08-01-2013 08:56 AM - edited 03-04-2019 08:37 PM
Hello
Recently I acquired another company with (5) L2-only sites. I am phasing them into my L3 AVPN network.
The first phase is to get them onto the AVPN network. Routers and circuits have been ordered.
For now, I want to make sure the L3 network works amongst their own (5) sites, but I do not want to merge them into my
network just yet. See the diagram for how the network will look once ALL aspects of the merge are complete.
My question is, what specific WAN config statements will I want to add to their routers so that they only communicate amongst themselves.
WAN routing protocol is BGP, I believe the config should look something like:
router bgp (AS#)
no bgp log-neighbor-changes
network 0.0.0.0
network (Local LAN subnet)192.168.1.x
network (Local LAN subnet)192.168.10.x
network (Local LAN subnet)192.168.20.x
neighbor x.x.40-44.2 remote-as (AS#)
no auto-summary
The .40-43.2 are the AVPN PER WAN ip addresses for the new sites.
08-02-2013 01:14 PM
Can anyone provide any technical guidance pertaining to this specific objective?
08-02-2013 05:50 PM
Hi Coady,
Is the *current* routing protocol BGP amongst those acquired routers? Also, can you post the diagram of the final state?
Have you thought about using Private ASNs during the merge process?
08-05-2013 06:29 AM
The acquired routers are new. Currently the (5) sites do not have any layer 3 routing. The diagram does show the final state where all sites connect to our AVPN cloud.
08-05-2013 06:46 AM
Please provide more information on using Private AS's during the merge process.
08-05-2013 07:41 AM
Hello
I checked with my WAN provider. Using a Private ASN would require cancelling the current order and re-ordering the new WAN. Not an option.
With that, ALL of my sites are going to be on same AVPN. What I need to do now is to restrict routing advertisements.
The goal, for now, is to only allow these (5) new sites to route amongst each other until we can merge them into our network.
If we are all on the same AVPN network and using BGP, how can I keep those sites routing amongst each other only?
It seems the approach would be to not allow all the other sites to know what ip subnets are being used for the (5) new sites.
08-05-2013 10:11 AM
You could implement a route-map for your existing routers that filters announcements from the 5 new routers. This route map would be applied to the neighbors with a "neighbor x.x.40-44.2 remote-as route-map"
!!! Create a prefix list for matching local routes
ip prefix-list DENY-NEW-NETWORKS seq 10 permit 198.168.x.y/z
!!! Create route map for filtering
route-map DENY-NEW-ROUTERS deny 10
 match ip address prefix-list DENY-NEW-NETWORKS
!!! Catch-all so routes that do not match the prefix list are still accepted
route-map DENY-NEW-ROUTERS permit 20
end
!!! On existing routers, apply inbound to the neighbor statements for new sites:
router bgp ASN
 neighbor x.x.40.2 route-map DENY-NEW-ROUTERS in
end
If this config were placed on your existing routers, they would ignore all announcements from the 5 new routers. If you have a lot of existing routers, this could be cumbersome.
HTH
08-05-2013 11:02 AM
Joseph
Thank you for the response. I appreciate the command syntax.
Just so I understand, the first statement "ip prefix-list DENY-NEW-NETWORKS seq 10 permit 198.168.x.y/z"
The 192.168.x.x/z are the internal ip addresses of each subnet that would be advertised?
Let's say that 1 of these sites has (10) contiguous subnets to advertise; could the statement look as follows?
"ip prefix-list Deny-new-networks seq 10 permit 192.168.10.0/255.255.240.0"
Would there be any potential issues caused by this type of summarized statement?
Once again, thank you for the great info!
08-05-2013 11:33 AM
To cover multiple networks under a prefix list, you specify the mask length:
ip prefix-list DENY-NEW-NETWORKS seq 10 permit 192.168.10.0/20
This would work if you *actually* summarize the route in BGP (i.e. network 192.168.10.0 255.255.240.0 _and_ you have a static route for that network in your RIB).
If, however, you don't summarize in BGP, your prefix list changes slightly:
ip prefix-list DENY-NEW-NETWORKS seq 10 permit 192.168.10.0/16 le 20
In this case, you are covering all the networks from 192.168.0.0 - 192.168.15.0.
I'm assuming you have AT&T's MPLS VPN product? For your existing routers, you have iBGP full mesh plus an eBGP connection to an AT&T PE router?
I don't see an attachment with your diagram, that would really help me understand things better.
08-05-2013 12:19 PM
We do have the AT&T AVPN. We are using eBGP. Internal routing is handled by EIGRP.
Each site is setup the same
AVPN router>Cisco 3750 switch stack (MDF)>Cisco 375 switch stack(s) (IDF)
BGP on AVPN routers:
router eigrp #
distribute-list route-map Block_EIGRP_Routes_From_BGP_Redistribution in
default-metric 1000000 10 255 1 1500
network 192.168.x.x 0.0.0.0
redistribute connected
redistribute bgp ASNXYz
distance eigrp 10 10
!
router bgp ASNXYz
no bgp log-neighbor-changes
network 0.0.0.0
network 10.1.x.0 mask 255.255.240.0
network 10.1.x+.0 mask 255.255.240.0
network 192.168.1.0
network 192.168.10.0
network 192.168.100.0
etc...
neighbor x.x.7.2 remote-as !#!#!
neighbor x.x.7.2 soft-reconfiguration inbound
neighbor x.x.7.2 route-map PrependNetgate in
no auto-summary
!
route-map PrependNetgate permit 10
match as-path 1
set local-preference 90
!
route-map PrependNetgate permit 20
!
route-map Block_EIGRP_Routes_From_BGP_Redistribution deny 10
description Block all BGP to EIGRP Redistributed Routes Tagged !#!#!
match tag !#!#!
!
route-map Block_EIGRP_Routes_From_BGP_Redistribution permit 20
description Permit All Untagged Routes Into the Routing Table
EIGRP on MDF switch stack
router eigrp #
network 10.0.0.0
network 192.168.1.0
network 192.168.10.0
network 192.168.100.0
eigrp stub connected
08-05-2013 01:15 PM
So if I'm understanding this correctly:
If this is the case, you can achieve the same by creating the prefix-list as outlined previously and adding it to your "PrependNetgate" route-map
config t
!!! Deny the new sites' prefixes ahead of the existing sequences; the empty
!!! "permit 20" stays as the catch-all, otherwise every other route is dropped
route-map PrependNetgate deny 5
 match ip address prefix-list DENY-NEW-NETWORKS
end
You would need to implement that config on your existing routers. Assuming every X and N router on the AVPN gets the same set of updates, this would allow the X routers to filter routes from the N routers. In other words, the two sets of X and N routers would be disjoint.
I'm assuming you manage those AVPN routers using the WAN interface only?
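Two points in this thread are easy to get wrong and cheap to check before touching a production router: which prefix lengths an `ip prefix-list` entry with `le` actually matches (the /20 versus "/16 le 20" discussion above), and where a `deny` sequence must sit inside an existing route-map such as PrependNetgate so that the catch-all permit survives. The following Python model is an added example, not code from any participant or from Cisco; the 192.168.x.0/24 and 10.1.x.0/20 prefixes are constructed stand-ins for the new and existing sites, and `match as-path` is reduced to a flag on the route rather than a real AS-path regex.

```python
"""Model of IOS prefix-list matching and route-map sequence evaluation.

Added example for this thread, not a participant's code. The prefixes below are
constructed stand-ins for the five new sites (192.168.x.0/24 LAN subnets) and
for existing sites (10.1.x.0/20); as-path matching is reduced to a flag.
"""
import ipaddress


def entry_matches(entry, prefix):
    """One `ip prefix-list ... permit|deny NET/LEN [ge G] [le L]` line.

    IOS semantics: the candidate must lie inside NET/LEN, and its length must be
    exactly LEN (no ge/le), LEN..L (le only), G..32 (ge only) or G..L (both).
    entry = (action, "NET/LEN", ge, le); NET is normalised to its network address.
    """
    action, net_str, ge, le = entry
    net = ipaddress.ip_network(net_str, strict=False)
    cand = ipaddress.ip_network(prefix)
    if ge is not None and le is not None:
        lo, hi = ge, le
    elif ge is not None:
        lo, hi = ge, cand.max_prefixlen
    elif le is not None:
        lo, hi = net.prefixlen, le
    else:
        lo = hi = net.prefixlen
    return cand.subnet_of(net) and lo <= cand.prefixlen <= hi


def prefix_list_permits(entries, prefix):
    """First matching entry decides; an unmatched prefix is implicitly denied."""
    for entry in entries:
        if entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False


def route_map_action(route_map, route, prefix_lists):
    """Walk sequences in order; a sequence with no match clause matches everything.

    route_map: [(seq, action, match)] with match None, ("prefix-list", name) or
    ("as-path", acl). route: {"prefix": str, "as_path_acl": int | None}.
    Falling off the end is the implicit deny.
    """
    for _seq, action, match in sorted(route_map, key=lambda s: s[0]):
        if match is None:
            return action
        kind, arg = match
        if kind == "prefix-list":
            hit = prefix_list_permits(prefix_lists[arg], route["prefix"])
        else:  # "as-path": stand-in for `match as-path N`
            hit = route["as_path_acl"] == arg
        if hit:
            return action
    return "deny"


# Prefix-list variants from the thread, applied to a /24 from a new site.
EXACT_20 = [("permit", "192.168.10.0/20", None, None)]   # only the exact /20
LE_20 = [("permit", "192.168.10.0/16", None, 20)]        # lengths /16 .. /20 only
LE_24 = [("permit", "192.168.0.0/20", None, 24)]         # lengths /20 .. /24, catches LAN /24s

PREFIX_LISTS = {"DENY-NEW-NETWORKS": LE_24}

# Turning the empty `permit 20` into a matching `deny 20` leaves no catch-all.
PREPEND_SEQ20_REPLACED = [
    (10, "permit", ("as-path", 1)),
    (20, "deny", ("prefix-list", "DENY-NEW-NETWORKS")),
]
# Deny the new prefixes first and keep the catch-all permit intact.
PREPEND_DENY_FIRST = [
    (5, "deny", ("prefix-list", "DENY-NEW-NETWORKS")),
    (10, "permit", ("as-path", 1)),
    (20, "permit", None),
]

NEW_SITE = {"prefix": "192.168.12.0/24", "as_path_acl": None}    # constructed
EXISTING_SITE = {"prefix": "10.1.16.0/20", "as_path_acl": None}  # constructed


def summary():
    """Return the outcomes a practitioner would check before deploying."""
    return {
        "exact_20_matches_24": prefix_list_permits(EXACT_20, NEW_SITE["prefix"]),
        "le_20_matches_24": prefix_list_permits(LE_20, NEW_SITE["prefix"]),
        "le_24_matches_24": prefix_list_permits(LE_24, NEW_SITE["prefix"]),
        "seq20_replaced_existing": route_map_action(PREPEND_SEQ20_REPLACED, EXISTING_SITE, PREFIX_LISTS),
        "deny_first_existing": route_map_action(PREPEND_DENY_FIRST, EXISTING_SITE, PREFIX_LISTS),
        "deny_first_new": route_map_action(PREPEND_DENY_FIRST, NEW_SITE, PREFIX_LISTS),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

Running it shows that neither the exact `/20` entry nor `/16 le 20` matches a /24 LAN subnet, so those entries only filter the new sites if their routers actually summarize; an entry ending in `le 24` is what catches unsummarized /24s. It also shows that a route-map whose last sequence is a `deny` with a match clause drops every route from the existing sites, while a `deny` placed before the untouched catch-all permit filters only the new prefixes.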
08-06-2013 06:06 AM
Joseph
Excellent!! Thank you.