deny specific prefixes in bgp


Hi,
I am trying to deny the exact prefixes 66.133.0.0/23 and 66.133.2.0/23 from being advertised, and allow everything else, to an iBGP neighbor (214.63.21.4). The configuration should be done on 214.63.21.3 using a neighbor route-policy command.

Neighbor 214.63.21.3 is connected to neighbor 214.63.21.4.

Can someone help?
thank you,
elie

16 replies

Userlevel 7
Hi Elie,

You should be able to do this with a routing policy. See the link below for syntax details:
http://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/Routing_Policies/r_routing-policy-file-...

For example, you could do:

entry ip_entry {
    if match any {
        nlri 66.133.0.0/23 exact;
        nlri 66.133.2.0/23 exact;
    } then {
        deny;
    }
}
Brandon Clay wrote:

Hi Elie,

You should be able to do this with a routing policy. See the link below for syntax details:
http://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/Routing_Policies/r_routing-policy-file-...

For example, you could do:

entry ip_entry {
    if match any {
        nlri 66.133.0.0/23 exact;
        nlri 66.133.2.0/23 exact;
    } then {
        deny;
    }
}

Hi Brandon,
Will all routes other than 66.133.0.0 and 66.133.2.0 be allowed, or will everything else be blocked too?
Userlevel 7
Brandon Clay wrote:

Hi Elie,

You should be able to do this with a routing policy. See the link below for syntax details:
http://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/Routing_Policies/r_routing-policy-file-...

For example, you could do:

entry ip_entry {
    if match any {
        nlri 66.133.0.0/23 exact;
        nlri 66.133.2.0/23 exact;
    } then {
        deny;
    }
}

Hi Elie,

There is an implicit deny on routing policies, so you would need an explicit permit all entry to allow other prefixes.
Brandon Clay wrote:

Hi Elie,

You should be able to do this with a routing policy. See the link below for syntax details:
http://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/Routing_Policies/r_routing-policy-file-...

For example, you could do:

entry ip_entry {
    if match any {
        nlri 66.133.0.0/23 exact;
        nlri 66.133.2.0/23 exact;
    } then {
        deny;
    }
}

So the end result for denying only the 66 prefixes and allowing all others would be something like this:

configure bgp neighbor 30.119.210.6 route-policy out AS1187_OUT

edit policy AS1187_OUT

entry TOEXP {
    if match {
        nlri 66.133.0.0/23 exact;
        nlri 66.133.2.0/23 exact;
    } then {
        deny;
    }
}
entry TOEXP1 {
    if match any {
        nlri 0.0.0.0/0;
    } then {
        permit;
    }
}

Please correct me if I am wrong.
Thank you very much for your help.
Userlevel 7
Brandon Clay wrote:

Hi Elie,

You should be able to do this with a routing policy. See the link below for syntax details:
http://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/Routing_Policies/r_routing-policy-file-...

For example, you could do:

entry ip_entry {
    if match any {
        nlri 66.133.0.0/23 exact;
        nlri 66.133.2.0/23 exact;
    } then {
        deny;
    }
}

That's correct. Just make sure to use 'if match any' for the entries with multiple of the same match conditions.
Brandon Clay wrote:

Hi Elie,

You should be able to do this with a routing policy. See the link below for syntax details:
http://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/Routing_Policies/r_routing-policy-file-...

For example, you could do:

entry ip_entry {
    if match any {
        nlri 66.133.0.0/23 exact;
        nlri 66.133.2.0/23 exact;
    } then {
        deny;
    }
}

Thank you, Brandon.
Brandon Clay wrote:

Hi Elie,

You should be able to do this with a routing policy. See the link below for syntax details:
http://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/Routing_Policies/r_routing-policy-file-...

For example, you could do:

entry ip_entry {
    if match any {
        nlri 66.133.0.0/23 exact;
        nlri 66.133.2.0/23 exact;
    } then {
        deny;
    }
}

Hi Brandon, I advertised these 2 prefixes, 66.133.0.0/23 and 66.133.2.0/23, on the primary router connected to the primary ISP. I used the policy written above to block these 2 routes from being advertised to the standby router that I connected to the secondary ISP. The router said: Error: Failed to read policy file AS1187_OUT

Can you please advise?
Thank you,
Elie
Userlevel 4
First you create the policy:

edit policy bgp-out

An editor based on vi will be opened (press i to edit, ESC to stop editing, then type :wq to exit).

Enter the following:

entry bgp-out-00 {
    if match any {
        nlri 66.133.0.0/23;
        nlri 66.133.2.0/23;
    } then {
        deny;
    }
}

Then you apply the policy to a neighbor:

configure bgp neighbor 214.63.21.4 route-policy out bgp-out

If you later edit the policy, you can apply the changes by issuing the command:

refresh policy bgp-out

Nick Yakimenko wrote:

First you create the policy:

edit policy bgp-out

An editor based on vi will be opened (press i to edit, ESC to stop editing, then type :wq to exit).

Enter the following:

entry bgp-out-00 {
    if match any {
        nlri 66.133.0.0/23;
        nlri 66.133.2.0/23;
    } then {
        deny;
    }
}

Then you apply the policy to a neighbor:

configure bgp neighbor 214.63.21.4 route-policy out bgp-out

If you later edit the policy, you can apply the changes by issuing the command:

refresh policy bgp-out


Thank you, Nick.
Thank You Nick!
Why didn't you use the exact keyword after nlri 66.133.0.0/23?
Userlevel 4
Elie Raad wrote:

Thank You Nick!
Why didn't you use the exact keyword after nlri 66.133.0.0/23?

In fact, without the exact keyword you may filter out only 66.133.0.0/22; that will filter all the specific announcements of your inetnum 66.133.0.0-66.133.3.254, from a /22 down to a /32.
Elie Raad wrote:

Thank You Nick!
Why didn't you use the exact keyword after nlri 66.133.0.0/23?

Hi Nick,
Can you please explain to me what this route-policy does when applied to a BGP neighbor outbound?

entry TOEXP {
    if match all {
        nlri 66.133.0.0/23 exact;
        nlri 66.133.2.0/23 exact;
    } then {
        deny;
    }
}
entry TOEXP1 {
    if match any {
        nlri 0.0.0.0/0;
    } then {
    }
}

Once I applied this config on the primary BGP router outbound toward the standby router, the switch rebooted with EPM application wdg timer warning messages and the rtmgr process memory went high.
Userlevel 3
Elie Raad wrote:

Thank You Nick!
Why didn't you use the exact keyword after nlri 66.133.0.0/23?

Elie,

What EXOS do you have on those switches?

Maybe you are facing: https://gtacknowledge.extremenetworks.com/articles/Solution/Switch-reboots-with-EPM-application-wdg-...

--
Jarek
Userlevel 4
Elie Raad wrote:

Thank You Nick!
Why didn't you use the exact keyword after nlri 66.133.0.0/23?

Elie,

I suppose you forgot:

then{
permit;
}
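Brandon's points about the implicit deny and about needing `if match any` for two exact prefixes, and Nick's point about the missing `permit`, can be checked with a small evaluator. This is an added example, not EXOS code or anything from this thread: it models a policy as an ordered list of entries, first match wins, no match means deny, and it assumes (as the replies imply) that a bare `if match` behaves like `match all` and that an nlri condition without `exact` also matches more-specific prefixes.

```python
import ipaddress

def N(s):
    return ipaddress.ip_network(s)

# An nlri condition is (network, exact). Without "exact" it also matches every
# more-specific prefix inside the network (the /22 covering /22 down to /32 that
# Nick describes); with "exact" only that one prefix matches.
def nlri_matches(cond, prefix):
    net, exact = cond
    return prefix == net if exact else prefix.subnet_of(net)

# A policy is an ordered list of entries: (match_type, [conditions], action).
# Entries are tried in order and the first entry that matches decides; a prefix
# that matches no entry hits the implicit deny Brandon mentions.
# Assumption: a bare "if match" is treated as "match all".
def evaluate(policy, prefix):
    for match_type, conds, action in policy:
        hits = [nlri_matches(c, prefix) for c in conds]
        if all(hits) if match_type == "all" else any(hits):
            return action
    return "deny"

def outcome(policy, prefixes):
    return {p: evaluate(policy, N(p)) for p in prefixes}

BLOCKED = [(N("66.133.0.0/23"), True), (N("66.133.2.0/23"), True)]
PERMIT_ALL = ("any", [(N("0.0.0.0/0"), False)], "permit")

# Elie's first draft: "if match {" is "match all", and one prefix can never equal
# two different /23s, so the deny entry never fires and everything is permitted.
POLICY_MATCH_ALL = [("all", BLOCKED, "deny"), PERMIT_ALL]
# Only the deny entry and no permit-all: the implicit deny blocks every other route.
POLICY_NO_PERMIT = [("any", BLOCKED, "deny")]
# What Brandon and Nick converge on: match any, then an explicit permit-all.
POLICY_CORRECT = [("any", BLOCKED, "deny"), PERMIT_ALL]

# Constructed sample of routes in the BGP table: the two /23s, a more-specific
# /24 inside the first /23, and an unrelated prefix.
SAMPLE = ["66.133.0.0/23", "66.133.2.0/23", "66.133.1.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    for name, pol in [("match all", POLICY_MATCH_ALL),
                      ("no permit-all", POLICY_NO_PERMIT),
                      ("correct", POLICY_CORRECT)]:
        print(name, outcome(pol, SAMPLE))
```

Note that even the correct policy still lets 66.133.1.0/24 through, because `exact` matches only the /23 itself; dropping `exact` (Nick's version) would catch the more-specifics as well.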
Elie Raad wrote:

Thank You Nick!
Why didn't you use the exact keyword after nlri 66.133.0.0/23?

Thank you, Nick, you are right.
Elie Raad wrote:

Thank You Nick!
Why didn't you use the exact keyword after nlri 66.133.0.0/23?

Jarek, that is what I found too. I need to upgrade the OS.
