BGP Conditional Advertisement.
This features allows for advertisement of routes to other neighbours only when a specific condition is met. Particularly by checking the existence of another prefix in the BGP RIB such that the advertisement of a specific prefix or set of prefixes depends on the existence or inexistence of another prefix in the bgp table.
Objective
AS64513 is the source of the prefix 172.31/16 which it announce to its two peers in AS64512 and AS64515 who in turn announce it to AS64516. AS64516 itself is a source of two prefixes 10.1.1/24 and 172.18.0/24. The objective is to have AS64516 announce the prefix 10.1.1/24 to AS64515 only when AS64515 announces the prefix 172.31/16 (from AS64513) to AS64516. When AS64515 is not advertising 172.31/16 to AS64516, AS64516 should stop advertising its prefix 10.1.1/24 to AS64515 while still advertising the other prefixes (except 10.1.1/24) to AS64515 as well as advertising 10.1.1/24 and other prefixes to AS64512.
Configuration
AS64516
interface FastEthernet0/0 description CONNECTION TO AS64515 ip address 10.0.0.10 255.255.255.252 ! interface FastEthernet0/1 description CONNECTION TO AS64512 ip address 10.0.0.13 255.255.255.252 ! router bgp 64516 neighbor 10.0.0.9 remote-as 64515 neighbor 10.0.0.14 remote-as 64512 ! address-family ipv4 network 10.1.1.0 mask 255.255.255.0 network 172.18.0.0 mask 255.255.255.0 neighbor 10.0.0.9 activate neighbor 10.0.0.9 advertise-map MAP_AS64515_CONDITIONAL_OUT exist-map MAP_AS64513_FROM_AS64515 neighbor 10.0.0.9 soft-reconfiguration inbound neighbor 10.0.0.14 activate neighbor 10.0.0.14 soft-reconfiguration inbound exit-address-family ! ip as-path access-list 1 permit 64515 64513.* ! ip route 10.1.1.0 255.255.255.0 Null0 ip route 172.18.0.0 255.255.255.0 Null0 ! ip prefix-list PL_AS64513 seq 5 permit 172.31.0.0/16 ! ip prefix-list PL_AS64516 seq 5 permit 10.1.1.0/24 ! route-map MAP_AS64513_FROM_AS64515 permit 10 description MATCH AS64513 PREFIX RECEIVED FROM AS64515 match ip address prefix-list PL_AS64513 match as-path 1 ! route-map MAP_AS64515_CONDITIONAL_OUT permit 10 match ip address prefix-list PL_AS64516The route-maps applied tell the router to use
MAP_AS64515_CONDITIONAL_OUT only when the conditions in MAP_AS64513_FROM_AS64515 are satisfied if the conditions are not satisfied it does the opposite of what is specified in MAP_AS64515_CONDITIONAL_OUT which in this case the opposite of MAP_AS64515_CONDITIONAL_OUT is to deny prefixes from prefix-list PL_AS64516 since the route map MAP_AS64515_CONDITIONAL_OUT does not have any other entries the implicit deny in the end of the route-map turns to allow all that is not matched with the prefix-list PL_AS64516
The configuration on the other routers is just standard BGP stuff.
AS64513
interface FastEthernet0/0 description CONNECTION TO AS64515 ip address 10.0.0.1 255.255.255.252 interface FastEthernet0/1 description CONNECTION TO AS64512 ip address 10.0.0.5 255.255.255.252 router bgp 64513 bgp log-neighbor-changes neighbor 10.0.0.2 remote-as 64512 neighbor 10.0.0.6 remote-as 64515 ! address-family ipv4 network 172.31.0.0 neighbor 10.0.0.2 activate neighbor 10.0.0.6 activate exit-address-family ip route 172.31.0.0 255.255.0.0 Null0
AS64515
interface FastEthernet0/0 description CONNECTION TO AS64516 ip address 10.0.0.9 255.255.255.252 interface FastEthernet0/1 description CONNECTION TO AS64513 ip address 10.0.0.6 255.255.255.252 router bgp 64515 neighbor 10.0.0.5 remote-as 64513 neighbor 10.0.0.10 remote-as 64516 ! address-family ipv4 neighbor 10.0.0.5 activate neighbor 10.0.0.10 activate neighbor 10.0.0.10 soft-reconfiguration inbound neighbor 10.0.0.10 route-map MAP_AS64516_OUT out exit-address-family ip prefix-list PL_AS6513 seq 5 permit 172.31.0.0/16 route-map MAP_AS64516_OUT deny 10 description DENY AS64513 match ip address prefix-list PL_AS6513 route-map MAP_AS64516_OUT permit 20 description PERMIT OTHERS
AS64512
interface FastEthernet0/0 description CONNECTION TO AS64513 ip address 10.0.0.2 255.255.255.252 interface FastEthernet0/1 description CONNECTION TO AS64516 ip address 10.0.0.14 255.255.255.252 router bgp 64512 bgp log-neighbor-changes neighbor 10.0.0.1 remote-as 64513 neighbor 10.0.0.13 remote-as 64516 ! address-family ipv4 network 192.168.0.0 mask 255.255.0.0 neighbor 10.0.0.1 activate neighbor 10.0.0.13 activate neighbor 10.0.0.13 soft-reconfiguration inbound exit-address-family ip route 192.168.0.0 255.255.0.0 Null0
BGP Flowspec.
BGP Flowspec is an alternative and a more granular method to RTBH described in RFC5575 that can be used to mitigate a distributed denial-of-service (DDoS) attack. Match criteria allow network operators to define a particular flow with source, destination, L4 parameters and packet specifics such as length. These are sent in a BGP UPDATE message to BGP border routers within FLOW_SPEC_NLRI along with the action criteria.
Actions are carried in the extended communities Path attribute. They can drop traffic matching the flow specification, redirect traffic to a particular VRF for further analysis or policy traffic at a defined rate. BGP Flowspec resembles access lists or firewall filters that provide matching criteria and traffic filtering actions. They are injected to BGP and propagated to BGP peers. This mechanism allows an upstream AS system to perform inbound filtering in their ingress routers of traffic that a downstream AS wishes to drop or policy.
FlowSpec Actions
RFC 5575 has defined 4 minimum Actions that routes matching FlowSpec NRLI types can take. These actions are carried as BGP extended communities added to the FlowSpec route. These actions are:- Traffic-Rate Community The Traffic-Rate community is non-transitive, that tells the receiving BGP peer, what to rate limit matching traffic to. If the traffic needs to be discarded or dropped, this will be limit of 0 should be used.
- Traffic-Action Community The Traffic-Action community is used to sample defined traffic. This allows sampling and logging metrics to be collected from the FlowSpec route, that could be used to get a better understand of the attack traffic.
- Redirect Community The Redirect community allows the FlowSpec traffic to be redirected into a Virtual Routing and Forward Instance VRF. As the same Route-Targets and Route-Distinguisher can be used, you are able to import routes into a dedicated blackhole VPN or any other VPNv4.
- Traffic-Marking Community The Traffic-Marking community is used to modify the Differentiated Service Code Point DSCP bits of a transiting IP packet to the defined value. This could be used to set to FlowSpec routes to highest discard probability, allowing traffic not to dropped/discarded until co
Flow spec demonstration
Configuration of FlowSpec in the provider network
Edge router
fisi@big# show protocols bgp group CUSTOM
local-as 64516;
neighbor 192.168.56.26 {
family inet {
unicast;
flow;
}
peer-as 64512;
}
Border router
KH16#sh run | se router bgp router bgp 64512 bgp log-neighbor-changes neighbor CUSTOM peer-group neighbor CUSTOM remote-as 64516 neighbor 192.168.56.36 peer-group CUSTOM ! address-family ipv4 neighbor 192.168.56.36 activate exit-address-family ! address-family ipv4 flowspec neighbor 192.168.56.36 activate exit-address-family flowspec local-install interface-all
Verification
Border routerKH16#sh bgp ipv4 unicast summary | b Neighbor Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.56.36 4 64516 35 36 5 0 0 00:14:27 0 KH16#sh bgp ipv4 flowspec summary | b Neighbor Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.56.36 4 64516 35 36 1 0 0 00:14:30 0Edge router
fisi@big# run show bgp summary | find 192.168.56.26 192.168.56.26 64512 49 52 0 2 20:37 Establ inet.0: 0/0/0/0 inetflow.0: 0/0/0/0
Configuration of Flowspec server to signal flowspec
Once the provider detects a DDoS attack targeting the servers 172.16.0.0/29. Service provider decides to drop all traffic to the prefix 172.16.0.0/29. To achieve this service provider will configure the flowspec server to tell other routers to drop traffic for the prefix 172.16.0.0/29Edge router
fisi@big# show routing-options flow
route EXAMPLE {
match destination 172.16.0.0/29;
then discard;
}
term-order standard;
Verification
fisi@big# run show firewall filter __flowspec_default_inet__ Filter: __flowspec_default_inet__ Counters: Name Bytes Packets 172.16.0.0/29,* 0 0Flowspec routes are installed into their own routing table inetflow.0 and if dedicated VRF is used, FlowSpec routes will be under routing-instance-name.inetflow.0.
fisi@big# run show route table inetflow.0
inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.16.0.0/29,*/term:1
*[Flow/5] 00:06:41
Fictitious
fisi@big# run show route advertising-protocol bgp 192.168.56.26
inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
172.16.0.0/29,*/term:1
* Self I
The BGP update with Flowspec SAFI 133 is advertised to the provider border router .The UPDATE message contains flow specification, matching the 172.16.0.0/29 prefix, The action criterion that drops traffic matching flow specification, are carried as BGP extended communities. The border router programs the rules into TCAM. Traffic received from the internet that corresponds to the match criteria is dropped.
KH16#sh bgp ipv4 flowspec summary | b Neighbor Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.56.36 4 64516 35 36 1 0 0 00:14:30 1
KH16#sh bgp ipv4 flowspec
BGP table version is 1, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
* Dest:172.16.0.0/29
0.0.0.0 0 64516 i
KH16#sh bgp ipv4 flowspec detail
BGP routing table entry for Dest:172.16.0.0/29, version 0
Paths: (1 available, no best path)
Not advertised to any peer
Refresh Epoch 1
64516, (FS invalid: originator)
0.0.0.0 from 192.168.56.36 (1.1.1.1)
Origin IGP, localpref 100, valid, external
Extended Community: FLOWSPEC Traffic-rate:0,0
rx pathid: 0, tx pathid: 0
KH16#show flowspec ipv4
AFI: IPv4
Flow :Dest:172.16.0.0/29
Actions :Traffic-rate: 0 bps (bgp.1)
When the attacker tries to access the servers again all traffic is dropped. We can test by simple ping
attacker#do ping 172.16.0.1 re 10000 Type escape sequence to abort. Sending 10000, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds: ................ Success rate is 0 percent (0/37)We can see all the 37 packets sent from the hacker to the server have been dropped by the border router in the provider network
KH16#sh flowspec afi-all detail
AFI: IPv4
Flow :Dest:172.16.0.0/29
Actions :Traffic-rate: 0 bps (bgp.1)
Statistics (packets/bytes)
Matched : 37/4218
Dropped : 37/4218
Note: In my testing I have observed traffic sourced from the border router or the edge router itself for example ping with source of loopback from the border router to the servers was working. Therefore the flowspec rule seem to be affecting only the transit traffic, will need more testing and reading the docs to verify this.
Configuration of Flowspec Signalized from Customer to Provider
Once Customer detects a DDoS attack targeting a destination UDP port 53 (DNS) on the servers 172.16.0.0/29, the BGP update is advertised to the provider edge router. The UPDATE message contains flow specification, matching the 172.16.0.0/29 prefix, UDP protocol (17) and destination port 53. Subsequently, the edge router sends the BGP update to the border router. Traffic received from the internet that corresponds to the match criteria is dropped. This time fow spec from the customer is more specific containing port and protocol to match this avoids blackholing all traffic. This could also be done in the option where the service provider flow spec server was signalling.Flowspec Server (Controller) Configuration on CE running IOSXR
Create class-map attack-fs matching the IP address of the servers, protocol (17) – UDP and destination port 53 (DNS).class-map type traffic match-all attack-fs match destination-address ipv4 172.16.0.0 255.255.255.248 match protocol 17 match destination-port 53 end-class-mapConfigure policy-map attack_pbr and associate class-map attack-fs. Use the class-map to define an action.
policy-map type pbr attack_pbr class type traffic attack-fs drop class type traffic class-default end-policy-mapWe need to define a route policy that allows exporting and importing routes to/from eBGP peers.
route-policy PASS pass end-policy router bgp 64501 bgp router-id 10.4.4.4 address-family ipv4 unicast network 172.16.0.0/24 address-family ipv4 flowspec neighbor 10.0.0.2 remote-as 64516 address-family ipv4 unicast route-policy PASS in route-policy PASS out address-family ipv4 flowspec route-policy PASS in route-policy PASS outConfigure flowspec and assign service-policy type PBR policy-map attack_pbr.
flowspec address-family ipv4 service-policy type pbr attack_pbr
Verification on the CE router
RP/0/0/CPU0:CE# show flowspec ipv4 detail
Sun Jul 28 12:07:41.925 UTC
AFI: IPv4
Flow :Dest:172.16.0.0/29,Proto:=17,DPort:=53
Actions :Traffic-rate: 0 bps (policy.1.attack_pbr.attack-fs)
RP/0/0/CPU0:CE#
BGP Table Map .
This feature allows for selective download of prefixes from the BGP RIB to the routing table.
It is primary used to suppress the unnecessary downloading of certain BGP routes to the RIB or Forwarding Information Base (FIB) on a dedicated route reflector, which propagates BGP updates without carrying transit traffic.
Essesntially filtering the routes in RIB/FIB on the dedicated route-reflectors provides essential saving on the memory and CPU resources on the router.
This feature is applicable not only to route reflectors but also any router that require control of prefixes that are put in the routing table due to resources constraints
Configurations
In below example the ASBR1 router receives 50 prefixes from its upstream however we are only interested in specific prefixes which we'll use the table map to install in the routing tableASBR1#sh ver | i Software Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) BOOTLDR: 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1) ASBR1#sh bgp summary | b Neighbor Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 172.29.0.2 4 64515 7 6 151 0 0 00:01:53 50 ASBR1#sh bgp nei 172.29.0.2 received-routes | count ^ \* Number of lines which match regexp = 50 ASBR1#sh ip route bgp | count ^B Number of lines which match regexp = 50Creating a prefix-list and route-map to match our intersting destinations
ASBR1(config)#ip prefix-list PREFIXLIST_INTERSTING_DESTINATIONS seq 5 permit 10.1.0.0/16 ASBR1(config)#ip prefix-list PREFIXLIST_INTERSTING_DESTINATIONS seq 10 permit 192.168.21.0/24 ASBR1(config)#route-map MAP_BGPIB_TO_RIB permit 10 ASBR1(config-route-map)# match ip address prefix-list PREFIXLIST_INTERSTING_DESTINATIONS ASBR1(config-route-map)#exitApplying the table-map
ASBR1(config)#router bgp 64512 ASBR1(config-router)#address-family ipv4 ASBR1(config-router-af)#table-map MAP_BGPIB_TO_RIB filter ASBR1(config-router-af)#exit ASBR1(config-router)#exit ASBR1(config)#do clear ip bgp 172.29.0.2 all *Aug 11 22:54:12.887: %BGP-5-ADJCHANGE: neighbor 172.29.0.2 Down User reset *Aug 11 22:54:12.887: %BGP_SESSION-5-ADJCHANGE: neighbor 172.29.0.2 IPv4 Unicast topology base removed from session User reset *Aug 11 22:54:13.823: %BGP-5-ADJCHANGE: neighbor 172.29.0.2 Up
Verification
We are still receiving and accepting the 50 prefixes from the upstream but only 2 of those are allowed to the routing table
ASBR1(config)#do sh bgp summary | b Neighbor
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.29.0.2 4 64515 5 4 251 0 0 00:00:17 50
ASBR1(config)#do sh bgp nei 172.29.0.2 received-routes | count ^ \*
Number of lines which match regexp = 50
ASBR1(config)#do sh ip route bgp | count ^B
Number of lines which match regexp = 2
ASBR1(config)#do sh ip route bgp | begin ^B
B 10.1.0.0 [20/0] via 172.29.0.2, 00:00:54
B 192.168.21.0/24 [20/0] via 172.29.0.2, 00:00:54
ASBR1(config)#do sh route-map
route-map MAP_BGPIB_TO_RIB, permit, sequence 10
Match clauses:
ip address prefix-lists: PREFIXLIST_INTERSTING_DESTINATIONS
Set clauses:
Policy routing matches: 0 packets, 0 bytes
ASBR1(config)#
ASBR1(config)#do sh ip prefix-list
ip prefix-list PREFIXLIST_INTERSTING_DESTINATIONS: 2 entries
seq 5 permit 10.1.0.0/16
seq 10 permit 192.168.21.0/24
ASBR1(config)#
BIRD.
The BIRD Internet Routing Daemon project aims to develop a fully functional dynamic IP routing daemon primarily targeted on (but not limited to) Linux, FreeBSD and other UNIX-like systems
BIRD supports Internet Protocol version 4 and version 6 by running separate daemons. It establishes multiple routing tables, and uses BGP, RIP, and OSPF routing protocols, as well as statically defined routes.
Learn more about the project here
Note: I have used awk to only print the lines I have modified in the file
Installation and configuration on debian distributions
Here we install bird on linux box running ubuntu 18 and configure local BGP using BIRD between the box and a junos router.
Install birdbasondole@box $ sudo apt install birdCheck the if ip forwarding is enable in the file
/etc/sysctl.conf if the lines are starting with “#” that means they are commented and hence ip forwarding is disabled
basondole@box $ cat /etc/sysctl.conf | egrep "ip.*forward" #net.ipv4.ip_forward=1 #net.ipv6.conf.all.forwarding=1Use nano editor or any editor of your choice to edit the file
/etc/sysctl.conf and remove the “#” preceeding the lines save and verify the lines have been uncommented
basondole@box $ cat /etc/sysctl.conf | egrep "ip.*forward" net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1Make a backup of the default bird configuration you may need it in the future
basondole@box $ cp /etc/bird/bird.conf /etc/bird/bird.conf.oldEdit the
/etc/bird/bird.conf to specify your bgp and neighbor parameters and prefixes to announce.
Sample configuration below Note: I have used awk to only print the lines I have modified in the file
basondole@box $ sudo awk 'NR>=22' /etc/bird/bird.conf
# Below is additional non default configuration added by Paul S.I.Basondole
router id 192.168.56.2;
# The Device protocol is not a real routing protocol. It doesn't generate any
# routes and it only serves as a module for getting information about network
# interfaces from the kernel.
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
# Static routes (again, there can be multiple instances, so that you
# can disable/enable various groups of static routes on the fly).
protocol static static_bgp {
route 192.168.56.2:255.255.255.255 via 192.168.56.2;
route 192.168.56.0:255.255.255.0 via 192.168.56.2;
}
#BGP Configuration
protocol bgp {
import all;
export where proto = "static_bgp";
local as 64512;
neighbor 192.168.56.36 as 64512;
}
Start the bird service on the machine. If there is something wrong in the /etc/bird/bird.conf the service will not start. In such case the terminal will suggest some methods to follow so as to view the logs
$ sudo invoke-rc.d bird startVerify the service is started
$ systemctl status bird
● bird.service - BIRD Internet Routing Daemon (IPv4)
Loaded: loaded (/lib/systemd/system/bird.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-01-18 00:47:58 EAT; 5min ago
Process: 612 ExecStartPre=/usr/sbin/bird -p (code=exited, status=0/SUCCESS)
Process: 587 ExecStartPre=/usr/lib/bird/prepare-environment (code=exited, status=0/SUCCESS)
Main PID: 646 (bird)
Tasks: 1 (limit: 4657)
CGroup: /system.slice/bird.service
└─646 /usr/sbin/bird -f -u bird -g bird
Jan 18 00:51:55 plasma bird[646]: KRT: Received route 192.168.56.2/32 with strange next-hop 192.168.56.2
Jan 18 00:51:55 plasma bird[646]: Netlink: File exists
Jan 18 00:51:55 plasma bird[646]: Netlink: File exists
Jan 18 00:51:55 plasma bird[646]: Netlink: File exists
Jan 18 00:52:55 plasma bird[646]: KRT: Received route 0.0.0.0/0 with strange next-hop 192.168.56.2
Jan 18 00:52:55 plasma bird[646]: KRT: Received route 192.168.56.0/24 with strange next-hop 192.168.56.2
Jan 18 00:52:55 plasma bird[646]: KRT: Received route 192.168.56.2/32 with strange next-hop 192.168.56.2
Jan 18 00:52:55 plasma bird[646]: Netlink: File exists
Jan 18 00:52:55 plasma bird[646]: Netlink: File exists
Jan 18 00:52:55 plasma bird[646]: Netlink: File exists
Verify BGP by getting into the bird client issue command birdc as super user
Use the command show protocols all bgp1 to check the bgp summary. We see the configured neighbour 192.168.56.36 is up and we are receiving 1 prefix.
To view the prefix issue the command show route protocol bgp1 This shows we are receiving a default route
$ sudo birdc
BIRD 1.6.3 ready.
bird> show protocol all bgp1
name proto table state since info
bgp1 BGP master up 00:51:07 Established
Preference: 100
Input filter: ACCEPT
Output filter: (unnamed)
Routes: 1 imported, 2 exported, 1 preferred
Route change stats: received rejected filtered ignored accepted
Import updates: 1 0 0 0 1
Import withdraws: 0 0 --- 0 0
Export updates: 3 1 0 --- 2
Export withdraws: 0 --- --- --- 0
BGP state: Established
Neighbor address: 192.168.56.36
Neighbor AS: 64512
Neighbor ID: 10.1.1.1
Neighbor caps: refresh restart-aware AS4
Session: internal multihop AS4
Source address: 192.168.56.2
Hold timer: 61/90
Keepalive timer: 23/30
bird> show route protocol bgp1
0.0.0.0/0 via 192.168.56.2 on enp0s8 [bgp1 00:51:07 from 192.168.56.36] ! (100/?) [i]
bird> exit
Verify the host machine routing table. We see the default route we receive from the bgp neighbour 192.168.56.36 is installed in the local machine routing table with the next-hop 192.168.56.2
$ route -n | egrep -i "^(dest|0)" Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.56.2 0.0.0.0 UG 64 0 0 enp0s8 0.0.0.0 10.0.2.2 0.0.0.0 UG 100 0 0 enp0s3Login to the router 192.168.56.36 we see the bgp session is up. The router is advertising the default route to the machine running bird and receiving the two prefixes as we announce them on the bird configuration
ssh fisi@192.168.56.36 --- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC fisi@big> show bgp summary | find 192.168.56.2 192.168.56.2 64512 22 24 0 0 9:11 Establ inet.0: 0/2/2/0 fisi@big> show route advertising-protocol bgp 192.168.56.2 inet.0: 14 destinations, 15 routes (13 active, 0 holddown, 1 hidden) Prefix Nexthop MED Lclpref AS path * 0.0.0.0/0 192.168.56.1 100 IHowever the received prefixes are not active routes due to presence of more preferable options on the router
fisi@big> show route receive-protocol bgp 192.168.56.2 all table inet.0
inet.0: 14 destinations, 15 routes (13 active, 0 holddown, 1 hidden)
Prefix Nexthop MED Lclpref AS path
192.168.56.0/24 192.168.56.2 100 I
192.168.56.2/32 192.168.56.2 100 I
fisi@big> show route 192.168.56.0/24 table inet.0
inet.0: 14 destinations, 15 routes (13 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.56.0/24 *[Direct/0] 00:10:35
> via em0.0
[BGP/170] 00:10:27, localpref 100
AS path: I
> to 192.168.56.2 via em0.0
192.168.56.36/32 *[Local/0] 00:10:36
Local via em0.0
fisi@big>