Prevent BGP transit AS

By default, a BGP router advertises every best path in its BGP table to its external BGP (eBGP) neighbours, including routes it has learnt from other eBGP neighbours. When a router is dual homed to two or more ISPs using BGP, the local router can therefore become a transit AS between those ISPs unless it is explicitly configured to prevent this.

There are several methods available to prevent a BGP router from becoming a transit AS. These include:

  • AS Path filtering
  • Distribute list filtering
  • No export community
  • Prefix-list filtering

This post walks through the configuration of each of these BGP transit AS preventative measures. The figure below shows the topology used; as the configurations and outputs show, the local router (AS 100) peers with an ISP router at 1.1.1.2 (AS 200) and with ISP-2 at 2.2.2.3 (AS 300), ISP-2 also peers with AS 400 (5.5.5.4), which originates 4.4.4.0/24, and the local router originates 192.168.250.0/30 and 192.168.251.0/30.

AS Path

AS path filtering with a filter-list ensures the router only advertises prefixes originated in its own AS. The filter-list uses the regular expression ^$, which matches an empty string: a route whose AS_PATH is empty was originated locally (or by another router in the same AS, since iBGP does not prepend the AS number), whereas anything learnt from an eBGP neighbour carries at least that neighbour's AS number. IOS evaluates the filter against the AS_PATH as held in the BGP table, before the local AS is prepended to the outbound update. Applied outbound to each neighbour, the filter-list permits only the matching routes, so routes learnt from one ISP are never re-advertised to the other and the router does not become a transit AS.

ip as-path access-list 1 permit ^$
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 1.1.1.2 remote-as 200
 neighbor 2.2.2.3 remote-as 300
 !
 address-family ipv4
  neighbor 1.1.1.2 activate
  neighbor 1.1.1.2 filter-list 1 out
  neighbor 2.2.2.3 activate
  neighbor 2.2.2.3 filter-list 1 out
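The following Python is an added example and is not configuration or code from the original post. It emulates how the ^$ filter-list behaves on the outbound update (regex tested against the stored AS_PATH, then the local AS prepended) and adds the check a practitioner wants on a router already in service: parse the output of "show ip bgp neighbors <ip> advertised-routes" and flag any advertised prefix whose Path column is not empty. The BGP table and the show output below are constructed to match the page's topology; the parser assumes IPv4 prefixes that fit in the Network column.

```python
import re
from typing import List, Tuple

LOCAL_AS = 100

# Constructed BGP table for the local router (AS 100), as the page's topology
# implies: two locally originated /30s and a prefix learnt from the AS 200 peer
# that AS 400 originates. Each entry is (prefix, AS_PATH as IOS stores it).
LOCAL_TABLE: List[Tuple[str, str]] = [
    ("192.168.250.0/30", ""),    # locally originated: empty AS_PATH
    ("192.168.251.0/30", ""),
    ("4.4.4.0/24", "200 400"),   # eBGP-learnt: re-advertising it makes us transit
]


def filter_list_permits(as_path: str, regex: str) -> bool:
    """Emulate 'ip as-path access-list N permit <regex>' with the implicit deny.

    The regex is evaluated against the AS_PATH held in the BGP table, before the
    local AS is prepended to the outbound update, so '^$' is true only for
    routes originated inside the local AS.
    """
    return re.search(regex, as_path) is not None


def advertised(table: List[Tuple[str, str]], regex: str,
               local_as: int = LOCAL_AS) -> List[Tuple[str, str]]:
    """Outbound eBGP update under 'neighbor X filter-list N out': filter, then
    prepend the local AS as eBGP does."""
    return [(prefix, f"{local_as} {as_path}".strip())
            for prefix, as_path in table
            if filter_list_permits(as_path, regex)]


# Check for a router already in service: parse 'show ip bgp neighbors <ip>
# advertised-routes' and flag every advertised prefix whose Path column is not
# empty, because such a route was learnt from another AS. The excerpt below is
# constructed, laid out as IOS prints it. Columns are located from the header
# line because the Metric and LocPrf fields may be blank.
ADVERTISED_SAMPLE = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>  4.4.4.0/24       1.1.1.2                                0 200 400 i
 *>  192.168.250.0/30 0.0.0.0                  0         32768 i
 *>  192.168.251.0/30 0.0.0.0                  0         32768 i
"""


def transit_leaks(show_output: str) -> List[Tuple[str, str]]:
    """Return (prefix, AS_PATH) for each advertised route learnt from another AS.
    Assumes IPv4 prefixes that fit inside the Network column."""
    lines = show_output.splitlines()
    hdr = next(i for i, line in enumerate(lines) if "Network" in line and "Path" in line)
    net_col = lines[hdr].index("Network")
    nh_col = lines[hdr].index("Next Hop")
    path_col = lines[hdr].index("Path")
    leaks, last_prefix = [], ""
    for line in lines[hdr + 1:]:
        if not line.strip():
            continue
        prefix = line[net_col:nh_col].strip() or last_prefix  # blank on extra paths
        last_prefix = prefix
        as_path = line[path_col:].split()[:-1]  # drop the origin code (i, e or ?)
        if as_path:
            leaks.append((prefix, " ".join(as_path)))
    return leaks


if __name__ == "__main__":
    print(advertised(LOCAL_TABLE, r"^$"))    # only the two /30s, each with path '100'
    print(transit_leaks(ADVERTISED_SAMPLE))  # [('4.4.4.0/24', '200 400')]
```

Running advertised() with a permit-everything regex such as .* reproduces the default behaviour, where 4.4.4.0/24 leaves with the path 100 200 400; with ^$ only the two /30s are sent. transit_leaks() can be run over the real advertised-routes output for each eBGP neighbour after any change to outbound policy.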

Before the filter is applied on the local router, we can see the ISP-2 router has two paths to 4.4.4.0/24: one via the local router (AS path 100 200 400) and one directly via AS 400.

ISP-2#show ip bgp
BGP table version is 12, local router ID is 172.21.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,

Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop            Metric LocPrf   Weight Path
*    4.4.4.0/24       2.2.2.1                                0      100 200 400 i
*>                    5.5.5.4                  0             0      400 i

With the filter applied on the local router, the ISP-2 router no longer has the second path via AS 100, so the local router is no longer a transit AS.

ISP-2#show ip bgp
BGP table version is 14, local router ID is 172.21.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,

Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop            Metric LocPrf Weight Path
 *>   4.4.4.0/24       5.5.5.4                  0            0 400 i 

No Export Community

Once configured, the well-known no-export community is set on every route the local router learns from the ISP routers. A route carrying no-export is still advertised to iBGP neighbours inside the AS, but it is never exported to an eBGP neighbour, so the local router (and any other border router in AS 100 that receives the tagged route) will not re-advertise the ISP routes to other ASes.

A route-map with "set community no-export" is applied to each neighbour in the inbound direction, tagging the routes learnt from the ISP routers. Two points are worth noting: without the additive keyword the set statement replaces any communities the ISP attached to the route, and IOS does not send communities to a neighbour unless "neighbor <ip> send-community" is configured, so if the AS has more than one border router the iBGP sessions between them need send-community for the tag to be honoured there.

route-map NO-EXPORT permit 10
 set community no-export
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 1.1.1.2 remote-as 200
 neighbor 2.2.2.3 remote-as 300
 !
 address-family ipv4
  neighbor 1.1.1.2 activate
  neighbor 1.1.1.2 route-map NO-EXPORT in
  neighbor 2.2.2.3 activate
  neighbor 2.2.2.3 route-map NO-EXPORT in

With the no-export community set, the local router advertises only its own routes to the ISPs and is no longer a transit AS. This can be verified on the local router with "show ip bgp community no-export", which lists the tagged routes, and with "show ip bgp neighbors 1.1.1.2 advertised-routes", which should now list only the locally originated prefixes.
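The following Python is an added example, not code from the original post. It models the no-export approach described above: the inbound route-map tags the ISP routes, an eBGP peer never receives a tagged route, an iBGP peer still does, and the tag only survives the iBGP hop when send-community is configured. The routes, the second border router and the ISP-assigned community 200:100 are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Well-known communities from RFC 1997 as 32-bit values. IOS prints 0xFFFFFF01
# as 'no-export', or 65535:65281 with 'ip bgp-community new-format'.
NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02


def as_new_format(community: int) -> str:
    """Render a community as ASN:value, the way IOS new-format shows it."""
    return f"{community >> 16}:{community & 0xFFFF}"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: str
    communities: FrozenSet[int] = frozenset()


def set_community_no_export(route: Route, additive: bool) -> Route:
    """Emulate 'set community no-export [additive]' in an inbound route-map.
    Without 'additive', IOS replaces whatever communities the ISP attached."""
    comms = route.communities | {NO_EXPORT} if additive else frozenset({NO_EXPORT})
    return Route(route.prefix, route.as_path, comms)


def send_update(route: Route, peer_is_ebgp: bool, send_community: bool) -> Optional[Route]:
    """The copy of a route a neighbour receives, or None if it is withheld.
    NO_EXPORT withholds the route from eBGP peers only, NO_ADVERTISE from all
    peers, and communities travel only when 'neighbor <ip> send-community' is set."""
    if NO_ADVERTISE in route.communities:
        return None
    if NO_EXPORT in route.communities and peer_is_ebgp:
        return None
    comms = route.communities if send_community else frozenset()
    return Route(route.prefix, route.as_path, comms)


def advertised_prefixes(table: List[Route], peer_is_ebgp: bool,
                        send_community: bool) -> List[str]:
    """Prefixes a given neighbour actually receives from this table."""
    out = []
    for route in table:
        update = send_update(route, peer_is_ebgp, send_community)
        if update is not None:
            out.append(update.prefix)
    return out


# Constructed input: what the local router learns from its two ISPs (one route
# carrying a hypothetical ISP-assigned community 200:100) plus its own prefixes.
ISP_LEARNT = [
    Route("4.4.4.0/24", "200 400", frozenset({(200 << 16) | 100})),
    Route("5.5.5.0/24", "300"),
]
OWN = [Route("192.168.250.0/30", ""), Route("192.168.251.0/30", "")]


def tagged_table(additive: bool = True) -> List[Route]:
    """The local BGP table after the inbound route-map has run on the ISP routes."""
    return [set_community_no_export(r, additive) for r in ISP_LEARNT] + OWN


def second_border_router_exports(ibgp_send_community: bool) -> List[str]:
    """Border router A passes its table to border router B over iBGP; return what
    B then advertises to its own eBGP peer (B has send-community towards that peer)."""
    received_by_b = []
    for route in tagged_table():
        update = send_update(route, peer_is_ebgp=False, send_community=ibgp_send_community)
        if update is not None:
            received_by_b.append(update)
    return advertised_prefixes(received_by_b, peer_is_ebgp=True, send_community=True)


if __name__ == "__main__":
    print(advertised_prefixes(tagged_table(), peer_is_ebgp=True, send_community=True))
    print(second_border_router_exports(ibgp_send_community=True))   # the two /30s only
    print(second_border_router_exports(ibgp_send_community=False))  # ISP routes leak
```

The single-router case sends the ISPs nothing but the two /30s. The two-router case shows why send-community matters on the iBGP session: without it, router B receives the ISP routes untagged and exports them, which is exactly the transit behaviour the route-map was meant to stop.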

Distribute List

With a distribute-list you use a standard access control list to define (permit) exactly which routes are advertised to peers; any new route to be advertised must be explicitly added to the access-list, and any route not explicitly permitted hits the implicit deny and is not advertised. Note that a standard ACL compares only the network address against the wildcard mask and cannot test the prefix length: 192.168.250.0 0.0.0.255 permits 192.168.250.0/30, but it would equally permit a 192.168.250.0/24 or 192.168.250.128/25 route if one appeared in the table. When the length matters, use a prefix-list.

access-list 1 permit 192.168.250.0 0.0.0.255
access-list 1 permit 192.168.251.0 0.0.0.255
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 1.1.1.2 remote-as 200
 neighbor 2.2.2.3 remote-as 300
 !
 address-family ipv4
  neighbor 1.1.1.2 activate
  neighbor 1.1.1.2 distribute-list 1 out
  neighbor 2.2.2.3 activate
  neighbor 2.2.2.3 distribute-list 1 out

Prior to the distribute-list being configured, we can see the ISP-2 router receives 4.4.4.0/24 via the local router (AS path 100 200 400) as well as directly via AS 400, together with the local router's 192.168.250.0/30 and 192.168.251.0/30 routes.

ISP-2#show ip bgp
BGP table version is 44, local router ID is 172.21.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network            Next Hop     Metric LocPrf Weight Path
*    4.4.4.0/24         2.2.2.1          0                100 200 400 i
*>                      5.5.5.4          0              0 400 i
*>   5.5.5.0/24         0.0.0.0          0                32768 i
*>   192.168.250.0/30   2.2.2.1          0              0 100 i
*>   192.168.251.0/30   2.2.2.1          0              0 100 i

Once the distribute-list is configured, ISP-2 no longer receives the 4.4.4.0/24 route from the local router (AS 100), so the local router is no longer a transit AS. The second path ISP-2 now shows for each /30, via 5.5.5.4 with AS path 400 200 100, is AS 100's own prefix reaching ISP-2 the long way round through AS 200 and AS 400; that is expected and is not transit.

ISP-2#show ip bgp
BGP table version is 48, local router ID is 172.21.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network             Next Hop            Metric LocPrf Weight Path
*>   4.4.4.0/24          5.5.5.4                  0             0 400 i
*>   5.5.5.0/24          0.0.0.0                  0         32768 i
*    192.168.250.0/30    5.5.5.4                                0 400 200 100 i
*>                       2.2.2.1                  0             0 100 i
*    192.168.251.0/30    5.5.5.4                                0 400 200 100 i
*>                       2.2.2.1                  0             0 100 i 

Prefix List

With a prefix-list you define exactly which routes are advertised to peers; any new route to be advertised must be explicitly added to the prefix-list, and anything else is dropped by the implicit deny. Unlike a standard ACL, a prefix-list entry matches the prefix length as well as the network address: 192.168.250.0/30 matches only that exact /30 unless ge or le is used to allow a range of lengths.

The prefix-list defines the route(s) to be advertised and is applied to each neighbour in the outbound direction, so only routes matching the prefix-list are advertised.

ip prefix-list FILTER seq 10 permit 192.168.250.0/30
ip prefix-list FILTER seq 15 permit 192.168.251.0/30
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 1.1.1.2 remote-as 200
 neighbor 2.2.2.3 remote-as 300
 !
 address-family ipv4
  neighbor 1.1.1.2 activate
  neighbor 1.1.1.2 prefix-list FILTER out
  neighbor 2.2.2.3 activate
  neighbor 2.2.2.3 prefix-list FILTER out
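The following Python is an added example, not code from the original post, and serves both the distribute-list and the prefix-list sections. It implements the matching rule each one uses (standard ACL: network address under a wildcard mask, length ignored; prefix-list: network plus exact length, widened by ge/le) and runs the page's access-list 1 and prefix-list FILTER over a constructed set of candidate routes to show where the two verdicts differ.

```python
import ipaddress
from typing import List, Optional, Tuple

# The page's entries. ACL entries are (address, wildcard); prefix-list entries
# are (action, prefix, ge, le), evaluated in order with first match winning.
ACL_1 = [("192.168.250.0", "0.0.0.255"), ("192.168.251.0", "0.0.0.255")]
PREFIX_LIST_FILTER = [("permit", "192.168.250.0/30", None, None),
                      ("permit", "192.168.251.0/30", None, None)]


def acl_permits(prefix: str, acl: List[Tuple[str, str]]) -> bool:
    """A standard ACL used as a distribute-list compares only the route's network
    address: bits where the wildcard is 0 must equal the entry address, and the
    route's prefix length is never examined. Anything unmatched is denied."""
    net = int(ipaddress.ip_network(prefix, strict=False).network_address)
    for address, wildcard in acl:
        entry = int(ipaddress.ip_address(address))
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if net & care == entry & care:
            return True
    return False


def prefix_list_permits(prefix: str,
                        plist: List[Tuple[str, str, Optional[int], Optional[int]]]) -> bool:
    """An 'ip prefix-list' entry A/L matches a route only if the route lies inside
    A/L and its length is exactly L; 'ge G' / 'le M' widen that to G..M
    (ge alone means G..32, le alone means L..M). First match wins, implicit deny."""
    route = ipaddress.ip_network(prefix, strict=False)
    for action, entry, ge, le in plist:
        e = ipaddress.ip_network(entry)
        lo = ge if ge is not None else e.prefixlen
        hi = le if le is not None else (e.max_prefixlen if ge is not None else e.prefixlen)
        if route.subnet_of(e) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False


# Constructed candidates: the two real /30s, the ISP-learnt transit prefix, and
# two routes that share the 192.168.250.0 address bits but carry other lengths.
CANDIDATES = ["192.168.250.0/30", "192.168.251.0/30", "4.4.4.0/24",
              "192.168.250.0/24", "192.168.250.128/25"]


def compare(candidates: List[str] = CANDIDATES):
    """Map each prefix to (distribute-list verdict, prefix-list verdict)."""
    return {p: (acl_permits(p, ACL_1), prefix_list_permits(p, PREFIX_LIST_FILTER))
            for p in candidates}


if __name__ == "__main__":
    for p, (acl_ok, pl_ok) in compare().items():
        print(f"{p:20} distribute-list={'permit' if acl_ok else 'deny':6} "
              f"prefix-list={'permit' if pl_ok else 'deny'}")
```

Both filters deny 4.4.4.0/24 and permit the two /30s, which is all the page's lab needed. The difference shows up on 192.168.250.0/24 and 192.168.250.128/25: the ACL permits both because the network bits match under the wildcard, while the prefix-list denies both because the length is not /30. If a wider or narrower route for that range were ever injected into the local table, only the prefix-list would keep it from being advertised.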

Before the prefix-list is configured, we can see that 4.4.4.0/24 is a transit route: ISP-2 learns it through the local router (AS 100) as well as via AS 400.

ISP-2#show ip bgp
BGP table version is 54, local router ID is 172.21.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network              Next Hop            Metric LocPrf Weight Path
*    4.4.4.0/24      2.2.2.1                                0 100 200 i
*>                   5.5.5.4                  0             0 400 i
*    5.5.5.0/24      5.5.5.4                  0             0 400 i
*>                   0.0.0.0                  0         32768 i

After the prefix-list is configured, only the 192.168.250.0/30 and 192.168.251.0/30 networks are learnt from AS 100, and ISP-2 has a single path to 4.4.4.0/24, via AS 400.

ISP-2#show ip bgp
BGP table version is 58, local router ID is 172.21.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network                  Next Hop            Metric LocPrf Weight Path
*>   4.4.4.0/24          5.5.5.4                  0            0  400 i
*    5.5.5.0/24          5.5.5.4                  0            0  400 i
*>                       0.0.0.0                  0               32768 i
*    192.168.250.0/30    5.5.5.4                               0  400 200 100 i
*>                       2.2.2.1                  0            0  100 i
*    192.168.251.0/30    5.5.5.4                               0  400 200 100 i
*>                       2.2.2.1                  0            0  100 i