Blocking Prefix Advertisement Between BGP Neighbors

Tags: bgp, bgp-ipv6, route-filter, router, routing

I have an eBGP topology as follows:

RTR1 ------ DUT ------ RTR2
(AS100)    (AS200)     (AS300)

I do not want any routes sent by RTR1 to be advertised into RTR2 by DUT.
I do not know exactly what the prefixes of the routes would be, so I cannot use any prefix lists to statically block the advertisement.

What I am looking for is something like this:

  1. Tag all incoming routes from RTR1 with a label
  2. When advertising routes to RTR2, if route has a specific label, skip the advertisement.

Any pointers on how this could be achieved?

I have some control over device RTR2, but I would prefer if we do not need to make any config changes in that router.

Best Answer

As mentioned by Ron, you can use no-export (don't advertise to any eBGP peers) or no-advertise (don't advertise to iBGP or eBGP peers) to achieve this. However, this may cause scalability issues if you bring on another eBGP peer to which you do wish to advertise these routes.

What I'd recommend is applying an inbound route-map/policy-statement on AS200/DUT for the eBGP session with AS100/RTR1 that sets an additive community on ingress, something like 200:65535. From there, you can apply an outbound route-map/policy-statement on AS200/DUT facing the AS300/RTR2 eBGP peer that specifically has a term to deny prefixes tagged with 200:65535.

You haven't mentioned your hardware version, but here is a Cisco (IOS, IOS-XE) and Juniper configuration example (note: not tested and written freehand):

Cisco

DUT:

! Show communities in AA:NN format so "show ip bgp community 200:65535" is readable
ip bgp-community new-format
! Standard list: exact match on the community, no regex needed
ip community-list standard DENY-AS100-OUT permit 200:65535

! Inbound from RTR1 (AS100): tag everything accepted with 200:65535.
! "additive" keeps any communities RTR1 already attached.
! Unmatched routes hit the route-map's implicit deny.
route-map AS100-IN permit 10
 match ip address prefix-list <please use a prefix list where possible>
 set community 200:65535 additive

! Outbound to RTR2 (AS300): deny tagged routes first, then permit the rest.
route-map AS300-OUT deny 10
 match community DENY-AS100-OUT
route-map AS300-OUT permit 20
 match ip address prefix-list <please use a prefix list where possible>

router bgp 200
 neighbor x.x.x.x remote-as 100
 neighbor y.y.y.y remote-as 300
 address-family ipv4
  neighbor x.x.x.x route-map AS100-IN in
  neighbor y.y.y.y route-map AS300-OUT out
 exit-address-family

Juniper

DUT:

set routing-options autonomous-system 200

set policy-options community DENY-AS100-OUT members 200:65535

set policy-options policy-statement AS100-IN from prefix-list <please use a prefix list where possible>
set policy-options policy-statement AS100-IN then community add DENY-AS100-OUT

set policy-options policy-statement AS300-OUT term 10 from community DENY-AS100-OUT
set policy-options policy-statement AS300-OUT term 10 then reject
set policy-options policy-statement AS300-OUT term 20 from prefix-list <please use a prefix list where possible>
set policy-options policy-statement AS300-OUT term 20 then accept

set protocols bgp group AS100 neighbor x.x.x.x
set protocols bgp group AS100 peer-as 100
set protocols bgp group AS100 import AS100-IN

set protocols bgp group AS300 neighbor y.y.y.y
set protocols bgp group AS300 peer-as 300
set protocols bgp group AS300 export AS300-OUT
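As an added example, not part of the answer above or of any vendor's code: a small model of ordered policy terms (route-map sequences or policy-statement terms) that checks the intended outcome of AS100-IN and AS300-OUT on constructed routes, including what happens if the deny and permit terms are put in the wrong order. The prefix-list match is replaced by a match-all, since the question says the prefixes are unknown.

```python
from dataclasses import dataclass

TAG = "200:65535"  # community AS100-IN adds on ingress; AS300-OUT rejects on it


@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from_as: int            # 0 = originated on the DUT itself
    communities: frozenset = frozenset()


@dataclass(frozen=True)
class Term:
    match: object                   # callable Route -> bool
    action: str                     # "accept", "reject" or "modify"
    modify: object = None           # callable Route -> Route, for "modify"


def run_policy(terms, route, default="reject"):
    """Evaluate terms in order. The first accept/reject decides; a 'modify'
    term changes the route and falls through; if no term decides, the
    policy default applies (a Cisco route-map ends in an implicit deny)."""
    for t in terms:
        if not t.match(route):
            continue
        if t.action == "modify":
            route = t.modify(route)
            continue
        return route if t.action == "accept" else None
    return route if default == "accept" else None


def add_tag(r):  # 'set community 200:65535 additive': keep RTR1's own communities
    return Route(r.prefix, r.learned_from_as, r.communities | {TAG})


# Inbound from RTR1: tag, then accept (match-all stands in for the prefix list).
AS100_IN = [Term(lambda r: True, "modify", add_tag), Term(lambda r: True, "accept")]
# Outbound to RTR2: deny tagged routes first, then permit the rest.
AS300_OUT = [Term(lambda r: TAG in r.communities, "reject"),
             Term(lambda r: True, "accept")]


def advertised_to_rtr2(from_rtr1, local_routes, out_policy=AS300_OUT):
    """Apply AS100-IN to RTR1's routes, build the RIB, apply the export policy."""
    rib = [r for r in (run_policy(AS100_IN, x) for x in from_rtr1) if r] + local_routes
    return sorted(r.prefix for r in rib if run_policy(out_policy, r))


# Constructed sample routes (not from the page).
FROM_RTR1 = [Route("10.1.0.0/24", 100, frozenset({"100:1"}))]
LOCAL = [Route("10.2.0.0/24", 0)]

if __name__ == "__main__":
    print(advertised_to_rtr2(FROM_RTR1, LOCAL))                   # ['10.2.0.0/24']
    print(advertised_to_rtr2(FROM_RTR1, LOCAL, AS300_OUT[::-1]))  # wrong order: RTR1 route leaks
```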