.0/24 matches advertise map ADVERTISE, state: Withdraw
> > *Mar 31 20:08:34.051: BGP(0): 150.1.12.254 send unreachable 2.2.2.0/24
> > *Mar 31 20:08:34.051: BGP(0): 150.1.12.254 send UPDATE 2.2.2.0/24 -- unreachable
> >
> > And the prefix 2.2.2.0 is indeed no longer advertised.
> >
> >
> > Maureen
> >
> > On 3/31/07, Sergey Golovanov <sergey.golovanov@iementor.com> wrote:
> > > No, it's not true. If using ACL, always use Extended ACL. And try to always
> > > use a "positive" ACL, that only permits the networks that you are trying to
> > > specify for the non-exist behavior
> > >
> > > ----------------------------------------------------------------------
> > > Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
> > > ieMentor Instructor and Content Developer
> > > sergey.golovanov@iementor.com
> > > http://www.iementor.com
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Bit
> > > Gossip
> > > Sent: Saturday, March 31, 2007 9:25 AM
> > > To: ccielab@groupstudy.com
> > > Subject: BGP conditional advert - non-exist-map
> > >
> > > Group,
> > > Is it true that the match condition in a non-exist-map can be ONLY a
> > > prefix-list?
> > > The 2 flavors of route-map T5.5NE listed below match one and the same
> > > prefix:
> > >
> > > Rack1R2(config-route-map)#do show ip bgp route-map T5.5NE
> > >
> > > Network Next Hop Metric LocPrf Weight Path
> > > *> 136.1.23.0/24 0.0.0.0 0 32768 i
> > >
> > >
> > > but only the one with the prefix-list match works as a non-exist map.
> > > The other one with the ACL just advertises the prefix no matter what.
> > >
> > > Thanks,
> > > Luca.
> > >
> > > PS: what about exist-map?
> > >
> > >
> > >
> > > router bgp 300
> > > neighbor 136.1.245.5 advertise-map T5.5 non-exist-map T5.5NE
> > > !
> > > ip prefix-list T5.5NE seq 5 permit 136.1.23.0/24
> > > !
> > > ip access-list standard T5.5NE
> > > permit 136.1.23.0
> > > !
> > > !
> > >
> > > 1 ) ~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > route-map T5.5NE permit 10
> > > match ip address prefix-list T5.5NE
> > >
> > > 2) ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > route-map T5.5NE permit 10
> > > match ip address T5.5NE
> > > !
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
>
--
Narbik Kocharians
CCIE# 12410 (R&S, SP, Security) CCSI# 30832
Network Learning, Inc. (CCIE class Instructor)
www.ccbootcamp.com (CCIE Training)
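The thread's lab results say the route-map named in `exist-map` / `non-exist-map` only takes effect when it matches on a prefix-list; with an ACL match the condition is ignored and the prefix goes out regardless. The following added config check (my code, not from the list or from Cisco) parses a constructed IOS snippet modelled on Luca's posted config and flags any conditional-advertisement route-map whose match clause is an ACL rather than a prefix-list; `route_map_matches` and `conditional_map_issues` are names I chose.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on Luca's posted config (not captured from a live device).
CONFIG = """
router bgp 300
 neighbor 136.1.245.5 advertise-map T5.5 non-exist-map T5.5NE
!
ip prefix-list T5.5 seq 5 permit 136.1.29.0/24
ip prefix-list T5.5NE seq 5 permit 136.1.23.0/24
!
ip access-list extended T5.5NE-EXTENDED
 permit ip host 136.1.23.0 host 255.255.255.0
!
route-map T5.5NE permit 10
 match ip address T5.5NE-EXTENDED
!
route-map T5.5 permit 10
 match ip address prefix-list T5.5
"""


def route_map_matches(config: str) -> Dict[str, List[str]]:
    """Map each route-map name to its 'match ip address ...' clauses."""
    maps: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        text = line.strip()
        head = re.match(r"route-map (\S+) (?:permit|deny) \d+$", text)
        if head:
            current = head.group(1)
            maps.setdefault(current, [])
        elif current and text.startswith("match ip address"):
            maps[current].append(text)
    return maps


def conditional_map_issues(config: str) -> List[str]:
    """Flag exist-map/non-exist-map route-maps that match on an ACL, not a prefix-list."""
    # Rule taken from the thread's lab results: an ACL match in the condition map
    # was ignored, so the advertise-map prefix was sent no matter what.
    maps = route_map_matches(config)
    issues: List[str] = []
    pattern = r"neighbor (\S+) advertise-map (\S+) (exist-map|non-exist-map) (\S+)"
    for nbr, _adv_map, kind, cond_map in re.findall(pattern, config):
        clauses = maps.get(cond_map)
        if clauses is None:
            issues.append(f"{nbr}: {kind} {cond_map} is referenced but not defined")
            continue
        for clause in clauses:
            if "prefix-list" not in clause:
                issues.append(f"{nbr}: {kind} {cond_map} uses ACL match '{clause}'; use a prefix-list")
    return issues
```

Swapping the ACL match for `match ip address prefix-list T5.5NE` (the variant Luca reported as working) clears the finding.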
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:34 ART