Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

BGP routes Restrict

Hi,

I'm new to the whole MPLS Setup. I'm trying to connect remote sides using BGP on the providers side and OSPF on our side.

I receive lots of routes of Service Provider, is there a way to block these routes at MPLS Router without ACL

14 REPLIES
Cisco Employee

Re: BGP routes Restrict

Ronald,

So if I understand you correctly, you are using ospf to receive routes from the SP, right?

Are the routes you received, routes from your remote sites only? If so, why would you want to block them.

Regards

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: BGP routes Restrict

I receive a lot of service provider routes ; apart from our remote office routes.

Cisco Employee

Re: BGP routes Restrict

Ronald,

Is this an L3VPN (MPLS VPN) service that you are buying from your SP? If so the only routes you should receive locally are the one you have advertised at the remote sites and vice versa. Can you further explain your setup.

Regards

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: BGP routes Restrict

This is the config provided by service-provider

interface Serial0/0/0

ip address 172.16.1.241 255.255.255.252

ip verify unicast source reachable-via rx 100

no ip redirects

no ip unreachables

no ip proxy-arp

no cdp enable

router bgp 3412

no synchronization

bgp log-neighbor-changes

redistribute connected

redistribute ospf 50

neighbor 172.16.1.242 remote-as 45000

My internal Networks are

192.168.1.0/24

10.1.1.0/24

==========================

Remote site I have

192.168.150.0/24

==========================

when I do show IP Route I see so many routes with different IP ranges comming from

Service Provider.... (( If I stop MPLS connection it doesnt appear ))

Cisco Employee

Re: BGP routes Restrict

Ronald,

If the service you are buying from the SP is l3vpn (MPLS VPN), you show only be receiving routes from your sites. The behavior you are seeing doesn't appear to be correct. There is not much you can do about it by yourself. You definitely want to talk to your SP about it.

Regards

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: BGP routes Restrict

SP are not really suppportive ; is there any alternative I can do to prevent it.

Re: BGP routes Restrict

I agree with Harold that you should be receiving only what you are sending and you should ask them to stop sending you any routes that you have not requested if they are doing such a thing.

Still, I see that you are running BGP with the provider and you have redistributed OSPF into it (and connected). You might have many smaller subnets in your OSPF network and redistributing them directly into BGP might be causing this issue. Are the networks that you are seeing relevant to your network addressing scheme or not? And how many are they compared to what you expected ?

In any case, if your addressing plan is as simple as you described with distinct ranges at each site, you might consider avoiding redistribution into BGP and inject only those networks in BGP using the "network" command (a high AD static to null 0 might be needed as well). Please let us know if you need any assistance on accomplishing this.

New Member

Re: BGP routes Restrict

Thank you.

Please can you help how could I inject only my networksin BGP using Network command

Re: BGP routes Restrict

Please realize first that this change I suggest can be an intrusive operation. I do not expect any serious downtime, but sometimes the meaning of "serious" depends on the services one runs and other times downtime lasts longer due to unforeseen technical difficulties.

If I haven't scared you enough by now, please make sure the below addresses that you posted previously are the only blocks you have:

Local site: 192.168.1.0/24, 10.1.1.0/24

Remote site :192.168.150.0/24

If this is correct, then:

Local site:

router bgp 3412

network 192.168.1.0 mask 255.255.255.0

network 10.1.1.0 mask 255.255.255.0

ip route 192.168.1.0 255.255.255.0 null0 254

ip route 10.1.1.0 255.255.255.0 null0 254

Remote site :

router bgp 3412

network 192.168.150.0 mask 255.255.255.0

ip route 192.168.150.0 255.255.255.0 null0 254

After you do this, confirm that both endpoints are receiving the corresponding remote routes with the correct masks (sh ip bgp ). It might take some time for the routes to propagate between sites. If you are seeing those /24 routes exchanged between sites, go to your edge routers and remove the redistribution commands (ospf and connected) from the bgp process.

p.s. I will try to check this thread regularly in case you need anything else.

Re: BGP routes Restrict

Also, please let us know about the outcome and any issues you encountered. It is always useful to know this type of information for future reference.

Re: BGP routes Restrict

You can Also implement Route-filtering using "Route-maps"

HTH

Mohamed

Re: BGP routes Restrict

Mohamed,

Route-filtering is a good suggestion in general, especially if the provider is sending irrelevant routes. Still, even in this case, the provider should stop doing this (not only because it is not necessary, but also because it could indicate that the security of the L3 MPLS VPN solution is at risk).

We can move to future protective measures after the routing between sites is confirmed, to make it easier to troubleshoot any unexpected issues. We do not have an answer yet about who is causing this: the customer side redistribution only or the provider as well? If the injection of routes is performed using network command only, then we will know if provider does send anything else not required because the customer routes will be only 3.

Also note that the procedure I suggested is the safest way to go. First propagate the BGP network command injected routes and then remove the redistribution. This will cause minimal disruption if any at all. This procedure can only cause routing issues only if there are additional networks that have not been mentioned or the addressing scheme is not exactly the one that was reported (any unmentioned networks will become unreachable from the one site to the other). And of course there can always be "unforeseen technical difficulties" such as bugs or anything else.

Kind Regards,

M.

Re: BGP routes Restrict

Maria,

The provider Only should redistribute Or actually redistributed into bgp, Why the customer has to do this in his router since he was running OSPF with the provider?

Mohamed

Re: BGP routes Restrict

There has been a misunderstanding at the beginning. Although Harold asked about the protocols there was no clear answer until the configuration was posted. This configuration cannot possibly be the provider side BGP configuration (no vrf forwarding on interface, no ipv4 vrf address-family in BGP process, and there is a remote BGP peer that doesn't apply when OSPF is used as the PE-CE routing protocol), but is rather on the customer side and it has been given to the customer by the provider to help setting the customer side.

Customer uses OSPF as an IGP and uses BGP to connect to the service provider. To advertise networks between sites, customer uses redistribution of connected and ospf into the BGP and passes the routes to the provider via BGP.

394
Views
0
Helpful
14
Replies
CreatePlease to create content