08-18-2008 05:56 AM - edited 03-03-2019 11:10 PM
I am trying to figure out how to block BGP routes from one ISP so they are not distributed to a second ISP. The first ISP is providing full routes, where the second is providing just default routes. BGP between me and the second ISP is not establishing, and I think it may be because I am possibly redistributing routes from the first ISP to the second. I figure I need to create an ACL but am not sure of the format given the number of routes. I am hoping there is something within BGP that I can specify?
08-18-2008 06:14 AM
The command ip as-path access-list 1 permit ^$ will block routes originated by other ASes and will only allow routes originated by you.
You need to link this ACL to a route-map and apply it in the neighbor statement under the BGP process in the outbound direction.
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml
HTH,
__
Edison.
08-18-2008 07:04 AM
so if I have the following ...
router bgp 11725
bgp log-neighbor-changes
neighbor 64.132.245.25 remote-as 4323
neighbor 68.152.201.177 remote-as 6383
address-family ipv4
neighbor 64.132.245.25 activate
neighbor 68.152.201.177 activate
no auto-summary
synchronization
network 206.197.1.0
exit-address-family
I want to block redistribution of full routes from 6383 to 4323...
ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_
then under router bgp 11725...
neighbor 64.132.245.25 filter-list 1 out
It also looks like I am not redistributing my own network, though.
08-18-2008 07:11 AM
The command I pointed out will prevent your router from becoming a 'transit' router between the 2 ISPs.
The ISPs you are connected to have their own BGP policy in place, so I doubt your router can become a 'transit' router - with that said, it doesn't hurt to apply those policies in your router as well.
Reading your initial message, I don't think your peering problem has anything to do with your connection to another ISP.
Have you worked with the ISP to see if their BGP peering is pointing to you?
Based on the config you've posted, you are announcing network 206.197.1.0.
Regarding the ip as-path access-list, I recommend using the command option I highlighted before.
__
Edison.
Please rate helpful posts
08-18-2008 07:15 AM
Here is the new config, but when I look at the BGP stats I am not even sending them my 206.197.1.0 network.
router bgp 11725
bgp log-neighbor-changes
neighbor 64.132.245.25 remote-as 4323
neighbor 64.132.245.25 description Link to Time Warner
neighbor 68.152.201.177 remote-as 6383
neighbor 68.152.201.177 description link to BellSouth
!
address-family ipv4
neighbor 64.132.245.25 activate
neighbor 64.132.245.25 filter-list 1 out
neighbor 68.152.201.177 activate
no auto-summary
synchronization
network 206.197.1.0
exit-address-family
08-18-2008 07:30 AM
It looks like I have it working. At least the sh ip bgp ne output looks better. I forgot to include a permit on the ip as-path access-list. Here is the one I have now...
ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_
ip as-path access-list 1 permit .*
 For address family: IPv4 Unicast
  BGP table version 325826, neighbor version 325826/0
  Output queue size : 0
  Index 2, Offset 0, Mask 0x4
  2 update-group member
  Outbound path policy configured
  Outgoing update AS path filter list is 1
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               1          1 (Consumes 52 bytes)
    Prefixes Total:                 1          1
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          1
    Used as multipath:            n/a          0
08-18-2008 07:32 AM
Excellent!
__
Edison.
08-18-2008 10:48 AM
Thanks for the starting point ...
Brent
08-18-2008 10:56 AM
Hello Brent,
You need to take care of what you send to AS 6383 also.
The ip as-path ACL suggested by colleagues has the advantage that it can be applied to multiple neighbors without any change, because it allows only the IP prefixes with an empty BGP AS path attribute, which are the locally generated prefixes, i.e. your own ones.
Otherwise a new, different as-path ACL has to be created for the second neighbor, and so on.
Hope to help
Giuseppe
08-18-2008 10:50 AM
This is what finally worked ...
ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_
ip as-path access-list 1 permit .*
The permit was needed so that my network would be advertised.
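As an added illustration (not from the thread and not anyone's router), the script below parses IOS-style ip as-path access-list lines and evaluates them against a small constructed BGP table the way an outbound filter-list would: first match wins, and a list with no matching entry denies. List 1 is the working list Brent posted; list 2 is the permit ^$ list Edison recommended and Giuseppe explained. The list numbers, the prefixes 203.0.113.0/24 and 198.51.100.0/24, the upstream AS 64496 (a documentation AS) and the default route carrying AS 4323 are all assumptions made for the example.

```python
import re

# Constructed IOS fragment (not from the thread's router). List 1 is the
# deny-6383-then-permit-all filter, list 2 is the permit-only-local-routes
# filter; the list numbering is assumed.
IOS_CONFIG = """
ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_
ip as-path access-list 1 permit .*
ip as-path access-list 2 permit ^$
"""

# Constructed BGP table: (prefix, AS_PATH attribute). AS 64496 is a
# documentation AS standing in for some upstream behind BellSouth (AS 6383).
BGP_TABLE = [
    ("206.197.1.0/24", ""),             # locally originated via 'network'
    ("0.0.0.0/0", "4323"),              # default learned from Time Warner
    ("203.0.113.0/24", "6383"),         # a prefix originated by BellSouth
    ("198.51.100.0/24", "6383 64496"),  # a full-table route via BellSouth
]

_AS_PATH_LINE = re.compile(r"^ip as-path access-list (\d+) (permit|deny) (.+)$")


def cisco_regex(pattern):
    """Translate an IOS as-path regex into a Python one. In IOS, '_' matches a
    delimiter: start or end of the path, a space, a comma, or an AS_SET brace,
    so _6383_ matches AS 6383 as a whole token but not AS 16383."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}])"))


def parse_as_path_lists(config_text):
    """Return {list_number: [(action, compiled_regex), ...]} in config order."""
    lists = {}
    for line in config_text.splitlines():
        m = _AS_PATH_LINE.match(line.strip())
        if m:
            number, action, pattern = m.groups()
            lists.setdefault(number, []).append((action, cisco_regex(pattern)))
    return lists


def filter_list_permits(entries, as_path):
    """Sequential first-match evaluation. No match (or an empty list) is a
    deny, mirroring the implicit deny at the end of every IOS access list."""
    for action, regex in entries:
        if regex.search(as_path):
            return action == "permit"
    return False


def announced_prefixes(entries, table=BGP_TABLE):
    """Prefixes that would pass an outbound 'neighbor ... filter-list N out'."""
    return [prefix for prefix, as_path in table if filter_list_permits(entries, as_path)]


if __name__ == "__main__":
    lists = parse_as_path_lists(IOS_CONFIG)
    # The first attempt in the thread: the two deny lines with no permit.
    denies_only = lists["1"][:2]
    print("denies only, no permit :", announced_prefixes(denies_only))
    print("list 1 (deny 6383, permit .*):", announced_prefixes(lists["1"]))
    print("list 2 (permit ^$)     :", announced_prefixes(lists["2"]))
```

Run stand-alone, the two deny lines alone announce nothing, which is the symptom reported before the permit .* was added. List 1 announces the local prefix and the default learned from AS 4323, which is harmless toward Time Warner but would leak Time Warner's route into BellSouth if the same list were applied outbound to 68.152.201.177, so that neighbor would need its own list. List 2 announces only the locally originated prefix whichever neighbor it is applied to, which is why it can be reused unchanged.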