From: fwells12 (fwells12@xxxxxxxxxxx)
Date: Sun Apr 01 2001 - 05:42:09 GMT-3
Your theory could probably work in preventing your AS from becoming a
transit AS with a lot of cooperation from your ISP(s). It does however
require that your ISP(s) configure your policies on your behalf with you
having any control over them. Not a good idea.
As a method of controlling whether your AS became transient or not, I don't
think your ISP(s) or your routers would appreciate you using access lists...
----- Original Message -----
From: Daniel M. Dawson <dandawson@lucent.com>
To: 'fwells12' <fwells12@hotmail.com>; <ccielab@groupstudy.com>
Sent: Saturday, March 31, 2001 11:25 PM
Subject: RE: BGP/Community No-export
> Consider the following:
>
> R1------R2-----R3-----R4--------R5
> AS10   (-----AS 20------)      AS30
>
> By putting no export on the routes coming in from R1 when advertised
> thru IBGP to R3 and R4 and putting no export on routes coming in from
> R5 to R4 when advertised thru IGRP to R3 and R2...
>
> R1-----------R2-----R3-----R4----------R5
> AS10        (-----AS 20------)        AS30
>
>   >routeR1>    >>routeR1 NE>>     |NOT routeR1|
>    (EBGP)         (IBGP)             (EBGP)
>
> |NOT routeR5|  <<routeR5 NE<<       <routeR5<
>    (EBGP)         (IBGP)             (EBGP)
>
> In this situation, your AS (20) will know routes from AS10 but not
> advertise those routes out to AS30. Also your AS will know routes from
> AS30 but not advertise them to AS10. As a result you will have all
> known routes but no BGP AS path will ever have your AS as a transient AS.
> i.e. no AS will ever see in their BGP table a path of 10 20 30 or
> vice versa 30 20 10.
>
> The only way you would have transient traffic is for either of the
> neighboring AS's to set your AS in their default route. In this case
> they may send traffic to you if they have no route to it, and if you
> have a route to it out the other side of your AS the traffic will transit
> your AS.
>
> To absolutely ensure no traffic is transiting your AS, you could set just
> a plain access-list that allows only traffic destined for your internal
> networks. And apply that access list to the incoming interfaces of your
> EBGP connections. Assuming you have a service agreement with the two
> AS's you connect to, and you can negotiate that they do not set you in
> their default route. Then the no export is much cleaner and prevents
> your border routers to compare all incoming traffic to an access-list.
>
>
> Daniel M. Dawson
> E-mail: dandawson@lucent.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> fwells12
> Sent: Saturday, March 31, 2001 11:20 PM
> To: ccielab@groupstudy.com
> Subject: Re: BGP/Community No-export
>
>
> This is true. However, it still does not stop the directly connected AS'
> from using your AS as a transit, it will only stop the AS' beyond those
> directly connected ones from seeing your routes. If those remote AS' had
> default routes to the directly connected AS', your AS may still be used as a
> transit AS by the directly connected ones. The only way to be sure your AS
> will not become a transit is to make sure that only routes that originate
> inside your AS are advertised to other AS'.
>
> To comment on the other comment, it does not make any difference how you
> advertise those routes. Route maps are just a tool to help you filter and
> manipulate attributes.
>
>
> ----- Original Message -----
> From: Erick B. <erickbe@yahoo.com>
> To: Richard Foltz <globalfx@netropolis.net>; <ccielab@groupstudy.com>
> Sent: Saturday, March 31, 2001 6:39 PM
> Subject: Re: BGP/Community No-export
>
>
> > no export works fine if you set it on the inbound
> > routes / neighbor from another AS. Doing this your
> > AS will get routes from that AS but other AS's you're
> > connected to won't get those routes.
> >
> > --- Richard Foltz <globalfx@netropolis.net> wrote:
> > > In order to not become a transit AS you should only allow your subnets
> > > to be advertised, using a route map. Setting no export just tells the
> > > next AS not to send your router to any of their connected AS's.
> > >
> > > Richard Foltz
> > > Sr. Network Engineer
> > > ZettaWorks LLP.
> > > 3rd Attempt @ RTP 11/2-3
> > >
> > > ----- Original Message -----
> > > From: "Jerry Hutcheson" <jhutches@cisco.com>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Saturday, March 31, 2001 12:23 PM
> > > Subject: BGP/Community No-export
> > >
> > >
> > > > If you have two connections out to the same EBGP network and you want
> > > > to make sure you do not become a transit AS.
> > > >
> > > > I used the community no export command. Do you have to do this only on
> > > > one side of your IBGP network or on both?
> > > >
> > > > It seemed to work for me on one side.
> > > >
> > > > thanks,
> > > >
> > > > jerry
> > > > **NOTE** All LAB SWAP messages should now be sent to the
> > > > LAB SWAP Message board on groupstudy.com.
> > >
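
The point debated in this thread, modelled as an added example (not part of any poster's message): a small Python simulation of the AS10 / AS20 / AS30 diagram showing that tagging inbound eBGP routes with no-export removes AS 20 from advertised AS paths, while a neighbor's default route can still push transit traffic through unless an inbound ACL drops it. The prefixes are constructed documentation ranges and all function names are hypothetical; AS 20 is modelled as a single node, assuming the community is carried across its IBGP sessions.

```python
import ipaddress

NO_EXPORT = "no-export"  # well-known community (RFC 1997)

# Constructed sample prefixes (documentation ranges), one per AS in the diagram.
ORIGIN = {10: "192.0.2.0/24", 20: "198.51.100.0/24", 30: "203.0.113.0/24"}
NEIGHBORS_OF_20 = (10, 30)


def as20_rib(tag_inbound):
    """Routes AS 20 holds: its own prefix plus what each eBGP neighbor sends."""
    rib = {ORIGIN[20]: {"path": [], "comm": set(), "from": None}}
    for asn in NEIGHBORS_OF_20:
        comm = {NO_EXPORT} if tag_inbound else set()
        rib[ORIGIN[asn]] = {"path": [asn], "comm": comm, "from": asn}
    return rib


def as20_advertises(peer, tag_inbound):
    """AS paths AS 20 sends to an eBGP peer; NO_EXPORT routes stay inside the AS."""
    out = {}
    for prefix, r in as20_rib(tag_inbound).items():
        if NO_EXPORT in r["comm"] or r["from"] == peer:
            continue
        out[prefix] = [20] + r["path"]
    return out


def transits_as20(dst_ip, from_as, peer_defaults_to_20, tag_inbound, inbound_acl):
    """Data plane: does a packet entering AS 20 from from_as leave via the other peer?"""
    dst = ipaddress.ip_address(dst_ip)
    learned = as20_advertises(from_as, tag_inbound)
    has_route = any(dst in ipaddress.ip_network(p) for p in learned)
    if not (has_route or peer_defaults_to_20):
        return False  # the neighbor never sends the packet toward AS 20
    if inbound_acl and dst not in ipaddress.ip_network(ORIGIN[20]):
        return False  # ACL on the eBGP-facing interface drops it
    # AS 20 forwards on its own RIB, which still holds the far side's prefix.
    route = next((r for p, r in as20_rib(tag_inbound).items()
                  if dst in ipaddress.ip_network(p)), None)
    return route is not None and route["from"] not in (None, from_as)
```
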
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:37 GMT-3