Bug #15749
closed
BGP advertising all routes and ignoring networks statements.
0%
Description
BGP is advertising ALL routes and does not respect the 'network x.x.x.x' statement within the configuration.
How this should work is that only networks outlined in the network statement(s) is what will be announced to peers. Attaching a route-map which is mandatory, to the neighbors is required to advertise routes. All though the route-map is set to advertise everything, in reality the network statement should control whats sent.
This is not how it should be of course.
sh running-config Building configuration... Current configuration: ! frr version 9.1.1 frr defaults traditional hostname GAFW-EDGE-FW.networkingtitan.com log syslog service password-encryption service integrated-vtysh-config ! password 8 p/85eaP85E10o password 8 0cclW5b6o4m1k password 8 VF9.M3ICoAu96 password 8 Mx6/XsBveHcB2 ! ip router-id 192.168.50.254 ! router bgp 65001 bgp router-id 192.168.50.254 bgp log-neighbor-changes bgp default local-preference 400 bgp graceful-restart preserve-fw-state bgp bestpath as-path multipath-relax as-set bgp bestpath compare-routerid no bgp network import-check neighbor 10.6.106.2 remote-as 65520 neighbor 10.6.106.2 description 790CCV neighbor 10.6.106.2 bfd neighbor 172.28.0.5 remote-as 65002 neighbor 172.28.0.5 description k85enterprise neighbor 172.28.0.5 bfd ! address-family ipv4 unicast network 172.26.0.0/24 network 172.27.0.0/24 network 192.168.3.0/24 network 192.168.50.0/24 neighbor 10.6.106.2 soft-reconfiguration inbound neighbor 10.6.106.2 route-map Access-All in neighbor 10.6.106.2 route-map Access-All out neighbor 172.28.0.5 soft-reconfiguration inbound neighbor 172.28.0.5 route-map Access-All in neighbor 172.28.0.5 route-map Access-All out exit-address-family exit ! route-map Access-All permit 100 description Match any route exit ! end
Updated by Mike Moore about 2 months ago
This is actually an issue with how FRR is presenting the announcements of routes.
It is showing that i am sending 19 routes which is.....true...BUT...its routes that are advertised from the neighbor to the firewall and the firewall advertises it back out. Because AS-Path is the native loop prevention of BGP this doesn't cause any issues albiet i can see it causing quite a problem if as-override is implemented and not tightly controlled.
In my opinion, FRR is not doing any sanity checking when advertising routes back out to a peer that it received the route from - SplitHorizon....
IPv4 Unicast Summary (VRF default): BGP router identifier 192.168.50.254, local AS number 65001 vrf-id 0 BGP table version 366 RIB entries 37, using 3552 bytes of memory Peers 2, using 26 KiB of memory Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc 10.6.106.2 4 65520 1057 1116 366 0 0 08:43:21 2 19 790CCV 172.28.0.5 4 65002 1136 1094 366 0 0 08:43:20 13 19 k85enterprise
Updated by yon Liu about 1 month ago
There is an option no bgp network import-check. When you do not add this option parameter, it will check the local network and the IP prefixes transmitted downstream
you should use Prefix Lists and rouemap Control and filter
Updated by Alhusein Zawi 19 days ago
only listed networks (in Network Distribution) were advertised in my lab.
Please provide more details about your network/configurations.
Updated by Mike Moore 18 days ago
Here is a set up that i have.
Device: SG-1100
Software: 24.03-RELEASE
Networks local to SG-1100: 192.168.70.0/24, 172.26.1.0/24
show ip bgp summary IPv4 Unicast Summary (VRF default): BGP router identifier 192.168.70.254, local AS number 65520 vrf-id 0 BGP table version 11 RIB entries 17, using 1632 bytes of memory Peers 1, using 13 KiB of memory Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc 10.6.106.1 4 65001 1231 1234 11 0 0 20:12:29 7 9 N/A
As you can see the output shows that PfxSent are 9. 9 routes is being sent.
nyc-fw1-inet.moore.lan# show ip bgp neighbors 10.6.106.1 advertised-routes
BGP table version is 11, local router ID is 192.168.70.254, vrf id 0
Default local pref 100, local AS 65520
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 172.26.0.0/24 0.0.0.0 0 65001 i
*> 172.26.1.0/24 0.0.0.0 0 32768 i
*> 172.27.0.0/24 0.0.0.0 0 65001 i
*> 192.168.2.0/30 0.0.0.0 0 65001 i
*> 192.168.3.0/24 0.0.0.0 0 65001 i
*> 192.168.6.0/24 0.0.0.0 0 65001 i
*> 192.168.17.0/30 0.0.0.0 0 65001 i
*> 192.168.50.0/24 0.0.0.0 0 65001 i
*> 192.168.70.0/24 0.0.0.0 0 32768 i
nyc-fw1-inet.moore.lan# show ip bgp neighbors 10.6.106.1 advertised-routes
BGP table version is 11, local router ID is 192.168.70.254, vrf id 0
Default local pref 100, local AS 65520
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 172.26.0.0/24 0.0.0.0 0 65001 i
*> 172.26.1.0/24 0.0.0.0 0 32768 i
*> 172.27.0.0/24 0.0.0.0 0 65001 i
*> 192.168.2.0/30 0.0.0.0 0 65001 i
*> 192.168.3.0/24 0.0.0.0 0 65001 i
*> 192.168.6.0/24 0.0.0.0 0 65001 i
*> 192.168.17.0/30 0.0.0.0 0 65001 i
*> 192.168.50.0/24 0.0.0.0 0 65001 i
*> 192.168.70.0/24 0.0.0.0 0 32768 i
PROBLEM: As part of the advertisement, the SG1100 is re-advertsing routes that it learned from its peer. The way BGP works is that the receiving peer will reject the routes seeing its own AS-PATH in the advertisements.
TO REPRODUCE.
1. Two pfsense firewalls connected to each other. Each in their own ASN. Each with local networks being advertised to each peer.
2. On the remote peer observe what routes are being advertised. It will be routes received from neighbor which is the problem.
Updated by Alhusein Zawi 12 days ago
are the following enabled on 65520 peer?
redistribute connected
redistribute static
redistribute kernel
what is the routing table showing up if BGP was disabled?
Updated by Mike Moore 9 days ago
I am not redistrbuting connected/local/kernel.
I would assume the route table would only contain directly connected routes only if BGP was disabled. Im not clear what the question has to do with how the BGP advertisements are being advertised. Can you explain what you are looking for?
Updated by Chris Linstruth 5 days ago
BGP is advertising ALL routes and does not respect the 'network x.x.x.x' statement within the configuration. How this should work is that only networks outlined in the network statement(s) is what will be announced to peers. Attaching a route-map which is mandatory, to the neighbors is required to advertise routes. All though the route-map is set to advertise everything, in reality the network statement should control whats sent.
This is incorrect. The network statement has nothing to do with what eBGP routes are sent to other eBGP peers.
This site is not for support or diagnostic discussion.
For assistance in solving problems, please post on the Netgate Forum .
Updated by Mike Moore 5 days ago
Jesus Christ…you didn’t read the redmine…
Ehhh…alright man.
I’ll follow up Glen Shok.
Incredible….
Updated by Marcos M 1 day ago
- Status changed from New to Not a Bug
I don't believe there is a bug, at least not with pfSense or the GUI package. The stated behavior looks to be intentional - I see the same between two VMs. Adding filtering to avoid the issue worked in my testing and seems like an acceptable solution.