How would I do this?

Unanswered Question
Feb 19th, 2009

I have a location that we don't want anyone to accidentally route to. We run BGP as the only routing protocol along with some statics. The attached picture is what I currently have, but this is causing a problem. The router on the right side of the page connects to a switch that reloads itself occasionally. When it does this, it brings that link, from the left router to the right router, down. I want to know if I'm able to run a routing protocol between just those two routers, and will keep BGP from propagating that information out to my other locations. If I run EIGRP for just those two networks, can I keep BGP from propagating that learned route? Basically, I want to have the same functionality that I have with a static route now, but I don't want anyone else being able to see it other than my data center. I've thought about ACLs, and this may be the only way I can do it.

Thanks,

John

marikakis Thu, 02/19/2009 - 07:50

Router 10.5.5.5 is in one of your other locations (represented by the cloud) and is receiving the update for 10.127.1.0/24 included in the diagram by router 10.5.5.1 (left), right? And you do not want this to happen, right?

In the BGP networks listed on the left, I don't see 10.127.1.0/24. How exactly is router 10.5.5.1 (left) injecting this into BGP? Are you redistributing the static into BGP?

In any case, you can certainly filter routes in various ways in the out direction of sessions from router 10.5.5.1 (distribute-list, prefix-list, route-map). You can run any dynamic IGP within the particular site to assure BGP next-hop reachability. BGP will not advertise the network unless you instruct it to do so (e.g. via network or redistribute command), and even if you do inject some network into BGP, you can still filter it in the sessions with particular neighbors. If you need to do some redistribution into BGP for the dynamic IGP scenario, you can filter at the point of redistribution. This way, you won't need a filter in the BGP session.

John Blakley Thu, 02/19/2009 - 07:59

Not exactly. I forgot to note it, but 10.5.5.5 is my core switch, but it is receiving the update from 10.5.5.1 and it's via BGP from a static route on 10.5.5.1.

What I want is to be able to see 10.127.1.0 and 172.27.1.0 via some routing protocol because the statics don't seem to bring the link back up when the provider's switch loses power. I'm thinking that a routing protocol may be the way to go. Currently, I have to telnet into the 10.5.5.1 router and ping the 172.27.1.1 address in order to bring the link back up, and I'm hoping that a routing protocol would do this for me when it saw the link back up.

I'm not well versed on bgp beyond the basics of redistributing statics.

So, you're saying that I could run eigrp on router 10.127.1.1 and advertise the 10.127.1.0 and 172.27.1.0 networks with the 10.5.5.1 router, and on the 10.5.5.1 router only advertise 172.27.1.0 and 10.5.5.0 via eigrp and bgp won't distribute this route to anyone else?

Thanks!

John

marikakis Thu, 02/19/2009 - 08:06

I added a couple of sentences at the end of my last post. BGP might look difficult, but can be controlled more easily from propagating routes than other protocols. If you don't inject some network into it, it won't creep in. If you do inject, you can still filter. I am still not sure I understand all your requirements, but those things are generally true.

marikakis Thu, 02/19/2009 - 09:15

Just to be a little more practical, here is a link about filtering networks with BGP:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00801310cb.shtml

It is about filtering updates received from a neighbor (in direction), but the concepts are the same when sending updates to a neighbor (out direction). You just specify the direction in/out, depending on what you are trying to do. In your case, even if some route reaches a router and you don't want it there, you can still filter the update in the in direction at the particular router (or in the out on the sending router). Note that prefix-list is more elegant and easier to configure.

Remember to clear the sessions softly if needed. You have access to all your BGP routers, so you can clear softly in the out direction of the router that is sending the update for the policy to take effect (clear ip bgp soft out):

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp2.html#wp1011840

When you redistribute into BGP, you can filter the routes that are injected into BGP with a route-map, as per the redistribute command syntax:

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi1.html#wp1015390
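As an added example (not from the thread or Cisco's pages), this is what the two filtering points marikakis describes would look like in IOS on router 10.5.5.1: a route-map applied at the `redistribute static` step so the site prefixes never enter the BGP table, and, as an alternative, a prefix-list applied in the out direction toward 10.5.5.5. The AS number 65001 and the static's next hop 172.27.1.1 are assumptions; the prefixes and router addresses are the ones discussed above.

```cisco
! Added example for router 10.5.5.1 (left router). AS number and the
! static's next hop are assumed placeholders, not taken from the thread.
!
ip route 10.127.1.0 255.255.255.0 172.27.1.1
!
! Option 1: filter at the point of redistribution. Prefixes denied here
! never reach the BGP table, so no per-neighbor filter is needed for them.
ip prefix-list SITE-ONLY seq 5 permit 10.127.1.0/24
ip prefix-list SITE-ONLY seq 10 permit 172.27.1.0/24
!
route-map STATIC-TO-BGP deny 10
 match ip address prefix-list SITE-ONLY
route-map STATIC-TO-BGP permit 20
 ! all other statics are redistributed as before
!
router bgp 65001
 redistribute static route-map STATIC-TO-BGP
!
! Option 2: leave redistribution unchanged and stop the prefixes from being
! sent to a particular neighbor (here 10.5.5.5). This also catches
! 172.27.1.0/24 if it is injected by a network statement rather than a static.
ip prefix-list NO-SITE-OUT seq 5 deny 10.127.1.0/24
ip prefix-list NO-SITE-OUT seq 10 deny 172.27.1.0/24
ip prefix-list NO-SITE-OUT seq 100 permit 0.0.0.0/0 le 32
!
router bgp 65001
 neighbor 10.5.5.5 remote-as 65001
 neighbor 10.5.5.5 prefix-list NO-SITE-OUT out
```

After applying option 2, run `clear ip bgp 10.5.5.5 soft out` on 10.5.5.1 so the new outbound policy takes effect, and confirm with `show ip bgp neighbors 10.5.5.5 advertised-routes` that neither prefix is still being sent.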
