“Insanity: doing the same thing over and over again and expecting different results.”
Albert Einstein
This is an appropriate way to start this post because over the last three nights, I have done the same BGP lab a few times, and I keep doing the same configuration and am getting the same result when I expect something completely different.
I have been messing around with INE’s VOL1 BGP labs lately, trying to focus on a weak point before my next lab attempt, and I came across BGP Conditional Route Injection. A relatively simple topic, you inject more specific routes if your match conditions are present (exist) or not present (non-exist). Your match conditions are usually the aggregate address and the next-hop (your BGP neighbor) that sent you the route.
This is the topology we are going to be working with
Let us say you are tasked with the following,
“On R2 and R3 configure an aggregate for subnets, 172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24, 172.16.2.0/24, 172.16.3.0/24, 172.16.4.0/24, 172.16.5.0/24, 172.16.6.0/24, 172.16.7.0/24 and do not allow any specific routes to be installed in R4, R5 or R6. On R4, configure BGP Conditional Route Injection to advertise 172.16.0.0/24, 172.16.2.0/24, and 172.16.7.0/24 to R5 and R6. Do not allow the more specific routes to return to R3 and R2.”
OK, without confusing myself anymore, here is the proper way to configure this. Along the way, I will show where I was constantly messing up and why my mind couldn’t get over it.
Configuration
OK, so the aggregation configuration applied to R2 and R3
# R2 Config
R2(config)# router bgp 123
R2(config-router)# aggregate-address 172.16.0.0 255.255.248.0 summary-only
# R3 Config
R3(config)# router bgp 123
R3(config-router)# aggregate-address 172.16.0.0 255.255.248.0 summary-onlySo now, if we look at the BGP table on R4, we will only see the summary for 172.16.0.0/21 and no specific routes that make up that summary
R4#sh ip bgp | beg 172.16.[01234567].0
* 172.16.0.0/21 172.17.34.3 0 0 123 i
*> 172.17.24.2 0 0 123 iInject-Map Configuration
OK, we have the aggregate now; let us configure R4 to inject the networks requested if the aggregate is present.
R4(config)#ip prefix-list AGGREGATE permit 172.16.0.0/21
R4(config)#ip prefix-list NEXT_HOP_ROUTER permit 172.17.24.2/32
R4(config)#ip prefix-list NEXT_HOP_ROUTER permit 172.17.34.3/32
R4(config)#ip prefix-list INJECT permit 172.16.0.0/24
R4(config)#ip prefix-list INJECT permit 172.16.2.0/24
R4(config)#ip prefix-list INJECT permit 172.16.7.0/24
R4(config)#route-map EXIST permit 1
R4(config-route-map)#match ip address pre
R4(config-route-map)#match ip address prefix-list AGGREGATE
R4(config-route-map)#match ip route-source prefix-list NEXT_HOP_ROUTER
R4(config-route-map)#exit
R4(config)#route-map INJECT permit 1
R4(config-route-map)#set ip address prefix-list INJECT
R4(config-route-map)#set origin igp
R4(config-route-map)#exit
R4(config)#router bgp 4
R4(config-router)#bgp inject-map INJECT exist-map EXISTAbove is the correct way to do it; every time I labbed it under the inject route-map, I would match it on the prefix-list. This would not do anything. What you are doing here is matching the criteria in the “Exist” route-map, the “Inject” route-map is setting what you want to be done, and since you are injecting routes, a match would not work as it would in a normal route-map to inject routes, in this particular scenario you must set in the inject route-map.
Verification of Injected Paths
OK, now that the rant is over and this is now burnt into the frontal cortex of my brain, we can move on. So, we are left with another fundamental problem here. If we look at what R4 is injecting into the BGP table, we can see a big potential problem
R4#sh ip bgp injected-paths
BGP table version is 36, local router ID is 172.18.46.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 172.16.0.0/24 172.17.24.2 0 i
*> 172.17.34.3 0 i
* 172.16.2.0/24 172.17.24.2 0 i
*> 172.17.34.3 0 i
* 172.16.7.0/24 172.17.24.2 0 i
*> 172.17.34.3 0 iR4 injects the routes, not copying any attributes from the aggregate. So, these two routes are getting reinstalled into R2 and R3. So, because R3 has the routes currently, it discards the routes;
BGP(0): 172.17.34.4 rcvd UPDATE w/ attr: nexthop 172.17.34.4, origin i, atomic-aggregate, aggregated by 123 172.16.123.3, path 4
BGP(0): 172.17.34.4 rcvd 172.16.7.0/24...duplicate ignored
BGP(0): 172.17.34.4 rcvd 172.16.2.0/24...duplicate ignored
BGP(0): 172.17.34.4 rcvd 172.16.0.0/24...duplicate ignoredBut what if we did some route filtering and denied the routes from going to R3 from R2 and R1
R3(config)#ip prefix-list DENYTEST deny 172.16.0.0/24
R3(config)#ip prefix-list DENYTEST deny 172.16.2.0/24
R3(config)#ip prefix-list DENYTEST deny 172.16.7.0/24
R3(config)#ip prefix-list DENYTEST permit 0.0.0.0/0 le 32
R3(config)#router bgp 123
R3(config-router)#nei 2.2.2.2 prefix-list DENYTEST in
R3(config-router)#nei 1.1.1.1 prefix-list DENYTEST in
R3(config-router)#end
R3#clear ip bgp 172.17.34.4 soft
BGP(0): 172.17.34.4 rcvd UPDATE w/ attr: nexthop 172.17.34.4, origin i, atomic-aggregate, aggregated by 123 172.16.123.3, path 4
BGP(0): 172.17.34.4 rcvd 172.16.7.0/24...duplicate ignored
BGP(0): 172.17.34.4 rcvd 172.16.2.0/24...duplicate ignored
BGP(0): 172.17.34.4 rcvd 172.16.0.0/24...duplicate ignoredSo we see the duplicates are still being ignored, but if we look at the BGP table, we see that the next-hops are no longer 1.1.1.1, but they are 172.17.34.4, which is R4
R3#sh ip bgp | inc 172.16.[0127].0
s> 172.16.0.0/24 172.17.34.4 0 4 i
*> 172.16.0.0/21 0.0.0.0 32768 i
s>i172.16.1.0/24 1.1.1.1 0 100 0 i
s> 172.16.2.0/24 172.17.34.4 0 4 i
s> 172.16.7.0/24 172.17.34.4 0 4 iSo there are a few easy ways to fix this,
1. Create a filter on R4 denying the more specific routes from going to R2 and R3
2. Create a filter on R2 and R3 from denying the routes in from R4
3. Add copy-attributes at the end of the inject map statement
We are going to go with option 3. So, we are leaving the filtering in on R3, denying the prefix R1 and R2. On R4, we are going to configure the following.
R4(config)#router bgp 4
R4(config-router)#bgp inject-map INJECT exist-map EXIST copy-attributesThis will yield the following in the R4.
R4#sh ip bgp injected-paths
BGP table version is 39, local router ID is 172.18.46.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 172.16.0.0/24 172.17.24.2 0 0 123 i
* 172.17.34.3 0 0 123 i
*> 172.16.2.0/24 172.17.24.2 0 0 123 i
* 172.17.34.3 0 0 123 i
*> 172.16.7.0/24 172.17.24.2 0 0 123 i
* 172.17.34.3 0 0 123 i
R4#If we clear the BGP table on R3, we should see the prefix denied because of the AS Path loop prevention mechanism.
BGP(0): 172.17.34.4 rcv UPDATE w/ attr: nexthop 172.17.34.4, origin i, atomic-aggregate, aggregated by 123 2.2.2.2, originator 0.0.0.0, path 4 123, community , extended community
BGP(0): 172.17.34.4 rcv UPDATE about 172.16.7.0/24 -- DENIED due to: AS-PATH contains our own AS;
BGP(0): no valid path for 172.16.7.0/24
BGP(0): 172.17.34.4 rcv UPDATE about 172.16.2.0/24 -- DENIED due to: AS-PATH contains our own AS;
BGP(0): no valid path for 172.16.2.0/24
BGP(0): 172.17.34.4 rcv UPDATE about 172.16.0.0/24 -- DENIED due to: AS-PATH contains our own AS;
BGP(0): no valid path for 172.16.0.0/24