From: maureen schaar (maureen.schaar@gmail.com)
Date: Wed Apr 04 2007 - 04:36:50 ART
Below I have summed up what the various configs do. The default policy
to advertise or withdraw a prefix is changed when you switch between
exist-map and nonexist-map. You can check it yourself with deb ip bgp
updates:
*** EXIST-MAP ***

prefix permit in advertise map
prefix permit in exist-map
prefix NOT in BGP table
--> withdraw

prefix permit in advertise map
prefix permit in exist-map
prefix IN BGP table
--> advertise

*** NONEXIST-MAP ***

prefix permit in advertise map
prefix permit in exist-map
prefix NOT in BGP table
--> advertise

prefix permit in advertise map
prefix permit in exist-map
prefix IN BGP table
--> withdraw

HTH
Maureen
On 4/4/07, Narbik Kocharians <narbikk@gmail.com> wrote:
> This is the topology:
> R2 is connected via a frame P2P connection to R1 and R1 is connected via a
> Frame P2P to R3.
>
> R1's Frame connection to R2 has an IP address of 10.1.12.1/24
>
> R2's Frame connection to R1 has an IP address of 10.1.12.2/24
>
> R1's Frame connection to R3 has an IP address of 10.1.13.1/24
>
> R3's Frame connection to R1 has an IP address of 10.1.13.3/24
>
> R1 is advertising its lo0 (1.1.1.1 /8) in BGP
>
> R2 is advertising its loopback0 (2.2.2.2 /8) in BGP
>
> R3 is advertising its Loopback0 (3.3.3./8) in BGP
>
>
>
>
>
> R1 should be configured according to the following policy:
>
>
>
> - If both networks (1.0.0.0 /8 and 2.0.0.0 /8) are up, then both
>   networks should be advertised to R3.
>
> - If network 1.0.0.0 /8 is down, R1 should NOT advertise network
>   2.0.0.0/8 to R3.
>
> - If network 2.0.0.0 /8 is down, then R1 should only advertise network
>   1.0.0.0 /8 to R3.
>
>
>
>
>
> *On R1*
>
>
>
> R1(config)#access-list 1 permit 1.0.0.0 0.255.255.255
>
>
>
> R1(config)#access-list 2 permit 2.0.0.0 0.255.255.255
>
>
>
> R1(config)#route-map ADV permit 10
>
> R1(config-route-map)#match ip addr 2
>
> R1(config-route-map)#exit
>
>
>
> R1(config)#route-map EXIST permit 10
>
> R1(config-route-map)#match ip addr 1
>
> R1(config-route-map)#exit
>
>
>
> R1(config)#router bgp 100
>
> R1(config-router)#neighbor 10.1.13.3 advertise-map ADV exist-map EXIST
>
> *To test the first condition:*
>
> *On R1*
>
>
>
> *R1#Show ip bgp*
>
>
>
> BGP table version is 4, local router ID is 1.1.1.1
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *> 1.0.0.0          0.0.0.0                  0         32768 i
> *> 2.0.0.0          10.1.12.2                0             0 200 i
> *> 3.0.0.0          10.1.13.3                0             0 300 i
>
>
>
> *On R2*
>
>
>
> *R2#Show ip bgp*
>
>
>
> BGP table version is 18, local router ID is 150.1.2.2
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *> 1.0.0.0          10.1.12.1                0             0 100 i
> *> 2.0.0.0          0.0.0.0                  0         32768 i
> *> 3.0.0.0          10.1.12.1                              0 100 300 i
>
>
>
> *On R3*
>
>
>
> *R3#Show ip bgp*
>
>
>
> BGP table version is 19, local router ID is 3.3.3.3
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *> 1.0.0.0          10.1.13.1                0             0 100 i
> *> 2.0.0.0          10.1.13.1                              0 100 200 i
> *> 3.0.0.0          0.0.0.0                  0         32768 i
>
>
>
> *To test the second condition:*
>
>
>
> *On R1*
>
>
>
> R1(config)#Int lo0
>
> R1(config-if)#Shut
>
>
>
> *To test and verify the configuration:*
>
> *On R1*
>
>
>
> *R1#Show ip bgp neighbors 10.1.13.3 advertised-routes*
>
>
>
> Total number of prefixes 0
>
>
>
> *On R3*
>
>
>
> *R3#Sh ip bgp*
>
>
>
> BGP table version is 12, local router ID is 3.3.3.3
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *> 3.0.0.0          0.0.0.0                  0         32768 i
>
> *Note if network 1.0.0.0 is down none of the networks are advertised to R3.*
>
> *To bring up the Loopback 0 interface of R1:*
>
> *On R1*
>
>
>
> R1(config)#Int lo0
>
> R1(config-if)#No shut
>
> *To verify the configuration:*
>
> *On R3*
>
> *R3#Sh ip bgp*
>
>
>
> BGP table version is 14, local router ID is 3.3.3.3
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *> 1.0.0.0          10.1.13.1                0             0 100 i
> *> 2.0.0.0          10.1.13.1                              0 100 200 i
> *> 3.0.0.0          0.0.0.0                  0         32768 i
>
>
>
> *To test the third condition:*
>
> *On R2*
>
> R2(config)#int lo0
>
> R2(config-if)#Shut
>
>
>
> *On R1*
>
> *R1#Show ip bgp neighbors 10.1.13.3 advertised-routes*
>
>
>
> BGP table version is 6, local router ID is 10.1.13.1
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *> 1.0.0.0          0.0.0.0                  0         32768 i
>
>
>
> Total number of prefixes 1
>
>
>
> *On R3*
>
>
>
> *R3#Show ip bgp*
>
>
>
> BGP table version is 17, local router ID is 3.3.3.3
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *> 1.0.0.0          10.1.13.1                0             0 100 i
> *> 3.0.0.0          0.0.0.0                  0         32768 i
>
>
> On 4/3/07, Bit Gossip <bit.gossip@chello.nl> wrote:
> >
> > Narbik,
> > can you make an example ......
> > Thanks,
> > Luca.
> >
> > On Mon, 2007-04-02 at 20:33 -0700, Narbik Kocharians wrote:
> > > It all depends on what you want to do and what the policy is. You
> > > should NOT set that as a rule.
> > >
> > > On 3/31/07, Bit Gossip <bit.gossip@chello.nl> wrote:
> > > This is very interesting, better to find out these things now than during the
> > > exam ......
> > >
> > > I have labbed the NON-EXIST map with extended ACL and I have to confirm that
> > > it doesn't work.
> > > To recap the only flavor that seems to work in NON-EXIST map is prefix-list
> > > Below the config for extended ACL
> > > Thanks,
> > > Luca.
> > >
> > > router bgp 300
> > > <...>
> > > neighbor 136.1.245.5 remote-as 200
> > > neighbor 136.1.245.5 advertise-map T5.5 non-exist-map T5.5NE
> > > !
> > > ip prefix-list T5.5 seq 5 permit 136.1.29.0/24
> > > !
> > > ip prefix-list T5.5NE seq 5 permit 136.1.23.0/24
> > > !
> > > ip access-list standard T5.5NE
> > > permit 136.1.23.0
> > > !
> > > ip access-list extended T5.5NE-EXTENDED
> > > permit ip host 136.1.23.0 host 255.255.255.0
> > > !
> > > route-map T5.5NE permit 10
> > > match ip address T5.5NE-EXTENDED
> > > !
> > > route-map T5.5 permit 10
> > > match ip address prefix-list T5.5
> > >
> > >
> > > Rack1R2#show ip bgp route-map T5.5
> > >    Network          Next Hop            Metric LocPrf Weight Path
> > > *> 136.1.29.0/24    0.0.0.0                  0         32768 i
> > >
> > > Rack1R2#show ip bgp route-map T5.5NE
> > >    Network          Next Hop            Metric LocPrf Weight Path
> > > *> 136.1.23.0/24    0.0.0.0                  0         32768 i
> > >
> > > As both AD-MAP and NON-EXIST map are true, the prefix 139.1.29/24 should not
> > > be advertised, but it is!!
> > > It is not advertised instead when using prefix list in the route-map T5.5NE
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "maureen schaar" <maureen.schaar@gmail.com>
> > > To: "Sergey Golovanov" <sergey.golovanov@iementor.com>
> > > Cc: "Bit Gossip" <bit.gossip@chello.nl>;
> > > <ccielab@groupstudy.com>
> > > Sent: Saturday, March 31, 2007 8:22 PM
> > > Subject: Re: BGP conditional advert - non-exist-map
> > >
> > >
> > > > > Since I was not aware of this, I decided to test it and Sergey is
> > > > > totally correct. However, you can use a standard acl in the advertise
> > > > > map, but for the exist-map, it does not work.
> > > > Below I have put the test results if anyone is interested.
> > > >
> > > > I am using this configuration:
> > > >
> > > > router bgp xx
> > > > > neighbor 150.2.12.254 advertise-map ADVERTISE exist-map EXIST
> > > > network 2.2.2.0 mask 255.255.255.0
> > > > network 3.3.3.0 mask 255.255.255.0
> > > >
> > > > ip access-list extended EXIST
> > > > permit ip host 3.3.3.0 any log
> > > >
> > > > ip access-list standard ADVERTISE
> > > > permit 2.2.2.0
> > > >
> > > > route-map ADVERTISE permit 10
> > > > match ip address ADVERTISE
> > > >
> > > > route-map EXIST permit 10
> > > > match ip address EXIST
> > > >
> > > > > Both the prefixes 2.2.2.0 and 3.3.3.0 exist in the bgp and routing table.
> > > >
> > > >
> > > > W2R2#clear ip bgp 150.1.12.254 soft
> > > > > *Mar 31 20:07:17.055: %SEC-6-IPACCESSLOGNP: list EXIST permitted 0 3.3.3.0 -> 255.255.255.0, 1 packet
> > > > > *Mar 31 20:07:23.923: BGP(0): 150.1.12.254 2.2.2.0/24 matches advertise map ADVERTISE, state: Advertise
> > > >
> > > > W2R2#sh access-lists EXIST
> > > > Extended IP access list EXIST
> > > > 10 permit ip host 3.3.3.0 any log (2 matches)
> > > >
> > > >
> > > > > Now when I change the access-list to a standard acl, this happens:
> > > >
> > > > W2R2(config)#no ip access-list ex EXIST
> > > > W2R2(config)#ip access-l sta EXIST
> > > > W2R2(config-std-nacl)#permit host 3.3.3.0
> > > > W2R2(config-std-nacl)#
> > > > W2R2#clear ip bgp 150.1.12.254 soft
> > > >
> > > > > *Mar 31 20:08:34.051: BGP(0): 150.1.12.254 2.2.2.0/24 matches advertise map ADVERTISE, state: Withdraw
> > > > > *Mar 31 20:08:34.051: BGP(0): 150.1.12.254 send unreachable 2.2.2.0/24
> > > > > *Mar 31 20:08:34.051: BGP(0): 150.1.12.254 send UPDATE 2.2.2.0/24 -- unreachable
> > > >
> > > > And the prefix 2.2.2.0 is indeed no longer advertised.
> > > >
> > > >
> > > > Maureen
> > > >
> > > > > On 3/31/07, Sergey Golovanov <sergey.golovanov@iementor.com> wrote:
> > > > > > No, it's not true. If using ACL, always use Extended ACL. And try to always
> > > > > > use a "positive" ACL, that only permits the networks that you are trying to
> > > > > > specify for the non-exist behavior
> > > > >
> > > > >
> > > > > > ----------------------------------------------------------------------
> > > > > > Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
> > > > > ieMentor Instructor and Content Developer
> > > > > sergey.golovanov@iementor.com
> > > > > http://www.iementor.com
> > > > >
> > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Bit Gossip
> > > > > Sent: Saturday, March 31, 2007 9:25 AM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: BGP conditional advert - non-exist-map
> > > > >
> > > > > Group,
> > > > > > Is it true that the match condition in a non-exist-map can be ONLY a
> > > > > > prefix-list?
> > > > > > The 2 flavors of route-map T5.5NE listed below match one and the same
> > > > > > prefix:
> > > > >
> > > > > Rack1R2(config-route-map)#do show ip bgp route-map T5.5NE
> > > > >
> > > > > >    Network          Next Hop            Metric LocPrf Weight Path
> > > > > > *> 136.1.23.0/24    0.0.0.0                  0         32768 i
> > > > >
> > > > >
> > > > > > but only the one with the prefix-list match works as a non-exist map.
> > > > > > The other one with the acl just advertises the prefix no matter what
> > > > >
> > > > > Thanks,
> > > > > Luca.
> > > > >
> > > > > PS: what about exist-map?
> > > > >
> > > > >
> > > > >
> > > > > router bgp 300
> > > > > > neighbor 136.1.245.5 advertise-map T5.5 non-exist-map T5.5NE
> > > > > !
> > > > > ip prefix-list T5.5NE seq 5 permit 136.1.23.0/24
> > > > > !
> > > > > ip access-list standard T5.5NE
> > > > > permit 136.1.23.0
> > > > > !
> > > > > !
> > > > >
> > > > > 1 ) ~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > > route-map T5.5NE permit 10
> > > > > match ip address prefix-list T5.5NE
> > > > >
> > > > > 2) ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > > route-map T5.5NE permit 10
> > > > > match ip address T5.5NE
> > > > > !
> > > > >
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > > > >
> > > > >
> > >
> > >
> > >
> > > --
> > > Narbik Kocharians
> > > CCIE# 12410 (R&S, SP, Security)
> > > CCSI# 30832
> > > Network Learning, Inc. (CCIE class Instructor)
> > > www.ccbootcamp.com (CCIE Training)
> >
> >
>
>
> --
> Narbik Kocharians
> CCIE# 12410 (R&S, SP, Security)
> CCSI# 30832
> Network Learning, Inc. (CCIE class Instructor)
> www.ccbootcamp.com (CCIE Training)
>
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:34 ART
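
The decision table summarised at the top of this message, applied to the three test conditions in Narbik's quoted lab, as an added Python model. It is not code from any poster and not output captured from a router; the function names, the table layout, and the rule that routes learned from a neighbor are not sent back to it are assumptions of the example.

```python
# Added example: a small model of BGP conditional advertisement.
# The BGP tables below are constructed from the topology quoted in the thread.
from ipaddress import IPv4Address, IPv4Network

def acl_permits(prefix, base, wildcard):
    """Standard-ACL style match: compare the network address under a wildcard mask."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    net = int(IPv4Network(prefix).network_address)
    return (net & care) == (int(IPv4Address(base)) & care)

def advertised(bgp_table, neighbor, adv_acl, cond_acl, mode):
    """Return the sorted prefixes sent to `neighbor`.

    bgp_table: {prefix: peer it was learned from, or None if locally originated}
    mode: "exist" or "non-exist", following the summary at the top of the message.
    Assumption: routes learned from the neighbor are not sent back to it,
    which is what the advertised-routes output quoted in the thread shows.
    """
    if mode not in ("exist", "non-exist"):
        raise ValueError(mode)
    # The condition is evaluated against the BGP table, not the interface state.
    tracked_present = any(acl_permits(p, *cond_acl) for p in bgp_table)
    send_conditional = tracked_present if mode == "exist" else not tracked_present
    out = []
    for prefix, learned_from in bgp_table.items():
        if learned_from == neighbor:
            continue
        if acl_permits(prefix, *adv_acl) and not send_conditional:
            continue  # matched by the advertise-map, but the condition says withdraw
        out.append(prefix)  # prefixes outside the advertise-map are unaffected
    return sorted(out)

# R1's policy from the thread: advertise-map ADV (ACL 2), exist-map EXIST (ACL 1)
ADV = ("2.0.0.0", "0.255.255.255")
EXIST = ("1.0.0.0", "0.255.255.255")
R3 = "10.1.13.3"

ALL_UP = {"1.0.0.0/8": None, "2.0.0.0/8": "10.1.12.2", "3.0.0.0/8": R3}
R1_LO_DOWN = {p: v for p, v in ALL_UP.items() if p != "1.0.0.0/8"}
R2_LO_DOWN = {p: v for p, v in ALL_UP.items() if p != "2.0.0.0/8"}

if __name__ == "__main__":
    for name, table in [("all up", ALL_UP), ("R1 lo0 down", R1_LO_DOWN),
                        ("R2 lo0 down", R2_LO_DOWN)]:
        print(name, "->", advertised(table, R3, ADV, EXIST, "exist"))
```

Passing "non-exist" as the mode inverts the result for the prefix matched by the advertise-map only, which is the switch in default behaviour the summary describes.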