BGP config restrictive

Steve Coady
Level 1

Hello

Recently I acquired another company with (5) L2-only sites. I am phasing them into my L3 AVPN network.

The first phase is to get them onto the AVPN network. Routers and circuits have been ordered.

For now, I want to make sure the L3 network works amongst their own (5) sites, but I do not want to merge them into my network just yet. See the diagram for how the network will look once ALL aspects of the merge are complete.

My question is, what specific WAN config statements will I want to add to their routers so that they only communicate amongst themselves?

The WAN routing protocol is BGP. I believe the config should look something like:

router bgp (AS#)
 no bgp log-neighbor-changes
 network 0.0.0.0
 network (Local LAN subnet)192.168.1.x
 network (Local LAN subnet)192.168.10.x
 network (Local LAN subnet)192.168.20.x
 neighbor x.x.40-44.2 remote-as (AS#)
 no auto-summary

The .40-43.2 are the AVPN PER WAN ip addresses for the new sites.

sMc


Steve Coady
Level 1

Can anyone provide any technical guidance pertaining to this specific objective? 

sMc

Hi Coady,

Is the *current* routing protocol BGP amongst those acquired routers? Also, can you post the diagram of the final state?

Have you thought about using Private ASNs during the merge process?

The acquired routers are new. Currently the (5) sites do not have any layer 3 routing. The diagram does show the final state, where all sites connect to our AVPN cloud.

sMc

Please provide more information on using Private AS's during the merge process.

sMc

Hello

I checked with my WAN provider. Using a Private ASN would require cancelling the current order and re-ordering the new WAN. Not an option.

With that, ALL of my sites are going to be on the same AVPN. What I need to do now is to restrict routing advertisements.

The goal, for now, is to only allow these (5) new sites to route amongst each other until we can merge them into our network.

If we are all on the same AVPN network and using BGP, how can I keep those sites routing amongst each other only?

It seems the approach would be to not allow all the other sites to know what IP subnets are being used for the (5) new sites.

sMc

You could implement a route-map on your existing routers that filters announcements from the 5 new routers. This route map would be applied to the neighbors with "neighbor x.x.40-44.2 remote-as route-map ":

!!! Create a prefix list for matching local routes
ip prefix-list DENY-NEW-NETWORKS seq 10 permit 198.168.x.y/z
!!! Create route map for filtering: deny the matched prefixes, permit everything else
!!! (a route-map with only deny clauses drops every route, including the default)
route-map DENY-NEW-ROUTERS deny 10
 match ip address prefix-list DENY-NEW-NETWORKS
route-map DENY-NEW-ROUTERS permit 20
end
!!! On existing routers, apply inbound to the neighbor statements for new sites:
router bgp ASN
 neighbor x.x.40.2 route-map DENY-NEW-ROUTERS in
end

If this config were placed on your existing routers, they would ignore all announcements from the 5 new routers. If you have a lot of existing routers, this could be cumbersome.

HTH

Joseph

Thank you for the response. I appreciate the command syntax.

Just so I understand the first statement, "ip prefix-list DENY-NEW-NETWORKS seq 10 permit 198.168.x.y/z": the 192.168.x.x/z are the internal IP addresses of each subnet that would be advertised?

Let's say that one of these sites has (10) contiguous subnets to advertise; could the statement look as follows?

     "ip prefix-list Deny-new-networks seq 10 permit 192.168.10.0/255.255.240.0"

Would there be any potential issues caused by this type of summarized statement?

Once again, thank you for the great info!

sMc

To cover multiple networks under a prefix list, you specify the mask length:

ip prefix-list DENY-NEW-NETWORKS seq 10 permit 192.168.10.0/20

This would work if you *actually* summarize the route in BGP (i.e. network 192.168.10.0 255.255.240.0 _and_ you have a static route for that network in your RIB).

If, however, you don't summarize in BGP, your prefix list changes slightly:

ip prefix-list DENY-NEW-NETWORKS seq 10 permit 192.168.0.0/20 le 32

In this case, you are covering all the networks from 192.168.0.0 - 192.168.15.0.

I'm assuming you have AT&T's MPLS VPN product? For your existing routers, you have an iBGP full mesh plus an eBGP connection to an AT&T PE router?

I don't see an attachment with your diagram; that would really help me understand things better.

We do have the AT&T AVPN. We are using eBGP. Internal routing is handled by EIGRP.

Each site is set up the same:

AVPN router>Cisco 3750 switch stack (MDF)>Cisco 375 switch stack(s) (IDF)

BGP on AVPN routers:

router eigrp #
 distribute-list route-map Block_EIGRP_Routes_From_BGP_Redistribution in
 default-metric 1000000 10 255 1 1500
 network 192.168.x.x 0.0.0.0
 redistribute connected
 redistribute bgp ASNXYz
 distance eigrp 10 10
!
router bgp ASNXYz
 no bgp log-neighbor-changes
 network 0.0.0.0
 network 10.1.x.0 mask 255.255.240.0
 network 10.1.x+.0 mask 255.255.240.0
 network 192.168.1.0
 network 192.168.10.0
 network 192.168.100.0
 etc...
 neighbor x.x.7.2 remote-as !#!#!
 neighbor x.x.7.2 soft-reconfiguration inbound
 neighbor x.x.7.2 route-map PrependNetgate in
 no auto-summary
!
route-map PrependNetgate permit 10
 match as-path 1
 set local-preference 90
!
route-map PrependNetgate permit 20
!
route-map Block_EIGRP_Routes_From_BGP_Redistribution deny 10
 description Block all BGP to EIGRP Redistributed Routes Tagged !#!#!
 match tag !#!#!
!
route-map Block_EIGRP_Routes_From_BGP_Redistribution permit 20
 description Permit All Untagged Routes Into the Routing Table

EIGRP on MDF switch stack:

router eigrp #
 network 10.0.0.0
 network 192.168.1.0
 network 192.168.10.0
 network 192.168.100.0
 eigrp stub connected

sMc

So if I'm understanding this correctly:

  • You have X existing routers in your AVPN
  • You have N=5 additional new routers in your AVPN
  • Each of the X+N routers have a single eBGP connection with an AT&T PE router
  • You want X routers to ignore prefixes announced by N routers

If this is the case, you can achieve the same by creating the prefix-list as outlined previously and adding it to your "PrependNetgate" route-map.

config t
!!! Deny clause goes ahead of the existing permit clauses (first match wins);
!!! keep your catch-all "permit 20", otherwise every other route is dropped
route-map PrependNetgate deny 5
 match ip address prefix-list DENY-NEW-NETWORKS
end

You would need to implement that config on your existing routers. Assuming every X and N router on the AVPN gets the same set of updates, this would allow the X routers to filter routes from the N routers. In other words, the two sets of X and N routers would be disjoint.

I'm assuming you manage those AVPN routers using the WAN interface only?

Joseph
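An added example, not from the thread or from Cisco, that models how IOS evaluates a prefix-list entry (with le/ge) and an ordered route-map, applied to the DENY-NEW-NETWORKS list and the PrependNetgate route-map discussed above; the AS number 65001, the sample routes and the sequence numbers are constructed, and the deny clause is assumed to sit ahead of the existing permit clauses.

```python
import ipaddress
import re

# Constructed models of the thread's DENY-NEW-NETWORKS prefix-list and the
# PrependNetgate route-map; sequence numbers, the AS number and routes are made up.
DENY_NEW_NETWORKS = [
    {"seq": 10, "action": "permit", "prefix": "192.168.0.0/20", "le": 32},
]
# The "192.168.10.0/16 le 20" form from the thread, kept to show what it misses.
LE20_ATTEMPT = [
    {"seq": 10, "action": "permit", "prefix": "192.168.10.0/16", "le": 20},
]
PLISTS = {"DENY-NEW-NETWORKS": DENY_NEW_NETWORKS}
# Deny clause placed ahead of the existing permit clauses: first match wins, and a
# route matching no clause is dropped, so the catch-all permit 20 has to remain.
PREPEND_NETGATE = [
    {"seq": 5, "action": "deny", "prefix_list": "DENY-NEW-NETWORKS"},
    {"seq": 10, "action": "permit", "as_path_regex": r"^65001( |$)"},  # stands in for "match as-path 1"
    {"seq": 20, "action": "permit"},
]

def prefix_entry_matches(entry, route):
    """IOS entry semantics: route inside the entry's network and its length within
    [ge, le]; no keyword means exact length, 'ge' alone means up to /32."""
    net = ipaddress.ip_network(entry["prefix"], strict=False)  # 192.168.10.0/16 -> 192.168.0.0/16
    rt = ipaddress.ip_network(route, strict=False)
    lo = entry.get("ge", net.prefixlen)
    hi = entry.get("le", 32 if "ge" in entry else net.prefixlen)
    return rt.subnet_of(net) and lo <= rt.prefixlen <= hi

def prefix_list_action(entries, route):
    """First matching sequence decides; an unmatched route hits the implicit deny."""
    for e in sorted(entries, key=lambda x: x["seq"]):
        if prefix_entry_matches(e, route):
            return e["action"]
    return "deny"

def route_map_action(clauses, plists, route, as_path):
    """Evaluate ordered clauses for one inbound update; 'match ip address
    prefix-list' succeeds only when that prefix-list permits the route."""
    for c in sorted(clauses, key=lambda x: x["seq"]):
        ok = True
        if "prefix_list" in c:
            ok = prefix_list_action(plists[c["prefix_list"]], route) == "permit"
        if ok and "as_path_regex" in c:
            ok = re.search(c["as_path_regex"], as_path) is not None
        if ok:
            return c["action"]
    return "deny"
```

Running the /24 subnets against LE20_ATTEMPT shows why the le keyword alone does not catch them: a /24 is longer than the le 20 bound, so only the /16 to /20 summaries would be filtered.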

Excellent!! Thank you.

sMc