ExtremeSwitching (Other)


deny specific prefixes in bgp

Elie Raad

Elie Raad 06-22-2017 13:54

  • 1.  deny specific prefixes in bgp

    Posted 06-22-2017 13:10
    Hi,
    I am trying to deny the exact prefixes 66.133.0.0/23 and 66.133.2.0/23 from being advertised and allow everything else to an iBGP neighbor (214.63.21.4). The configuration should be done on 214.63.21.3 using a neighbor route-policy command.

    Neighbor 214.63.21.3 is connected to neighbor 214.63.21.4.

    Can someone help?
    Thank you,
    Elie



  • 2.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 13:48
    Hi Elie,

    You should be able to do this with a routing policy. See the link below for syntax details:
    http://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/Routing_Policies/r_routing-policy-file-...

    For example, you could do:

    entry ip_entry {
        if match any {
            nlri 66.133.0.0/23 exact;
            nlri 66.133.2.0/23 exact;
        }
        then {
            deny;
        }
    }


  • 3.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 16:52
    Thank you, Nick!
    Why didn't you use the exact keyword after the nlri 66.133.0.0/23?


  • 4.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 13:54
    First you create the policy:

    edit policy bgp-out

    An editor based on vi will be opened (press i to edit, ESC to stop editing, then type :wq to exit).

    Enter the following:

    entry bgp-out-00 {
        if match any {
            nlri 66.133.0.0/23;
            nlri 66.133.2.0/23;
        }
        then {
            deny;
        }
    }

    Then you apply the policy to a neighbor:

    configure bgp neighbor 214.63.21.4 route-policy out bgp-out

    If you edit the policy afterwards, you can refresh the changes by issuing the command:

    refresh policy bgp-out



  • 5.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 13:48
    Hi Brandon,
    All other routes, other than 66.133.0.0 and 66.133.2.0, will be allowed, correct? Or will everything else be blocked too?



  • 6.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 13:48
    Hi Elie,

    There is an implicit deny on routing policies, so you would need an explicit permit all entry to allow other prefixes.


  • 7.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 13:48
    So the end result for only denying the 66 and allowing all others would be something like this:

    configure bgp neighbor 30.119.210.6 route-policy out AS1187_OUT

    edit policy AS1187_OUT

    entry TOEXP {
        if match {
            nlri 66.133.0.0/23 exact;
            nlri 66.133.2.0/23 exact;
        } then {
            deny;
        }
    }
    entry TOEXP1 {
        if match any {
            nlri 0.0.0.0/0;
        } then {
            permit;
        }
    }

    Please correct me if I am wrong.
    Thank you very much for your help.



  • 8.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 13:48
    That's correct. Just make sure to use 'if match any' for the entries with multiple of the same match conditions.


  • 9.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 13:48
    Thank you, Brandon.



  • 10.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 13:48
    Hi Brandon, I advertised these 2 prefixes, 66.133.0.0/23 and 66.133.2.0/23, on the primary router connected to the primary ISP. I used the policy written above to block these 2 routes from being advertised to the standby router that I connected to the secondary ISP. The router said: Error: Failed to read policy file AS1187_OUT

    Can you please advise?
    Thank you,
    Elie



  • 11.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 13:54
    Thank you, Nick.



  • 12.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 16:52
    In fact, without the exact keyword you may filter out only 66.133.0.0/22.
    That will filter all specific announcements of your inetnum 66.133.0.0-66.133.3.254, from a /22 to a /32.


  • 13.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 16:52
    Hi Nick,
    Can you please explain to me what this route policy does when applied to a BGP neighbor out?

    entry TOEXP {
        if match all {
            nlri 66.133.0.0/23 exact;
            nlri 66.133.2.0/23 exact;
        } then {
            deny;
        }
    }
    entry TOEXP1 {
        if match any {
            nlri 0.0.0.0/0;
        } then {
        }
    }

    Once I applied this config on the primary BGP router out toward the standby router, the switch reboots with EPM application wdg timer warning messages and the rtmgr process memory went high.



  • 14.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 16:52
    Elie,

    What EXOS do you have on those switches?

    Maybe you are facing: https://gtacknowledge.extremenetworks.com/articles/Solution/Switch-reboots-with-EPM-application-wdg-...

    --
    Jarek


  • 15.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 16:52
    Elie,

    I suppose you forgot

    then{
    permit;
    }


  • 16.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 16:52
    Thank you, Nick, you are right.



  • 17.  RE: deny specific prefixes in bgp

    Posted 06-22-2017 16:52
    Jarek, that is what I found too. I need to upgrade the OS.
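
Added example, not part of any post in this thread and not EXOS code: a small Python model of the policy behaviour the replies describe (implicit deny, `match any` versus `match all`, and the `exact` keyword), run over constructed routes. First-match evaluation order, the function names, and the sample routes 66.133.1.0/24 and 198.51.100.0/24 are assumptions made for the illustration.

```python
import ipaddress

def nlri(prefix, exact=False):
    """One 'nlri <prefix> [exact]' match condition, as a predicate on a route."""
    net = ipaddress.ip_network(prefix)
    if exact:
        return lambda route: route == net
    # Assumption (post 12): without 'exact', more-specific routes match too.
    return lambda route: route.subnet_of(net)

def evaluate(policy, route):
    """Assumed first-match evaluation; no matching entry is an implicit deny (post 6)."""
    route = ipaddress.ip_network(route)
    for mode, conditions, action in policy:
        combine = any if mode == "any" else all
        if combine(cond(route) for cond in conditions):
            return action
    return "deny"

def advertised(policy, routes):
    """Routes the policy would let through to the neighbor."""
    return [r for r in routes if evaluate(policy, r) == "permit"]

BLOCKED = ("66.133.0.0/23", "66.133.2.0/23")
PERMIT_ALL = ("any", [nlri("0.0.0.0/0")], "permit")

# Post 4: no 'exact' and no permit entry, so everything ends up denied.
POLICY_NO_PERMIT = [("any", [nlri(p) for p in BLOCKED], "deny")]
# Post 13's first entry: 'match all' over two different exact prefixes.
# No route equals both, so the deny never fires (permit entry modelled as in post 15).
POLICY_MATCH_ALL = [("all", [nlri(p, True) for p in BLOCKED], "deny"), PERMIT_ALL]
# 'match any' without 'exact': more-specifics of the two prefixes are dropped as well.
POLICY_NOT_EXACT = [("any", [nlri(p) for p in BLOCKED], "deny"), PERMIT_ALL]
# Posts 7, 8 and 15 combined: 'match any' + 'exact' + explicit permit-all entry.
POLICY_FIXED = [("any", [nlri(p, True) for p in BLOCKED], "deny"), PERMIT_ALL]

# Constructed sample routes: the two targets, one more-specific, one unrelated.
ROUTES = ["66.133.0.0/23", "66.133.2.0/23", "66.133.1.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    for name in ("POLICY_NO_PERMIT", "POLICY_MATCH_ALL",
                 "POLICY_NOT_EXACT", "POLICY_FIXED"):
        print(name, advertised(globals()[name], ROUTES))
```

Only the last variant advertises everything except the two /23 prefixes; checking the neighbor's received routes after a `refresh policy` is the equivalent verification on the switch.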