Sunday, 5 December 2010

Status Update

Things have been a little quiet on the blog lately but I have been pretty much keeping the study momentum going.

I don't think I mentioned it but I haven't actually sat for the CCIE Written Exam yet.  Here in Brisbane there used to be two centres where you could sit the exam, but one went out of business a few months ago and there is a 4-5 month lead time on doing a computer-based exam! In a few weeks I plan to go to Sydney so I will make time to do the exam then.  The CCIE R&S Version 4.0 blueprints for Written and Lab are pretty much in alignment; right now I am moving more to looking at things from what the written exam is interested in.

That said, I'm now at the end of the IPExpert Volume 1 Labs - the final lab has an estimated time limit of 10 hours and touches on NAT and IOS security topics, particularly IOS firewalls, both topics which aren't really my strong points.  So I think I'm going to do some more self study in those areas before I face that particular lab.  How do I feel so far about the Volume 1 Workbook?  I've been pretty happy with it, most of the labs have been good but some have been more challenging than others (I guess the areas I spent a lot of time on in projects I found particularly easy compared to others I haven't had a lot of experience with) - I know I'm going to redo particular labs in the future but it's been good to touch on technology areas.  I'm looking forward to facing the Volume 3 labs.

One of the things I'm planning on doing is getting used to working to the estimated timeframes for the labs, while I do attempt to black out enough time to sit a lab at home, the reality is there are some interruptions that occur, so I've decided to use a timer program that I can pause when these events crop up.  So far XNote Stopwatch seems fairly reasonable at the moment - I like the idea of being able to set it to be always on top but partly transparent so I can see the time remaining and not lose screen real estate.

Saturday, 30 October 2010

BGP allow-as-in and as-override

If you are a service provider providing a managed MPLS based IP-VPN service, some of the things you may worry about could include scaling your customer provisioning process.  If you have a customer with 10 sites that requires BGP routing to the CE device at each site, then besides dealing with interface addressing allocations and so on, technically you may also need to allocate a unique BGP ASN per site/CE.

There are a few techniques that I know of that allow us to allocate the same BGP ASN to every CE router.

Let's start with a simple topology:

CE1 S0/0===S0/0 PE1 Fa0/0 ==Fa0/0 PE2 S0/0 ===S0/0 CE2

PE1 and PE2 are running OSPF, MPLS and LDP between themselves and MP-iBGP in ASN 666 to carry the customer routing information.

CE1 has an EBGP connection to PE1 while CE2 has an EBGP connection to PE2, and each of these is redistributing a number of loopbacks into BGP.

PE1 Config:
hostname PE1
!
ip vrf CustA
 rd 666:1
 route-target export 666:1
 route-target import 666:1
!
mpls label protocol ldp
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 description To PE2
 ip address 192.168.255.253 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface Serial0/0
 ip vrf forwarding CustA
 ip address 192.168.12.2 255.255.255.252
 clock rate 128000
!
router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.255.253 0.0.0.0 area 0
!
router bgp 666
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 666
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CustA
  neighbor 192.168.12.1 remote-as 64512
  neighbor 192.168.12.1 activate
  no synchronization
 exit-address-family
!
mpls ldp router-id Loopback0


PE2 Config:
hostname PE2
!
ip vrf CustA
 rd 666:1
 route-target export 666:1
 route-target import 666:1
!
mpls label protocol ldp
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 description To PE1
 ip address 192.168.255.254 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface Serial0/0
 ip vrf forwarding CustA
 ip address 192.168.34.2 255.255.255.0
 clock rate 128000
!
router ospf 100
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.255.254 0.0.0.0 area 0
!
router bgp 666
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 666
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CustA
  neighbor 192.168.34.1 remote-as 64512
  neighbor 192.168.34.1 activate
  no synchronization
 exit-address-family
!
mpls ldp router-id Loopback0

CE1 Config:
hostname CE1
!
interface Loopback0
 ip address 1.2.3.4 255.255.255.255
!
interface Loopback1
 ip address 2.3.4.5 255.255.255.255
!
interface Loopback2
 ip address 3.4.5.6 255.255.255.255
!
interface Loopback3
 ip address 4.5.6.7 255.255.255.255
!
interface Serial0/0
 ip address 192.168.12.1 255.255.255.252
!
router bgp 64512
 no synchronization
 bgp log-neighbor-changes
 redistribute connected metric 100
 neighbor 192.168.12.2 remote-as 666
 neighbor 192.168.12.2 soft-reconfiguration inbound
 no auto-summary
!

CE2 Config:
hostname CE2
!
interface Loopback0
 ip address 9.8.7.6 255.255.255.255
!
interface Loopback1
 ip address 8.7.6.5 255.255.255.255
!
interface Loopback2
 ip address 7.6.5.4 255.255.255.255
!
interface Loopback3
 ip address 6.5.4.3 255.255.255.255
!
interface Serial0/0
 ip address 192.168.34.1 255.255.255.252
!
router bgp 64512
 no synchronization
 bgp log-neighbor-changes
 redistribute connected metric 100
 neighbor 192.168.34.2 remote-as 666
 neighbor 192.168.34.2 soft-reconfiguration inbound
 no auto-summary
!


Let's see if we can see our routes from the other CE router:

CE1#sh ip route bgp

CE2#sh ip route bgp
 

Nothing... not a good sign, is BGP running?

CE1#sh ip bgp summ
BGP router identifier 4.5.6.7, local AS number 64512
BGP table version is 6, main routing table version 6
5 network entries using 600 bytes of memory
5 path entries using 260 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1140 total bytes of memory
BGP activity 15/10 prefixes, 15/10 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.12.2    4   666      71      52        6    0    0 00:03:57        0

CE2#sh ip bgp summ
BGP router identifier 9.8.7.6, local AS number 64512
BGP table version is 6, main routing table version 6
5 network entries using 600 bytes of memory
5 path entries using 260 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory
BGP using 1140 total bytes of memory
BGP activity 5/0 prefixes, 5/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.34.2    4   666      53      89        6    0    0 00:00:27        0

Yes, we're just not seeing any prefixes coming in - can we see them on the PE routers?

PE1#sh ip route vrf CustA

Routing Table: CustA
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.12.0/30 is subnetted, 1 subnets
C       192.168.12.0 is directly connected, Serial0/0
     1.0.0.0/32 is subnetted, 1 subnets
B       1.2.3.4 [20/100] via 192.168.12.1, 00:08:15
     2.0.0.0/32 is subnetted, 1 subnets
B       2.3.4.5 [20/100] via 192.168.12.1, 00:08:15
     3.0.0.0/32 is subnetted, 1 subnets
B       3.4.5.6 [20/100] via 192.168.12.1, 00:08:15
     4.0.0.0/32 is subnetted, 1 subnets
B       4.5.6.7 [20/100] via 192.168.12.1, 00:08:15
     6.0.0.0/32 is subnetted, 1 subnets
B       6.5.4.3 [200/100] via 2.2.2.2, 00:01:49
     7.0.0.0/32 is subnetted, 1 subnets
B       7.6.5.4 [200/100] via 2.2.2.2, 00:01:49
     8.0.0.0/32 is subnetted, 1 subnets
B       8.7.6.5 [200/100] via 2.2.2.2, 00:01:49
     9.0.0.0/32 is subnetted, 1 subnets
B       9.8.7.6 [200/100] via 2.2.2.2, 00:01:49
     192.168.34.0/30 is subnetted, 1 subnets
B       192.168.34.0 [200/100] via 2.2.2.2, 00:01:49

PE2#sh ip route vrf CustA

Routing Table: CustA
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.12.0/30 is subnetted, 1 subnets
B       192.168.12.0 [200/100] via 1.1.1.1, 00:08:09
     1.0.0.0/32 is subnetted, 1 subnets
B       1.2.3.4 [200/100] via 1.1.1.1, 00:08:09
     2.0.0.0/32 is subnetted, 1 subnets
B       2.3.4.5 [200/100] via 1.1.1.1, 00:08:09
     3.0.0.0/32 is subnetted, 1 subnets
B       3.4.5.6 [200/100] via 1.1.1.1, 00:08:09
     4.0.0.0/32 is subnetted, 1 subnets
B       4.5.6.7 [200/100] via 1.1.1.1, 00:08:09
     6.0.0.0/32 is subnetted, 1 subnets
B       6.5.4.3 [20/100] via 192.168.34.1, 00:02:00
     7.0.0.0/32 is subnetted, 1 subnets
B       7.6.5.4 [20/100] via 192.168.34.1, 00:02:00
     8.0.0.0/32 is subnetted, 1 subnets
B       8.7.6.5 [20/100] via 192.168.34.1, 00:02:00
     9.0.0.0/32 is subnetted, 1 subnets
B       9.8.7.6 [20/100] via 192.168.34.1, 00:02:00
     192.168.34.0/24 is variably subnetted, 2 subnets, 2 masks
B       192.168.34.0/30 [20/100] via 192.168.34.1, 00:02:00
C       192.168.34.0/24 is directly connected, Serial0/0

Ok, so the PE routers appear to be happy enough with the situation - each has both CEs' loopbacks in the CustA VRF.


What's the problem? Let's have a look at the BGP updates coming in

CE1#debug ip bgp updates
BGP updates debugging is on for address family: IPv4 Unicast
CE1#clear ip bgp *
*Mar  1 01:02:23.675: %BGP-5-ADJCHANGE: neighbor 192.168.12.2 Down User reset
*Mar  1 01:02:50.755: %BGP-5-ADJCHANGE: neighbor 192.168.12.2 Up
*Mar  1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE w/ attr: nexthop 192.168.12.2, origin ?, originator 0.0.0.0, path 666 64512, community , extended community
*Mar  1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE about 192.168.34.0/30 -- DENIED due to: AS-PATH contains our own AS;
*Mar  1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE about 9.8.7.6/32 -- DENIED due to: AS-PATH contains our own AS;
*Mar  1 01:02:50.763: BGP(0): 192.168.12.2 rcv UPDATE about 8.7.6.5/32 -- DENIED due to: AS-PATH contains our own AS;
*Mar  1 01:02:50.767: BGP(0): 192.168.12.2 rcv UPDATE about 7.6.5.4/32 -- DENIED due to: AS-PATH contains our own AS;
*Mar  1 01:02:50.767: BGP(0): 192.168.12.2 rcv UPDATE about 6.5.4.3/32 -- DENIED due to: AS-PATH contains our own AS;

Well this explains it - BGP loop avoidance is based on the AS-PATH, and since CE1 and CE2 are both allocated the same ASN, each CE rejects the other's prefixes as a loop. We need to fix this.


CE1 EBGP AS 64512 - EBGP AS 666 PE1 I-MPBGP AS 666 PE2 EBGP AS 666 - EBGP AS 64512 CE2


Option 1 - allow-as-in on the CE

CE1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CE1(config)#router bgp 64512
CE1(config-router)#neighbor 192.168.12.2 allowas-in ?
  <1-10>  Number of occurances of AS number
 

CE1(config-router)#neighbor 192.168.12.2 allowas-in 1

This relaxes the AS-PATH loop check - in this case, if our own ASN already appears once in the path, it's ok to accept the update.

CE1(config-router)#do clear ip bgp * soft
CE1(config-router)#do sh ip route bgp
     6.0.0.0/32 is subnetted, 1 subnets
B       6.5.4.3 [20/0] via 192.168.12.2, 00:00:11
     7.0.0.0/32 is subnetted, 1 subnets
B       7.6.5.4 [20/0] via 192.168.12.2, 00:00:11
     8.0.0.0/32 is subnetted, 1 subnets
B       8.7.6.5 [20/0] via 192.168.12.2, 00:00:11
     9.0.0.0/32 is subnetted, 1 subnets
B       9.8.7.6 [20/0] via 192.168.12.2, 00:00:11
     192.168.34.0/30 is subnetted, 1 subnets
B       192.168.34.0 [20/0] via 192.168.12.2, 00:00:11



Let's see the AS-Path:

CE1(config-router)#do sh ip bgp
BGP table version is 31, local router ID is 4.5.6.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.2.3.4/32       0.0.0.0                100         32768 ?
*> 2.3.4.5/32       0.0.0.0                100         32768 ?
*> 3.4.5.6/32       0.0.0.0                100         32768 ?
*> 4.5.6.7/32       0.0.0.0                100         32768 ?
*> 6.5.4.3/32       192.168.12.2                           0 666 64512 ?
*> 7.6.5.4/32       192.168.12.2                           0 666 64512 ?
*> 8.7.6.5/32       192.168.12.2                           0 666 64512 ?
*> 9.8.7.6/32       192.168.12.2                           0 666 64512 ?
*> 192.168.12.0/30  0.0.0.0                100         32768 ?
*> 192.168.34.0/30  192.168.12.2                           0 666 64512 ?

Option 2 - as-override on the PE

An alternate method is to have the PE replace the ASN of the other CE in the AS-PATH with its own ASN, so the loop check doesn't fail on the local CE.

PE2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
PE2(config)#router bgp 666
PE2(config-router)#address-family ipv4 unicast vrf CustA
PE2(config-router-af)#neighbor 192.168.34.1 as-override
PE2(config-router-af)#do clear ip bgp * soft


Now let's see if CE2 is happy:

CE2#sh ip route bgp
     192.168.12.0/30 is subnetted, 1 subnets
B       192.168.12.0 [20/0] via 192.168.34.2, 00:02:46
     1.0.0.0/32 is subnetted, 1 subnets
B       1.2.3.4 [20/0] via 192.168.34.2, 00:02:46
     2.0.0.0/32 is subnetted, 1 subnets
B       2.3.4.5 [20/0] via 192.168.34.2, 00:02:46
     3.0.0.0/32 is subnetted, 1 subnets
B       3.4.5.6 [20/0] via 192.168.34.2, 00:02:46
     4.0.0.0/32 is subnetted, 1 subnets
B       4.5.6.7 [20/0] via 192.168.34.2, 00:02:46
 
Yep, and what is the AS path?

CE2#sh ip bgp
BGP table version is 21, local router ID is 9.8.7.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.2.3.4/32       192.168.34.2                           0 666 666 ?
*> 2.3.4.5/32       192.168.34.2                           0 666 666 ?
*> 3.4.5.6/32       192.168.34.2                           0 666 666 ?
*> 4.5.6.7/32       192.168.34.2                           0 666 666 ?
*> 6.5.4.3/32       0.0.0.0                100         32768 ?
*> 7.6.5.4/32       0.0.0.0                100         32768 ?
*> 8.7.6.5/32       0.0.0.0                100         32768 ?
*> 9.8.7.6/32       0.0.0.0                100         32768 ?
*> 192.168.12.0/30  192.168.34.2                           0 666 666 ?
*> 192.168.34.0/30  0.0.0.0                100         32768 ?
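
The following is an added example, not part of the original post: a small Python model of the two AS-PATH loop-avoidance knobs used above, with the lab's ASNs (PE = 666, both CEs = 64512). It talks to no router; it only reproduces the accept/deny decision so the difference between allowas-in and as-override (and the limits of allowas-in) can be checked offline.

```python
# Added example (not from the original post): model of BGP AS-PATH loop
# avoidance with 'allowas-in' (CE side) and 'as-override' (PE side),
# using the lab's ASNs.  Nothing here speaks BGP to a real device.

PE_AS = 666
CE_AS = 64512      # the same ASN is allocated to CE1 and CE2, as in the lab

DENY_REASON = "DENIED due to: AS-PATH contains our own AS"


def inbound_loop_check(as_path, local_as, allowas_in=0):
    """CE-side check on a received eBGP UPDATE.

    Default IOS behaviour (the debug lines in the post): if our own ASN
    appears anywhere in AS-PATH the prefix is denied.  'neighbor X allowas-in N'
    relaxes this so that up to N occurrences are tolerated; N+1 is still a loop.
    Returns (accepted, reason).
    """
    seen = as_path.count(local_as)
    if seen == 0:
        return True, "own AS not in path"
    if seen <= allowas_in:
        return True, f"own AS seen {seen}x, permitted by allowas-in {allowas_in}"
    return False, DENY_REASON


def pe_advertise(vpn_as_path, neighbor_as, local_as, as_override=False):
    """AS-PATH the PE sends to an eBGP CE neighbour.

    eBGP always prepends the sender's own ASN.  'neighbor X as-override' then
    rewrites every occurrence of the neighbour's ASN with the PE's ASN, which
    is why the CE ends up seeing '666 666' instead of '666 64512'.
    """
    path = [local_as] + list(vpn_as_path)
    if as_override:
        path = [local_as if asn == neighbor_as else asn for asn in path]
    return path


# Routes from one CE arrive at the PEs with AS-PATH [64512] (MP-iBGP between
# the PEs adds nothing) and are then sent on to the other CE.
OTHER_CE_ROUTES_IN_VPN = [CE_AS]


def option_default():
    """No fix: the receiving CE rejects the other CE's prefixes."""
    path = pe_advertise(OTHER_CE_ROUTES_IN_VPN, CE_AS, PE_AS)
    return path, inbound_loop_check(path, CE_AS)


def option_allowas_in(count=1):
    """Option 1: allowas-in on the CE.  The path still carries 64512."""
    path = pe_advertise(OTHER_CE_ROUTES_IN_VPN, CE_AS, PE_AS)
    return path, inbound_loop_check(path, CE_AS, allowas_in=count)


def option_as_override():
    """Option 2: as-override on the PE.  No CE-side change is needed."""
    path = pe_advertise(OTHER_CE_ROUTES_IN_VPN, CE_AS, PE_AS, as_override=True)
    return path, inbound_loop_check(path, CE_AS)


def allowas_in_still_catches_loops(count=1):
    """Caveat: allowas-in N only tolerates N occurrences.  A constructed path
    in which 64512 appears twice (a route that has already been through a
    64512 site and come back) is still denied with allowas-in 1."""
    looped = [PE_AS, CE_AS, PE_AS, CE_AS]
    return inbound_loop_check(looped, CE_AS, allowas_in=count)


if __name__ == "__main__":
    for name, fn in [("default", option_default),
                     ("allowas-in 1", option_allowas_in),
                     ("as-override", option_as_override)]:
        path, (ok, why) = fn()
        print(f"{name:13} AS-PATH {path} -> {'accepted' if ok else 'denied'} ({why})")
    print("two occurrences with allowas-in 1:", allowas_in_still_catches_loops())
```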

So the final test - L3 data plane connectivity:

CE2#ping 1.2.3.4 source 9.8.7.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
Packet sent with a source address of 9.8.7.6
!!!!!
 

It seems like for the CCIE lab there is usually more than one way to do something, and quite often you will be restricted from using particular methods, so it is always handy to have an alternate up your sleeve.
 

Tuesday, 12 October 2010

IOS Based Menu Configuration

I've never really had a need to create router based menus before, however there is a requirement in the blueprint to be able to know how to do it.

Where to find info about this on the Cisco Website:
www.cisco.com -> Support -> IOS and NX-OS Software -> Cisco IOS -> 12.4 Family -> 12.4T -> Configuration Guides -> Configuration Fundamentals Configuration Guide

Part 4: Managing Connections, Menus, and System Banners has what we want (by the way if you decide to go to the Network Management Configuration Guide - there is a different framework called Embedded Menu Manager which relies on XML based configs and is not what you want at all)

Task: 

When user NetDiag (password NetDiag) logs into the router immediately provide them a diagnostics menu to be able to quickly ping and traceroute other routers.

This task is actually two parts - the menu itself, and setting up the account so that the menu starts automatically for the user.


Subtask 1 - the Menu:

Multiple Menus can exist and call other menus, so they each need a name to identify them, in this example I'm just going to use "diag".  Defining a menu title is required - just like setting a banner, as it is a free-form string, you need to select a character that lets the router know that this is the end of input (we're using the ^ character here)

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#menu diag title ^
Enter TEXT message.  End with the character '^'
####################
# Diagnostics Menu #
####################^


After the title, we add the list of options and the description of each option:


R1(config)#menu diag text 1 Ping R2
R1(config)#menu diag text 2 Ping R3
R1(config)#menu diag text 3 Traceroute R2
R1(config)#menu diag text 4 Traceroute R3
R1(config)#menu diag text x Exit

Now we enter the actual commands we want to execute for each option

R1(config)#menu diag command 1 ping 200.0.0.2 repeat 2 source loopback0
R1(config)#menu diag command 2 ping 200.0.0.3 repeat 2 source loopback0
R1(config)#menu diag command 3 trace 200.0.0.2 source loopback0
R1(config)#menu diag command 4 trace 200.0.0.3 source loopback0
R1(config)#menu diag command x menu-exit

If you like, you can also specify the message prompt when requesting a menu selection

R1(config)#menu diag prompt $
Enter TEXT message.  End with the character '$'
What is thy wish Master? $

Optionally, we can pause the display after each command before presenting the menu again - this would only be worth using if we cleared the screen before displaying the menu

R1(config)#menu diag clear-screen
R1(config)#menu diag option 1 pause
R1(config)#menu diag option 2 pause
R1(config)#menu diag option 3 pause
R1(config)#menu diag option 4 pause

To Test:

R1(config)#do menu diag
####################
# Diagnostics Menu #
####################
    1          Ping R2
    2          Ping R3
    3          Traceroute R2
    4          Traceroute R3
    x          Exit
 
What is thy wish Master? 1

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 200.0.0.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 4/6/8 ms
--More--


Subtask 2 - Autocommand:

With the menu sorted, it's time to create the user and restrict them to the menu only.  This will be achieved with an autocommand, which runs as soon as the user connects.



R1(config)#username NetDiag password NetDiag
R1(config)#username NetDiag autocommand menu diag

If you noticed, the menu commands use extended ping and traceroute (with a source interface), which require enable mode.

R1(config)#username NetDiag privilege 15

Make sure we are allowing users to telnet in to us

R1(config)#line vty 0 4
R1(config-line)#login local

Let's test it from R6.

R6#telnet 200.0.0.1
Trying 200.0.0.1 ... Open

User Access Verification

Username: NetDiag
Password:

####################
# Diagnostics Menu #
####################
    1          Ping R2
    2          Ping R3
    3          Traceroute R2
    4          Traceroute R3
    x          Exit

What is thy wish Master? x
R1#

The only possible problem here is when we exit the menu, we are at the CLI prompt with a user in enable mode.  If you wanted to disconnect the user when they exit the menu, change it so that they are logged out instead:

R1(config)#menu diag command x logout

Friday, 1 October 2010

BGP Route Aggregation and unsuppress-map

Route aggregation is a generally good thing to do.

When you enable it within your BGP instance, you can elect to suppress the contributing routes from being advertised to your peers by using the "summary-only" keyword.   In some cases, though, you may not want to suppress the contributing routes for certain peers, and want a way to override this global behaviour on an individual peer basis.

Through the application of the swiss army knife known as a route-map, in conjunction with the "unsuppress-map" keyword on your neighbor declaration, it is possible to allow the more-specific routes to still be advertised to that peer.

In my configuration example, I have three routers, R4, R5 and R6 in a string where R5 is directly peering with R4 and R6.

R4 Configuration
hostname R4
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 description To R5 Fa0/0
 ip address 100.100.45.4 255.255.255.0
 duplex auto
 speed auto
!
router bgp 64512
 no synchronization
 bgp router-id 4.4.4.4
 bgp log-neighbor-changes
 network 4.4.4.4 mask 255.255.255.255
 neighbor 100.100.45.5 remote-as 64513
 no auto-summary
!


R5 Initial Configuration
hostname R5
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Loopback10
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback11
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback12
 ip address 192.168.3.1 255.255.255.0
!
interface Loopback20
 ip address 172.16.0.1 255.255.255.0
!
interface Loopback21
 ip address 172.16.7.1 255.255.255.0
!
interface FastEthernet0/0
 description R4 Fa0/0
 ip address 100.100.45.5 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description R5 Fa0/1
 ip address 100.100.56.5 255.255.255.0
 duplex auto
 speed auto
!
router bgp 64513
 no synchronization
 bgp router-id 5.5.5.5
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 network 172.16.0.0 mask 255.255.255.0
 network 172.16.7.0 mask 255.255.255.0
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 aggregate-address 172.16.0.0 255.255.248.0 summary-only
 aggregate-address 192.168.0.0 255.255.252.0 summary-only
 neighbor 100.100.45.4 remote-as 64512 
 neighbor 100.100.56.6 remote-as 64514
 no auto-summary


R6 Configuration
hostname R6
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/1
 description R5 Fa0/1
 ip address 100.100.56.6 255.255.255.0
 duplex auto
 speed auto
!
router bgp 64514
 no synchronization
 bgp log-neighbor-changes
 network 6.6.6.6 mask 255.255.255.255
 neighbor 100.100.56.5 remote-as 64513
 no auto-summary
!

As you can see there are some loopbacks on R5 which are summarised thanks to the "aggregate-address" commands and with the "summary-only" keyword, the contributing routes will be suppressed from advertisement.

Let's have a look at what R4 and R6 see:

R4#sh ip route bgp
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [20/0] via 100.100.45.5, 00:09:48
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [20/0] via 100.100.45.5, 00:10:18
     172.16.0.0/21 is subnetted, 1 subnets
B       172.16.0.0 [20/0] via 100.100.45.5, 00:09:48
B    192.168.0.0/22 [20/0] via 100.100.45.5, 00:09:48

R6# sh ip route bgp
     4.0.0.0/32 is subnetted, 1 subnets
B       4.4.4.4 [20/0] via 100.100.56.5, 00:10:29
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [20/0] via 100.100.56.5, 00:09:59
     172.16.0.0/21 is subnetted, 1 subnets
B       172.16.0.0 [20/0] via 100.100.56.5, 00:09:59
B    192.168.0.0/22 [20/0] via 100.100.56.5, 00:09:59

Which certainly matches what R5 says it's doing:

R5#sh ip bgp neighbors 100.100.45.4 advertised-routes
BGP table version is 16, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       100.100.45.4             0             0 64512 i
*> 5.5.5.5/32       0.0.0.0                  0         32768 i
*> 6.6.6.6/32       100.100.56.6             0             0 64514 i
*> 172.16.0.0/21    0.0.0.0                            32768 i
*> 192.168.0.0/22   0.0.0.0                            32768 i

Total number of prefixes 5
R5#sh ip bgp neighbors 100.100.56.6 advertised-routes
BGP table version is 16, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       100.100.45.4             0             0 64512 i
*> 5.5.5.5/32       0.0.0.0                  0         32768 i
*> 6.6.6.6/32       100.100.56.6             0             0 64514 i
*> 172.16.0.0/21    0.0.0.0                            32768 i
*> 192.168.0.0/22   0.0.0.0                            32768 i

Total number of prefixes 5


Let's say for argument's sake we want the specific routes from 192.168.0.0/22 to appear on R4 and the specific routes from 172.16.0.0/21 to appear on R6.

The way we do this is to configure the neighbor with an unsuppress-map (a route-map); contributing routes that match it are advertised to that peer despite "summary-only". In this example, the route-map for R4 matches the routes with an access list, and the route-map for R6 uses a prefix-list.


R5(config)#router bgp 64513
R5(config-router)#neighbor 100.100.45.4 unsuppress-map UnsuppressR4
R5(config-router)#neighbor 100.100.56.6 unsuppress-map UnsuppressR6
R5(config-router)#route-map UnsuppressR4
R5(config-route-map)#match ip address 4
R5(config-route-map)#exit
R5(config)#access-list 4 permit 192.168.0.0 0.0.3.255
R5(config)#route-map UnsuppressR6
R5(config-route-map)#match ip address prefix-list R6
R5(config-route-map)#exit
R5(config)#ip prefix-list R6 permit 172.16.0.0/21


After clearing the peerings (clear ip bgp *) and waiting for BGP to come up and stabilise, let's see what R5 is advertising to its peers.

Below we can see that R5 is advertising some routes with the "s" flag which means that they were suppressed but we're advertising them:

R5#sh ip bgp neighbors 100.100.45.4 advertised-routes
BGP table version is 16, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 5.5.5.5/32       0.0.0.0                  0         32768 i
*> 6.6.6.6/32       100.100.56.6             0             0 64514 i
*> 172.16.0.0/21    0.0.0.0                            32768 i
*> 192.168.0.0/22   0.0.0.0                            32768 i
s> 192.168.1.0      0.0.0.0                  0         32768 i
s> 192.168.2.0      0.0.0.0                  0         32768 i
s> 192.168.3.0      0.0.0.0                  0         32768 i

R4>sh ip route bgp
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [20/0] via 100.100.45.5, 00:02:45
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [20/0] via 100.100.45.5, 00:03:31
     172.16.0.0/21 is subnetted, 1 subnets
B       172.16.0.0 [20/0] via 100.100.45.5, 00:02:45
B    192.168.1.0/24 [20/0] via 100.100.45.5, 00:02:45
B    192.168.2.0/24 [20/0] via 100.100.45.5, 00:02:45
B    192.168.3.0/24 [20/0] via 100.100.45.5, 00:02:45
B    192.168.0.0/22 [20/0] via 100.100.45.5, 00:02:45

Now here is a problem with R5... we aren't advertising the specific routes for the 172.16.0.0/21 network to R6!

R5#sh ip bgp neighbors 100.100.56.6 advertised-routes
BGP table version is 16, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       100.100.45.4             0             0 64512 i
*> 5.5.5.5/32       0.0.0.0                  0         32768 i
*> 172.16.0.0/21    0.0.0.0                            32768 i
*> 192.168.0.0/22   0.0.0.0                            32768 i

Total number of prefixes 4

The problem is that the prefix-list is only matching the summary route itself and not the contributing routes.  All we need to do is fix up the prefix-list and all should be well:

R5(config)#no ip prefix-list R6 permit 172.16.0.0/21
R5(config)#ip prefix-list R6 permit 172.16.0.0/21 le 24
R5(config)#do clear ip bgp 100.100.56.6 soft
R5(config)#do sh ip bgp nei 100.100.56.6 adv
BGP table version is 16, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       100.100.45.4             0             0 64512 i
*> 5.5.5.5/32       0.0.0.0                  0         32768 i
s> 172.16.0.0/24    0.0.0.0                  0         32768 i
*> 172.16.0.0/21    0.0.0.0                            32768 i
s> 172.16.7.0/24    0.0.0.0                  0         32768 i
*> 192.168.0.0/22   0.0.0.0                            32768 i

Total number of prefixes 6

Things are now working as expected and R6 agrees

R6>sh ip route bgp
     4.0.0.0/32 is subnetted, 1 subnets
B       4.4.4.4 [20/0] via 100.100.56.5, 00:09:45
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [20/0] via 100.100.56.5, 00:08:58
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
B       172.16.7.0/24 [20/0] via 100.100.56.5, 00:02:03
B       172.16.0.0/24 [20/0] via 100.100.56.5, 00:02:03
B       172.16.0.0/21 [20/0] via 100.100.56.5, 00:08:58
B    192.168.0.0/22 [20/0] via 100.100.56.5, 00:08:58
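
As an added example (not part of the original post), here is a Python model of the two route-map match styles used in the unsuppress-maps above, with R5's aggregates and contributing routes taken from the configuration. It shows why "permit 172.16.0.0/21" matched nothing that was suppressed while "permit 172.16.0.0/21 le 24" does, and that a standard access-list match never looks at the prefix length at all.

```python
# Added example (not from the original post): how 'match ip address <acl>'
# and 'match ip address prefix-list <name>' decide which suppressed
# contributing routes an unsuppress-map releases.  Pure Python, no router.
import ipaddress

# R5's aggregates -> contributing routes that 'summary-only' suppresses
R5_AGGREGATES = {
    "192.168.0.0/22": ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
    "172.16.0.0/21": ["172.16.0.0/24", "172.16.7.0/24"],
}


def acl_wildcard_match(route, acl_addr, wildcard):
    """'access-list N permit A W' as used by 'match ip address N'.

    Only the network address is compared, bit for bit, except where the
    wildcard has a 1 bit; the route's prefix length is never examined.
    """
    net = int(ipaddress.IPv4Network(route, strict=False).network_address)
    addr = int(ipaddress.IPv4Address(acl_addr))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (net & care) == (addr & care)


def prefix_list_match(route, entry, ge=None, le=None):
    """'ip prefix-list X permit entry [ge N] [le M]'.

    The route must lie inside 'entry' AND its length must fall in the allowed
    range.  With no ge/le that range is exactly entry's own length, which is
    why 'permit 172.16.0.0/21' matches the /21 aggregate but none of the /24s.
    """
    r = ipaddress.IPv4Network(route, strict=False)
    e = ipaddress.IPv4Network(entry, strict=False)
    if not r.subnet_of(e):
        return False
    lo = ge if ge is not None else e.prefixlen
    hi = le if le is not None else (32 if ge is not None else e.prefixlen)
    return lo <= r.prefixlen <= hi


def advertised_by_r5(unsuppress_match):
    """Prefixes R5 sends a peer: every aggregate, plus each suppressed
    contributor that the peer's unsuppress-map permits."""
    sent = []
    for aggregate, contributors in R5_AGGREGATES.items():
        sent.append(aggregate)
        sent.extend(c for c in contributors if unsuppress_match(c))
    return sorted(sent, key=lambda p: ipaddress.IPv4Network(p))


def to_r4():
    """route-map UnsuppressR4 / access-list 4 permit 192.168.0.0 0.0.3.255"""
    return advertised_by_r5(
        lambda p: acl_wildcard_match(p, "192.168.0.0", "0.0.3.255"))


def to_r6_first_attempt():
    """route-map UnsuppressR6 / ip prefix-list R6 permit 172.16.0.0/21"""
    return advertised_by_r5(lambda p: prefix_list_match(p, "172.16.0.0/21"))


def to_r6_fixed():
    """route-map UnsuppressR6 / ip prefix-list R6 permit 172.16.0.0/21 le 24"""
    return advertised_by_r5(
        lambda p: prefix_list_match(p, "172.16.0.0/21", le=24))


if __name__ == "__main__":
    print("to R4:               ", to_r4())
    print("to R6 (first try):   ", to_r6_first_attempt())
    print("to R6 (le 24 fix):   ", to_r6_fixed())
```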