Hi CheckMates,
I have a BGP peering with Cisco N9K and need to add a community to routes received from the N9K.
This doesn't seem to work with an inbound routemap, only outbound. Tested with Maestro and non-Maestro and iBGP/eBGP, all with the same outcome.
Inbound routemap example:
set routemap lab id 10 on
set routemap lab id 10 allow
set routemap lab id 10 match community 1000 as 65000 on
set routemap lab id 10 match protocol bgp
set routemap lab id 10 action community 100 as 65099 on
set routemap lab id 10 action community append on
set routemap lab id 10 action localpref 400
set routemap lab id 10 action preference 500
The expectation is community 65099:100 to be added to the routes.
set bgp external remote-as 65000 import-routemap lab preference 10 on
show route bgp detailed
1_01:
Route: 10.101.0.0/24
Next Hop: 10.101.199.2, via bond1.1199
MED: None
Local Preference: 400
Age: 25691
Rank: 170
Weight: 500
AS Path: (65099),65000,Incomplete.(Id-8),comm-65000.1000
Local AS: 65099
Peer AS: 65000
Origin: Incomplete
Originator ID: 10.101.0.2
BGP Next Hop Attribute: 10.101.199.2
Communities: 65000:1000
Route: 10.101.198.0/24
Next Hop: 10.101.199.2, via bond1.1199
MED: None
Local Preference: 400
Age: 25691
Rank: 170
Weight: 500
AS Path: (65099),65000,Incomplete.(Id-8),comm-65000.1000
Local AS: 65099
Peer AS: 65000
Origin: Incomplete
Originator ID: 10.101.0.2
BGP Next Hop Attribute: 10.101.199.2
Communities: 65000:1000
With outbound routemaps, everything works; the peer receives the community.
set routemap lab-out id 10 on
set routemap lab-out id 10 allow
set routemap lab-out id 10 match network 10.101.0.0/16 all
set routemap lab-out id 10 match network 10.102.0.0/16 all
set routemap lab-out id 10 match protocol direct
set routemap lab-out id 10 action community 200 as 65099 on
set bgp external remote-as 65000 export-routemap lab-out preference 10 on
show bgp peer 10.101.199.2 advertise
1_01:
IPv4 Route MED LocalPref Nexthop Communities
10.101.199.0/24 None N/A(EBGP) 10.101.199.254 65099:200
10.102.199.0/24 None N/A(EBGP) 10.101.199.254 65099:200
Any ideas? Am I missing something or is it a limitation?
Thanks in advance.
What version/JHF?
Hi @PhoneBoy
I tried on several deployments, R81.20 JHF 41 (tried both Maestro and non-Maestro) and R81.10 JHF 109, all tests produced the same results.
Thanks
Enabled BGP trace all and got the below:
Feb 15 16:14:40.529306 [routed] WARNING: Task BGP_65000: Routemap lab (inst 10) Actions (Set Community List|Append To Community List) not supported during IMPORT by Protocol BGP.They will be ignored
So, it looks like a weird limitation ...
Last time I worked with TAC on this 2 years ago, they said it was not supported. Maybe it's changed, you can ask them.
Best,
Andy
Looks like still not supported, thanks @the_rock
No worries.
Best,
Andy
I will open an RFE through our local SE here in New Zealand.
That sounds like a good idea.
Best,
Andy
R82: the limitation persists, trace says:
Task BGP_xxxxx: Routemap xxxxxx (inst 100) Actions (Set Community List|Append To Community List) not supported during IMPORT by Protocol BGP. They will be ignored
Will open an RFE too.
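A configuration check for the behaviour reported in the posts above, added here as an example and not taken from any poster or from Check Point: it flags `action community` lines on routemaps bound as `import-routemap`, and parses the routed trace warning that confirms they were ignored. The function names and the combined sample config are assumptions built from the lines quoted in the thread.

```python
import re

# Assumption: behaviour is as reported in this thread for R81.10, R81.20 and R82.
# Constructed sample: the clish lines quoted in the thread, combined into one dump.
SAMPLE_CONFIG = """\
set routemap lab id 10 on
set routemap lab id 10 allow
set routemap lab id 10 match community 1000 as 65000 on
set routemap lab id 10 match protocol bgp
set routemap lab id 10 action community 100 as 65099 on
set routemap lab id 10 action community append on
set routemap lab id 10 action localpref 400
set routemap lab id 10 action preference 500
set routemap lab-out id 10 on
set routemap lab-out id 10 action community 200 as 65099 on
set bgp external remote-as 65000 import-routemap lab preference 10 on
set bgp external remote-as 65000 export-routemap lab-out preference 10 on
"""

# Trace line as quoted in the thread.
SAMPLE_TRACE = (
    "Feb 15 16:14:40.529306 [routed] WARNING: Task BGP_65000: Routemap lab (inst 10) "
    "Actions (Set Community List|Append To Community List) not supported during IMPORT "
    "by Protocol BGP.They will be ignored\n")

ACTION_RE = re.compile(r"^set routemap (\S+) id (\d+) action community (.+)$")
IMPORT_RE = re.compile(r"^set bgp .*\bimport-routemap (\S+)")
TRACE_RE = re.compile(r"Routemap (\S+) \(inst (\d+)\) Actions \(([^)]*)\) "
                      r"not supported during IMPORT by Protocol BGP")

def ignored_import_actions(config):
    """Return (routemap, id, action) for community actions on import-bound routemaps."""
    lines = [l.strip() for l in config.splitlines()]
    imported = {m.group(1) for l in lines if (m := IMPORT_RE.match(l))}
    return [(m.group(1), int(m.group(2)), "community " + m.group(3))
            for l in lines if (m := ACTION_RE.match(l)) and m.group(1) in imported]

def trace_warnings(trace):
    """Return (routemap, id, [actions]) for each 'not supported during IMPORT' warning."""
    return [(m.group(1), int(m.group(2)), m.group(3).split("|"))
            for m in TRACE_RE.finditer(trace)]

if __name__ == "__main__":
    for name, rid, action in ignored_import_actions(SAMPLE_CONFIG):
        print(f"routemap {name} id {rid}: '{action}' is ignored on import")
    for name, rid, actions in trace_warnings(SAMPLE_TRACE):
        print(f"routed confirmed: routemap {name} id {rid} ignored {actions}")
```

The other actions in the same routemap (`localpref 400`, `preference 500`) are not flagged, matching the `show route bgp detailed` output in the original post where they did take effect.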
Appends in BGP for community are an export feature only.
RFC 1997 describes:
A BGP speaker may use this attribute to control which routing information it accepts, prefers or distributes to other neighbors. A BGP speaker receiving a route that does not have the COMMUNITIES path attribute may append this attribute to the route when propagating it to its peers.
Key word and phrase to understand. BGP Speaker is stating that the community will be spoken to others. Not listening to set the append. "propagating it to its peers." Reinforcing that this attribute will be sent to the peers.
I hope this helps.
I know that communities are optional attributes and we are implementing by the RFCs, but in large ISP networks (I found our interpretation of processing communities in such a network) it's a common practice to append ISP's communities to prefixes received by the customer (that may already have other communities as attributes), to have those prefixes imported in the routing tables for various policed exports based on appended communities. It's not a big deal and there are workarounds, but an ISP that has entire routing and forwarding infrastructure based on, let's say, Junipers, that implement the feature, might find it cumbersome to accommodate our peculiarities. Usually I'm saying that it might be better to do dynamic routing through the firewall not with the firewall (remember gated?).