deny specific prefixes in bgp

Hi,
I am trying to deny the exact prefixes 66.133.0.0/23 and 66.133.2.0/23 from being advertised, and allow everything else, to an iBGP neighbor (214.63.21.4). The configuration should be done on 214.63.21.3, using a neighbor route-policy command.

Neighbor 214.63.21.3 is connected to neighbor 214.63.21.4.

Can someone help?
Thank you,
Elie
Elie Raad

Posted 1 year ago

Brandon Clay, Escalation Support Engineer
Hi Elie,

You should be able to do this with a routing policy. See the link below for syntax details:
http://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/Routing_Policies/r_routing-policy-file-...

For example, you could do:
entry ip_entry {
	if match any {
		nlri  66.133.0.0/23 exact;
		nlri  66.133.2.0/23 exact;
	} then {
		deny;
	}
}
Brandon Clay, Escalation Support Engineer
Hi Elie,

There is an implicit deny on routing policies, so you would need an explicit permit all entry to allow other prefixes.
Elie Raad
So the end result for only denying the 66 and allowing all others would be something like this:
configure bgp neighbor 30.119.210.6 route-policy out AS1187_OUT

edit policy AS1187_OUT
entry TOEXP {
	if match {
		nlri 66.133.0.0/23 exact;
		nlri 66.133.2.0/23 exact;
	} then {
		deny;
	}
}
entry TOEXP1 {
	if match any {
		nlri 0.0.0.0/0;
	} then {
		permit;
	}
}

Please correct me if I am wrong.
Thank you very much for your help.
Brandon Clay, Escalation Support Engineer
That's correct. Just make sure to use 'if match any' for the entries with multiple of the same match conditions.
Elie Raad
Thank you, Brandon.
Elie Raad
Hi Brandon, I advertised these 2 prefixes, 66.133.0.0/23 and 66.133.2.0/23, on the primary router connected to the primary ISP. I used the policy written above to block these 2 routes from being advertised to the standby router that I connected to the secondary ISP. The router said: Error:  Failed to read policy file AS1187_OUT

Can you please advise?
Thank you,
Elie
Nick Yakimenko
First you create the policy:
edit policy bgp-out

An editor based on vi will be opened (press i to edit, ESC to stop editing, then type :wq to exit).

Enter the following:

entry bgp-out-00 {
	if match any {
		nlri 66.133.0.0/23;
		nlri 66.133.2.0/23;
	} then {
		deny;
	}
}
Then you apply the policy to a neighbor:
configure bgp neighbor 214.63.21.4 route-policy out bgp-out
If you edit the policy afterwards, you can refresh the changes by issuing the command:

refresh policy bgp-out
Elie Raad
Thank you, Nick.
Elie Raad
Thank you, Nick!
Why didn't you use the exact keyword after the nlri 66.133.0.0/23?
Elie Raad
Hi Nick,
can you please explain to me what this route-policy does when applied to a BGP neighbor out?
entry TOEXP {
	if match all {
		nlri 66.133.0.0/23 exact;
		nlri 66.133.2.0/23 exact;
	} then {
		deny;
	}
}
entry TOEXP1 {
	if match any {
		nlri 0.0.0.0/0;
	} then {
	}
}
Once I applied this config on the primary BGP router out toward the standby router, the switch reboots with EPM application wdg timer warning messages and the rtmgr process memory went high.
Jarek
Elie,

What EXOS do you have on those switches?

Maybe you are facing: https://gtacknowledge.extremenetworks.com/articles/Solution/Switch-reboots-with-EPM-application-wdg-...

--
Jarek
Nick Yakimenko
Elie,

I suppose you forgot

then{
permit; 
}
Elie Raad
Thank you, Nick, you are right.
Elie Raad
Jarek, that is what I found too. I need to upgrade the OS.
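
Added example (not part of the original thread and not Extreme Networks code): a small Python model for checking, before applying a policy, which routes the policies discussed above would advertise. It assumes entries are evaluated in order with the first match deciding, that `nlri` without `exact` also matches more-specific routes inside the prefix, and the implicit deny mentioned in the thread; the sample routes are constructed.

```python
import ipaddress

def nlri_matches(route, prefix, exact):
    """exact: same network and mask. Otherwise (assumption): any route inside the prefix."""
    r, p = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    return r == p if exact else r.subnet_of(p)

def evaluate(policy, route):
    """Action of the first matching entry (assumed first-match order), else implicit deny."""
    for _name, mode, conditions, action in policy:
        hits = [nlri_matches(route, pfx, exact) for pfx, exact in conditions]
        if (any(hits) if mode == "any" else all(hits)):
            return action
    return "deny"  # implicit deny: no entry matched

BLOCKED = [("66.133.0.0/23", True), ("66.133.2.0/23", True)]
PERMIT_ALL = ("TOEXP1", "any", [("0.0.0.0/0", False)], "permit")

# Deny entry with 'if match any', followed by an explicit permit-all entry.
MATCH_ANY = [("TOEXP", "any", BLOCKED, "deny"), PERMIT_ALL]
# Same policy with 'if match all': a single route cannot equal both /23s,
# so the deny entry never matches and both prefixes fall through to permit.
MATCH_ALL = [("TOEXP", "all", BLOCKED, "deny"), PERMIT_ALL]
# Deny entry only: everything else hits the implicit deny.
DENY_ONLY = [("TOEXP", "any", BLOCKED, "deny")]

# Constructed sample routes; 66.133.0.0/24 is a more-specific of a blocked /23.
ROUTES = ["66.133.0.0/23", "66.133.2.0/23", "66.133.0.0/24", "10.1.0.0/16"]

def advertised(policy):
    """Routes from ROUTES that the policy would let out to the neighbor."""
    return [r for r in ROUTES if evaluate(policy, r) == "permit"]

if __name__ == "__main__":
    for label, pol in [("match any", MATCH_ANY),
                       ("match all", MATCH_ALL),
                       ("deny only", DENY_ONLY)]:
        print(f"{label:10} -> {advertised(pol)}")
```

In this model the `exact` deny entry does not stop the more-specific 66.133.0.0/24, which is the practical difference between the `exact` and non-`exact` forms posted in the thread.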