BGP Prevent AS from being a Transit AS

netwizz — Wed, 04 Mar 2020 13:53:13 GMT

I have a BGP setup that looks like this, and although it is working great for two WAN circuits (for redundancy), I would rather advertise only local routes though.. Currently, I am doing an AS Pre-Pend to load-balance the incoming traffic a little, and it is working great in that if I go to another site and do a traceroute, I can confirm the subnets come in from the proper eBGP neighbors. In fact, if I do it from a BGP enabled router, it even shows the AS PATH in the traceroute...

This works perfectly fine thus far but no filtering to only advertise local routes out:

router bgp
local-as
neighbor remote-as
neighbor remote-as

address-family ipv4 unicast
redistribute connected
neighbor route-map out PreferBGP-A
neighbor route-map out PreferBGP-B
exit-address-family

address-family ipv6 unicast
exit-address-family
!

route-map PreferBGP-A permit 10
match ip address prefix-list Deliver-BGP-B
set as-path prepend
route-map PreferBGP-A permit 20
match ip address prefix-list permitAny
!
route-map PreferBGP-B permit 10
match ip address prefix-list Deliver-BGP-A
set as-path prepend
route-map PreferBGP-B permit 20
match ip address prefix-list permitAny
!

ip prefix-list permitAny seq 5 permit 0.0.0.0/0 le 32
!
ip prefix-list Deliver-BGP-B seq 5 permit /21
ip prefix-list Deliver-BGP-B seq 10 permit /23
ip prefix-list Deliver-BGP-B seq 15 permit /24
!
ip prefix-list Deliver-BGP-A seq 5 permit /21
ip prefix-list Deliver-BGP-A seq 10 permit /21
ip prefix-list Deliver-BGP-A seq 15 permit /24
ip prefix-list Deliver-BGP-A seq 20 permit /28

If I do a

SwitchName# show ip bgp neighbors advertised-routes

I see at or about 400 advertised routes because it is learning my WAN from the first neighbor and advertising to the second neighbor.

While I doubt AT&T is going to set as a Transit AS being it surely has a longer AS path, I would rather not advertise what I learn from one neighbor to the other. That is I want to advertise my Local-Only out.

What if I add this:

SSH@SwitchName(config)# ip as-path access-list Local-Only seq 5 permit ^$

and this:

SSH@SwitchName(config)#router bgp

SSH@SwitchName(config-bgp-router)#neighbor filterlist Local-Only out
SSH@SwitchName(config-bgp-router)#neighbor filterlist Local-Only out

Or what if I change the second line of my route-map to no longer permit any but instead:

route-map PreferBGP-A permit 10
match ip address prefix-list Deliver-BGP-B
set as-path prepend
route-map PreferBGP-A permit 20
match as-path Local-Only
!
route-map PreferBGP-B permit 10
match ip address prefix-list Deliver-BGP-A
set as-path prepend
route-map PreferBGP-B permit 20
match as-path Local-Only
!

Overall, this explains what I am trying to do:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/23675-27.html

I think I like the idea of the filter-list better:
https://networklessons.com/bgp/bgp-prevent-transit-as

Is there any issue with doing it either of these two ways? This just happens to be on a 6610-24F

Thank you

Re: BGP Prevent AS from being a Transit AS

netwizz — Thu, 12 Mar 2020 16:42:46 GMT

I should respond back and indicate I did this as a filter-list, and it worked very well. I was announcing about 392 routes though locally I had 9 subnets at this site.

After the tweak, I checked each neighbor and it is only announcing local routes. The AS Pretending I already have is still working perfect.

I am checking with this:

sh ip bgp neighbors advertised-routes

topic Re: BGP Prevent AS from being a Transit AS in ICX Switches

BGP Prevent AS from being a Transit AS

Re: BGP Prevent AS from being a Transit AS