Community Member

BGP - control outbound traffic - allow only specific ASN to use provider

This scenario goes well beyond my BGP skills. We have a case where we want only specific ASNs to go through a specific provider while maintaining our AS as the transit AS between the customer AS and the provider AS. Controlling inbound traffic appears to be easier because we have the capability to only advertise specific ASNs out through a specific provider (without advertising our own). Controlling outbound traffic is where I'm having trouble. I know we can use communities with local preference to make one provider more desirable than another but I don't know how to stop our own AS traffic from going out a provider while allowing specific ASNs. I'm including a diagram to help explain. Thanks!

3 REPLIES
Hall of Fame Super Silver

Re: BGP - control outbound traffic - allow only specific ASN to

Hello Tod,

I have some doubts that it is possible using only BGP to achieve what you want to do.

BGP has a great set of tools to influence routing choices, but it obeys a basic rule:

you cannot advertise to somebody else (another AS) IP prefixes that wouldn't be used by yourself (your AS).

So if you accept BGP prefixes from ISPB in order to advertise them to your customers you should use them.

Or also just to be able to use ISPB for customer traffic.

If you filter them inbound on ISPB session you cannot advertise them to the customer.

So here you can be facing a technology limit more than limits in your skills.

You may try to set up a PBR policy using set ip default next-hop or interface so that its action is triggered when a detailed route is not seen (under the hypothesis you are receiving a full table from primary ISPA).

You should advertise a BGP default route to your customer in any case.

In the PBR you will match on source address using an ACL that matches CustomerA space only.

To ISPB you will use an outbound filter to advertise only the customer's routes to ISPB.

All this looks rather complex.

If you implement MPLS in your network, the usage of an MPLS VPN may help:

you place your customer and ISPB session and link in a VRF.

You also need to export CustomerA routes to the global routing table.

The simplest way is to have two links with CustomerA:

the preferred one in the global routing table,

the backup in a VRF as explained above.

The links can be two 802.1Q VLAN subinterfaces on the same physical link.

The advantage of the second solution is that you can be sure that backup will be used only by customer originated traffic being in a different routing table.

Customer should accept your MED to prefer primary path and advertise its prefixes on both eBGP sessions with you.

Hope to help

Giuseppe
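One way to express the PBR-plus-outbound-filter approach from the reply above as IOS configuration. This is an added example, not configuration from the thread; every ASN, address and interface name is a constructed placeholder (our AS 65000, CustomerA AS 65010 with 192.0.2.0/24, ISPB AS 65020).

```cisco
! Constructed example: only CustomerA's own prefixes are advertised to ISPB,
! never our AS's prefixes or other customers' routes.
! The regex matches paths that consist solely of CustomerA's ASN; if CustomerA
! has downstream ASNs of its own, use ^65010_ instead.
ip as-path access-list 10 permit ^65010$
!
route-map TO-ISPB permit 10
 match as-path 10
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 65020
 neighbor 203.0.113.2 description ISPB
 neighbor 203.0.113.2 route-map TO-ISPB out
 neighbor 198.51.100.2 remote-as 65010
 neighbor 198.51.100.2 description CustomerA
 ! CustomerA always receives a default route from us
 neighbor 198.51.100.2 default-originate
!
! Source-based PBR on the CustomerA-facing interface. "set ip default next-hop"
! only takes effect when the destination matches no explicit route, i.e. it is
! the fallback for traffic that would otherwise follow the default route.
! Traffic from any other source is unaffected and keeps using normal routing.
ip access-list extended CUSTA-SRC
 permit ip 192.0.2.0 0.0.0.255 any
!
route-map CUSTA-BACKUP permit 10
 match ip address CUSTA-SRC
 set ip default next-hop 203.0.113.2
!
interface GigabitEthernet0/1
 description Link to CustomerA
 ip address 198.51.100.1 255.255.255.252
 ip policy route-map CUSTA-BACKUP
```

Verify with "show ip bgp neighbors 203.0.113.2 advertised-routes" that only CustomerA prefixes leave toward ISPB, and with "show route-map CUSTA-BACKUP" that the policy counters increment only for CustomerA-sourced traffic.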

Community Member

Re: BGP - control outbound traffic - allow only specific ASN to

Hello Giuseppe,

Thanks for the quick and detailed reply. You bring up some very valid points and I agree with you that we may be trying to do things that are not meant to be done.

The story behind this is that, in the event of a disaster where we lose one of our data centers, certain customers are still guaranteed access to the Internet via a special upstream provider. We have also considered just using a separate pair of routers that would peer only with the specific customers and the special upstream provider and not pass traffic to our other customers or other providers (due to a lack of connectivity on our network). Does this sound like it would work?

Obviously I need to give this some more thought.

Thanks,

Tod

Hall of Fame Super Silver

Re: BGP - control outbound traffic - allow only specific ASN to

Hello Tod,

thanks for your kind remarks.

>> using a separate pair of routers that would peer only with the specific customers and the special upstream provider and not pass traffic to our other customers or other providers (due to a lack of connectivity on our network)

This is a way to define an L3 MPLS VPN.

I think this can work, but it doesn't scale.

If next year another customer asks for the same treatment, you would need to deploy two other routers for him.

However, it is a possible solution that doesn't require learning, testing and implementing MPLS VPN services.

There is no absolute best choice, and the decision may require involving management.

Hope to help

Giuseppe
