Simple BGP announcement the correct way

Hello everyone.
This is my first post on the forums. So please bear with me if I am being stupid or dumb. I’ve searched the forums and the documentation and I didn’t find a straight answer to my doubt.

I am setting up an eBGP session to announce some subnets and accept announcements.
So far, here’s the config I got:

set protocols bgp system-as 65000
set protocols bgp parameters router-id 10.0.0.1
set protocols bgp address-family ipv4-unicast network 172.16.20.0/24
set protocols bgp address-family ipv4-unicast network 172.16.21.0/24
set protocols bgp address-family ipv6-unicast network fd00:0:0:100::/64
set protocols bgp neighbor 192.168.0.114
set protocols bgp neighbor 192.168.0.114 description 'Service-Peer-4'
set protocols bgp neighbor 192.168.0.114 capability dynamic
set protocols bgp neighbor 192.168.0.114 remote-as 65001
set protocols bgp neighbor 192.168.0.114 update-source tun1
set protocols bgp neighbor 192.168.0.114 address-family ipv4-unicast nexthop-self force
set protocols bgp neighbor 192.168.0.114 address-family ipv6-unicast nexthop-self force
set protocols bgp neighbor 192.168.0.114 address-family ipv4-unicast remove-private-as
set protocols bgp neighbor 192.168.0.114 address-family ipv6-unicast remove-private-as

So, my 1st question is: Is the above correct or should I create a session for IPv4 and a session for IPv6?
And then what is the correct way to announce the subnets?
Is it like this:

set prefix-list 65001-OUT description 'Subnets to be announced'
set prefix-list 65001-OUT rule 10 action permit
set prefix-list 65001-OUT rule 10 prefix 172.16.20.0/24
set prefix-list 65001-OUT rule 20 action permit
set prefix-list 65001-OUT rule 20 prefix 172.16.21.0/24
set prefix-list 65001-OUT rule 30 action permit
set prefix-list 65001-OUT rule 30 prefix fd00:0:0:100::/64
set prefix-list 65001-OUT rule 40 action deny
set prefix-list 65001-OUT rule 40 prefix 0.0.0.0/0
set prefix-list 65001-OUT rule 50 action deny
set prefix-list 65001-OUT rule 50 prefix ::/0
set prefix-list 65001-IN description 'Subnets received'
set prefix-list 65001-IN rule 10 action deny
set prefix-list 65001-IN rule 10 prefix 172.16.20.0/24
set prefix-list 65001-IN rule 20 action deny
set prefix-list 65001-IN rule 20 prefix 172.16.21.0/24
set prefix-list 65001-IN rule 30 action deny
set prefix-list 65001-IN rule 30 prefix fd00:0:0:100::/64
set prefix-list 65001-IN rule 40 action permit
set prefix-list 65001-IN rule 40 prefix 0.0.0.0/0
set prefix-list 65001-IN rule 50 action permit
set prefix-list 65001-IN rule 50 prefix ::/0
set route-map 65001-OUT rule 10 action permit
set route-map 65001-OUT rule 10 match ip address prefix-list 65001-OUT
set protocols bgp neighbor 192.168.0.114 address-family ipv4-unicast prefix-list import 65001-IN
set protocols bgp neighbor 192.168.0.114 address-family ipv4-unicast route-map export 65001-OUT
set protocols bgp neighbor 192.168.0.114 address-family ipv6-unicast prefix-list import 65001-IN
set protocols bgp neighbor 192.168.0.114 address-family ipv6-unicast route-map export 65001-OUT

Or is it better and cleaner to do it like this:

set prefix-list MYSUBNET description 'List of my Subnets'
set prefix-list MYSUBNET rule 10 prefix 172.16.20.0/24
set prefix-list MYSUBNET rule 20 prefix 172.16.21.0/24
set prefix-list MYSUBNET rule 30 prefix fd00:0:0:100::/64
set prefix-list ALLSUBNET description 'List of all Subnets'
set prefix-list ALLSUBNET rule 10 prefix 0.0.0.0/0
set prefix-list ALLSUBNET rule 20 prefix ::/0
set route-map 65001-OUT description 'Rules export for AS65001'
set route-map 65001-OUT rule 10 action permit
set route-map 65001-OUT rule 10 match ip address prefix-list MYSUBNET
set route-map 65001-OUT rule 20 action deny
set route-map 65001-OUT rule 20 match ip address prefix-list ALLSUBNET
set route-map 65001-IN description 'Rules import for AS65001'
set route-map 65001-IN rule 10 action deny
set route-map 65001-IN rule 10 match ip address prefix-list MYSUBNET
set route-map 65001-IN rule 20 action permit
set route-map 65001-IN rule 20 match ip address prefix-list ALLSUBNET
set protocols bgp neighbor 192.168.0.114 address-family ipv4-unicast route-map export 65001-OUT
set protocols bgp neighbor 192.168.0.114 address-family ipv4-unicast route-map import 65001-IN
set protocols bgp neighbor 192.168.0.114 address-family ipv6-unicast route-map export 65001-OUT
set protocols bgp neighbor 192.168.0.114 address-family ipv6-unicast route-map import 65001-IN
  • Regarding whether to use separate sessions for IPv6 vs IPv4 - this is personal taste. However, I’ve found that the majority of Internet connected peers prefer separate sessions. That is to say, if you’re controlling both sides of the session, feel free to use either style, but if you’re not, you must coordinate with the other side - and you’ll find the “combined” session to be much more rare.

  • Regarding prefix-lists - either your syntax is wrong or you are using a shortcut - i.e. when you say “set prefix-list” you mean “set policy prefix-list”. You don’t mention which version you’re using. A lot of your commands are probably not going to commit successfully under any version so perhaps you’re just providing a “simplified” config for comment?

  • Also: you probably won’t be able to use an IPv6 address in your IPv4 prefix list. You have to use “set policy prefix-list” with your IPv4 addresses and “set policy prefix-list6” with your IPv6 addresses.

  • With the “using route-maps versus prefix-lists in BGP neighbor” - this is personal preference but I find prefix-lists too limiting for all but the most trivial cases and nearly ALWAYS use the “route-map export Foo-OUT/route-map import FOO-IN” usage, and call prefix lists accordingly in the route-maps.

Hello @rgrant,
Thank you for your feedback.
Yes the syntax is just for demonstration only (to not have to write down the full line).
The thing that bothers me is that even if you use the route-map, you still have to create the prefix-list.
What happens when you create a prefix-list with deny ranges and then a route-map to allow the prefix-list?

Yes, if you use a route-map you still need the prefix-list, so why use a route-map?

If you need to set as-path-prepend or local-preference or weight or change the next-hop or reject invalid routes, you need a route-map. If you want to check multiple prefix lists or separate your lists by function in order to self-document your configuration, you need a route-map - or repetitive prefix-lists, which violates DRY.

That’s why it’s a “personal taste” issue - in certain circumstances I too just add the prefix-list. But it’s 5% of the time these days. Just sayin’

VyOS prefix-lists and route-maps are “default deny”, so if you have deny ranges at the end of the list they’re pointless - a deny rule ahead of other permit rules is the only useful configuration. The curious thing about matching a prefix-list in a route-map is that the route-map rule is applied ONLY if the prefix list MATCHES. So in your example,

set route-map 65001-OUT rule 20 action deny
set route-map 65001-OUT rule 20 match ip address prefix-list ALLSUBNET

is useless because you don’t have another rule after it. You could have just used rule 10 to match “MYSUBNET” and leave it at that.

BTW, a useful tip is that you can use the same prefix-list name for IPv4 and for IPV6. So:

set policy prefix-list MYSUBNET rule 10 action permit
set policy prefix-list MYSUBNET rule 10 prefix 172.16.20.0/24
set policy prefix-list MYSUBNET rule 20 action permit
set policy prefix-list MYSUBNET rule 20 prefix 172.16.21.0/24
set policy prefix-list6 MYSUBNET rule 10 action permit
set policy prefix-list6 MYSUBNET rule 10 prefix fd00:0:0:100::/64

results in TWO “prefix lists” with the same name, NOT three prefixes in ONE list.

You could either then use TWO separate route-maps, calling two separate prefix-lists:

set policy route-map 65001v4-OUT rule 10 action permit
set policy route-map 65001v4-OUT rule 10 match ip address prefix-list MYSUBNET
set policy route-map 65001v6-OUT rule 10 action permit
set policy route-map 65001v6-OUT rule 10 match ipv6 address prefix-list MYSUBNET

(you’ll notice the same prefix-list name, but they’re actually DIFFERENT)

OR combine them:

set policy route-map 65001-OUT rule 10 action permit
set policy route-map 65001-OUT rule 10 match ip address prefix-list MYSUBNET
set policy route-map 65001-OUT rule 20 action permit
set policy route-map 65001-OUT rule 20 match ipv6 address prefix-list MYSUBNET

(obviously, an IPv4 prefix will never match rule 20, and vice versa)

And then your BGP Session gets ANY ONE of these configurations:

set protocols bgp neighbor 192.168.0.114 address-family ipv4-unicast route-map export 65001v4-OUT
set protocols bgp neighbor 192.168.0.114 address-family ipv6-unicast route-map export 65001v6-OUT

set protocols bgp neighbor 192.168.0.114 address-family ipv4-unicast route-map export 65001-OUT
set protocols bgp neighbor 192.168.0.114 address-family ipv6-unicast route-map export 65001-OUT

set protocols bgp neighbor 192.168.0.114 address-family ipv4-unicast prefix-list export MYSUBNET
set protocols bgp neighbor 192.168.0.114 address-family ipv6-unicast prefix-list export MYSUBNET

Whichever suits your taste.
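As an added illustration (not part of the thread), here is a small Python model of the evaluation order the replies describe: prefix-lists and route-maps are default-deny, a route-map rule only fires when its match clause hits, and an IPv4 list is a different object from an IPv6 list of the same name. The MYSUBNET, ALLSUBNET and 65001-OUT names are the thread's; the `le` bound on ALLSUBNET and the `family` field are my own assumptions about how an "any prefix" list and a match clause are represented.

```python
import ipaddress

# prefix-list entry: (action, prefix, le). `le` None means exact-length match only
# (FRR's default); "0.0.0.0/0 le 32" is how an "any IPv4 prefix" entry is written.
def prefix_list_permits(entries, net):
    """Walk the list in rule order; first hit decides. No hit = implicit deny."""
    for action, pfx, le in entries:
        cand = ipaddress.ip_network(pfx)
        if cand.version != net.version:
            continue                      # an IPv4 list never sees IPv6 routes, and vice versa
        max_len = le if le is not None else cand.prefixlen
        if net.subnet_of(cand) and cand.prefixlen <= net.prefixlen <= max_len:
            return action == "permit"
    return False

def route_map_permits(rules, pl4, pl6, prefix):
    """rules: [(action, family, list_name)] in rule order; pl4/pl6: name -> entries.
    A rule only applies when its prefix-list matches; falling off the end is a deny."""
    net = ipaddress.ip_network(prefix)
    for action, family, name in rules:
        table, version = (pl4, 4) if family == "ip" else (pl6, 6)
        if net.version != version:
            continue                      # "match ip address" can never match an IPv6 route
        if prefix_list_permits(table.get(name, []), net):
            return action == "permit"
    return False

# Constructed policy data mirroring the thread's lists (two namespaces, same names).
PL4 = {"MYSUBNET": [("permit", "172.16.20.0/24", None), ("permit", "172.16.21.0/24", None)],
       "ALLSUBNET": [("permit", "0.0.0.0/0", 32)]}
PL6 = {"MYSUBNET": [("permit", "fd00:0:0:100::/64", None)],
       "ALLSUBNET": [("permit", "::/0", 128)]}

WITH_DENY = [("permit", "ip", "MYSUBNET"), ("deny", "ip", "ALLSUBNET")]   # poster's 65001-OUT
JUST_RULE10 = [("permit", "ip", "MYSUBNET")]                                # same map, rule 10 only
COMBINED = [("permit", "ip", "MYSUBNET"), ("permit", "ipv6", "MYSUBNET")]   # combined v4+v6 map

CANDIDATES = ["172.16.20.0/24", "172.16.22.0/24", "10.0.0.0/8", "fd00:0:0:100::/64"]

def export_decisions(rules):
    """Export verdict (True = announced) for each candidate route under a route-map."""
    return {p: route_map_permits(rules, PL4, PL6, p) for p in CANDIDATES}

if __name__ == "__main__":
    for label, rules in (("with trailing deny", WITH_DENY),
                         ("rule 10 only", JUST_RULE10), ("combined v4/v6", COMBINED)):
        print(f"{label:20s} {export_decisions(rules)}")
```

Running it shows the trailing deny rule changes nothing, and that the IPv6 prefix is only exported once an `ipv6` match rule (or a separate IPv6 route-map) is present.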
