Tuesday, October 11, 2011

BGP Route Map Logic

A route map is an extremely powerful and versatile tool for filtering routes and manipulating BGP attributes. In BGP, route maps are used in the following commands:
aggregate-address address mask advertise-map route-map-name
aggregate-address address mask as-set route-map-name
aggregate-address address mask attribute-map route-map-name
aggregate-address address mask route-map route-map-name
aggregate-address address mask suppress-map route-map-name
bgp dampening route-map route-map-name
neighbor ip-addr advertise-map route-map-name {exist-map | non-exist-map} map-name
neighbor ip-addr default-originate route-map route-map-name
neighbor ip-addr route-map route-map-name {in | out}
neighbor ip-addr unsuppress-map route-map-name
redistribute protocol route-map route-map-name

Network Setup for BGP Route Map Logic

The network setup above is used to demonstrate the logic of route maps.
The output below shows the BGP table on RT2 before any route map is applied.
RT2#sh ip bgp
BGP table version is 5, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.1.0/24    12.12.12.1               0             0 1 i
*> 172.16.2.0/24    12.12.12.1               0             0 1 i
*> 192.168.1.0      12.12.12.1               0             0 1 i
*> 192.168.2.0      12.12.12.1               0             0 1 i
RT2#

The output below shows the effect of applying a route map to the neighbor on RT2 when the route map itself is not defined – all routes are denied.
RT2#debug ip bgp updates
BGP updates debugging is on
RT2#
RT2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT2(config)#router bgp 2
RT2(config-router)#neighbor 12.12.12.1 route-map map01 in
RT2(config-router)#exit
RT2(config)#
RT2(config)#do clear ip bgp 12.12.12.1 in
RT2(config)#
00:01:53: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.1, origin i, metric 0, path 1
00:01:53: BGP(0): 12.12.12.1 rcvd 172.16.1.0/24 -- DENIED due to: route-map;
00:01:53: BGP(0): no valid path for 172.16.1.0/24
00:01:53: BGP(0): 12.12.12.1 rcvd 172.16.2.0/24 -- DENIED due to: route-map;
00:01:53: BGP(0): no valid path for 172.16.2.0/24
00:01:53: BGP(0): 12.12.12.1 rcvd 192.168.1.0/24 -- DENIED due to: route-map;
00:01:53: BGP(0): no valid path for 192.168.1.0/24
00:01:53: BGP(0): 12.12.12.1 rcvd 192.168.2.0/24 -- DENIED due to: route-map;
00:01:53: BGP(0): no valid path for 192.168.2.0/24
00:01:53: BGP(0): nettable_walker 172.16.1.0/24 no best path
00:01:53: BGP(0): nettable_walker 172.16.2.0/24 no best path
00:01:53: BGP(0): nettable_walker 192.168.1.0/24 no best path
00:01:53: BGP(0): nettable_walker 192.168.2.0/24 no best path
00:01:53: BGP(0): 12.12.12.1 computing updates, afi 0, neighbor version 5, table version 9, starting at 0.0.0.0
00:01:53: BGP(0): 12.12.12.1 update run completed, afi 0, ran for 4ms, neighbor version 5, start version 9, throttled to 9
RT2(config)#
RT2(config)#do sh ip bgp

RT2(config)#

The output below shows the effect of configuring an empty route-map permit statement on RT2.
RT2(config)#route-map map01 permit 10
RT2(config-route-map)#exit
RT2(config)#
RT2(config)#do clear ip bgp 12.12.12.1 in
RT2(config)#
00:02:23: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.1, origin i, metric 0, path 1
00:02:23: BGP(0): 12.12.12.1 rcvd 172.16.1.0/24
00:02:23: BGP(0): 12.12.12.1 rcvd 172.16.2.0/24
00:02:23: BGP(0): 12.12.12.1 rcvd 192.168.1.0/24
00:02:23: BGP(0): 12.12.12.1 rcvd 192.168.2.0/24
00:02:23: BGP(0): Revise route installing 1 of 1 route for 172.16.1.0/24 -> 12.12.12.1 to main IP table
00:02:23: BGP(0): Revise route installing 1 of 1 route for 172.16.2.0/24 -> 12.12.12.1 to main IP table
00:02:23: BGP(0): Revise route installing 1 of 1 route for 192.168.1.0/24 -> 12.12.12.1 to main IP table
00:02:23: BGP(0): Revise route installing 1 of 1 route for 192.168.2.0/24 -> 12.12.12.1 to main IP table
00:02:23: BGP(0): 12.12.12.1 computing updates, afi 0, neighbor version 9, table version 13, starting at 0.0.0.0
00:02:23: BGP(0): 12.12.12.1 update run completed, afi 0, ran for 4ms, neighbor version 9, start version 13, throttled to 13
RT2(config)#
RT2(config)#do sh ip bgp
BGP table version is 13, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.1.0/24    12.12.12.1               0             0 1 i
*> 172.16.2.0/24    12.12.12.1               0             0 1 i
*> 192.168.1.0      12.12.12.1               0             0 1 i
*> 192.168.2.0      12.12.12.1               0             0 1 i
RT2(config)#
The empty form of the route-map permit statement allows all routes – equivalent to permit any in an IP access list.

Now change the route map from permit to deny.
The deny form of the empty route map denies all routes.
RT2(config)#route-map map01 deny 10
RT2(config-route-map)#exit
RT2(config)#
RT2(config)#do clear ip bgp 12.12.12.1 in
RT2(config)#
00:02:53: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.1, origin i, metric 0, path 1
00:02:53: BGP(0): 12.12.12.1 rcvd 172.16.1.0/24 -- DENIED due to: route-map;
00:02:53: BGP(0): no valid path for 172.16.1.0/24
00:02:53: BGP(0): 12.12.12.1 rcvd 172.16.2.0/24 -- DENIED due to: route-map;
00:02:53: BGP(0): no valid path for 172.16.2.0/24
00:02:53: BGP(0): 12.12.12.1 rcvd 192.168.1.0/24 -- DENIED due to: route-map;
00:02:53: BGP(0): no valid path for 192.168.1.0/24
00:02:53: BGP(0): 12.12.12.1 rcvd 192.168.2.0/24 -- DENIED due to: route-map;
00:02:53: BGP(0): no valid path for 192.168.2.0/24
00:02:53: BGP(0): nettable_walker 172.16.1.0/24 no best path
00:02:53: BGP(0): nettable_walker 172.16.2.0/24 no best path
00:02:53: BGP(0): nettable_walker 192.168.1.0/24 no best path
00:02:53: BGP(0): nettable_walker 192.168.2.0/24 no best path
00:02:53: BGP(0): 12.12.12.1 computing updates, afi 0, neighbor version 13, table version 17, starting at 0.0.0.0
00:02:53: BGP(0): 12.12.12.1 update run completed, afi 0, ran for 4ms, neighbor version 13, start version 17, throttled to 17
RT2(config)#
RT2(config)#do sh ip bgp

RT2(config)#

The numbered route-map statement can be either a permit or deny; the match clause, if used, can also be either a permit or deny. Therefore, a route map has 4 basic forms or permutations:
route-map permit, match permit
route-map permit, match deny
route-map deny, match permit
route-map deny, match deny

The first 2 forms are commonly used to allow certain routes to be accepted while denying others.
RT2(config)#access-list 1 permit 172.16.1.0 0.0.0.255
RT2(config)#route-map map01 permit 10
RT2(config-route-map)#match ip address 1
RT2(config-route-map)#exit
RT2(config)#
RT2(config)#do clear ip bgp 12.12.12.1 in
RT2(config)#
00:03:19: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.1, origin i, metric 0, path 1
00:03:19: BGP(0): 12.12.12.1 rcvd 172.16.1.0/24
00:03:19: BGP(0): 12.12.12.1 rcvd 172.16.2.0/24 -- DENIED due to: route-map;
00:03:19: BGP(0): 12.12.12.1 rcvd 192.168.1.0/24 -- DENIED due to: route-map;
00:03:19: BGP(0): 12.12.12.1 rcvd 192.168.2.0/24 -- DENIED due to: route-map;
00:03:19: BGP(0): Revise route installing 1 of 1 route for 172.16.1.0/24 -> 12.12.12.1 to main IP table
00:03:20: BGP(0): 12.12.12.1 computing updates, afi 0, neighbor version 17, table version 18, starting at 0.0.0.0
00:03:20: BGP(0): 12.12.12.1 update run completed, afi 0, ran for 0ms, neighbor version 17, start version 18, throttled to 18
RT2(config)#
RT2(config)#do sh ip bgp
BGP table version is 18, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.1.0/24    12.12.12.1               0             0 1 i
RT2(config)#

To determine when the route map terminates execution upon a match, add another route-map statement to the route map on RT2:
RT2(config)#route-map map01 permit 20
RT2(config-route-map)#set metric 10
RT2(config-route-map)#exit
RT2(config)#
RT2(config)#do clear ip bgp 12.12.12.1 in
RT2(config)#
00:03:46: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.1, origin i, metric 0, path 1
00:03:46: BGP(0): 12.12.12.1 rcvd 172.16.1.0/24...duplicate ignored
00:03:46: BGP(0): 12.12.12.1 rcvd 172.16.2.0/24
00:03:46: BGP(0): 12.12.12.1 rcvd 192.168.1.0/24
00:03:46: BGP(0): 12.12.12.1 rcvd 192.168.2.0/24
00:03:46: BGP(0): Revise route installing 1 of 1 route for 172.16.2.0/24 -> 12.12.12.1 to main IP table
00:03:46: BGP(0): Revise route installing 1 of 1 route for 192.168.1.0/24 -> 12.12.12.1 to main IP table
00:03:46: BGP(0): Revise route installing 1 of 1 route for 192.168.2.0/24 -> 12.12.12.1 to main IP table
00:03:51: BGP(0): 12.12.12.1 computing updates, afi 0, neighbor version 18, table version 21, starting at 0.0.0.0
00:03:51: BGP(0): 12.12.12.1 update run completed, afi 0, ran for 4ms, neighbor version 18, start version 21, throttled to 21
RT2(config)#
RT2(config)#do sh ip bgp
BGP table version is 21, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.1.0/24    12.12.12.1               0             0 1 i
*> 172.16.2.0/24    12.12.12.1              10             0 1 i
*> 192.168.1.0      12.12.12.1              10             0 1 i
*> 192.168.2.0      12.12.12.1              10             0 1 i
RT2(config)#
When a route matches a permit entry in the access list referenced by the match clause, the route is accepted and route-map processing ends for that route. When a route hits a deny entry (here, the implicit deny at the end of the access list), the route is not accepted by that statement, but execution continues and the route is processed by the next route-map statement. If there is no other route-map statement, all remaining routes are rejected.

The last 2 forms of a route map contain a route-map deny statement.
Change the route-map statement to deny, but do not change the IP access list.
RT2(config)#no route-map map01
RT2(config)#do sh route-map

RT2(config)#
RT2(config)#route-map map01 deny 10
RT2(config-route-map)#match ip address 1
RT2(config-route-map)#exit
RT2(config)#
RT2(config)#do clear ip bgp 12.12.12.1 in
RT2(config)#
00:04:18: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.1, origin i, metric 0, path 1
00:04:18: BGP(0): 12.12.12.1 rcvd 172.16.1.0/24 -- DENIED due to: route-map;
00:04:18: BGP(0): no valid path for 172.16.1.0/24
00:04:18: BGP(0): 12.12.12.1 rcvd 172.16.2.0/24 -- DENIED due to: route-map;
00:04:18: BGP(0): no valid path for 172.16.2.0/24
00:04:18: BGP(0): 12.12.12.1 rcvd 192.168.1.0/24 -- DENIED due to: route-map;
00:04:18: BGP(0): no valid path for 192.168.1.0/24
00:04:18: BGP(0): 12.12.12.1 rcvd 192.168.2.0/24 -- DENIED due to: route-map;
00:04:18: BGP(0): no valid path for 192.168.2.0/24
00:04:18: BGP(0): nettable_walker 172.16.1.0/24 no best path
00:04:18: BGP(0): nettable_walker 172.16.2.0/24 no best path
00:04:18: BGP(0): nettable_walker 192.168.1.0/24 no best path
00:04:18: BGP(0): nettable_walker 192.168.2.0/24 no best path
00:04:21: BGP(0): 12.12.12.1 computing updates, afi 0, neighbor version 21, table version 25, starting at 0.0.0.0
00:04:21: BGP(0): 12.12.12.1 update run completed, afi 0, ran for 4ms, neighbor version 21, start version 25, throttled to 25
RT2(config)#
RT2(config)#do sh ip bgp

RT2(config)#

All the routes are denied. To have only 172.16.1.0/24 denied by the route map, an empty route-map permit statement that acts like a permit any is required for the other routes.
RT2(config)#route-map map01 permit 20
RT2(config-route-map)#exit
RT2(config)#
RT2(config)#do clear ip bgp 12.12.12.1 in
RT2(config)#
00:04:47: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.1, origin i, metric 0, path 1
00:04:47: BGP(0): 12.12.12.1 rcvd 172.16.1.0/24 -- DENIED due to: route-map;
00:04:47: BGP(0): 12.12.12.1 rcvd 172.16.2.0/24
00:04:47: BGP(0): 12.12.12.1 rcvd 192.168.1.0/24
00:04:47: BGP(0): 12.12.12.1 rcvd 192.168.2.0/24
00:04:47: BGP(0): Revise route installing 1 of 1 route for 172.16.2.0/24 -> 12.12.12.1 to main IP table
00:04:47: BGP(0): Revise route installing 1 of 1 route for 192.168.1.0/24 -> 12.12.12.1 to main IP table
00:04:47: BGP(0): Revise route installing 1 of 1 route for 192.168.2.0/24 -> 12.12.12.1 to main IP table
00:04:47: BGP(0): 12.12.12.1 computing updates, afi 0, neighbor version 25, table version 28, starting at 0.0.0.0
00:04:47: BGP(0): 12.12.12.1 update run completed, afi 0, ran for 4ms, neighbor version 25, start version 28, throttled to 28
RT2(config)#
RT2(config)#do sh ip bgp
BGP table version is 28, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.2.0/24    12.12.12.1               0             0 1 i
*> 192.168.1.0      12.12.12.1               0             0 1 i
*> 192.168.2.0      12.12.12.1               0             0 1 i
RT2(config)#

The last scenario implements a deny – deny, which becomes a permit for 172.16.1.0/24! :-)
RT2(config)#no access-list 1
RT2(config)#access-list 1 deny 172.16.1.0 0.0.0.255
RT2(config)#access-list 1 permit any
RT2(config)#do clear ip bgp 12.12.12.1 in
RT2(config)#
00:05:15: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.1, origin i, metric 0, path 1
00:05:15: BGP(0): 12.12.12.1 rcvd 172.16.1.0/24
00:05:15: BGP(0): 12.12.12.1 rcvd 172.16.2.0/24 -- DENIED due to: route-map;
00:05:15: BGP(0): no valid path for 172.16.2.0/24
00:05:15: BGP(0): 12.12.12.1 rcvd 192.168.1.0/24 -- DENIED due to: route-map;
00:05:15: BGP(0): no valid path for 192.168.1.0/24
00:05:15: BGP(0): 12.12.12.1 rcvd 192.168.2.0/24 -- DENIED due to: route-map;
00:05:15: BGP(0): no valid path for 192.168.2.0/24
00:05:15: BGP(0): Revise route installing 1 of 1 route for 172.16.1.0/24 -> 12.12.12.1 to main IP table
00:05:15: BGP(0): nettable_walker 172.16.2.0/24 no best path
00:05:15: BGP(0): nettable_walker 192.168.1.0/24 no best path
00:05:15: BGP(0): nettable_walker 192.168.2.0/24 no best path
00:05:15: BGP(0): 12.12.12.1 computing updates, afi 0, neighbor version 28, table version 32, starting at 0.0.0.0
00:05:15: BGP(0): 12.12.12.1 update run completed, afi 0, ran for 4ms, neighbor version 28, start version 32, throttled to 32
RT2(config)#
RT2(config)#do sh ip bgp
BGP table version is 32, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.1.0/24    12.12.12.1               0             0 1 i
RT2(config)#
RT2(config)#do sh route-map
route-map map01, deny, sequence 10
  Match clauses:
    ip address (access-lists): 1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map map01, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
RT2(config)#
RT2(config)#do sh access-list 1
Standard IP access list 1
    10 deny   172.16.1.0, wildcard bits 0.0.0.255 (1 match)
    20 permit any (3 matches)
RT2(config)#
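
The evaluation order shown in the scenarios above, modelled in Python as an added example (not part of the original post and not IOS code). The function names and the tuple layout are assumptions of this sketch, and the access lists are written in CIDR form instead of wildcard masks.

```python
from ipaddress import ip_network

# Constructed from the page's lab: the four prefixes RT2 receives, all with metric 0.
ROUTES = ["172.16.1.0/24", "172.16.2.0/24", "192.168.1.0/24", "192.168.2.0/24"]

def acl_permits(acl, prefix):
    """Standard ACL, first match wins; falling off the end is the implicit deny.
    Entries are (action, net) with net in CIDR form (0.0.0.255 wildcard == /24)."""
    addr = ip_network(prefix).network_address
    for action, net in acl:
        if net == "any" or addr in ip_network(net):
            return action == "permit"
    return False

def evaluate(clauses, acl, prefix, metric=0):
    """Return the metric the route is accepted with, or None if it is denied.
    clauses: ordered (action, has_match, set_metric) route-map statements."""
    for action, has_match, set_metric in clauses:
        if has_match and not acl_permits(acl, prefix):
            continue                      # ACL deny: fall through to next statement
        if action == "deny":
            return None                   # matched a route-map deny: rejected, stop
        return metric if set_metric is None else set_metric  # permit: accept, stop
    return None                           # undefined map or no statement matched

def bgp_table(clauses, acl=()):
    """Model of 'sh ip bgp' after 'clear ip bgp ... in': {prefix: metric}."""
    result = {}
    for prefix in ROUTES:
        metric = evaluate(clauses, acl, prefix)
        if metric is not None:
            result[prefix] = metric
    return result

ACL_PERMIT = [("permit", "172.16.1.0/24")]                 # access-list 1 permit 172.16.1.0 0.0.0.255
ACL_DENY = [("deny", "172.16.1.0/24"), ("permit", "any")]  # the deny / permit any version

if __name__ == "__main__":
    print(bgp_table([]))                                    # map01 referenced but not defined
    print(bgp_table([("permit", True, None)], ACL_PERMIT))  # permit / permit
    print(bgp_table([("permit", True, None), ("permit", False, 10)], ACL_PERMIT))
    print(bgp_table([("deny", True, None), ("permit", False, None)], ACL_PERMIT))
    print(bgp_table([("deny", True, None), ("permit", False, None)], ACL_DENY))
```

Running a proposed inbound policy through a model like this before applying it makes the implicit deny at the end of both the access list and the route map visible, which is where an unintended drop of all received routes usually comes from.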
