Hunting a BGP advertisement leak ...

Discussion in 'Cisco' started by Garry, Mar 16, 2005.

  1. Garry

    Hi *,

    this one is driving me nuts ...

    We have internal MPLS VPN Networks set up that work fine ... one of the
    routers involved in routing the VPNs internally through our backbone is
    also involved in peering/uplink with other ASNs. The IPs used in the
    MPLS VPN are RFC IPs from the 10/8 range.

    Somehow, two of the networks get advertised to the outside ... two out
    of 5 ... for the last couple days I have been trying to locate how or
    where, but have not been able to locate the leak ...

    The peerings and uplinks have prefix filters in place that - according
    to the router output - seem to work fine ("show ip bgp nei x.x.x.x adv"
    does not list the prefixes, "show ip bgp 10.x.0.0/24" says they are not
    advertised to any peer). I did the "show .. adv" output for ALL peering
    and uplink partners, but none showed the networks in question ...

    What other way is there to locate the origin of this leak???

    Tnx!
     
    Garry, Mar 16, 2005
    #1

  2. Ivan Ostreš

    In article <d197eb$52v$>, says...
    >
    > The peerings and uplinks have prefix filters in place that - according
    > to the router output - seem to work fine ("show ip bgp nei x.x.x.x adv"
    > does not list the prefixes, "show ip bgp 10.x.0.0/24" says they are not
    > advertised to any peer). I did the "show .. adv" output for ALL peering
    > and uplink partners, but none showed the networks in question ...
    >
    > What other way is there to locate the origin of this leak???
    >


    Find out what is the "next-hop" value of the network you're advertising
    but do not want to. Then, you will know which router is leaking since
    when passing a prefix to EBGP peer, router puts its interface address
    as the next-hop address.

    It's kind of hard to comment not seeing the picture. If you could add
    some more details, it would be great. (show ip bgp outputs, sh run,
    ....).

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Mar 16, 2005
    #2

  3. Garry

    Ivan Ostreš wrote:
    > Find out what is the "next-hop" value of the network you're advertising
    > but do not want to. Then, you will know which router is leaking since
    > when passing a prefix to EBGP peer, router puts its interface address
    > as the next-hop address.


    OK, we basically have two routers that do our external connectivity via
    uplinks and peerings ... one doesn't get the prefixes at all ("show ip
    bgp" doesn't have the route, though the router does still get the route
    via OSPF). The other receives the prefixes both via OSPF and BGP, though
    - as written before - "show ip bgp nei ... adv" will not list it on ANY
    neighbor as being advertised ... this router lists the net with next hop
    of the other router of course -- but as that router does not have any
    EBGP connections, it can't advertise it to any peers or uplinks ...

    Is there any other way a prefix might be advertised to a peer without it
    being shown on the "show ip bgp nei ... adv" output?

    Also, I still don't understand why two nets would be advertised, while
    another three nets that are used and configured exactly identical
    (AFAICT) are not advertised?

    > It's kind of hard to comment not seeing the picture. If you could add
    > some more details, it would be great. (show ip bgp outputs, sh run,
    > ...).


    show ip bgp only lists the IBGP connection to the originating router
    (DSL router for customer connections), not for any external connection
    .... sh run is about 80k long ... ;)

    Tnx ..
     
    Garry, Mar 16, 2005
    #3
  4. Ivan Ostreš

    In article <d1aaff$js9$>, says...
    > Is there any other way a prefix might be advertised to a peer without it
    > being shown on the "show ip bgp nei ... adv" output?
    >
    > Also, I still don't understand why two nets would be advertised, while
    > another three nets that are used and configured exactly identical
    > (AFAICT) are not advertised?
    >


    It's possible that you're running into a bug. I've seen similar stuff
    before but was not able to find bugID for that. Please look at bugTrack
    tool at CCO. If I were you, I would open a TAC case since some bugs are
    hidden (mostly found internally).

    > show ip bgp only lists the IBGP connection to the originating router
    > (DSL router for customer connections), not for any external connection
    > ... sh run is about 80k long ... ;)


    Hm.. yeah, that was a thing that could have been expected :). Sorry I
    was not able to help more.


    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Mar 17, 2005
    #4
  5. Toby

    "Ivan Ostres" <> wrote in message
    news:...
    > In article <d1aaff$js9$>, says...
    >> Is there any other way a prefix might be advertised to a peer without it
    >> being shown on the "show ip bgp nei ... adv" output?
    >>
    >> Also, I still don't understand why two nets would be advertised, while
    >> another three nets that are used and configured exactly identical
    >> (AFAICT) are not advertised?
    >>

    >
    > It's possible that you're running into a bug. I've seen similar stuff
    > before but was not able to find bugID for that. Please look at bugTrack
    > tool at CCO. If I were you, I would open a TAC case since some bugs are
    > hidden (mostly found internally).
    >
    >> show ip bgp only lists the IBGP connection to the originating router
    >> (DSL router for customer connections), not for any external connection
    >> ... sh run is about 80k long ... ;)

    >
    > Hm.. yeah, that was a thing that could have been expected :). Sorry I
    > was not able to help more.
    >
    >
    > --
    > -Ivan.
    >
    > *** Use Rot13 to see my eMail address ***


    As Ivan has stated this may be a bug, but I would ask your peer to check what
    routes they have received from you on the BGP neighborship prior to raising
    the TAC. i.e. if you cannot see the advert and they can, there is definitely
    a bug. If they can't see it in the BGP they should be able to identify why
    they are routing a certain network to you. Static etc.

    Toby
     
    Toby, Mar 18, 2005
    #5
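Ivan's next-hop test (#2) and Toby's advice to look at what the peer actually received (#5) can be combined in a script. What follows is an added example, not code from this thread or from any of its posters: it parses the text of a Cisco IOS "show ip bgp" table as the peer would see it (the same column layout is printed by "show ip bgp neighbors X.X.X.X received-routes"), flags every prefix inside the RFC 1918 ranges, groups them by NEXT_HOP so the announcing router is identified, and renders an outbound prefix-list that denies those ranges. The sample table, its addresses (192.0.2.1, 198.51.100.2, 203.0.113.0/24) and ASNs (64500, 64499) are constructed for the example, and the prefix-list name NO-RFC1918-OUT is an arbitrary choice.

```python
"""Find which router is announcing RFC 1918 prefixes to a BGP peer.

Added example, not from the original thread. Parses a Cisco IOS
"show ip bgp" table as received by the peer, flags 10/8, 172.16/12 and
192.168/16 prefixes and groups them by NEXT_HOP, which on an eBGP session
is the address of the router that announced the route.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of what the peer sees. Addresses and ASNs are
# documentation/private values chosen for this example, not from the thread.
SAMPLE_SHOW_IP_BGP = """\
BGP table version is 1234, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.20.0.0/24     198.51.100.2             0             0 64500 i
*> 10.21.0.0/24     198.51.100.2             0             0 64500 i
*> 172.16.0.0       198.51.100.2             0             0 64500 64499 i
*> 203.0.113.0/24   198.51.100.2             0             0 64500 i
*> 192.0.2.0/24     0.0.0.0                  0         32768 i
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: str
    as_path: list[int]
    origin: str


@dataclass
class Leak:
    prefix: str
    next_hop: str
    as_path: list[int]


def _to_network(text: str) -> ipaddress.IPv4Network:
    """IOS prints classful networks without a mask ("172.16.0.0" = /16)."""
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    first_octet = int(text.split(".")[0])
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{text}/{plen}", strict=False)


def parse_show_ip_bgp(text: str) -> list[Route]:
    """Parse the fixed-width table. Column offsets come from the header line,
    so a blank Metric or LocPrf field cannot shift the Path column."""
    lines = text.splitlines()
    hdr = next((i for i, l in enumerate(lines)
                if "Network" in l and "Next Hop" in l), None)
    if hdr is None:
        raise ValueError("no 'Network ... Next Hop' header in input")
    header = lines[hdr]
    net_col, nh_col, metric_col, path_col = (
        header.index(k) for k in ("Network", "Next Hop", "Metric", "Path"))
    routes: list[Route] = []
    for line in lines[hdr + 1:]:
        if len(line) <= path_col:
            continue  # blank line, or a wrapped long-prefix row (not handled here)
        network = line[net_col:nh_col].strip()
        next_hop = line[nh_col:metric_col].strip()
        path_tokens = line[path_col:].split()  # AS numbers, then the origin code
        if not (network and next_hop and path_tokens):
            continue
        as_path = [int(t) for t in path_tokens[:-1] if t.isdigit()]
        routes.append(Route(_to_network(network), next_hop, as_path, path_tokens[-1]))
    return routes


def leaked_private_prefixes(text: str) -> list[Leak]:
    """Routes in the table that fall inside an RFC 1918 block."""
    return [Leak(str(r.network), r.next_hop, r.as_path)
            for r in parse_show_ip_bgp(text)
            if any(r.network.subnet_of(p) for p in RFC1918)]


def leaks_by_next_hop(text: str) -> dict[str, list[str]]:
    """NEXT_HOP -> leaked prefixes; on eBGP that address is the leaking router."""
    grouped: dict[str, list[str]] = {}
    for leak in leaked_private_prefixes(text):
        grouped.setdefault(leak.next_hop, []).append(leak.prefix)
    return grouped


def ios_rfc1918_out_filter(name: str = "NO-RFC1918-OUT") -> list[str]:
    """IOS prefix-list to apply with 'neighbor X.X.X.X prefix-list <name> out':
    explicit denies first, then permit anything up to /24. The name is an
    arbitrary choice for this example."""
    lines = [f"ip prefix-list {name} seq {5 * (i + 1)} deny {net} le 32"
             for i, net in enumerate(RFC1918)]
    lines.append(f"ip prefix-list {name} seq 100 permit 0.0.0.0/0 le 24")
    return lines


if __name__ == "__main__":
    for nh, prefixes in leaks_by_next_hop(SAMPLE_SHOW_IP_BGP).items():
        print(f"private prefixes announced by {nh}: {', '.join(prefixes)}")
    print("\n".join(ios_rfc1918_out_filter()))
```

Run against a table the peer pastes back, the NEXT_HOP grouping gives the interface address of whichever router is actually sending the 10/8 routes, regardless of what "show ip bgp nei ... adv" claims on your side; the rendered prefix-list is the explicit deny the thread's filters evidently lack. IOS wraps rows whose network string is too long for the column, and this parser skips such rows rather than guessing at them.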
  6. Barry Margolin

    In article <9%G_d.3411$>,
    "Toby" <> wrote:

    > "Ivan Ostres" <> wrote in message
    > news:...
    > > In article <d1aaff$js9$>, says...
    > >> Is there any other way a prefix might be advertised to a peer without it
    > >> being shown on the "show ip bgp nei ... adv" output?
    > >>
    > >> Also, I still don't understand why two nets would be advertised, while
    > >> another three nets that are used and configured exactly identical
    > >> (AFAICT) are not advertised?
    > >>

    > >
    > > It's possible that you're running into a bug. I've seen similar stuff
    > > before but was not able to find bugID for that. Please look at bugTrack
    > > tool at CCO. If I were you, I would open a TAC case since some bugs are
    > > hidden (mostly found internally).
    > >
    > >> show ip bgp only lists the IBGP connection to the originating router
    > >> (DSL router for customer connections), not for any external connection
    > >> ... sh run is about 80k long ... ;)

    > >
    > > Hm.. yeah, that was a thing that could have been expected :). Sorry I
    > > was not able to help more.
    > >
    > >
    > > --
    > > -Ivan.
    > >
    > > *** Use Rot13 to see my eMail address ***

    >
    > As Ivan has stated this may be a bug, but I would ask your peer to check what
    > routes they have received from you on the BGP neighborship prior to raising
    > the TAC. i.e. if you cannot see the advert and they can, there is definitely
    > a bug. If they can't see it in the BGP they should be able to identify why
    > they are routing a certain network to you. Static etc.


    Another thing you can do is turn on "debug ip bgp" and then "clear ip
    bgp <neighbor>". The debugging messages should show whether you're
    actually advertising the network.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
    Barry Margolin, Mar 19, 2005
    #6
  7. Cisco Fan

    > Another thing you can do is turn on "debug ip bgp" and then "clear ip
    > bgp <neighbor>". The debugging messages should show whether you're
    > actually advertising the network.


    Tried that, but the debug output didn't show any advertisements ...
    neither the 10/8 subnets, nor the regular ones ... !?

    -gg
     
    Cisco Fan, Mar 21, 2005
    #7
