4283 Views · 25 Helpful · 17 Replies

Remove Subnet from BGP Advertisement with IP Prefix-List

xc3ss1v30n3_New
Level 1

Good morning. I have a physically connected network that we are advertising to a BGP neighbor using the "redistribute connected" command. I would like to remove 2 smaller subnets from that advertisement and I believe I can do this with an IP Prefix-list, but unsure of something. Is there a hidden default deny at the end of a list much like an ACL? If so, I assume I'd need to place a permit 0.0.0.0/0 le 32 after the two statements to deny the networks I don't want advertised? Would this be correct?

 

ip prefix-list name deny 10.0.0.252/30

ip prefix-list name deny 10.0.0.248/30

ip prefix-list name permit 0.0.0.0/0 le 32

 

If it helps, the full connected network in this case would be 10.0.0.0/23

17 Replies

Why are you using redistribution? I would suggest using "network 10.0.0.0 255.255.254.0" in the "router bgp" section. If that is a summary, you would have to define it as such or create a route for that prefix to Null0. Then BGP would only advertise the network(s) you explicitly list.

Giuseppe Larosa
Hall of Fame

Hello @xc3ss1v30n3_New ,

Your understanding of prefix-lists is correct, and you need the last statement or you will deny everything.

 

However, as noted by @Elliot Dierksen, the use of redistribute connected can be avoided by using appropriate network commands to match some existing component subnets of the 10.0.0.0/23.

You can use under router bgp the commands

aggregate-address 10.0.0.0 255.255.254.0 summary-only

 

to suppress component routes and to advertise only the aggregate. The aggregate will be advertised if at least one component subnet is alive and matches a network statement (the component subnet must be in the local BGP table).

 

To be noted, the aggregate-address command supports an option to specify an unsuppress-map that invokes a route-map where you specify which component routes should still be advertised (those permitted in the invoked route-map).

 

Hope to help

Giuseppe

 

Hmm. So I think the prefix-list isn’t what I need. Let me explain what I’m trying to do and maybe you guys can direct me. Basically, we have a defined subnet of public IPs that are advertised to the Internet from this router. I’d like to remove a small set of those IPs from that advertisement and use them elsewhere. So, if x.x.x.x/23 is our public range, what can I do to remove 2 /30 networks that would fall into that range out of the advertisement?

You can't advertise anything into the internet routing table smaller than a /24. If you split it up differently inside of routers over which you have administrative control, that is fine. Would you please be more specific about what you are trying to accomplish?

Well, I’m not trying to advertise anything smaller than a /24 to the Internet. I’m trying to REMOVE subnets smaller than a /24 (specifically 2 /30 networks) from the advertisement to the Internet.

We’re trying to enable Microsoft Peering which requires 2 public /30 networks to be used on either end of the express route. We own 204.237.244.0/23 which is advertised out of our edge router. I’d like to take 204.237.245.252/30 and 204.237.245.248/30 out of that advertisement if possible so that they aren’t advertised to the public Internet.

 

Just to clarify: by definition, if you are trying to remove 2 x /30 subnets out of a /24 then you are trying to advertise network(s) smaller than a /24, which is the point being made, i.e. you would then only be able to advertise a /25, a /26, a /27, a /28 and a /29 out of the /24 (assuming the 2 x /30 were contiguous and at the end of the subnet, as an example) and none of those would be accepted.

 

As others have said, the minimum is a /24 to an ISP (your own routers are a different matter), so if you want to ensure the 2 x /30s are not advertised to the internet, unless you can come to an agreement with your ISP you can't do it.

 

Jon

 

 

Hello @xc3ss1v30n3_New ,

as almost everyone, including @Jon Marshall, has tried to explain to you.

Your only option is to advertise the whole /23 prefix.

If you want to avoid some addresses being reachable from the public Internet because you use them on the MS Azure ExpressRoute, you can do the following:

on the edge router connecting to the internet add:

ip route 204.237.245.252 255.255.255.252 null0

ip route 204.237.245.248 255.255.255.252 null0

 

Here I am assuming that the MS Azure ExpressRoute has its own physical circuit and that all you want is to avoid having those IP addresses reachable from the public internet.

 

There is no way in BGP to remove /30 subnets from a /23 or /24 prefix because providers accept only prefixes of length /24 or shorter.

 

Hope to help

Giuseppe

 

Hello @xc3ss1v30n3_New ,

BGP works on prefixes, and actually the current policy is to accept specifics up to /24.

 

>> Basically, we have a defined subnet of public IPs that are advertised to the Internet from this router. I’d like to remove a small set of those IPs from that advertisement and use them elsewhere. So, if x.x.x.x/23 is our public range, what can I do to remove 2 /30 networks that would fall into that range out of the advertisement?

 

in BGP you will still advertise the /23; then inside your network you will build routing so that the two /30s can be placed in another place.

However, if by other place you mean another site with its own internet connection, you will not be able to do it at BGP level, as explained above.

 

Hope to help

Giuseppe

 

So the two /30 networks would be used on a different firewall inside the network that is terminating an express route to Azure. Basically, those two public subnets should not be advertised to the Internet whatsoever.

That’s why I’m trying to remove them from the BGP advertisement to the Internet.

Hello @xc3ss1v30n3_New ,

I have read the network requirements for Azure Express Route

see

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-prerequisites

 

>>NAT: Microsoft only accepts public IP addresses through Microsoft peering. If you are using private IP addresses in your on-premises network, you or your provider needs to translate the private IP addresses to the public IP addresses using the NAT.

 

Have you got the ExpressRoute circuit as a dedicated circuit, different from the Internet uplink?

 

I think that for internet connectivity purposes you just need a network command or an aggregate address.

 

On the edge router facing the internet you can use static routes to null0 to make packets destined to those two /30s silently dropped.

 

ip route 10.0.0.248 255.255.255.252 null0

ip route 10.0.0.252 255.255.255.252 null0

 

This should ensure that packets from the internet cannot reach the two subnets used for BGP peering with Azure ExpressRoute.

 

Hope to help

Giuseppe
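The reason the two static routes to null0 work on the edge router is longest-prefix match: the /30 entries are more specific than the connected /23, so the forwarding lookup picks Null0 for those eight addresses and the connected interface for everything else in the /23, while the BGP advertisement of the whole /23 is unaffected. The following Python model is an added example, not code from the thread or from Cisco; the forwarding table is constructed from the addresses in this post, and the interface and uplink names are placeholders.

```python
"""Longest-prefix-match model of the null0 approach (added example)."""
import ipaddress
from typing import List, Tuple

# Constructed forwarding table for the edge router in the thread's 10.0.0.0/23 example:
# the connected /23 plus the two static routes to Null0 from the post above.
# "GigabitEthernet0/1" and "ISP-uplink" are placeholder names, not from the thread.
FORWARDING_TABLE: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "ISP-uplink"),            # default route toward the Internet
    ("10.0.0.0/23", "GigabitEthernet0/1"),  # the connected /23 that BGP advertises
    ("10.0.0.248/30", "Null0"),             # ip route 10.0.0.248 255.255.255.252 null0
    ("10.0.0.252/30", "Null0"),             # ip route 10.0.0.252 255.255.255.252 null0
]


def lookup(table: List[Tuple[str, str]], destination: str) -> str:
    """Return the next hop for destination using longest-prefix match: the most
    specific matching prefix wins, regardless of the order routes were entered."""
    addr = ipaddress.ip_address(destination)
    best_len, best_hop = -1, "no route"
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, next_hop
    return best_hop


def blackholed(table: List[Tuple[str, str]], destination: str) -> bool:
    """True when the lookup resolves to Null0, i.e. the packet is silently dropped."""
    return lookup(table, destination) == "Null0"


def blackholed_address_count(table: List[Tuple[str, str]]) -> int:
    """How many individual addresses the Null0 routes cover (two /30s -> 8)."""
    return sum(ipaddress.ip_network(p).num_addresses
               for p, hop in table if hop == "Null0")


if __name__ == "__main__":
    for dst in ("10.0.0.1", "10.0.0.250", "10.0.0.254", "10.0.1.10", "192.0.2.1"):
        print(f"{dst:<12} -> {lookup(FORWARDING_TABLE, dst)}")
```

One thing to check before relying on this: the null routes sit on the edge router, so any traffic that transits that router toward the two /30s is dropped, including traffic from inside the network. In the thread's design the /30s live on a separate firewall behind a separate ExpressRoute circuit, so nothing legitimate should need to reach them through the edge router; if that ever changes, the null routes are the first thing to revisit.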

 


[Attachment: Route_Map.png]

With respect to all,

deny with deny does not work, as the table above shows,

you need 

prefix-list permit "small subnet"

prefix-list permit "other subnet"

!

deny route-map match prefix list "small subnet"

permit route-map match prefix list "other subnet"

 

That is how it works.

Please make the config and check.

Hello. I want to make sure I follow what you're saying because I'm having trouble matching up your commands exactly as you've mentioned. Would it be...

 

ip prefix-list DoNotDistribute permit 204.237.245.252/30

ip prefix-list DoNotDistribute permit 204.237.245.248/30

ip prefix-list Distribute permit 204.237.244.0/23

!

route-map DoNotDistribute deny

match ip address prefix-list DoNotDistribute

!

route-map Distribute permit

match ip address prefix-list Distribute

 

Question on the above, if this is correct, would it still work if I'm only advertising the full subnet which is 204.237.244.0/23? I.e. would it be able to break out and deny the smaller subnets?
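Two questions in this thread come down to how IOS evaluates a prefix-list: the opening question (is there an implicit deny at the end, and does `permit 0.0.0.0/0 le 32` fix it?) and the one just above (would a route-map that denies the two /30s ever affect a single /23 advertisement?). The Python model below is an added example, not code from the thread or from Cisco, and it models the matching rules from memory of IOS behaviour: first match wins, an unmatched route is denied, and an entry without ge/le requires an exact prefix-length match. It also assumes the two route-maps posted above are combined into one route-map with two clauses, since only one route-map can be applied to a BGP neighbor; the prefix-list names and addresses are taken from the thread.

```python
"""Model of Cisco IOS ip prefix-list and route-map evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixListEntry:
    action: str            # "permit" or "deny"
    prefix: str            # e.g. "10.0.0.252/30"
    ge: Optional[int] = None
    le: Optional[int] = None


def entry_matches(entry: PrefixListEntry, route: str) -> bool:
    """IOS semantics: the route must lie inside the entry's network and its
    prefix length must fall in the allowed range. With neither ge nor le the
    length must equal the entry's own length (exact match); ge alone allows
    lengths up to the maximum (32 for IPv4)."""
    net = ipaddress.ip_network(entry.prefix)
    rt = ipaddress.ip_network(route)
    low = entry.ge if entry.ge is not None else net.prefixlen
    if entry.le is not None:
        high = entry.le
    elif entry.ge is not None:
        high = rt.max_prefixlen
    else:
        high = net.prefixlen
    return rt.subnet_of(net) and low <= rt.prefixlen <= high


def evaluate_prefix_list(entries: List[PrefixListEntry], route: str) -> str:
    """First matching entry decides; a route that matches no entry is denied,
    which is the implicit deny the opening question asks about."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry.action
    return "deny"


@dataclass
class RouteMapClause:
    action: str                           # "permit" or "deny"
    match_prefix_list: List[PrefixListEntry]


def evaluate_route_map(clauses: List[RouteMapClause], route: str) -> str:
    """A clause matches when its prefix-list permits the route; the first
    matching clause decides; an unmatched route is denied."""
    for clause in clauses:
        if evaluate_prefix_list(clause.match_prefix_list, route) == "permit":
            return clause.action
    return "deny"


# The three lines from the opening question, as posted (10.0.0.0/23 example).
QUESTION_LIST = [
    PrefixListEntry("deny", "10.0.0.252/30"),
    PrefixListEntry("deny", "10.0.0.248/30"),
    PrefixListEntry("permit", "0.0.0.0/0", le=32),
]

# The route-map proposal from the post above, merged into one route-map
# with two clauses (assumption stated in the lead-in).
DO_NOT_DISTRIBUTE = [
    PrefixListEntry("permit", "204.237.245.252/30"),
    PrefixListEntry("permit", "204.237.245.248/30"),
]
DISTRIBUTE = [PrefixListEntry("permit", "204.237.244.0/23")]
ROUTE_MAP = [
    RouteMapClause("deny", DO_NOT_DISTRIBUTE),
    RouteMapClause("permit", DISTRIBUTE),
]


if __name__ == "__main__":
    for route in ("10.0.1.0/24", "10.0.0.252/30", "10.0.0.0/23"):
        print(f"{route:<15} without final permit: {evaluate_prefix_list(QUESTION_LIST[:2], route):<6}"
              f" with final permit: {evaluate_prefix_list(QUESTION_LIST, route)}")
    for route in ("204.237.244.0/23", "204.237.245.252/30"):
        print(f"route-map on {route:<18}: {evaluate_route_map(ROUTE_MAP, route)}")
```

Running it shows both points: with only the two deny entries every route falls through to the implicit deny, and the trailing `permit 0.0.0.0/0 le 32` is what lets the rest through. It also shows that a /30 deny entry never matches a /23 route, because a prefix-list entry matches whole prefixes, not addresses inside them, so a route-map built this way only suppresses the /30s if the /30s exist as separate BGP routes; a single /23 passes untouched.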

 

 

Hi @xc3ss1v30n3_New ,

 

As others have suggested, it would really be simpler and safer for you to just use a network statement to advertise the /23, rather than using "redistribute connected". You would need the following commands to do so.

 

router bgp xxx

network 204.237.244.0 mask 255.255.254.0

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Yes. I was planning on changing the connected advertisement to a network command. That’s actually how we distribute on all other routers. But, I’m still confused as to if/how I could remove part of that advertisement.

I thought about breaking up the advertisement into two statements, but someone else mentioned that you can’t advertise less than a /24 to the Internet.