BGP Prevent Transit AS

By default BGP will advertise all prefixes to EBGP (External BGP) neighbors. This means that if you are multi-homed (connected to two or more ISPs) that you might become a transit AS. Let me show you an example:

R1 two ISPs 3 loopbacks

R1 is connected to ISP1 and ISP2 and each router is in a different AS (Autonomous System). Since R1 is multi-homed it’s possible that the ISPs will use R1 to reach each other. In order to prevent this we’ll have to ensure that R1 only advertises prefixes from its own autonomous system.

As far as I know there are 4 methods how you can prevent becoming a transit AS:

  • Filter-list with AS PATH access-list.
  • No-Export Community.
  • Prefix-list Filtering
  • Distribute-list Filtering

Prefix-lists or distribute-lists will work but it’s not a very scalable solution if  you have thousands of prefixes in your BGP table. The filter-list and no-export community work very well since you only have to configure them once and it will not matter if new prefixes show up. First we’ll configure BGP on each router:

R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 remote-as 2
R1(config-router)#neighbor 192.168.13.3 remote-as 3
ISP1(config)#router bgp 2
ISP1(config-router)#neighbor 192.168.12.1 remote-as 1
ISP2(config)#router bgp 3
ISP2(config-router)#neighbor 192.168.13.1 remote-as 1

The commands above will configure EBGP (External BGP) between R1 – ISP1 and R1 – ISP2. To make sure we have something to look at, I’ll advertise the loopback interfaces in BGP on each router:

R1(config)#router bgp 1
R1(config-router)#network 1.1.1.0 mask 255.255.255.0
ISP1(config)#router bgp 2
ISP1(config-router)#network 2.2.2.0 mask 255.255.255.0
ISP2(config)#router bgp 3
ISP2(config-router)#network 3.3.3.0 mask 255.255.255.0

With the networks advertised, let’s take a look at the BGP table of ISP1 and ISP2 to see what they have learned:

ISP1#show ip bgp 
BGP table version is 4, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*> 3.3.3.0/24       192.168.12.1                           0 1 3 i
ISP2#show ip bgp 
BGP table version is 4, local router ID is 33.33.33.33
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.13.1             0             0 1 i
*> 2.2.2.0/24       192.168.13.1                           0 1 2 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

The ISP routers have learned about each other networks and they will use R1 as the next hop. We now have everything in place to play with the different filtering techniques.

Filter-list with AS PATH access-list

Using an filter-list with the AS PATH access-list is probably the most convenient solution. It will ensure that you will always only advertise prefixes from your own autonomous system. Here’s how to do it:

R1(config)#ip as-path access-list 1 permit ^$

R1(config-router)#neighbor 192.168.12.2 filter-list 1 out
R1(config-router)#neighbor 192.168.13.3 filter-list 1 out

The ^$ regular expression ensures that we will only advertise locally originated prefixes. We’ll have to apply this filter to both ISPs.

Keep in mind that BGP is slow…if you are doing labs, it’s best to speed things up with clear ip bgp *

Let’s verify our configuration:

R1#show ip bgp 
BGP table version is 4, local router ID is 22.22.22.22
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       0.0.0.0                  0         32768 i
*> 2.2.2.0/24       192.168.12.2             0             0 2 i
*> 3.3.3.0/24       192.168.13.3             0             0 3 i

R1 still knows about the prefixes from the ISP routers. What about ISP1 and ISP2?

ISP1#show ip bgp 
BGP table version is 7, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
ISP2#show ip bgp 
BGP table version is 7, local router ID is 33.33.33.33
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.13.1             0             0 1 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

ISP1 and ISP2 only know about the 1.1.1.0 /24 network. Excellent, we are no longer a transit AS!

Configurations

Want to take a look for yourself? Here you will find the final configuration of each device.

ISP1

hostname ISP1
!
interface Loopback 0
 ip address 2.2.2.2 255.255.255.0
!
interface fastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
router bgp 2
 neighbor 192.168.12.1 remote-as 1
 network 2.2.2.0 mask 255.255.255.0
!
end

ISP2

hostname ISP2
!
interface Loopback 0
 ip address 3.3.3.3 255.255.255.0
!
interface fastEthernet0/0
 ip address 192.168.13.3 255.255.255.0
!
router bgp 3
 neighbor 192.168.13.1 remote-as 1
 network 3.3.3.0 mask 255.255.255.0
!
end

R1

hostname R1
!
interface Loopback 0
 ip address 1.1.1.1 255.255.255.0
!
interface fastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface fastEthernet0/1
 ip address 192.168.13.1 255.255.255.0
!
router bgp 1
 neighbor 192.168.12.2 remote-as 2
 neighbor 192.168.13.3 remote-as 3
 network 1.1.1.0 mask 255.255.255.0
 neighbor 192.168.12.2 filter-list 1 out
 neighbor 192.168.13.3 filter-list 1 out
!
ip as-path access-list 1 permit ^$
!
end


On to the next method…

No-Export Community

Using the no-export community will also work pretty well. We will configure R1 so that prefixes from the ISP routers will be tagged with the no-export community. This ensures that the prefixes from those routers will be known within AS 1 but won’t be advertised to other routers.

R1(config)#route-map NO-EXPORT
R1(config-route-map)#set community no-export

R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 route-map NO-EXPORT in
R1(config-router)#neighbor 192.168.13.3 route-map NO-EXPORT in
I’m only using one router in AS 1, if you have other routers and are running IBGP (Internal BGP) then don’t forget to send communities to those routers with the neighbor <ip> send-community command.

Let’s see what ISP1 and ISP2 think about our configuration:

ISP1#show ip bgp 
BGP table version is 11, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
ISP2#show ip bgp 
BGP table version is 11, local router ID is 33.33.33.33
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.13.1             0             0 1 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

They only know about network 1.1.1.0 /24.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

ISP1

hostname ISP1
!
interface Loopback 0
ip address 2.2.2.2 255.255.255.0
!
interface fastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
router bgp 2
 neighbor 192.168.12.1 remote-as 1
 network 2.2.2.0 mask 255.255.255.0
!
end

ISP2

hostname ISP2
!
interface Loopback 0
ip address 3.3.3.3 255.255.255.0
!
interface fastEthernet0/0
 ip address 192.168.13.3 255.255.255.0
!
router bgp 3
 neighbor 192.168.13.1 remote-as 1
 network 3.3.3.0 mask 255.255.255.0
!
end

R1

hostname R1
!
interface Loopback 0
 ip address 1.1.1.1 255.255.255.0
!
interface fastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface fastEthernet0/1
 ip address 192.168.13.1 255.255.255.0
!
router bgp 1
 neighbor 192.168.12.2 remote-as 2
 neighbor 192.168.13.3 remote-as 3
 network 1.1.1.0 mask 255.255.255.0
 neighbor 192.168.12.2 route-map NO-EXPORT in
 neighbor 192.168.13.3 route-map NO-EXPORT in
!
route-map NO-EXPORT
 set community no-export
!
end


Onto the next method!

Prefix-List Filtering

Using a prefix-list we can determine what prefixes are advertised to our BGP neighbors. This works fine but it’s not a good solution to prevent becoming a transit AS. Each time you add new prefixes you’ll have to reconfigure the prefix-list. Anyway let me show you how it works:

R1(config)#ip prefix-list NO-TRANSIT permit 1.1.1.0/24

R1(config-router)#neighbor 192.168.12.2 prefix-list NO-TRANSIT out 
R1(config-router)#neighbor 192.168.13.3 prefix-list NO-TRANSIT out

The prefix-list above will only advertise 1.1.1.0 /24 to the ISP routers. Let’s verify the configuration:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 707 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

467 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Forum Replies

  1. Jason,
    This is actually a very good question which required wireshark and some musing on my part to figure out.

    Here’s the short answer:
    If you included R1’s AS in the filter:
    R1(config)#ip as-path access-list 1 permit ^4444$
    It would indeed stop ISP1 and ISP2 from using R1 as a transit path. However, there is also a negative consequence. R1’s advertisements to ISP1 and ISP2 would also be filter out.

    Here’s the long answer:
    The interesting question is why does it do this? To answer this question, the first point to understand is what the ip as-path command i

    ... Continue reading in our forum

  2. hello Rene, I am a bit confused, No-Export community tells BGP neighbors to advertise a prefix only to iBGP neighbors so why if we use the “no-export” community we still need to use the command “send-community”? it should still export the prefixes to iBGP based on the no-export community… am I wrong?

  3. RT VS GRT

    Hi Rene,

    Can you please tell what is the diff. between routing table and global routing table in terms of NEXT HOP.
    example :
    I am an enterprise and i am peering with ISP thru GP. now i have to go to prefix 202.x.y.z (www.gmail.com)

    So how my outbound traffic will go in above case ?

    Now if get global routing table in my internet router - How the outbound traffic will go ?

    Thanks in adv
    Abhishek

  4. Hello Bruce

    First of all, I’m assuming your R2 is the R1 in the lesson, and R1 and R3 are ISP2 and ISP2 respectively.

    The neighbor 192.168.12.1 filter-list 1 in command should only filter BGP routes that are being received from the neighbor on which they were configured, namely ISP1 (192.168.12.1). This command should not filter out the routes received from ISP2, so something else is taking place in your topology.

    As for the deny 3$ statement, this would deny any AS that ends in 3, that is the AS of ISP2.

    If you want to deny this you would have to apply it as

    ... Continue reading in our forum

  5. Hello Giovanni

    You are correct, that if a provider does not allow its own network to become a transit network, then this can potentially cause problems to routing on the Internet.

    Remember that the Internet has a hierarchical structure. Within its structure, we have Tier 1, Tier 2, and Tier three networks. The following diagram shows an example of how these interconnect:

    https://cdn-forum.networklessons.com/uploads/default/original/2X/3/3a715a806ed069cedffad407d6f71d4c7292758d.png

    Tier 1 networks must route all traffic that they receive, to any other connecte

    ... Continue reading in our forum

40 more replies! Ask a question or join the discussion by visiting our Community Forum