Distribute List in BGP With Incorrect Access List Name

Rashmi Bhardwaj | Blog, BUZZ, Config & Troubleshoot, Routing & Switching, Security
A small configuration error in BGP can create havoc in a network, and especially in a service provider network, where it can affect a large set of customers. It is therefore important for network administrators and implementers to understand how small changes in route filtering or advertisement alter the routes a neighbour learns.

In this scenario we look at what happens when an incorrect access list name is given in a distribute list that is meant to selectively advertise routes to a BGP neighbour. In other words, the distribute list calls an access list that has never been created on the BGP router. The scenario is described below.

Routers R1 and R2 are directly connected and form an eBGP neighbourship with each other. R1 advertises two loopbacks (1.1.1.0/24 and 1.1.2.0/24), while R2 advertises one loopback (2.2.2.0/24).

[Figure: R1 and R2 topology diagram (using-distribute-list-in-bgp-with-incorrect-access-list)]

(R1 Configuration)

interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback2
ip address 1.1.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
!
router bgp 1
no synchronization
network 1.1.1.0 mask 255.255.255.0
network 1.1.2.0 mask 255.255.255.0
network 192.168.12.0
neighbor 192.168.12.2 remote-as 2
neighbor 192.168.12.2 soft-reconfiguration inbound

(R2 Configuration)
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
!
router bgp 2
no synchronization
network 2.2.2.0 mask 255.255.255.0
network 192.168.12.0
neighbor 192.168.12.1 remote-as 1
neighbor 192.168.12.1 soft-reconfiguration inbound

The output on each router (R1 and R2) with no route filtering configured is shown below:

R1#sh ip bgp
BGP table version is 7, local router ID is 1.1.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       0.0.0.0                  0         32768 i
*> 1.1.2.0/24       0.0.0.0                  0         32768 i
*> 2.2.2.0/24       192.168.12.2             0             0 2 i
*> 192.168.12.0     0.0.0.0                  0         32768 i
*                   192.168.12.2             0             0 2 i

R2#sh ip bgp
BGP table version is 17, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 1.1.2.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*  192.168.12.0     192.168.12.1             0             0 1 i
*>                  0.0.0.0                  0         32768 i
Now we implement a distribute list on R1 to filter the routes it advertises towards its BGP neighbour R2. The distribute list should block network 1.1.2.0/24 (denied by access list NET1) from being advertised to R2. However, due to a configuration error, the distribute list calls the wrong access list name, NET2 instead of NET1, as below:

R1(config)#ip access-list standard NET1
R1(config-std-nacl)#deny 1.1.2.0 0.0.0.255
R1(config-std-nacl)#permit any
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 distribute-list NET2 out

The BGP table on R2 while the distribute list calls the incorrect (undefined) access list NET2 is shown below:

R2#sh ip bgp
BGP table version is 17, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 1.1.2.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*  192.168.12.0     192.168.12.1             0             0 1 i
*>                  0.0.0.0                  0         32768 i
As shown above, the distribute list blocks nothing: R2 still receives every BGP route from R1, including 1.1.2.0/24. The reason is that Cisco IOS treats a distribute list (or route-map match) that references an access list which does not exist as "permit any", so the filter fails open rather than closed. The mistake is easy to confirm on R1: show ip access-lists NET2 returns no entries, while show ip bgp neighbors 192.168.12.2 advertised-routes still lists 1.1.2.0/24. Note that IOS accepts the neighbor distribute-list command without complaint even though NET2 is undefined, so the typo produces no error at configuration time.

Now we replace the reference with the correct access list, NET1, in the distribute list on BGP router R1:

R1(config)#router bgp 1
R1(config-router)#no neighbor 192.168.12.2 distribute-list NET2 out
R1(config-router)#neighbor 192.168.12.2 distribute-list NET1 out

Once the correct access list is referenced, the distribute list using NET1 blocks network 1.1.2.0/24 from being advertised to neighbour R2, as the output below shows. If the neighbour's table does not change immediately after the fix, trigger an outbound soft reset on R1 with clear ip bgp 192.168.12.2 soft out so that the new outbound policy is applied.

R2#sh ip bgp
BGP table version is 18, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*  192.168.12.0     192.168.12.1             0             0 1 i
*>                  0.0.0.0                  0         32768 i
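The following Python script is an added illustration for this scenario and is not code from the original post or from Cisco IOS. It models the two IOS behaviours the outputs above demonstrate: a standard ACL is evaluated top-down with first match wins and an implicit deny at the end, and a distribute list that names an ACL which is not defined permits every route (fail-open). It parses a constructed copy of R1's configuration (the one with the mistyped NET2), reports dangling ACL references, and computes the prefixes R1 would advertise to 192.168.12.2 before and after the fix. The function names, the treatment of a mask-less network statement as classful, and the restriction to standard ACLs are assumptions made for the example.

```python
"""Model of how Cisco IOS applies a BGP outbound distribute-list, including
the fail-open case in which the named standard ACL does not exist.

Added example for the scenario on this page; not IOS code and not the page's
own configuration. Function names and parsing scope are assumptions.
"""
import ipaddress

# Constructed copy of the page's R1 BGP configuration, as it would appear in
# 'show running-config', with the mistyped distribute-list name (NET2).
R1_CONFIG = """\
ip access-list standard NET1
 10 deny   1.1.2.0 0.0.0.255
 20 permit any
!
router bgp 1
 network 1.1.1.0 mask 255.255.255.0
 network 1.1.2.0 mask 255.255.255.0
 network 192.168.12.0
 neighbor 192.168.12.2 remote-as 2
 neighbor 192.168.12.2 distribute-list NET2 out
"""

ALL_ONES = 0xFFFFFFFF


def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def classful_prefixlen(dotted):
    """Mask IOS implies for 'network X' with no 'mask' keyword (classful)."""
    first = ip_int(dotted) >> 24
    return 8 if first < 128 else 16 if first < 192 else 24


def parse_config(text):
    """Return (acls, dlists, networks) from IOS-style configuration text.

    acls:     {name: [(action, base_int, wildcard_int), ...]}
    dlists:   [(neighbor, acl_name, direction), ...]
    networks: [IPv4Network, ...] from 'network' statements
    """
    acls, dlists, networks = {}, [], []
    current = None  # entry list of the ACL block we are inside, if any
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:3] == ["ip", "access-list", "standard"] and len(toks) == 4:
            current = acls.setdefault(toks[3], [])
            continue
        if toks[0] in ("!", "router"):
            current = None  # leaving the ACL block
        if toks[0].isdigit() and len(toks) > 1:
            toks = toks[1:]  # strip the sequence number of a named-ACL entry
        if current is not None and toks[0] in ("permit", "deny"):
            if toks[1] == "any":
                base, wild = 0, ALL_ONES
            elif toks[1] == "host":
                base, wild = ip_int(toks[2]), 0
            else:
                base = ip_int(toks[1])
                wild = ip_int(toks[2]) if len(toks) > 2 else 0
            current.append((toks[0], base, wild))
        elif toks[0] == "neighbor" and "distribute-list" in toks:
            i = toks.index("distribute-list")
            dlists.append((toks[1], toks[i + 1], toks[i + 2]))
        elif toks[0] == "network":
            plen = toks[3] if "mask" in toks else classful_prefixlen(toks[1])
            networks.append(ipaddress.IPv4Network(f"{toks[1]}/{plen}", strict=False))
    return acls, dlists, networks


def acl_permits(acls, name, prefix):
    """Evaluate standard ACL `name` against a route's network address.

    IOS fail-open behaviour: an ACL name that is not defined permits everything.
    """
    if name not in acls:
        return True
    addr = int(prefix.network_address)
    for action, base, wild in acls[name]:
        care = ~wild & ALL_ONES  # bits the wildcard mask says must match
        if addr & care == base & care:
            return action == "permit"  # first match wins
    return False  # implicit deny at the end of every defined ACL


def advertised_routes(config_text, neighbor):
    """Prefixes the router would send to `neighbor` after outbound filtering."""
    acls, dlists, networks = parse_config(config_text)
    out_acls = [name for nbr, name, direction in dlists
                if nbr == neighbor and direction == "out"]
    return [str(n) for n in networks
            if all(acl_permits(acls, name, n) for name in out_acls)]


def dangling_acl_refs(config_text):
    """Distribute-list ACL names that no 'ip access-list standard' defines.

    This is the pre-deployment lint that would have caught the page's typo.
    """
    acls, dlists, _ = parse_config(config_text)
    return sorted({name for _, name, _ in dlists if name not in acls})


if __name__ == "__main__":
    fixed = R1_CONFIG.replace("distribute-list NET2 out", "distribute-list NET1 out")
    print("dangling ACL references:", dangling_acl_refs(R1_CONFIG))
    print("advertised with NET2 (undefined):", advertised_routes(R1_CONFIG, "192.168.12.2"))
    print("advertised with NET1:", advertised_routes(fixed, "192.168.12.2"))
```

With the mistyped configuration the script reports NET2 as a dangling reference and shows all three prefixes, including 1.1.2.0/24, being advertised; after the name is corrected only 1.1.1.0/24 and 192.168.12.0/24 remain. Running a check like dangling_acl_refs over candidate configurations before they are pushed turns this silent fail-open into a hard error at review time.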
