Sovereign BGP – Part 2

As a continuation of last month’s “Sovereign BGP” post, this post will demonstrate the implementation of an Advertise-Map + an Exist-Map:

I’ll be honest, it took me a few minutes to figure out when you could use this feature, two situations came to mind but I opted for this one -> my apologies if it’s a rubbish example.

To keep things straight-forward we’ll stick with the majority of the setup from the previous post; an internal router is the only device that has been added to the diagram and the non-exist-map configuration remains in place.

Please take a look at the new network topology:

The aim of SanFran Systems is to only advertise their public network (146.55.43.0/26) to AS456 and AS789 if their private network (192.168.3.0/24) is available; the private network is where hosts on the inside of static one-to-one NATs are found, the public network provides the addresses for the outside of the NATs -> if the inside network isn’t available (and therefore the servers) SanFran Systems wish to withhold the advertisement of their outside network to AS456 and AS789.
In the case of AS789; the route should only be advertised if the private network is in the BGP table of SF_R1 and the 146.55.0.0/16 route isn’t being received from AS456 (non-exist-map + exist-map policy).  The private network has reached the BGP table of SF_R1 over an iBGP session being run with SF_R2 -> please remember, this is imaginary, I haven’t addressed the security side of things other than a lazy addition of a firewall symbol J

Our task detailed:

1a) If 192.168.3.0/24 exists in the local BGP table of SF_R1, then advertise the 146.55.43.0/26 route to ISP1_R1 (AS456) 1b)If 192.168.3.0/24 does not exist in the local BGP table of SF_R1, then do not advertise the 146.55.43.0/26 route to ISP1_R1 (AS456) ———————————————————————————— 2a) If 192.168.3.0/24 exists in the local BGP table of SF_R1 and we are receiving the  146.55.0.0/16 route from ISP1_R1 (AS456), then do not advertise the 146.55.43.0/26 route to ISP2_R1 (AS789) 2b) If 192.168.3.0/24 exists in the local BGP table of SF_R1 and we aren’t receiving the  146.55.0.0/16 route from ISP1_R1 (AS456), then advertise the 146.55.43.0/26 route to ISP2_R1 (AS789) 2c) If 192.168.3.0/24 does not exist in the local BGP table of SF_R1 and we are receiving the  146.55.0.0/16 route from ISP1_R1 (AS456), then do not advertise the 146.55.43.0/26 route to ISP2_R1 (AS789) 2d) If 192.168.3.0/24 does not exist in the local BGP table of SF_R1 and we aren’t receiving the  146.55.0.0/16 route from ISP1_R1 (AS456), then do not advertise the 146.55.43.0/26 route to ISP2_R1 (AS789)

Initial Configuration of SF_R1, new lines in bold, retained lines not:

router bgp 123  no synchronization  bgp log-neighbor-changes  network 146.55.43.0 mask 255.255.255.192  neighbor 146.55.43.1 remote-as 123  neighbor 146.55.43.1 next-hop-self  neighbor 146.55.251.13 remote-as 456  neighbor 146.55.251.13 route-map AS456_IN in  neighbor 146.55.251.13 route-map AS456_OUT out  neighbor 146.55.251.13 advertise-map SEND_THIS exist-map IF_THIS_EXISTS  neighbor 163.86.53.5 remote-as 789  neighbor 163.86.53.5 route-map AS789_IN in  neighbor 163.86.53.5 route-map AS789_OUT out  neighbor 163.86.53.5 advertise-map SEND_THIS non-exist-map IF_THIS_IS_MISSING  neighbor 163.86.53.5 advertise-map SEND_THIS exist-map IF_THIS_EXISTS  no auto-summary ! ip community-list 1 permit 123:456 ip as-path access-list 1 permit ^$ ! ip prefix-list ISP456_TRACK seq 10 permit 146.55.0.0/16 ! ip prefix-list CONDITIONAL seq 10 permit 146.55.43.0/26 ! ip prefix-list PRIVATE_NET seq 10 permit 192.168.3.0/24 ! route-map IF_THIS_IS_MISSING permit 10  match ip address prefix-list ISP456_TRACK  match community 1 ! route-map IF_THIS_EXISTS permit 10  match ip address prefix-list PRIVATE_NET ! route-map AS456_OUT deny 5  match ip address prefix-list PRIVATE_NET ! route-map AS456_OUT permit 10  match as-path 1 ! route-map AS789_OUT deny 5  match ip address prefix-list PRIVATE_NET ! route-map AS789_OUT permit 10  match as-path 1 ! route-map SEND_THIS permit 10  match ip address prefix-list CONDITIONAL ! route-map AS789_IN permit 10  set community 8061717 ! route-map AS456_IN permit 10  set local-preference 110  set community 8061384 !   Configuration explanation: The first two highlighted lines are for the new iBGP session required, the next two lines assign CR in the form of an advertise-map + exist-map to the neighbours in AS456 and AS789.  We then get into the route-maps…  we have been polite and filtered the internal private network from outbound advertisements, this has been done by adding lines above the existing “OUT” route-map permit lines to be able to selectively deny – in this case, a prefix-list that identifies 192.168.3.0/24 is matched.  The “IF_THIS_EXISTS” route-map that is referenced by CR has been created and also matches the same prefix-list, the “SEND_THIS” route-map then matches the existing “CONDITIONAL” prefix-list -> We want to advertise the route identified by “SEND_THIS” when the route identified by “IF_THIS_EXISTS” exists in the local BGP table.

So, now let’s test things… starting with the BGP tables of ISP1_R1 and ISP2_R1 after applying the configuration above:

ISP1_R1#sho ip bgp neighbors 146.55.251.14 received-routes *output omitted* *> 146.55.43.0/26   146.55.251.14            0             0 123 i     ISP2_R1#show ip bgp neighbor 163.86.53.6 received-routes Total number of prefixes 0

(note. “received-routes” = neighbor ‘ip-address’ soft-reconfiguration inbound)

That looks good, we are receiving 192.168.3.0/24 and 146.55.0.0/16 on SF_R1, so we should be sending 146.55.43.0/26 to ISP1_R1 and withholding our advert to ISP2_R1 until we stop receiving 146.55.0.0/16 from ISP1_R1 -> That fulfils the requirements of “1a” and “2a” -> let’s check the requirement “2b” by shutting down the interface connected to ISP1_R1:

SF_R1(config)#interface serial 1/0 SF_R1(config-if)#shutdown   After waiting a little while…. ISP2_R1#sho ip bgp neighbors 146.55.251.14 received-routes *output omitted* *> 146.55.43.0/26   146.55.251.14            0             0 123 i

Great, SF_R1 is sending its 146.55.43.0/26 route to ISP2_R1 because it has stopped receiving the 146.55.0.0/16 route from ISP1_R1 whilst still having the 192.168.3.0/24 route in its BGP table.  (“and breathe”)

Let’s address requirements “1b” and “2c” now.  We’ll start by doing a “no shut” on the interface previously shutdown and then after everything has stabilized we’ll shutdown the link to SF_R2 –the 192.168.3.0/24 route will no longer be received:

SF_R1(config)#interface serial 1/0 SF_R1(config-if)#no shutdown   … SF_R1(config)#interface fastethernet 0/0 SF_R1(config-if)#shutdown … ISP1_R1#show ip bgp neighbor 163.86.53.6 received-routes Total number of prefixes 0   ISP2_R1#show ip bgp neighbor 163.86.53.6 received-routes Total number of prefixes 0

Superb, the 146.55.43.0/26 route isn’t being sent to ISP1_R1 or ISP2_R1 when SF_R1 doesn’t have the 192.168.3.0/24 network in its BGP table.

That just leaves “2d”.  We’ll shutdown the respective BGP neighbors and not the interfaces this time -> “there’s more than one way to skin a cat”… 

SF_R1(config)#router bgp 123 SF_R1(config-router)#neighbor 146.55.251.13 shutdown SF_R1(config-router)#neighbor 163.86.53.5 shutdown   … ISP1_R1#show ip bgp neighbor 163.86.53.6 received-routes Total number of prefixes 0   ISP2_R1#show ip bgp neighbor 163.86.53.6 received-routes Total number of prefixes 0

And there we have it -> all requirements fulfilled 🙂