Thursday, March 18, 2010

BGP transit ASes and how to avoid them

How can you prevent your own BGP AS from becoming a transit path? This can be achieved with a distribute-list or a prefix-list. However, these methods do not scale well, as future IP addressing changes or additions require the access lists to be revisited.

BB1 ------ R1 (AS 101) ------- R2 (AS 101) ------- BB2

Here are 2 options that scale and do not require revisiting when IP addresses change.

OPTION 1 - Make use of the no-export community.

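Here I apply the no-export community to ALL incoming BGP routes.

! On R1: tag everything learned from BB1 with no-export
route-map NOEXPORT permit 10
 set community no-export
!
router bgp 101
 neighbor {ip addr BB1} route-map NOEXPORT in
 ! communities are only passed on to R2 if send-community is configured
 neighbor {ip addr R2} send-community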

OPTION 2 – Make use of the filter-list command

Here I create an as-path access list and only allow BGP routes originated in the router's own AS (AS 101) to be advertised out.

! ^$ matches an empty AS path, i.e. routes originated inside AS 101
ip as-path access-list 1 permit ^$
!
router bgp 101
 neighbor {ip addr BB2} filter-list 1 out

With both options, I use show ip bgp neighbors {ip address} advertised-routes to verify which routes are advertised.
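
The following Python model is an added example, not part of the original post. It walks a constructed route table through R1 and R2 to show what reaches BB2 under each option, and what leaks when send-community is left off in option 1. The prefixes, AS 65001/65002 and all function names are assumptions made for illustration.

```python
import re

NO_EXPORT = "no-export"  # well-known community 65535:65281

# Constructed BGP table on R1: (prefix, AS path, learned from BB1?).
# AS 65001/65002 and the prefixes are made-up sample values.
R1_TABLE = [
    ("192.0.2.0/24",    "",            False),  # originated inside AS 101
    ("198.51.100.0/24", "65001",       True),
    ("203.0.113.0/24",  "65001 65002", True),
]

def r1_to_r2(table, tag_no_export, send_community):
    """R1: inbound route-map on the BB1 session, then iBGP update to R2."""
    updates = []
    for prefix, as_path, from_bb1 in table:
        communities = {NO_EXPORT} if (from_bb1 and tag_no_export) else set()
        if not send_community:
            communities = set()  # communities are dropped without send-community
        updates.append((prefix, as_path, communities))
    return updates

def r2_to_bb2(updates, filter_list=None):
    """R2: decide what is advertised to the eBGP peer BB2."""
    advertised = []
    for prefix, as_path, communities in updates:
        if NO_EXPORT in communities:
            continue  # no-export: never advertise outside the local AS
        if filter_list and not re.search(filter_list, as_path):
            continue  # outbound filter-list: AS path must match the regex
        advertised.append(prefix)
    return advertised

def advertised_to_bb2(tag_no_export=False, send_community=False, filter_list=None):
    """End-to-end: what BB2 receives for a given combination of settings."""
    return r2_to_bb2(r1_to_r2(R1_TABLE, tag_no_export, send_community), filter_list)

if __name__ == "__main__":
    print("no protection               :", advertised_to_bb2())
    print("option 1                    :", advertised_to_bb2(True, True))
    print("option 1, no send-community :", advertised_to_bb2(True, False))
    print("option 2                    :", advertised_to_bb2(filter_list=r"^$"))
```

The model covers only the BB1 to BB2 direction shown in the configuration above.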
