BGP Prevent Transit AS

andrew · February 14, 2016, 4:39pm

Jason,
This is actually a very good question which required wireshark and some musing on my part to figure out.

Here’s the short answer:
If you included R1’s AS in the filter:
R1(config)#ip as-path access-list 1 permit ^4444$
It would indeed stop ISP1 and ISP2 from using R1 as a transit path. However, there is also a negative consequence. R1’s advertisements to ISP1 and ISP2 would also be filter out.

Here’s the long answer:
The interesting question is why does it do this? To answer this question, the first point to understand is what the ip as-path command is saying. It is using regex where the “^” means “beginning of string” and “$” means “end of string.” So, " ^4444$ " means “this string contains exactly 4444.” Since the as-path access list has an implicit deny at the end, everything except 4444 in the as-path is rejected.

To figure out why the R1 is filtering out its own route, you need to look at the BGP Topology table. Here’s what it looks like:

R1#show ip bgp topology *
For address family: IPv4 Unicast

BGP table version is 4, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, &gt; best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *&gt;  1.1.1.0/24       0.0.0.0                  0         32768 i

Notice the Path field in the table–specifically what is NOT there. It lists only the origin code and no AS-Path. Self-originated routes are not stamped with the AS-Path in the host router’s BGP Topology table. The route is associated with the 4444 AS Path attribute once it leaves R1 (after the filter has already done its work).

Essentially, the reason putting 4444 in the as-path filter will not work comes down the order in which BGP operates: Filter based on Topology table first, then send BGP Update message with added AS-Path attribute to neighbors.

jmwalker24 · February 20, 2016, 2:46pm

So for the - Filter-list with AS PATH access-list –

R1(config)#ip as-path access-list 1 permit ^$

R1(config-router)#neighbor 192.168.12.2 filter-list 1 out
R1(config-router)#neighbor 192.168.13.3 filter-list 1 out

Does a route-map also need to be configured with this?

andrew · February 20, 2016, 5:23pm

A route-map is not needed. Tying the as-path access-list to the neighbor via the filter-list argument is sufficient.

electrogoth · March 1, 2016, 1:43pm

hello Rene, I am a bit confused, No-Export community tells BGP neighbors to advertise a prefix only to iBGP neighbors so why if we use the “no-export” community we still need to use the command “send-community”? it should still export the prefixes to iBGP based on the no-export community… am I wrong?

ReneMolenaar · March 1, 2016, 3:28pm

Hi Cristian,

By default a BGP router will not send any community values, that includes the no-export community. So if you want to send them…you’ll have to enable “send-community” on the router.

Rene

electrogoth · March 1, 2016, 3:30pm

oh, now I see, I confused the export of the community with the prefixes so no export will make sure we won’t expotr the prefix but then we need send community to make sure the “no export” is propagated?

ReneMolenaar · March 1, 2016, 3:31pm

That’s right

electrogoth · March 1, 2016, 3:32pm

thanks a lot

adave1103 · July 16, 2016, 7:55pm

Fantastic …it was never so easy to understand “transit AS” issue…many thanks Rene.

adave1103 · July 16, 2016, 7:59pm

Hi Rene,

why should it be inbound and not outbound? Please help in understanding:

R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 route-map NO-EXPORT in
R1(config-router)#neighbor 192.168.13.3 route-map NO-EXPORT in

thanks

ReneMolenaar · July 18, 2016, 3:35pm

Hi Abhishek,

We want to make changes in our AS and we receive prefixes from the ISP routers. When we receive these prefixes, we set the no-export community. This means our AS won’t advertise them to another AS.

Using an outbound route-map in BGP is useful if you want to advertise something to another router or AS.

Rene

adave1103 · August 3, 2016, 8:12am

RT VS GRT

Hi Rene,

Can you please tell what is the diff. between routing table and global routing table in terms of NEXT HOP.
example :
I am an enterprise and i am peering with ISP thru GP. now i have to go to prefix 202.x.y.z (www.gmail.com)

So how my outbound traffic will go in above case ?

Now if get global routing table in my internet router - How the outbound traffic will go ?

Thanks in adv
Abhishek

ReneMolenaar · August 30, 2016, 12:03pm

Hi Abhishek,

By default, you have one routing table which is your global routing table. Once you start working with VRFs, that’s when you will have more than one routing table.

Take a look at this lesson to learn more about this:

VRF Lite

Rene

shantel · December 26, 2016, 6:20pm

19 posts were merged into an existing topic: BGP Prevent Transit AS

iniguezjuan · July 5, 2017, 12:59am

Hey Rene,

Thanks for your great lessons and labs you post. I have a question regarding BGP when using 2 ISPs.

I have a muti-homes ISR with two ISPs both advertising a default route via BGP I have manipulated the weight attribute to prefer ISP1 over ISP2. My question is why when I learn the default route through ISP1 my ISR also advertises it to ISP2 becoming a transit AS, even though I didnt manually configure it under my BGP instance ?

Thanks in advance.

ReneMolenaar · July 6, 2017, 5:42pm

Hi @iniguezjuan,

By default, BGP will advertise prefixes that you have learned from one eBGP neighbor to another eBGP neighbor. That’s why you will have to configure your router to prevent this

malneediniranjan · October 24, 2018, 12:55pm

HI ’

R1--?   ( I want this in Tansit AS)
router bgp 1
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.255.0
 neighbor 10.0.0.2 remote-as 2
 neighbor 20.0.0.2 remote-as 3


R2--  (ISP-1)
router bgp 2
 bgp log-neighbor-changes
 network 2.2.2.0 mask 255.255.255.0
 neighbor 10.0.0.1 remote-as 1


R3--(ISP 2)
router bgp 3
 bgp log-neighbor-changes
 network 3.3.3.0 mask 255.255.255.0
 neighbor 20.0.0.1 remote-as 1
 auto-summary

All loopback IP are reachable from customer router which is placed in Transit AS, however from ISP 1 loopback 2.2.2.2 am unable to ping ISP 2-loopback 3.3.3.3 please help

lagapidis · October 27, 2018, 1:28pm

Hello Kaza

At first glance there doesn’t seem to be an issue with your configs. However, keep in mind that BGP is slow. It’s a good idea to use the clear ip bgp * command to speed things up.

Also, the config you are setting up is similar to that in the lesson. Try duplicating the lesson first and see that that works. You can then adjust your IP addresses accordingly to match the lab you want. Let us know of your results…

I hope this has been helpful!

Laz

sales2161 · February 26, 2019, 1:40pm

Hello Laz, I was asking myself why can’t we use route-map with AS-PATH access-list instead of using filter-list in the first example?

ip as-path access-list 1 permit ^$
!
route-map LAZ permit 10
     match as-path 1
exit
!
router bgp 1
     neighbor <ip> route-map LAZ out
exit

Regards.

lagapidis · February 26, 2019, 3:12pm

Hello sales2161

Hmm, that’s an interesting solution that actually looks correct. I don’t see why this wouldn’t work. Can you lab it up and share the results? We can share it with Rene and see what he thinks…

Laz