 |
| BGP filtering w/ aggregate-address |
Below is shown the BGP table on R3, before any aggregation is configured on R1.
R3#show ip bgp | include 2(0|1|2|3).0.0.0Before the aggregation we see the individual /24 routes as advertised by R2. Now we configure the router R1 to create an aggregate-address using the keyword summary-only and see what happens.
*> 20.0.0.0/24 10.0.13.1 0 1 2 i
*> 21.0.0.0/24 10.0.13.1 0 1 2 i
*> 22.0.0.0/24 10.0.13.1 0 1 2 i
*> 23.0.0.0/24 10.0.13.1 0 1 2 i
R1#configure terminalThe command is quite simple - just a single line and the /6 network matches the networks 20.0.0.0, 21.0.0.0, 22.0.0.0 and 23.0.0.0, which are now considered component networks of the aggregate address. The summary-only keyword instructs R1 to only advertise the summary address and none of the component subnets. The show ip bgp output shows the /24 subnets from R2 as suppressed (indicated by the "s" in the left-most column). But the routes are still in R1s routing table. Also, note the administrative distance of 200 for the summary route injected into the routing table by the aggregate-address command.
R1(config)#router bgp 1
R1(config-router)#aggregate-address 20.0.0.0 252.0.0.0 summary-only
R1(config-router)#end
R1#show ip bgp
BGP table version is 28, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
s> 20.0.0.0/24 10.0.12.2 0 0 2 i
*> 20.0.0.0/6 0.0.0.0 32768 i
s> 21.0.0.0/24 10.0.12.2 0 0 2 i
s> 22.0.0.0/24 10.0.12.2 0 0 2 i
s> 23.0.0.0/24 10.0.12.2 0 0 2 i
<output omitted>
R1#show ip route bgp | incl 2(0|1|2|3).0.0.0
B 20.0.0.0/6 [200/0], 00:03:04, Null0
20.0.0.0/24 is subnetted, 1 subnets
B 20.0.0.0 [20/0] via 10.0.12.2, 00:03:04
21.0.0.0/24 is subnetted, 1 subnets
B 21.0.0.0 [20/0] via 10.0.12.2, 00:03:04
22.0.0.0/24 is subnetted, 1 subnets
B 22.0.0.0 [20/0] via 10.0.12.2, 00:03:04
23.0.0.0/24 is subnetted, 1 subnets
B 23.0.0.0 [20/0] via 10.0.12.2, 00:03:04
But what about the BGP table and routing table on R3 now that R1 is suppressing the /24 subnets.
R3#show ip bgp | include 2(0|1|2|3).0.0.0Well, as expected the /24 routes are gone and they are replaced by the single /6 summary route. Notice that the AS path in the BGP table no longer shows AS 2 in the path list. This could be something you wanted to do intentionally to perhaps hide some networks' AS path from upstream routers.
*> 20.0.0.0/6 10.0.13.1 0 0 1 i
R3#show ip route bgp | include 2(0|1|2|3).0.0.0
B 20.0.0.0/6 [20/0] via 10.0.13.1, 00:08:09
It is also possible to use route-map as a so-called suppress-map instead of the summary-all keyword. This will allow you to select which component subnets are advertised along with the summary route and which are filtered. Below we configure a suppress map on R1 to allow the network 23.0.0.0 /24 along with the 20.0.0.0 /6 summary route.
R1#configure terminalNote that the access-list denies the subnet that is to be allowed and permits the routes that are to be filtered out. It would be reverse if the route-map used a deny statement instead of a permit, but that is just making things more complicated than they have to be.
R1(config)#ip access-list extended ACL_SUPPRESS_MAP
R1(config-ext-nacl)#deny ip host 23.0.0.0 host 255.255.255.0
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)#exit
R1(config)#route-map RMAP_SUPPRESS_MAP permit 10
R1(config-route-map)#match ip address ACL_SUPPRESS_MAP
R1(config-route-map)#exit
R1(config)#router bgp 1
R1(config-router)#no aggregate-address 20.0.0.0 252.0.0.0 summary-only
R1(config-router)#aggregate-address 20.0.0.0 252.0.0.0 suppress-map RMAP_SUPPRESS_MAP
Now we should be able to see the result on R3.
R3#show ip bgp | include 2(0|1|2|3).0.0.0As expected, the 23.0.0.0 /24 network is now in the BGP table and the routing table. Note that the 23.0.0.0 /23 subnets shows the AS 2 in the path now, but the aggregate address still omits it (because it is advertised by R1 - not R2).
*> 20.0.0.0/6 10.0.13.1 0 0 1 i
*> 23.0.0.0/24 10.0.13.1 0 1 2 i
R3#show ip route bgp | include 2(0|1|2|3).0.0.0
B 20.0.0.0/6 [20/0] via 10.0.13.1, 00:05:56
23.0.0.0/24 is subnetted, 1 subnets
B 23.0.0.0 [20/0] via 10.0.13.1, 00:06:26
Now, there is a slight problem with the aggregation configuration, however, that may affect routes on R2. R1 will send the aggregate route to R2 as well and R2 will enter it into the BGP table and routing table.
R2#show ip bgp | include 2(0|1|2|3)This would cause R2 to send traffic to R1 in the case of one of its locally connected interfaces would go down - this may cause some undesired effects.
BGP table version is 34, local router ID is 22.0.0.1
*> 20.0.0.0/24 0.0.0.0 0 32768 i
*> 20.0.0.0/6 10.0.12.1 0 0 1 i
*> 21.0.0.0/24 0.0.0.0 0 32768 i
*> 22.0.0.0/24 0.0.0.0 0 32768 i
*> 23.0.0.0/24 0.0.0.0 0 32768 i
R2#show ip bgp | include 2(0|1|2|3).0.0.0
*> 20.0.0.0/24 0.0.0.0 0 32768 i
*> 20.0.0.0/6 10.0.12.1 0 0 1 i
*> 21.0.0.0/24 0.0.0.0 0 32768 i
*> 22.0.0.0/24 0.0.0.0 0 32768 i
*> 23.0.0.0/24 0.0.0.0 0 32768 i
R2#show ip route | include 2(0|1|2|3).0.0.0
B 20.0.0.0/6 [20/0] via 10.0.12.1, 1d00h
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.0.0.0/24 is directly connected, Loopback0
21.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 21.0.0.0/24 is directly connected, Loopback1
22.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 22.0.0.0/24 is directly connected, Loopback2
23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 23.0.0.0/24 is directly connected, Loopback3
What if we would just like to have R2 discard the routes as they are indeed an aggregate based on the subnets originating from R2? Well, we just tell router R1 to populate the AS-SET of the AS_PATH PA with the as-set keyword.
Below we remove the previous aggregate using the suppress-map and reapply the summary-only, but now with the as-set keyword as well.
R1#configure terminalAs we can see below, R1 is advertising the summary route to R2.
R1(config)#router bgp 1
R1(config-router)#no aggregate-address 20.0.0.0 252.0.0.0 suppress-map RMAP_SUPPRESS_MAP
R1(config-router)#aggregate-address 20.0.0.0 252.0.0.0 summary-only as-set
R1#show ip bgp neighbor 10.0.12.2 advertised-routes | include (2(0|1|2|3))|NetworkBut R2 is not installing it into its BGP table - because the update contains its own ASN in the path and therefore is discarded. This can be verified on R2 by enabling debugging and doing an inbound route refresh.
Network Next Hop Metric LocPrf Weight Path
*> 20.0.0.0/6 0.0.0.0 100 32768 2 i
R2#debug ip bgp updates inR2 now rejects the aggregate update due to "AS-Path contains our own AS".
BGP updates debugging is on (inbound) for address family: IPv4 Unicast
R2#clear ip bgp * in
<output omitted>
*Apr 15 20:35:55.144: BGP(0): 10.0.12.1 rcv UPDATE w/ attr: nexthop 10.0.12.1, origin i, metric 0, aggregated by 1 1.1.1.1, originator 0.0.0.0, merged path 1 2, AS_PATH , community , extended community , SSA attribute
*Apr 15 20:35:55.144: BGPSSA ssacount is 0
*Apr 15 20:35:55.144: BGP(0): 10.0.12.1 rcv UPDATE about 20.0.0.0/6 -- DENIED due to: AS-PATH contains our own AS;
<output omitted>
No comments:
Post a Comment