Prevent BGP from advertising a connected LAN



  • Hello,

    I have a router that has a few LANs connected to it.

    I don't want to advertise one of the LANs because it would cause a routing conflict elsewhere in the network.

    What's the best way to prevent a directly connected LAN from being advertised?

    I've tried using prefix lists in the past to prevent advertisement but the routes were advertised anyways.


  • LAYER 8 Netgate

    Are you redistributing connected or something?



  • Yes, I usually have BGP set to redistribute connected routes.

    Each of my routers has at least 2 OpenVPN tunnels to at least 2 other routers on the network. I have an interface assigned to each tunnel.

    My understanding is that if I don't select 'redistribute connected routes' then it won't advertise the routes I have access to over the VPN tunnels?


  • LAYER 8 Netgate

    Unless you just set it to advertise what you want advertised.

    You should be able to filter that with a route map too.

    You'll probably want to post what you have tried to that end.


  • Rebel Alliance Developer Netgate

    Filtering works like anything else that does BGP, that is, use route maps and prefix lists to filter what you do or do not want to advertise, especially when distributing automatic sets of routes like 'connected'.



  • I've tried setting up prefix lists in the past, but I wasn't able to successfully prevent any specific routes from being advertised or filter out any routes coming in. I will try again.

    Is it possible to NAT the connected LAN over the OpenVPNs to a different subnet, and then advertise a route to the NAT'd subnet?

    It's not possible to change the subnet that is causing the conflict, so I'm wondering what the options are.


  • LAYER 8 Netgate

    Something like this should work.

    # Prefix Lists
    ip prefix-list NO_EXPORT description Do Not Export These Routes
    ip prefix-list NO_EXPORT seq 10 permit 10.20.30.0/24 le 32 
    ip prefix-list NO_EXPORT seq 20 permit 10.12.14.0/24 le 32 
    
    # Route Maps
    route-map IPV4_EXPORT deny 10
      match ip address prefix-list NO_EXPORT
    route-map IPV4_EXPORT permit 20
    
    address-family ipv4 unicast
        neighbor 172.25.228.58 route-map IPV4_EXPORT out
    


  • I configured a prefix list in the GUI and this is what is generated:

    # Prefix Lists
    ip prefix-list NO_EXPORT seq 10 permit bad.sub.net.addr/29 le 32 
    ip prefix-list NO_EXPORT description Do not export these routes
    
    # Route Maps
    route-map IPV4_EXPORT deny 10
    match ip address prefix-list NO_EXPORT
    

    I restarted FRR bgpd on this router and other routers also and waited a few hours.

    Still no joy, this route is still showing up on all the other routers, pointing back to this one.
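    As an added illustration (not code from this thread, from pfSense or from FRR), here is a small Python model of how FRR evaluates the prefix list and outbound route map shown in the two posts above: prefix-list entries are tried in sequence order, `le 32` matches the listed prefix and anything more specific inside it, and a route that matches no clause of a route map is dropped by the implicit deny at the end of the map. It compares the Netgate example (deny 10 followed by permit 20) against the generated map, which contains only the deny clause. The connected prefixes are constructed sample values, and 10.50.60.0/29 stands in for the bad.sub.net.addr/29 placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixEntry:
    """One 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' line."""
    seq: int
    action: str                      # "permit" or "deny"
    prefix: str                      # e.g. "10.20.30.0/24"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        net = ipaddress.ip_network(self.prefix)
        if not route.subnet_of(net):             # route must lie inside the entry
            return False
        if self.ge is None and self.le is None:  # no ge/le: exact length only
            return route.prefixlen == net.prefixlen
        lo = self.ge if self.ge is not None else net.prefixlen
        hi = self.le if self.le is not None else 32
        return lo <= route.prefixlen <= hi


@dataclass
class RouteMapClause:
    """One 'route-map NAME permit|deny N' block; prefix_list None means 'match anything'."""
    seq: int
    action: str
    prefix_list: Optional[List[PrefixEntry]] = None


def prefix_list_permits(entries: List[PrefixEntry], route: str) -> bool:
    """First matching entry in sequence order decides; no match is an implicit deny."""
    net = ipaddress.ip_network(route)
    for e in sorted(entries, key=lambda e: e.seq):
        if e.matches(net):
            return e.action == "permit"
    return False


def route_map_permits(clauses: List[RouteMapClause], route: str) -> bool:
    """First clause whose match succeeds decides; a route matching no clause is dropped."""
    for c in sorted(clauses, key=lambda c: c.seq):
        if c.prefix_list is None or prefix_list_permits(c.prefix_list, route):
            return c.action == "permit"
    return False   # implicit deny at the end of every route map


def advertised(route_map: List[RouteMapClause], routes: List[str]) -> List[str]:
    """Apply an outbound route map to a candidate route set, keeping what would be sent."""
    return [r for r in routes if route_map_permits(route_map, r)]


# Prefix list from the Netgate example post
NO_EXPORT = [
    PrefixEntry(10, "permit", "10.20.30.0/24", le=32),
    PrefixEntry(20, "permit", "10.12.14.0/24", le=32),
]

# Netgate example: deny the listed prefixes, then permit everything else
NETGATE_MAP = [RouteMapClause(10, "deny", NO_EXPORT), RouteMapClause(20, "permit", None)]

# Generated prefix list: 10.50.60.0/29 is a constructed stand-in for bad.sub.net.addr/29
GENERATED_NO_EXPORT = [PrefixEntry(10, "permit", "10.50.60.0/29", le=32)]
# Generated route map: only the deny clause, no trailing permit
GENERATED_MAP = [RouteMapClause(10, "deny", GENERATED_NO_EXPORT)]

# Constructed set of 'connected' routes that 'redistribute connected' would offer to BGP
CONNECTED = ["10.20.30.0/24", "10.12.14.0/24", "10.50.60.0/29", "10.99.0.0/24", "192.168.50.0/24"]

if __name__ == "__main__":
    print("Netgate example advertises:", advertised(NETGATE_MAP, CONNECTED))
    print("Generated map advertises:  ", advertised(GENERATED_MAP, CONNECTED))
```

With the Netgate map, only the two NO_EXPORT prefixes are withheld and the rest of the connected routes still go out; with the generated map, nothing matches a permit clause, so the neighbor receives no routes at all from this peer. Checking `show ip bgp neighbors <peer> advertised-routes` in vtysh after applying an outbound route map is the quickest way to confirm which of the two outcomes you actually have.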


  • Rebel Alliance Developer Netgate

    Did you remember to pick that route map on the BGP Neighbor settings for Outbound route map filter?



  • No I forgot. I selected IPV4_EXPORT on the outbound route map.

    However, not long after I got reports that incoming RDP connections to this network were getting closed after about 8 seconds of being connected.

    After I unselected IPV4_EXPORT from the outbound route map everything went back to normal.

    I'll probably avoid using prefix lists for now.


  • LAYER 8 Netgate

    Sounds like you might have created an asymmetric routing situation having nothing to do with BGP (other than distributing routes as instructed).

