
When the aggregate command is used to summarize routes in BGP, an ACL does not match the sub-networks that were summarized into the aggregate

Publication Date:  2019-07-17  |   Views:  322  |   Downloads:  0  |   Author:  anusorn  |   Document ID:  EKB0000355113


Issue Description

We deployed a BGP route-policy on the new link between the GW and the ISP to select and filter the routes advertised to the ISP, so that traffic is balanced between the GW and the ISP. The route-policy could not match the intended routes, so those routes were dropped instead of being advertised, and no traffic passed through the new link.

The change that led to this was as follows. ACLs 2101 and 2102, which filter the routes advertised out to the TI network, were modified: some IP pools were separated out of those ACLs and placed in two new ACLs, 2501 and 2502. A new route-policy, new-med-TI1, was created that matches the new ACLs and applies the same cost (MED) as the old policy med-TI1 on each router.

Alarm Information

No traffic passes through the new link.

Handling Process

We modified the new ACL so that it matches the full pool (the aggregate prefix) rather than its individual sub-networks, and we denied the same pool in the old ACL so that the old policy no longer advertises it. The rule numbers used are shown below; the source addresses and wildcards of the rules are not reproduced in this article. Note that rule 5000 is a catch-all deny at the end of the ACL, so any route that matches none of the permit rules is denied.

acl number 2502
 rule 130 permit source
 rule 140 permit source
 rule 150 permit source
 rule 160 permit source
 rule 5000 deny
acl number 2102
 undo rule 130 permit source
 undo rule 140 permit source
 undo rule 150 permit source
 undo rule 160 permit source
 rule 130 deny source
 rule 140 deny source
 rule 150 deny source
 rule 160 deny source

Root Cause

We checked the ACL match on the new link and found that the ACL did not match the IP pool that we had put into it.
We displayed the traffic statistics on the interface and found that no traffic at all was passing out to MTG-GW.

Before sending a route to a peer, the router first checks whether the route has been aggregated, and only then evaluates the export route-policy and its ACL. Because the pool had already been aggregated, the route presented to the ACL is the aggregate prefix, not the individual sub-networks. None of the rules that list the sub-networks can match the aggregate; the only rule that matches is the catch-all rule 5000 deny, so the route is denied and is never advertised over the new link. The ACL used by the export policy must therefore match the aggregate prefix itself (the full pool), which is what the change in the Handling Process does.
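The following configuration is an added, illustrative example written for this article; it is not taken from the affected routers, and the prefixes, AS numbers, peer address, cost value and rule numbers are assumed for illustration. It assumes the pool 10.10.0.0/22 is advertised to the ISP as a single aggregate with its specific routes suppressed (aggregate ... detail-suppressed), which is the situation the Root Cause describes; without detail-suppressed the specific routes would still be advertised and would match the per-sub-network rules. It shows the ACL as first written (per sub-network, fails to match the aggregate) next to the corrected ACL that matches the aggregate prefix, the old ACL with the pool denied, and the route-policy that applies the cost. Lines beginning with "#" are explanatory comments, not configuration.

```text
# Assumed topology: the GW advertises the pool 10.10.0.0/22 to the ISP peer
# 203.0.113.2. The pool is aggregated with detail-suppressed, so the peer is
# sent only 10.10.0.0/22 and never the /24 specifics inside it.
bgp 65001
 peer 203.0.113.2 as-number 65002
 ipv4-family unicast
  aggregate 10.10.0.0 22 detail-suppressed
  peer 203.0.113.2 enable
  peer 203.0.113.2 route-policy new-med-TI1 export

# ACL 2502 as first written (does NOT work): one rule per sub-network.
# A basic ACL compares only the route's network address with the rule's
# address and wildcard; the prefix length is not checked. The only route that
# reaches the export policy is the aggregate, whose network address is
# 10.10.0.0, and none of these rules covers that address. The /24 specifics
# that the rules were written for are suppressed and never evaluated, so the
# lookup falls through to the catch-all rule 5000 and the aggregate is denied.
acl number 2502
 rule 130 permit source 10.10.1.0 0.0.0.255
 rule 140 permit source 10.10.2.0 0.0.0.255
 rule 150 permit source 10.10.3.0 0.0.0.255
 rule 5000 deny

# ACL 2502 corrected: match the full pool, i.e. the aggregate prefix itself.
# 0.0.3.255 is the wildcard for a /22, so the aggregate's network address
# 10.10.0.0 matches rule 130 and the route is permitted.
acl number 2502
 rule 130 permit source 10.10.0.0 0.0.3.255
 rule 5000 deny

# Old ACL 2102 (used by the old policy med-TI1): deny the moved pool so the
# old policy no longer advertises it with its own cost. Other existing rules
# of ACL 2102 are unchanged and not shown here.
acl number 2102
 rule 130 deny source 10.10.0.0 0.0.3.255

# New route-policy: match the corrected ACL and apply the same cost as the
# old policy (100 is an assumed value). Node 20 lets unrelated routes pass.
route-policy new-med-TI1 permit node 10
 if-match acl 2502
 apply cost 100
route-policy new-med-TI1 permit node 20

# Checks after the change: confirm the aggregate exists in the BGP table and
# that it is actually advertised to the peer with the expected MED.
#  display bgp routing-table 10.10.0.0 22
#  display bgp routing-table peer 203.0.113.2 advertised-routes
```

If the mask length itself must be part of the match (for example to permit exactly the /22 and nothing more or less specific), an ip-prefix list with if-match ip-prefix is the appropriate tool rather than a basic ACL, since the ACL match above is by address only.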