Re: BGP transit AS

Hasrat Raja · ‎03-10-2018

Hello,

I have 2 MPLS routers from different carriers on remote site, iBGP between them is via core switch over ospf, they don't have a direct connection between them. I have following access list applied to both router's EBGP peers to carriers

!
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
!

When I enable both circuits, traffic from hub site learnt form one carrier is advertised from other causing a loop, I have shut down one circuit, what is needed to fix this ?

Thanks

Deepak Kumar · ‎03-10-2018

Hi,

How are you applied to the BGP configuration?

Did you applied to BGP neighbor:

neighbor x.x.x.x filter-list 1 out

The ^$ regular expression ensures that we will only advertise locally originated prefixes. We’ll have to apply this filter to both ISPs.

or you can apply the same to the route map.

ip as-path access-list 1 permit ^$ 

router bgp XX 
 neighbor XXXXXX route-map Test out 

route-map Test permit 10 
 match as-path 1

and second thing:

I am not sure that ip as-path access-list 1 deny .* is making any help to you. Try to remove it.

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Predrag Jovic · ‎03-11-2018

ip as-path access-list 1 permit ^$

ip as-path access-list 1 deny .*

is equivalent to

ip as-path access-list 1 permit ^$

implicit deny is at the end = ip as-path access-list 1 deny .*

:)

Richard Burts · ‎03-11-2018

As both previous posts have pointed out the deny statement in the as path access list is not needed. But having it in the access list would not cause the AS to become a transit AS. As Deepak points out the issue may be in the way that it was applied. The original poster should either confirm that the suggestions have been implemented and it now works or if it is still not working then should post the configs so that we can evaluate the problem.

HTH

Rick

HTH

Rick

Hasrat Raja · ‎03-11-2018

Hi Deepak,

Thank you for your reply, it is applied to both ISP's, it works on site where iBGP is established over direct link between routers not via OSPF, is there a difference in BGP routing table for iBGP if learnt through IGP.

regards,

Deepak Kumar · ‎03-11-2018

Hi,

Can you share both configurations for better understand the issue?

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hasrat Raja · ‎03-11-2018

Hi Deepak,

Please see BGP configurations:

Working with direct connection, iBGP peer as loopback
======================================================
!
neighbor ibgp-peer peer-group
neighbor ibgp-peer remote-as 64888
neighbor ibgp-peer update-source Loopback0
neighbor ibgp-peer next-hop-self
neighbor ebgp-peer peer-group
neighbor ebgp-peer remote-as 65000
neighbor ebgp-peer route-map BGP_in in
neighbor ebgp-peer route-map BGP_out out
neighbor 10.0.X.X peer-group ibgp-peer
neighbor 152.X.X.X peer-group ebgp-peer
!
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
!
route-map BGP_out permit 10
match as-path 1
!

Not Working iBGP via core OSPF, iBGP peer as loopback
======================================================
!
neighbor INTERNAL peer-group
neighbor INTERNAL remote-as 64456
neighbor INTERNAL update-source Loopback0
neighbor 10.0.X.X peer-group INTERNAL
neighbor 10.0.X.X description iBGP
neighbor 152.X.X.X remote-as 65000
neighbor 152.X.X.X route-map BGP_in in
neighbor 152.X.X.X route-map BGP_out out
!
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*
!
route-map BGP_out permit 10
match as-path 1
!

Thanks

Predrag Jovic · ‎03-11-2018

iBGP neighbors in different AS?

neighbor ibgp-peer remote-as 64888

neighbor INTERNAL remote-as 64456

Second router does not have neighbor ibgp-peer next-hop-self.

Is there present network command or redistribution to advertise anything into BGP (since there is no configuration details regarding BGP networks)?

Hasrat Raja · ‎03-11-2018

Hi,

These configs are from 2 different remote sites from router1 of each site, using "aggregate-address 10.0.X.0 255.255.240.0 summary-only" command for BGP routes, issue is routes learnt from one ISP is sent out other ISP on not working site

Thanks

Predrag Jovic · ‎03-11-2018

Does exact matching route to summary route exist in routing table?

Predrag Jovic · ‎03-11-2018

What you are trying is to advertise only local routes. According to as-path REGEX routes learned from any site will not be readvertised to other routers - only local routes can be advertised.

Hasrat Raja · ‎03-11-2018

Hi,

This is what I thought, but these are being re advertised & I have to shut iBGP peer, that's why wondering if BGP routing table treats iBGP routes learnt via OSPF differently than if there is a direct connection between routers & iBGP routes are learnt via direct connection

thanks

Hasrat Raja · ‎03-11-2018

Hi,

there is "redistribute ospf" command in BGP of working site, if it make any difference to advertised routes

thanks

Richard Burts · ‎03-11-2018

I am wondering about this statement "if BGP routing table treats iBGP routes learnt via OSPF differently than if there is a direct connection between routers" and especially trying to understand the learnt via OSPF part. Is the router really learning the routes via OSPF? The BGP routes should be learned via BGP and not learned via OSPF. Perhaps you can post the output of show ip bgp from one of the routers that is not working as expected, and identify some of the routes in the table that are at issue (learned from one external peer and advertised to the other external peer).

HTH

Rick

HTH

Rick

Hasrat Raja · ‎03-11-2018

Hi,

There was a typo in route map applied to peer in router 2, BGP-out instead of BGP_out, should have picked it up before posting

thanks