BGP communities problem
Here is the scenario diagram…
Objective:
Configure using community No-Export so that hosts on R3’s Ethernet have access to VLANs 5 and 43 but AS 1 and AS 3 cannot reach VLANs 43 and 5 respectively.
Here is my configuration of R4 and R5
R5:
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 155.1.5.0 mask 255.255.255.0
 neighbor 155.1.0.2 remote-as 2
 neighbor 155.1.0.2 send-community
 neighbor 155.1.0.2 route-map SET-COMMUNITY out
 no auto-summary
!
access-list 1 permit 155.1.5.0 0.0.0.255
!
! clause 10 tags the locally originated prefix; clause 20 has no match and passes everything else unchanged
route-map SET-COMMUNITY permit 10
 match ip address 1
 set community no-export
!
route-map SET-COMMUNITY permit 20
!
R4:
router bgp 3
 no synchronization
 bgp log-neighbor-changes
 network 204.12.1.0
 neighbor 155.1.146.1 remote-as 2
 neighbor 155.1.146.1 send-community
 neighbor 155.1.146.1 route-map SET-COMMUNITY out
 no auto-summary
!
access-list 1 permit 204.12.1.0 0.0.0.255
!
route-map SET-COMMUNITY permit 10
 match ip address 1
 set community no-export
!
route-map SET-COMMUNITY permit 20
!
Now everything appears to be fine when I check on R1 and R2, which are the neighbors of R4 and R5 respectively:
R1#sh ip bgp 204.12.1.0
BGP routing table entry for 204.12.1.0/24, version 3
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
  Advertised to update-groups:
     1          3
  155.1.146.4 from 155.1.146.4 (204.12.1.4)
    Origin IGP, metric 0, localpref 100, valid, external, best
    Community: no-export
And
R2#show ip bgp 155.1.5.0
BGP routing table entry for 155.1.5.0/24, version 2
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
  Advertised to update-groups:
     2          1
  155.1.0.5 from 155.1.0.5 (155.1.5.5)
    Origin IGP, metric 0, localpref 100, valid, external, best
    Community: no-export
But R5 and R4 still see these routes in their routing tables and are able to ping each other…
R4#show ip bgp
BGP table version is 8, local router ID is 204.12.1.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 155.1.5.0/24     155.1.146.1                            0 2 1 i
*> 155.1.37.0/24    155.1.146.1                            0 2 i
*> 204.12.1.0       0.0.0.0                  0         32768 i
Now R4 shouldn't be able to see the 155.1.5.0/24 network, but it does :S
R4#ping 155.1.5.5 source 204.12.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.5.5, timeout is 2 seconds:
Packet sent with a source address of 204.12.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/213/316 ms
The same is the case with R5: it sees and reaches the network advertised by R4…
Any help will be appreciated…
I guess the ACLs are the source of the error. You can try to use a prefix-list, or try to use the following ACL:
! extended ACL: the first "host" is the network, the second "host" is the exact mask
access-list 100 permit ip host 155.1.5.0 host 255.255.255.0
access-list 100 permit ip host 204.12.1.0 host 255.255.255.0
This is an old-fashioned ACL to match a prefix.
HTH
Eric Leung
I wasn't sending the attribute from R1 to R3 and vice versa.
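To see why the community has to survive the iBGP hop, here is an added Python model of the exchange; it is not part of the thread and not Cisco code. It assumes a simplified version of the lab: R4 (AS 3) peers with R1, R1 and R3 are the only routers in AS 2 and share one iBGP session, and R3 peers with R5 (AS 1). The prefixes, AS numbers, and the send-community plus SET-COMMUNITY settings on the two eBGP sessions are taken from the posted configs. The `send_community_on_ibgp` flag stands for `neighbor <peer> send-community` on the R1-R3 session, which IOS does not enable by default.

```python
"""Toy model of BGP no-export propagation across AS 3 -> AS 2 -> AS 1.

Added example, not from the original thread. Topology is an assumption:
R4 (AS 3) -- R1 (AS 2) == R3 (AS 2) -- R5 (AS 1), with a single iBGP
session inside AS 2. Prefixes and AS numbers are the ones in the thread.
"""
from dataclasses import dataclass, field

NO_EXPORT = "no-export"          # well-known community 0xFFFFFF01


@dataclass(frozen=True)
class Path:
    communities: frozenset
    via_ibgp: bool = False       # learned from an internal peer


@dataclass
class Router:
    name: str
    asn: int
    rib: dict = field(default_factory=dict)   # prefix -> Path


@dataclass
class Peering:
    local: Router
    peer: Router
    send_community: bool                  # 'neighbor X send-community' on local
    set_out: frozenset = frozenset()      # outbound route-map 'set community ...'

    @property
    def ebgp(self) -> bool:
        return self.local.asn != self.peer.asn


def export(p: Peering, path: Path):
    """Return the Path `p.local` puts on the wire to `p.peer`, or None if withheld."""
    if path.via_ibgp and not p.ebgp:
        return None   # iBGP-learned routes are not re-advertised to iBGP peers (no route reflector here)
    if p.ebgp and NO_EXPORT in path.communities:
        return None   # no-export: the router holding it must not pass it to an external peer
    comms = path.communities | p.set_out   # outbound route-map attaches the community
    if not p.send_community:
        comms = frozenset()                # IOS default: COMMUNITIES attribute is stripped from the UPDATE
    return Path(comms, via_ibgp=not p.ebgp)


def converge(peerings, max_rounds=20):
    """Push routes around until no router learns anything new."""
    for _ in range(max_rounds):
        changed = False
        for p in peerings:
            for prefix, path in list(p.local.rib.items()):
                if prefix in p.peer.rib:
                    continue               # one path per prefix in this toy
                sent = export(p, path)
                if sent is not None:
                    p.peer.rib[prefix] = sent
                    changed = True
        if not changed:
            return
    raise RuntimeError("did not converge")


def simulate(send_community_on_ibgp: bool):
    """Return {router: {prefix: sorted communities}} after convergence."""
    r4, r1, r3, r5 = Router("R4", 3), Router("R1", 2), Router("R3", 2), Router("R5", 1)
    r4.rib["204.12.1.0/24"] = Path(frozenset())   # 'network 204.12.1.0' on R4
    r5.rib["155.1.5.0/24"] = Path(frozenset())    # 'network 155.1.5.0 mask ...' on R5
    ne = frozenset({NO_EXPORT})
    peerings = [
        Peering(r4, r1, True, ne),                  # R4: send-community + SET-COMMUNITY out
        Peering(r1, r4, True),
        Peering(r1, r3, send_community_on_ibgp),    # the iBGP sessions the OP had not configured
        Peering(r3, r1, send_community_on_ibgp),
        Peering(r3, r5, True),
        Peering(r5, r3, True, ne),                  # R5: send-community + SET-COMMUNITY out
    ]
    converge(peerings)
    return {r.name: {pfx: sorted(pth.communities) for pfx, pth in r.rib.items()}
            for r in (r4, r1, r3, r5)}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"send-community on iBGP = {flag}")
        for name, rib in simulate(flag).items():
            print(f"  {name}: {rib}")
```

With the flag off, R3 holds 204.12.1.0/24 with an empty community list, so its eBGP export check never fires and the prefix reaches R5; 155.1.5.0/24 reaches R4 by the mirror-image path, which is the leak in the question. With the flag on, both AS 2 routers still hold both prefixes (the objective), but each prefix stops at the AS boundary. The quick check on a real box is `show ip bgp <prefix>` on the router that learned the route over iBGP: if the Community line is missing there, the attribute was dropped one hop upstream.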