Thursday, July 3, 2008

BGP no-export community

This is gonna be short and hopefully sweet. I'll leave some blanks in here so you can fill in the rest...

R4 (AS3) connects to R1 via EBGP
R1 connects to R2 via IBGP (AS 2)
R2 connects to R5 (AS1) via EBGP

We don't want AS2 to become a transit AS between R4 and R5 so we can use the no-export community to accomplish this. There are several ways to do is but here is a way with using the as-path access-lists. AS-path access-lists are awesome because they use regexp.

So on R1 we create an AS-path access list to match any routes originating in R4 AS:

ip as-path access-list 1 permit _3$

Then we create a route-map and apply it to the R2 neighbor going outbound:

route-map noexport permit 10
match as-path 1
set community no-export

route-map noexport permit 20

router bgp 2
neighbor 155.1.23.2 send-community
neighbor 155.1.23.2 route-map noexport out

Now on R2 we have this:

R2#show ip bgp 204.12.1.0 | inc Community
Community: no-export

R5 does not have the route!

R5#show ip bgp 204.12.1.0
% Network not in table
R5#

You can do the reverse on R2 to accomplish the two way restriction. Also note that R4 can bypass this by prepending an AS# to its routes! A better way would be to add the no-export community to all routes learned from R4 not just the ones originating in R4's AS. But I just wanted to see the flexibility of route-maps and as-path access lists with communities.

3 comments:

  1. If I put the no-export in a route-map on router 4 with the send community on the neighbour statement with router 1, then somehow I see the following:

    Rack1R1#sh ip bgp 204.12.1.4
    BGP routing table entry for 204.12.1.0/24, version 24
    Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
    Flag: 0x820
    Advertised to update-groups:
    2 3
    3
    155.1.146.4 from 155.1.146.4 (4.4.4.4)
    Origin IGP, metric 0, localpref 100, valid, external, best
    Community: no-export

    but I still am able to get it on R5 (AS3).
    but instead if I put no-advertise instead of no-export on R4, then R5 does not get the route any more.

    Could you advice as to why this is happening?

    ReplyDelete
  2. Are you sending community from R1 to R2?

    If you use no-advertise than R1 will not send it to R2 either so that's why R5 is not getting it. Remember that R2 is the router sending routes to R5, so you need to make sure the community exists on r2. This can be done by using "send-community" on the neighbor statement on R1 to R2.

    The key thing to remember is no-advertise will prevent it from being advertised to any router, no-export is used to prevent it from being advertise outside an AS (e.g. via EBGP).

    -hth

    ReplyDelete
  3. That's exactly what I had omitted. When I put the 'send-community' on R1, it worked. Thanks a lot for your help.

    -bcs

    ReplyDelete

Note: Only a member of this blog may post a comment.