BGP Prevent Transit AS

Hello Laz

Yes, I made it clear already, and I finally got it. By the way, I had a nice interview with Verizon; I hope I will get the job.

Regards !

1 Like

Hello Rene,

R1(config)#route-map NO-EXPORT
R1(config-route-map)#set community no-export

R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 route-map NO-EXPORT in
R1(config-router)#neighbor 192.168.13.3 route-map NO-EXPORT in

In the config above, since we are advertising, why is it "in" instead of "out"?

Thanks in advance.

Hello Leoncio

Let’s reexamine what the goal is in this particular case. We want the prefixes that are advertised from ISP1 and ISP2 towards R1 to be tagged with the no-export community. That means that any BGP updates traveling from ISP1 to R1 or from ISP2 to R1 would enter into R1 in an inbound direction. So the NO-EXPORT route map should be applied in an inbound direction.

Remember, the "in" keyword indicates the direction of the BGP updates that we want to modify and not the actual user traffic being sent.

I hope this has been helpful!

Laz

1 Like

How would I configure an AS 200 ISP to only advertise 202.0.0.0/8? I'm a little confused.

ip prefix-list NO-TRANSIT permit 202.0.0.0/8

neighbor xxx.xxx.xxx.xxx prefix-list NO-TRANSIT out

Hello Jaime

In this particular lesson, the prefix list is being used to filter out what R1 advertises to ISP1. Only the 1.1.1.0/24 subnet is being advertised to ISP1. So if you look at the BGP table of ISP1, you will see only 1.1.1.0/24 appear in the BGP table with a next hop of 192.168.12.1 which is the IP address of R1.

Now in your case, when you say "how would I configure an AS 200 ISP to only advertise 202.0.0.0/8?", it really depends upon your topology. If you have an ISP router that exists within AS200, and you want it to advertise only the 202.0.0.0/8 network, then you would indeed use the commands that you placed in your post.

This would result in the ISP router advertising only 202.0.0.0/8 to your xxx.xxx.xxx.xxx neighbor. However, the prerequisite to this is that the 202.0.0.0/8 network is already in your local BGP table.

I hope this has been helpful!

Laz

Hello!

A quick question. Could we also use the NO-ADVERTISE BGP community in order to prevent our organization from becoming a transit AS? Would it cause any problems?

Thank you in advance for your help.

David

Hello David

The BGP NO-ADVERTISE community is a well-known BGP community that prevents the advertisement of routes to any peer, internal or external. Using the NO-ADVERTISE community will prevent an AS from advertising specific routes to any other AS.

However, it’s important to clarify that this doesn’t directly prevent your organization from becoming a transit AS. A transit AS is an Autonomous System that allows traffic from other ASes to pass through it. Whether an AS acts as a transit AS is more a matter of its peering arrangements than of its routing advertisements.

If you want to prevent your AS from becoming a transit AS, you need to ensure that your AS doesn’t have agreements to forward traffic for other ASes. That’s where the four methods Rene mentioned in the lesson come in.

However, if you don't want to advertise certain routes to peer ASes to reduce the chance of becoming a transit AS for those specific routes, you could use the NO-ADVERTISE community. This is by no means a general solution to the issue, but rather a specific one for the particular routes that are prevented from being advertised.

I hope this has been helpful!

Laz

1 Like

Hello,

Let's say I'm an ISP and have multiple T1 ISPs, not just two as given in the lesson above, and I have multiple ASes connected to my AS, so they will be treated like my clients and I need to advertise them to the T1 providers, as they normally need to reach the Internet. What I am trying to say is: what if I'm a T2 provider and I have several ASes alongside my AS? What is the best practice I can use to filter the in/out policy with the T1 providers to prevent being a transit AS?

Hello Ahmedlmad

In the scenario that you are describing, your goal is to advertise your customers’ routes upstream (so they can reach the Internet) while preventing your AS from becoming a transit path, meaning you don’t want traffic from one T1 provider (or elsewhere) to traverse your network to reach another T1 or unrelated destination. This is a common concern to avoid resource exhaustion, peering disputes, and potential blackholing.

The most important principle to keep in mind is to advertise only your local routes (your own AS’s prefixes) and your customers’ routes to upstream T1 providers. Do not advertise routes learned from other T1s or peers. To your customers, you can advertise full Internet routes (if you have the capacity) or a default route for simplicity.

Some additional best practices include:

  • Some tools you can use to ensure that this principle is maintained include route maps and prefix lists for outbound filtering, BGP communities, AS-path filtering, as well as maximum-prefix limits on peers to prevent route leaks.
  • You should also classify your routes into local routes, customer routes, and upstream routes to keep track of where routes were learned from.
  • Employ inbound and outbound policies to and from your T1 providers to ensure that you limit what you learn from them and what you send out to them.
  • Employ the appropriate policies for your customers by advertising filtered BGP tables, and also by ensuring that customers can't use you to transit to each other.

These are general guidelines that can be used. Remember, preventing your AS from becoming a transit AS applies whether the connected ASes are customers or upstream ISPs. The concepts are the same; it's just that the connected ASes play different roles.

I hope this has been helpful!

Laz

1 Like
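As an added illustration of the "classify, then export only local and customer routes" policy described in the answer above (this config is not from the lesson or the post), here is a Cisco IOS example for a T2 provider with one customer and two T1 uplinks. The ASNs (65100, 65200, 65001, 65002), neighbor addresses, prefixes and community values are all constructed for the example.

```cisco
! We are AS 65100 (T2). Customer is AS 65200, T1 uplinks are AS 65001 and AS 65002.
! Routes are tagged on the way in so the outbound policy can select by origin:
!   65100:100 = our own prefixes, 65100:200 = customer, 65100:300 = upstream
ip bgp-community new-format
!
ip prefix-list OUR-PREFIXES seq 5 permit 203.0.113.0/24
ip prefix-list CUST-65200 seq 5 permit 198.51.100.0/24
!
ip community-list standard LOCAL permit 65100:100
ip community-list standard CUSTOMER permit 65100:200
!
! Tag our own prefixes when they are injected with the network statement
route-map TAG-LOCAL permit 10
 set community 65100:100
!
! Accept only what the customer is allowed to announce, tag it as customer
route-map FROM-CUSTOMER permit 10
 match ip address prefix-list CUST-65200
 set community 65100:200
! implicit deny: anything else the customer announces is dropped
!
! Everything learned from a T1 is tagged as upstream
route-map FROM-UPSTREAM permit 10
 set community 65100:300
!
! Towards a T1 only local and customer routes may leave; upstream-tagged
! routes (learned from the other T1) hit the implicit deny, so no transit
route-map TO-UPSTREAM permit 10
 match community LOCAL CUSTOMER
!
router bgp 65100
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0 route-map TAG-LOCAL
 neighbor 10.0.0.2 remote-as 65200
 neighbor 10.0.0.2 route-map FROM-CUSTOMER in
 neighbor 10.0.0.2 maximum-prefix 100
 neighbor 10.0.1.2 remote-as 65001
 neighbor 10.0.1.2 route-map FROM-UPSTREAM in
 neighbor 10.0.1.2 route-map TO-UPSTREAM out
 neighbor 10.0.2.2 remote-as 65002
 neighbor 10.0.2.2 route-map FROM-UPSTREAM in
 neighbor 10.0.2.2 route-map TO-UPSTREAM out
```

To verify, `show ip bgp neighbors 10.0.1.2 advertised-routes` should list only 203.0.113.0/24 and 198.51.100.0/24, and `show ip bgp community 65100:300` shows which routes were classified as upstream and therefore never leave.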