Advertising BGP route learned back to same AS

Paul Dougherty
Level 1

I have a situation where my Internet edge routers learn 0.0 from ATT (AS 7018) my provider.  I then wish to advertise these learned routes via WAN.  However my WAN MPLS provider is also ATT and they use AS 7018 for that as well.  When I try to push 0.0 to my other WAN sites 0.0 is suppressed to avoid loops.

What's the best way to tell the WAN routers to advertise 0.0 back to the same AS originally learned from?

Thanks for your suggestions.

You've all been more helpful than I ever expected.  Since this has turned more detailed I've added a drawing.

Thank you.

Capture.JPG

Roman Rodichev
Level 7

Is this all happening on the same router? If not, is there IGP in between? You will need to bring the route into IGP and then back to your MPLS CE BGP process to reset AS path. There is no trick in IPv4 BGP to reset AS path or to hide an AS in an AS PATH (except for removing private AS). In VPNv4 BGP, there is an "as-override" feature to do a similar thing, but VPNv4 runs inside MPLS VPN.

No they are not the same router, but currently I only run BGP (inside too), just to keep things simple.  The ISP was suggesting community strings or prepending, but that didn't make sense to me.

Thanks,

pdougherty@steelpro.us

Community strings and prepending won't do a thing. It's not AT&T's router that actually rejects the route, it's your router refusing to send it to a neighbor whose AS is already in the AS_PATH of the route.

It's not their fault either because they run a shared network for Internet and MPLS VPN service, hence they have the same AS# on their side for both services.

And even if they would have assigned a different AS# to your MPLS VPN CE router BGP process, you would still have this issue because their AS# would remain in the AS_PATH regardless of the AS#'s you use.

Your only option is to convert to IGP and then back to BGP.

By the way, don't you have some type of firewall between your Internet and MPLS VPN routers to protect private MPLS VPN network? Are you running BGP through the firewall? (no problems if you do, just asking) Whether you do it or not, you should introduce OSPF between these two routers (and the firewall), inject just the default route from BGP into OSPF on the Internet router, pass it through the firewall (Cisco, Checkpoint and others support OSPF), and you will end up with an iBGP and an OSPF 0.0.0.0 route on the MPLS VPN CE router. The admin distance of the OSPF (110) will win over iBGP (200), and just simply redistribute it back into BGP with a network statement (network 0.0.0.0) under BGP. Just make sure to block this BGP 0.0.0.0 route from getting advertised back to your Internet BGP router.

Or simpler yet, if you don't have some requirement for a redundant 0.0.0.0 route in another data center, you can just configure static default route on the MPLS VPN CE router, point it inside, and redistribute it into BGP.
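
Added example, not part of the original posts: a Cisco IOS configuration sketch of the OSPF method described above, with the outbound filter that keeps the re-originated default away from the Internet router. The customer AS 65001, OSPF process 1, all IP addresses and the prefix-list name NO-DEFAULT are assumed placeholders; only AS 7018 and the default route come from the thread.

```cisco
! ===== Internet edge router (learns 0.0.0.0/0 from AS 7018 over eBGP) =====
router ospf 1
 ! Assumed transit subnet toward the firewall / MPLS CE
 network 10.255.0.0 0.0.0.255 area 0
 ! Without the "always" keyword, OSPF originates a default only while a
 ! default route is present in the routing table, so the OSPF default
 ! disappears when the BGP-learned default from the provider is lost.
 default-information originate
!
! ===== MPLS VPN CE router =====
router ospf 1
 ! Same assumed transit subnet; the firewall in between must also run OSPF
 network 10.255.0.0 0.0.0.255 area 0
!
router bgp 65001
 ! Locally originate the default. The OSPF route (distance 110) is installed
 ! ahead of the iBGP route (distance 200), and the locally originated BGP
 ! route starts with an empty AS_PATH, so 7018 is no longer in the path
 ! when it is sent to the MPLS provider.
 network 0.0.0.0
 ! eBGP session to the MPLS provider edge (placeholder address)
 neighbor 192.0.2.1 remote-as 7018
 ! iBGP session to the Internet edge router (placeholder address)
 neighbor 10.255.0.1 remote-as 65001
 ! Block the re-originated default from going back to the Internet router
 neighbor 10.255.0.1 prefix-list NO-DEFAULT out
!
! Deny exactly 0.0.0.0/0, permit every other prefix
ip prefix-list NO-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list NO-DEFAULT seq 10 permit 0.0.0.0/0 le 32
```

On the CE, `show ip bgp neighbors 192.0.2.1 advertised-routes` should list 0.0.0.0 toward the MPLS provider, and the same command for 10.255.0.1 should not.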

Yes I'm running bgp through the firewall.  Your method makes perfect sense to me.  I'll give it a try.

Thank you very much!

I do need the routes for multiple data centers.  Otherwise static would be the way to go certainly.

The behaviour actually changes, depending on the platform. Here is a link with a description:

 

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/214619-configure-disable-peer-as-check-in-bgp-o.html

lgijssel
Level 9

This really complicates your BGP setup.

One alternative is to use a different routing protocol on the WAN, for example OSPF but this may not be an option for you.

Probably the best solution is to ask your provider to configure a different AS number on the MPLS.

It is not an acceptable practice to assign the same AS on two networks for the same customer.

They have simply made a mess of it. Let them solve it too.

regards,

Leo

The ISP requires BGP on the WAN.  Otherwise yes that would be easy.

Thanks.

It is actually quite common for MPLS VPN providers to assign the same AS number for all sites of the same customer. They use as-override for that.

Yes, I've seen that, but not the other way round. - thanks.

That was in response to lgijssel.

gerald.suiza
Level 1

Let me see if I understand this in the correct way. Your goal is to inject Internet into your MPLS VPN with AT&T, right?

If this is correct I would think you could do a default-originate on your MPLS peer to advertise a default route. I don't believe you want to advertise the full routing table from your Internet peer.

I have a question too. Since you have 2 peers to the same remote AS, do you have VRF lite on your CE? I think VRF lite would make things more simple in a way, since in essence you feel you have two CEs since you have two VPNs on the same CE.

You may want to consider this; although it's for a Catalyst switch, the idea is the same.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html

HTH

Default-originate is a good idea. In his case, he needs conditional advertising: if the main default disappears, he should stop sending the "originate" default. So it would be configured as such:

router bgp x
 neighbor x.x.x.x default-originate route-map DEFAULT
!
route-map DEFAULT permit 10
 match ip address prefix-list DEFAULT
!
ip prefix-list DEFAULT permit 0.0.0.0/0

I agree with the route-map, but if he has another Internet gateway injected into the MPLS VPN I think the best way is to have AT&T implement SoO on the default route so he has a back-up route. That's just me thinking ahead, hehe.
