BGP connect to two different ASNs, private network, keep isolated

NeverOutofTune
Level 1

BGP running across IPSEC tunnels routing private IP addresses as shown below between HQ and VendorA.  Need to add VendorB for routing between HQ and VendorB.  VendorA and VendorB shall not communicate with each other (at least not via HQ). 

Current configuration operational to VendorA.  Will the BGP configurations in R1 and R2 for VendorA need to be placed into an IP ADDRESS FAMILY and a second IP ADDRESS FAMILY configuration created for VendorB?

Current Configuration snips:

R1:


router bgp 65001
bgp log-neighbor-changes
timers bgp 10 30 30
neighbor 172.16.0.1 remote-as 100
neighbor 172.16.0.1 default-originate route-map VendorA-out
neighbor 172.16.0.1 distribute-list 1 in
neighbor 172.16.0.1 route-map VendorA-out out

access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny any

route-map VendorA-out permit 10
set as-path prepend 65001 65001 65001 65001 65001

R2:


router bgp 65001
bgp log-neighbor-changes
timers bgp 10 30 30
neighbor 172.16.1.1 remote-as 100
neighbor 172.16.1.1 default-originate route-map VendorA-out
neighbor 172.16.1.1 distribute-list 1 in
neighbor 172.16.1.1 route-map VendorA-out out

access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny any

route-map VendorA-out permit 10
set as-path prepend 65001 65001 65001

[Image: network diagram teater_1-1674942949903.png showing HQ (R1, R2) with IPsec tunnels to VendorA and VendorB]

8 Replies

balaji.bandi
Hall of Fame

What will be the AS for Vendor B?

You need to create an IPv4 address family and activate it. If you do not want Vendor A and Vendor B to talk to each other,

you need to create an ACL, and also filter with the ACL.

You can see some BGP case studies in general to get the idea:

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/26634-bgp-toc.html?referring_site=bodynav

Personally, for these kinds of scenarios I use VRFs from the security point of view, and isolation is easy.

BB


VendorB ASN is 200.  Please keep in mind the ASN and IP addresses have been sanitized and are not the actual values.

I too would like to use VRFs.  For this scenario, adding VendorB must not cause any down time to VendorA so modifications to VendorA must be non-disruptive.

In HQ, advertise a default route to both vendors.
The answer to your Q is on the Vendor side, not the HQ side. Please can I see the config of the Vendor?

I do not have configurations for Vendors A & B.  These are not ISPs.

HQ will advertise the default route to Vendors A & B.  Vendors A & B only have the two subnets (one each) as shown in the drawing.  The default route to the Internet is through a firewall not shown.

Hello
Are you showing all the BGP configuration of your rtrs? I don't see any iBGP sessions between the rtrs in ASN65001 and HQ, so the assumption is you are redistributing into an IGP within the HQ.

To keep those vendors separate, without using any ACLs or having MBGP running, would be to use a VRF for each vendor; as such they will have path isolation.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I am using EIGRP internally on the two routers and the layer 3 switch.  I am redistributing BGP into the EIGRP process.

I believe I have a handle on the route advertisements and this may not be a problem for me as the only routes Vendor A and Vendor B should be advertising are the private subnets as shown.

My question is more around the BGP configurations in R1 and R2: if they need to be redone such that Vendor A information is put into an ip address family sub configuration, or can I just add Vendor B information in an ip address family and leave Vendor A configuration as is, assuming it is using the invisible ip address family?

Hello
Using BGP Address Family (AF) within separate VRFs will provide the isolation you require.


Kind Regards
Paul
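As an added example (not the OP's config, and not Paul's or balaji.bandi's), this is R1 with the existing VendorA session and a new VendorB session (ASN 200) each placed in its own VRF under its own IPv4 address family, which is the isolation both replies point to. The tunnel interface numbers, R1's tunnel-side addresses and VendorB's 192.168.1.0/24 subnet are assumptions.

```cisco
! Added example, not the OP's running config. Tunnel numbers, R1's
! tunnel addresses and VendorB's 192.168.1.0/24 are assumed values.
ip vrf VENDORA
 rd 65001:100
!
ip vrf VENDORB
 rd 65001:200
!
! Moving a tunnel into a VRF clears its IP address, so re-enter it.
interface Tunnel100
 ip vrf forwarding VENDORA
 ip address 172.16.0.2 255.255.255.252
!
interface Tunnel200
 ip vrf forwarding VENDORB
 ip address 172.16.2.2 255.255.255.252
!
! Inbound filters: accept only each vendor's own private subnet.
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny any
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
!
route-map VendorA-out permit 10
 set as-path prepend 65001 65001 65001 65001 65001
route-map VendorB-out permit 10
 set as-path prepend 65001 65001 65001 65001 65001
!
router bgp 65001
 bgp log-neighbor-changes
 timers bgp 10 30 30
 ! VendorA: same neighbor statements as before, now under its VRF AF.
 address-family ipv4 vrf VENDORA
  neighbor 172.16.0.1 remote-as 100
  neighbor 172.16.0.1 activate
  neighbor 172.16.0.1 default-originate route-map VendorA-out
  neighbor 172.16.0.1 distribute-list 1 in
  neighbor 172.16.0.1 route-map VendorA-out out
 exit-address-family
 ! VendorB (ASN 200): separate AF and table, so VendorA's 192.168.0.0/24
 ! is never in VendorB's BGP table and traffic cannot cross VRFs at R1.
 address-family ipv4 vrf VENDORB
  neighbor 172.16.2.1 remote-as 200
  neighbor 172.16.2.1 activate
  neighbor 172.16.2.1 default-originate route-map VendorB-out
  neighbor 172.16.2.1 distribute-list 2 in
  neighbor 172.16.2.1 route-map VendorB-out out
 exit-address-family
```

Check with "show ip bgp vpnv4 vrf VENDORA summary" and "show ip route vrf VENDORB"; neither VRF table should contain the other vendor's prefix. HQ's routes still have to be leaked into each VRF (for example static routes with the global keyword) and the vendor subnets back toward EIGRP, and moving the VendorA neighbor and tunnel into a VRF resets that session, so this step is not non-disruptive for VendorA.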

NeverOutofTune
Level 1

The requirements changed and Vendor A will need to communicate with Vendor B through HQ.  This simplifies the configuration to just adding another neighbor to the BGP configuration.

From what I can tell, the Address Family (AF) configuration is cosmetic for my situation.
