
EBGP routing manipulation

SJ K
Level 5

Hi all

 

I am new to EBGP and have been tasked to do some immediate setup.

Not asking for direct answers, but rather I hope the gurus here will be able to confirm my understanding and provide some suggestions to avoid any rookie mistakes I might make.

cisco.jpg
 

R10 is connected to R1-3 through 2 x /30 point-to-point links

 

1) R10 will learn R1-3 prefixes and R1-3 will learn R10 prefixes
2) R1-3 will not learn prefixes of each other through R10
3) R10 to make sure traffic always goes through the 1st link and also make sure that R1-3 always send traffic through the 1st link as well / only when the 1st link is down should traffic use the 2nd link

4) R10 will not learn any prefix that is not pre-negotiated with the neighbor technical team (e.g. R1 is supposed to only advertise 1.1.1.1/24 - R10 will only accept this)

 

For 3) I am thinking of using

local preference to make sure traffic always use the 1st link

MED to influence the peer to send traffic through the 1st link

- Is this the right way to do it? Is there any way to make sure the peer always sends traffic through the 1st link as well?

 

For 2) I read about the no-export community, but that seems to require the peer to send it to me instead? Is this correct?

 

For 4) I have no idea ... how do I make sure that R10 only accepts those prefixes that it is supposed to receive?

 

Any help / advice will be useful


Based on your OP, the following could be an applicable approach. However, I'm sure others will have differing views or better viable suggestions given the complexity of BGP and the many options available within this EGP.


1 - Advertise via the BGP network command.
2 - Apply as-path filtering to ensure ASN 10 doesn't become a transit path between your ISPs.
3 - Set weight preference on ingress routes between ISP neighbours, highest value most preferred.
Set as-path prepend towards ISP3/ISP2, giving ISP3 the longest prepend, then ISP2. This would in theory make ISP1 the preferred ingress path. However, you have no control over how the ISPs advertise their own routes, so it's not 100% certain the return path would always be through ISP1.

4 - You could filter inbound locally with a prefix-list, or use a feature called outbound route filtering to negotiate with your ISP which routes you would like to receive. This would negate your router from receiving all routes unprocessed before they are subjected to any filtering, which saves the router's CPU/memory (requires input from your ISP).


Summary-
ip as-path access-list 10 permit ^$

route-map as-path-prepend-isp2 permit 10
set as-path prepend 10 10

route-map as-path-prepend-isp3 permit 10
set as-path prepend 10 10 10


ip prefix-list ORFx seq 5 deny x.y.0.0/
ip prefix-list ORFx seq 10 deny x.0.0.0/y
etc..
ip prefix-list ORFx seq 99 permit 0.0.0.0/0 le 32


router bgp 10
! 1 - advertise the local prefixes
network x.x.x.x mask x.x.x.x
network x.x.x.x mask x.x.x.x
etc..
! 2 - advertise only routes with an empty AS path, so AS 10 is not a transit
neighbor <isp1> filter-list 10 out
neighbor <isp2> filter-list 10 out
neighbor <isp3> filter-list 10 out

! 3 - weight on received routes, AS-path prepend towards ISP2 and ISP3
neighbor <isp1> weight 5xxxx
neighbor <isp2> weight 4xxxx
neighbor <isp2> route-map as-path-prepend-isp2 out
neighbor <isp3> route-map as-path-prepend-isp3 out

! 4 - inbound prefix filter, also sent to the ISP as an outbound route filter (ORF)
! the name applied here must match the prefix-list defined above
neighbor <isp1> prefix-list ORFx in
neighbor <isp1> capability orf prefix-list send
neighbor <isp2> prefix-list ORFx in
neighbor <isp2> capability orf prefix-list send
neighbor <isp3> prefix-list ORFx in
neighbor <isp3> capability orf prefix-list send



Kind Regards
Paul

Giuseppe Larosa
Hall of Fame

Hello @SJ K ,

R10 has three eBGP sessions with R1 in AS1, R2 in AS2, R3 in AS3.

All routers will use eBGP sessions terminated on loopbacks (best practice) instead of activating two eBGP sessions per peer. This requires static routes, the use of neighbor x.x.x.x update-source loop0, and the use of an increased eBGP TTL of 2 (the default is 1, valid for direct physical links only).

2) The best way is to configure an AS path access-list that allows only an empty AS path to be advertised. The local AS is appended to routes only after the check.

! ^$ = '' means an empty string

ip as-path access-list 1 permit ^$

route-map NO-TRANSIT1 permit 10

match as-path 1

! NO-TRANSIT2 and NO-TRANSIT3 must be defined the same way as NO-TRANSIT1

router bgp 10

neighbor 1.1.1.1 route-map NO-TRANSIT1 out

neighbor 2.2.2.2 route-map NO-TRANSIT2 out

neighbor 3.3.3.3 route-map NO-TRANSIT3 out

 

Edit: as noted by @paul driver, for return traffic you need to add your own AS prepend in an increasing way to AS2 and then AS3, but be aware that in the real world this can work or not. Using MED would be appropriate only if AS1, AS2 and AS3 have agreements between them and the customer. AS path prepending is the way to go in general.

 

3) neighbor local-preference or Cisco proprietary weight can be used for this

 

4)  

You can use prefix-lists and route-maps to be invoked inbound

 

ip prefix-list  AS1-PREFIXES permit 0.0.0.0/0

ip prefix-list AS1-PREFIXES permit 195.200.0.0/16 le 24

 

route-map AS1-PREFIXES-IN permit 10

match ip address prefix-list AS1-PREFIXES

 

Please note that in the real world, for internet access, all providers must provide the default route 0.0.0.0/0 to AS 10.

 

router bgp 10

neighbor 1.1.1.1 route-map AS1-PREFIXES-IN in

 

The same for all the others.

This allows for:

rx def route only or def route + partial routes

The preference / weight applies only for those prefixes that are advertised by all three providers AS1, AS2 and AS3.

 

Hope to help

Giuseppe
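
Added example (not part of the original thread or of either reply): a small Python model of how IOS evaluates the prefix-list entries quoted above, showing that the AS1-PREFIXES list is an allow-list while a final "permit 0.0.0.0/0 le 32" entry accepts anything not denied earlier, plus the "^$" check used for the no-transit filter. The function names, the sample routes and the sample AS paths are constructed for illustration.

```python
import ipaddress
import re

def parse_entry(line):
    """Parse 'ip prefix-list NAME [seq N] permit|deny PREFIX [ge X] [le Y]'."""
    tok = line.split()
    i = 5 if tok[3] == "seq" else 3
    action, net = tok[i], ipaddress.ip_network(tok[i + 1])
    opts = dict(zip(tok[i + 2::2], map(int, tok[i + 3::2])))
    # IOS semantics: without ge/le only the exact prefix length matches.
    lo = opts.get("ge", net.prefixlen)
    hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
    return action, net, lo, hi

def evaluate(lines, route):
    """First matching entry wins; no match falls through to the implicit deny."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in map(parse_entry, lines):
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"

def passes_empty_as_path(as_path):
    """Outbound 'permit ^$': only locally originated routes (empty path) pass."""
    return re.search(r"^$", as_path) is not None

# Allow-list from the reply above: default route plus /16../24 in 195.200.0.0/16.
ALLOW_LIST = [
    "ip prefix-list AS1-PREFIXES permit 0.0.0.0/0",
    "ip prefix-list AS1-PREFIXES permit 195.200.0.0/16 le 24",
]
# Final entry of the ORFx list from the first reply: matches every IPv4 prefix.
CATCH_ALL = ["ip prefix-list ORFx seq 99 permit 0.0.0.0/0 le 32"]

# Constructed sample routes received from AS1 (not taken from the thread).
RECEIVED = ["0.0.0.0/0", "195.200.0.0/16", "195.200.4.0/24",
            "195.200.4.128/25", "10.0.0.0/8"]

def report():
    return {r: (evaluate(ALLOW_LIST, r), evaluate(CATCH_ALL, r)) for r in RECEIVED}

if __name__ == "__main__":
    for route, (allow, catch_all) in report().items():
        print(f"{route:<18} allow-list={allow:<7} catch-all={catch_all}")
    # Constructed AS paths as seen on R10 before advertising to a peer.
    for path in ["", "2", "3 64500"]:
        print(f"as-path {path!r:<10} advertised={passes_empty_as_path(path)}")
```

For requirement 4 in the question, the list applied inbound has to end at the implicit deny, as AS1-PREFIXES does; the unexpected 10.0.0.0/8 and the too-specific /25 are rejected only in that case.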

 

 
