07-24-2021 08:08 AM
Good morning. I have a physically connected network that we are advertising to a BGP neighbor using the "redistribute connected" command. I would like to remove 2 smaller subnets from that advertisement and I believe I can do this with an IP Prefix-list, but unsure of something. Is there a hidden default deny at the end of a list much like an ACL? If so, I assume I'd need to place a permit 0.0.0.0/0 le 32 after the two statements to deny the networks I don't want advertised? Would this be correct?
ip prefix-list name deny 10.0.0.252/30
ip prefix-list name deny 10.0.0.248/30
ip prefix-list name permit 0.0.0.0/0 le 32
If it helps, the full connected network in this case would be 10.0.0.0/23
07-24-2021 08:59 AM
Why are you using redistribution? I would suggest using "network 10.0.0.0 255.255.254.0" in the "router bgp" section. If that is a summary, you would have to define it as such or create a route for that prefix to Null0. Then BGP would only advertise the network(s) you explicitly list.
07-24-2021 10:00 AM
Hello @xc3ss1v30n3_New ,
your understanding of prefix-list is correct and you need the last statement or you will deny everything.
However, as noted by @Elliot Dierksen the use of redistribute connected can be avoided by using appropriate network commands to match some existing component subnets of the 10.0.0.0/23.
You can use under router bgp the commands
aggregate-address 10.0.0.0 255.255.254.0 summary-only
to suppress component routes and to advertise only the aggregate. The aggregate will be advertised if at least one component subnet is alive and matches a network statement ( the component subnet must be in the local BGP table).
To be noted: the aggregate-address command supports an option to specify an unsuppress-map that invokes a route-map in which you specify what component routes should still be advertised (those permitted in the invoked route-map).
Hope to help
Giuseppe
07-24-2021 12:51 PM - edited 07-24-2021 12:52 PM
You can't advertise anything into the internet routing table smaller than a /24. If you split it up differently inside of routers over which you have administrative control, that is fine. Would you please be more specific about what you are trying to accomplish?
07-27-2021 01:54 PM
Just to clarify: by definition, if you are trying to remove 2 x /30 subnets out of a /24, then you are trying to advertise network(s) smaller than a /24, which is the point being made, i.e. you would then only be able to advertise a /25, a /26, a /27, a /28 and a /29 out of the /24 (assuming the 2 x /30 were contiguous and at the end of the subnet, as an example), and none of those would be accepted.
As others have said, the minimum is a /24 to an ISP (your own routers are a different matter), so if you want to ensure the 2 x /30s are not advertised to the internet, you can't do it unless you can come to an agreement with your ISP.
Jon
07-27-2021 02:03 PM
Hello @xc3ss1v30n3_New ,
as almost everyone including @Jon Marshall has tried to explain to you.
Your only option is to advertise the whole /23 prefix.
If you want to avoid some addresses being reachable from the public Internet because you use them on the MS Azure ExpressRoute, you can do the following:
on the edge router connecting to the internet add:
ip route 204.237.245.252 255.255.255.252 null0
ip route 204.237.245.248 255.255.255.252 null0
Here I am assuming that the MS Azure ExpressRoute has its own physical circuit and that all you want is to avoid having those IP addresses reachable from the public internet.
There is no way in BGP to remove /30 subnets from a /23 or /24 prefix, because providers accept only prefixes that are /24 or shorter.
Hope to help
Giuseppe
07-24-2021 12:55 PM
Hello @xc3ss1v30n3_New ,
BGP works on prefixes, and actually the current policy is to accept specifics up to /24.
>> Basically, we have a defined subnet of public IPs that are advertised to the Internet from this router. I’d like to remove a small set of those IPs from that advertisement and use them elsewhere. So, if x.x.x.x/23 is our public range, what can I do to remove 2 /30 networks that would fall into that range out of the advertisement?
in BGP you will still advertise the /23, then inside your network you will build routing so that the two /30 can be placed in another place.
However, if by "other place" you mean another site with its own internet connection, you will not be able to do it at BGP level, as explained above.
Hope to help
Giuseppe
07-24-2021 11:13 PM
Hello @xc3ss1v30n3_New ,
I have read the network requirements for Azure ExpressRoute, see
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-prerequisites
>>NAT: Microsoft only accepts public IP addresses through Microsoft peering. If you are using private IP addresses in your on-premises network, you or your provider needs to translate the private IP addresses to the public IP addresses using the NAT.
Have you got the ExpressRoute circuit as a dedicated circuit, different from the Internet uplink?
I think that for internet connectivity purposes you just need a network command or an aggregate address.
On the edge router facing the internet you can use static routes to null0 so that packets destined to those two /30s are silently dropped.
ip route 10.0.0.248 255.255.255.252 null0
ip route 10.0.0.252 255.255.255.252 null0
This should ensure that packets from the internet cannot arrive at the two subnets used for BGP peering with Azure ExpressRoute.
Hope to help
Giuseppe
07-24-2021 04:21 PM
With respect to all,
deny with deny does not work, as the table shows above.
you need
prefix-list permit "small subnet"
prefix-list permit "other subnet"
!
deny route-map match prefix list "small subnet"
permit route-map match prefix list "other subnet"
That is how it works.
Please make the config and check.
07-24-2021 06:08 PM
Hello. I want to make sure I follow what you're saying because I'm having trouble matching up your commands exactly as you've mentioned. Would it be...
ip prefix-list DoNotDistribute permit 204.237.245.252/30
ip prefix-list DoNotDistribute permit 204.237.245.248/30
ip prefix-list Distribute permit 204.237.244.0/23
!
route-map DoNotDistribute deny
match ip address prefix-list DoNotDistribute
!
route-map Distribute permit
match ip address prefix-list Distribute
Question on the above, if this is correct, would it still work if I'm only advertising the full subnet which is 204.237.244.0/23? I.e. would it be able to break out and deny the smaller subnets?
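Added example, not from this thread or from Cisco: a small Python simulator of IOS ip prefix-list matching, fed the lists posted in the first message and in the post just above. It shows that the first list denies everything (including the /23) until the catch-all permit is appended, and that a /30 entry with no ge/le only matches a /30 route, so the DoNotDistribute entries never match the 204.237.244.0/23 route itself. The matching rules are standard IOS semantics; the parser is my own and only understands the seq, ge and le keywords.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None        # minimum length, if given
    le: Optional[int] = None        # maximum length, if given

def parse_entry(line: str) -> Entry:
    """Parse 'ip prefix-list NAME [seq N] permit|deny A.B.C.D/M [ge N] [le N]'."""
    t = line.split()
    if t[3] == "seq":               # optional sequence number
        del t[3:5]
    ge = le = None
    for key, val in zip(t[5::2], t[6::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
    return Entry(t[3], ipaddress.ip_network(t[4], strict=False), ge, le)

def matches(e: Entry, route: ipaddress.IPv4Network) -> bool:
    """IOS semantics: route lies inside the entry's prefix and its length fits."""
    if not route.subnet_of(e.prefix):      # the entry's M leading bits must agree
        return False
    if e.ge is None and e.le is None:      # no range given: exact length only
        return route.prefixlen == e.prefix.prefixlen
    lo = e.ge if e.ge is not None else e.prefix.prefixlen
    hi = e.le if e.le is not None else 32
    return lo <= route.prefixlen <= hi

def evaluate(plist: List[str], route: str) -> str:
    """First matching entry wins; an unmatched route hits the implicit deny."""
    net = ipaddress.ip_network(route, strict=False)
    for line in plist:
        e = parse_entry(line)
        if matches(e, net):
            return e.action
    return "deny"                          # implicit deny at the end of every list

# Lists as posted in the thread, used here as sample input.
OP_LIST = ["ip prefix-list name deny 10.0.0.252/30",
           "ip prefix-list name deny 10.0.0.248/30"]
OP_LIST_FIXED = OP_LIST + ["ip prefix-list name permit 0.0.0.0/0 le 32"]
DND_LIST = ["ip prefix-list DoNotDistribute permit 204.237.245.252/30",
            "ip prefix-list DoNotDistribute permit 204.237.245.248/30"]
```

evaluate(OP_LIST, "10.0.0.0/23") returns "deny" while evaluate(OP_LIST_FIXED, "10.0.0.0/23") returns "permit"; evaluate(DND_LIST, "204.237.244.0/23") returns "deny" only because nothing matched, which is the case where a deny route-map clause referencing that list would not fire.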
07-24-2021 08:42 PM
Hi @xc3ss1v30n3_New ,
As others have suggested, it would really be simpler and safer for you to just use a network statement to advertise the /23, rather than using a "redistribute connected". You would need the following commands to do so.
router bgp xxx
network 204.237.244.0 mask 255.255.254.0
Regards,