This topic is to discuss the following lesson:
Thank you Rene for making it easy to learn this kind of stuff
thanks your rene, you d best !
quick check : why you gave next-hope-self on 4. without that also I get the same result.
Hi Abhishek,
Without next-hop-self, R4 would learn the IP address of R1 as the next hop address. As long as you advertise the network in between R1/R2 into BGP, you will be fine. If you don’t, you have to use next hop self.
Rene
R2 do not send-community to R4, in this case what happens if R4 is connected to another AS ?
i think R4 will advertise the prefix because it does not any thing about the community, please correct me if wrong
Mahmoud,
You are exactly right! This is the output of R2 with respect to the BGP advertised route of 1.1.1.1
Origin IGP, metric 0, localpref 100, valid, external, best
Community: no-export
If R2 isn’t configured to send communities to R4, this would be R4’s output of 1.1.1.1
Origin IGP, metric 0, localpref 100, valid, internal, best
Notice the community is missing. Because of this, R4 doesn’t know that it isn’t supposed to advertise this to another AS, so any other AS connected via R4 would also learn of 1.1.1.1/32
Andrew,
Many thanks for your support
Hi Rene,
In BGP community no export example.You said that it prevent route from being advertise to the ebgp peer and only advertise to IBGP neighbors. so why it is advertising to AS24 as it is also an ebgp peer for AS1. Router is in AS 1 and R2 ,R4 is in AS 24.Kindly explain.
Hello Naman,
R1 is the router that adds the no-export community, but the action does not apply to R1 itself. Only the router that receives the community has to process it, in this case R2.
Does this make sense?
Rene
Hi,
ıf we connect another router R5(in AS 24 also) to R4, then can’t R4 advertise the 1.1.1.1 to R5? R5 is a iBGP neighbor so Why? Can R2 advertise to only it’s iBGP neighbors and can’t the other iBGP routers advertise to another iBGP neighbors?
regards
Hello Murat
If you have R5 in AS24 then yes, R2 will be able to advertise 1.1.1.1 to R5 as well. The No Export community only restricts routers from sharing particular routes with other eBGP neighbors. iBGP neighbors are not affected and they can freely share these routes between themselves.
Remember that this community is applied to particular routes, not to all routes in general. In this example, R1 sends the 1.1.1.1 route with the no export community set. This means that R2 will behave accordingly ONLY for that one particular route. All other routes can be shared freely according to the default behaviour of BGP.
I hope this has been helpful!
Laz
Hi Rene,
How can I send a /32 prefix to a blackhole, on a router that also has received both /22 and /23. For example: R1 announces to R2 some /22 and /23, that suppose to be announced to R3. But R1, under an attack, for example, wants to blackhole (on R2) a specific /32 and also no-export it to external AS.
Thanks!
Hello Marcelo
Blackholing is a technique that is commonly used by ISPs. It’s not necessarily an “attack” although it can be use maliciously. You can statically advertise a /32 route in BGP and route it to the null interface.
Because BGP will only advertise networks that exist in the local routing table specific to the exact subnet mask, you will have to do two things. First, create a static route to a null interface. This can be done line so:
R1(config)#ip route 1.1.1.1 255.255.255.255 null 0
This will create the route to this destination (the loopback of R1 in this lesson’s example) and will “black hole” it.
You can then create the BGP network command like so:
R1(config)#router bgp 1
R1(config-router)#network 1.1.1.1 mask 255.255.255.255
This will advertise this network on BGP to neighboring AS’es. The result is that traffic to this destination is black holed, and R2 has learned about it as well. You can find out more detailed information about such a configuration under the Network Command heading in the following lesson:
Now there are several methods to achieve this, and one other one is using the black hole community of BGP. More information about this can be found in RFC7999.
I hope this has been helpful!
Laz
Hi,
My ISP is sending default route with community : no-export and its their policy that they can’t change. Is there way to override or strip community ?
Thanks
Umesh
Hello Umesh
It is possible to change the community on the incoming prefixes being sent to you from your ISP. You can do this by creating an inbound route-map that matches their default route, and then change the community to none
. For example:
route-map REMOVE_COMMUNITY permit 10
match ip address prefix-list 1
set community none
!
ip prefix-list 1 seq 5 permit 0.0.0.0/0
The above will match everything coming from the ISP router. And then apply this route-map to the neighbor peering with your ISP’s router (with an IP address of A.B.C.D) in the BGP configuration like so:
neighbor A.B.C.D route-map REMOVE_COMMUNITY in
If you choose to, you can completely omit the match statement and the prefix list and the route map will match everything that comes from the BGP neighbor. For more info on route maps, take a look at the following lesson:
Now having said that, my question to you is why do you want to remove the no-export community? It is there as a precautionary measure to protect your network from becoming a transit network for Internet traffic. For more info on that, take a look at this lesson:
I hope this has been helpful!
Laz
Lets say i am advertising a community called no-export to my neighbor , is it possible my neighbor router can reset the community value no-export to a specific community and advertise further upstream as well ??
Hello Narad
By default, no communities attributes are propagated further to BGP neighbors. So in the example in this lesson, because the neighbor send-community
command is used on R1, it sends community information. If R2 is not also configured with this command, the community information stops there.
In order to further propagate the communities futher, the neighbor send-community
command must be present in each router along the way. You can also choose what kind of community attributes to propagate, either standard communities, extended communities, or both, depending on the keywords used:
neighbor X.X.X.X send-community [standard | extended | both]
In order to achieve this in the lab, R2 must also be configured with this command for the specific neighbors for which you want to propagate this information.
I hope this has been helpful!
Laz
Hi Rene,
What is difference between “no-export out” and “no-export in” ?
Hello Champion
In the lesson, a route map is used to set the community of particular prefixes to no-export. That route map is always applied to a neighbor using a command similar to this, as seen in the lesson:
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 route-map NO_EXPORT out
At the end of the command, either the in
or out
keywords can be used. What do they signify? They define in what direction prefixes should be modified. So looking at this particular portion of the topology:
The route map is applied on R1 in an outbound direction. This means that all prefixes within BGP updates sent from R1 to R2 will first have the route map applied to them before going out of the Fa0/0 interface. Any prefixes received from R2 will not have the route map applied since those updates are moving in an inbound direction.
Remember, the in
and out
keywords don’t refer to the direction of actual user traffic, but the direction of the updates passing from one BGP peer to the next. Take a look at these two NetworkLessons notes for more info on how route maps and their applied direction affect how BGP operates:
I hope this has been helpful!
Laz
Thanks Lagapides,
SO Basically the no export community applies to the neighbouring (EBG peer) IBGP AS.
I guess what I am trying to say is that the traffic needs go past the to the ebgp peer, but terminates in that peers AS? Correct?