Dual homed - BGP filtering

bberry
Level 1

I am trying to figure out how to block BGP routes from one ISP from being redistributed to a second ISP. The first ISP is providing full routes, while the second is providing just default routes. BGP between me and the second ISP is not establishing, and I think it may be because I am possibly redistributing routes from the first ISP to the second. I figure I need to create an ACL, but I am not sure of the format given the number of routes. I am hoping there is something within BGP that I can specify?


Edison Ortiz
Hall of Fame

The command ip as-path access-list 1 permit ^$ will block routes originated by other ASes and will only allow routes originated by you.

You need to link this ACL to a route-map and apply it in the neighbor statement under the BGP process in the outbound direction.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml

HTH,

__

Edison.

So if I have the following ...

router bgp 11725
 bgp log-neighbor-changes
 neighbor 64.132.245.25 remote-as 4323
 neighbor 68.152.201.177 remote-as 6383
 address-family ipv4
  neighbor 64.132.245.25 activate
  neighbor 68.152.201.177 activate
  no auto-summary
  synchronization
  network 206.197.1.0
 exit-address-family

I want to block redistribution of full routes from 6383 to 4323.

ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_

then under router bgp 11725...

neighbor 64.132.245.25 filter-list 1 out

It also looks like I am not redistributing my own network, though.

The command I pointed out will prevent your router from becoming a 'transit' router between the 2 ISPs.

The ISPs you are connected to have their own BGP policy in place, so I doubt your router can become a 'transit' router - with that said, it doesn't hurt to apply those policies in your router as well.

Reading your initial message, I don't think your peering problem has anything to do with your connection to another ISP.

Have you worked with the ISP to see if their BGP peering is pointing to you?

Based on the config you've posted, you are announcing network 206.197.1.0.

Regarding the ip as-path access-list, I recommend using the command option I highlighted before.

__

Edison.

Please rate helpful posts

Here is the new config, but when I look at the BGP stats I am not even sending them my 206.197.1.0 network.

router bgp 11725
 bgp log-neighbor-changes
 neighbor 64.132.245.25 remote-as 4323
 neighbor 64.132.245.25 description Link to Time Warner
 neighbor 68.152.201.177 remote-as 6383
 neighbor 68.152.201.177 description link to BellSouth
 !
 address-family ipv4
  neighbor 64.132.245.25 activate
  neighbor 64.132.245.25 filter-list 1 out
  neighbor 68.152.201.177 activate
  no auto-summary
  synchronization
  network 206.197.1.0
 exit-address-family

It looks like I have it working. At least the sh ip bgp ne looks better. I forgot to include a permit on the ip as-path access-list. Here is the one I have now...

ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_
ip as-path access-list 1 permit .*

For address family: IPv4 Unicast
BGP table version 325826, neighbor version 325826/0
Output queue size : 0
Index 2, Offset 0, Mask 0x4
2 update-group member
Outbound path policy configured
Outgoing update AS path filter list is 1
                                 Sent       Rcvd
Prefix activity:                 ----       ----
  Prefixes Current:               1          1 (Consumes 52 bytes)
  Prefixes Total:                 1          1
  Implicit Withdraw:              0          0
  Explicit Withdraw:              0          0
  Used as bestpath:             n/a          1
  Used as multipath:            n/a          0

Excellent !

__

Edison.

Thanks for the starting point ...

Brent

Hello Brent,

You need to take care of what you send to AS 6383 also.

The ip as-path ACL suggested by colleagues has the advantage that it can be applied to multiple neighbors without any change, because it allows only the IP prefixes with an empty BGP AS path attribute, which are the locally generated prefixes, i.e. your own ones.

Otherwise a new, different as-path ACL has to be created for the second neighbor, and so on.

Hope to help

Giuseppe

jschwam
Level 1

Hi-

You want to use an AS-PATH filter that will only advertise routes that originate from your AS.

Attached is a text file with a filter and BGP neighboring configuration that does this.

Best-

-jS

This is what finally worked ...

ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_
ip as-path access-list 1 permit .*

The permit was needed so that my network would be advertised.
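To make the thread's two lessons concrete (an as-path access-list ends in an implicit deny, so a list with only deny entries blocks the locally originated prefix too; and Edison's permit ^$ passes only prefixes with an empty AS path, which is what locally originated prefixes carry in the local table), here is a small model of IOS as-path access-list evaluation. This is added example code, not from the thread or from Cisco; the AS paths it checks are constructed, and the translation of the IOS "_" delimiter into a Python lookaround is an approximation for illustration.

```python
import re

# IOS treats "_" in an as-path regex as a delimiter: start or end of the path,
# a space, a comma, or a brace/parenthesis. Modelled here (assumption) as a
# zero-width match so "_6383_" matches AS 6383 but not AS 63830.
_DELIM = r"(?:^|$|(?<=[ ,{}()])|(?=[ ,{}()]))"


def ios_aspath_regex(pattern: str) -> re.Pattern:
    return re.compile(pattern.replace("_", _DELIM))


def evaluate(acl, as_path: str) -> bool:
    """First matching entry decides; no match at all is the implicit deny."""
    for action, pattern in acl:
        if ios_aspath_regex(pattern).search(as_path):
            return action == "permit"
    return False


# The poster's first attempt: two denies, no permit. Everything falls through
# to the implicit deny, including the empty AS path of network 206.197.1.0.
ACL_NO_PERMIT = [("deny", "^6383$"), ("deny", "_6383_")]
# The version that finally worked in the thread.
ACL_FINAL = [("deny", "^6383$"), ("deny", "_6383_"), ("permit", ".*")]
# Edison's suggestion: permit only locally originated prefixes, deny the rest.
ACL_LOCAL_ONLY = [("permit", "^$")]

# Constructed sample AS paths as they sit in the local BGP table (this router
# prepends its own AS 11725 only when it sends the update, not before filtering).
SAMPLE_PATHS = {
    "206.197.1.0 (locally originated)": "",
    "full-table route learned from 6383": "6383 64496 64497",
    "route originated by 6383": "6383",
    "default learned from 4323": "4323",
    "route via constructed AS 63830": "63830 64498",
}


def advertised(acl, paths=SAMPLE_PATHS):
    """Map each sample prefix to True if the outbound filter-list would pass it."""
    return {name: evaluate(acl, path) for name, path in paths.items()}


if __name__ == "__main__":
    for label, acl in (("no permit", ACL_NO_PERMIT), ("final", ACL_FINAL),
                       ("permit ^$", ACL_LOCAL_ONLY)):
        print(label)
        for name, ok in advertised(acl).items():
            print(f"  {'advertise' if ok else 'block    '}  {name}")
```

Note that the deny-based list still advertises the 4323 default back to 4323 and any non-6383 routes, whereas permit ^$ is neighbor-independent and can be reused on the 6383 session, as Giuseppe points out.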
