One of the challenges of cloud networking is route table limits. For example, AWS has a limit of 100 routes per table. This can pose a real challenge in hybrid cloud scenarios, where the on-prem infrastructure can easily support hundreds or thousands of internal routes with no problem, leaving you (aka “cloud guy”) responsible for performing the filtering and aggregation.
Consider this scenario:
The CSR1000v learns about 150 routes via EIGRP, mostly in RFC 1918 space:

    D EX 10.4.0.0/16 [170/51307520] via 10.1.4.73, 00:05:02, Tunnel100
    D EX 10.5.0.0/16 [170/51307520] via 10.1.4.61, 00:05:02, Tunnel100
    D EX 10.6.8.0/22 [170/51307520] via 10.1.4.12, 00:05:02, Tunnel100
    D EX 192.168.11.0/24 [170/52234240] via 10.1.4.88, 00:05:02, Tunnel100
    D EX 192.168.22.0/23 [170/51829760] via 10.1.4.99, 00:05:02, Tunnel100
    D EX 192.168.33.0/24 [170/51824640] via 10.1.4.123, 00:05:02, Tunnel100
So obviously we need to do some filtering or summarization before passing the routes to the AWS route tables via BGP.
The quick and simple fix: summarize the 10.0.0.0/8 & 192.168.0.0/16 prefixes on the CSR1000v:
    router bgp 65000
     bgp log-neighbor-changes
     !
     address-family ipv4
      aggregate-address 10.0.0.0 255.0.0.0 summary-only
      aggregate-address 192.168.0.0 255.255.0.0 summary-only
      redistribute eigrp 100
      neighbor 169.254.1.2 remote-as 65100
      neighbor 169.254.1.2 activate
Upon initial examination, this seems to work great. Only the aggregate routes are passed to the BGP neighbors:
    CSR1000v#sh ip bgp nei 169.254.1.2 advertised-routes | inc (10\.|192\.168)
    *> 10.0.0.0         0.0.0.0                            32768 i
    *> 192.168.0.0/16   0.0.0.0                            32768 i
But there’s a nasty surprise when the EIGRP neighbors are reset. The “summary-only” option briefly stops working for about 20 seconds:
    CSR1000v#sh ip bgp nei 169.254.1.2 advertised-routes | inc 10\.
    *> 10.0.0.0         0.0.0.0                            32768 i
    *> 10.4.0.0/16      10.1.4.73         51307520         32768 ?
    *> 10.5.0.0/16      10.1.4.61         51307520         32768 ?
    *> 10.6.8.0/22      10.1.4.12         51307520         32768 ?
    *> 10.7.12.0/22     10.1.4.52         51307520         32768 ?
    *> 10.8.8.0/24      10.1.4.7          51307520         32768 ?
    *> 10.9.0.0/24      10.1.4.41         51307520         32768 ?
    *> 10.77.0.0/16     10.1.4.8          51312640         32768 ?
This exceeds the 100-route limit, and AWS will disable the BGP peering session for 5 minutes.
One fix is to use filters instead of the “summary-only” option:
    router bgp 65000
     bgp log-neighbor-changes
     !
     address-family ipv4
      aggregate-address 10.0.0.0 255.0.0.0
      aggregate-address 172.16.0.0 255.240.0.0
      aggregate-address 192.168.0.0 255.255.0.0
      redistribute eigrp 100
      distribute-list prefix SUMM_RFC_1918 out
    !
    ip prefix-list SUMM_RFC_1918 seq 10 deny 10.0.0.0/8 ge 9
    ip prefix-list SUMM_RFC_1918 seq 20 deny 172.16.0.0/12 ge 13
    ip prefix-list SUMM_RFC_1918 seq 30 deny 192.168.0.0/16 ge 17
    ip prefix-list SUMM_RFC_1918 seq 99 permit 0.0.0.0/0 le 32
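To sanity-check a prefix-list like SUMM_RFC_1918 against a candidate route set before it goes live (and to confirm the EIGRP specifics stay blocked even when the aggregates are not suppressing them), here is an added Python example, not from the original post, that implements the IOS prefix-list ge/le matching rules and evaluates the four entries above. The config text and the non-RFC 1918 route 203.0.113.0/24 are constructed inputs.

```python
import ipaddress
import re

# Constructed input: the prefix-list from the config above, as IOS prints it.
PREFIX_LIST_CONFIG = """
ip prefix-list SUMM_RFC_1918 seq 10 deny 10.0.0.0/8 ge 9
ip prefix-list SUMM_RFC_1918 seq 20 deny 172.16.0.0/12 ge 13
ip prefix-list SUMM_RFC_1918 seq 30 deny 192.168.0.0/16 ge 17
ip prefix-list SUMM_RFC_1918 seq 99 permit 0.0.0.0/0 le 32
"""

ENTRY_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)


def parse_prefix_list(text, name):
    """Return (seq, action, prefix, min_len, max_len) tuples for one list, sorted by seq."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        seq, action, ge, le = int(m.group(2)), m.group(3), m.group(5), m.group(6)
        pfx = ipaddress.ip_network(m.group(4))
        # IOS semantics: no ge/le means the length must match exactly;
        # ge alone means ge..32; le alone means prefixlen..le.
        min_len = int(ge) if ge else pfx.prefixlen
        max_len = int(le) if le else (32 if ge else pfx.prefixlen)
        entries.append((seq, action, pfx, min_len, max_len))
    return sorted(entries)


def prefix_list_permits(entries, route):
    """First matching entry wins; a route matching nothing hits the implicit deny."""
    for _seq, action, pfx, min_len, max_len in entries:
        if route.subnet_of(pfx) and min_len <= route.prefixlen <= max_len:
            return action == "permit"
    return False


def advertised_routes(entries, candidates):
    """Filter candidate prefixes (strings) the way the outbound distribute-list would."""
    return [r for r in candidates if prefix_list_permits(entries, ipaddress.ip_network(r))]


if __name__ == "__main__":
    rules = parse_prefix_list(PREFIX_LIST_CONFIG, "SUMM_RFC_1918")
    # Aggregates plus the EIGRP specifics seen earlier, plus one non-RFC 1918 route.
    bgp_table = ["10.0.0.0/8", "10.4.0.0/16", "10.77.0.0/16", "172.16.0.0/12",
                 "192.168.0.0/16", "192.168.22.0/23", "203.0.113.0/24"]
    print(advertised_routes(rules, bgp_table))
```

Only the three aggregates and the non-RFC 1918 route survive the filter; the /16 and /23 specifics are dropped whether or not summary-only is suppressing them.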
Another solution is to simply skip EIGRP-to-BGP redistribution altogether, and instead advertise the RFC 1918 blocks with the network statement (backed by static Null0 routes so the networks are present in the RIB):
    router bgp 65000
     bgp log-neighbor-changes
     !
     address-family ipv4
      network 10.0.0.0
      network 172.16.0.0 mask 255.240.0.0
      network 192.168.0.0 mask 255.255.0.0
    !
    ip route 10.0.0.0 255.0.0.0 Null0 254
    ip route 172.16.0.0 255.240.0.0 Null0 254
    ip route 192.168.0.0 255.255.0.0 Null0 254