BGP local preference or default-originate?

thepopp
Level 1

I am trying to re-route default route traffic out a different interface than it currently exits.

The problem is that there is an ISP-provided firewall that I have no experience with, and concern that it won't pass traffic that it should or block traffic it shouldn't.

The ISP has already told me things that weren't correct from the very beginning therefore I would like to be able to control whether I use their advertised default route or the currently defined one.

I have been told that I can set the community value to something larger than 100 (their default value) and ignore their BGP advertised routes (or lower to accept). The ONLY thing I will ever send down this path is the default route traffic.

I have been told that I can set the community value to something larger than 100 and this effectively ignores their advertised routes (which is really the default route anyway).

I haven't done much with BGP so I'm not sure what the command(s) is/are, so any help here would be appreciated.

The initial effort to do this required that I remove the config step by entering 'no neighbor x.x.x.x default-originate' under the router bgp config. Re-entering the command 'neighbor x.x.x.x default-originate' appeared to effectively re-route traffic as it originally was.

I would like to be able to effectively re-route traffic in order to test the functionality of the ISP-provided firewall as time permits.

Is there any drawback to using the (no) default-originate method or is there any benefit to using the set community option?

Thanks!

4 Replies

Hello,

the 'neighbor x.x.x.x default-originate' command advertises the default route to just this neighbor and no other neighbor. Removing that configuration obviously removes the default route as well. If you remove the default route, the only thing that gets advertised is what you configure under the BGP process with the 'network' command (provided that what you advertise is in the routing table).

Actually, if this is a live network, I would be careful with removing anything including the default-originate. Also, if you have the 'set community' configured for your neighbor, the reason for that is probably that your ISP only accepts routes with the specified community, and if you remove it, all traffic will be rejected.

Can you post the BGP part of the configuration? That would make it easier to tell you what to look out for...

Thanks for your reply gpauwen!

The following are the config statements related to this neighbor.

neighbor x.x.x.155 remote-as 10000
neighbor x.x.x.155 update-source GigabitEthernet1/1
neighbor x.x.x.155 send-community
neighbor x.x.x.155 default-originate
neighbor x.x.x.155 soft-reconfiguration inbound
neighbor x.x.x.155 prefix-list LocalRoutes-Out out
neighbor x.x.x.155 route-map ISPPREF in
neighbor x.x.x.155 route-map SET_AS_PATH out

My earlier statements were incorrect. We actually send all traffic into an MPLS cloud and then it is routed through the MPLS cloud and out to different company sites, depending on the private IP address range. What we are trying to do is dump all default traffic (not company-specific traffic) out their MPLS firewall.
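An added configuration example, not from the thread or any participant, showing the two toggles the thread title asks about: an inbound policy that accepts or ignores the default route the ISP sends, and a conditional default-originate that can be switched without editing the neighbor statement. It assumes the session to x.x.x.155 from the posted config, that ISPPREF is the inbound route-map there (if it already has clauses, the deny must sit before any permit that would match 0.0.0.0/0), and every other name below (DEFAULT_ONLY, MARKER_ROUTE, ADV_DEFAULT_IF, the 192.0.2.0/24 documentation-range marker, the AS number placeholder) is made up.

```cisco
! --- Inbound side: accept or ignore the default the ISP sends --------------
ip prefix-list DEFAULT_ONLY seq 5 permit 0.0.0.0/0
!
! A lower local preference only loses to ANOTHER BGP path for 0.0.0.0/0.
! If the ISP default is the only BGP path it is still best and is installed
! (eBGP AD 20 beats a floating static at AD 250), so local-preference alone
! does not "ignore" it. To ignore it, deny it here; to use it again, change
! "deny" to "permit" (optionally with "set local-preference") and soft-clear.
route-map ISPPREF deny 10
 match ip address prefix-list DEFAULT_ONLY
route-map ISPPREF permit 20
 description leave every other prefix from the ISP as received
!
! --- Outbound side: advertise the default without editing the neighbor -----
! A conditional default-originate checks the local routing table against the
! route-map; the default is sent only while some installed route matches.
ip prefix-list MARKER_ROUTE seq 5 permit 192.0.2.0/24
route-map ADV_DEFAULT_IF permit 10
 match ip address prefix-list MARKER_ROUTE
!
router bgp <your-as-number>
 neighbor x.x.x.155 route-map ISPPREF in
 neighbor x.x.x.155 default-originate route-map ADV_DEFAULT_IF
!
! Toggle: add the marker route to advertise the default, remove it to
! withdraw the default. Null0 keeps the marker from attracting real traffic.
ip route 192.0.2.0 255.255.255.0 Null0
! no ip route 192.0.2.0 255.255.255.0 Null0
!
! After changing ISPPREF, re-apply the inbound policy without a session reset
! (possible because soft-reconfiguration inbound is already configured):
! clear ip bgp x.x.x.155 soft in
!
! Verify before and after each change:
! show ip bgp 0.0.0.0/0
! show ip bgp neighbors x.x.x.155 advertised-routes
! show ip route 0.0.0.0 0.0.0.0
```

Running the three show commands before the change gives a baseline to diff against after hours, which is the point where a wrong assumption about what the ISP sends becomes visible.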

Hello,

are there any 'network' statements under your BGP configuration? It looks like you are just advertising the default route out to your BGP neighbor, and no traffic is filtered at your site.

Do you have any control or access to the firewall? My guess is that if any traffic filtering is done, that is where it is done.

Hi,

There is a single network statement in BGP (or anywhere), which is the company-specific private IP network range. There is a proxy server and proxy scripts involved locally.

I have configuration access to the firewall and that is certainly where filtering is done. I know that I can recreate the filtering rules as needed. There is a low comfort level for things not functioning as they do currently and I am trying to test this as completely as possible during non-business hours. My goal is to be able to use the current path during business hours and change the default path for testing after hours until I have validated it thoroughly.