New Member

Dual homed - BGP filtering

I am trying to figure out how to block BGP routes from one ISP so they are not distributed to a second ISP. The first ISP is providing full routes where the second is providing just default routes. BGP between me and the second ISP is not establishing and I think it may be because I am possibly redistributing routes from the first ISP to the second. I figure I need to create an ACL but I am not sure of the format given the number of routes. I am hoping there is something within BGP that I can specify?

10 REPLIES
Hall of Fame Super Bronze

Re: Dual homed - BGP filtering

The command ip as-path access-list 1 permit ^$ will block routes originated by other AS and it will only allow routes originated from you.

You need to link this ACL to a route-map and apply it in the neighbor statement under the BGP process in the outbound direction.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml

HTH,

__

Edison.

New Member

Re: Dual homed - BGP filtering

so if I have the following ...

router bgp 11725
 bgp log-neighbor-changes
 neighbor 64.132.245.25 remote-as 4323
 neighbor 68.152.201.177 remote-as 6383
 address-family ipv4
  neighbor 64.132.245.25 activate
  neighbor 68.152.201.177 activate
  no auto-summary
  synchronization
  network 206.197.1.0
 exit-address-family

I want to block redistribution of full routes from 6383 to 4323..

ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_

then under router bgp 11725...

neighbor 64.132.245.25 filter-list 1 out

It also looks like I am not redistributing my own network though.

Hall of Fame Super Bronze

Re: Dual homed - BGP filtering

The command I pointed out will prevent your router from becoming a 'transit' router between the 2 ISPs.

The ISPs you are connected to have their own BGP policy in place, so I doubt your router can become a 'transit' router - with that said, it doesn't hurt to apply those policies in your router as well.

Reading your initial message, I don't think your peering problem has anything to do with your connection to another ISP.

Have you worked with the ISP and seen if their BGP peering is pointing to you?

Based on the config you've posted, you are announcing network 206.197.1.0

Regarding the ip as-path access-list, I recommend using the command option I highlighted before.

__

Edison.

Please rate helpful posts

New Member

Re: Dual homed - BGP filtering

Here is the new config but when I look at the BGP stats I am not even sending them my 206.197.1.0 network.

router bgp 11725
 bgp log-neighbor-changes
 neighbor 64.132.245.25 remote-as 4323
 neighbor 64.132.245.25 description Link to Time Warner
 neighbor 68.152.201.177 remote-as 6383
 neighbor 68.152.201.177 description link to BellSouth
 !
 address-family ipv4
  neighbor 64.132.245.25 activate
  neighbor 64.132.245.25 filter-list 1 out
  neighbor 68.152.201.177 activate
  no auto-summary
  synchronization
  network 206.197.1.0
 exit-address-family

New Member

Re: Dual homed - BGP filtering

It looks like I have it working. At least the sh ip bgp ne looks better. I forgot to include a permit on the ip as-path access-list. Here is the one I have now...

ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_
ip as-path access-list 1 permit .*

For address family: IPv4 Unicast
  BGP table version 325826, neighbor version 325826/0
  Output queue size : 0
  Index 2, Offset 0, Mask 0x4
  2 update-group member
  Outbound path policy configured
  Outgoing update AS path filter list is 1
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               1          1 (Consumes 52 bytes)
    Prefixes Total:                 1          1
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          1
    Used as multipath:            n/a          0

Hall of Fame Super Bronze

Re: Dual homed - BGP filtering

Excellent !

__

Edison.

New Member

Re: Dual homed - BGP filtering

Thanks for the starting point ...

Brent

Hall of Fame Super Silver

Re: Dual homed - BGP filtering

Hello Brent,

You need to take care of what you send to AS 6383 also.

The ip as-path ACL suggested by colleagues has the advantage that it can be applied to multiple neighbors without any change, because it allows only the IP prefixes with an empty BGP AS path attribute, which are the locally generated prefixes = your own ones.

Otherwise a new, different as-path ACL has to be created for the second neighbor and so on.

Hope to help

Giuseppe

New Member

Re: Dual homed - BGP filtering

Hi-

You want to use an AS-PATH filter that will only advertise routes that originate from your AS.

Attached is a text file with a filter and BGP neighboring configuration that does this.

Best-

-jS

New Member

Re: Dual homed - BGP filtering

This is what finally worked ...

ip as-path access-list 1 deny ^6383$
ip as-path access-list 1 deny _6383_
ip as-path access-list 1 permit .*

The permit was needed so that my network would be advertised.
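
Added example (not part of any post in this thread, and not Cisco code): a small Python model of how the three as-path access-lists discussed above are evaluated on outbound updates, showing the implicit deny that hid 206.197.1.0 and why the deny-6383 list is specific to one neighbor while ^$ is not. The function names, the sample table, the 192.0.2.0/24 and 198.51.100.0/24 prefixes and AS 64500 are constructed for illustration; the "_" translation is a simplification of the IOS delimiter match.

```python
import re

def ios_to_py(pattern):
    # IOS "_" matches a delimiter: start, end, space, comma, brace or parenthesis.
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")

def filter_permits(acl, as_path):
    """First matching entry wins; a path matching no entry is denied
    (the implicit deny at the end of every as-path access-list)."""
    for action, pattern in acl:
        if re.search(ios_to_py(pattern), as_path):
            return action == "permit"
    return False

def advertised(acl, table):
    """Prefixes an outbound filter-list would let through. The AS path is
    tested as stored in the BGP table, before the local AS is prepended,
    so locally originated prefixes have an empty path."""
    return [prefix for prefix, path in table if filter_permits(acl, path)]

# Constructed BGP table for AS 11725: (prefix, AS path as received)
TABLE = [
    ("206.197.1.0", ""),                # own network, locally originated
    ("192.0.2.0/24", "6383"),           # originated by the full-routes ISP
    ("198.51.100.0/24", "6383 64500"),  # learned through the full-routes ISP
    ("0.0.0.0/0", "4323"),              # default from the other ISP
]

FIRST_ATTEMPT = [("deny", "^6383$"), ("deny", "_6383_")]
FINAL = FIRST_ATTEMPT + [("permit", ".*")]
OWN_ONLY = [("permit", "^$")]

if __name__ == "__main__":
    for name, acl in (("deny 6383 only", FIRST_ATTEMPT),
                      ("deny 6383 + permit .*", FINAL),
                      ("permit ^$", OWN_ONLY)):
        print(f"{name:24} -> {advertised(acl, TABLE)}")
```

The deny-based list still passes the route learned from AS 4323, so reusing it unchanged toward 68.152.201.177 would not stop those routes from being sent to AS 6383; the ^$ list passes only the empty-path prefix regardless of neighbor.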
