Dual homed - BGP filtering

Aug 18th, 2008
I am trying to figure out how to block BGP routes from one ISP from being distributed to a second ISP. The first ISP is providing full routes, where the second is providing just default routes. BGP between me and the second ISP is not establishing, and I think it may be because I am possibly redistributing routes from the first ISP to the second. I figure I need to create an ACL, but I am not sure of the format given the number of routes. I am hoping there is something within BGP that I can specify?

Edison Ortiz Mon, 08/18/2008 - 06:14
The command ip as-path access-list 1 permit ^$ will block routes originated by other AS and it will only allow routes originated from you.


You need to link this ACL to a route-map and apply it in the neighbor statement under the BGP process in the outbound direction.


http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml


HTH,


__


Edison.

bberry Mon, 08/18/2008 - 07:04
so if I have the following ...

router bgp 11725
 bgp log-neighbor-changes
 neighbor 64.132.245.25 remote-as 4323
 neighbor 68.152.201.177 remote-as 6383
 address-family ipv4
  neighbor 64.132.245.25 activate
  neighbor 68.152.201.177 activate
  no auto-summary
  synchronization
  network 206.197.1.0
 exit-address-family

I want to block redistribution of full routes from 6383 to 4323..

ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_

then under router bgp 11725...

neighbor 64.132.245.25 filter-list 1 out

It also looks like I am not redistributing my own network though.

Edison Ortiz Mon, 08/18/2008 - 07:11
The command I pointed out will prevent your router from becoming a 'transit' router between the 2 ISPs.


The ISPs you are connected to, have their own BGP policy in place so I doubt your router can become a 'transit' router - with that said, it doesn't hurt to apply those policies in your router as well.


Reading your initial message, I don't think your peering problem has anything to do with your connection to another ISP.


Have you worked with the ISP and see if their BGP peering is pointing to you?


Based on the config you've posted, you are announcing network 206.197.1.0


Regarding the ip as-path access-list, I recommend using the command option I highlighted before.


__


Edison.


Please rate helpful posts


bberry Mon, 08/18/2008 - 07:15
Here is the new config but when I look at the BGP stats I am not even sending them my 206.197.1.0 network.

router bgp 11725
 bgp log-neighbor-changes
 neighbor 64.132.245.25 remote-as 4323
 neighbor 64.132.245.25 description Link to Time Warner
 neighbor 68.152.201.177 remote-as 6383
 neighbor 68.152.201.177 description link to BellSouth
 !
 address-family ipv4
  neighbor 64.132.245.25 activate
  neighbor 64.132.245.25 filter-list 1 out
  neighbor 68.152.201.177 activate
  no auto-summary
  synchronization
  network 206.197.1.0
 exit-address-family

bberry Mon, 08/18/2008 - 07:30
It looks like I have it working. At least the sh ip bgp ne looks better. I forgot to include a permit on the ip as-path access-list. Here is the one I have now...

ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_
ip as-path access-list 1 permit .*

For address family: IPv4 Unicast
BGP table version 325826, neighbor version 325826/0
Output queue size : 0
Index 2, Offset 0, Mask 0x4
2 update-group member
Outbound path policy configured
Outgoing update AS path filter list is 1
                             Sent       Rcvd
Prefix activity:             ----       ----
  Prefixes Current:             1          1 (Consumes 52 bytes)
  Prefixes Total:               1          1
  Implicit Withdraw:            0          0
  Explicit Withdraw:            0          0
  Used as bestpath:           n/a          1
  Used as multipath:          n/a          0

Edison Ortiz Mon, 08/18/2008 - 07:32
Excellent !


__


Edison.

bberry Mon, 08/18/2008 - 10:48
Thanks for the starting point ...


Brent

Giuseppe Larosa Mon, 08/18/2008 - 10:56
Hello Brent,

you need to take care of what you send to AS 6383 also.

the ip as-path ACL suggested by colleagues has the advantage that it can be applied to multiple neighbors without any change, because it allows only the IP prefixes with an empty BGP AS path attribute, that is, the locally generated prefixes = your own ones.

Otherwise a new, different as-path ACL has to be created for the second neighbor, and so on.


Hope to help

Giuseppe

jschwam Mon, 08/18/2008 - 10:28
Hi-


You want to use an AS-PATH filter that will only advertise routes that originate from your AS.


Attached is a text file with a filter and BGP neighboring configuration that does this.


Best-


-jS

bberry Mon, 08/18/2008 - 10:50
This is what finally worked ...

ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_
ip as-path access-list 1 permit .*


The permit was needed so that my network would be advertised.
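To make the difference between the three as-path lists in this thread visible without a router, here is a small Python model of how an outbound `filter-list` is evaluated. It is an added example, not part of the thread or of any Cisco software: it assumes the usual IOS semantics that entries are tried in order with an implicit deny at the end, that `_` in an IOS as-path regex stands for start/end of string, space, comma, brace or parenthesis, and that outbound filtering sees the AS_PATH before the local AS is prepended (which is why `^$` matches locally originated prefixes). The BGP table it filters is constructed; only 206.197.1.0 and the two ISP AS numbers come from the thread.

```python
import re

# Assumption: IOS treats '_' in an as-path regex as "start, end, space, comma,
# brace or parenthesis"; the other metacharacters mean the same thing in Python.
IOS_UNDERSCORE = r'(?:^|$|[ ,{}()])'


def ios_regex(pattern: str) -> re.Pattern:
    """Translate an IOS as-path regex into an equivalent Python regex."""
    return re.compile(pattern.replace('_', IOS_UNDERSCORE))


def as_path_filter(entries, as_path: str) -> bool:
    """Evaluate an `ip as-path access-list` (ordered (action, pattern) entries)
    against one AS_PATH string. The first matching entry decides; if no entry
    matches, the implicit deny at the end of every IOS access list drops the route."""
    for action, pattern in entries:
        if ios_regex(pattern).search(as_path):
            return action == 'permit'
    return False


def advertise(entries, rib) -> list:
    """Return the prefixes that would leave through an outbound `filter-list`
    built from `entries`. Outbound as-path filtering is evaluated before the
    local AS is prepended, so a locally originated prefix has an empty AS_PATH."""
    return [prefix for prefix, path in rib.items() if as_path_filter(entries, path)]


# The three lists discussed in the thread, in the order IOS evaluates them.
LOCAL_ONLY = [('permit', '^$')]                        # Edison's suggestion
DENY_ONLY = [('deny', '^6383$'), ('deny', '_6383_')]   # bberry's first attempt
DENY_THEN_PERMIT = DENY_ONLY + [('permit', '.*')]      # what finally worked

# Constructed BGP table: prefix -> AS_PATH as seen before the local AS is prepended.
# 206.197.1.0 is the thread's own network; the 10.x prefixes and their paths are made up.
RIB = {
    '206.197.1.0/24': '',               # from the network statement, empty AS_PATH
    '10.1.0.0/16': '6383',              # originated by AS 6383 (BellSouth)
    '10.2.0.0/16': '6383 7018',         # learned through AS 6383
    '10.3.0.0/16': '4323',              # originated by AS 4323 (Time Warner)
    '10.4.0.0/16': '4323 6383 2914',    # AS 6383 in the middle of the path
    '10.5.0.0/16': '63830',             # a different AS whose number merely contains 6383
}

if __name__ == '__main__':
    for name, entries in (('LOCAL_ONLY', LOCAL_ONLY),
                          ('DENY_ONLY', DENY_ONLY),
                          ('DENY_THEN_PERMIT', DENY_THEN_PERMIT)):
        print(f'{name:17} -> {advertise(entries, RIB)}')
```

Running it shows why the first attempt sent nothing (every path, including the empty one, fell through to the implicit deny) and why adding `permit .*` fixed the own-network problem. It also shows the limit of the deny-list approach that Giuseppe points out: `DENY_THEN_PERMIT` still passes 10.3.0.0/16 and 10.5.0.0/16 to the neighbor, so a second, different list would be needed for the other ISP, while `permit ^$` on its own advertises only the locally originated prefix and can be applied unchanged to both neighbors.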
