Cisco BGP route-map continue statement confusion


I was confused by the wording of Cisco regarding the route-map continue statement Route maps have a linear behavior, not a nested behavior. Once a route is matched in a route map permit entry with a continue command clause, it will not be processed by the implicit deny at the end of the route-map. Therefore I've designed the following lab to check the actual behaviour
 R1 configuration: 
R1#show run
Building configuration...

!
hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 20.20.20.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
router bgp 65001
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 20.20.20.0 mask 255.255.255.0
 neighbor 10.10.10.2 remote-as 65002
 neighbor 10.10.10.2 send-community both
 neighbor 10.10.10.2 route-map TEST out
 no auto-summary
!
ip bgp-community new-format
!
route-map TEST permit 10
 set community 65001:65002
!
route-map TEST1 permit 10
!
end
Scenario 1: In this one we will match prefix list and community list on continue statement and advertise to R3 : 
hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.10.10.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 10.10.10.5 255.255.255.252
 duplex auto
 speed auto
!
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.6 remote-as 65003
 neighbor 10.10.10.6 send-community both
 neighbor 10.10.10.6 route-map BLOCK-IT out
 no auto-summary
!

ip bgp-community new-format
ip community-list 100 permit 65001:65002

!
ip prefix-list SEND-ME seq 5 permit 20.20.20.0/24
!
route-map BLOCK-IT permit 10
 match ip address prefix-list SEND-ME
 continue 100
!
route-map BLOCK-IT permit 100
 match community 100
 set community 65002:65003 additive
!
!
as we expected we see the output on R3: 
R3#show ip bgp 20.20.20.20
BGP routing table entry for 20.20.20.0/24, version 4
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  65002 65001
    10.10.10.5 from 10.10.10.5 (2.2.2.2)
      Origin IGP, localpref 100, valid, external, best
      Community: 65001:65002 65002:65003
But if we change the community list 100 as follows, still we are observing the prefixes are advertised but no community values are added 
R2#sho ip community-list 100
Community (expanded) access list 100
    permit 65001:10000
If you are expecting the prefixes that not matched the community list should be dropped that is not the case !!! 
R3#show ip bgp 20.20.20.20
BGP routing table entry for 20.20.20.0/24, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  65002 65001
    10.10.10.5 from 10.10.10.5 (2.2.2.2)
      Origin IGP, localpref 100, valid, external, best
      Community: 65001:65002
So cisco says you need to define your explicit deny statement as follows if you want to drop that doesn't match. Therefore if you define the final drop statement it will drop that doesn't match. 
route-map BLOCK-IT permit 10
 match ip address prefix-list SEND-ME
 continue 100
!
route-map BLOCK-IT permit 100
 match community 100
 set community 65002:65003 additive
!
route-map BLOCK-IT deny 110


R3#show ip bgp 20.20.20.20
% Network not in table
as defined in cisco if there is a match in the flow of route-map and then if it is transferred to continue statement you can't expect that it will be denied from the implicit deny statement. Tested in Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T

Comments

Post a Comment

Popular posts from this blog

l2tpv3 configuration reference

Image
Reference Comparing , Designing and Deploying VPNs chap - 02 : L2TPv3 is the enhanced version of L2TPv2 protocol. Mikrotik uses L2TPv2 i suppose but it offer another similar tunneling mechanism as EOIP. L2TPv3 in cisco provides Pseudo-wire services to the customer. L2TPv3 only require the IP connectivity between peers but it can transport Ethernet, 802.1Q , HDLC, PPP framerelay etc. Advantage over MPLS is the customer having the full control of their routing domain. L2TP depolyment methods having 3 topologies LAC - LNS , LNS - LNS , LAC - LAC Following Diagram explain simple LAC - LAC L2TPv3 setup. It uses two types of messages: control connection messages - used for signaling between LCEs session data messages - Used to transport layer 2 protocols and connections Data channel Message Header having Session ID & cookie to correctly associate with the tunnel Deploying dynamic Pseudowires session 1) configure CEF - Its default in IOSs now. 2) configure a loopback in
Read more

mikrotik queue tree - Per connection queuing.

Image
One of the cool feature on Mikrotik queuing is Per Connection Queuing . we can equally distribute the bandwidth among Number of users.[1] This setup explores the per connection queuing in the congestion situation and how to utilize the priority queuing features. [Please note Mikrotik Queue lowest priority value have highest priority eg: queue priority 7 traffic gets highest preference over queue priority 8  ] In this test setup 192.168.92.50 and 51 given 512Kbps per connection queuing(PCQ) Priority 6 . 192.168.52 and 54 placed under 256Kbps PCQ (Priority 8) and further youtube users given 384Kbps irrespective to the queue they are currently placed ( FIFO) . 1) Bridge setup - " Don't forget to enable the bridge firewall :) " /interface bridge add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=1522 \ max-message-age=20s mtu=1500 name=br_traffic_shaper priority=0x8000 protocol-mode=none
Read more

Decoding BGP Notification Error

Following Log messages are normal in the IX scenario but decode the error message is quite interesting: We will see why this error message popped up : : %BGP-3-NOTIFICATION: sent to neighbor 10.10.194.236 2/7 (unsupported/disjoint capability) 0 bytes  FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0039 0104 xx0D 00B4 C06A 1102 1C02 0601 0400 0200 0102 0280 0002 0202 0002 0246 0002 0641 0400 00C4 0D its a raw hex out  of the BGP open message and starts from the marker  16byte FF so the actual output starts from 0039  2 byte length value : 00 39 - 57 1 byte Type : 01 open message 1 byte Version : 04 2 byte ASN : xx0D  [ modified to remove the relevant information ] 2 byte holdtime : 00 B4 - 180 Seconds 4 byte BGP identifier : C06A 1102 [ modified ] 1 byte Optional parameter length : 1C   - 28 bytes Refer RFC: http://tools.ietf.org/html/rfc5492 http://tools.ietf.org/html/draft-ietf-idr-ext-opt-param-02 http://www.iana.org/assignments/capability-codes/capability-c
Read more