03-20-2024 01:06 AM - edited 03-20-2024 01:29 AM
Hello everyone.
My knowledge of BGP is not very great. I started administering some infrastructure and I don't know it completely yet.
I don't have much knowledge about Cisco routers; I used Juniper.
Namely:
I have two Cisco 8300 edge routers running Cisco IOS XE 17.3.
I have BGP sessions with two ISPs on both routers. The session to ISP3 is disabled because the ISP1 and ISP2 operators offer DDoS protection, and the condition was to disable ISP3 so that an unwanted attack would not come in through this operator - this is not important at the moment.
All traffic enters us through ISP1, and also goes out through ISP1 to the Internet. I have a FortiGate as a firewall; it receives two default gateways from routers R1 and R2. I weakened the path to R2 so that traffic entering through R1 would also go out through R1. There was a situation where traffic entered through R1 and went out through R2 - I wanted to avoid asymmetric routing.
Incoming traffic goes ISP1 -> R1 -> FortiGate, outgoing traffic goes FortiGate -> R1 -> ISP1; R2 is basically a slave together with ISP2.
But this is not important either - I just want to explain the scheme to you.
I mean advertising my prefixes: currently my entire /23 subnet is advertised, and I would not like to advertise some of my prefixes to the ISP, but I can't achieve it.
I have the route-map BGP-PEER-EXPORT applied outbound:
neighbor 77.10.10.11 route-map BGP-PEER-EXPORT out
but it seems to me that it does not filter my prefixes when I check:
R1_8300# show ip bgp neighbors 77.10.10.11 advertised-routes
BGP table version is 86384481, local router ID is 90.10.6.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
     Network          Next Hop            Metric LocPrf Weight Path
 *>  90.10.6.0/23     0.0.0.0                  0         32768
And my route map looks like this:
R1_8300#show route-map BGP-PEER-EXPORT
route-map BGP-PEER-EXPORT, permit, sequence 10
  Match clauses:
    ip address (access-lists): BGP-PEER-EXPORT
  Set clauses:
    community no-export
  Policy routing matches: 0 packets, 0 bytes
R1_8300#show ip access-lists BGP-PEER-EXPORT
Standard IP access list BGP-PEER-EXPORT
5 deny 90.10.6.2
10 permit 90.10.6.0, wildcard bits 0.0.1.255 (9 matches)
20 permit 90.10.6.0, wildcard bits 0.0.0.255
30 permit 90.10.7.0, wildcard bits 0.0.0.255
40 deny any (73173543 matches)
In the address-family configuration I have the following:
address-family ipv4
network 90.10.6.0 mask 255.255.254.0
aggregate-address 90.10.6.0 255.255.254.0 summary-only
And I don't know whether it conflicts with my route map.
I see that I can add a route-map to the network statement:
network 90.10.6.0 mask 255.255.254.0 BGP-PEER-EXPORT
like this, but I don't know how it will work. Will I stop advertising the example prefix 90.10.6.2?
I would like to know how to filter what I advertise to my neighbors.
My configs:
03-20-2024 07:32 AM
Use a prefix list instead of an ACL with the route-map out.
The ACL is not as effective as a prefix list for filtering prefixes.
Waiting for your reply
MHM
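To show what the prefix-list approach from the reply looks like on IOS XE, here is an added configuration example; it is not the poster's running configuration and not taken from the thread. It reuses the peer address 77.10.10.11 and the 90.10.6.0/23 network statement from the original post; the prefix-list name BGP-PEER-EXPORT-PL, the sequence numbers and the local AS 64496 (an RFC 5398 documentation AS, used as a placeholder because the thread does not show the real one) are assumptions. The security-relevant difference: a standard ACL referenced by a route-map is compared against the network address of the route only and never sees the prefix length, so a line such as "deny 90.10.6.2" cannot stop a /23 from being advertised, while a prefix-list entry matches both the network and the length and therefore expresses exactly which prefixes may leave the AS.

```cisco
! Added example (not the poster's configuration). Assumptions: the /23 is originated
! by the existing "network 90.10.6.0 mask 255.255.254.0" statement; the prefix-list
! name, sequence numbers and AS 64496 are placeholders chosen for this example.
!
! A prefix-list compares network AND prefix length. The implicit
! "deny 0.0.0.0/0 le 32" at the end drops anything not explicitly permitted,
! so only the prefixes listed here can ever reach the peer.
ip prefix-list BGP-PEER-EXPORT-PL description Prefixes allowed towards 77.10.10.11
ip prefix-list BGP-PEER-EXPORT-PL seq 5 deny 90.10.6.0/23 ge 24
ip prefix-list BGP-PEER-EXPORT-PL seq 10 permit 90.10.6.0/23
!
! seq 5 "ge 24": any prefix inside 90.10.6.0/23 with length 24 or longer
! (90.10.6.0/24, 90.10.7.0/24, a 90.10.6.2/32 host route ...) is denied, so a
! more-specific that later shows up in the BGP table is never leaked to the ISP.
! The /23 itself has length 23, does not match seq 5, and is permitted by seq 10.
!
route-map BGP-PEER-EXPORT permit 10
 match ip address prefix-list BGP-PEER-EXPORT-PL
!
! Everything else hits the implicit deny at the end of the route-map; an explicit
! deny entry is optional but makes the intent visible in "show route-map".
route-map BGP-PEER-EXPORT deny 20
!
router bgp 64496
 address-family ipv4
  network 90.10.6.0 mask 255.255.254.0
  neighbor 77.10.10.11 route-map BGP-PEER-EXPORT out
 exit-address-family
!
! Verification: an outbound policy change is applied to the established session
! only after a soft refresh; then check what the peer actually receives.
! R1_8300# clear ip bgp 77.10.10.11 soft out
! R1_8300# show ip bgp neighbors 77.10.10.11 advertised-routes
! R1_8300# show ip prefix-list detail BGP-PEER-EXPORT-PL   (per-entry hit counts)
```

Two notes on the design. The deny line for more-specifics is the part that actually protects the advertisement boundary: without it, a longer prefix that enters the BGP table later (a redistributed static, a customer route) would be permitted by a bare "permit 90.10.6.0/23 le 32" style entry, so keep the list as tight as the list of prefixes you intend to originate. The "set community no-export" clause seen in the thread's route-map is deliberately not reproduced here; no-export asks the receiving ISP not to re-advertise the prefix to its own neighbours, which is a separate decision from what you filter outbound, and setting it on the /23 would keep that prefix from propagating beyond the ISP's AS.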