12-20-2006 10:05 AM - edited 03-03-2019 03:07 PM
I currently have 2 3725s multi-homed to 2 different ISPs. Everything's been working fine, but recently one of the ISPs had me change their session for a hardware upgrade. They require that I NOT send the full routing tables from my router, but they can't/don't feel like telling me how to properly configure the filter. I'm pretty green when it comes to BGP, so I'm trying to figure out how to keep the router from sending the routing table to my provider. I created a filter for our IP block, but that didn't seem to work. Do I need to do anything else? Should I create a "deny" filter for everything else? Can anyone enlighten me?
Thanks.
12-20-2006 10:21 AM
BGP has lots of ways to do the same thing.
You could match an AS path of ^$, which means you originated them.
You could match the address ranges with a route-map.
You could set the community on the routes as they came in from the providers to no-export so they do not get sent out.
There are probably more.
12-20-2006 10:52 PM
In addition to Tim's post, check the link below for samples.
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009456d.shtml
Please post your config if there is still a problem. Let's help troubleshoot it.
Hope this helps.
12-27-2006 07:48 AM
Just create a simple route-map and advertise the required subnets to the upstream:
access-list 1 permit
route-map filter-block permit 10
 match ip address 1
router bgp 100
 neighbor x.x.x.x remote-as 200
 neighbor x.x.x.x route-map filter-block out
HTH
Narayan
12-27-2006 07:52 PM
I'd suggest a two-pronged approach - use filter-lists to control which ASes you advertise out and use distribute-lists to control which subnets to advertise out.
It avoids the strangest of routing issues from cropping up (which probably won't in your setup) - for example, if you hear about one of your customer networks via another AS then the subnet will match the distribute list but not be originated from you.
Here's an example:
router bgp X
 neighbor 1.2.3.4 remote-as 1234
 neighbor 1.2.3.4 distribute-list ANNOUNCE-TRANSIT out
 neighbor 1.2.3.4 filter-list 10 out
!
ip as-path access-list 10 permit ^$
ip as-path access-list 10 deny .*
ip access-list standard ANNOUNCE-TRANSIT
 permit 10.0.0.0 0.0.0.255
 permit 10.0.10.0 0.0.0.255
!
This way you lock down which subnets you're announcing and originating from.
You can check what you're announcing by using "show ip bgp nei
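The two-pronged filter from the post above, modelled as an added Python example that is not part of the original thread. The sample BGP table entries and the AS numbers in them are constructed; the ACL entries are the ones in the post. It shows the case the post describes (a prefix that matches the distribute-list but was heard via another AS), and that a standard ACL compares only the network address, not the prefix length.

```python
import ipaddress
import re

# Policy from the post above: standard ACL ANNOUNCE-TRANSIT (base, wildcard)
# and as-path access-list 10 (first match wins, implicit deny at the end).
ANNOUNCE_TRANSIT = [("10.0.0.0", "0.0.0.255"), ("10.0.10.0", "0.0.0.255")]
AS_PATH_ACL_10 = [("permit", r"^$"), ("deny", r".*")]


def acl_permits(network, acl):
    """Standard ACL: compare only the network address against base/wildcard."""
    addr = int(ipaddress.ip_network(network).network_address)
    for base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.ip_address(base)) & care):
            return True
    return False  # implicit deny


def as_path_permits(as_path, acl):
    """AS-path ACL: first matching regex decides; no match means deny."""
    for action, pattern in acl:
        if re.search(pattern, as_path):
            return action == "permit"
    return False


def outbound_decision(route):
    """Return (advertised, reason) for one (prefix, as_path) table entry.

    The check order here is a simplification; a route must pass both filters.
    """
    prefix, as_path = route
    if not acl_permits(prefix, ANNOUNCE_TRANSIT):
        return False, "prefix not in ANNOUNCE-TRANSIT"
    if not as_path_permits(as_path, AS_PATH_ACL_10):
        return False, "not locally originated"
    return True, "advertised"


# Constructed sample BGP table entries: (prefix, AS path string).
SAMPLE_TABLE = [
    ("10.0.0.0/24", ""),               # our own block, originated here
    ("10.0.10.0/24", "65010"),         # our block, but heard via another AS
    ("192.0.2.0/24", "64500 64501"),   # Internet route learned from one ISP
    ("198.51.100.0/24", ""),           # local route that is not in the ACL
]

if __name__ == "__main__":
    for route in SAMPLE_TABLE:
        print(route, outbound_decision(route))
```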
01-05-2007 07:03 AM
Remove the redistribute command under BGP.
Add a static route to null0 of the route you want to advertise to the ISP.
Add a network statement to BGP with the route and mask you want to advertise to the ISP.
Example:
ip route 207.1.0.0 255.255.0.0 null0
router bgp 1111
network 207.1.0.0 mask 255.255.0.0
no redistribute
01-05-2007 08:32 AM
All these ways should work, but there is one more thing. BGP doesn't send updates/withdraw routes when you change your policies!
i.e. after configuring one of the above mentioned filters and assigning it to the appropriate neighbor, you also have to
'clear ip bgp x.x.x.x'
where x.x.x.x is the BGP neighbour addr.
Try to add 'soft out' first!
Mike
10-08-2023 02:55 AM
Hi all,
Please tell me, why is the ISP not doing this?
Why do we need to create an access-list, instead of the ISP restricting out routes?
10-08-2023 05:00 AM
The ISPs likely don't filter out (to client) because client likely wants their Internet routes.
ISPs could, and perhaps should, filter in (from client) routes, but it's more efficient (for ISPs) for client to filter routes. I.e. why should ISPs use their CPU cycles filtering routes they shouldn't be receiving?
10-08-2023 05:45 AM
A slightly different perspective is that if the ISP were to filter routes advertised by the customer then the ISP is creating and enforcing a policy for customer routes. How does the ISP know exactly what routes the customer should advertise? How would the ISP know if there were some change in the customer network that meant a new route was added or that an existing route should be removed?
10-08-2023 06:00 AM
Rick is correct, although any ISP would likely not accept whatever a client sends to them without some sanity enforcement. Usually what both ISPs and their client desire is for the client NOT to be a transient between the ISPs.