
Unable to filter routes from EBGP peer with AS path filter list..as regular expression
R1(AS100)-----------------R3(AS200)
router bgp 100
no synchronization
bgp log-neighbor-changes
bgp dmzlink-bw
network 1.1.1.1 mask 255.255.255.255
aggregate-address 112.0.0.0 248.0.0.0 as-set summary-only attribute-map ATT
neighbor 155.1.13.3 remote-as 200
neighbor 155.1.13.3 send-community both
neighbor 155.1.13.3 soft-reconfiguration inbound
neighbor 155.1.13.3 unsuppress-map TO_AS200
no auto-summary
I don't want to advertise 28.119.16.0/24 and 28.119.17.0/24 to R3... these routes are from AS 54.
Rack1R1#sh ip bgp regexp _54$
Network Next Hop Metric LocPrf Weight Path
*> 28.119.16.0/24 155.1.146.6 0 146 54 i
* 155.1.146.4 0 146 54 i
*> 28.119.17.0/24 155.1.146.6 0 146 54 i
* 155.1.146.4 0 146 54 i
I have applied a filter on R3 to match AS 54 and deny.
router bgp 200
no synchronization
bgp always-compare-med
bgp log-neighbor-changes
bgp bestpath as-path ignore
neighbor 155.1.13.1 remote-as 100
neighbor 155.1.13.1 send-community both
neighbor 155.1.13.1 route-map TOAS_60 in
no auto-summary
Rack1R3#sh route-map TOAS_60
route-map TOAS_60, permit, sequence 10
Match clauses:
community (community-list filter): 200:200
Set clauses:
local-preference 200
Policy routing matches: 0 packets, 0 bytes
route-map TOAS_60, permit, sequence 20
Match clauses:
as-path (as-path filter): 300 <--------------AS path 54
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map TOAS_60, permit, sequence 30
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Rack1R3#sh ip as-path-access-list 300
AS path access list 300
deny _54$ <<<<<<<<<<<<<<<<<<<<<<<
As the route-map is executed sequentially, in route-map TOAS_60, permit, sequence 10... these routes are not matching the community...
Rack1R3#sh ip bgp community 200:200
Network Next Hop Metric LocPrf Weight Path
*> 112.0.0.0 155.1.13.1 200 0 100 146 54 50 60 i
*> 113.0.0.0 155.1.13.1 200 0 100 146 54 50 60 i
So in permit 20 it should match the AS number 54.
However, I can see the route in the BGP table on R3...
Rack1R3#sh ip bgp 28.119.16.0
BGP routing table entry for 28.119.16.0/24, version 89
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to update-groups:
1 2 3
100 146 54
155.1.13.1 from 155.1.13.1 (150.1.1.1)
Origin IGP, localpref 100, valid, external, best
Not sure why R3 is accepting the route 28.119.16.0/24 and 28.119.17.0/24 from R1.
Please suggest.
/Ganpat
Comments
You have missed a part of the route-map logic. If you want to deny then you should put a deny in the route-map and permit in the AS-path ACL. As you have configured you have a permit with a deny, this means that routes are denied from matching that clause. Then you have an explicit permit at the end (statement 30). This statement, since it has no matching, is allowing everything else through.
So you need to reverse the logic to deny the routes.
I got it!!!
Thanks!!!
Hi,
As you mentioned ..."As you have configured you have a permit with a deny, this means that routes are denied from matching that clause."
If routes are denied here, then why are they getting matched in seq 30 again?
/Ganpat
They are not denied. They are denied from matching clause 20. If there was no clause 30 there would be an implicit deny and then these routes would not go through. Route-maps are a bit messy in the beginning but when you get the hold of it it's not that difficult.
Let's make a table

Route-map   Filter   Action
permit      permit   Routes are permitted
permit      deny     Routes denied from matching, subject to other clauses.
deny        permit   Routes are denied
deny        deny     Routes denied from being denied. Subject to other clauses.

So to deny routes we can either use permit in route-map with deny in filter and rely on implicit deny in end. We can't have an explicit permit in route-map then this will fail. The most straightforward way is to use deny in route-map and permit in filter. Routes that are denied in filter will not match the deny statement and move on to either implicit deny or other statements that follow.
Similar discussion with Scott Morris input
https://learningnetwork.cisco.com/thread/5857
Thanks a lot Daniel... that's the perfect explanation... thanks!!!
Thanks Dan!!!
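
The clause/filter combinations from the table in the thread, as an added example that is not part of the original posts: a small Python model of route-map evaluation (first matching clause decides, implicit deny at the end) run against the two AS paths shown on R3. The function names, the route dictionaries and the simplified translation of the IOS `_` metacharacter are assumptions of this sketch; set clauses are left out.

```python
import re

def cisco_re(pattern):
    # Assumption: IOS "_" matches start/end of string, space, comma, braces, parentheses.
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

def aspath_acl(entries, as_path):
    """First matching entry decides; no entry matching is an implicit deny.
    Returns True only when the filter *permits* the path."""
    for action, pattern in entries:
        if cisco_re(pattern).search(as_path):
            return action == "permit"
    return False

def route_map(clauses, route):
    """Return (verdict, sequence) of the first clause whose match conditions all
    hold. A clause with no match conditions matches everything."""
    for seq, action, matches in clauses:
        if all(m(route) for m in matches):
            return action, seq
    return "deny", None  # implicit deny at the end of every route-map

LIST_300 = [("deny", "_54$")]          # as-path access list as posted on R3
LIST_300_FIXED = [("permit", "_54$")]  # reversed logic suggested in the reply

def has_comm(r):
    return "200:200" in r["communities"]

# Route-map TOAS_60 as posted: permit clause 20 references a deny filter.
ORIGINAL = [
    (10, "permit", [has_comm]),
    (20, "permit", [lambda r: aspath_acl(LIST_300, r["as_path"])]),
    (30, "permit", []),
]
# Reversed: deny clause 20 references a permit filter.
FIXED = [
    (10, "permit", [has_comm]),
    (20, "deny", [lambda r: aspath_acl(LIST_300_FIXED, r["as_path"])]),
    (30, "permit", []),
]

# Constructed from the show output in the thread (paths as received on R3).
LEAKED = {"prefix": "28.119.16.0/24", "as_path": "100 146 54", "communities": []}
AGGREGATE = {"prefix": "112.0.0.0", "as_path": "100 146 54 50 60",
             "communities": ["200:200"]}

if __name__ == "__main__":
    for name, rm in (("original", ORIGINAL), ("fixed", FIXED)):
        for r in (LEAKED, AGGREGATE):
            print(name, r["prefix"], route_map(rm, r))
```

With the posted policy the 28.119.16.0/24 path falls through clause 20 and is accepted by the empty permit 30; with the reversed logic it is dropped at clause 20, while the community-tagged aggregate is still accepted at clause 10 in both cases.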