[c-nsp] BGP question : What's the best way for filtering outgoing prefixes?
chip
chip.gwyn at gmail.com
Thu Aug 18 16:19:30 EDT 2011
Pretty much Option1. On receiving a prefix from a customer, tag it
with a "customer" community. On receiving a prefix from a provider,
tag it with a "provider" community.
Outbound advertisements to providers, only allow prefixes that have
the "customer" community.
Outbound advertisements to customers get prefixes with both "customer"
and "provider" community.
For customers that want only your customer routes, they get prefixes
with "customer" community.
If you're going to go through the trouble of retro-fitting this into
your network, you might as well go ahead and setup a way to allow your
downstream BGP customers to send you communities to control traffic.
Examples:
A: Set a lower than default local-pref in your network so if they
have 2 connections to you they can shift traffic
B: Set a lower local pref than your provider routes so you choose the
provider router over their directly connected route
C: Automatically add 1|2|3 AS-PATH prepends to all, none, or one of
your upstreams
D: Disable advertisements of a prefix to all, one|two|three of your upstreams
E: Set low or high local pref with your upstreams
It's a bit of work, but isn't too difficult to implement and you can
put a lot of control into your customer's hands. Which...may or may
not...be good for your traffic engineering.
--chip
On Thu, Aug 18, 2011 at 4:00 PM, Jay Nakamura <zeusdadog at gmail.com> wrote:
> This is a bit complicated. Let's say we are provider X. X is
> connected to transit provider A and B. X currently uses prefix-list
> to filter outgoing BGP announcement.
>
> We are now getting a customer that wants to multi-home, so their
> transit provider is X and C. We gave them a /24 from our block, let's
> call it IP1.
>
> I was simulating how I should configure our routers so it was secure
> and did all the right things when I noticed IP1 route coming in from
> provider A is getting advertised to provider B through us. It makes
> sense since it passes our outgoing prefix list. (So, AS path was
> "AS_X AS_A AS_Customer" into provider B)
>
> What's the best way to prevent this? Here are the two options I was
> thinking of doing
>
> Option 1
> Set all routes learned from A and B with unique community, and filter
> out any routes with that community for outgoing routes to A and B.
>
> Option 2
> Filter on AS-Path for routes going out A and B with
> <AS-X>$
> <AS-X>_(<AS_CUSTOMER>)+_$
> (I think, I haven't looked closely at AS path syntax)
>
> With Option 1, I don't have to do anything when we add another BGP
> customer but not sure what the overhead of tagging all routes coming
> in with community is. With Option 2, I have to edit the AS-path every
> time we add a customer.
>
> Is there a better option?
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
Just my $.02, your mileage may vary, batteries not included, etc....
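The tagging-and-filtering scheme chip describes, written out as a Cisco IOS configuration. This is an added example, not configuration posted by chip, Jay or anyone on the list; the AS numbers (X = 65000, A = 65001, B = 65002, customer = 65003), neighbor addresses, prefixes and community values are placeholders chosen for illustration. It also covers two things a practitioner hits when retrofitting this: the customer's inbound prefix-list still applies (communities do not replace it), and your own originated aggregate needs the "customer" tag too, otherwise the implicit deny at the end of the outbound route-map drops it.

```cisco
! Added example (not from the thread). Placeholder ASNs, addresses, prefixes
! and community values: X = AS 65000, A = 65001, B = 65002, customer = 65003.
ip bgp-community new-format
!
! Internal tags: 65000:100 = learned from a customer (or originated by us),
! 65000:200 = learned from a transit provider.
ip community-list standard CUST-ROUTES permit 65000:100
ip community-list standard PROV-ROUTES permit 65000:200
! A customer must never be able to set our internal tags itself.
ip community-list standard SCRUB-INTERNAL permit 65000:100
ip community-list standard SCRUB-INTERNAL permit 65000:200
! Customer-settable traffic-engineering communities (documented to customers).
ip community-list standard TE-LP-150 permit 65000:150
ip community-list standard TE-LP-50 permit 65000:50
ip community-list standard TE-NO-A permit 65000:6501
ip community-list standard TE-NO-B permit 65000:6502
! Several communities on one standard-list entry must ALL be present (AND),
! so these match "customer route AND prepend requested".
ip community-list standard CUST-PREPEND-1 permit 65000:100 65000:1001
ip community-list standard CUST-PREPEND-2 permit 65000:100 65000:1002
ip community-list standard CUST-PREPEND-3 permit 65000:100 65000:1003
!
! Customer may only originate the prefix we assigned to it.
ip prefix-list CUST-65003 seq 5 permit 203.0.113.0/24
!
! Inbound from the customer: prefix-list still applies; internal tags are
! scrubbed before ours is added (delete runs before set in the same entry);
! local-pref 200 = default customer, 150 = shift between two links to us,
! 50 = below provider routes so the path via our transit wins.
route-map CUSTOMER-65003-IN permit 10
 match ip address prefix-list CUST-65003
 match community TE-LP-50
 set comm-list SCRUB-INTERNAL delete
 set community 65000:100 additive
 set local-preference 50
route-map CUSTOMER-65003-IN permit 20
 match ip address prefix-list CUST-65003
 match community TE-LP-150
 set comm-list SCRUB-INTERNAL delete
 set community 65000:100 additive
 set local-preference 150
route-map CUSTOMER-65003-IN permit 30
 match ip address prefix-list CUST-65003
 set comm-list SCRUB-INTERNAL delete
 set community 65000:100 additive
 set local-preference 200
!
! Inbound from either provider: scrub, tag as provider-learned, local-pref 100.
route-map PROVIDER-IN permit 10
 set comm-list SCRUB-INTERNAL delete
 set community 65000:200 additive
 set local-preference 100
!
! Our own aggregate needs the customer tag too, or the outbound filter drops it.
route-map OWN-AGGREGATE permit 10
 set community 65000:100
!
! Outbound to provider A: drop routes the customer marked "not to A", honour
! prepends, then allow only customer-tagged routes. The implicit deny at the
! end stops anything learned from B (tagged 65000:200 only).
route-map PROVIDER-A-OUT deny 10
 match community TE-NO-A
route-map PROVIDER-A-OUT permit 20
 match community CUST-PREPEND-3
 set as-path prepend 65000 65000 65000
route-map PROVIDER-A-OUT permit 30
 match community CUST-PREPEND-2
 set as-path prepend 65000 65000
route-map PROVIDER-A-OUT permit 40
 match community CUST-PREPEND-1
 set as-path prepend 65000
route-map PROVIDER-A-OUT permit 50
 match community CUST-ROUTES
! Same policy toward provider B, keyed on the "not to B" community.
route-map PROVIDER-B-OUT deny 10
 match community TE-NO-B
route-map PROVIDER-B-OUT permit 20
 match community CUST-PREPEND-3
 set as-path prepend 65000 65000 65000
route-map PROVIDER-B-OUT permit 30
 match community CUST-PREPEND-2
 set as-path prepend 65000 65000
route-map PROVIDER-B-OUT permit 40
 match community CUST-PREPEND-1
 set as-path prepend 65000
route-map PROVIDER-B-OUT permit 50
 match community CUST-ROUTES
!
! Outbound to customers: full table = customer + provider routes (OR match);
! customer-routes-only = customer routes. Nothing untagged leaks either way.
route-map CUSTOMER-FULL-OUT permit 10
 match community CUST-ROUTES PROV-ROUTES
route-map CUSTOMER-ONLY-OUT permit 10
 match community CUST-ROUTES
!
router bgp 65000
 network 203.0.112.0 mask 255.255.252.0 route-map OWN-AGGREGATE
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 route-map PROVIDER-IN in
 neighbor 192.0.2.1 route-map PROVIDER-A-OUT out
 neighbor 192.0.2.5 remote-as 65002
 neighbor 192.0.2.5 route-map PROVIDER-IN in
 neighbor 192.0.2.5 route-map PROVIDER-B-OUT out
 neighbor 198.51.100.2 remote-as 65003
 neighbor 198.51.100.2 send-community
 neighbor 198.51.100.2 route-map CUSTOMER-65003-IN in
 neighbor 198.51.100.2 route-map CUSTOMER-FULL-OUT out
```

To verify it fixes the leak from the original question, check `show ip bgp neighbors 192.0.2.5 advertised-routes` (what X sends to B): the customer's /24 should appear only when the best path is the directly connected one (tagged 65000:100, local-pref 200), never with AS path 65001 65003. Note the interaction with best-path selection: only the best path is advertised, so if the customer sets 65000:50 the path via A (tagged 65000:200) becomes best and the prefix is not advertised to B at all, which is the outcome that community asks for. If you prefer not to expose the internal tags to upstreams, add `set comm-list SCRUB-INTERNAL delete` to the permit entries of the provider-facing outbound route-maps.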