zhangchuang
Contributor

BGP routing information: the status of the route is Hidden and Rank: N/A

Hello fellow Check Mates, 

The customer configures the following configurations on the peer BGP:

bgp 65015
graceful-restart
peer 172.16.40.78 as-number 65115
peer 172.16.40.78 bfd min-tx-interval 300 min-rx-interval 300
peer 172.16.40.78 bfd enable
peer 172.16.70.78 as-number 65500
peer 172.16.70.78 bfd min-tx-interval 300 min-rx-interval 300
peer 172.16.70.78 bfd enable
peer 198.19.210.85 as-number 18084
peer 198.19.210.85 bfd min-tx-interval 300 min-rx-interval 300
peer 198.19.210.85 bfd enable
#
ipv4-family unicast
  undo synchronization
  import-route direct
  import-route static
  peer 172.16.40.78 enable
  peer 172.16.40.78 route-policy MAP-CX-IN import
  peer 172.16.70.78 enable
  peer 172.16.70.78 route-policy AS-PATH import
  peer 172.16.70.78 route-policy AS-PATH export
  peer 198.19.210.85 enable
#
route-policy AS-PATH permit node 10
if-match ip-prefix AS-PATH
apply as-path 65500 65500 65500 65500 65500 65500 65500 65500 65500 65500 additive
#
ip ip-prefix AS-PATH index 10 permit 192.168.99.0 24
ip ip-prefix AS-PATH index 20 permit 10.7.0.0 19

After a route-policy is added, the status of the route received by the Check Point firewall is displayed as Hidden and Rank: N/A.

The BGP configurations of the checkpoint firewall are as follows:

set bgp external remote-as 65015 on
set bgp external remote-as 65015 peer 172.16.70.65 on
set bgp external remote-as 65015 peer 172.16.70.65 ping on
set bgp external remote-as 65025 on
set bgp external remote-as 65025 peer 172.16.80.65 on
set bgp external remote-as 65025 peer 172.16.80.65 ping on


Please help to analyze the cause of this, thank you!

1 Solution

Accepted Solutions
Chris_Atkinson
Employee

Local AS and the as-path prepend are the same value; if I recall correctly, this would break BGP rules.

If this is absolutely necessary you may need to look at the allow-as-in-count feature to "bend" loop prevention. 

CCSM R77/R80/ELITE


6 Replies
Blason_R
Leader

Or use as-override to accept that as a route; otherwise, as @Chris_Atkinson said, it will not install the route in the route table, though you can see it in the received routes.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
zhangchuang
Contributor

If I change the value of the AS path prefix, can I solve this problem?

Blason_R
Leader

Nope, it won't, I believe. This is what you are receiving in the routes, correct? I guess you will have to use as-override.

e.g. - In my scenario

set bgp external remote-as 65001 peer 192.168.203.153 allowas-in-count 5

Where my BGP AS and the remote BGP AS were the same and we had a carrier in between which was not overriding the AS, hence I had to do it on the firewall.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Chris_Atkinson
Employee

Probably the as-path needs to be changed, yes (to the remote-as), or better, use a different method altogether such as local preference/MED etc.

Usually you would only prepend your own AS number on outbound route advertisements. 

CCSM R77/R80/ELITE
zhangchuang
Contributor

I now ask the BGP on the opposite side to change the AS path prefix. At present, normal routes can be obtained. Thank you for your support.
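The loop-prevention behaviour discussed in this thread, as an added example that is not part of any post or of either vendor's code: it models the export policy from the question and the receiver's AS_PATH check. Assumptions: the firewall's local AS is 65500 (inferred from `peer 172.16.70.78 as-number 65500`), an allowas-in count is the number of own-AS occurrences tolerated, unmatched prefixes are denied by the route-policy, and the function names are hypothetical.

```python
import ipaddress

ROUTER_AS = 65015                       # "bgp 65015" in the question
FIREWALL_AS = 65500                     # inferred from "peer 172.16.70.78 as-number 65500"
PREFIX_LIST = {ipaddress.ip_network(p)  # "ip ip-prefix AS-PATH", exact-length matches
               for p in ("192.168.99.0/24", "10.7.0.0/19")}
PREPEND = [65500] * 10                  # "apply as-path 65500 ... additive"


def export_as_path(prefix, prepend=PREPEND):
    """AS_PATH the router advertises for a locally originated prefix.

    Returns None when the prefix matches no permit node (assumed default deny).
    """
    if ipaddress.ip_network(prefix) not in PREFIX_LIST:
        return None
    # Policy prepends first, then eBGP adds the sender's own AS at the front.
    return [ROUTER_AS] + list(prepend)


def receive(as_path, local_as=FIREWALL_AS, allowas_in=0):
    """Receiver-side loop check: own AS in AS_PATH beyond the allowance means reject."""
    occurrences = as_path.count(local_as)
    return "hidden" if occurrences > allowas_in else "accepted"


if __name__ == "__main__":
    path = export_as_path("192.168.99.0/24")
    print("received AS_PATH:", path)
    for allowance in (0, 9, 10):
        print(f"allowas-in {allowance:>2}:", receive(path, allowas_in=allowance))
    fixed = export_as_path("192.168.99.0/24", prepend=[ROUTER_AS] * 10)
    print("prepend with 65015:", receive(fixed))
```
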
