BGP Route Aggregation: Per-Neighbor Route Restoration with unsuppress-map

Introduction

The previous post on suppress-map showed how to selectively suppress specific component routes when creating a BGP aggregate. But there’s a complementary scenario that comes up just as often in practice: you have a global suppression policy (like summary-only) applied to an aggregate, and you need to restore one or more suppressed routes to a specific neighbor only.

That’s what unsuppress-map does. It operates at the neighbor level and overrides the global suppression for that peer, re-advertising chosen routes that would otherwise stay hidden behind the aggregate.

Think of it this way:

  • suppress-map = “globally suppress these routes when the aggregate is active”
  • unsuppress-map = “for this specific neighbor, restore these suppressed routes”

Together they give you complete control over what each peer sees.

The Starting Point

This scenario picks up directly from the summary-only post. R-3 in AS 200 has four /24 networks aggregated into a /22 with summary-only:

R-3#sh ip bgp | i 103.1.
 s>   103.1.20.0/24    0.0.0.0                  0         32768 i
 *>   103.1.20.0/22    0.0.0.0                            32768 i
 s>   103.1.21.0/24    0.0.0.0                  0         32768 i
 s>   103.1.22.0/24    0.0.0.0                  0         32768 i
 s>   103.1.23.0/24    0.0.0.0                  0         32768 i

All four /24 routes carry the s (suppressed) flag. Only the 103.1.20.0/22 aggregate is being advertised to anyone. R-3’s BGP configuration at this point:

router bgp 200
 network 3.0.0.0
 network 103.1.20.0 mask 255.255.255.0
 network 103.1.21.0 mask 255.255.255.0
 network 103.1.22.0 mask 255.255.255.0
 network 103.1.23.0 mask 255.255.255.0
 aggregate-address 103.1.20.0 255.255.252.0 summary-only
 neighbor IBGP peer-group
 neighbor IBGP remote-as 200
 neighbor IBGP update-source Loopback10
 neighbor IBGP route-reflector-client
 neighbor IBGP next-hop-self
 neighbor 10.2.2.2 peer-group IBGP
 neighbor 10.4.4.4 peer-group IBGP
 neighbor 192.1.35.5 remote-as 500
 neighbor 192.1.35.5 password Cisco123!

The new requirement: restore 103.1.22.0/24 specifically to R-5 (AS 500), while keeping everything else suppressed to everyone else.

Configuration

Step 1: Create an Access List Matching the Route to Restore

R-3(config)#access-list 3 permit 103.1.22.0 0.0.0.255

This matches exactly 103.1.22.0/24. Only this specific route will be restored.

Step 2: Create the Route-Map

R-3(config)#route-map USM-R5 permit 10
R-3(config-route-map)#match ip address 3

The route-map USM-R5 matches the access list. Routes that match this route-map will have their suppression overridden for the specified neighbor.

Step 3: Apply unsuppress-map to the Specific Neighbor

R-3(config)#router bgp 200
R-3(config-router)#neighbor 192.1.35.5 unsuppress-map USM-R5

This is the key line. It tells BGP: “for neighbor 192.1.35.5 (R-5), re-advertise any suppressed route that matches route-map USM-R5, even though it’s globally suppressed.”

The global summary-only policy is untouched. Only R-5’s view changes.

Results

R-3’s Local BGP Table – Unchanged

R-3#sh ip bgp | i 103.1.
 s>   103.1.20.0/24    0.0.0.0                  0         32768 i
 *>   103.1.20.0/22    0.0.0.0                            32768 i
 s>   103.1.21.0/24    0.0.0.0                  0         32768 i
 s>   103.1.22.0/24    0.0.0.0                  0         32768 i
 s>   103.1.23.0/24    0.0.0.0                  0         32768 i

The local BGP table on R-3 looks identical to before. All four /24 routes are still marked as suppressed (s>). The unsuppress-map does not change R-3’s local table – it only affects what is advertised outbound to the specific neighbor.

eBGP Neighbor R-5 (AS 500) – Receives the Restored Route

R-5#sh ip bgp | i 103.1.
 *>   103.1.20.0/22    192.1.35.3               0             0 200 i
 *>   103.1.22.0/24    192.1.35.3               0             0 200 i

R-5 now sees two routes:

  • The /22 aggregate (always present)
  • 103.1.22.0/24 – restored by the unsuppress-map, even though it’s globally suppressed

The other three /24s (103.1.20.0, 103.1.21.0, 103.1.23.0) remain invisible to R-5.

iBGP Neighbor R-2 (AS 200) – Unchanged

R-2#sh ip bgp | i 103.1.
 *>i  103.1.20.0/22    10.3.3.3                 0    100      0 i

R-2 still only sees the /22 aggregate. The unsuppress-map was applied only to neighbor 192.1.35.5, so R-2’s view is unaffected. This confirms that unsuppress-map is strictly per-neighbor – it does not bleed into other peers.

What Makes unsuppress-map Different

It’s worth being precise about how unsuppress-map fits into the BGP outbound processing pipeline, because it interacts with suppression in a specific way.

When BGP prepares outbound updates for a neighbor, suppressed routes are normally skipped entirely. The unsuppress-map is checked after suppression is evaluated, and if a suppressed route matches the unsuppress-map for that neighbor, it gets pulled back into the update and advertised.

This means:

Route suppressed globally (summary-only or suppress-map)?
    YES → Check unsuppress-map for this neighbor
              Matches? → Advertise to this neighbor
              No match? → Still suppressed, not advertised
    NO  → Advertise normally (suppression not relevant)

The global suppression state (s flag in the BGP table) is never changed. The route remains suppressed in R-3’s table. unsuppress-map only affects the outbound advertisement decision for the specific neighbor it’s applied to.

my DevOps Odyssey

“Σα βγεις στον πηγαιμό για την Ιθάκη, να εύχεσαι να ‘ναι μακρύς ο δρόμος, γεμάτος περιπέτειες, γεμάτος γνώσεις.” - Kavafis’ Ithaka.