BGP Prevent AS from being a Transit AS

Question, updated 5 months ago

I have a BGP setup that looks like this, and although it is working great for two WAN circuits (for redundancy), I would rather advertise only local routes. Currently, I am doing an AS prepend to load-balance the incoming traffic a little, and it is working great in that if I go to another site and do a traceroute, I can confirm the subnets come in from the proper eBGP neighbors. In fact, if I do it from a BGP-enabled router, it even shows the AS PATH in the traceroute.

This works perfectly fine thus far, but there is no filtering to advertise only local routes out:

router bgp
 local-as <my AS number>
 neighbor <eBGP Neighbor 1 IP> remote-as <ATT AS Number for our WAN>
 neighbor <eBGP Neighbor 2 IP> remote-as <SAME ATT AS Number as above for WAN>

 address-family ipv4 unicast
 redistribute connected
 neighbor <eBGP Neighbor 1 IP> route-map out PreferBGP-A
 neighbor <eBGP Neighbor 2 IP> route-map out PreferBGP-B
 exit-address-family

 address-family ipv6 unicast
 exit-address-family
!

route-map PreferBGP-A permit 10
 match ip address prefix-list Deliver-BGP-B
 set as-path prepend  <my AS number>
route-map PreferBGP-A permit 20
 match ip address prefix-list permitAny
!
route-map PreferBGP-B permit 10
 match ip address prefix-list Deliver-BGP-A
 set as-path prepend  <my AS number>
route-map PreferBGP-B permit 20
 match ip address prefix-list permitAny
!

ip prefix-list permitAny seq 5 permit 0.0.0.0/0 le 32
!
ip prefix-list Deliver-BGP-B seq 5 permit <a private local data subnet>/21
ip prefix-list Deliver-BGP-B seq 10 permit <a private local voice subnet>/23
ip prefix-list Deliver-BGP-B seq 15 permit <a private device quarantine subnet>/24
!
ip prefix-list Deliver-BGP-A seq 5 permit <a different local data subnet>/21
ip prefix-list Deliver-BGP-A seq 10 permit <a wireless data subnet>/21
ip prefix-list Deliver-BGP-A seq 15 permit <a wireless management subnet>/24
ip prefix-list Deliver-BGP-A seq 20 permit <a PCI compliance separation subnet>/28

If I do a

SwitchName# show ip bgp neighbors <eBGP Neighbor 2 IP> advertised-routes

I see at or about 400 advertised routes because it is learning my WAN from the first neighbor and advertising to the second neighbor.

While I doubt AT&T is going to use <my AS number> as a transit AS, since it surely has a longer AS path, I would rather not advertise what I learn from one neighbor to the other. That is, I want to advertise my local routes only.

What if I add this:

SwitchName(config)# ip as-path access-list Local-Only seq 5 permit ^$

and this:

SwitchName(config)# router bgp

SwitchName(config-bgp-router)# neighbor <eBGP Neighbor 1 IP> filter-list Local-Only out
SwitchName(config-bgp-router)# neighbor <eBGP Neighbor 2 IP> filter-list Local-Only out

Or what if I change the second entry of each route-map to no longer permit any, but instead:

route-map PreferBGP-A permit 10
 match ip address prefix-list Deliver-BGP-B
 set as-path prepend  <my AS number>
route-map PreferBGP-A permit 20
 match as-path Local-Only
!
route-map PreferBGP-B permit 10
 match ip address prefix-list Deliver-BGP-A
 set as-path prepend  <my AS number>
route-map PreferBGP-B permit 20
 match as-path Local-Only
!

Overall, this explains what I am trying to do:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/23675-27.html

I think I like the idea of the filter-list better:
https://networklessons.com/bgp/bgp-prevent-transit-as

Is there any issue with doing it either of these two ways? This just happens to be on a 6610-24F.

Thank you

NETWizz (213 Posts, 67 Reply Likes)

Posted 5 months ago
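To see why the `^$` as-path filter does what the question wants, here is a small Python model of the outbound policy from the post. It is an added example, not code from the thread or from the switch vendor: it replays a constructed BGP table (four locally originated subnets and two routes learned from the WAN, with placeholder ASNs 65010 for <my AS number> and 65500 for the AT&T AS) through the route-maps as written, through the proposed `filter-list Local-Only out`, and through the proposed `match as-path Local-Only` variant, then reports which advertised prefixes would make this site a transit AS. The prefix-list contents are invented stand-ins for the private subnets the post redacts, and the assumption that the filter-list and the route-map are both evaluated, with either able to deny, follows the usual Cisco-style ordering.

```python
import re
from ipaddress import ip_network

# Placeholder ASNs standing in for <my AS number> and the AT&T WAN AS in the post.
MY_AS = 65010
WAN_AS = 65500

# Constructed sample BGP table: (prefix, AS path as received). An empty AS path
# means the route is locally originated (here via "redistribute connected");
# a non-empty path means it was learned from one of the two eBGP neighbors.
SAMPLE_RIB = [
    ("10.1.0.0/21", []),                  # local data subnet, listed in Deliver-BGP-B
    ("10.1.8.0/23", []),                  # local voice subnet, listed in Deliver-BGP-B
    ("10.2.0.0/21", []),                  # different local data subnet, in Deliver-BGP-A
    ("10.3.0.0/24", []),                  # local subnet in neither prefix list
    ("172.16.0.0/21", [WAN_AS, 65020]),   # remote site learned via the WAN
    ("172.16.8.0/22", [WAN_AS, 65021]),   # another remote site learned via the WAN
]

# The post's prefix lists with constructed addresses: (network, le), where
# le=None means an exact prefix-length match, as in the post's Deliver-BGP-* entries.
PREFIX_LISTS = {
    "permitAny": [("0.0.0.0/0", 32)],
    "Deliver-BGP-B": [("10.1.0.0/21", None), ("10.1.8.0/23", None)],
    "Deliver-BGP-A": [("10.2.0.0/21", None)],
}

# ip as-path access-list Local-Only seq 5 permit ^$
LOCAL_ONLY = re.compile(r"^$")


def as_path_text(path):
    """Render an AS path the way the CLI prints it, so the regex applies as on the box."""
    return " ".join(str(asn) for asn in path)


def prefix_list_permits(name, prefix):
    """Evaluate one prefix-list against a prefix (first match wins, implicit deny)."""
    net = ip_network(prefix)
    for entry, le in PREFIX_LISTS[name]:
        covering = ip_network(entry)
        if le is None:
            if net == covering:
                return True
        elif net.subnet_of(covering) and net.prefixlen <= le:
            return True
    return False


def evaluate_route_map(route_map, prefix, path, seq20_local_only):
    """Return the AS path the neighbor would receive, or None if the route-map denies.

    PreferBGP-A prepends for prefixes in Deliver-BGP-B, PreferBGP-B for Deliver-BGP-A.
    seq20_local_only=False models the original "match ip address prefix-list permitAny";
    True models the proposed "match as-path Local-Only".
    """
    prepend_list = {"PreferBGP-A": "Deliver-BGP-B", "PreferBGP-B": "Deliver-BGP-A"}[route_map]
    # eBGP always inserts our own AS on the way out; the prepend adds a second copy.
    if prefix_list_permits(prepend_list, prefix):                      # seq 10
        return [MY_AS, MY_AS] + path
    if seq20_local_only:                                                 # seq 20 (proposed)
        if LOCAL_ONLY.match(as_path_text(path)):
            return [MY_AS] + path
    elif prefix_list_permits("permitAny", prefix):                       # seq 20 (original)
        return [MY_AS] + path
    return None  # implicit deny at the end of every route-map


def advertised_routes(route_map, rib=SAMPLE_RIB, filter_list=False, seq20_local_only=False):
    """Model what "show ip bgp neighbors <ip> advertised-routes" would list for one neighbor."""
    out = {}
    for prefix, path in rib:
        # "neighbor <ip> filter-list Local-Only out": drop anything with a non-empty path.
        if filter_list and not LOCAL_ONLY.match(as_path_text(path)):
            continue
        adv = evaluate_route_map(route_map, prefix, path, seq20_local_only)
        if adv is not None:
            out[prefix] = adv
    return out


def transit_prefixes(advertised):
    """Prefixes whose advertised AS path contains any AS other than our own.

    Anything returned here is a route learned elsewhere that we are offering as transit.
    """
    return sorted(p for p, path in advertised.items() if any(asn != MY_AS for asn in path))


if __name__ == "__main__":
    for label, kwargs in [("original", {}),
                          ("filter-list", {"filter_list": True}),
                          ("route-map seq 20 match as-path", {"seq20_local_only": True})]:
        adv = advertised_routes("PreferBGP-A", **kwargs)
        print(f"{label}: {len(adv)} routes advertised, transit leaks: {transit_prefixes(adv)}")
```

Running it shows the original policy advertising all six routes (the two WAN-learned ones with a path of 65010 65500 ...), while both proposed policies advertise only the four local subnets, with the prepend still applied where the prefix-lists say so. One difference worth knowing: in the route-map variant, seq 10 tests the prefix only, so a learned route that happened to match a Deliver-BGP-* entry would still be permitted and prepended, whereas the filter-list is applied on its own and blocks every non-empty AS path regardless of what the route-map does. That is the reason the filter-list form is the more robust "local only" guard.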

I should respond back and indicate I did this as a filter-list, and it worked very well.  I was announcing about 392 routes though locally I had 9 subnets at this site.

After the tweak, I checked each neighbor and it is only announcing local routes. The AS prepending I already have is still working perfectly.

I am checking with this:

sh ip bgp neighbors <ip of neighbor> advertised-routes