From: Jason1 (jason1@xxxxxxxxxx)
Date: Sun Apr 01 2001 - 12:25:07 GMT-3
With BGP, to prevent your AS from becoming a transit AS, NO co-operation
from the ISP is necessary!! That is the idea of having an AS in the first
place, that each AS would have an independent policy.
The basic steps to prevent transit traffic are twofold. The first step is
to define a BGP-related access list on the BGP updates and to permit access
for the matching condition.
e.g.
ip as-path access-list 10 permit ^$
route-map localonly permit 10
 match as-path 10
! <your-AS> below is a placeholder for your own AS number
router bgp <your-AS>
 neighbor a.b.c.d route-map localonly out
This will prevent BGP from setting your AS as a transit AS; however, if your
ISP chooses to do so, they can still force a default route or insert a route
such that traffic still passes through your AS anyway. Therefore the 2nd step
is to use an extended ACL to deny all incoming traffic with a destination
other than your own network. So in general, Daniel is correct. As for the
appreciation of the ISP, there are no issues. If I own the network, it is up
to me to define the access-list as I see fit. This is also generally how
everybody prevents transit traffic through an AS anyway.
Jason Wong (CCSI, CCNP, MCT, MCSE+I, MCNE)
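As an added example, not part of Jason's post or of any message in this thread, the Python script below models the two steps described above: an as-path access-list with the regex ^$ applied to outbound updates (so only prefixes originated inside the local AS are advertised), and an ingress ACL that permits only traffic destined for the local AS's own prefixes (so a neighbour that points a default route at you still cannot push transit traffic through). The AS numbers, prefixes and the BGP table are constructed sample data; the function names are this example's own.

```python
"""Added example: models Jason's two-step no-transit recipe.
Step 1 filters outbound BGP updates with the as-path regex ^$.
Step 2 is an ingress ACL permitting only traffic to our own prefixes.
All ASNs, prefixes and the BGP table are constructed sample data."""
import ipaddress
import re

LOCAL_AS = 20  # constructed: the AS whose border router we model

# Constructed local BGP table for AS20: prefix -> AS path as AS20 sees it.
# Locally originated prefixes carry an empty AS path, which is what ^$ matches.
BGP_TABLE = {
    "192.0.2.0/24": [],            # originated in AS20
    "198.51.100.0/24": [10],       # learned from AS10 via EBGP
    "203.0.113.0/24": [30],        # learned from AS30 via EBGP
    "198.18.0.0/15": [30, 65000],  # learned from AS30, originated further away
}

# Mirrors "ip as-path access-list 10 permit ^$": one entry, permit on match.
AS_PATH_ACL = [("permit", re.compile(r"^$"))]


def as_path_string(path):
    """Render an AS path the way IOS matches it: space-separated ASNs."""
    return " ".join(str(asn) for asn in path)


def as_path_permitted(path, acl=AS_PATH_ACL):
    """Evaluate an as-path access-list top down; implicit deny at the end."""
    text = as_path_string(path)
    for action, regex in acl:
        if regex.search(text):
            return action == "permit"
    return False


def outbound_updates(table=BGP_TABLE):
    """Step 1: prefixes the route-map 'localonly' lets out to an EBGP peer."""
    return sorted(p for p, path in table.items() if as_path_permitted(path))


def own_prefixes(table=BGP_TABLE):
    """Prefixes originated inside the local AS (empty AS path)."""
    return [p for p, path in table.items() if not path]


def has_route(dst, table=BGP_TABLE):
    """Does the BGP table hold any route covering dst? (No default route.)"""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for p in table)


def ingress_acl_permits(dst, table=BGP_TABLE):
    """Step 2: extended ACL on the EBGP-facing interface, permit only
    traffic whose destination lies inside one of our own prefixes."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for p in own_prefixes(table))


def border_forwards(dst, ingress_acl=True):
    """Would AS20's border router forward a packet that a neighbour sent us?
    Models the caveat in the thread: a neighbour that defaults to us sends
    traffic for prefixes we never advertised to it."""
    if ingress_acl and not ingress_acl_permits(dst):
        return False          # dropped by the ACL before any route lookup
    return has_route(dst)     # otherwise forwarded whenever we know a route


if __name__ == "__main__":
    print("advertised to EBGP peers:", outbound_updates())
    for dst in ("192.0.2.10", "203.0.113.7"):
        print(dst, "no ACL ->", border_forwards(dst, ingress_acl=False),
              "| with ACL ->", border_forwards(dst))
```

Running it shows that step 1 alone advertises only 192.0.2.0/24, yet a packet for 203.0.113.7 arriving from the AS10 side is still forwarded towards AS30 when the ingress ACL is absent, because AS20 has a route for it; with the ACL in place the packet is dropped and only traffic for 192.0.2.0/24 gets through.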
----- Original Message -----
From: "fwells12" <fwells12@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Sunday, April 01, 2001 4:42 PM
Subject: Re: BGP/Community No-export
> Your theory could probably work in preventing your AS from becoming a
> transit AS with a lot of cooperation from your ISP(s). It does however
> require that your ISP(s) configure your policies on your behalf with you
> having any control over them. Not a good idea.
>
> As a method of controlling whether your AS became transient or not, I don't
> think your ISP(s) or your routers would appreciate you using access lists...
>
>
> ----- Original Message -----
> From: Daniel M. Dawson <dandawson@lucent.com>
> To: 'fwells12' <fwells12@hotmail.com>; <ccielab@groupstudy.com>
> Sent: Saturday, March 31, 2001 11:25 PM
> Subject: RE: BGP/Community No-export
>
>
> > Consider the following:
> >
> > R1------R2-----R3-----R4--------R5
> > AS10   (-----AS 20------)       AS30
> >
> > By putting no export on the routes coming in from R1 when advertised
> > thru IBGP to R3 and R4 and putting no export on routes coming in from
> > R5 to R4 when advertised thru IGRP to R3 and R2...
> >
> > R1-----------R2-----R3-----R4----------R5
> > AS10         (-----AS 20------)        AS30
> >
> >   >routeR1>   >>routeR1 NE>> |NOT routeR1|
> >    (EBGP)         (IBGP)        (EBGP)
> >
> > |NOT routeR5| <<routeR5 NE<<  <routeR5<
> >    (EBGP)         (IBGP)        (EBGP)
> >
> > In this situation, your AS (20) will know routes from AS10 but not
> > advertise those routes out to AS30. Also your AS will know routes from
> > AS30 but not advertise them to AS10. As a result you will have all
> > known routes but no BGP AS path will ever have your AS as a transient AS,
> > i.e. no AS will ever see in their BGP table a path of 10 20 30 or
> > vice versa 30 20 10.
> >
> > The only way you would have transient traffic is for either of the
> > neighboring AS's to set your AS in their default route. In this case
> > they may send traffic to you if they have no route to it, and if you
> > have a route to it out the other side of your AS the traffic will transit
> > your AS.
> >
> > To absolutely ensure no traffic is transiting your AS, you could set just
> > a plain access-list that allows only traffic destined for your internal
> > networks, and apply that access list to the incoming interfaces of your
> > EBGP connections. Assuming you have a service agreement with the two
> > AS's you connect to, and you can negotiate that they do not set you in
> > their default route, then the no-export is much cleaner and prevents
> > your border routers from comparing all incoming traffic to an access-list.
> >
> >
> > Daniel M. Dawson
> > E-mail: dandawson@lucent.com
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > fwells12
> > Sent: Saturday, March 31, 2001 11:20 PM
> > To: ccielab@groupstudy.com
> > Subject: Re: BGP/Community No-export
> >
> >
> > This is true. However, it still does not stop the directly connected AS'
> > from using your AS as a transit, it will only stop the AS' beyond those
> > directly connected ones from seeing your routes. If those remote AS' had
> > default routes to the directly connected AS', your AS may still be used as
> > a transit AS by the directly connected ones. The only way to be sure your
> > AS will not become a transit is to make sure that only routes that
> > originate inside your AS are advertised to other AS'.
> >
> > To comment on the other comment, it does not make any difference how you
> > advertise those routes. Route maps are just a tool to help you filter and
> > manipulate attributes.
> >
> >
> > ----- Original Message -----
> > From: Erick B. <erickbe@yahoo.com>
> > To: Richard Foltz <globalfx@netropolis.net>; <ccielab@groupstudy.com>
> > Sent: Saturday, March 31, 2001 6:39 PM
> > Subject: Re: BGP/Community No-export
> >
> >
> > > no-export works fine if you set it on the inbound
> > > routes / neighbor from another AS. Doing this your
> > > AS will get routes from that AS but other AS's you're
> > > connected to won't get those routes.
> > >
> > > --- Richard Foltz <globalfx@netropolis.net> wrote:
> > > > In order to not become a transit AS you should only
> > > > allow your subnets to be advertised, using a route map.
> > > > Setting no-export just tells the next AS not to send
> > > > your routes to any of their connected AS's.
> > > >
> > > > Richard Foltz
> > > > Sr. Network Engineer
> > > > ZettaWorks LLP.
> > > > 3rd Attempt @ RTP 11/2-3
> > > >
> > > > ----- Original Message -----
> > > > From: "Jerry Hutcheson" <jhutches@cisco.com>
> > > > To: <ccielab@groupstudy.com>
> > > > Sent: Saturday, March 31, 2001 12:23 PM
> > > > Subject: BGP/Community No-export
> > > >
> > > >
> > > > > If you have two connections out to the same EBGP network and
> > > > > you want to make sure you do not become a transit AS.
> > > > >
> > > > > I used the community no-export command. Do you have to do this
> > > > > only on one side of your IBGP network or on both?
> > > > >
> > > > > It seemed to work for me on one side.
> > > > >
> > > > > thanks,
> > > > >
> > > > > jerry
> > > > > **NOTE** All LAB SWAP messages should now be sent to the
> > > > > LAB SWAP Message board on groupstudy.com.
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:38 GMT-3