FRRouting / frr

The FRRouting Protocol Suite
https://frrouting.org/

ip prefix-list filter #2861

Closed altf4arnold closed 5 years ago

altf4arnold commented 6 years ago

I'm using FRR for BGP in DN42 (which uses private IP subnets). For whatever reason, if I apply any filter on a BGP peer, I won't install any routes.

If I do a `show bgp ipv4 unicast sum`, I can see that it receives the routes, but even with a prefix-list that contains only the rule `ip prefix-list test seq 10 permit any`, it will still have the same problem.

The build is: frr-3.0.3-11-g4b8b2e567

Output sample of `sh bgp ipv4 unicast sum`:

```
BGP router identifier (censored), local AS number 424242(censored) vrf-id 0
BGP table version 2
RIB entries 3, using 408 bytes of memory
Peers 3, using 62 KiB of memory

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
172.20.*********   4 424242*******     411      39        0    0    0 00:05:45            0
172.23.*********   4 424242*******       9       9        0    0    0 00:06:42            0
172.23.**********  4 424242******     458       9        0    0    0 00:06:23            0

Total number of neighbors 3
```

When I remove the filters, even the one that has only `permit any`, I can get my routes.

kssoman commented 6 years ago

Tried the following configuration; the issue could not be reproduced.

Please provide the detailed configuration and steps to reproduce the issue:

      Router A -------------------------- Router B

Router A

```
dev# show version
FRRouting 3.0.3-MyOwnFRRVersion-gUNKNOWN ().
Copyright 1996-2005 Kunihiro Ishiguro, et al.
This is a git build of frr-3.0.3
```

```
router bgp 1
 neighbor 192.168.1.2 remote-as 2
 !
 address-family ipv4 unicast
  neighbor 192.168.1.2 route-map rmap in
 exit-address-family
 vnc defaults
  response-lifetime 3600
 exit-vnc
!
ip prefix-list plist seq 10 permit any
!
route-map rmap permit 1
 match ip address prefix-list plist
```

Router B

```
ip route 50.1.1.0/24 10.1.1.1
!
router bgp 2
 neighbor 192.168.1.1 remote-as 1
 !
 address-family ipv4 unicast
  network 50.1.1.0/24
 exit-address-family
```

==================================

LOGS

```
dev# show ip bgp summary

IPv4 Unicast Summary:
BGP router identifier 1.1.1.1, local AS number 1 vrf-id 0
BGP table version 1
RIB entries 1, using 136 bytes of memory
Peers 1, using 21 KiB of memory

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
192.168.1.2     4          2      15      17        0    0    0 00:12:57            1

Total number of neighbors 1
```

```
dev# show ip bgp

BGP table version is 1, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 50.1.1.0/24      192.168.1.2              0             0 2 i

Displayed 1 routes and 1 total paths
```

```
dev# show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, P - PIM, N - NHRP, T - Table,
       v - VNC, V - VNC-Direct,
       > - selected route, * - FIB route

K> 0.0.0.0/0 via 10.112.157.253, ens160
C> 1.1.1.1/32 is directly connected, lo
C> 10.1.1.0/24 is directly connected, ens192
C> 10.112.156.0/23 is directly connected, ens160
B> 50.1.1.0/24 [20/0] via 192.168.1.2, ens224, 00:03:28
C> 192.168.1.0/24 is directly connected, ens224
```

altf4arnold commented 6 years ago

So this is the router config on my side (the other side is running Cisco and I don't have access to it):

```
router bgp 4242422935
 bgp router-id 172.20.128.34
 neighbor 172.20.14.220 remote-as 4242422700
 neighbor 172.20.14.220 description SomeNick
 neighbor 172.20.14.220 interface dn42-SomeNick
 neighbor 172.23.215.96 remote-as 4242421978
 neighbor 172.23.215.96 description Someothernick
 neighbor 172.23.215.96 interface dn42-1
 neighbor 172.23.215.167 remote-as 4242421955
 neighbor 172.23.215.167 description alsoanothernic
 neighbor 172.23.215.167 interface alsoanothernick
 !
 address-family ipv4 unicast
  network 172.20.33.32/28
  network 172.20.128.32/32
  neighbor 172.20.14.220 filter-list dn42 in
  neighbor 172.23.215.96 filter-list dn42 in
  neighbor 172.23.215.167 filter-list empty in
 exit-address-family
!
ip prefix-list dn42 seq 5 deny 172.20.128.32/29 ge 30
ip prefix-list dn42 seq 6 deny 172.20.33.32/28 ge 29
ip prefix-list dn42 seq 7 permit 172.20.0.0/14 le 29
ip prefix-list dn42 seq 30 deny any
ip prefix-list empty seq 10 permit any
ip prefix-list vpn-in seq 3 deny 172.20.33.32/28 ge 29
ip prefix-list vpn-in seq 4 deny 172.20.128.32/29 ge 30
ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
ip prefix-list vpn-in seq 1000 deny 0.0.0.0/0
ip prefix-list vpn-in seq 1001 deny 10.2.0.0/24 le 32
ip prefix-list vpn-in seq 1002 deny 10.8.0.0/24 le 32
ip prefix-list vpn-in seq 1050 deny any
```

As you can see, I have multiple filter samples. The problem is that, whatever is in the filter, if I apply a filter with `neighbor 172.23.215.167 filter-list filtername in`, I get this:

```
darkangel# show bgp ipv4 unicast summary
BGP router identifier 172.20.128.34, local AS number 4242422935 vrf-id 0
BGP table version 2
RIB entries 3, using 408 bytes of memory
Peers 3, using 62 KiB of memory

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
172.20.14.220   4 4242422700  619408  104293        0    0    0 6d23h54m            0
172.23.215.96   4 4242421978   19130   17392        0    0    0 01w5d01h            0
172.23.215.167  4 4242421955  451045   17395        0    0    0 5d12h32m            0

Total number of neighbors 3
```

And if I deactivate any filter, for example for 172.23.215.167, I get:

```
darkangel(config)# exit
darkangel# sh bgp ipv4 unicast summary
BGP router identifier 172.20.128.34, local AS number 4242422935 vrf-id 0
BGP table version 462
RIB entries 895, using 119 KiB of memory
Peers 3, using 62 KiB of memory

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
172.20.14.220   4 4242422700  619454  104558        0    0    0 6d23h55m            0
172.23.215.96   4 4242421978   19131   17651        0    0    0 01w5d01h            0
172.23.215.167  4 4242421955  451385   17655        0    0    0 5d12h33m          460

Total number of neighbors 3
```

vishaldhingra commented 6 years ago

Thanks for the CLI. We got your problem. We will provide the fix soon.

vishaldhingra commented 6 years ago

The current behaviour of the code is: if you have mapped a filter-list to a BGP peer, and you have not defined the filter-list, then it will deny all the routes.

In the CLIs you have provided, you have defined a prefix-list but are mapping a filter-list to the BGP peer. So it is denying all the routes.

Are you looking for a behaviour where, if a filter-list is mapped but not defined, it should allow the routes?

Please confirm.

altf4arnold commented 6 years ago

Can you explain a little bit further? I'm not quite sure what you mean.

vishaldhingra commented 6 years ago

Here you have mapped a filter-list to a neighbor:

```
address-family ipv4 unicast
 network 172.20.33.32/28
 network 172.20.128.32/32
 neighbor 172.20.14.220 filter-list dn42 in
 neighbor 172.23.215.96 filter-list dn42 in
 neighbor 172.23.215.167 filter-list empty in
exit-address-family
```

Here you have defined the prefix-list:

```
ip prefix-list dn42 seq 5 deny 172.20.128.32/29 ge 30
ip prefix-list dn42 seq 6 deny 172.20.33.32/28 ge 29
ip prefix-list dn42 seq 7 permit 172.20.0.0/14 le 29
ip prefix-list dn42 seq 30 deny any
ip prefix-list empty seq 10 permit any
ip prefix-list vpn-in seq 3 deny 172.20.33.32/28 ge 29
ip prefix-list vpn-in seq 4 deny 172.20.128.32/29 ge 30
ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
ip prefix-list vpn-in seq 1000 deny 0.0.0.0/0
ip prefix-list vpn-in seq 1001 deny 10.2.0.0/24 le 32
ip prefix-list vpn-in seq 1002 deny 10.8.0.0/24 le 32
ip prefix-list vpn-in seq 1050 deny any
```

prefix-list and filter-list are different. Here you have not defined the filter-list.

altf4arnold commented 6 years ago

That's what I did.

vishaldhingra commented 6 years ago

So the default behaviour is to deny all the routes for this configuration. This is applicable for route-maps also. Do you have a specific use case for this? Do you want to modify this default behaviour?

altf4arnold commented 6 years ago

Yes, when it's configured like this, it's denying all the routes. If I put `no neighbor 172.23.215.167 filter-list empty in`, for example, it's going to work.

But if I re-apply filters while putting allow any in them, it still blocks everything.

vishaldhingra commented 6 years ago

Here you are trying the below operations:

1. "If I put `no neighbor 172.23.215.167 filter-list empty in`, for example, it's going to work."

```
address-family ipv4 unicast
 no neighbor 172.23.215.167 filter-list empty in
```

This installs the routes in the FIB, which is correct behaviour.

2. "But if I re-apply filters while putting allow any in them, it still blocks everything."

====== Filter configuration =========

```
ip prefix-list dn42 seq 5 permit any
ip prefix-list empty seq 10 permit any
ip prefix-list vpn-in seq 3 permit any
```

===== peer configuration ==========

```
address-family ipv4 unicast
 neighbor 172.23.215.167 filter-list empty in
```

Here, when you re-apply the filter, you are still using filter-list in the PEER configuration, without defining the "ip filter-list". Is that correct?

You have to define the ip filter-list if you need to install your routes.
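The rule the maintainer describes in the two replies above (a neighbor `filter-list` refers to an AS-path list, not a prefix-list, and a filter that names a list which was never defined denies every route), modelled as an added example. This is not FRR code and is not from the thread: it is a small Python evaluator of FRR-style `ip prefix-list` entries with their `ge`/`le` length semantics, `ip as-path access-list` entries (the command FRR 3.x uses to define what a `filter-list` statement names; newer FRR releases spell it `bgp as-path access-list`), and per-neighbor inbound filters. AS-path matching is simplified to a plain Python regex, so FRR's `_` shorthand is not modelled. The function names (`parse_policy`, `accepted_prefixes`, ...), the lists and the routes are all constructed here, loosely modelled on the reporter's `dn42` and `empty` prefix-lists; the weak configuration reproduces the reporter's shape, and two corrected forms sit beside it.

```python
import ipaddress
import re

# Hypothetical evaluator of FRR-style inbound BGP policy; not FRR code.
PREFIX_LIST_RE = re.compile(
    r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")
AS_PATH_LIST_RE = re.compile(r"^ip as-path access-list (\S+) (permit|deny) (.+)$")
NEIGHBOR_RE = re.compile(r"^neighbor (\S+) (prefix-list|filter-list) (\S+) in$")


def parse_policy(config_text):
    """Collect prefix-lists, AS-path lists and per-neighbor inbound filters;
    any other line is ignored."""
    policy = {"prefix": {}, "aspath": {}, "neighbors": {}}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := PREFIX_LIST_RE.match(line):
            name, seq, action, pfx, ge, le = m.groups()
            net = None if pfx == "any" else ipaddress.ip_network(pfx)
            policy["prefix"].setdefault(name, []).append(
                (action, int(seq), net, ge and int(ge), le and int(le)))
        elif m := AS_PATH_LIST_RE.match(line):
            name, action, regex = m.groups()  # plain regex; FRR "_" shorthand not modelled
            policy["aspath"].setdefault(name, []).append((action, re.compile(regex)))
        elif m := NEIGHBOR_RE.match(line):
            peer, kind, name = m.groups()
            policy["neighbors"].setdefault(peer, []).append((kind, name))
    for entries in policy["prefix"].values():
        entries.sort(key=lambda e: e[1])  # evaluated in seq order
    return policy


def prefix_entry_matches(entry, route):
    """Exact-length match unless ge/le widen the accepted length range."""
    _, _, net, ge, le = entry
    if net is None:  # "any"
        return True
    if not route.subnet_of(net):
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else route.max_prefixlen
    return low <= route.prefixlen <= high


def apply_list(entries, matches):
    """First matching entry wins. No match, or a list that was referenced but
    never defined (entries is None), is a deny: the filter fails closed."""
    if entries is None:
        return "deny"
    for entry in entries:
        if matches(entry):
            return entry[0]
    return "deny"


def accept_inbound(policy, peer, route, as_path):
    """Every inbound filter configured for the peer must permit the route."""
    for kind, name in policy["neighbors"].get(peer, []):
        if kind == "prefix-list":
            verdict = apply_list(policy["prefix"].get(name),
                                 lambda e: prefix_entry_matches(e, route))
        else:  # filter-list names an AS-path list, not a prefix-list
            verdict = apply_list(policy["aspath"].get(name),
                                 lambda e: e[1].search(as_path) is not None)
        if verdict == "deny":
            return False
    return True


def accepted_prefixes(config_text, peer, routes):
    """Prefixes that would reach the BGP table from peer under config_text."""
    policy = parse_policy(config_text)
    return [p for p, path in routes
            if accept_inbound(policy, peer, ipaddress.ip_network(p), path)]


PEER = "172.23.215.167"
# Constructed lists modelled on the reporter's "dn42" and "empty" prefix-lists.
BASE_LISTS = """
ip prefix-list dn42 seq 5 deny 172.20.128.32/29 ge 30
ip prefix-list dn42 seq 7 permit 172.20.0.0/14 le 29
ip prefix-list dn42 seq 30 deny any
ip prefix-list empty seq 10 permit any
"""
# Reporter's shape: filter-list names something that exists only as a prefix-list.
WEAK_CONFIG = BASE_LISTS + "neighbor 172.23.215.167 filter-list empty in\n"
# Fix A: attach the prefix-list with the prefix-list statement.
FIXED_PREFIX_CONFIG = BASE_LISTS + "neighbor 172.23.215.167 prefix-list dn42 in\n"
# Fix B: keep filter-list, but define the AS-path list it names.
FIXED_ASPATH_CONFIG = (BASE_LISTS + "ip as-path access-list empty permit .*\n"
                       + "neighbor 172.23.215.167 filter-list empty in\n")
# Constructed (prefix, AS_PATH) pairs; not routes taken from the thread.
ROUTES = [
    ("172.20.16.0/24", "4242421955"),
    ("172.20.0.0/14", "4242421955 4242420000"),
    ("172.20.128.36/30", "4242421955"),  # inside the /29, /30 or longer: seq 5 denies
    ("172.22.0.43/32", "4242421955"),    # inside the /14 but longer than le 29
    ("10.8.0.0/24", "4242421955"),       # outside the /14: deny any
]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("prefix-list", FIXED_PREFIX_CONFIG),
                       ("as-path", FIXED_ASPATH_CONFIG)):
        print(f"{label:12s} {accepted_prefixes(cfg, PEER, ROUTES)}")
```

Run stand-alone, the weak configuration accepts nothing, the prefix-list form accepts only the two routes that fit inside 172.20.0.0/14 at /29 or shorter, and the as-path form accepts all five. Failing closed is the safe direction for a route filter, but the only visible symptom is the one in the summaries above: PfxRcd stays at 0 while MsgRcvd keeps climbing, so a typo or a prefix-list/filter-list mix-up looks like a dead session rather than a configuration error. Checking that every list name referenced under `neighbor ... in` actually exists as the right object type is a cheap config-lint step before applying a policy change.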

altf4arnold commented 6 years ago

I didn't understand the last question. What do you mean by defining the ip filter-list?

Meanwhile, if I do step 1 from your previous message, then I can install routes. If afterwards I put the filters back (even with `permit any` in the filter list) it still works, until I take the interface down/up, where it refuses again to install anything.

vishaldhingra commented 6 years ago

Please paste the exact CLIs and steps (all the things that you are trying, like interface down/up) in sequence.

vishaldhingra commented 6 years ago

May I know your Slack ID? My Slack ID: vdhingra in the FRRouting workspace.

altf4arnold commented 6 years ago

Can you add my email to the FRRouting workspace please? (Or we can use IRC.)

donaldsharp commented 6 years ago

@altf4arnold -> slack invite sent