Cisco Routing – Best Practices for Advertising Routes in BGP

bgpciscocisco-iosrouting

For connect some customer we want to advertise only one network out and different networks in they provide us. For this I read about route-map and advertising-map feature in Cisco Docu.

For example this one for feature advertis-map:

router bgp 2 
 bgp log-neighbor-changes 
 network 128.16.16.0 mask 255.255.255.0 
 neighbor 10.10.10.1 remote-as 1 
 neighbor 10.10.10.1 advertise-map ADVERTISE    
! 
access-list 60 permit 128.16.16.0 0.0.0.255 
!  
route-map ADVERTISE permit 10 
 match ip address 60 
!

And this one for the route-map feature:

router bgp 2 
 bgp log-neighbor-changes 
 network 128.16.16.0 mask 255.255.255.0 
 neighbor 10.10.10.1 remote-as 1 
 neighbor 10.10.10.1 route-map RED out   
! 
ip prefix-list 1 permit 128.16.16.0/24 
!
route-map RED permit 10 
 match ip address prefix-list 1

I have found this booth Solutions to limit the number of networks that announced to customer. The goal is to Create a routing to a BGP Member and advertise only one subnet to the customer, the customer himself advertise one network in our direction? Is it possible with one of this solution and what is the diffrence between this solutions?

Best Answer

You are conflating two different issues:

Route-maps can act as a policy filter, selecting which prefixes are advertised to neighbors and which are accepted from neighbors. Advertise-maps allow you to conditionally advertise prefixes based on the presence of other prefixes. They don't control prefixes received from neighbors. Generally, route-maps are simpler to use, unless you really need the conditional feature.

Access-lists and prefix-lists can do the same thing, but prefix-lists are easier to read and allow more precise control over route policies. In the context of BGP, prefix lists make more intuitive sense, since BGP advertises prefix reachability.

Related Solutions

Routing – BGP remote-triggered blackhole (RTBH) filter for Juniper

There is no reason to limit customer to blackhole only /32, allow them to blackhole anything from them.

Something like this:

policy-statement AS42-IN {
    term blackhole {
        from {
            community BLACKHOLE;
            prefix-list-filter AS42 orlonger;
        }
        then {
            community add NO-EXPORT;
            next-hop 192.0.2.1;
            accept;
        }
    }
    term advertise {
        from {
            prefix-list AS42;
        }
        then {
            community add ADVERTISE;
            next-hop peer-address;
            accept;
        }
    }
    term reject {
        then reject;
    }
}

Remember to set 'accept-remote-nexthop' under BGP settings, so that the next-hop can be changed to something else than link address.

I also strongly support that providers start to support different blackhole communities than just 'full blackhole'. Especially if you operate in more than one country usually attack is from transit and often customer actually mostly wants to access domestic peerings, so it's useful to implement several levels of blackhhole:

Full
Outside local country (local IXP, whole own AS + customers seen)
Outside local area (if applicable, like for me it could be 'Nordics')
Include/Exclude specific peering router in blackhole

I'm happy to give example how to implement something like this with JNPR DCU/SCU, provided your peering routers are JNPR, but it's possible with just communities, just bit more awkward.

If you absolutely want to limit your customer's options you can add this:

policy-statement /32 {
    term /32 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /32-/32;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}

policy-statement AS42-IN {
    term blackhole {
        from {
            community BLACKHOLE;
            policy /32;
            prefix-list-filter AS42 orlonger;
        }
..
}

This way it should be logical AND. But I really don't see the value in creating complexity to reduce expressiveness of configuration.

Cisco – route tags and policy routing alternatives – traffic engineering question

I am not 100% sure whether tags are carried in BGP updates but here is what I put together pretty quick:

enter image description here

Router "Static":

interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.2.1 255.255.255.0

interface Ethernet0/1
 ip address 172.16.0.1 255.255.255.0
 half-duplex

ip route 0.0.0.0 0.0.0.0 172.16.0.2

Router R1:

interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.252
 half-duplex

interface Ethernet0/1
 ip address 172.16.0.2 255.255.255.0
 half-duplex

ip route 172.16.1.0 255.255.255.0 172.16.0.1 tag 20
ip route 172.16.2.0 255.255.255.0 172.16.0.1 tag 20

router eigrp 100
 redistribute static route-map MyRouteMap
 network 10.0.0.0 0.0.0.3
 no auto-summary

route-map MyRouteMap permit 10
 match tag 20

Router R2:

interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.252
 half-duplex

interface Ethernet0/1
 ip address 10.0.0.5 255.255.255.252
 half-duplex

router eigrp 100
 network 10.0.0.0 0.0.0.3
 no auto-summary

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute eigrp 100 route-map MyRouteMap
 neighbor 10.0.0.6 remote-as 65000
 neighbor 10.0.0.6 next-hop-self
 no auto-summary

route-map MyRouteMap permit 10
 match tag 20

R2#show ip route 172.16.1.0
Routing entry for 172.16.1.0/24
  Known via "eigrp 100", distance 170, metric 307200
  Tag 20, type external

Router R3:

interface Ethernet0/1
 ip address 10.0.0.6 255.255.255.252
 half-duplex

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.0.5 remote-as 65000
 no auto-summary

R3#show ip bgp 172.16.1.0
BGP routing table entry for 172.16.1.0/24, version 3
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Local
    10.0.0.5 from 10.0.0.5 (10.0.0.2)
      Origin incomplete, metric 307200, localpref 100, valid, internal, best

I hope this is what you were asking for.

Best Answer

Related Solutions

Routing – BGP remote-triggered blackhole (RTBH) filter for Juniper

Cisco – route tags and policy routing alternatives – traffic engineering question

Related Topic