Prevent BGP from advertising a connected LAN

ttblum · Sep 30, 2020, 7:54 PM

Hello,

I have a router that has a few LANs connected to it.

I don't want to advertise one of the LANs because it would cause a routing conflict elsewhere in the network.

What's the best way to prevent a directly connected LAN from being advertised?

I've tried using prefix lists in the past to prevent advertisement but the routes were advertised anyways.

Derelict · Oct 1, 2020, 1:01 PM

Are you redistributing connected or something?

ttblum · Oct 1, 2020, 4:54 PM

Yes, I usually have BGP set to redistribute connected routes.

Each of my routers has at least 2 OpenVPN tunnels to at least 2 other routers on the network. I have an interface assigned to each tunnel.

My understanding is that if I don't select 'redistribute connected routes' then it won't advertise the routes I have access to over the VPN tunnels?

Derelict · Oct 1, 2020, 5:10 PM

Unless you just set it to advertise what you want advertised.

You should be able to filter that with a route map too.

You'll probably want to post what you have tried to that end.

jimp · Oct 2, 2020, 2:17 PM

Filtering works like anything else that does BGP, that is, use route maps and prefix lists to filter what you do or do not want to advertise, especially when distributing automatic sets of routes like 'connected'.

ttblum · Oct 2, 2020, 7:32 PM

I've tried setting up prefix lists in the past, but I wasn't able to successfully prevent any specific routes from being advertised or filter out any routes coming in. I will try again.

Is it possible to NAT the connected LAN over the OpenVPNs to a different subnet, and then advertise a route to the NAT'd subnet?

It's not possible to change the subnet that is causing the conflict, so I'm wondering what the options are.

Derelict · Oct 3, 2020, 1:13 AM

Something like this should work.

# Prefix Lists
ip prefix-list NO_EXPORT description Do Not Export These Routes
ip prefix-list NO_EXPORT seq 10 permit 10.20.30.0/24 le 32 
ip prefix-list NO_EXPORT seq 20 permit 10.12.14.0/24 le 32 

# Route Maps
route-map IPV4_EXPORT deny 10
  match ip address prefix-list NO_EXPORT
route-map IPV4_EXPORT permit 20

address-family ipv4 unicast
    neighbor 172.25.228.58 route-map IPV4_EXPORT out

ttblum · Oct 8, 2020, 5:09 PM

I configured a preflix list in the GUI and this is what is generated:

# Prefix Lists
ip prefix-list NO_EXPORT seq 10 permit bad.sub.net.addr/29 le 32 
ip prefix-list NO_EXPORT description Do not export these routes

# Route Maps
route-map IPV4_EXPORT deny 10
match ip address prefix-list NO_EXPORT

I restarted FRR bgpd on this router and other routers also and waited a few hours.

Still no joy, this route is still showing up on all the other routers, pointing back to this one.

jimp · Oct 8, 2020, 5:15 PM

Did you remember to pick that route map on the BGP Neighbor settings for Outbound route map filter?

ttblum · Oct 15, 2020, 7:48 PM

No I forgot. I selected IPV4_EXPORT on the outbound route map.

However, not long after I got reports that incoming RDP connections to this network were getting closed after about 8 seconds of being connected.

After I unselected IPV4_EXPORT from the outbound route map everything went back to normal.

I'll probably avoid using prefix lists for now.

Derelict · Oct 15, 2020, 9:18 PM

Sounds like you might have created an asymmetric routing situation having nothing to do with BGP (other than distributing routes as instructed).