Wed, Mar 4, 2020 1:53 PM

BGP Prevent AS from being a Transit AS

I have a BGP setup that looks like this, and although it is working great for two WAN circuits (for redundancy), I would rather advertise only local routes, though. Currently, I am doing an AS prepend to load-balance the incoming traffic a little, and it is working great in that if I go to another site and do a traceroute, I can confirm the subnets come in from the proper eBGP neighbors. In fact, if I do it from a BGP-enabled router, it even shows the AS PATH in the traceroute...

This works perfectly fine thus far, but there is no filtering to advertise only local routes out:


router bgp
 local-as
 neighbor remote-as
 neighbor remote-as

 address-family ipv4 unicast
 redistribute connected
 neighbor  route-map out PreferBGP-A
 neighbor  route-map out PreferBGP-B
 exit-address-family

 address-family ipv6 unicast
 exit-address-family
!


route-map PreferBGP-A permit 10
 match ip address prefix-list Deliver-BGP-B
 set as-path prepend  
route-map PreferBGP-A permit 20
 match ip address prefix-list permitAny
!
route-map PreferBGP-B permit 10
 match ip address prefix-list Deliver-BGP-A
 set as-path prepend  
route-map PreferBGP-B permit 20
 match ip address prefix-list permitAny
!

ip prefix-list permitAny seq 5 permit 0.0.0.0/0 le 32
!
ip prefix-list Deliver-BGP-B seq 5 permit /21
ip prefix-list Deliver-BGP-B seq 10 permit /23
ip prefix-list Deliver-BGP-B seq 15 permit /24
!
ip prefix-list Deliver-BGP-A seq 5 permit /21
ip prefix-list Deliver-BGP-A seq 10 permit /21
ip prefix-list Deliver-BGP-A seq 15 permit /24
ip prefix-list Deliver-BGP-A seq 20 permit /28


If I do a

SwitchName# show ip bgp neighbors  advertised-routes

I see at or about 400 advertised routes because it is learning my WAN from the first neighbor and advertising it to the second neighbor.

While I doubt AT&T is going to use  as a Transit AS, since it surely has a longer AS path, I would rather not advertise what I learn from one neighbor to the other. That is, I want to advertise my Local-Only routes out.


What if I add this:

[email protected](config)# ip as-path access-list Local-Only seq 5 permit ^$

and this:

[email protected](config)#router bgp

[email protected](config-bgp-router)#neighbor  filterlist Local-Only out
[email protected](config-bgp-router)#neighbor  filterlist Local-Only out
Or what if I change the second line of my route-map to no longer permit any but instead:

route-map PreferBGP-A permit 10
 match ip address prefix-list Deliver-BGP-B
 set as-path prepend  
route-map PreferBGP-A permit 20
 match as-path Local-Only
!
route-map PreferBGP-B permit 10
 match ip address prefix-list Deliver-BGP-A
 set as-path prepend  
route-map PreferBGP-B permit 20
 match as-path Local-Only
!


Overall, this explains what I am trying to do:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/23675-27.html


I think I like the idea of the filter-list better:
https://networklessons.com/bgp/bgp-prevent-transit-as

Is there any issue with doing it either of these two ways? This just happens to be on a 6610-24F.

Thank you

Responses

9 months ago

I should respond back and indicate I did this as a filter-list, and it worked very well. I was announcing about 392 routes, though locally I had 9 subnets at this site.

After the tweak, I checked each neighbor and it is only announcing local routes. The AS prepending I already have is still working perfectly.

I am checking with this:

sh ip bgp neighbors advertised-routes