
BGP: Prevent becoming a Transit AS
The solution at hand is a filter-list with an AS-PATH access-list on the provider BGP session, so that only prefixes originated inside the local AS are advertised out. Such prefixes have an empty AS path, matched by the regex ^$; anything learned from another AS carries at least one AS number in its path and is dropped, so the AS can never carry transit traffic. Routes learned over iBGP keep an empty path as well (iBGP does not prepend), so every border router in the AS can use the same filter.

R1(config)#ip as-path access-list 1 permit ^$
R1(config-router)#neighbor 192.168.12.2 filter-list 1 out

Check the result with "show ip bgp neighbors 192.168.12.2 advertised-routes": only the locally originated prefixes should be listed.

Another solution is to tag everything received from the provider with the well-known no-export community, which stops the router from advertising those prefixes to any eBGP peer:

R1(config)#route-map NO-EXPORT
R1(config-route-map)#set community no-export
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 route-map NO-EXPORT in

Caveat: IOS does not send communities to iBGP neighbors unless "neighbor <peer> send-community" is configured. With more than one border router the tag has to reach the other routers, otherwise they do not see it and advertise the provider's prefixes through their own provider sessions.
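To compare the two methods offline, the following is an added example (not part of the lab notes or of any vendor code): a small simulation of how IOS decides what to advertise to an eBGP neighbor, covering both the outbound filter-list with ^$ and the inbound no-export tagging. The route data is constructed from the "show ip bgp" tables further down (default route with path 65011 65001, local /24 and /20 prefixes in AS 65021); the function names and the two-router scenario (provider route enters via one border router, leaves via the other) are this example's own.

```python
"""Model of the two 'no transit' techniques: outbound as-path filter-list
versus inbound no-export tagging. Added example, not the lab's own code.
Route data is constructed from the page's 'show ip bgp' output for AS 65021.
"""
import re
from dataclasses import dataclass, field

LOCAL_AS = 65021
NO_EXPORT = "no-export"


@dataclass
class Route:
    prefix: str
    as_path: str                      # "" = originated locally, else e.g. "65011 65001"
    communities: set = field(default_factory=set)


def ios_aspath_regex(pattern: str) -> re.Pattern:
    """IOS AS-path regex: '_' matches a delimiter (start, end, space, comma, braces)."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


def as_path_permitted(as_path: str, acl) -> bool:
    """Evaluate an ordered as-path access-list; IOS has an implicit deny at the end."""
    for action, pattern in acl:
        if ios_aspath_regex(pattern).search(as_path):
            return action == "permit"
    return False


def receive_from_provider(route: Route, tag_no_export: bool) -> Route:
    """Inbound policy on the provider session (method 2 sets no-export)."""
    communities = set(route.communities)
    if tag_no_export:
        communities.add(NO_EXPORT)
    return Route(route.prefix, route.as_path, communities)


def ibgp_propagate(route: Route, send_community: bool) -> Route:
    """What the other border router in AS 65021 learns over iBGP: the AS path is
    unchanged, and communities only survive if 'send-community' is configured."""
    return Route(route.prefix, route.as_path,
                 set(route.communities) if send_community else set())


def advertise_to_ebgp(route: Route, out_filter=None) -> bool:
    """Outbound decision toward an eBGP neighbor (the provider)."""
    if NO_EXPORT in route.communities:
        return False
    if out_filter is not None and not as_path_permitted(route.as_path, out_filter):
        return False
    return True


# Constructed routing information, modelled on cisco01's table on the page.
DEFAULT_FROM_PROVIDER = Route("0.0.0.0/0", "65011 65001")
LOCAL_ROUTES = [Route("10.255.4.0/24", ""), Route("10.255.80.0/20", "")]
FILTER_LIST_1 = [("permit", "^$")]   # ip as-path access-list 1 permit ^$


def leaked_via_second_peer(method: str, send_community: bool = False) -> bool:
    """Does the provider's route re-enter the Internet via the *other* border
    router's eBGP session, i.e. does AS 65021 become a transit AS?"""
    if method == "filter-list":
        rcvd = receive_from_provider(DEFAULT_FROM_PROVIDER, tag_no_export=False)
        on_peer = ibgp_propagate(rcvd, send_community)
        return advertise_to_ebgp(on_peer, out_filter=FILTER_LIST_1)
    if method == "no-export":
        rcvd = receive_from_provider(DEFAULT_FROM_PROVIDER, tag_no_export=True)
        on_peer = ibgp_propagate(rcvd, send_community)
        return advertise_to_ebgp(on_peer)  # no outbound filter in this method
    raise ValueError(method)


def local_routes_still_advertised() -> bool:
    """The filter must not block the AS's own prefixes."""
    return all(advertise_to_ebgp(r, out_filter=FILTER_LIST_1) for r in LOCAL_ROUTES)


if __name__ == "__main__":
    for m, sc in (("filter-list", False), ("no-export", False), ("no-export", True)):
        print(f"{m:12s} send-community={sc!s:5s} transit leak: {leaked_via_second_peer(m, sc)}")
    print("local prefixes advertised:", local_routes_still_advertised())
```

The filter-list method is robust on its own because the provider's path (65011 65001) stays non-empty across iBGP, so the second router drops it regardless of communities. The no-export method only works across two border routers when the community is actually carried to the iBGP peer.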
Cisco
cisco01
config
ip as-path access-list 1 permit ^$
!
interface Vlan916
ip address 10.29.1.21 255.255.255.248
!
interface Vlan581
ip address 10.255.80.28 255.255.255.240
!
router bgp 65021
bgp log-neighbor-changes
network 10.255.4.0 mask 255.255.255.0
network 10.255.80.0 mask 255.255.240.0
network 10.255.96.0 mask 255.255.240.0
network 10.255.112.0 mask 255.255.240.0
neighbor 10.29.1.18 remote-as 65011
neighbor 10.29.1.18 filter-list 1 out
neighbor 10.255.80.29 remote-as 65021
maximum-paths eibgp 4
!
show ip bgp summary
show ip bgp summary
BGP router identifier 10.255.0.1, local AS number 65021
BGP table version is 40, main routing table version 40
7 network entries using 1008 bytes of memory
14 path entries using 1232 bytes of memory
3 multipath network entries and 6 multipath paths
6/3 BGP path/bestpath attribute entries using 1104 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3392 total bytes of memory
BGP activity 14/7 prefixes, 48/34 paths, scan interval 60 secs
7 networks peaked at 18:09:33 Jun 22 2024 UTC (00:35:00.223 ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.29.1.18 4 65011 19 27 40 0 0 00:15:10 3
10.255.80.29 4 65021 56 63 40 0 0 00:37:18 7
show ip route
cisco01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.255.80.29 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.255.80.29, 01:17:01
[20/0] via 10.29.1.18, 01:17:01
show ip bgp
show ip bgp
BGP table version is 40, local router ID is 10.255.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*mi 0.0.0.0 10.255.80.29 0 100 0 65011 65001 i
*> 10.29.1.18 0 65011 65001 i
cisco02
config
ip as-path access-list 1 permit ^$
!
interface Vlan581
ip address 10.255.80.29 255.255.255.240
!
interface Vlan917
ip address 10.29.1.5 255.255.255.248
!
router bgp 65021
bgp log-neighbor-changes
network 10.255.4.0 mask 255.255.255.0
network 10.255.80.0 mask 255.255.240.0
network 10.255.96.0 mask 255.255.240.0
network 10.255.112.0 mask 255.255.240.0
neighbor 10.29.1.3 remote-as 65011
neighbor 10.29.1.3 filter-list 1 out
neighbor 10.255.80.28 remote-as 65021
maximum-paths eibgp 4
!
show ip bgp summary
show ip bgp summary
BGP router identifier 10.255.0.2, local AS number 65021
BGP table version is 25, main routing table version 25
7 network entries using 1008 bytes of memory
14 path entries using 1232 bytes of memory
3 multipath network entries and 6 multipath paths
6/3 BGP path/bestpath attribute entries using 1104 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3392 total bytes of memory
BGP activity 14/7 prefixes, 40/26 paths, scan interval 60 secs
7 networks peaked at 18:09:33 Jun 22 2024 UTC (00:38:23.699 ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.29.1.3 4 65011 46 55 25 0 0 00:40:43 3
10.255.80.28 4 65021 67 60 25 0 0 00:40:41 7
show ip route
cisco02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.255.80.28 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 10.255.80.28, 01:17:49
[20/0] via 10.29.1.3, 01:17:49
EdgeRouter-X
edge01
config
set interfaces ethernet eth0 vif 916 address 10.29.1.18/29
set interfaces ethernet eth0 vif 997 address 10.255.2.8/28
set interfaces ethernet eth3 address 10.29.1.9/29
set interfaces loopback lo address 10.29.0.1/32
set protocols bgp 65011 neighbor 10.29.1.14 remote-as 65011
set protocols bgp 65011 neighbor 10.29.1.21 remote-as 65021
set protocols bgp 65011 neighbor 10.255.2.5 local-as 65111
set protocols bgp 65011 neighbor 10.255.2.5 remote-as 65001
set protocols bgp 65011 network 10.29.0.1/32
set protocols bgp 65011 parameters log-neighbor-changes
set protocols bgp 65011 parameters router-id 10.29.0.1

Note: neighbor 10.255.2.5 is configured with local-as 65111, while the FortiGate expects remote-as 65011 from 10.255.2.8, so the two ends of that session do not agree on the AS number. The routing table below shows the default route with distance 200 (iBGP) and next hop 10.255.2.5, which indicates it was learned from edge02 over the iBGP session rather than directly from the FortiGate.
show ip route
ubnt01:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
B *> 0.0.0.0/0 [200/0] via 10.255.2.5, eth0.997, 01:05:15
B *> 10.29.0.2/32 [200/0] via 10.29.1.14, eth3, 01:15:12
B *> 10.255.4.0/24 [20/0] via 10.29.1.21, eth0.916, 01:05:19
edge02
config
set interfaces ethernet eth0 address 10.29.1.3/29
set interfaces ethernet eth0 vif 997 address 10.255.2.9/28
set interfaces ethernet eth3 address 10.29.1.14/29
set interfaces loopback lo address 10.29.0.2/32
set protocols bgp 65011 neighbor 10.29.1.5 remote-as 65021
set protocols bgp 65011 neighbor 10.29.1.9 description de052-ne1-rt-ubnt01
set protocols bgp 65011 neighbor 10.29.1.9 remote-as 65011
set protocols bgp 65011 neighbor 10.255.2.5 remote-as 65001
set protocols bgp 65011 network 10.29.0.2/32
set protocols bgp 65011 parameters log-neighbor-changes
set protocols bgp 65011 parameters router-id 10.29.0.2
show ip route
ubnt02:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
B *> 0.0.0.0/0 [20/0] via 10.255.2.5, eth0.997, 35w5d06h
B *> 10.29.0.1/32 [200/0] via 10.29.1.9, eth3, 01:06:30
B *> 10.255.4.0/24 [20/0] via 10.29.1.5, eth0, 35w5d06h
FortiGate
config
config system interface
edit "port1.997"
set vdom "root"
set ip 10.255.2.5 255.255.255.240
set interface "port1"
set vlanid 997
next
end
config router bgp
set as 65001
set router-id 10.255.2.5
set ebgp-multipath enable
config neighbor
edit "10.255.2.9"
set activate6 disable
set activate-vpnv4 disable
set capability-default-originate enable
set remote-as 65011
next
edit "10.255.2.8"
set activate6 disable
set activate-vpnv4 disable
set capability-default-originate enable
set remote-as 65011
next
end
end
get router info routing-table details
forti01 # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 62.155.244.225, ppp2, [1/0]
Tests

traceroute from a host whose gateway is 10.255.4.2. The second hop alternates between 10.255.80.29 (cisco02) and 10.29.1.18 (edge01), the two next hops cisco01 installed for 0.0.0.0/0 with maximum-paths eibgp 4, so outbound traffic is load-shared across both paths.
traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 10.255.4.2 1.380 ms 1.345 ms 1.345 ms
2 10.255.80.29 1.136 ms 10.29.1.18 0.616 ms 10.255.80.29 1.079 ms

