BugZero | Cisco BugID CSCvy98872 - Outbound OSPF route-map matching BGP community wro...

Cisco - Defect ID: CSCvy98872

Outbound OSPF route-map matching BGP community wrongly filter BD subnet

Cisco - Defect ID: CSCvy98872

Outbound OSPF route-map matching BGP community wrongly filter BD subnet

Last updated on 11/28/2022

Overall: 5.65.6

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 5.65.6

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 4.64.6

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

When applying an outbound route-map in an OSPF L3Out matching BGP community (to deny vpnv4 path matching that community) towards OSPF. Community filtering works well for all BGP path or transit prefix. However it also filters all BD subnets to be sent out on OSPF.

Conditions

Configure an outbound route-map in OSPF L3out to deny routes by matching BGP community

Workaround

Issue is not seen if 0.0.0.0/0 le 32 And community are used. You don't need to specify exact prefix as we have aggregate "0.0.0.0/0 le 32" leaf2# show route-map exp-ctx-proto-2654211 route-map exp-ctx-proto-2654211, deny, sequence 16401 Match clauses: ip address prefix-lists: IPv4-proto38-2654211-agg-ext-out-Test-MATCH-Community2MatchComm1MATCH-COMM-dst ipv6 address prefix-lists: IPv6-deny-all community (community-list filter): proto38-2654211-agg-ext-out-Test-MATCH-Community2MatchComm1MATCH-COMM-rgcom Set clauses: metric-type type-1 route-map exp-ctx-proto-2654211, permit, sequence 16601 Match clauses: ip address prefix-lists: IPv4-proto38-2654211-agg-ext-out-Test-MATCH-Community2match1mtch-dst ipv6 address prefix-lists: IPv6-deny-all Set clauses: tag 4294967295 leaf2# show ip prefix-list IPv4-proto38-2654211-agg-ext-out-Test-MATCH-Community2MatchComm1MATCH-COMM-dst ip prefix-list IPv4-proto38-2654211-agg-ext-out-Test-MATCH-Community2MatchComm1MATCH-COMM-dst: 1 entries seq 1 permit 0.0.0.0/0 le 32 bdsol-aci32-leaf2# leaf2# show ip community-list proto38-2654211-agg-ext-out-Test-MATCH-Community2MatchComm1MATCH-COMM-rgcom Standard Community List proto38-2654211-agg-ext-out-Test-MATCH-Community2MatchComm1MATCH-COMM-rgcom permit 1001:1001"

Further Problem Description

RPM sees that the route is not a BGP route( our route is static). Hence RPM wonâ€™t be able to do a match against the configured community values in the route-map. So this is considered as a match and hence the result(permit/deny) of that route-map sequence is provided. This is a day 1 behavior and there are no plans to change the RPM logic, however, issue has been fixed in 6.x by excluding community match from the static route-map.

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCvy98872

Outbound OSPF route-map matching BGP community wrongly filter BD subnet

Cisco - Defect ID: CSCvy98872

Outbound OSPF route-map matching BGP community wrongly filter BD subnet

Last updated on 11/28/2022

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?