Cisco BGP route-map continue statement confusion


I was confused by the wording of Cisco regarding the route-map continue statement Route maps have a linear behavior, not a nested behavior. Once a route is matched in a route map permit entry with a continue command clause, it will not be processed by the implicit deny at the end of the route-map. Therefore I've designed the following lab to check the actual behaviour
 R1 configuration: 
R1#show run
Building configuration...

!
hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 20.20.20.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
router bgp 65001
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 20.20.20.0 mask 255.255.255.0
 neighbor 10.10.10.2 remote-as 65002
 neighbor 10.10.10.2 send-community both
 neighbor 10.10.10.2 route-map TEST out
 no auto-summary
!
ip bgp-community new-format
!
route-map TEST permit 10
 set community 65001:65002
!
route-map TEST1 permit 10
!
end
Scenario 1: In this one we will match prefix list and community list on continue statement and advertise to R3 : 
hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.10.10.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 10.10.10.5 255.255.255.252
 duplex auto
 speed auto
!
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.6 remote-as 65003
 neighbor 10.10.10.6 send-community both
 neighbor 10.10.10.6 route-map BLOCK-IT out
 no auto-summary
!

ip bgp-community new-format
ip community-list 100 permit 65001:65002

!
ip prefix-list SEND-ME seq 5 permit 20.20.20.0/24
!
route-map BLOCK-IT permit 10
 match ip address prefix-list SEND-ME
 continue 100
!
route-map BLOCK-IT permit 100
 match community 100
 set community 65002:65003 additive
!
!
as we expected we see the output on R3: 
R3#show ip bgp 20.20.20.20
BGP routing table entry for 20.20.20.0/24, version 4
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  65002 65001
    10.10.10.5 from 10.10.10.5 (2.2.2.2)
      Origin IGP, localpref 100, valid, external, best
      Community: 65001:65002 65002:65003
But if we change the community list 100 as follows, still we are observing the prefixes are advertised but no community values are added 
R2#sho ip community-list 100
Community (expanded) access list 100
    permit 65001:10000
If you are expecting the prefixes that not matched the community list should be dropped that is not the case !!! 
R3#show ip bgp 20.20.20.20
BGP routing table entry for 20.20.20.0/24, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  65002 65001
    10.10.10.5 from 10.10.10.5 (2.2.2.2)
      Origin IGP, localpref 100, valid, external, best
      Community: 65001:65002
So cisco says you need to define your explicit deny statement as follows if you want to drop that doesn't match. Therefore if you define the final drop statement it will drop that doesn't match. 
route-map BLOCK-IT permit 10
 match ip address prefix-list SEND-ME
 continue 100
!
route-map BLOCK-IT permit 100
 match community 100
 set community 65002:65003 additive
!
route-map BLOCK-IT deny 110


R3#show ip bgp 20.20.20.20
% Network not in table
as defined in cisco if there is a match in the flow of route-map and then if it is transferred to continue statement you can't expect that it will be denied from the implicit deny statement. Tested in Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T

Comments

Post a Comment

Popular posts from this blog

PPTP Server as Cisco for Mikrotik Client

Image
Following configuration explains the Cisco as PPTP server and connecting two sites: Following Configuration needed to enable the VPDN and default server: vpdn enable ! vpdn-group Mtik ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 interface Virtual-Template1 ip unnumbered Loopback0 peer default ip address pool IPPOOL1 ppp encrypt mppe auto required ppp authentication ms-chap-v2 ms-chap pap ip local pool IPPOOL1 192.168.150.10 192.168.150.224 Few more additional things we need to keep the same ip address for the user: aaa new-model ! ! aaa authentication ppp default local aaa authorization network default local ! aaa attribute list Gobi attribute type addr 192.168.150.13 service ppp protocol ip mandatory attribute type route "10.0.0.0 255.255.255.0 192.168.150.13" attribute type interface-config "description Gobi-test" Finally apply the attribute list to the user: username gobi password 0 test username gobi aaa attri...
Read more

proxy arp

Image
In the above diagram , both hosts don't have default routes. But both are in the same /16 subnet. When host1 tries to ping host2 will it be able to ping ? Yes this behaviour due to the Proxy Arp feature. Note: Cisco by default enabled the proxy arp feature you have to disable it manually . Check the following Debug messages "debug arp" from the router. When the Arp request for 192.168.20.101 received on the router Fa0/1 it replies with its own mac address of fa0/1. (c200.03fc.0001)and vice versa *Mar 1 00:11:43.071: IP ARP: rcvd req src 192.168.12.154 00aa.00f4.6800, dst 192.168.20.101 FastEthernet0/1 *Mar 1 00:11:43.075: IP ARP: sent rep src 192.168.20.101 c200.03fc.0001,dst 192.168.12.154 00aa.00f4.6800 FastEthernet0/1 *Mar 1 00:13:13.067: IP ARP: rcvd req src 192.168.20.101 00aa.0041.1d00, dst 192.168.12.154 FastEthernet0/0 *Mar 1 00:13:13.067: IP ARP: sent rep src 192.168.12.154 c200.03fc.0000, dst 192.168.20.101 00aa.0041.1d00 FastEther...
Read more

l2tpv3 configuration reference

Image
Reference Comparing , Designing and Deploying VPNs chap - 02 : L2TPv3 is the enhanced version of L2TPv2 protocol. Mikrotik uses L2TPv2 i suppose but it offer another similar tunneling mechanism as EOIP. L2TPv3 in cisco provides Pseudo-wire services to the customer. L2TPv3 only require the IP connectivity between peers but it can transport Ethernet, 802.1Q , HDLC, PPP framerelay etc. Advantage over MPLS is the customer having the full control of their routing domain. L2TP depolyment methods having 3 topologies LAC - LNS , LNS - LNS , LAC - LAC Following Diagram explain simple LAC - LAC L2TPv3 setup. It uses two types of messages: control connection messages - used for signaling between LCEs session data messages - Used to transport layer 2 protocols and connections Data channel Message Header having Session ID & cookie to correctly associate with the tunnel Deploying dynamic Pseudowires session 1) configure CEF - Its default in IOSs now. 2) configure a loopback in...
Read more