How to advertise default gateway to only certain subnets in BGP

Unanswered Question
Aug 19th, 2009
User Badges:

Hi Folks,


Scenario:

The company are migrating each region network into a MPLS cloud. Each region has their own

subnets to take care and they manage their own internet gateway. The internet access for each region is

serve by the region office internet gateway.


Question:

How can I advertise my own default gateway(internet access traffic gateway) only to those subnets I specify?

Is there a way I can tell a selected subnet (like 10.226.1.0/24) that if the traffic is bound for internet

go to say region office(subnet 10.224.1.0/24) internet gateway(10.224.1.1) via the BGP router(10.224.1.254) that

is pointing to the MPLS cloud.


BGP router 10.224.1.254

=======================

router bgp 66666

network 10.224.1.0 mask 255.255.255.0

network 0.0.0.0 mask 0.0.0.0

neighbor 1.1.1.1 remote-as 12345

ip route 0.0.0.0 0.0.0.0 10.224.1.1


What else do I need to add to advertise the default gateway if I only want to advertise the default route to

say 10.226.1.0/24 only?Please advise.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Giuseppe Larosa Thu, 08/20/2009 - 02:24
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Kok,


BGP works on neighbor sessions so the question should become how I can send a default route to remote sites?



In a L3 MPLS VPN you have a peer-to-peer relationship between your node at central site and the provider edge node.


Normal service is that the default route you send out will be propagated to all remote sites within the MPLS VPN routing context.


neigh 1.1.1.1 default-originate [route-map map-name]


is what you need to have a default route sent to all other sites.


if you want that this default route has to be sent to only some sites that is a different matter but requires cooperation with service provider


Hope to help

Giuseppe


connect2world Thu, 08/20/2009 - 16:34
User Badges:

Hi giuslar,


Thanks for the reply.


After doing some research, I was wondering if the below config as show below will

help to advertise the default gateway only to 10.224.0.0/11 subnets:


ip prefix-list Advertise-Subnet seq 5 permit 10.224.0.0/11

!

route-map Default_Route_From_AS66666 permit 10

match ip address prefix-list Advertise-Subnet

!

router bgp 66666

network 10.224.1.0 mask 255.255.255.0

neigbhbor 1.1.1.1 default-originate route-map Default_Route_From_AS66666

no network 0.0.0.0

neighbor 1.1.1.1 remote-as 12345

!

ip route 0.0.0.0 0.0.0.0 10.224.1.1

Giuseppe Larosa Thu, 08/20/2009 - 23:22
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Kok,

I would say no.


This configuration advertises a default route to PE node 1.1.1.1 if prefixes matching the prefix-list Advertise-Subnet exist in the ip routing table.

To be noted that they are probably learned by the same PE node eBGP peer.


if you want to have this default route advertised to only some VRF sites you need to cooperate with the service provider.


If you look the problem from another point of view: if you want to limit internet access to only

10.224.0.0/11

you have another point when you can do this:

the NAT configuration on the internet gateway at your central site.


if you use an ACL for NAT that says what is translated to public address you can decide that ip addresses of remote sites not belonging to that range 10.224.0.0/11 will not access the internet at all (if they are not translated)

being the range a private ip address per RFC 1918.

this is valid unless you have masked your real ip addresses for safety.


Hope to help

Giuseppe


connect2world Fri, 08/21/2009 - 00:11
User Badges:

Hi giuslar,


So I should probably just need to tell the WAN service provider my requirement and they should be able to take care it?

Giuseppe Larosa Fri, 08/21/2009 - 03:01
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Kok,

the provider can propagate the default only to a subset of your remote sites regardless of what IP subnets are deployed in each of them.


if this fits with your needs you are fine otherwise you need to play also with NAT


Another possibility is that of using two MPLS VPN (no additional hardware is required) and to have the ip subnets advertised in the two VPNs

VPN1 will have the default route to reach the internet

VPN2 will not have the default route.


This requires some work also on remote sites.


However, the NAT approach should be enough.


in other words a default route to reach the internet is useless if the ip addresses cannot be natted.


Hope to help

Giuseppe


connect2world Sun, 08/23/2009 - 17:38
User Badges:

Hi giuslar,


The internet gateway is already configured to do nating for the entire subnet of 10.224.224.0/11. I am looking for central control of route advertisement on 10.224.1.254 without involving the remote site configuration. I still do not understand your reply as to whether the propose config will work or not?Please advise.

Giuseppe Larosa Sun, 08/23/2009 - 22:35
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Kok,


let me say in a different way:


with a L3 MPLS VPN model you have a peer to peer relationship


that is :


router 10.224.1.254 advertises net 0.0.0.0/0 to its BGP peer 1.1.1.1


The SP propagates this route to all your remote sites (default behaviour)


There is no way in BGP to have a specific route including default route advertised to only one or a few subnets.


BGP works on neighbor sessions you can decide what you send to 1.1.1.1 but then SP has control of everything.


If you are only natting the desired subset of routes that is 10.224.224.0/11 you are fine: hosts outside this range cannot reach the internet (if this is your concern).


The level of control SP can implement is per site:

it can decide to propagate or block net 0.0.0.0/0 on per remote site basis.


Hope to help

Giuseppe


Actions

This Discussion