BGP- Prevent Transit AS using Distribute-list

By default, BGP advertises all prefixes to its eBGP neighbors. If you are in a multi-homed environment (connected to two ISPs), you might become a transit AS.

Consider the topology below, where R3 is connected to R1 (ISP_1) and R2 (ISP_2).
Since R3 is connected to two ISPs, it is possible that the ISPs will use R3 to reach each other. To prevent this, we have to ensure that R3 only advertises prefixes from its own autonomous system.

There are 4 ways to prevent becoming a transit AS.
In this session we are going to look at prevention using a distribute-list.

R1 Interface configuration:
ISP-1#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.13.1    YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Loopback0                  1.1.1.1         YES NVRAM  up                    up
ISP-1#

R2 Interface configuration:
ISP-2#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.23.2    YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Loopback0                  2.2.2.2         YES NVRAM  up                    up
ISP-2#

R3 Interface configuration:
R3#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.13.3    YES NVRAM  up                    up
FastEthernet0/1            192.168.23.3    YES NVRAM  up                    up
Loopback0                  3.3.3.3         YES NVRAM  up                    up
R3#


ISP 1 - R1 BGP Configuration:
ISP-1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ISP-1(config)#router bgp 1
ISP-1(config-router)#neighbor 192.168.13.3 remote-as 65000
ISP-1(config-router)#redistribute connected
ISP-1(config-router)#end
ISP-1#

ISP 2 - R2 BGP Configuration:
ISP-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ISP-2(config)#router bgp 2
ISP-2(config-router)#neighbor 192.168.23.3 remote-as 65000
ISP-2(config-router)#redistribute connected
ISP-2(config-router)#end
ISP-2#

R3 BGP Configuration:
R3#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router bgp 65000
R3(config-router)#neighbor 192.168.13.1 remote-as 1
R3(config-router)#neighbor 192.168.23.2 remote-as 2
R3(config-router)#redistribute connected
R3(config-router)#end
R3#

When you look at the BGP table of R1, you can see that the network 2.2.2.2/32, which belongs to AS 2 (ISP_2), is learned through router R3.

Now, I am going to create an ACL on R3 that permits only Loopback0 of R3 (3.3.3.3/32).

Creating an ACL named as PREVENT-AS:
R3(config)#ip access-list standard PREVENT-AS
R3(config-std-nacl)#permit host 3.3.3.3
R3(config-std-nacl)#end
R3#

R3#show ip access-lists
Standard IP access list PREVENT-AS
    10 permit 3.3.3.3
R3#

Mapping the created ACL in BGP configuration:
R3#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router bgp 65000
R3(config-router)#neighbor 192.168.13.1 distribute-list PREVENT-AS out
R3(config-router)#neighbor 192.168.23.2 distribute-list PREVENT-AS out
R3(config-router)#end
R3#

R3#show running-config | section router bgp
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.13.1 remote-as 1
 neighbor 192.168.13.1 distribute-list PREVENT-AS out
 neighbor 192.168.23.2 remote-as 2
 neighbor 192.168.23.2 distribute-list PREVENT-AS out
 no auto-summary
R3#

You need to clear the BGP session for the newly applied configuration to take effect.
To clear the BGP session, use the command "clear ip bgp * soft in".

Now, looking at the BGP table of R1 (ISP_1), 2.2.2.2/32 has been removed and only 3.3.3.3/32 is available, because this is the only network permitted by the distribute-list on R3.
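As an added example (not part of the original post), the following Python audit parses a "router bgp" section like the one shown above and lists every eBGP neighbor that still has no outbound filter; the sample configurations are constructed from R3's section, one complete and one with the ISP-2 distribute-list omitted.

```python
import re

# Constructed sample: R3's "router bgp" section from this post, with the
# distribute-list applied to both ISP neighbors.
R3_CONFIG_HARDENED = """\
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.13.1 remote-as 1
 neighbor 192.168.13.1 distribute-list PREVENT-AS out
 neighbor 192.168.23.2 remote-as 2
 neighbor 192.168.23.2 distribute-list PREVENT-AS out
 no auto-summary
"""
# Constructed sample: the ISP-2 filter forgotten, so R3 would still hand
# ISP-1's prefixes (e.g. 1.1.1.1/32) to ISP-2 and act as transit for them.
R3_CONFIG_PARTIAL = R3_CONFIG_HARDENED.replace(
    " neighbor 192.168.23.2 distribute-list PREVENT-AS out\n", "")

# Outbound policy tools that restrict what a neighbor is sent.
OUT_FILTER_RE = re.compile(
    r"neighbor (\S+) (distribute-list|prefix-list|filter-list|route-map) (\S+) out$")

def parse_bgp_section(config):
    """Return (local_as, {neighbor_ip: {"remote_as": int|None, "out_filters": [str]}})."""
    local_as, neighbors = None, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"router bgp (\d+)$", line):
            local_as = int(m.group(1))
        elif m := re.match(r"neighbor (\S+) remote-as (\d+)$", line):
            entry = neighbors.setdefault(m.group(1), {"remote_as": None, "out_filters": []})
            entry["remote_as"] = int(m.group(2))
        elif m := OUT_FILTER_RE.match(line):
            entry = neighbors.setdefault(m.group(1), {"remote_as": None, "out_filters": []})
            entry["out_filters"].append(f"{m.group(2)} {m.group(3)}")
    return local_as, neighbors

def unfiltered_ebgp_neighbors(config):
    """eBGP neighbors (remote AS != local AS) with no outbound filter: each one
    is sent the whole BGP table, which is what makes a multi-homed AS transit."""
    local_as, neighbors = parse_bgp_section(config)
    return sorted(ip for ip, n in neighbors.items()
                  if n["remote_as"] not in (None, local_as) and not n["out_filters"])

if __name__ == "__main__":
    for name, cfg in (("hardened", R3_CONFIG_HARDENED), ("partial", R3_CONFIG_PARTIAL)):
        print(name, "-> unfiltered eBGP neighbors:", unfiltered_ebgp_neighbors(cfg))
```

Filtering only one of the two ISP peers still leaves the AS acting as transit in the other direction, which is why the check flags every eBGP neighbor independently.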

You can also look at my video tutorial in Tamil:
