BGP Filtering

Is there a way in BGP to use an inbound filter list to select prefixes from only certain ASs but always accept a certain prefix no matter what AS path it has?
Scenario:  We have two upstream providers and are accepting only certain AS paths from each.  In addition, both providers are sending 0.0.0.0/0.  We filter that route from our secondary provider but have a floating static to 0.0.0.0/0 in case our default provider goes down.  Our default provider used to send the route with only their AS in the path but something changed where they are now advertising the default route which they are receiving from one of their upstream providers so the AS path changed.  At this point, we filtered the default route out because it didn't match our AS filter.  I can add that particular AS to our filter but if it changes again, we will be in the same boat.  I believe that the only way for this to work now is to accept all prefixes and AS paths from this provider and then mark any route learned from our secondary provider with a better preference.  The only other way would be to create a static default route that points to a prefix in their network and hope that that network never went down which I don't want to do.

Thanks for the reply.  No, we do not have a route map filtering AS paths; we have an as-path access-list using regular expressions bound via a filter-list statement to filter AS paths.  This is set to allow only paths with our upstream provider and also paths with two unique AS numbers (our upstream provider and a few select ASs).  We use an as-path access-list since it is easier to allow those paths which contain two AS numbers (although any number of repeats), i.e.:
ip as-path access-list 1 permit ^xxxxx(_xxxxx)*_yyyyy(_yyyyy)*$
I suppose we could bind it into the route-map that is bound to that neighbor, but the route map is doing something different.  It was cleaner to use the route-map to do one thing and the filter-list to do the other because if we combine them together we'll have to create some nests.  However, this would probably be better than accepting all routes when we don't really need them.
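
The filtering problem discussed in this thread, as an added example that is not part of the original posts: a small Python model of the inbound accept/deny decision, comparing the as-path filter-list on its own with a route-map that permits an exact 0.0.0.0/0 match first and then falls through to the same as-path list. The AS numbers (documentation range), prefixes, the PRIMARY_IN policy and all function names are constructed for illustration, and the model ignores whatever the poster's existing route-map sets.

```python
import re
from ipaddress import ip_network

# Constructed sample ASNs (RFC 5398 documentation range); not from the thread.
PROVIDER, PARTNER, NEW_UPSTREAM = 64500, 64501, 64510

# IOS '_' matches start/end of string, space, comma, braces and parentheses.
IOS_DELIMITER = r"(?:^|$|[ ,{}()])"


def ios_aspath_regex(pattern):
    """Translate an IOS as-path regular expression into a Python one."""
    return re.compile(pattern.replace("_", IOS_DELIMITER))


# Same shape as the thread's access-list: provider only, or provider plus one
# selected AS, each allowed to repeat (prepending).
AS_PATH_ACL_1 = [
    ("permit", f"^{PROVIDER}(_{PROVIDER})*$"),
    ("permit", f"^{PROVIDER}(_{PROVIDER})*_{PARTNER}(_{PARTNER})*$"),
]


def aspath_acl_permits(acl, as_path):
    """First matching entry wins; no match is the implicit deny."""
    text = " ".join(str(asn) for asn in as_path)
    for action, pattern in acl:
        if ios_aspath_regex(pattern).search(text):
            return action == "permit"
    return False


def is_default_route(route):
    """Equivalent of a prefix-list entry 'permit 0.0.0.0/0' (exact match)."""
    return ip_network(route["prefix"]) == ip_network("0.0.0.0/0")


def matches_acl_1(route):
    return aspath_acl_permits(AS_PATH_ACL_1, route["as_path"])


def route_map_permits(clauses, route):
    """Evaluate clauses in sequence order; first full match decides."""
    for _seq, action, matches in sorted(clauses, key=lambda c: c[0]):
        if all(match(route) for match in matches):
            return action == "permit"
    return False  # implicit deny at the end of every route-map


# Hypothetical combined policy: default route first, AS-path check second.
PRIMARY_IN = [
    (10, "permit", [is_default_route]),
    (20, "permit", [matches_acl_1]),
]

# Constructed inbound updates from the primary provider.
ROUTES = [
    {"prefix": "0.0.0.0/0", "as_path": [PROVIDER]},
    {"prefix": "0.0.0.0/0", "as_path": [PROVIDER, NEW_UPSTREAM]},
    {"prefix": "198.51.100.0/24", "as_path": [PROVIDER, PROVIDER, PARTNER]},
    {"prefix": "203.0.113.0/24", "as_path": [PROVIDER, NEW_UPSTREAM]},
    {"prefix": "0.0.0.0/1", "as_path": [PROVIDER, NEW_UPSTREAM]},
]


def compare(routes=ROUTES):
    """Return (prefix, as_path, filter_list_only, route_map) per route."""
    return [
        (r["prefix"], tuple(r["as_path"]),
         matches_acl_1(r), route_map_permits(PRIMARY_IN, r))
        for r in routes
    ]


if __name__ == "__main__":
    for prefix, path, old, new in compare():
        print(f"{prefix:18} {path!s:24} filter-list={old!s:5} route-map={new}")
```

On IOS a neighbor's inbound filter-list and route-map are both applied, so the default route survives an AS-path change only if the as-path match moves into the route-map, as modelled here.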

Similar Messages

  • Redundant access from MPLS VPN to global routing table

    Several our customers have MPLS VPNs deployed over our infrastructure. Part of them requires access to Internet (global routing table in our case).
    As I'm not aware of any methods to dynamically import/export routes between VRF/Global routing tables, at the moment there are static routes configured - one inside VRF pointing to global next hop, another one in global routing table, pointing to interface inside VRF.
    Task is to configure redundant access to Internet. By redundancy I mean using several exit points (primary and backup), what physically represents separate boxes.
    Here comes the tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if a specific prefix is reachable in VRF or not. What I'd like to achieve is that a specific static route becomes valid only if a specific prefix is reachable inside VRF. Yea, sounds like dynamic routing :), I know
    OK, hope you got the idea. Any solutions/recommendations? Running all Internet routing inside VRF isn't an option, at least for now :(

    Hi Andris,
    I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
    dot1q will be ok as well.
    This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
    Example:
    PE config:
    ! VRF "customer" definition (rd, route-targets) is not shown
    interface Serial0/0
     encapsulation frame-relay
    !
    interface Serial0/0.1 point-to-point
     description customer VPN access
     ! bind the subinterface to the VRF before assigning the address
     ip vrf forwarding customer
     ip address 10.1.1.1 255.255.255.252
    !
    interface Serial0/0.2 point-to-point
     description customer Internet access
     ip address 192.168.1.1 255.255.255.252
    !
    router rip
     address-family ipv4 vrf customer
      version 2
      network 10.0.0.0
      no auto-summary
      redistribute bgp 65000 metric 5
    !
    router bgp 65000
     neighbor 192.168.1.2 remote-as 65001
     address-family ipv4 vrf customer
      redistribute rip
    CE config:
    interface Serial0/0
     encapsulation frame-relay
    !
    interface Serial0/0.1 point-to-point
     description VPN access
     ip address 10.1.1.2 255.255.255.252
    !
    interface Serial0/0.2 point-to-point
     description Internet access
     ip address 192.168.1.2 255.255.255.252
    !
    router bgp 65001
     neighbor 192.168.1.1 remote-as 65000
    !
    router rip
     version 2
     network 10.0.0.0
     no auto-summary
    Of course you can replace RIP with whatever is suitable for you. And don't sue me when you do not apply required BGP filters for internet access... ;-)
    The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
    Regards
    Martin

  • BGP Prefix Filtering

    Good day Colleagues,
    I want to ask your advice about the policy for BGP prefix filtering. The main idea is to automate the process of prefix filtering. I've read a lot of articles about it, but I need to discuss it to be sure about the correct way to implement it in practice.
    A few words about our network... Our company is an ISP. We are using C7200, C7600 and AS5350XM for peering, connection to the upstreams and the customers.
    A few main questions:
    1. To create the prefix-list or as-path ACL I am using RtConf or bgpq. Then I use our own script to connect via telnet/ssh to a router. Is it normal practice? Do you use your own script (perl, bash, etc.) or a mix of it with programs like Rancid?
    2. If we put a few prefix-lists on the AS5350XM, the output of the config will not be a simple task, and I am afraid it could be a problem to keep so much information in RAM. Some prefix-lists can contain more than 10 000 strings, and if we have about 50 peers on the router, then it will be a problem. Or you can imagine the prefix-list for the route-server on DECIX, LINX, etc. What do you think about it?
    3. Is it a good idea to use uRPF? What do you recommend?
    4. To protect the network from bogons, martians and unallocated IP addresses, I am thinking about using a prefix-list of 10 300 strings (question 2) or using the bogon route-server from team-cymru. It is very hard to trust the route-server... what would happen if it advertised normal prefixes... What do you think about it? Maybe I just can't afford such kind of protection with my resources.
    5. Very often some prefixes from peers would be filtered by my prefix-list. Should I ask them about the situation (check RIPE, etc.), or just forget about it? What would be better?
    P.S. I am talking about the prefix-lists because the as-path ACLs can't do the filtering as strictly as the prefix-lists do.
    Thank you in advance for any comments,
    Dmitry

  • BGP Conditional Route Filtering

    Hi All,
    I have a router with 2 connections.
    1) IP Transit from Tier 2 Provider
    2) IX - Local Internet Exchange for local peering
    I'm receiving the full Internet routing table, nearly 500k+ entries. I also have a few local peerings through the IX connection to local telco. Now I'm receiving a more specific route from the IP Transit link compared to local peering, e.g.:
    Local Peer A (ASN YYYY) sends route: a.a.0.0/16
    IP Transit sends route: a.a.1.0/24
    With this, my traffic to a.a.1.0/24 ends up routed over the IP Transit link. But we need the traffic routed via IX Peering, since it's direct peering and has low latency and high bandwidth capacity.
    I'm thinking of filtering AS-PATH YYYY from the IP Transit link, so that any traffic to ASN YYYY will now be routed over local IX Peering. But this will cause traffic to get dropped if my port to the IX or the peering partner's port to the IX goes down. The traffic should then be routed over the IP Transit link if local peering is down. Meaning to say, AS-path filtering should be removed if local peering to that ASN is down.
    Any idea how to accomplish this?

    Hello
    You don't say if this is just one router with two peerings or two routers with iBGP between them, each with an ISP peering?
    However, for outbound traffic you can use either Weight or Local Preference path selection for your local traffic to go over your selected link.
    For inbound, AS-path prepending would be applicable, I think.
    Outbound:
    Weight (is locally significant - just one router)
    access-list 10 permit x.x.x.x y.y.y.y
    route-map Weight permit 10
     ! reference the ACL defined above (access-list 10)
     match ip address 10
     ! weight is limited to 0-65535 and is set on routes as they are received
     set weight 40000
    route-map Weight permit 99
    router bgp xx
     neighbor x.x.x.x route-map Weight in (to eBGP peering for your preferred choice path)
    or
    route-map Local-Pref permit 10 (for iBGP routers)
     match ip address 10
     set local-preference 200
    route-map Local-Pref permit 99
    router bgp xx
     neighbor x.x.x.x route-map Local-Pref in (to eBGP peering for your preferred choice path)
    Inbound
    AS-Path prepend
    route-map AS-Path permit 10
     match ip address 10
     set as-path prepend ASN ASN ASN
    route-map AS-Path permit 99
    router bgp xx
     neighbor x.x.x.x route-map AS-Path out (to the least preferred ISP)
    res
    Paul

  • IPv6 BGP prefix-list filtering

    Dears,
    I have established an iBGP session between 2 routers (R1 ---- R2) and I want to advertise the loopback interface /128 using IPv6 prefix filtering, but it didn't advertise the loopback to the neighbor. It is working fine with the network or redistribute command, but I want to know why it is not working with prefix-list filtering?
    Configuration:
    ! first router
    router bgp 100
     neighbor 2001:100:1:1::2 remote-as 100
     address-family ipv6
      neighbor 2001:100:1:1::2 activate
      neighbor 2001:100:1:1::2 prefix-list IPV6 out
      no synchronization
     exit-address-family
    interface Loopback100
     ipv6 address 2001:500:1:1::1/128
    ipv6 prefix-list IPV6 seq 10 permit 2001:500:1:1::1/128
    ! second router
    router bgp 100
     neighbor 2001:100:1:1::1 remote-as 100
     address-family ipv6
      neighbor 2001:100:1:1::1 activate
      neighbor 2001:100:1:1::1 prefix-list TEST out
      no synchronization
     exit-address-family
    interface Loopback100
     ipv6 address 2001:600:1:1::1/128
    ipv6 prefix-list TEST seq 10 permit 2001:600:1:1::1/128
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    2001:100:1:1::1 4 100   49236   49191        5    0    0 04:03:21        0

    Even though you're using a prefix list, the prefix list is used for filtering and not advertising the network. You still have to advertise the network using "network 2001:600:1:1::1/128" and you should see it.
    HTH,
    John
    *** Please rate all useful posts ***

  • BGP on A9K: Filtering prefixes using Communities on iBGP

    Hello,
    We are trying to filter some prefixes to a iBGP connection but it doesn't work properly:
    The rpl is like this:
    community-set MID
      15525:8657
    end-set
    route-policy Deny_Community_MID
      if community matches-any MID then
        drop
      else
        pass
      endif
    end-policy
    This rpl only removes the community from the prefix, and the prefix always arrives on the iBGP neighbor, which is not what we intend to do! What we intend to do is to filter out the prefix ...
    On our research we find this which is absolutely different from the IOS behaviour ...
    BGP community and extended-community filtering cannot be  configured for iBGP neighbors. Communities and extended-communities are  always sent to iBGP neighbors
    on
    http://www.cisco.com/en/US/partner/docs/routers/asr9000/software/asr9k_r4.0/routing/configuration/guide/rc40asr9k_chapter1.html#task_1211424
    Is this true or are we seeing this the wrong way?
    Thank you!

    Done! But I have several more examples of the poor and buggy IOS XR documentation:
    Command Reference A9K 4.0, BGP Chapter:
    The commands “additional-paths” should have a brief explanation stating that they belong to the PIC Edge Framework .. but nothing .. No usage guidelines
    Command Reference A9K 4.0, IS-IS Chapter:
    The command “ipfrr” is deprecated and replaced by “fast-reroute” but still appears in the documentation ..
    Configuration Guide A9K 4.0, Routing Chapter:
    There is no reference to PIC anywhere .. only a couple of meaningless words

  • Filtering OSPF routes from MPBGP to BGP speaker in the same VRF

    I'm wondering if anyone has some ideas they can share on this.
    Assume the following:
    - CE1 is speaking *iBGP and OSPF to PE1 inside vrf foo
    - PE1 is mutually redistributing CE1's OSPF table with MPBGP
    - PE1 exchanges MPBGP routes with PE2.
    - PE2 is mutually redistributing CE2's OSPF table with MPBGP
    - CE2 is speaking *iBGP and OSPF to PE2 inside vrf foo
    So the problem is that the OSPF routes redistributed into MPBGP via one CE are being announced to the other CE via the PE-CE BGP process.  Because those routes are already being received by the CE via the PE-CE OSPF process, they are showing up in the CE's BGP table as RIB failures.
    Is there any way to filter those out?  I've tried setting and matching tags and communities from within various redistribution points on the PE, but I can't seem to keep them out of the CE's BGP table.

    Are you sure you are using iBGP on both sides and not eBGP?
    I'm asking because routes learnt by PE1 from CE via iBGP (meaning same BGP AS number on CE1 and PE1 vrf foo) will not be propagated to CE2, because an iBGP route learned by a BGP speaker is not pushed to another iBGP speaker.
    So it means that a show ip bgp neighbor vrf foo advertised routes on PE2 shall show that no routes from CE1 are being advertised to CE2.
    As mentioned earlier, changing BGP admin distance is an option. Let BGP have a better distance on your CEs and this should do the trick:
    router bgp xxx
     distance bgp 20 20 20
    Then after clearing the BGP session, the RIB failures are gone as OSPF is AD 110 and BGP is now AD 20 (also remember that BGP does not announce RIB-failure routes to other BGP peers)
    cheers

  • Packet filtering on BGP communities

    Hi all
    I want to achieve the following scenario:
    I have a BGP feed that gives me routes with community X.
    I have an input ACL on an interface.
    I want to be able to say:
    if src or dst of packet = any route with community x then drop
    I can do this with FBF in junos, can I do this on IOS-XR?

    Hi William,
    I think you can use technique similar to RTBH :
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf
    by using rpl to set the next-hop to a /32 address statically routed to NULL.
    For source address match, you combine this with RPF.
    Hope it helps,
    Serge.

  • BGP route filtering

    How to stop isp1 routes advertisement via isp2 on Bgp...
    The problem is when my spoke isp1 mpls down...
    Still it is getting routes via isp2

    I do not have an understanding of your topology or of the relationship between ISP 1 and ISP 2 and therefore can not be sure how well my suggestion will work. But here is what I frequently use when I want to be sure that routes learned from ISP 1 do not get advertised to ISP 2.
    ip as-path access-list 10 permit ^$
    router bgp 123
     neighbor 1.2.3.4 filter-list 10 out
    HTH
    Rick

  • Difference between sh ip bgp & sh ip route? BGP tables and main routing table.

    Difference between sh ip bgp & sh ip route?
    sh ip bgp :::: loc-rib ?
    sh ip bgp nei x.x.x.x advertised-routes : adj-rib-in.
    sh ip bgp nei x.x.x.x received-routes : adj-rib-out.
    sh ip bgp nei x.x.x.x routes : loc-rib ?
    sh ip route = rib ? if yes does it mean its loc-rib ?
    so in a given router with bgp running, will there be 5 tables (sh ip bgp; adj-rib-in; loc-rib;adj-rib-out; sh ip route) ? if yes where are they saved ?

    sh ip bgp
    shows the BGP table (where info coming from BGP updates is stored)
    sh ip bgp nei x.x.x.x advertised-routes
    shows networks that your router will advertise to a specific neighbor
    sh ip bgp nei x.x.x.x received-routes
    shows advertisements received from a specific neighbor; networks (NLRI) filtered with route-map, distribute-list,... are included (inbound soft reconfiguration must be enabled)
    sh ip bgp nei x.x.x.x routes
    shows only routes sent by a specific neighbor and not filtered or discarded (i.e. accepted)
    sh ip route
    shows the routing table; it contains the best route for each network (best is first of all the lowest administrative distance, then the lowest metric)
    Bye,
    enrico.
    PS please rate if useful

  • BGP in Dual Homing setup not failing over correctly

    Hi all,
    we have dual homed BGP connections to our sister company network but the failover testing is failing.
    If i shutdown the WAN interface on the primary router, after about 5 minutes, everything converges and fails over fine.
    But, if i shut the LAN interface down on the primary router, we never regain connectivity to the sister network.
    Our two ASRs have an iBGP relationship and I can see that after a certain amount of time, the BGP routes with a next hop of the primary router get flushed from BGP and the preferred exit path is through the secondary router. This bit works OK, but I believe that the return traffic is still attempting to return over the primary link...
    To add to this, we have two inline firewalls on each link which are only performing IPS, no packet filtering.
    Any pointers would be great.
    thanks
    Mario                

    Hi John,
    right... please look at the output below which is the partial BGP table during a link failure...
    10.128.0.0/9 is the problematic summary that still keeps getting advertised out when we do not want it to during a failure....
    now there are prefixes in the BGP table which fall within that large summary address space. But I am sure that they are all routes that are being advertised to us from the eBGP peer...
    *> 10.128.0.0/9     0.0.0.0                            32768 i
    s> 10.128.56.16/32  172.17.17.241                 150      0 2856 64619 i
    s> 10.128.56.140/32 172.17.17.241                 150      0 2856 64619 i
    s> 10.160.0.0/21    172.17.17.241                 150      0 2856 64611 i
    s> 10.160.14.0/24   172.17.17.241                 150      0 2856 64611 i
    s> 10.160.16.0/24   172.17.17.241                 150      0 2856 64611 i
    s> 10.200.16.8/30   172.17.17.241                 150      0 2856 65008 ?
    s> 10.200.16.12/30  172.17.17.241                 150      0 2856 65006 ?
    s> 10.255.245.0/24  172.17.17.241                 150      0 2856 64548 ?
    s> 10.255.253.4/32  172.17.17.241                 150      0 2856 64548 ?
    s> 10.255.253.10/32 172.17.17.241                 150      0 2856 64548 ?
    s> 10.255.255.8/30  172.17.17.241                 150      0 2856 6670 ?
    s> 10.255.255.10/32 172.17.17.241                 150      0 2856 ?
    s> 10.255.255.12/30 172.17.17.241                 150      0 2856 6670 ?
    s> 10.255.255.14/32 172.17.17.241                 150      0 2856 ?
    i would not expect summary addresses to still be advertised if the specific prefixes are coming from eBGP... am i wrong?
    thanks for everything so far...
    Mario De Rosa

  • BGP Outbound Route-Map Question

    Hi Experts,
    Just need your help again. I was trying to do some lab and I came across this weird behaviour with BGP outbound route-map. The diagram is simple.
    Please see attached diagram. Sorry for the very poor illustration. R6 has iBGP peering to both R4 and R1. Both R1 and R4 have eBGP peering to R5. No IGP running on any routers as well to keep things simple. There are 2 things to do.
    * Create a static route for 160.1.0.0/16 pointing to Null0 on both R1 and R4 and advertise to BGP via network statement but only R5 should be able to see the 160.1.0.0/16 route. R6 should not receive it.
    * Advertise R5's /32 loopback interface to BGP but ensure R6 to have that route in its routing table. Don't use next-hop-self on both R1 and R4. Don't advertise WAN link via network command.
    I'll just illustrate R4 and R6 here to keep things straight forward.
    R4#sh ip bgp
    BGP table version is 5, local router ID is 150.1.4.4
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *> 150.1.5.5/32     155.1.45.5               0             0 100 i
    *> 160.1.0.0        0.0.0.0                  0         32768 i
    R6#sh ip bgp
    BGP table version is 11, local router ID is 150.1.6.6
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    * i150.1.5.5/32     155.1.45.5               0    100      0 100 i
    * i                 155.1.0.5                0    100      0 100 i
    The first task was achieved as the 160.0.0.0/16 route is not present in R6's table. I used these commands in R4.
    router bgp 65000
     no synchronization
     bgp log-neighbor-changes
     network 160.1.0.0
     neighbor 155.1.45.5 remote-as 100
     neighbor 155.1.146.6 remote-as 65000
     neighbor 155.1.146.6 route-map R6_OUT out
     no auto-summary
    route-map R6_OUT deny 5
     match ip address prefix-list AGGR
    route-map R6_OUT permit 1000
    ip prefix-list AGGR seq 5 permit 160.1.0.0/16
    So with the configuration above, it is clear that R4 is hitting route-map line 5 to deny 160.1.0.0/16 being advertised to R6. I tried to remove line 5 to validate as well if the /16 route will be advertised to R6 and it did so route-map configuration above is confirmed working.
    Next, advertise loopback 0 of R5 to R6 and make sure it is a valid route in BGP table without the use of next-hop-self or WAN advertisement.
    I used the following configuration.
    ip prefix-list R5_LINK seq 5 permit 155.1.45.5/32
    route-map R6_OUT permit 10
     match ip route-source R5_LINK
     set ip next-hop 155.1.146.4
    I inserted line 10 in between route-map 5 and 1000. So R4 would check its route table for routes with 155.1.45.5 as route-source then advertise it to R6 with next-hop address of 155.1.146.4. It worked!
    R6#sh ip bgp
    BGP table version is 15, local router ID is 150.1.6.6
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *>i150.1.5.5/32     155.1.146.4              0    100      0 100 i
    * i                 155.1.0.5                0    100      0 100 i
    *>i160.1.0.0        155.1.146.4              0    100      0 i
    As you can see above, 150.1.5.5 route is now a valid BGP route but surprisingly, the 160.1.0.0/16 route is there! From what I have seen, BGP skipped line 5 and started at 10. Even if I insert the same rule as line 5 and make it as line 15, it's not working. The /16 route is still being advertised. If I remove the match ip route-source clause in sequence 10 then it will withdraw the 160.1.0.0/16 route again. Looks like "match ip route-source" is not very friendly with direct filtering to BGP neighbors but I saw this being used with BGP inject-map and it worked well.
    R4#sh route-map
    route-map R6_OUT, deny, sequence 5
      Match clauses:
        ip address prefix-lists: AGGR
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    route-map R6_OUT, permit, sequence 10
      Match clauses:
        ip route-source (access-lists): R5_LINK
      Set clauses:
        ip next-hop 155.1.146.4
      Policy routing matches: 0 packets, 0 bytes
    route-map R6_OUT, permit, sequence 1000
      Match clauses:
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Any thoughts why this is happening?
    Thanks in advance.

    Hi John,
    I did a small lab to test feature "match ip route-source" and it is working fine. Please check below config and output.
    R4 does not have 172.16.16.0/24 and also routes for which next-hop is not 1.1.1.1. In case you are still facing the issue, please share the output of "debug ip bgp updates out"
    Topology
    R1--ebgp--R3---ibgp---R4
    R3#show ip b su | b Nei
    Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    1.1.1.1         4          100      34      36       29    0    0 00:27:37        7
    4.4.4.4         4          300       9      12       29    0    0 00:04:12        0
    R3#
    R3#sh route-map TO-R4
    route-map TO-R4, deny, sequence 10
      Match clauses:
        ip address prefix-lists: DENY-PREFIX 
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    route-map TO-R4, permit, sequence 20
      Match clauses:
        ip route-source (access-lists): 20 
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    R3#
    R3#show ip prefix-list DENY-PREFIX
    ip prefix-list DENY-PREFIX: 1 entries
       seq 5 permit 172.16.16.0/24
    R3#
    R3#sh ip access-lists 20
    Standard IP access list 20
        20 permit 1.1.1.1 (25 matches)
    R3#
    R3#show ip b
    BGP table version is 29, local router ID is 3.3.3.3
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *  172.16.8.0/22    1.1.1.1                  0             0 100 i
    *>                  172.31.13.1             20         32768 i
    *> 172.16.16.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.17.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.19.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.20.0/22   1.1.1.1                  0             0 100 i
    *  172.16.24.0/30   1.1.1.1                  0             0 100 i
    *>                  172.31.13.1             20         32768 i
    *> 172.16.80.0/22   1.1.1.1                  0             0 100 i
    R3#
    R4#show ip b
    BGP table version is 53, local router ID is 4.4.4.4
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    r>i172.16.17.0/24   1.1.1.1                  0    100      0 100 i
    r>i172.16.19.0/24   1.1.1.1                  0    100      0 100 i
    r>i172.16.20.0/22   1.1.1.1                  0    100      0 100 i
    *>i172.16.80.0/22   1.1.1.1                  0    100      0 100 i
    R4#
    --Pls dont forget to rate helpful posts--
    Regards,
    Akash

  • Does editing a pre-fix set for bgp in IOS-XR cause a loss of network connectivity

    Hi,
    I have to edit an existing prefix-set for BGP in IOS-XR.  When I went to do it the first time it told me it would wipe the existing information so I aborted the change.
    I have since read that you need to redo the whole list and add the new network you want.
    For example.
    existing
    prefix-set TEST
      10.10.10.0/24,
      11.11.11.0/24
    end-set
    new
    prefix-set TEST
      10.10.10.0/24,
      11.11.11.0/24,
      12.12.12.0/24
    end-set
    1st) is the above correct?
    2nd) when this is done will there be any drops in connectivity?
    Thank you.

    1) It is correct: when you create the new prefix-set with the same name as the old one, it overwrites the old one. Meaning that it won't "append" to the old config, it creates a new prefix-set from scratch
    2) Depends on where you are referencing the prefix-set. For example, on a BGP route-policy, there won't be any drop in BGP connectivity; you might even have to do a soft refresh in and out to refresh the advertised/filtered routes

  • BGP Support for IP Prefix Import from Global Table into a VRF Table

    Hi,
    Has anyone ever tried this? When I use such a route-map to import IPv4 prefixes from the global route table, it also filters the IPv4 prefixes from the VRF route table. So I lost VRF routes from the other routers. I have tried to allow them with an extcommunity list but it didn't work. Is this a bug or am I missing something?

    Hi Tarj,
    First of all, i'd recommend you to start a new thread in case you have your own problem to solve, unless your problem is related to the original post.
    As for your question, what you have described is the exact behavior of a service provider with an MPLS backbone. It is a BGP-free core: the P routers need not run BGP, since the PE routers will have LSP tunnels using label switching over the backbone and the P routers will just do label swapping and not IP lookups. Accordingly, the P routers need not learn the BGP routes; however, you need all the routers (PEs and Ps) to run an IGP in order to be able to build the forwarding plane tables.
    I hope that i've been informative.
    BR,
    Mohammed Mahmoud.

  • Filtering methods inside a VRF in MPLS VPN

    Hi,
    we have a network with MPLS VPN and several VRFs involved.
    Inside a certain VRF I need to avoid that two particular networks can talk to each other.
    Can you give me a hint of what can be a solution to implement this ?
    Thanks
    Regards
    Marco

    Hi Marco,
    To prevent connectivity between two networks where a MPLS VPN is involved you can apply the same methods as in a "normal" router network. Just think of the complete MPLS VPN (PE to PE) as being one big "router simulator".
    You could either implement ACLs on the interfaces connecting to the PE or filter routing updates between sites - depending on your topology. When filtering routing updates seems the way to go, you should also have a look into selective import or export. With the help of a route-map one can selectively insert single networks into a VPN by selectively attaching route-targets to BGP updates.
    Regards, Martin
