Bug #15749

open

BGP advertising all routes and ignoring networks statements.

Added by Mike Moore 29 days ago. Updated 8 days ago.

Status: New
Priority: Normal
Assignee: -
Category: FRR
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version: 24.03
Affected Architecture:

Description

BGP is advertising ALL routes and does not respect the 'network x.x.x.x' statement within the configuration.
How this should work is that only networks outlined in the network statement(s) are what will be announced to peers. Attaching a route-map, which is mandatory, to the neighbors is required to advertise routes. Although the route-map is set to advertise everything, in reality the network statement should control what's sent.
This is not how it should be, of course.

sh running-config
Building configuration...

Current configuration:
!
frr version 9.1.1
frr defaults traditional
hostname GAFW-EDGE-FW.networkingtitan.com
log syslog
service password-encryption
service integrated-vtysh-config
!
password 8 p/85eaP85E10o
password 8 0cclW5b6o4m1k
password 8 VF9.M3ICoAu96
password 8 Mx6/XsBveHcB2
!
ip router-id 192.168.50.254
!
router bgp 65001
bgp router-id 192.168.50.254
bgp log-neighbor-changes
bgp default local-preference 400
bgp graceful-restart preserve-fw-state
bgp bestpath as-path multipath-relax as-set
bgp bestpath compare-routerid
no bgp network import-check
neighbor 10.6.106.2 remote-as 65520
neighbor 10.6.106.2 description 790CCV
neighbor 10.6.106.2 bfd
neighbor 172.28.0.5 remote-as 65002
neighbor 172.28.0.5 description k85enterprise
neighbor 172.28.0.5 bfd
!
address-family ipv4 unicast
network 172.26.0.0/24
network 172.27.0.0/24
network 192.168.3.0/24
network 192.168.50.0/24
neighbor 10.6.106.2 soft-reconfiguration inbound
neighbor 10.6.106.2 route-map Access-All in
neighbor 10.6.106.2 route-map Access-All out
neighbor 172.28.0.5 soft-reconfiguration inbound
neighbor 172.28.0.5 route-map Access-All in
neighbor 172.28.0.5 route-map Access-All out
exit-address-family
exit
!
route-map Access-All permit 100
description Match any route
exit
!
end

Actions #1

Updated by Mike Moore 28 days ago

This is actually an issue with how FRR is presenting the announcements of routes.
It is showing that I am sending 19 routes, which is... true... BUT... it's routes that are advertised from the neighbor to the firewall, and the firewall advertises them back out. Because AS-Path is the native loop prevention of BGP this doesn't cause any issues, albeit I can see it causing quite a problem if as-override is implemented and not tightly controlled.
In my opinion, FRR is not doing any sanity checking when advertising routes back out to a peer that it received the route from - SplitHorizon....

IPv4 Unicast Summary (VRF default):
BGP router identifier 192.168.50.254, local AS number 65001 vrf-id 0
BGP table version 366
RIB entries 37, using 3552 bytes of memory
Peers 2, using 26 KiB of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
10.6.106.2 4 65520 1057 1116 366 0 0 08:43:21 2 19 790CCV
172.28.0.5 4 65002 1136 1094 366 0 0 08:43:20 13 19 k85enterprise

Actions #2

Updated by yon Liu 8 days ago

There is an option: no bgp network import-check. When you do not add this option parameter, it will check the local network and the IP prefixes transmitted downstream.
You should use prefix lists and route-map control and filter.
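For readers landing on this ticket, the behaviour described in the report and in comment #1 follows from how FRR (and BGP generally) works: `network` statements only decide which local prefixes are injected into the BGP table; the outbound route-map on each neighbor decides which entries of that table leave the router, and a `permit` clause with no `match` (like `Access-All` above) exports the entire table, including the routes learned from the other peer. `bgp network import-check` is a separate knob: it only gates whether a `network` prefix is announced when it is absent from the routing table, and does nothing to peer-learned routes. The configuration below is an added example, not part of the bug report or of pfSense/FRR documentation, showing the prefix-list-based export filter comment #2 recommends; it reuses the AS number, peers and prefixes from the posted running-config and assumes the inbound `Access-All` route-map is left unchanged. The names `LOCAL-ORIGINATED` and `EXPORT-LOCAL` are arbitrary.

```text
! Added example (not from the ticket): export only the four locally originated
! prefixes to both eBGP peers, instead of the whole BGP table.
!
! One prefix-list entry per 'network' statement in the running-config.
ip prefix-list LOCAL-ORIGINATED seq 10 permit 172.26.0.0/24
ip prefix-list LOCAL-ORIGINATED seq 20 permit 172.27.0.0/24
ip prefix-list LOCAL-ORIGINATED seq 30 permit 192.168.3.0/24
ip prefix-list LOCAL-ORIGINATED seq 40 permit 192.168.50.0/24
!
! Outbound policy: permit what matches the list, deny everything else.
! FRR applies an implicit deny at the end of a route-map; the explicit
! deny clause just makes the intent visible in 'show running-config'.
route-map EXPORT-LOCAL permit 10
 description Announce only locally originated prefixes
 match ip address prefix-list LOCAL-ORIGINATED
exit
!
route-map EXPORT-LOCAL deny 100
 description Drop everything learned from peers (no re-advertisement)
exit
!
! Swap the outbound route-map on both neighbors; inbound stays as before.
router bgp 65001
 address-family ipv4 unicast
  neighbor 10.6.106.2 route-map EXPORT-LOCAL out
  neighbor 172.28.0.5 route-map EXPORT-LOCAL out
 exit-address-family
exit
```

After applying it (a `clear bgp ipv4 unicast * soft out` refreshes the peers without tearing down the sessions), `show bgp ipv4 unicast summary` should report a PfxSnt of 4 for each peer rather than 19, and `show bgp ipv4 unicast neighbors 10.6.106.2 advertised-routes` should list only the four prefixes. On pfSense the route-map and prefix-list are normally maintained through the FRR package GUI rather than typed into vtysh, but the resulting configuration is the same.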
