How to advertise default gateway to only certain subnets in BGP

Unanswered Question
Aug 19th, 2009

Hi Folks,


The company is migrating each region's network into an MPLS cloud. Each region has its own subnets to take care of and manages its own internet gateway. Internet access for each region is served by the region office internet gateway.


How can I advertise my own default gateway (internet access traffic gateway) only to those subnets I specify?

Is there a way I can tell a selected subnet (like that if the traffic is bound for the internet, go to say the region office (subnet internet gateway ( via the BGP router ( that is pointing to the MPLS cloud?

BGP router

router bgp 66666
 network mask
 network mask
 neighbor remote-as 12345
ip route

What else do I need to add to advertise the default gateway if I only want to advertise the default route to say only? Please advise.

Giuseppe Larosa Thu, 08/20/2009 - 02:24

Hello Kok,

BGP works on neighbor sessions, so the question should become: how can I send a default route to remote sites?

In a L3 MPLS VPN you have a peer-to-peer relationship between your node at the central site and the provider edge node.

Normal service is that the default route you send out will be propagated to all remote sites within the MPLS VPN routing context.

neigh default-originate [route-map map-name]

is what you need to have a default route sent to all other sites.

If you want this default route to be sent to only some sites, that is a different matter, but it requires cooperation with the service provider.

Hope to help


connect2world Thu, 08/20/2009 - 16:34

Hi giuslar,

Thanks for the reply.

After doing some research, I was wondering if the config shown below will help to advertise the default gateway only to subnets:

ip prefix-list Advertise-Subnet seq 5 permit

route-map Default_Route_From_AS66666 permit 10
 match ip address prefix-list Advertise-Subnet

router bgp 66666
 network mask
 neighbor default-originate route-map Default_Route_From_AS66666
 no network
 neighbor remote-as 12345

ip route

Giuseppe Larosa Thu, 08/20/2009 - 23:22

Hello Kok,

I would say no.

This configuration advertises a default route to the PE node if prefixes matching the prefix-list Advertise-Subnet exist in the IP routing table.

Note that they are probably learned from the same PE node eBGP peer.

If you want to have this default route advertised to only some VRF sites, you need to cooperate with the service provider.

If you look at the problem from another point of view: if you want to limit internet access to only

there is another point where you can do this:

the NAT configuration on the internet gateway at your central site.

If you use an ACL for NAT that says what is translated to a public address, you can decide that IP addresses of remote sites not belonging to that range will not access the internet at all (if they are not translated), the range being a private IP address per RFC 1918.

This is valid unless you have masked your real IP addresses for safety.

Hope to help
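The two points above, modelled in Python as an added illustration (not configuration from this thread): the route-map on `default-originate` is a condition evaluated against the local routing table that decides whether the default goes to the PE neighbor at all, not which remote site receives it, and the NAT ACL is what actually gates internet access. The routing table, prefix-list, NAT ACL and the dict standing in for the provider's per-site policy are all constructed values.

```python
import ipaddress

# Constructed sample data (assumptions for this example, not values from the thread).
ROUTING_TABLE = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]   # routes the BGP router holds
PREFIX_LIST = [{"prefix": "10.1.0.0/16"}]                        # "Advertise-Subnet", exact match
NAT_ACL = [("permit", "10.1.0.0/16")]                            # inside-source NAT ACL
SP_SITE_POLICY = {"site-A": True, "site-B": False}               # stands in for the SP's per-site control

def prefix_list_matches(prefix_list, route):
    """IOS prefix-list semantics: the first L bits of the route equal the entry prefix and
    its length lies within [ge, le]; no ge/le means exact length. First match wins,
    implicit deny at the end."""
    net = ipaddress.ip_network(route)
    for entry in prefix_list:
        base = ipaddress.ip_network(entry["prefix"])
        if net.version != base.version:
            continue
        if "ge" in entry or "le" in entry:
            lo, hi = entry.get("ge", base.prefixlen), entry.get("le", base.max_prefixlen)
        else:
            lo = hi = base.prefixlen
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return entry.get("action", "permit") == "permit"
    return False

def default_originate(routing_table, prefix_list):
    """Conditional default-originate: 0.0.0.0/0 goes to the PE neighbor if ANY local
    route passes the route-map; the route-map never names a receiving site."""
    return any(prefix_list_matches(prefix_list, r) for r in routing_table)

def sites_receiving_default(sent_to_pe, sp_site_policy):
    """Propagation beyond the PE is per remote site and is the SP's decision."""
    if not sent_to_pe:
        return []
    return [site for site, propagate in sp_site_policy.items() if propagate]

def nat_allows(nat_acl, src_ip):
    """A default route only helps a host the NAT ACL translates (first match wins,
    implicit deny)."""
    ip = ipaddress.ip_address(src_ip)
    for action, network in nat_acl:
        if ip in ipaddress.ip_network(network):
            return action == "permit"
    return False

if __name__ == "__main__":
    sent = default_originate(ROUTING_TABLE, PREFIX_LIST)
    print("default sent to PE:", sent, "-> sites that get it:", sites_receiving_default(sent, SP_SITE_POLICY))
    for host in ("10.1.4.9", "10.2.4.9"):
        print(host, "can reach the internet via NAT:", nat_allows(NAT_ACL, host))
```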


connect2world Fri, 08/21/2009 - 00:11

Hi giuslar,

So I should probably just tell the WAN service provider my requirement and they should be able to take care of it?

Giuseppe Larosa Fri, 08/21/2009 - 03:01

Hello Kok,

The provider can propagate the default only to a subset of your remote sites, regardless of what IP subnets are deployed in each of them.

If this fits your needs you are fine; otherwise you also need to play with NAT.

Another possibility is to use two MPLS VPNs (no additional hardware is required) and to have the IP subnets advertised in the two VPNs:

VPN1 will have the default route to reach the internet.

VPN2 will not have the default route.

This requires some work also on the remote sites.

However, the NAT approach should be enough.

In other words, a default route to reach the internet is useless if the IP addresses cannot be NATted.

Hope to help


connect2world Sun, 08/23/2009 - 17:38

Hi giuslar,

The internet gateway is already configured to do NATing for the entire subnet of . I am looking for central control of route advertisement on without involving the remote site configuration. I still do not understand your reply as to whether the proposed config will work or not. Please advise.

Giuseppe Larosa Sun, 08/23/2009 - 22:35

Hello Kok,

Let me say it in a different way:

with a L3 MPLS VPN model you have a peer-to-peer relationship,

that is:

router advertises net to its BGP peer.

The SP propagates this route to all your remote sites (default behaviour).

There is no way in BGP to have a specific route, including the default route, advertised to only one or a few subnets.

BGP works on neighbor sessions: you can decide what you send to , but then the SP has control of everything.

If you are only NATting the desired subset of routes, that is , you are fine: hosts outside this range cannot reach the internet (if this is your concern).

The level of control the SP can implement is per site:

it can decide to propagate or block net on a per-remote-site basis.

Hope to help
