
How do I stop BGP from sending full routing tables to my provider?

benrad
Level 1

I currently have 2 3725s multi-homed to 2 different ISPs. Everything's been working fine, but recently one of the ISPs had me change their session for a hardware upgrade. They require that I NOT send the full routing tables from my router, but they can't/don't feel like telling me how to properly configure the filter. I'm pretty green when it comes to BGP, so I'm trying to figure out how to keep the router from sending the routing table to my provider. I created a filter for our IP block, but that didn't seem to work. Do I need to do anything else? Should I create a "deny" filter for everything else? Can anyone enlighten me?

Thanks.


tdrais
Level 7

BGP has lots of ways to do the same thing.

You could match an as-path of ^$, which means you originated them.

You could match the address ranges with a route-map.

You could set the community on the routes as they came in from the providers to no-export so they do not get sent out.

There are probably more.

In addition to Tim's post, check the link below for samples.

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009456d.shtml

Please post your config if there is still a problem. Let's help to troubleshoot it.

Hope this helps.

Just create a simple route-map and advertise the required subnets to the upstream:

! ACL 1 lists the subnets to advertise
access-list 1 permit
!
! Route-map that permits only what ACL 1 matches
route-map filter-block permit 10
 match ip address 1
!
router bgp 100
 neighbor x.x.x.x remote-as 200
 neighbor x.x.x.x route-map filter-block out

HTH

Narayan

adrian.chadd
Level 1

I'd suggest a two-pronged approach - use filter-lists to control which ASes you advertise out and use distribute-lists to control which subnets to advertise out.

It avoids the strangest of routing issues from cropping up (which probably won't in your setup) - for example, if you hear about one of your customer networks via another AS then the subnet will match the distribute list but not be originated from you.

Here's an example:

router bgp X
 neighbor 1.2.3.4 remote-as 1234
 ! Limit advertised prefixes to the listed subnets
 neighbor 1.2.3.4 distribute-list ANNOUNCE-TRANSIT out
 ! Limit advertised routes to locally originated ones
 neighbor 1.2.3.4 filter-list 10 out
!
ip as-path access-list 10 permit ^$
ip as-path access-list 10 deny .*
ip access-list standard ANNOUNCE-TRANSIT
 permit 10.0.0.0 0.0.0.255
 permit 10.0.10.0 0.0.0.255
!

This way you lock down which subnets you're announcing and originating from.

You can check what you're announcing by using "show ip bgp nei adv".
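Added example (not part of the original thread): a small Python model of the filter-list and distribute-list from the post above, showing which routes each filter drops on its own, including the case of a listed subnet heard via another AS. The sample table, its AS numbers and the helper names are constructed for illustration.

```python
import ipaddress
import re

# Policy from the post above: filter-list 10 and distribute-list ANNOUNCE-TRANSIT.
AS_PATH_ACL = [("permit", r"^$"), ("deny", r".*")]
PREFIX_ACL = [("permit", "10.0.0.0", "0.0.0.255"),
              ("permit", "10.0.10.0", "0.0.0.255")]

def as_path_permits(as_path, acl=AS_PATH_ACL):
    """First matching entry wins; no match is an implicit deny."""
    for action, pattern in acl:
        if re.search(pattern, as_path):
            return action == "permit"
    return False

def prefix_permits(prefix, acl=PREFIX_ACL):
    """Standard ACL: compare the network address, ignoring wildcard bits."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False

def outbound_decision(prefix, as_path):
    """Return 'advertise' or the name of the filter(s) that drop the route."""
    dropped_by = []
    if not as_path_permits(as_path):
        dropped_by.append("filter-list")
    if not prefix_permits(prefix):
        dropped_by.append("distribute-list")
    return "advertise" if not dropped_by else "drop: " + "+".join(dropped_by)

# Constructed BGP table entries (prefix, AS path as seen locally); not real routes.
SAMPLE_TABLE = [
    ("10.0.0.0/24", ""),                 # locally originated, listed
    ("10.0.10.0/24", "64501"),           # listed prefix heard via another AS
    ("172.16.5.0/24", ""),               # locally originated, not listed
    ("198.51.100.0/24", "64500 64510"),  # learned from the other ISP
]

def audit(table=SAMPLE_TABLE):
    return {prefix: outbound_decision(prefix, path) for prefix, path in table}

if __name__ == "__main__":
    for prefix, verdict in audit().items():
        print(f"{prefix:18} {verdict}")
```

As modelled here, the standard ACL compares only the network address, so a more-specific prefix such as 10.0.0.128/25 also passes the distribute-list.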

keduncan
Level 1

Remove the redistribute command under BGP.

Add a static route to null0 for the route you want to advertise to the ISP.

Add a network statement to BGP with the route and mask you want to advertise to the ISP.

Example:

ip route 207.1.0.0 255.255.0.0 null0
!
router bgp 1111
 network 207.1.0.0 mask 255.255.0.0
 no redistribute

m-geisler
Level 1

All these ways should work, but there is one more thing. BGP doesn't send updates/withdraw routes when you change your policies!

i.e. after configuring one of the above mentioned filters and assigning it to the appropriate neighbor, you also have to

'clear ip bgp x.x.x.x'

where x.x.x.x is the BGP neighbour addr.

Try to add 'soft out' first!

Mike

prabha07042000
Level 1

Hi all,

Please tell me why the ISP is not doing this?

Why do we need to create an access-list instead of the ISP restricting out routes?

The ISPs likely don't filter out (to client) because client likely wants their Internet routes.

ISPs could, and perhaps should, filter in (from client) routes, but it's more efficient (for ISPs) for client to filter routes.  I.e. why should ISPs use their CPU cycles filtering routes they shouldn't be receiving?

A slightly different perspective is that if the ISP were to filter routes advertised by the customer then the ISP is creating and enforcing a policy for customer routes. How does the ISP know exactly what routes the customer should advertise? How would the ISP know if there were some change in the customer network that meant a new route was added or that an existing route should be removed?

HTH

Rick

Rick is correct, although any ISP would likely not accept whatever a client sends to them without some sanity enforcement. Usually what both ISPs and their clients desire is for the client NOT to be a transient between the ISPs.
