BGP Transit AS


Hello !

I wanted to write this because it is one of those BGP issues that network engineers do not look into until it’s too late, and I’m saying this based on real-life experience.

Imagine our company offices consist of R1, R2, R3 and R4.
Let’s say :
Office R1 – UK
Office R2 – US
Office R3 – Australia
You’ve signed up with 3 different ISPs: BB1, BB2 and BB3.

[diagram: BGP_TRANSIT_AS]

This concept is the idea of avoiding becoming a transit AS.
R1 EBGP peers with BB1 and sends all the routes learned from it to its IBGP peers R3 and R4
R3 EBGP peers with BB3 and sends all the routes learned from it to its IBGP peers R1 and R4
R4 EBGP peers with BB2 and sends all the routes learned from it to its IBGP peers R1 and R3

R1 learns the 64.0.0.0 network from BB1

[screenshot: R1_BB1]

R3 learns the 102.0.0.0 network from BB3

[screenshot: R3_BB3]

R4 learns the 202.0.0.0 network from BB2

[screenshot: R4_BB2]

 

and of course R1 advertises to BB1 anything it learns from R3 and R4, and so on …

Then what will happen is that R1, R3 and R4 will turn around and send the information learned from their IBGP peers to their directly connected backbone EBGP ISP peers. You see the idea?

So our company’s AS will end up becoming an advertising mechanism between these ISPs, which in 99% of the cases is something we do not want to happen.

If the ISPs representing BB1, BB2 and BB3 are not directly peering with each other, we may all of a sudden become a better path available to them. That of course means that your company will start carrying their traffic, which can result in congestion, a slow network, user complaints in your company, etc …

So firstly, in the CCIE R&S lab you will most likely be asked to make sure that this does not happen, and secondly, in the real world, before connecting to your ISPs think of the same thing: do not let them use your network as a transit path! Well, unless you want that, which is a different story 🙂

There are 4 different methods available to us, and they boil down to:
EASY BUT NOT SCALABLE
DISTRIBUTE LIST, which calls an ACL – you have to revisit it every time anything changes
PREFIX LIST, which calls an IP prefix-list – you have to revisit it every time anything changes

NOT VERY EASY BUT SCALABLE
COMMUNITIES – in our case the no-export community, the idea being that I tag every route on its way into our AS as no-export
FILTER-LIST, which calls BGP regular expressions

TASK LIST
Make sure that routes R1 learns from BB1 DO NOT get advertised to BB2 and BB3 – use Communities
Make sure that routes R3 learns from BB3 DO NOT get advertised to BB1 and BB2 – use Filter-List
Make sure that routes R4 learns from BB2 DO NOT get advertised to BB1 and BB3 – use Distribute List or Prefix-List

—————————————————————————————————-

COMMUNITIES
R1(config)#ip bgp-community new-format
R1(config)#route-map EXPORTS permit 10
R1(config-route-map)#set community no-export
R1(config-route-map)#router bgp 1001
R1(config-router)#neigh 100.100.100.100 route-map EXPORTS in
R1(config-router)#neigh 200.0.0.3 send-community
R1(config-router)#neigh 200.0.0.4 send-community

We are not matching anything because we want to TAG all routes, and we do not care if it’s 10 routes today and 1153 tomorrow. That is why this option is scalable: it would be almost impossible to accomplish the same with a distribute-list or prefix-list, which is why those are not scalable.

Implement communities as seen above, and now we check a random route that R1 learns from BB1, as seen on R3 and R4:

[screenshot: R1_R3_COMM_TEST]

[screenshot: R1_R4_COMM_TEST]

As you can see it is tagged as “no-export”, and neither R3 nor R4 sends that information to its EBGP peers.

—————————————————————————————————-

FILTER-LIST
R3(config)#ip as-path access-list 1 permit ^$
R3(config)#router bgp 1001
R3(config-router)#neigh 100.100.250.250 filter-list 1 out
R3(config-router)#do clear ip bgp * so
R3(config-router)#do sh ip bgp nei 100.100.250.250 adver

Total number of prefixes 0

By the way, the RegEx ^$ matches an empty AS path only, which is why R3 is not sending any routes that have an AS path.

Which is exactly what we want! We will only be sending routes that we originate. In this case we do not have any, but go ahead and create one or two loopbacks, advertise them into BGP and again issue the “sh ip bgp nei 100.100.250.250 adver” command. You should only see these two routes being sent out, but not the routes that R1 learns from BB1 and sends to you, or the routes that R4 learns from BB2 and sends to you, for that matter.

That is why the two options above are scalable: once you implement them you do not have to touch them again, unlike what you most likely would have to do with a distribute-list or prefix-list.

—————————————————————————————————-

DISTRIBUTE-LIST
R4(config)#access-list 50 deny 102.0.0.0 0.0.255.255
R4(config)#router bgp 1001
R4(config-router)#neigh 100.100.200.200 distribute-list 50 out
R4(config)#do clear ip bgp * so
R4(config)#do sh ip bgp ne 100.100.200.200 adver

Total number of prefixes 0

Exactly what we want, but bear in mind that if one of the BB routers starts advertising some other network besides 64.0.0.0, 102.0.0.0 or 202.0.0.0, we are going to have to revisit our access-list and modify it, because if we don’t we might end up being a transit AS between these backbone ISPs.

—————————————————————————————————-

PREFIX-LIST
R4(config)#ip prefix-list DONTSEND deny 102.0.0.0/16
R4(config)#router bgp 1001
R4(config-router)#neigh 100.100.200.200 prefix-list DONTSEND out
R4(config)#do clear ip bgp * so
R4(config)#do sh ip bgp ne 100.100.200.200 adver

Total number of prefixes 0

And again, exactly what we expect! Note that both the access-list and the prefix-list end with an implicit deny, so any prefixes you originate yourself (such as the loopbacks from the filter-list test) must be explicitly permitted, or they will be filtered out as well.
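To make the four behaviours concrete, here is a small Python model, added here and not part of the original post or the lab configs: it applies the no-export tag, the ^$ AS-path filter and a prefix-list with IOS’s implicit deny to a constructed RIB built from the post’s prefixes (the 10.3.3.0/24 loopback and the AS numbers 7001-7003 are assumptions).

```python
import re
from dataclasses import dataclass, field
# Constructed model (not from the post) of what one border router, R3,
# would advertise to its ISP under each filtering method. Prefixes and
# ISP names follow the post; the AS numbers 7001-7003 are made up.
@dataclass
class Route:
    prefix: str
    as_path: list                 # [] means originated inside our AS
    learned_from: str             # ISP the route entered our AS from, "" if local
    communities: set = field(default_factory=set)

def build_rib():
    return [
        Route("64.0.0.0/8", [7001], "BB1"),    # learned by R1, relayed over iBGP
        Route("102.0.0.0/16", [7003], "BB3"),  # R3's own ISP
        Route("202.0.0.0/8", [7002], "BB2"),   # learned by R4, relayed over iBGP
        Route("10.3.3.0/24", [], ""),          # loopback originated by R3 (assumed)
    ]

def tag_no_export_in(rib, isp):
    """'route-map EXPORTS in' + 'set community no-export' on neighbour isp."""
    for r in rib:
        if r.learned_from == isp:
            r.communities.add("no-export")
    return rib

def advertise_ebgp(rib):
    """What an eBGP peer receives once no-export is honoured."""
    return [r.prefix for r in rib if "no-export" not in r.communities]

def filter_list_out(rib, regex=r"^$"):
    """'ip as-path access-list 1 permit ^$': only an empty AS path passes."""
    pat = re.compile(regex)
    return [r.prefix for r in rib if pat.search(" ".join(map(str, r.as_path)))]

def prefix_list_out(rib, entries):
    """Sequential evaluation with IOS's implicit deny at the end.
    entries: [("deny", "102.0.0.0/16"), ...]; exact-prefix match only."""
    allowed = []
    for r in rib:
        verdict = "deny"              # nothing matched -> implicit deny
        for action, pfx in entries:
            if pfx == r.prefix:
                verdict = action
                break
        if verdict == "permit":
            allowed.append(r.prefix)
    return allowed
```

Against build_rib(), communities (tagged on all three ISP neighbours) and the filter-list both leave only 10.3.3.0/24 for the ISP, a prefix-list that only denies leaves nothing, and adding a permit for the local prefix brings 10.3.3.0/24 back.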

—————————————————————————————————-

Go ahead and create this lab based on the GNS3 file below, load up the initial configs and see what happens.

GNS3 – Net_file

Initial configs : Intial_conf_all_routers

Enjoy !

Tom
