BGP communities problem

Category: By Barooq

Here is the scenario diagram…
Objective:
Configure using community No-Export so that hosts on R3’s Ethernet have access to VLANs 5 and 43 but AS 1 and AS 3 cannot reach VLANs 43 and 5 respectively.
Here are my configurations of R5 and R4:
R5:
router bgp 1
no synchronization
bgp log-neighbor-changes
network 155.1.5.0 mask 255.255.255.0
neighbor 155.1.0.2 remote-as 2
neighbor 155.1.0.2 send-community
neighbor 155.1.0.2 route-map SET-COMMUNITY out
no auto-summary
!
access-list 1 permit 155.1.5.0 0.0.0.255
!
route-map SET-COMMUNITY permit 10
match ip address 1
set community no-export
!
route-map SET-COMMUNITY permit 20

R4:

router bgp 3
no synchronization
bgp log-neighbor-changes
network 204.12.1.0
neighbor 155.1.146.1 remote-as 2
neighbor 155.1.146.1 send-community
neighbor 155.1.146.1 route-map SET-COMMUNITY out
no auto-summary
!
access-list 1 permit 204.12.1.0 0.0.0.255
!
route-map SET-COMMUNITY permit 10
match ip address 1
set community no-export
!
route-map SET-COMMUNITY permit 20
!
Now everything appears to be fine when I check on R1 and R2, which are the neighbors of R4 and R5 respectively:

R1#sh ip bgp 204.12.1.0
BGP routing table entry for 204.12.1.0/24, version 3
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
  Advertised to update-groups:
     1          3
  155.1.146.4 from 155.1.146.4 (204.12.1.4)
    Origin IGP, metric 0, localpref 100, valid, external, best
    Community: no-export

And

R2#show ip bgp 155.1.5.0
BGP routing table entry for 155.1.5.0/24, version 2
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
  Advertised to update-groups:
     2          1
  155.1.0.5 from 155.1.0.5 (155.1.5.5)
    Origin IGP, metric 0, localpref 100, valid, external, best
    Community: no-export
But R5 and R4 still see these routes in their routing tables and are able to ping each other:
R4#show ip bgp
BGP table version is 8, local router ID is 204.12.1.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 155.1.5.0/24     155.1.146.1                            0 2 1 i
*> 155.1.37.0/24    155.1.146.1                            0 2 i
*> 204.12.1.0       0.0.0.0                  0         32768 i

Now R4 shouldn't be able to see the 155.1.5.0/24 network, but it does :S


R4#ping 155.1.5.5 source 204.12.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 204.12.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/213/316 ms

The same is the case with R5. It sees and reaches the network advertised by R4…
Any help will be appreciated…

3 comments so far.

  1. Eric Leung October 19, 2007 at 4:30 PM
    Hi there,

    I guess the ACLs are the source of the error. You can try to use a prefix-list, or try to use the following ACL:

    access-list 1 permit host 155.1.5.0 host 255.255.255.0

    access-list 1 permit host 204.12.1.0 host 255.255.255.0

    This is an old-fashioned ACL to match a prefix.

    HTH
    Eric Leung
  2. Barooq October 19, 2007 at 6:25 PM
    Eric, thanks for the help, but the problem was much more basic :)
    I wasn't sending the attribute from R1 to R3 and vice versa.
  3. GCFA July 9, 2012 at 8:29 AM
    Thank you for such an in depth review and thank you for sharing this! You never know when you are going to need it, but when you do you realize it’s a life saver!
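The resolution in Barooq's reply is the general lesson of this post: no-export only works if the community attribute actually reaches the router at the far edge of the transit AS, and IOS drops communities on any session without `send-community`, iBGP sessions included. The following is an added example, not the original poster's configuration or any router's code. It models the topology from the post (R5 in AS 1, R1/R2/R3 in AS 2, R4 in AS 3) and reproduces both the leak shown above (R4 learning 155.1.5.0/24 with path "2 1") and the fix. Assumptions not stated on the page: AS 2 runs an iBGP full mesh R1-R2-R3, best path is simply "first route learned wins", and R5/R4 attach no-export with an outbound route-map exactly as in the posted configs.

```python
"""Propagation model for the no-export scenario in this post (added example).

Assumed, not from the page: iBGP full mesh R1-R2-R3 inside AS 2, first-learned
route wins, no-export attached by an outbound route-map on R5 and R4.
"""

NO_EXPORT = "no-export"


class Route:
    def __init__(self, prefix, as_path, communities, learned_from):
        self.prefix = prefix
        self.as_path = tuple(as_path)          # leftmost AS is the nearest
        self.communities = frozenset(communities)
        self.learned_from = learned_from       # neighbor name, None if local


class Router:
    def __init__(self, name, asn):
        self.name, self.asn = name, asn
        self.send_community = {}   # peer -> bool ("neighbor X send-community")
        self.export_add = {}       # peer -> communities set by the outbound route-map
        self.table = {}            # prefix -> Route


def build_topology(ibgp_send_community):
    """Build the routers; the flag toggles send-community on the AS 2 iBGP sessions."""
    r = {n: Router(n, a) for n, a in
         [("R5", 1), ("R1", 2), ("R2", 2), ("R3", 2), ("R4", 3)]}

    def session(a, b, send_comm):
        r[a].send_community[b] = send_comm
        r[b].send_community[a] = send_comm

    session("R5", "R2", True)          # eBGP, send-community set in the posted config
    session("R4", "R1", True)          # eBGP, send-community set in the posted config
    for a, b in [("R1", "R2"), ("R1", "R3"), ("R2", "R3")]:
        session(a, b, ibgp_send_community)   # assumed iBGP full mesh

    # route-map SET-COMMUNITY out: tag the local prefix with no-export on export
    r["R5"].export_add["R2"] = {NO_EXPORT}
    r["R4"].export_add["R1"] = {NO_EXPORT}
    r["R5"].table["155.1.5.0/24"] = Route("155.1.5.0/24", [], set(), None)
    r["R4"].table["204.12.1.0/24"] = Route("204.12.1.0/24", [], set(), None)
    return r


def propagate(routers):
    """Flood updates until no table changes; returns the same dict, now populated."""
    changed = True
    while changed:
        changed = False
        for rtr in routers.values():
            for route in list(rtr.table.values()):
                for peer_name, send_comm in rtr.send_community.items():
                    peer = routers[peer_name]
                    if peer_name == route.learned_from or route.prefix in peer.table:
                        continue
                    ebgp = peer.asn != rtr.asn
                    learned_ibgp = (route.learned_from is not None and
                                    routers[route.learned_from].asn == rtr.asn)
                    if not ebgp and learned_ibgp:
                        continue   # iBGP-learned routes are not re-sent to iBGP peers
                    if ebgp and peer.asn in route.as_path:
                        continue   # AS-path loop prevention
                    if ebgp and NO_EXPORT in route.communities:
                        continue   # no-export: the route stops at the AS edge
                    comms = route.communities | rtr.export_add.get(peer_name, set())
                    if not send_comm:
                        comms = frozenset()   # without send-community the attribute is dropped
                    path = (rtr.asn,) + route.as_path if ebgp else route.as_path
                    peer.table[route.prefix] = Route(route.prefix, path, comms, rtr.name)
                    changed = True
    return routers


def bgp_table(routers, name):
    """Return {prefix: 'AS path'} for one router, a terse 'show ip bgp'."""
    return {p: " ".join(str(a) for a in rt.as_path)
            for p, rt in routers[name].table.items()}


if __name__ == "__main__":
    for flag in (False, True):
        routers = propagate(build_topology(ibgp_send_community=flag))
        print(f"iBGP send-community={flag}: "
              f"R4 {bgp_table(routers, 'R4')}; R5 {bgp_table(routers, 'R5')}")
```

With the iBGP sessions lacking `send-community`, R2 holds 155.1.5.0/24 with no-export (as the R2 output above shows) but hands it to R1 stripped of the community, so R1 happily exports it to R4 with path "2 1"; the same happens in the other direction to R5. With `send-community` on the iBGP sessions, R1 and R2 keep the attribute and withhold the routes from their eBGP peers, while R3 still learns both prefixes, which is exactly the objective.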
