Disable-Network-Import-Check

Scenario to verify BGP disable-network-import-check parameter configuration.

By default, BGP performs an IGP route check for networks configured via the network command. This means BGP will only advertise a network if it exists in the RIB (Routing Information Base) - learned from IGP protocols, static routes, or connected interfaces. This prevents accidentally advertising unreachable destinations. Routes that fail this validation appear in the BGP table with the “=” symbol but without “*” (valid) or “>” (best) markers, indicating they are present but not usable for advertisement.

The disable-network-import-check parameter disables this safety check, allowing BGP to advertise networks regardless of their presence in the RIB. This is useful when advertising aggregate routes, blackhole routes for traffic filtering, or in scenarios where network existence checking is handled by other mechanisms. This implements the “no-install” pattern where aggregates are announced externally but not installed locally.

In this test, DUT0 (AS 100) advertises an aggregate network 192.168.0.0/16 via BGP. In the first phase, a static route exists and the network is marked as valid and best in the BGP table, so it is advertised successfully. In the second phase, the static route is removed and BGP stops advertising the network because it no longer exists in the RIB. In the third phase, after enabling disable-network-import-check, BGP advertises the network to DUT1 (AS 200) again even without a RIB entry, demonstrating the “no-install” aggregate pattern.

Test BGP Disable Network Import Check

Description

This test demonstrates the effect of disable-network-import-check on BGP network advertisement for aggregate routes. DUT0 (AS 100) is configured to advertise an aggregate network 192.168.0.0/16. The test follows three phases: first, a static blackhole route exists and BGP advertises the aggregate successfully. Second, the static route is removed and BGP stops advertising it due to default import-check validation. Finally, disable-network-import-check is enabled, allowing BGP to advertise the aggregate to DUT1 (AS 200) even though it doesn’t exist in the RIB. This demonstrates the common “no-install” pattern for aggregate route advertisement.

Scenario

Note

Configure eBGP with aggregate network and static blackhole route. BGP should advertise the aggregate because it exists in the RIB.

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 100 neighbor peer remote-address 10.10.0.200
set protocols bgp 100 neighbor peer remote-as 200
set protocols bgp 100 neighbor peer route-map export PERMIT
set protocols bgp 100 network 192.168.0.0/16
set protocols route-map PERMIT rule 1 action permit
set protocols static route 192.168.0.0/16 blackhole
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 200 neighbor peer remote-address 10.10.0.100
set protocols bgp 200 neighbor peer remote-as 100
set protocols bgp 200 neighbor peer route-map import PERMIT
set protocols route-map PERMIT rule 1 action permit
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Attention

Verify eBGP session establishes between DUT0 and DUT1.

Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

10.10.0.200.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 100 VRF default vrf-id 0
BGP table version 1
RIB entries 1, using 128 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.10.0.200     10.10.0.100     4        200         2         4        0    0    0 00:00:01  Established (Policy)        0 N/A

Total number of neighbors 1

Attention

Verify static route 192.168.0.0/16 exists in DUT0’s routing table.

Step 4: Run command protocols ip show route 192.168.0.0/16 at DUT0 and check if output matches the following regular expressions:

Known via "static"[\s\S]+blackhole
Show output
Routing entry for 192.168.0.0/16
  Known via "static", distance 1, metric 0, best
  Last update 00:00:02 ago
  * unreachable (blackhole), weight 1

Attention

Verify DUT0 advertises 192.168.0.0/16 (route exists in RIB).

Step 5: Run command protocols bgp show ip at DUT0 and check if output matches the following regular expressions:

[*].*192.168.0.0/16
Show output
BGP table version is 1, local router ID is 10.10.0.100, vrf id 0
Default local pref 100, local AS 100
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.0.0/16   0.0.0.0                  0         32768 i

Displayed 1 routes and 1 total paths

Attention

Verify DUT1 receives the aggregate route from DUT0.

Step 6: Run command protocols bgp show ip at DUT1 and check if output matches the following regular expressions:

[*].*192.168.0.0/16
Show output
BGP table version is 1, local router ID is 10.10.0.200, vrf id 0
Default local pref 100, local AS 200
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.0.0/16   10.10.0.100              0             0 100 i

Displayed 1 routes and 1 total paths

Note

Remove the static route. With default import-check enabled, BGP should stop advertising the aggregate because it no longer exists in the RIB.

Step 7: Modify the following configuration lines in DUT0 :

delete protocols static

Attention

Verify static route no longer exists in DUT0’s routing table.

Step 8: Run command protocols ip show route at DUT0 and check if output does not match the following regular expressions:

S>.*192.168.0.0/16.*blackhole
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF default:
C>* 10.10.0.0/24 is directly connected, eth0, weight 1, 00:00:05
K * 10.10.0.0/24 [0/0] is directly connected, eth0, weight 1, 00:00:05
L>* 10.10.0.100/32 is directly connected, eth0, weight 1, 00:00:05

Attention

Verify DUT0 marks 192.168.0.0/16 as invalid (shows as = without * or >). In FRR, routes that fail network import-check validation appear with = symbol, indicating the route exists in BGP configuration but lacks the valid (*) and best (>) flags. This means the route is present but not usable for advertisement because it doesn’t exist in the RIB.

Step 9: Run command protocols bgp show ip at DUT0 and check if output does not match the following regular expressions:

[*>]\s*192.168.0.0/16
Show output
BGP table version is 2, local router ID is 10.10.0.100, vrf id 0
Default local pref 100, local AS 100
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
  =  192.168.0.0/16   0.0.0.0                  0         32768 i

Displayed 1 routes and 1 total paths

Attention

Verify DUT1 no longer receives the route (withdrawn due to import-check).

Step 10: Run command protocols bgp show ip at DUT1 and check if output does not match the following regular expressions:

192.168.0.0/16
Show output
No BGP prefixes displayed, 0 exist

Note

Enable disable-network-import-check. BGP should now advertise the aggregate even though it doesn’t exist in the RIB, implementing the “no-install” aggregate pattern.

Step 11: Modify the following configuration lines in DUT0 :

set protocols bgp 100 parameters disable-network-import-check

Attention

Verify eBGP session remains established after configuration change.

Step 12: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

10.10.0.200.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 100 VRF default vrf-id 0
BGP table version 3
RIB entries 1, using 128 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.10.0.200     10.10.0.100     4        200         4        11        3    0    0 00:00:04  Established (Policy)        1 N/A

Total number of neighbors 1

Attention

Verify DUT0 now advertises 192.168.0.0/16 despite it not existing in the RIB.

Step 13: Run command protocols bgp show ip at DUT0 and check if output matches the following regular expressions:

[*].*192.168.0.0/16
Show output
BGP table version is 3, local router ID is 10.10.0.100, vrf id 0
Default local pref 100, local AS 100
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.0.0/16   0.0.0.0                  0         32768 i

Displayed 1 routes and 1 total paths

Attention

Verify DUT1 receives the aggregate route (advertised without RIB validation).

Step 14: Run command protocols bgp show ip at DUT1 and check if output matches the following regular expressions:

[*].*192.168.0.0/16
Show output
BGP table version is 3, local router ID is 10.10.0.200, vrf id 0
Default local pref 100, local AS 200
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.0.0/16   10.10.0.100              0             0 100 i

Displayed 1 routes and 1 total paths