
BGP: conditional routing receiving

kravetc
Level 1

Hello.

We have the following setup: ISP A provides BGP with a full view.

One layer of our security model relies on the routes we receive from the ISP. To be more precise: on the absence of such routes. We block certain ASNs by adding them to an as-path access list with a "deny" rule. Something like:

ip as-path access-list 1 deny _22386_
ip as-path access-list 1 permit .*

neighbor xx.yy.zz.aa filter-list 1 in
This setup removes all routes that have ASN 22386 in their path. While incoming traffic from ASN 22386 can reach our network, replies never reach the source, as we do not have routes to ASN 22386. While this schema is not perfect, it works for us.
Now we are adding a second ISP B which only provides the default route over BGP. The question is: how to block the default route from ISP B from appearing in the routing table while ISP A's full view is functional? If both ISPs provided us with the full view there would be no problem, as we could block unnecessary routes from both ISPs. In the case of the default route, all traffic that is missing from the general routing table will go to the default route, which breaks the "as-path deny" idea. While I can achieve the goal via bgp advertise-map, I wonder if there is a nicer approach to reroute traffic to ISP B only in case ISP A fails. It is OK to lose the "as-path deny" feature while working over ISP B's default route.
Thank you.
6 Replies

Configure a static route toward the new ISP with a higher AD than eBGP (AD=20).

Perhaps there is something here that I am not understanding correctly. But it seems to me that a solution could be to use Local Preference (or Weight if both ISP connect on the same router) to make the routes from ISP A preferred. In this case the default from ISP B would be used only if the default route from ISP A is withdrawn.

HTH

Rick

kravetc
Level 1

There is no default route received from ISP A. ISP A provides full view BGP. And no default routes are configured on my router. If some network is not in the BGP/routing table it means that we do not know where to send the traffic, and such traffic is dropped. The problem is that ISP B does not provide a full view BGP. So, for example, you have a route from ISP A to 8.8.8.0/24 which you, for example, would like to block. Imagine you have 2 ISPs with full view. From both, you are receiving 8.8.8.0/24. So the BGP table looks like this:

8.8.8.0/24 -> via ISP A

8.8.8.0/24 -> via ISP B

The routing table looks like this:

8.8.8.0/24 -> via ISP A

Then you want to block 8.8.8.0/24. You add ASN 15169 (which is the source ASN for 8.8.8.0/24) with a "deny" rule to the as-path list and your router starts to reject 8.8.8.0/24 (from both ISPs), and now you do not have 8.8.8.0/24 in the routing table anymore. The traffic to 8.8.8.0/24 is dropped as no more routes are available (of course, it can be routed via 8.8.0.0/16 or 8.0.0.0/8 if such routes are available, but we do not consider such a possibility here).

But as soon as you introduce the default route 0.0.0.0 via ISP B, this schema stops working, as everything that does not have a more specific route will go via the default route. And the main idea is to prevent the default route from appearing in the routing table at all. Only if ISP A goes down should the default route via ISP B appear in the routing table.

Thanks to @Richard Burts and @MHM Cisco World for the suggestions, but AD and Local Pref/Weight will work if you have two routes of the same length from both ISPs. If you have 8.8.8.0/24 and 0.0.0.0/0 that will not work, and moreover, you do not want 0.0.0.0/0 to be present at all in our case.

UPD. Basically, I found one solution that should work: tracking the existing route via track/SLA and bringing the default route to ISP B up only if the tracking goes down. Not as nice as two BGP full views, but it should also work.

https://community.spiceworks.com/topic/2345286-ip-sla-track-reachability-for-static-routing


And the main idea is to prevent the default route to appear in the routing table at all. Only if ISP A goes down the default route via ISP B should appear in the routing table.

That's exactly what I suggest: add a default route with AD 100, and eBGP is 20 (via ISP A).

And the default route does not appear in the RIB since the router selects the lower AD 20.

When eBGP fails, then the default route will be injected.

Thanks for the update. Using track is an interesting approach and seems like it would work for you.

HTH

Rick

Hello
If you don't receive a default from ISP1 but you do from ISP2, then you can just add a static null default for ISP1, track the IP routing of ISP1, and if/when it fails the null route will be removed and the default from ISP2 will be installed in the route table.

Example:
track 1 interface (isp1 interface) ip routing
ip route 0.0.0.0 0.0.0.0 Null0 19 name ISP1_default_null track 1



Kind Regards
Paul
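To make the behaviour discussed in this thread concrete, below is an added Python model of the router's route selection; it is not code from any of the posters or from Cisco. It captures two facts about IOS that the thread hinges on: administrative distance only ranks candidates for the same prefix, while forwarding is decided by longest-prefix match, so a default route of any AD still attracts traffic for a prefix the as-path filter has removed. The AS numbers, prefixes and the way the Null0 default follows the tracked ISP A link are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

AD_EBGP = 20            # IOS default AD for eBGP-learned routes
AD_NULL_DEFAULT = 19    # Paul's tracked Null0 default, deliberately below eBGP


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str                 # "ISP_A", "ISP_B" or "Null0"
    ad: int
    as_path: tuple = ()           # BGP AS_PATH; empty for static routes


def net(s):
    return ipaddress.ip_network(s)


# Constructed sample of ISP A's full view (AS 64500 is a placeholder for ISP A):
# one prefix originated by AS 15169 (the thread's example) and one unrelated prefix.
ISP_A_FULL_VIEW = [
    Route(net("8.8.8.0/24"), "ISP_A", AD_EBGP, (64500, 15169)),
    Route(net("203.0.113.0/24"), "ISP_A", AD_EBGP, (64500, 64510)),
]

# Paul's 'ip route 0.0.0.0 0.0.0.0 Null0 19 ... track 1'.
NULL0_DEFAULT = Route(net("0.0.0.0/0"), "Null0", AD_NULL_DEFAULT)


def as_path_filter(routes, denied_asn):
    """Inbound 'ip as-path access-list N deny _<asn>_': drop routes carrying the ASN."""
    return [r for r in routes if denied_asn not in r.as_path]


def build_rib(candidates):
    """Per prefix, install the candidate with the lowest AD (modelled IOS behaviour)."""
    rib = {}
    for r in candidates:
        cur = rib.get(r.prefix)
        if cur is None or r.ad < cur.ad:
            rib[r.prefix] = r
    return rib


def lookup(rib, dst):
    """Forwarding decision: longest-prefix match; AD plays no part here."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib.values() if addr in r.prefix]
    if not matches:
        return "DROP"   # no route at all: the outcome the original poster relies on
    return max(matches, key=lambda r: r.prefix.prefixlen).next_hop


def router_rib(isp_a_up, denied_asn=15169, isp_b_present=True,
               isp_b_default_ad=AD_EBGP, tracked_null_default=False):
    """Candidate routes for one network state, then RIB selection.

    Assumption: 'track 1' follows ISP A's link, so when ISP A is down the
    tracked Null0 default is withdrawn (modelled as not being a candidate).
    """
    cands = []
    if isp_a_up:
        cands += as_path_filter(ISP_A_FULL_VIEW, denied_asn)
        if tracked_null_default:
            cands.append(NULL0_DEFAULT)
    if isp_b_present:
        # ISP B sends only a default; AD is eBGP's 20 for the BGP-learned default,
        # or whatever a static default pointing at ISP B is given instead.
        cands.append(Route(net("0.0.0.0/0"), "ISP_B", isp_b_default_ad, (64501,)))
    return build_rib(cands)


def forward(isp_a_up, dst, **state):
    """Where a packet to dst goes in the given state."""
    return lookup(router_rib(isp_a_up, **state), dst)


if __name__ == "__main__":
    print("ISP A only, 15169 denied          :", forward(True, "8.8.8.8", isp_b_present=False))
    print("ISP B default added (leak)        :", forward(True, "8.8.8.8"))
    print("ISP B default with AD 100 (leak)  :", forward(True, "8.8.8.8", isp_b_default_ad=100))
    print("Null0 default AD 19, track up     :", forward(True, "8.8.8.8", tracked_null_default=True))
    print("permitted prefix, track up        :", forward(True, "203.0.113.5", tracked_null_default=True))
    print("ISP A down, track down            :", forward(False, "8.8.8.8", tracked_null_default=True))
```

Running the script walks through the thread's states in order: with only ISP A the denied prefix is dropped; adding ISP B's default (at AD 20 or any higher AD) sends that traffic to ISP B because the default is the longest match; installing the Null0 default at AD 19 wins the 0.0.0.0/0 slot against ISP B's AD 20, so the traffic is discarded again while permitted prefixes still go to ISP A; once ISP A is down and the track fails, the Null0 route is gone and ISP B's default takes over.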