BGP Update Issue from Peer?

Hey there,

I’m on VyOS 1.3.

I’m seeing these BGP messages in my log saying DENIED due to: route-map and I’m unsure what I’m doing wrong. When I check the received routes, they’re there. (Peer IP changed to 5.5.5.5 to sanitize)

Log Messages:

Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE w/ attr: nexthop 5.5.5.5, origin i, community 6327:2, path 6327 6939 37662 9498 36926 327708 37133 37349 327792
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE wlen 0 attrlen 59 alen 4
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 165.16.192.0/21 IPv4 unicast -- DENIED due to: route-map;
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE w/ attr: nexthop 5.5.5.5, origin i, community 6327:3, path 6327 3356 53013 267662
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE wlen 0 attrlen 39 alen 12
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 45.224.164.0/23 IPv4 unicast -- DENIED due to: route-map;
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 45.224.164.0/22 IPv4 unicast -- DENIED due to: route-map;
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 45.224.166.0/23 IPv4 unicast -- DENIED due to: route-map;
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE w/ attr: nexthop 5.5.5.5, origin i, community 6327:2, path 6327 6939 37662 12455 327972
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE wlen 0 attrlen 43 alen 4
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 169.239.168.0/22 IPv4 unicast -- DENIED due to: route-map;
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE w/ attr: nexthop 5.5.5.5, origin i, community 6327:2, path 6327 6939 23947 46063
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE wlen 0 attrlen 39 alen 4
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 27.112.70.0/24 IPv4 unicast -- DENIED due to: route-map;
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE w/ attr: nexthop 5.5.5.5, origin i, community 6327:3, path 6327 3356 6453 327708 37343 37343 37343 37343
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE wlen 0 attrlen 55 alen 4
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 197.158.208.0/20 IPv4 unicast -- DENIED due to: route-map;
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE w/ attr: nexthop 5.5.5.5, origin i, community 6327:3, path 6327 3356 209 6223 4155
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE wlen 0 attrlen 43 alen 4
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 199.146.19.0/24 IPv4 unicast -- DENIED due to: route-map;
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE w/ attr: nexthop 5.5.5.5, origin i, community 6327:3, path 6327 174 2914 135097 133180
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE wlen 0 attrlen 43 alen 4
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 38.207.248.0/21 IPv4 unicast -- DENIED due to: route-map;
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE w/ attr: nexthop 5.5.5.5, origin i, community 6327:2, path 6327 16509
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE wlen 0 attrlen 31 alen 8
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 130.137.230.0/24 IPv4 unicast -- DENIED due to: route-map;
Jun 14 14:42:15 VyOS-GW1 bgpd[1115]: 5.5.5.5 rcvd UPDATE about 130.137.219.0/24 IPv4 unicast -- DENIED due to: route-map;

BGP Peer configuration (ASN Sanitized):

set protocols bgp XXXXX neighbor 5.5.5.5 address-family ipv4-unicast route-map export 'V4-BGP-ADV'
set protocols bgp XXXXX neighbor 5.5.5.5 address-family ipv4-unicast route-map import 'V4-BGP-RECEIVED'
set protocols bgp XXXXX neighbor 5.5.5.5 address-family ipv4-unicast soft-reconfiguration inbound

BGP Prefix List for Received Routes:

set policy prefix-list V4-BGP-RECEIVED rule 10 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 10 prefix '0.0.0.0/8'
set policy prefix-list V4-BGP-RECEIVED rule 20 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 20 prefix '10.0.0.0/8'
set policy prefix-list V4-BGP-RECEIVED rule 30 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 30 prefix '100.64.0.0/10'
set policy prefix-list V4-BGP-RECEIVED rule 40 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 40 prefix '127.0.0.0/8'
set policy prefix-list V4-BGP-RECEIVED rule 50 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 50 prefix '169.254.0.0/16'
set policy prefix-list V4-BGP-RECEIVED rule 60 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 60 prefix '172.16.0.0/12'
set policy prefix-list V4-BGP-RECEIVED rule 70 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 70 prefix '192.0.0.0/24'
set policy prefix-list V4-BGP-RECEIVED rule 80 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 80 prefix '192.0.2.0/24'
set policy prefix-list V4-BGP-RECEIVED rule 90 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 90 prefix '192.168.0.0/16'
set policy prefix-list V4-BGP-RECEIVED rule 100 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 100 prefix '198.18.0.0/15'
set policy prefix-list V4-BGP-RECEIVED rule 110 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 110 prefix '198.51.100.0/24'
set policy prefix-list V4-BGP-RECEIVED rule 120 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 120 prefix '203.0.113.0/24'
set policy prefix-list V4-BGP-RECEIVED rule 130 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 130 prefix '224.0.0.0/4'
set policy prefix-list V4-BGP-RECEIVED rule 140 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 140 prefix '240.0.0.0/4'
set policy prefix-list V4-BGP-RECEIVED rule 150 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 150 prefix '255.255.255.255/32'
set policy prefix-list V4-BGP-RECEIVED rule 160 action 'permit'
set policy prefix-list V4-BGP-RECEIVED rule 160 prefix '0.0.0.0/0'

BGP Route Map:

set policy route-map V4-BGP-RECEIVED rule 10 action 'permit'
set policy route-map V4-BGP-RECEIVED rule 10 match as-path 'BGP-ASN'
set policy route-map V4-BGP-RECEIVED rule 10 match ip address prefix-list 'V4-BGP-RECEIVED'
set policy route-map V4-BGP-RECEIVED rule 10 set local-preference '100'
set policy route-map V4-BGP-RECEIVED rule 10 set metric '80'
set policy route-map V4-BGP-RECEIVED rule 10 set weight '100'

Regex to make sure we only accept from our peer’s BGP ASN:

set policy as-path-list BGP-ASN rule 10 action 'permit'
set policy as-path-list BGP-ASN rule 10 description 'Match AS 6327'
set policy as-path-list BGP-ASN rule 10 regex '^6327$'

Here’s the output when I check the received routes for one of those networks:

admin@VyOS-GW1:~$ show ip bgp neighbors 5.5.5.5 received-routes | grep 197.158.208.0/20
*> 197.158.208.0/20 5.5.5.5                            0 6327 3257 6453 327708 37343 37343 37343 37343 i

Any idea why those messages are appearing and how to resolve it?

Thanks!

Are you expecting to receive those routes? Or just the default from your peer?

Those will be denied due to your as-path-list. You should see them in received-routes, but they won’t get installed (check show ip bgp)

1 Like

Good catch…

When it comes to route-maps (and prefix-lists), when you define, for example:

set policy prefix-list V4-BGP-RECEIVED rule 80 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 80 prefix '192.0.2.0/24'

That will ONLY block a route that EXACTLY matches “192.0.2.0/24”. If the neighbor sends you, for example, 192.0.2.0/29, that will not get denied by that rule, since both the network address AND the prefix length of the received route must match.

To fix this (in your case) you must add “ge” to your statement, something like:

set policy prefix-list V4-BGP-RECEIVED rule 80 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 80 prefix '192.0.2.0/24'
set policy prefix-list V4-BGP-RECEIVED rule 80 ge 24

The above means that if a route that matches 192.0.2.0/24, or a more specific prefix such as /25, /26 … /32, is received, it will be matched by this rule, whose verdict is “deny”. “ge” means greater-or-equal. There is also “le” if you want to go the other way around with less-or-equal.

So try this as your prefix-list and it should work as you expected it to work from the beginning:

set policy prefix-list V4-BGP-RECEIVED rule 10 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 10 prefix '0.0.0.0/8'
set policy prefix-list V4-BGP-RECEIVED rule 10 ge 8
set policy prefix-list V4-BGP-RECEIVED rule 20 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 20 prefix '10.0.0.0/8'
set policy prefix-list V4-BGP-RECEIVED rule 20 ge 8
set policy prefix-list V4-BGP-RECEIVED rule 30 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 30 prefix '100.64.0.0/10'
set policy prefix-list V4-BGP-RECEIVED rule 30 ge 10
set policy prefix-list V4-BGP-RECEIVED rule 40 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 40 prefix '127.0.0.0/8'
set policy prefix-list V4-BGP-RECEIVED rule 40 ge 8
set policy prefix-list V4-BGP-RECEIVED rule 50 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 50 prefix '169.254.0.0/16'
set policy prefix-list V4-BGP-RECEIVED rule 50 ge 16
set policy prefix-list V4-BGP-RECEIVED rule 60 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 60 prefix '172.16.0.0/12'
set policy prefix-list V4-BGP-RECEIVED rule 60 ge 12
set policy prefix-list V4-BGP-RECEIVED rule 70 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 70 prefix '192.0.0.0/24'
set policy prefix-list V4-BGP-RECEIVED rule 70 ge 24
set policy prefix-list V4-BGP-RECEIVED rule 80 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 80 prefix '192.0.2.0/24'
set policy prefix-list V4-BGP-RECEIVED rule 80 ge 24
set policy prefix-list V4-BGP-RECEIVED rule 90 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 90 prefix '192.168.0.0/16'
set policy prefix-list V4-BGP-RECEIVED rule 90 ge 16
set policy prefix-list V4-BGP-RECEIVED rule 100 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 100 prefix '198.18.0.0/15'
set policy prefix-list V4-BGP-RECEIVED rule 100 ge 15
set policy prefix-list V4-BGP-RECEIVED rule 110 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 110 prefix '198.51.100.0/24'
set policy prefix-list V4-BGP-RECEIVED rule 110 ge 24
set policy prefix-list V4-BGP-RECEIVED rule 120 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 120 prefix '203.0.113.0/24'
set policy prefix-list V4-BGP-RECEIVED rule 120 ge 24
set policy prefix-list V4-BGP-RECEIVED rule 130 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 130 prefix '224.0.0.0/4'
set policy prefix-list V4-BGP-RECEIVED rule 130 ge 4
set policy prefix-list V4-BGP-RECEIVED rule 140 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 140 prefix '240.0.0.0/4'
set policy prefix-list V4-BGP-RECEIVED rule 140 ge 4
set policy prefix-list V4-BGP-RECEIVED rule 150 action 'deny'
set policy prefix-list V4-BGP-RECEIVED rule 150 prefix '255.255.255.255/32'
set policy prefix-list V4-BGP-RECEIVED rule 150 ge 32
set policy prefix-list V4-BGP-RECEIVED rule 160 action 'permit'
set policy prefix-list V4-BGP-RECEIVED rule 160 prefix '0.0.0.0/0'
set policy prefix-list V4-BGP-RECEIVED rule 160 ge 0

1 Like
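An added example, not code from the thread: a small Python model of the FRR matching rules the replies above describe (exact prefix match unless ge/le widen it, and an as-path regex where "_" is an AS boundary), run over prefixes and AS paths taken from the log. The 192.0.2.0/29 route and ASN 64500 are constructed; the rest is assumed FRR/VyOS behaviour.

```python
import ipaddress
import re

# Constructed sample routes: the prefixes and AS paths come from the log lines
# in the post, plus one more-specific bogon (64500 is a documentation ASN).
RECEIVED = [
    ("197.158.208.0/20", "6327 3356 6453 327708 37343 37343 37343 37343"),
    ("45.224.164.0/23", "6327 3356 53013 267662"),
    ("192.0.2.0/29", "6327 64500"),
    ("0.0.0.0/0", "6327"),
]

def prefix_rule_matches(route, rule_prefix, ge=None, le=None):
    """One prefix-list rule under FRR/VyOS semantics: the route must lie inside
    rule_prefix and its length must equal the rule's length, unless ge/le
    widen the accepted range (ge alone means ge..32)."""
    r, p = ipaddress.ip_network(route), ipaddress.ip_network(rule_prefix)
    if r.version != p.version or not r.subnet_of(p):
        return False
    lo = p.prefixlen if ge is None else ge
    if le is not None:
        hi = le
    else:
        hi = r.max_prefixlen if ge is not None else p.prefixlen
    return lo <= r.prefixlen <= hi

def prefix_list_verdict(route, rules):
    """First matching rule wins; a route that matches no rule is denied."""
    for action, prefix, ge, le in rules:
        if prefix_rule_matches(route, prefix, ge, le):
            return action
    return "deny"

def as_path_matches(regex, as_path):
    """FRR expands '_' in an as-path regex to an AS boundary (start, end, space)."""
    return re.search(regex.replace("_", "(^|[ ,{}()]|$)"), as_path) is not None

def route_map_verdict(route, as_path, as_regex, prefix_rules):
    """The single permit rule from the post: every match clause must hit, and
    a route that matches no rule falls through to the route-map's implicit deny."""
    ok = (as_path_matches(as_regex, as_path)
          and prefix_list_verdict(route, prefix_rules) == "permit")
    return "permit" if ok else "deny"

# Rule 80 as posted (exact match) versus with 'ge 24'. The closing permit-any
# rule needs 'le 32': a bare 0.0.0.0/0 rule matches only the default route.
EXACT_RULES = [("deny", "192.0.2.0/24", None, None), ("permit", "0.0.0.0/0", None, 32)]
GE_RULES = [("deny", "192.0.2.0/24", 24, None), ("permit", "0.0.0.0/0", None, 32)]

if __name__ == "__main__":
    for route, path in RECEIVED:
        print(f"{route:18} ^6327$ -> {route_map_verdict(route, path, '^6327$', GE_RULES):6}"
              f" ^6327_ -> {route_map_verdict(route, path, '^6327_', GE_RULES)}")
```

Running it shows that the posted '^6327$' regex permits only the bare default route, while '^6327_' permits any path that begins with the peer's AS; the /29 is caught only by the 'ge 24' version of the rule.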

Adding to what Apachez said, I generally recommend not bundling everything into a single prefix list. You have 3 groups you’re taking action on: RFC1918, Bogons, and a Default. Those would be individual prefix-lists in my suggestion.

Additionally, I recommend keeping all permit/deny actions within the route-map, and always making a prefix-list rule a permit. This makes it a reusable object. Take RFC1918 and Default as examples.

  • Default you want to receive from your provider, but not send to them. So you could match the same object in both directions, but just change the action on the directional route-maps to either permit (for import) or deny (for export).

  • RFC1918 addresses you don’t want to send or receive with a provider, but you may want to send those prefixes to a private peer (like over a VPN). You’ll be able to use the same object for all of those actions.

Using separate prefix-lists allows you to have 3 separate entries in your route-map, and the route-maps allow you to do a per rule description. It’ll make following the bouncing ball later much easier.

1 Like

RFC1918 is part of the Bogons, but it could still be handy to keep them separate, as you suggest.

Since we already denied V4-RFC1918, V4-BOGONS and V4-BROADCAST, there is no need to match ip for rule 40; just do the match as-path for BGP-ASN.

The resulting route-map could look something like:

set policy route-map V4-BGP-RECEIVED rule 10 action 'deny'
set policy route-map V4-BGP-RECEIVED rule 10 match ip address prefix-list 'V4-RFC1918'
set policy route-map V4-BGP-RECEIVED rule 20 action 'deny'
set policy route-map V4-BGP-RECEIVED rule 20 match ip address prefix-list 'V4-BOGONS'
set policy route-map V4-BGP-RECEIVED rule 30 action 'deny'
set policy route-map V4-BGP-RECEIVED rule 30 match ip address prefix-list 'V4-BROADCAST'
set policy route-map V4-BGP-RECEIVED rule 40 action 'permit'
set policy route-map V4-BGP-RECEIVED rule 40 match as-path 'BGP-ASN'
set policy route-map V4-BGP-RECEIVED rule 40 set local-preference '100'
set policy route-map V4-BGP-RECEIVED rule 40 set metric '80'
set policy route-map V4-BGP-RECEIVED rule 40 set weight '100'

And for the prefix-lists, since you want a hit to be true (so the route-map can deny it if it exists/gets a hit), the content will be written in reverse (action accept instead of deny), so something like:

set policy prefix-list V4-RFC1918 description 'https://datatracker.ietf.org/doc/html/rfc1918'
set policy prefix-list V4-RFC1918 rule 10 action 'permit'
set policy prefix-list V4-RFC1918 rule 10 prefix '10.0.0.0/8'
set policy prefix-list V4-RFC1918 rule 10 ge 8
set policy prefix-list V4-RFC1918 rule 20 action 'permit'
set policy prefix-list V4-RFC1918 rule 20 prefix '172.16.0.0/12'
set policy prefix-list V4-RFC1918 rule 20 ge 12
set policy prefix-list V4-RFC1918 rule 30 action 'permit'
set policy prefix-list V4-RFC1918 rule 30 prefix '192.168.0.0/16'
set policy prefix-list V4-RFC1918 rule 30 ge 16
set policy prefix-list V4-BOGONS description 'https://team-cymru.org/Services/Bogons/bogon-bn-agg.txt'
set policy prefix-list V4-BOGONS rule 10 action 'permit'
set policy prefix-list V4-BOGONS rule 10 prefix '0.0.0.0/8'
set policy prefix-list V4-BOGONS rule 10 ge 8
set policy prefix-list V4-BOGONS rule 20 action 'permit'
set policy prefix-list V4-BOGONS rule 20 prefix '10.0.0.0/8'
set policy prefix-list V4-BOGONS rule 20 ge 8
set policy prefix-list V4-BOGONS rule 30 action 'permit'
set policy prefix-list V4-BOGONS rule 30 prefix '100.64.0.0/10'
set policy prefix-list V4-BOGONS rule 30 ge 10
set policy prefix-list V4-BOGONS rule 40 action 'permit'
set policy prefix-list V4-BOGONS rule 40 prefix '127.0.0.0/8'
set policy prefix-list V4-BOGONS rule 40 ge 8
set policy prefix-list V4-BOGONS rule 50 action 'permit'
set policy prefix-list V4-BOGONS rule 50 prefix '169.254.0.0/16'
set policy prefix-list V4-BOGONS rule 50 ge 16
set policy prefix-list V4-BOGONS rule 60 action 'permit'
set policy prefix-list V4-BOGONS rule 60 prefix '172.16.0.0/12'
set policy prefix-list V4-BOGONS rule 60 ge 12
set policy prefix-list V4-BOGONS rule 70 action 'permit'
set policy prefix-list V4-BOGONS rule 70 prefix '192.0.0.0/24'
set policy prefix-list V4-BOGONS rule 70 ge 24
set policy prefix-list V4-BOGONS rule 80 action 'permit'
set policy prefix-list V4-BOGONS rule 80 prefix '192.0.2.0/24'
set policy prefix-list V4-BOGONS rule 80 ge 24
set policy prefix-list V4-BOGONS rule 90 action 'permit'
set policy prefix-list V4-BOGONS rule 90 prefix '192.168.0.0/16'
set policy prefix-list V4-BOGONS rule 90 ge 16
set policy prefix-list V4-BOGONS rule 100 action 'permit'
set policy prefix-list V4-BOGONS rule 100 prefix '198.18.0.0/15'
set policy prefix-list V4-BOGONS rule 100 ge 15
set policy prefix-list V4-BOGONS rule 110 action 'permit'
set policy prefix-list V4-BOGONS rule 110 prefix '198.51.100.0/24'
set policy prefix-list V4-BOGONS rule 110 ge 24
set policy prefix-list V4-BOGONS rule 120 action 'permit'
set policy prefix-list V4-BOGONS rule 120 prefix '203.0.113.0/24'
set policy prefix-list V4-BOGONS rule 120 ge 24
set policy prefix-list V4-BOGONS rule 130 action 'permit'
set policy prefix-list V4-BOGONS rule 130 prefix '224.0.0.0/4'
set policy prefix-list V4-BOGONS rule 130 ge 4
set policy prefix-list V4-BROADCAST rule 10 action 'permit'
set policy prefix-list V4-BROADCAST rule 10 prefix '255.255.255.255/32'

And these can be handy in the future:

set policy prefix-list V4-MULTICAST rule 10 action 'permit'
set policy prefix-list V4-MULTICAST rule 10 prefix '224.0.0.0/4'
set policy prefix-list V4-MULTICAST rule 10 ge 4
set policy prefix-list V4-DEFAULT rule 10 action 'permit'
set policy prefix-list V4-DEFAULT rule 10 prefix '0.0.0.0/0'
set policy prefix-list V4-ANY rule 10 action 'permit'
set policy prefix-list V4-ANY rule 10 prefix '0.0.0.0/0'
set policy prefix-list V4-ANY rule 10 le 32

1 Like

Yep, I always separate RFC1918 from any Bogon list (for both routing and firewall). The reason being that I’m always hostile towards everything else on the list, but I’m only hostile towards RFC1918 for external connections.

Another one I frequently separate is APIPA, since it has become somewhat typical for people to use that range for tunnel IPs (which I hate, but thank cloud services for pushing that).

Thanks a lot for taking the time to explain and give suggestions!

I’ll be taking and implementing these changes in our configuration. I’ll keep you posted 🙂

Cheers,

1 Like