BGP essentials: Non-transit AS

Sometimes I find information on the Internet that is so far from the facts that it might actually hurt someone. For example, the configuration in this post supposedly prevents you from becoming a transit AS (which is a really bad idea if you're a multi-homed end-user). Actually, it achieves the goal because it drops all incoming routes due to a malformed AS-path access-list that denies everything :) … but then, why do you need BGP in the first place?

Fortunately, someone provided the correct configuration in the comments to the post, just made unnecessarily complex with the introduction of a route-map.

It really pays off to study all the available BGP filtering mechanisms: an AS-path access-list can be applied to updates directly with the neighbor filter-list command. The minimum configuration that guarantees you won't become a transit AS is thus as follows:

router bgp 65000
 neighbor 10.1.1.1 filter-list 1 out
!
ip as-path access-list 1 permit ^$

Of course you can make things really interesting by introducing BGP communities: if you mark all routes received from the EBGP peers with the NO_EXPORT community, they will be filtered out on other EBGP sessions automatically :) Here's a sample configuration:

router bgp 65001
 neighbor 10.0.1.2 route-map setNoExport in
 neighbor 10.0.1.3 route-map setNoExport in
!
route-map setNoExport permit 10
 set community no-export additive
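
To show why the three configurations behave the way they do, here is an added Python model (not from the original post, not Cisco code) of the router's export decision: an IOS-style as-path access-list with its implicit deny, an outbound filter-list, and the NO_EXPORT community set on ingress. The BGP table (AS 65000, prefixes and neighbor ASNs) is constructed sample data.

```python
import re
from dataclasses import dataclass, field

NO_EXPORT = "no-export"  # well-known community: never advertised to EBGP peers

@dataclass
class Route:
    prefix: str
    as_path: list            # ASNs as stored in the BGP table; [] = originated locally
    communities: set = field(default_factory=set)

def as_path_acl_match(acl, as_path):
    """Evaluate an IOS-style as-path access-list, given as (action, regex) pairs,
    against the AS path; like IOS, the list ends with an implicit deny."""
    path_str = " ".join(str(asn) for asn in as_path)
    for action, regex in acl:
        if re.search(regex, path_str):
            return action == "permit"
    return False  # implicit "deny all"

def filter_routes(routes, acl):
    """Apply an as-path access-list as a filter-list (inbound or outbound)."""
    return [r.prefix for r in routes if as_path_acl_match(acl, r.as_path)]

def receive_with_no_export(routes):
    """Inbound route-map on every EBGP session: set community no-export additive."""
    return [Route(r.prefix, r.as_path, r.communities | {NO_EXPORT}) for r in routes]

def advertise_to_ebgp(routes):
    """Outbound EBGP advertisement honours NO_EXPORT automatically."""
    return [r.prefix for r in routes if NO_EXPORT not in r.communities]

# Constructed sample BGP table of AS 65000: one local prefix, two EBGP-learned ones
LOCAL = [Route("192.0.2.0/24", [])]
FROM_EBGP = [Route("198.51.100.0/24", [65010, 65020]), Route("203.0.113.0/24", [65030])]

def post_filter_list():
    """'permit ^$' outbound: only the locally originated prefix leaves the AS."""
    return filter_routes(LOCAL + FROM_EBGP, [("permit", r"^$")])

def cached_post_inbound():
    """The cached post's 'deny ^$' applied inbound: no EBGP route has an empty
    path, so nothing matches and the implicit deny drops every inbound route."""
    return filter_routes(FROM_EBGP, [("deny", r"^$")])

def community_approach():
    """NO_EXPORT tagged on ingress keeps EBGP-learned routes inside the AS."""
    return advertise_to_ebgp(LOCAL + receive_with_no_export(FROM_EBGP))
```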

If you're looking for more in-depth BGP knowledge, try our Configuring BGP on Cisco Routers e-learning solution. If you just need to enhance your hands-on skill, the BGP Remote Lab Bundle is the perfect choice.

10 comments:

  1. The link you posted doesn't exist. Can you explain in detail?

  2. Link said (via Google cache):

    Preventing AS from becoming Transit AS
    Published October 24, 2007 Access-lists , IP Routing , bgp

    To prevent your AS from becoming a Transit AS, use the following strategy

    Create a route map say “transit” in config mode

    route-map transit permit 10

    match as-path 1

    In config mode, use the following command

    ip as-path access-list 1 deny ^$

    This command will only allow routes with origin code “i” and filter all routes with incomplete as-path.

    Apply the above route-map with neighbor statement

    router bgp 64000

    neighbor 2.2.2.2 route-map transit in

    Only routes with origin code “i” will enter your AS.

  3. @jdenoy: Thanks for the text. It's amazing how quickly the Internet landscape changes (and luckily Google caches a few things :).

    @singh: I apologize for the brevity of my text, I shall write a follow-up one explaining the principles of the non-transit AS (and what you have to filter and where). However, here are the details as they relate to the text jdenoy included:

    * Every as-path access-list has an implicit "deny all" at the end. The as-path access-list in the example thus matches nothing at all.

    * The routes received from an EBGP neighbor always have at least one AS number in the AS path. The "deny ^$" pattern (which matches an empty AS-path) is thus irrelevant. But, as said above, everything else would be dropped as well.

    * You cannot use an as-path access-list to match the origin code (even though it looks like the origin code is part of an AS-path, it's not).

    * There is no such thing as incomplete AS-paths.

    * The 'incomplete' origin code is a leftover of the past long gone and is mostly irrelevant these days. It definitely has nothing to do with (non)transit behavior.

    * The route-map in the text supplied by jdenoy when applied to inbound updates from an EBGP peer would drop all inbound BGP prefixes.

    Hope this helps
    Ivan

  4. This comment has been removed by the author.

  5. I think the comment by jdenoy above just shows an ip as-path access-list. If a person reading a BGP article doesn't know that every access-list has an implicit deny at the end, then I am not sure how come the reader is jumping his horses and learning about BGP communities :). Anyway, I used the as-path access-list mentioned by jdenoy, and added

    ip as-path access-list 1 permit any and it prevents the AS from becoming the transit AS. So I think even if the blogger has mistyped something, readers should use their brains while using it on a production network.

  6. I do it the proper way:

    router bgp 12345
    [...]
    neighbor 1.2.3.4 prefix-list AS12345 out
    [...]
    !
    ip prefix-list AS12345 seq 5 permit 2.3.4.0/24
    ip prefix-list AS12345 seq 10 permit 2.3.5.0/24
    ip prefix-list AS12345 seq 15 permit 2.3.6.0/24
    !

  7. Thanks for the prefix-list hint. I've included it in the non-transit AS tutorial.

  8. :-E *DONT_KNOW*

  9. :-E *DONT_KNOW*

  10. Thank you for the explanation.


You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.