BGP: Prevent Transit AS using No-Export Community

By default, BGP advertises every prefix it knows to its eBGP neighbors. If you are in a multi-homed environment (connected to two ISPs), you can therefore become a transit AS: each ISP learns the other ISP's prefixes through you and may route traffic across your network.

Consider the topology below, where R3 is connected to R1 (ISP_1) and R2 (ISP_2).
Since R3 is connected to two ISPs, it is possible that the ISPs will use R3 to reach each other. To prevent this, we have to ensure that R3 only advertises prefixes from its own autonomous system.

There are 4 ways to prevent becoming a transit AS.
In this session we are going to look at prevention using the No-Export community.

R1 Interface configuration:
ISP-1#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.13.1    YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Loopback0                  1.1.1.1         YES NVRAM  up                    up
ISP-1#

R2 Interface configuration:
ISP-2#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.23.2    YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Loopback0                  2.2.2.2         YES NVRAM  up                    up
ISP-2#

R3 Interface configuration:
R3#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.13.3    YES NVRAM  up                    up
FastEthernet0/1            192.168.23.3    YES NVRAM  up                    up
Loopback0                  3.3.3.3         YES NVRAM  up                    up
R3#


ISP 1 - R1 BGP Configuration:
ISP-1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ISP-1(config)#router bgp 1
ISP-1(config-router)#neighbor 192.168.13.3 remote-as 65000
ISP-1(config-router)#redistribute connected
ISP-1(config-router)#end
ISP-1#

ISP 2 - R2 BGP Configuration:
ISP-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ISP-2(config)#router bgp 2
ISP-2(config-router)#neighbor 192.168.23.3 remote-as 65000
ISP-2(config-router)#redistribute connected
ISP-2(config-router)#end
ISP-2#

R3 BGP Configuration:
R3#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router bgp 65000
R3(config-router)#neighbor 192.168.13.1 remote-as 1
R3(config-router)#neighbor 192.168.23.2 remote-as 2
R3(config-router)#redistribute connected
R3(config-router)#end
R3#

When you look at the BGP table of R1, you can see that the network 2.2.2.2/32, which belongs to AS_2 (ISP_2), has been learned through R3.

Now, I am going to create a route-map on R3 that sets the community to NO-EXPORT.

Route-Map Configuration:

R3#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#route-map TRANSIT-AS-NO-EXPORT permit
R3(config-route-map)#set community no-export
R3(config-route-map)#exi
R3(config)#route-map TRANSIT-AS-NO-EXPORT permit 20
R3(config-route-map)#end
R3#

R3#show route-map
route-map TRANSIT-AS-NO-EXPORT, permit, sequence 10
  Match clauses:
  Set clauses:
    community no-export
  Policy routing matches: 0 packets, 0 bytes
route-map TRANSIT-AS-NO-EXPORT, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
R3#

Applying the route-map to the BGP neighbors:

R3#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#
R3(config)#router bgp 65000
R3(config-router)#neighbor 192.168.13.1 route-map TRANSIT-AS-NO-EXPORT in
R3(config-router)#neighbor 192.168.23.2 route-map TRANSIT-AS-NO-EXPORT in
R3(config-router)#end
R3#

R3 BGP Configuration:

R3#show running-config | section router bgp
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.13.1 remote-as 1
 neighbor 192.168.13.1 route-map TRANSIT-AS-NO-EXPORT in
 neighbor 192.168.23.2 remote-as 2
 neighbor 192.168.23.2 route-map TRANSIT-AS-NO-EXPORT in
 no auto-summary
R3#

From the above config, you can see that I have applied the route-map "TRANSIT-AS-NO-EXPORT" in the inbound (IN) direction on both neighbors. Every network received from a neighbor is therefore tagged with the NO-EXPORT community. Once NO-EXPORT is attached, R3 will not advertise those networks to any eBGP peer, so they stay inside its own AS.

Below is the output for 1.1.1.1/32 with the no-export community attached:

R3#show ip bgp 1.1.1.1
BGP routing table entry for 1.1.1.1/32, version 7
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
Flag: 0x880
  Not advertised to any peer
  1
    192.168.13.1 from 192.168.13.1 (1.1.1.1)
      Origin incomplete, metric 0, localpref 100, valid, external, best
      Community: no-export
R3#

You need to clear the BGP session for the newly applied configuration to take effect.
To clear the session, use the command "clear ip bgp * soft in". This is a soft inbound reset: it asks each neighbor for a route refresh and re-runs the inbound policy without tearing down the sessions.
Now, looking at the BGP table of R1 (ISP_1), 2.2.2.2/32 is removed, as R3 will no longer export this network outside of its AS (R3's AS number is AS_65000).
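As an added example (not from the original post, and not IOS code), the following Python model of R3's inbound policy and export decision shows why tagging received prefixes with NO_EXPORT stops the transit behaviour. Peer addresses, ASNs and prefixes mirror the topology above; the sender-side AS_PATH loop check is a simplification assumed here.

```python
from dataclasses import dataclass, field
from typing import Optional

NO_EXPORT = 0xFFFFFF01  # well-known NO_EXPORT community (RFC 1997); IOS prints it as "no-export"
LOCAL_AS = 65000        # R3's AS in the topology above

@dataclass
class Route:
    prefix: str
    as_path: tuple                          # AS_PATH as received, e.g. (1,) from ISP_1
    communities: set = field(default_factory=set)
    learned_from: str = "local"             # neighbor address, or "local" for redistributed routes

@dataclass
class Peer:
    address: str
    remote_as: int
    route_map_in: Optional[str] = None      # name of the inbound route-map, if any

def transit_as_no_export(route: Route) -> Route:
    # permit 10 has no match clause, so every received route is tagged no-export;
    # permit 20 is an empty permit that changes nothing
    route.communities.add(NO_EXPORT)
    return route

ROUTE_MAPS = {"TRANSIT-AS-NO-EXPORT": transit_as_no_export}

def receive(peer: Peer, route: Route, rib: list) -> None:
    # install a route learned from a neighbor after running its inbound route-map
    route.learned_from = peer.address
    if peer.route_map_in:
        route = ROUTE_MAPS[peer.route_map_in](route)
    rib.append(route)

def advertise(rib: list, to_peer: Peer) -> list:
    # prefixes R3 would send to to_peer, honouring the NO_EXPORT rule
    out = []
    for r in rib:
        if to_peer.remote_as in r.as_path:
            continue    # sender-side loop check (assumed): peer's own AS is already in the path
        if to_peer.remote_as != LOCAL_AS and NO_EXPORT in r.communities:
            continue    # eBGP peer and NO_EXPORT present: the route stays inside AS 65000
        out.append(r.prefix)
    return out

def simulate(apply_route_map: bool) -> dict:
    # return {peer address: prefixes advertised} for the R1/R2/R3 topology
    rm = "TRANSIT-AS-NO-EXPORT" if apply_route_map else None
    isp1 = Peer("192.168.13.1", 1, rm)
    isp2 = Peer("192.168.23.2", 2, rm)
    rib = [Route("3.3.3.3/32", ())]         # R3's own loopback via "redistribute connected"
    receive(isp1, Route("1.1.1.1/32", (1,)), rib)
    receive(isp2, Route("2.2.2.2/32", (2,)), rib)
    return {p.address: advertise(rib, p) for p in (isp1, isp2)}
```

Running `simulate(False)` reproduces the transit situation (each ISP is offered the other ISP's loopback), while `simulate(True)` leaves only 3.3.3.3/32 in each advertisement.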
