Setting NO-EXPORT BGP Community

A reader of my blog experienced problems setting no-export BGP community. Here’s a quick how-to guide (if you’re new to BGP, you might want to read BGP Communities and BGP and route maps posts first).

The no-export BGP community is defined in RFC 1997: “All routes received carrying a [BGP] communities attribute containing this value MUST NOT be advertised outside a BGP confederation boundary” (i.e. outside our own AS, or across regular EBGP sessions).

If you want to use the no-export community to ensure some of your prefixes are never announced to routers outside of your AS, then the router originating the prefix should set the community with a network route-map or redistribute route-map BGP router configuration command. This design is commonly used in large ISP networks that propagate provider aggregatable customer prefixes in BGP.

If you want to use the no-export community to prevent the upstream AS (your ISP) from propagating a BGP prefix to the rest of the Internet (example: advertising two /25s for traffic engineering purposes), then you MUST NOT set the community with the network or redistribute command – the default filters applied to every EBGP session would never allow such a prefix to be propagated to EBGP peers.

In this case you MUST attach the no-export community to the BGP prefixes you’re advertising with a neighbor route-map command (or neighbor default-originate route-map command – see the comment by Jose Jara) because the route map attached to a BGP neighbor gets executed (and the no-export community attached to BGP prefixes) after the default filters have already been applied.


  1. Ivan,

    I think there is one exception and that would be if we advertise the default-route via neighbor default-originate. In that case, if we set the community no-export in the route-map that we are going to apply outbound towards the neighbor, this will have no effect in the default route because it does not pass by Adj-Rib-Out ( ).

    The solution would be to set the community in the route-map applied after the default-originate command: neighbor default-originate route-map NO-EXPORT.

    By the way, there is no need to do a soft/hard reset after applying this route-map as it does not pass through BGP output filters.

Add comment