Unable to drop subnet for particular neighbor in BGP

blason · September 6, 2022, 3:50am

Hi Team,

I am trying to drop one subnet in my BGP using route-map however I am unable to do so. While doing that is dropping all the subnet. Any idea if I am doing anything wrong here?

Wanted to drop 192.168.40.0/23 for neighbot 169.254.22.1 in Import stage

set policy prefix-list InDropLocalSubnets rule 10 action permit
set policy prefix-list InDropLocalSubnets rule 10 prefix 192.168.40.0/23
set policy route-map InDrop rule 10 action deny
set policy route-map InDrop rule 10 match ip address prefix-list InDropLocalSubnets
set protocols bgp 65506 neighbor 169.254.22.1 address-family ipv4-unicast route-map import InDrop

blason · September 6, 2022, 4:24am

I got it - Is that the correct filter?

set policy prefix-list InDropLocalSubnets rule 10 action deny
set policy prefix-list InDropLocalSubnets rule 10 prefix 192.168.40.0/23
set protocols bgp 65505 neighbor 169.254.22.1 address-family ipv4-unicast prefix-list import InDropLocalSubnets

Viacheslav · September 6, 2022, 5:04am

The correct and best filter via route map
Just clear soft in bgp neighbor

blason · September 6, 2022, 5:35am

@Viacheslav Would you please provide us the correct statements then?

e.khudiyev · September 6, 2022, 5:56am

try to add rule 20 action permit in your route-map and see if that works

rgrant · September 6, 2022, 5:57pm

yep you’re right - I discovered the hard way that Vyos != Cisco. Route-maps and prefix-lists do not add an IMPLICIT PERMIT when your first rule is a DENY.

It’s ALWAYS implicit deny.

So if you’re trying to reject a SINGLE prefix whether by using “route-map import” or “prefix-list import” don’t use a double negative - PERMIT the single prefix in the prefix-list, and DENY the prefix-list in the route-map, while PERMITting everything else.

set policy prefix-list InDropLocalSubnets rule 10 action deny
set policy prefix-list InDropLocalSubnets rule 10 prefix 192.168.40.0/23
set policy prefix-list InDropLocalSubnets rule 20 action permit
set protocols bgp 65506 neighbor 169.254.22.1 address-family ipv4-unicast prefix-list import InDropLocalSubnets

or

set policy prefix-list InDropLocalSubnets rule 10 action permit
set policy prefix-list InDropLocalSubnets rule 10 prefix 192.168.40.0/23
set policy route-map InDrop rule 10 action deny
set policy route-map InDrop rule 10 match ip address prefix-list InDropLocalSubnets
set policy route-map InDrop rule 20 action permit
set protocols bgp 65506 neighbor 169.254.22.1 address-family ipv4-unicast route-map import InDrop

I always used route-maps in BGP sessions instead of prefix-lists because it’s easier to change things afterwards - add communities or local-preferences, etc. More consistent. But that’s just a personal preference.

Also: the OP didn’t mention the version number - so the “clear soft” command might also be needed - not sure when but VyOS now doesn’t seem to need it - picks up changes by itself.

blason · September 6, 2022, 6:02pm

blason:

set policy prefix-list InDropLocalSubnets rule 10 action deny
set policy prefix-list InDropLocalSubnets rule 10 prefix 192.168.40.0/23
set protocols bgp 65505 neighbor 169.254.22.1 address-family ipv4-unicast prefix-list import InDropLocalSubnets

Thanks man for the valuable inputs.

system · September 8, 2022, 6:03pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.