BGP Community | Route-Map | Local Pref

While labbing today I've ran into some strange behavior with BGP communities/route-map processing. Basically the objective was from R9, send a community for the 172.30.79.0/27 route out to R7 to 65100:90 AND send a community for the 172.30.89.0/27 route out to R8 to 65100:110. Then on R9 match community 65100:90 and set the local-pref to 90 and 65100:110 to local-pref of 110. Should be easy enough but the behavior that i'm seeing is that all is working on R7 but not on R8. The R8 inbound route-map is watching the community but not setting the local-pref for some reason... Any ideas? See below.
Topology
##R9’s BGP/Route-map config setting communities for the two routes out to R7 & R8##
R9#sh run | s bgp|route-map
router bgp 65100
network 172.30.79.0 mask 255.255.255.224
network 172.30.89.0 mask 255.255.255.224
network 192.122.3.9 mask 255.255.255.255
neighbor 172.30.79.7 remote-as 65006
neighbor 172.30.79.7 send-community both
neighbor 172.30.79.7 route-map R7-OUT out
neighbor 172.30.89.8 remote-as 65006
neighbor 172.30.89.8 send-community both
neighbor 172.30.89.8 route-map R8-OUT out
ip bgp-community new-format
route-map R7-OUT permit 10
match ip address prefix-list 172.30.79.0/27
set community 65100:90
route-map R7-OUT permit 20
route-map R8-OUT permit 10
match ip address prefix-list 172.30.89.0/27
set community 65100:110
route-map R8-OUT permit 20
##R7’s config##
R7#sh run | s bgp|route-map
router bgp 65006
address-family ipv4 vrf VPN
neighbor 172.30.79.9 remote-as 65100
neighbor 172.30.79.9 activate
neighbor 172.30.79.9 send-community both
neighbor 172.30.79.9 as-override
neighbor 172.30.79.9 route-map R9-IN in
route-map R9-IN permit 10
match community 65100:90
set local-preference 90
route-map R9-IN permit 20
##R7’s ‘show bgp’##
R7#sh ip bgp vpnv4 vrf VPN | b Network
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65066:700 (default for vrf VPN)
r> 172.30.79.0/27   172.30.79.9           90             0 65100 i
*> 172.30.89.0/27   172.30.79.9              0             0 65100 i
*> 192.122.3.9/32   172.30.79.9              0             0 65100 i
##R8’s config##
router bgp 65006
address-family ipv4 vrf VPN
neighbor 172.30.89.9 remote-as 65100
neighbor 172.30.89.9 activate
neighbor 172.30.89.9 send-community both
neighbor 172.30.89.9 as-override
neighbor 172.30.89.9 route-map R9-INv2 in
route-map R9-INv2 permit 10
match community 65100:110
set local-preference 110
route-map R9-INv2 permit 20
##R8’s ‘show bgp’##
R8#sh ip bgp vpnv4 vrf VPN | b Network
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65006:800 (default for vrf VPN)
*> 172.30.79.0/27   172.30.89.9              0             0 65100 i
r> 172.30.89.0/27   172.30.89.9              0             0 65100 i
*> 192.122.3.9/32   172.30.89.9              0             0 65100 i
R8#sh ip bgp vpnv4 vrf VPN community | b Network
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65006:800 (default for vrf VPN)
r> 172.30.89.0/27   172.30.89.9              0             0 65100 i
R8#sh ip bgp vpnv4 vrf VPN 172.30.89.0/27
BGP routing table entry for 65006:800:172.30.89.0/27, version 77
Paths: (1 available, best #1, table VPN, RIB-failure(17))
Not advertised to any peer
Refresh Epoch 2
65100
    172.30.89.9 from 172.30.89.9 (192.122.3.9)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 65100:110
      Extended Community: RT:910:910
      mpls labels in/out 45/nolabel
      rx pathid: 0, tx pathid: 0x0

Similar Messages

BGP Outbound Route-Map Question

Hi Experts,
Just need your help again. I was trying to do some lab and I came across this weird behaviour with BGP outbound route-map. The diagram is simple.
Please see attached diagram. Sorry for the very poor illustration. R6 has iBGP peering to both R4 and R1. Both R1 and R4 have eBGP peering to R5. No IGP running on any routers as well to keep things simple. There are 2 things to do.
* Create a static route for 160.1.0.0/16 pointing to Null0 on both R1 and R4 and advertise to BGP via network statement but only R5 should be able to see the 160.1.0.0/16 route. R6 should not receive it.
* Advertise R5's /32 loopback interface to BGP but ensure R6 to have that route in its routing table. Don't use next-hop-self on both R1 and R4. Don't advertise WAN link via network command.
I'll just illustrate R4 and R6 here to keep things straight forward.
R4#sh ip bgp
BGP table version is 5, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.5.5/32     155.1.45.5               0             0 100 i
*> 160.1.0.0        0.0.0.0                  0         32768 i
R6#sh ip bgp
BGP table version is 11, local router ID is 150.1.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
* i150.1.5.5/32     155.1.45.5               0    100      0 100 i
* i                 155.1.0.5                0    100      0 100 i
The first task was achieved as the 160.0.0.0/16 route is not present in R6's table. I used these commands in R4.
router bgp 65000
no synchronization
bgp log-neighbor-changes
network 160.1.0.0
neighbor 155.1.45.5 remote-as 100
neighbor 155.1.146.6 remote-as 65000
neighbor 155.1.146.6 route-map R6_OUT out
no auto-summary
route-map R6_OUT deny 5
match ip address prefix-list AGGR
route-map R6_OUT permit 1000
ip prefix-list AGGR seq 5 permit 160.1.0.0/16
So with the configuration above, it is clear that R4 is hitting route-map line 5 to deny 160.1.0.0/16 being advertised to R6. I tried to remove line 5 to validate as well if the /16 route will be advertised to R6 and it did so route-map configuration above is confirmed working.
Next, advertise loopback 0 of R5 to R6 and make sure it is a valid route in BGP table without the use of next-hop-self or WAN advertisement.
I used the following configuration.
ip prefix-list R5_LINK seq 5 permit 155.1.45.5/32
route-map R6_OUT permit 10
match ip route-source R5_LINK
set ip next-hop 155.1.146.4
I inserted line 10 in between route-map 5 and 1000. So R4 would check its route table for routes with 155.1.45.5 as route-source then advertise it to R6 with next-hop address of 155.1.146.4. It worked!
R6#sh ip bgp
BGP table version is 15, local router ID is 150.1.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*>i150.1.5.5/32     155.1.146.4              0    100      0 100 i
* i                 155.1.0.5                0    100      0 100 i
*>i160.1.0.0        155.1.146.4              0    100      0 i
As you can see above, 150.1.5.5 route is now a valid BGP route but surprisingly, the 160.1.0.0/16 route is there! From what I have seen, BGP skipped line 5 and started at 10. Even if I insert the same rule as line 5 and make it as line 15, it's not working. The /16 route is still being advertised. If I remove the match ip route-source clause in sequence 10 then it will withdraw the 160.1.0.0/16 route again. Looks like "match ip route-source" is not very friendly with direct filtering to BGP neighbors but I saw this being used with BGP inject-map and it worked well.
R4#sh route-map
route-map R6_OUT, deny, sequence 5
Match clauses:
    ip address prefix-lists: AGGR
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map R6_OUT, permit, sequence 10
Match clauses:
    ip route-source (access-lists): R5_LINK
Set clauses:
    ip next-hop 155.1.146.4
Policy routing matches: 0 packets, 0 bytes
route-map R6_OUT, permit, sequence 1000
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Any thoughts why this is happening?
Thanks in advance.

Hi John,
I did a small lab to test feature "match ip route-source" and it is working fine. Please check below config and output.
R4 does not have 172.16.16.0/24 and also routes for which next-hop is not 1.1.1.1. In case you still facing issue, please share output of "debug ip bgp updates out"
Topology
R1--ebgp--R3---ibgp---R4
R3#show ip b su | b Nei
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 100 34 36 29 0 0 00:27:37 7
4.4.4.4 4 300 9 12 29 0 0 00:04:12 0
R3#
R3#sh route-map TO-R4
route-map TO-R4, deny, sequence 10
Match clauses:
ip address prefix-lists: DENY-PREFIX
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map TO-R4, permit, sequence 20
Match clauses:
ip route-source (access-lists): 20
Set clauses:
Policy routing matches: 0 packets, 0 bytes
R3#
R3#show ip prefix-list DENY-PREFIX
ip prefix-list DENY-PREFIX: 1 entries
seq 5 permit 172.16.16.0/24
R3#
R3#sh ip access-lists 20
Standard IP access list 20
20 permit 1.1.1.1 (25 matches)
R3#
R3#show ip b
BGP table version is 29, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 172.16.8.0/22 1.1.1.1 0 0 100 i
*> 172.31.13.1 20 32768 i
*> 172.16.16.0/24 1.1.1.1 0 0 100 i
*> 172.16.17.0/24 1.1.1.1 0 0 100 i
*> 172.16.19.0/24 1.1.1.1 0 0 100 i
*> 172.16.20.0/22 1.1.1.1 0 0 100 i
* 172.16.24.0/30 1.1.1.1 0 0 100 i
*> 172.31.13.1 20 32768 i
*> 172.16.80.0/22 1.1.1.1 0 0 100 i
R3#
R4#show ip b
BGP table version is 53, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
r>i172.16.17.0/24 1.1.1.1 0 100 0 100 i
r>i172.16.19.0/24 1.1.1.1 0 100 0 100 i
r>i172.16.20.0/22 1.1.1.1 0 100 0 100 i
*>i172.16.80.0/22 1.1.1.1 0 100 0 100 i
R4#
--Pls dont forget to rate helpful posts--
Regards,
Akash

BGP Conditional Route Filtering

Hi All,
I have router with 2 Connection.
1) IP Transit from Tier 2 Provider
2) IX - Local Internet Exchange for local peering
I'm receiving full internet route nearly 500k+ entries. I also have few local peering through IX connection to local telco. Now that , Im receiving more specific route from IP Transit link compared to local peering . Eg
Local Peer A( ASN YYYY) send route : a.a.0.0/16
IP Transit send route : a.a.1.0/24
With this , My traffic to a.a.1.0/24 end up routed over IP transit link. But we need the traffic routed via IX Peering, since its direct peering and have low latency and high bandwidth capacity.
Im thinking, to filter AS-PATH YYYY from IP Transit link, so that anyy traffic to ASN YYYY will now routed over local IX Peering. But, this will cause traffic get dropped if My Port to IX or Peering Partner Port to IX is went down. The traffic then should routed over IP transit link if local peering is down. Meaning to say , AS-Path filtering should be removed if local peering to that ASN is down.
Any Idea how to accomplish this ?

Hello
You dont say if this is just one router with two perrings or two routers with ibgp between them each with a isp peering?
However i for outbound traffic you can use either Weight or local Prefeance path selection for your local traffic to be go over your selected link.
For inbound As-Path prepending would be apllcable I think
Outbound:
Weight (Is locally significant - Just one router)
access-list 10 permit x.x.x.x y.y.y.y
route-map Weight permit 10
match ip address 1
set weight 400000
route-map Weight permit 99
router bgp xx
neigbour x.x.x.x route-map Weight out (to ebgp perring for your prefered choice path)
or
route-map Local-Pref permit 10 ( for IBGP routers)
match ip address 1
set local-preferance 200
route-map Local-Pref permit 99
router bgp xx
neigbour x.x.x.x route-map Local-Pref in (to ebgp perring for your prefered choice path)
Inbound
AS=PAth prepend
route-map AS-Path permit 10
match ip address 10
set as-path prepend ASN ASN ASN
route-map AS-Path permit 99
router bgp xx
neigbour x.x.x.x route-map AS-Path out ( to the least preffered ISP)
res
Paul

Local policy route-map for policy route

Hi
this is related my previous question:
I want to set policy route on asr1004, that redirect vpn traffic.
my case is:
asr1004 import a default route 0.0.0.0 from int 0 with bgp neibour address 10.100.100.100
assume internal traffic 10.10.10.0/24 coming into asr1004 on int 1.
assume vpn with ip address 10.2.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.2.2.1
assume taget network is 10.200.200.0/24
I want internal traffic (10.10.10.0/24) go to target (10.200.200.0/24) to be redirect to10.2.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.2.2.2" on asr1004.
Than, I want vpn (10.2.2.2) encrypt traffic and send it to one of ip in10.200.200.0/24 range again. at this point if I put local policy route-map below, is it will work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.2.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
if not, do I have any change to do policy route for this case?
any comment will be appreciated
Thanks in advance
Julxu

hi Jon
can I refresh the question again:
my case is:
asr1004 import a default route 0.0.0.0 from int 0 with bgp neibour address 10.100.100.100
assume internal traffic 10.10.0.0/16 coming into asr1004 on int 1 with ip address 10.3.3.3
assume vpn with ip address 10.10.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.10.2.1
assume taget network is 10.200.200.0/24
I want internal traffic (10.10.0.0/16) go to target (10.200.200.0/24) to be redirect to10.10.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.10.2.2" on asr1004.
Than, I want vpn (10.10.2.2) encrypt traffic and send it to one of ip in10.200.200.0/24 range again. at this point if I put local policy route-map below, is it will work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
such as:
interface TenGigabitEthernet0/0/0
description bgp to get default
ip address 10.100.100.100 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
interface TenGigabitEthernet0/1/0
description get internaltraffic
ip address 10.3.3.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
interface GigabitEthernet0/2/1
description vpn
ip address 10.10.2.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
media-type rj45
negotiation auto
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
ip route 10.200.200.0/24 10.10.2.2
Could you please advise if it is correct?

BGP default route advertisement - change preference

hi guys,
I would appreciate some assistance here. We have a primary head office & a DR site. Routers at both sites connect to our carrier for an IP VPN service using BGP. BGP configs on each router advertise a default route 0.0.0.0.
#sh ip bgp neighbors x.x.x.x advertised-routes
BGP table version is 358, local router ID is x.x.x.x
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Originating default network 0.0.0.0
Issue is, some of our remote sites prefer the DR router path for traffic destined to internet.
We are advertising multiple default routes to our carrier, and based on feedback from carrier, route with lowest MED is preferred.
This brings me to what i need to change from my side. Need to change the route preference so that from our remote offices, only the route to head office is preferred with DR site the least preferred route. I know there are multliple ways of doing this, however keen to get input from the experts out there.
DR site router has this BGP config currently applied:
router bgp XXXXX
bgp log-neighbor-changes
redistribute connected
redistribute ospf 1 match internal external 1 external 2
neighbor x.x.x.x remote-as XXXX
neighbor x.x.x.x default-originate
neighbor x.x.x.x soft-reconfiguration inbound
neighbor x.x.x.x route-map IMPORT-POLICY in
neighbor x.x.x.x route-map OPI-route-advertisement out
default-information originate
Removing the "neighbor x.x.x.x default-originate" is not an option, as we need to have the ability to failover to DR at any point.
Thanks in advance & if you need any further info pls advise.
Rama

Hi Milan,
Thanks. Answers below:
Does it provide an MPLS backbone to you? YES
Are you using the same AS number on all your sites or different ones? Same AS
Any way, what about advertising the default route from your DR site with the site AS number prepended several times (5 times, e.g.)? That's the thing I am struggling to understand as the route-map OPI-route-advertisement already has it prepended 2 times. Shouldn't that be enough to influence which route is least preferred?
route-map OPI-route-advertisement permit 20
match ip address prefix-list xxx default-route
set as-path prepend XXXXX XXXXX
If your provider would permit that and hasn't configured his routers to ignore the AS_PATH length (as him a question), it should make the default route advertised from your DR less preferred within your backbone. Will ask.
Given this, any other thoughts/questions?
Thanks, Rama

BGP Advertised Routes two Peering

Dear all
I have issue with BGP behaviour. I have two BGP peering; from both I receive default route, but one of them,
AS 65472 is primary so I setup local preference in 200; it is because I want to use AS 65472 as internet
provider. The another one, AS 65472 is used as secundary internet access, but for internal network (private) is
used as primary. The issue is when try ping from LAN, can not reach internal network, seems to be that
becuase Local preference is setup within AS65472 and the packet try to go thru AS 65472 because local prefeence 200,
but I need that internal network go thru AS 65471.
I am sure that I am advertising network as I expect, but when is running BGP for both peering, it fails.
Here are go output for this situation:
7204VXR-SCT#sh ip bgp neighbors 172.16.40.37 received-routes
   Network          Next Hop            Metric LocPrf Weight Path
* i0.0.0.0          172.16.40.37             0    100      0 i
Total number of prefixes 1
7204VXR-SCT#sh ip bgp neighbors 172.16.40.37 advertised-routes
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.200.0/30   0.0.0.0                  0         32768 i
*> 10.30.24.0/21    172.16.40.4              0         32768 i
*> 172.16.17.0/24   172.16.40.5              0         32768 i
*> 172.16.211.0/24 0.0.0.0                  0         32768 i
*> 172.18.56.16/29 0.0.0.0                  0         32768 i
*> 172.30.100.18/32 0.0.0.0                  0         32768 i
*> 172.31.0.20/30   0.0.0.0                  0         32768 i
7204VXR-SCT#sh ip bgp neighbors 190.97.254.241 received-routes
   Network          Next Hop            Metric LocPrf Weight Path
* 0.0.0.0          190.97.254.241                         0 65472 i
Total number of prefixes 1
   Network          Next Hop            Metric LocPrf Weight Path
*> 190.153.116.0/22 172.16.40.4              0         32768 i
*> 190.153.120.0/22 172.16.40.4              0         32768 i
*> 190.153.124.0/24 172.16.40.37            10         32768 i
router bgp 65471
bgp log-neighbor-changes
neighbor externalBGP peer-group
neighbor externalBGP remote-as 65472
neighbor externalBGP version 4
neighbor internalBGP-SCT peer-group
neighbor internalBGP-SCT remote-as 65471
neighbor internalBGP-SCT version 4
neighbor 172.16.40.37 peer-group internalBGP-SCT
neighbor 190.97.254.241 peer-group viginet
address-family ipv4
neighbor externalBGPsoft-reconfiguration inbound
neighbor externalBGProute-map viginet-in in
neighbor externalBGProute-map viginet-out out
neighbor internalBGP-SCT soft-reconfiguration inbound
neighbor internalBGP-SCT route-map internalBGP-SCT-out out
neighbor 172.16.40.37 activate
neighbor 190.97.254.241 activate
no auto-summary
no synchronization
network 10.10.200.0 mask 255.255.255.252
network 10.30.24.0 mask 255.255.248.0
network 172.16.17.0 mask 255.255.255.0
network 172.16.40.0 mask 255.255.255.0
network 172.16.211.0 mask 255.255.255.0
network 172.18.56.16 mask 255.255.255.248
network 172.30.100.18 mask 255.255.255.255
network 172.31.0.20 mask 255.255.255.252
network 190.153.116.0 mask 255.255.252.0
network 190.153.120.0 mask 255.255.252.0
network 190.153.124.0 mask 255.255.255.0
exit-address-family
ip route 172.16.40.36 255.255.255.252 Null0 250
ip route 190.153.116.0 255.255.252.0 172.16.40.4
ip route 190.153.120.0 255.255.252.0 172.16.40.4
ip prefix-list invalidas seq 10 permit 172.16.40.0/24
ip prefix-list invalidas seq 15 permit 10.30.24.0/21
ip prefix-list invalidas seq 20 permit 172.16.211.0/24
ip prefix-list invalidas seq 25 permit 172.18.56.16/29
ip prefix-list invalidas seq 30 permit 172.30.100.18/32
ip prefix-list invalidas seq 35 permit 10.10.200.0/30
ip prefix-list invalidas seq 40 permit 172.16.17.0/24
ip prefix-list invalidas seq 45 permit 172.31.0.20/30
ip access-list standard viginet-100
permit 190.153.116.0 0.0.3.255
permit 190.153.120.0 0.0.3.255
permit 190.153.124.0 0.0.0.255
route-map externalBGP-out permit 10
match ip address viginet-100
route-map externalBGP-in permit 10
set local-preference 200
route-map internalBGP-SCT-out permit 10
match ip address prefix-list invalidas

Hello.
If you want your internal network to go through peer 65471 (to 0.0.0.0/0), then why do you need AS 65472?
Could you please provide "show ip bgp 0.0.0.0/0"?

Route map no match

Hi,
what is the reason for not having any match, in the acl for the route-map?
Current configuration : 1731 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
interface Loopback0
ip address 192.168.0.1 255.255.255.0
interface Loopback1
ip address 192.168.1.1 255.255.255.0
interface Loopback200
ip address 196.0.0.1 255.255.255.0
interface FastEthernet0/0
ip address 195.0.0.1 255.255.255.0
ip policy route-map r_teste
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 10.0.0.2 255.255.255.252
serial restart-delay 0
interface Serial1/1
ip address 172.16.0.2 255.255.255.252
serial restart-delay 0
clock rate 128000
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
router bgp 100
no synchronization
bgp log-neighbor-changes
network 192.168.0.0
network 192.168.1.0
neighbor 10.0.0.1 remote-as 200
neighbor 172.16.0.1 remote-as 300
no auto-summary
ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
access-list 40 permit any
route-map anuncia1 permit 20
match ip address 20
route-map anuncia0 permit 10
match ip address 10
route-map r_teste permit 10
match ip address 40
set ip default next-hop 10.0.0.1
control-plane
line con 0
line aux 0
line vty 0 4
login
end
R2#ping 192.168.55.1 source 195.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
Packet sent with a source address of 195.0.0.1
Success rate is 0 percent (0/5)
R2#sh access-lists
Standard IP access list 10
    10 permit 192.168.0.0, wildcard bits 0.0.0.255
Standard IP access list 20
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
Standard IP access list 30
    10 permit 195.0.0.0, wildcard bits 0.0.0.255
Standard IP access list 40
    10 permit any
Extended IP access list 100
    10 permit ip any 192.168.55.0 0.0.0.255
R2#
is possible without changing the bgp?
thanks

Default PBR:
All packets received on an interface (ingress) with PBR enabled are entertained, first they should match through ACL then forward to next hop. if a match is exist (through ACL) but not forward to next hop then do nothing this packet especially for ICMP packet.
I think you need Local PBR:
Packets that are generated by the router are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use by using the following command in global configuration mode:
ip local policy route-map TEST
Regards,
kazim

Route-map continue, in CRS RPL

Dear all,
what is the replacement for continue command in route-map for CRS IOS XR RPL ?
is it ? pass command ??
actually i had some issue matching almost 15 community attribute ingress from customer network...
and i think, is it can be done with pass command ?
like :
if community (a:a) then
action
pass
else if community (b:b) then
action
pass
end if
so, when the route contain community a:a, will get action assigned, and not yet to be forwarded, instead, will continue to run the next if, to check if the route also contain b:b community...
so with this i dont have to create almost 2^15 combination if format on RPL.
is it do able ? or is there any command that work simillar with "continue" command in route-map, if match, the route still get processed until the end of policy.
Thanks a lot,
Budi L

Hello Budi
Yes, the pass statement allows a policy to continue executing even though the route has not been modified. When a policy has finished executing, any route that has been modified in the policy or any route that has received a pass disposition in the policy, successfully passes the policy and completes the execution. Note, a policy does not modify route attribute values until all tests have been completed. In other words, comparison operators always run on the initial data in the route. Intermediate modifications of the route attributes do not have a cascading effect on the evaluation of the policy.
Here is the PASS example:
route-policy ak-community
if community matches-any (11:11, 44:44) then
   set community (55:55) additive
   pass
endif
if community matches-any (22:22) then
   set community (77:77) additive
endif
end-policy
If a route contains a community 11:11 then we add 55:55 and continue. So If the same route contain 22:22 as well, we’d add another community 77:77 to the same route. Note, if we have an action (like SET here), a PASS statement is not needed and we continue with the policy.
Example 2. Here we can see nested IF. So if a route contains 11:11 then we add 55:55 and verify it further if the route has 22:22 and if so, add 77:77
route-policy ak-community
if community matches-any (11:11, 44:44) then
   set community (55:55) additive
   if community matches-any (22:22) then
     set community (77:77) additive
   endif
endif
end-policy
Example 3. In this example we add 55:55 to routes matching 11:11 or 44:44. Otherwise, if a route has 22:22, we add 77:77. Note, if a route has 11:11 AND 22:22 (or 44:44 AND 22:22) we’d add 55:55 only.
route-policy ak-community
if community matches-any (11:11, 44:44) then
   set community (55:55) additive
elseif community matches-any (22:22) then
   set community (77:77) additive
endif
end-policy
IF statement are flexible too. You noted we used MATCHES-ANY in the IF statement. We can use a list of different conations in one IF. For example:
If community matches-every (11:11, 22:22) or destination in (11.1.3.0/24) then
   set local-preference 500
Regards,
/A

Route shaping / Route Mapping

Ok I am looking for a way to propoerly force specific traffic over a specific link. I am thinking that I need to dp this with route mapping but am not sure of this is handled by the core or by the edge routers.
Here is the senario. I have two links connected to two different routers and both routers are inturn connected to the same core switch. Link #1 is a 3M serial link and link #2 a 10M Ethernet link. The router supporting the 3M link is a 3825 and the router supporting the 10M link is a 2921. The switch they are connected to is a 3750G.
We have installed two SANs within the network and one is located at the facility supported by these two links. They have started replication between the two SANS and I want to prevent this replication traffic from flowing over the 3M. If the 10M goes down for any reason the replication will be paused or stored until the link comes back up. What do I need to do to advertise / route the traffic between the two SANs over the 10M link? I use EIGRP between the core and the two routers and use BGP between the two routers and my provider. I am thinking the end goal is to not advertise the VLAN the local SAN is attached to over the router with the 3M link attached. Since both routers use the same EIGRP instance if there would be some massaging on both routers or do something unique on the core.
Where do I start? I am working on a refrigerator diagram that shows how things are interconnected and will attach shortly.
Thanks in advancce...
Brent

Hi Brent,
Just make sure the the core has a better metric path to reach the other SAN subnet via the 10M link, Do you want to use the 3 M link as backup - if so the core must see the 3M link is a feasible successor.
You may need to check that the cores at both ends agree on the 10M link as the path between the 2 SANs.
Cheers
Mike

Managing Route-Map based MPLS VPN

1) How to derive the VPN information of the MPLS VPN configured using route-maps? As I understand, stitching route-maps information to derive VPN is complex as it is difficult to derive & correlate the filters tied to each of the route-maps that are tied to a VRF :(
2) Is there any MIB to get from the MIB
a) Route-maps tied to each VRF
b) What is the filter associated with each route-map?
c) Definition of each of the above filter
It would have been nice if the route-maps' name had global-significance within AS, so that we could have treated route-maps, pretty much like the route-tragets. Alas, I doubt it is :(
It should be noted here that if the MPLS VPN is configured using route targets, the VPN information derivation is fairly straight forward throught MplsVpn MIB.
So, the question is what is the simplest way to derive the MPLS VPN info given that they are configured using route-maps in BGP for labelled-route-distribution & for the pkt association with the VRFs.
Thanks,
Suresh R

Each CE in a customer VPN is also added to the management VPN by selecting the Join the management VPN option in the service request user interface.
The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF.
http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a0080353ac3.html

BGP Community additive out of order?

From cli output:
13237 3356 3549 22047
    195.69.144.212 from 195.69.144.212 (82.197.128.1)
      Origin IGP, localpref 100, valid, external
      Community: 3356:2 3356:22 3356:86 3356:501 3356:666 3356:2065 3549:4852 3549:34152 13237:44049 13237:46067
      Last update: Fri Apr 30 06:28:19 2010
the community items sequence doesn't match the as-path( 3356 - 3549 - 13237 vs. 13237 3356 3549... )
if they are using additive community features, what would cause this?
TIA.

Hello Gviewer,
in example 3-141 of TCP/IP vol.II is shown a sh ip bgp from a router internal to AS 100 named colorado.
AS path attribute is 2000 because AS 100 is not added to AS path in an iBGP session within AS 100 (it will be added when sending the update to another AS)
so community 2000:xx is set by eBGP peer (austria) and later BGP community 100:yy is set by iBGP peer (Idaho) of the router in which the sh ip bgp is been performed (colorado)
to be noted the eBGP peer of the router of example 3-141 will see an AS path of 100 2000 with BGP community 100:yy 2000:xx and this would be more similar to what you have seen in your tests.
The key point is that 100:xx is added by an iBGP peer.
Hope to help
Giuseppe

Route-map, vlan routing

I have a 6509 that I've setup with route-maps in order to route VLANs in different ways. For example, if we wanted some vlans to get out to the internet we would route them to a certain address. Then there is another vlan that we route to another internet gateway. It was all working pretty good until we swapped out another switch gateway in the network and every since things have been wonky. It seems as though the switch is routing packets that would normally stay on that switch out of the switch then back in, even though my access-list are set to deny the traffic. Here are the access-list and route-maps:
access-list 10 permit 192.168.24.101
access-list 10 permit 192.168.24.102
access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.10 eq www
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.11 eq www
access-list 104 permit ip host 172.16.4.11 host 65.54.150.19
access-list 104 permit tcp host 172.16.4.20 any eq www
ip access-list extended BITCENTRAL_INTERNET
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 172.16.1.170 any
permit ip host 172.16.1.150 any
ip access-list extended EDIT_BAYS
deny ip any 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 any
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.25.2 any
permit ip host 192.168.26.80 any
permit ip host 192.168.25.104 any
permit ip host 192.168.25.3 any
permit ip host 192.168.26.69 any
permit ip host 192.168.26.71 any
permit ip host 192.168.27.33 any
ip access-list extended ENPS
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.24.101 any
permit ip host 192.168.24.102 any
permit ip host 192.168.24.103 any
ip access-list extended ENTRIQ
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.8.0 0.0.0.255 any
ip access-list extended MISC
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.11.0 0.0.0.255 any
ip access-list extended Omneon
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip host 172.16.2.11 any
permit ip host 172.16.2.2 any
ip access-list extended ROSS-VLAN
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 172.16.4.20 any
permit ip host 172.16.4.32 any
permit ip host 172.16.4.31 any
permit ip host 172.16.4.29 any
permit ip host 172.16.4.30 any
permit ip host 172.16.4.28 any
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
interface Vlan1
no ip address
shutdown
interface Vlan10
ip address 172.16.1.1 255.255.255.0
ip policy route-map BITCENTRAL
interface Vlan20
ip address 172.16.2.1 255.255.255.0
ip policy route-map OMNEON
interface Vlan30
ip address 172.16.3.1 255.255.255.0
interface Vlan40
ip address 172.16.4.1 255.255.255.0
ip policy route-map ROSS-VLAN
interface Vlan50
ip address 172.16.5.1 255.255.255.0
interface Vlan60
ip address 172.16.6.1 255.255.255.0
interface Vlan70
ip address 172.16.7.1 255.255.255.0
interface Vlan80
ip address 172.16.8.1 255.255.255.0
ip policy route-map ENTRIQ
interface Vlan100
ip address 192.168.27.1 255.255.252.0
ip helper-address 192.168.7.255
ip policy route-map OMNIBUS-VLAN
interface Vlan110
ip address 172.16.11.1 255.255.255.0
ip helper-address 192.168.27.200
ip policy route-map MISC
interface Vlan120
ip address 172.16.10.1 255.255.255.240
ip policy route-map EDIT_BAYS
interface Vlan140
ip address 192.168.4.15 255.255.255.0
ip directed-broadcast 10
interface Vlan500
ip address 192.168.1.19 255.255.255.224
ip classless
ip route 172.22.0.0 255.255.255.248 192.168.4.1
ip route 192.168.0.0 255.255.255.224 192.168.4.254
ip route 192.168.5.0 255.255.255.0 192.168.4.1
route-map BITCENTRAL permit 60
match ip address BITCENTRAL_INTERNET
set ip next-hop 192.168.4.1
route-map EDIT_BAYS permit 50
match ip address EDIT_BAYS
set ip next-hop 192.168.4.1
route-map ENTRIQ permit 80
match ip address ENTRIQ
set ip next-hop 172.16.8.254
route-map MISC permit 40
match ip address MISC
set ip next-hop 192.168.4.1
route-map MSN permit 10
match ip address 104
set ip next-hop 192.168.4.1
route-map OMNEON permit 20
match ip address Omneon
set ip next-hop 192.168.4.1
route-map OMNIBUS-VLAN permit 30
match ip address EDIT_BAYS
set ip next-hop 192.168.4.1
route-map OMNIBUS-VLAN permit 40
match ip address ENPS
set ip next-hop 192.168.4.1
route-map ROSS-VLAN permit 70
match ip address ROSS-VLAN
set ip next-hop 192.168.4.1
route-map SEC-VLAN permit 30
match ip address SEC-VLAN
set ip next-hop 192.168.4.1
Here is how we tested the system and found the error. We cut the connection to 192.168.4.1 router, and when we try to ping a host on the 100 VLAN with the ip address of 192.168.24.101 from the MISC vlan with a ip address of 172.168.11.9 the ping just fails. When we enable the connection to the 192.168.4.1 router the pings go through again. What in my route-map is causing this, I thought I setup the deny rules pretty good?

Hi Mike,
Between you and me, this is a lengthy config you have there.
Next don't forget that a route-map doesn't apply to traffic originated or destined to the self-device, unless you use ip local policy in which might work, but there I have seen some nasty bugs.
So if you can shorten your config to one example, then do the tests :
- sourced from device A (it can be the SVI of another switch)
- through your 6509
- destined to device B (it also can be the SVI of another switch, or even simpler some loopback inteface).

Understanding a route map

Hi All,
I have just taken over supporting a network, and have come accross a route map, that I don't really understand. The route-map is copied below. Can anyone please tell me step by step how its processed, and what the outcome is?
route-map test permit 5
match ip address prefix-list path_one_prefer
route-map test permit 10
match as-path 3
route-map test permit 20
match ip address prefix-list route-filter
set as-path prepend 65100
ip prefix-list path_one_prefer seq 5 permit 10.10.0.0/16
ip as-path access-list 3 permit _65000_
ip prefix-list route-filter seq 10 deny 172.130.1.0/28
ip prefix-list route-filter seq 15 deny 172.131.1.248/29
ip prefix-list route-filter seq 20 deny 172.200.128.0/27
The route map is applied outbound towards an ebgp peer
Many Thanks
Russ

Hello Russ,
Yes that is indeed the case.
route-map test permit 20
match ip address prefix-list route-filter
set as-path prepend 65100
!ip prefix-list route-filter seq 10 deny 172.130.1.0/28
ip prefix-list route-filter seq 15 deny 172.131.1.248/29
ip prefix-list route-filter seq 20 deny 172.200.128.0/27
In the route-map lines 20 - it is set to "match ip address prefix-list route-filter"
Since the deny is in place in the prefix list, take it as "Not these ones"
Everything else is permitted and AS-Path prepended.
After line 20 there is no other - ACL logic - explicit deny - so if there is no match, its a deny, so the prefix's in the prefix-list "route-filter" are not advertised.
This line 20 seems to be the "catch all" other routes except for these ones i.e. that prefix list, and prepend them.
Check the routes you are advertising them as I stated in my first post with "show ip bgp neigh x.x.x.x advertised-routes" which should correlate with the route-map applied to your BGP peer.
Hope this makes it clear.

Can't apply policy route-map on C3750 stack vlan interface

Hi All.
I've come up with this problem and i could see some people have had the same issue. I've tried to overlook and check other replies but it didn't help me. So I'm hoping someone could spot the problem. Here are the details:
2 x WS-C3750G-24T-E in stack
Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
switch#sh sdm prefe
The current template is "desktop IPv4 and IPv6 routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses:                  1.5K
number of IPv4 IGMP groups + multicast routes:    1K
number of IPv4 unicast routes:                    2.75K
    number of directly-connected IPv4 hosts:        1.5K
    number of indirect IPv4 routes:                 1.25K
number of IPv6 multicast groups:                  1.125k
number of directly-connected IPv6 addresses:      1.5K
number of indirect IPv6 unicast routes:           1.25K
number of IPv4 policy based routing aces:         0.25K
number of IPv4/MAC qos aces:                      0.5K
number of IPv4/MAC security aces:                 0.5K
number of IPv6 policy based routing aces:         0.25K
number of IPv6 qos aces:                          0.5K
number of IPv6 security aces:                     0.5K
There are 2 ISPs, G1/0/1 and G2/0/1. After creating a route-map i can apply a policy route-map to Vlan5 and it accepts without any errors. But when you do sh run vlan5 the command is not there, it's not applied.
Any help will be appretiated.
Thanks.

Hi Jon.
Thanks for your reply. I didn't put those configs as they're basic without use of VRF and WCCP. Also i've checked or tried to find the list of unsupported commands and didn't see them in that list. See config below with some extras:
track 11 rtr 1 reachability
track 22 rtr 2 reachability
ip routing
no ip dhcp use vrf connected
interface GigabitEthernet1/0/1
description ISP1
no switchport
ip address 9.9.9.2 255.255.255.252
no ip proxy-arp
no ip mroute-cache
speed 100
duplex full
ipv6 address 2B01:4B8:0:3::2/64
ipv6 ospf 1 area 0
no mdix auto
no cdp enable
interface GigabitEthernet2/0/1
description ISP2
no switchport
ip address 9.9.9.5 255.255.255.252
ip ospf cost 10000
speed 1000
duplex full
ipv6 address 2B01:4B8:0:7::2/64
ipv6 enable
ipv6 ospf cost 10000
ipv6 ospf 1 area 0
interface Vlan5
description Company Ext Subnet
ip address 9.9.8.1 255.255.255.128
no ip proxy-arp
no ip mroute-cache
ipv6 address 2B01:4B8:1:22::1/64
ipv6 ospf 1 area 15
access-list 111 permit tcp any any eq www
route-map pbr1 permit 10
match ip address 111
set interface GigabitEthernet2/0/1 GigabitEthernet1/0/1
route-map pbr1 permit 20
set interface GigabitEthernet1/0/1 GigabitEthernet2/0/1
route-map pbr2 permit 10
match ip address 111
set ip next-hop verify-availability 9.9.9.6 1 track 11
set ip next-hop 9.9.9.1
route-map pbr2 permit 20
set ip next-hop verify-availability 9.9.9.1 1 track 22
set ip next-hop 9.9.9.6
I've tried to apply both policies pbr1 and pbr2, it allowed to do that without errors but at the end it wasn't there.
Cheers,

MP-BGP and Route-Reflector

Hi All...
I have this topology:
CE2-->PE1-->P--->PE2-->CE2
.............\-->PE3-->CE2
In router "P" I want to configure MP-BGP, but I have many doubts with configurations this router. I need to do route-reflector too.
Anybody can help me?
CLRGomes

Thanks, look my configuration:
Router P
router bgp 65500
no synchronization
no bgp default route-target filter
bgp log-neighbor-changes
neighbor MPLS peer-group
neighbor MPLS remote-as 65500
neighbor MPLS ebgp-multihop 255
neighbor MPLS update-source Loopback0
neighbor MPLS route-reflector-client
neighbor MPLS allowas-in
neighbor MPLS soft-reconfiguration inbound
neighbor 10.10.10.2 peer-group MPLS
neighbor 10.10.10.3 peer-group MPLS
neighbor 10.10.10.4 peer-group MPLS
no auto-summary
address-family vpnv4
neighbor MPLS route-reflector-client
neighbor MPLS send-community both
neighbor 10.10.10.2 activate
neighbor 10.10.10.3 activate
neighbor 10.10.10.4 activate
exit-address-family
ok...working perfect, I did MP-BGP between PE routers and I configured RDs differents too...
Later I did between PE->CE with OSPF and working too, loadshare working.
Thanks a lot
CLRGomes
CCIE R&S

BGP Community | Route-Map | Local Pref

Similar Messages

Maybe you are looking for