I’m trying to follow this document as a guide, the info appears to be in the very bottom under “Route Filter”. BGP — VyOS 1.3.x (equuleus) documentation
So I’m setting up a new vyos (VyOS 1.3.0-epa2 equuleus), with a new pair of bgp peers to the internet provider. We need to advertise/broadcast our local subnet “A.B.C.0/24”, but apparently we’re actually sending the ENTIRE routing table back to the provider as well. (Receiving the entire table from them is, I’m told, working fine.)
I’m following as precisely as I can the given example, where “AS65535-OUT” is just a simple text label, written as “-OUT” below; “A.B.C.0/24” is the only network that should be advertised back to our peer; “” is just my own local AS; and “D.E.F.G” and “H.I.J.K” are the two bgp-connected peers. Transcribing just the “OUT” entries from the examples, that makes my config:
set policy prefix-list <LABEL>-OUT rule 10 action 'deny'
set policy prefix-list <LABEL>-OUT rule 10 prefix 'A.B.C.0/24'
set policy route-map <LABEL>-OUT rule 10 action 'deny'
set policy route-map <LABEL>-OUT rule 10 match ip address prefix-list '<LABEL>-OUT'
set policy route-map <LABEL>-OUT rule 20 action 'permit'
set protocols bgp <MINE> address-family ipv4-unicast network A.B.C.0/24
set protocols bgp <MINE> neighbor D.E.F.G address-family ipv4-unicast route-map export '<LABEL>-OUT'
set protocols bgp <MINE> neighbor H.I.J.K address-family ipv4-unicast route-map export '<LABEL>-OUT'
So if I’ve followed that example exactly, why then is the ENTIRE table still being broadcast back out to the peers?
Change the action to ‘permit’ for prefix-list and desired action in the route-map
Also there is the ‘solo’ option:
set protocols bgp xxxx neighbor x.x.x.x solo
solo
Do not send back prefixes learned from the neighbor
If I use the “solo” option on both of the bgp peers, then that eliminates the need to also use the policy and route-map entries too?
And your suggestion is to change both of those entries so that it instead reads as:
set policy prefix-list <LABEL>-OUT rule 10 action 'permit'
set policy prefix-list <LABEL>-OUT rule 10 prefix 'A.B.C.0/24'
set policy route-map <LABEL>-OUT rule 10 action 'permit'
set policy route-map <LABEL>-OUT rule 10 match ip address prefix-list '<LABEL>-OUT'
set policy route-map <LABEL>-OUT rule 20 action 'permit'
set protocols bgp <MINE> address-family ipv4-unicast network A.B.C.0/24
set protocols bgp <MINE> neighbor D.E.F.G address-family ipv4-unicast route-map export '<LABEL>-OUT'
set protocols bgp <MINE> neighbor H.I.J.K address-family ipv4-unicast route-map export '<LABEL>-OUT'
That especially confuses me, as the examples at the docs.vyos.io link ALL explicitly use “deny” in both spots.
I am also wary of making such changes on the “live” system, as I am entirely remote from the server, and don’t want to accidentally lock myself out due to missing routes.
I learned that lesson the HARD way on a Cisco many years ago: when modifying policy lists for an interface, do it in three steps:
- turn off the interface’s usage of the policy
- edit the policy
- turn the interface’s usage of the policy back on
But at least the vyos’ implementation of “commit” then “save” should mean that any changes to the prefix-list and the route-map would all happen together, and not live as I type them out in configuration mode, yes?
Some minor good news; simply setting the “solo” mode on both of the peers did eliminate the MAJORITY of the outbound-advertised routes. But I’ve got a pair of peers, both are AS , and the routes learned from D.E.F.G are still being sent out to H.I.J.K, and vice-versa. So I do indeed still need to finish working out the prefix-list/route-map issues.
But for somebody that only has a single bgp peer, I suppose the “solo” option may be a fully sufficient solution.
I’m still boggled as to why the official documentation for bgp both does not even mention the “solo” option and includes a completely dysfunctional example for the route-map/prefix-list.
It is a good practice to use route-map everywhere in the BGP.
Do you want to export just one prefix declared in the prefix-list <LABEL>-OUT?
In that case, you do not need route-map rule 20, which permits all other prefixes.
I am very new to bgp, and utterly new to vyos. I have likely not yet fully grasped all the fundamentals about either, and am still minorly boggled by some of the terminology y’all take for granted.
So minor apologies for describing my issue in English rather than in technical terms:
This new site hosts a single Class C /24 network A.B.C.0/24; some of the ip addresses are dynamically pushed by ospf from A.B.C.66/30 (this much seems to work, at least?)
So specifically the routes for A.B.C.0/24 must be advertised/published to both of our bgp peers, and NOTHING else should be advertised from us. I don’t yet understand how your syntax applies to accomplishing this, especially as the pair of examples both use entirely “deny” in the prefix-list in all of the “OUT” rules shown.
And I’m only wanting to filter the “outbound” routes, accepting any route from either peer IS what I want.
set policy prefix-list UPLINK-OUT rule 10 action 'permit'
set policy prefix-list UPLINK-OUT rule 10 prefix '203.0.113.0/24'
set policy route-map UPLINK-OUT rule 10 action 'permit'
set policy route-map UPLINK-OUT rule 10 match ip address prefix-list 'UPLINK-OUT'
In that case only network 203.0.113.0/24 will be exported to bgp neighbors, where this route-map is attached.
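Added example (not from the thread or from VyOS itself): a small Python model of how a prefix-list is evaluated inside a route-map, so you can see why the deny/deny/permit-all chain transcribed from the docs exports every route, why keeping route-map rule 20 still exports everything, and why the permit-only policy above exports just the one prefix. It assumes exact-prefix matching (no ge/le) and uses constructed sample routes.

```python
import ipaddress

def prefix_list_permits(rules, prefix):
    """rules: list of (action, prefix). First exact match wins; no match = deny."""
    net = ipaddress.ip_network(prefix)
    for action, rule_prefix in rules:
        if net == ipaddress.ip_network(rule_prefix):
            return action == "permit"
    return False  # implicit deny at the end of every prefix-list

def route_map_permits(rules, prefix_lists, prefix):
    """rules: list of (action, prefix_list_name or None).
    A rule with no match clause matches every route. The first rule whose
    match clause succeeds decides; a prefix-list that denies the prefix means
    the match clause fails. No matching rule at all = implicit deny."""
    for action, plist in rules:
        if plist is None or prefix_list_permits(prefix_lists[plist], prefix):
            return action == "permit"
    return False

def exported(route_map, prefix_lists, routes):
    """Return the routes the export route-map lets through to the neighbor."""
    return [r for r in routes if route_map_permits(route_map, prefix_lists, r)]

# Constructed sample RIB: our own /24 plus two prefixes learned from the peers.
ROUTES = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"]

# What the original poster transcribed from the docs: deny in the prefix-list,
# deny in route-map rule 10, then rule 20 permits everything else.
BROKEN_PL = {"UPLINK-OUT": [("deny", "203.0.113.0/24")]}
BROKEN_RM = [("deny", "UPLINK-OUT"), ("permit", None)]

# First suggested change: permit in both places, but rule 20 left in.
FIXED_PL = {"UPLINK-OUT": [("permit", "203.0.113.0/24")]}
HALF_FIXED_RM = [("permit", "UPLINK-OUT"), ("permit", None)]

# Final policy from the last reply: permit the one prefix, rely on implicit deny.
FIXED_RM = [("permit", "UPLINK-OUT")]

if __name__ == "__main__":
    print("docs example as transcribed:", exported(BROKEN_RM, BROKEN_PL, ROUTES))
    print("permit but rule 20 kept:    ", exported(HALF_FIXED_RM, FIXED_PL, ROUTES))
    print("permit, no rule 20:         ", exported(FIXED_RM, FIXED_PL, ROUTES))
```

The first two cases leak all three routes because the prefix-list deny (or non-match) only makes rule 10 fall through to the catch-all rule 20; only the last case leaves the learned prefixes with no matching rule, so they hit the implicit deny.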