Prevent BGP from advertising a connected LAN
-
Hello,
I have a router that has a few LANs connected to it.
I don't want to advertise one of the LANs because it would cause a routing conflict elsewhere in the network.
What's the best way to prevent a directly connected LAN from being advertised?
I've tried using prefix lists in the past to prevent advertisement but the routes were advertised anyways.
-
Are you redistributing connected or something?
-
Yes, I usually have BGP set to redistribute connected routes.
Each of my routers has at least 2 OpenVPN tunnels to at least 2 other routers on the network. I have an interface assigned to each tunnel.
My understanding is that if I don't select 'redistribute connected routes' then it won't advertise the routes I have access to over the VPN tunnels?
-
Unless you just set it to advertise what you want advertised.
You should be able to filter that with a route map too.
You'll probably want to post what you have tried to that end.
-
Filtering works like anything else that does BGP, that is, use route maps and prefix lists to filter what you do or do not want to advertise, especially when distributing automatic sets of routes like 'connected'.
-
I've tried setting up prefix lists in the past, but I wasn't able to successfully prevent any specific routes from being advertised or filter out any routes coming in. I will try again.
Is it possible to NAT the connected LAN over the OpenVPNs to a different subnet, and then advertise a route to the NAT'd subnet?
It's not possible to change the subnet that is causing the conflict, so I'm wondering what the options are.
-
Something like this should work.
# Prefix Lists ip prefix-list NO_EXPORT description Do Not Export These Routes ip prefix-list NO_EXPORT seq 10 permit 10.20.30.0/24 le 32 ip prefix-list NO_EXPORT seq 20 permit 10.12.14.0/24 le 32 # Route Maps route-map IPV4_EXPORT deny 10 match ip address prefix-list NO_EXPORT route-map IPV4_EXPORT permit 20 address-family ipv4 unicast neighbor 172.25.228.58 route-map IPV4_EXPORT out
-
I configured a preflix list in the GUI and this is what is generated:
# Prefix Lists ip prefix-list NO_EXPORT seq 10 permit bad.sub.net.addr/29 le 32 ip prefix-list NO_EXPORT description Do not export these routes # Route Maps route-map IPV4_EXPORT deny 10 match ip address prefix-list NO_EXPORT
I restarted FRR bgpd on this router and other routers also and waited a few hours.
Still no joy, this route is still showing up on all the other routers, pointing back to this one.
-
Did you remember to pick that route map on the BGP Neighbor settings for Outbound route map filter?
-
No I forgot. I selected IPV4_EXPORT on the outbound route map.
However, not long after I got reports that incoming RDP connections to this network were getting closed after about 8 seconds of being connected.
After I unselected IPV4_EXPORT from the outbound route map everything went back to normal.
I'll probably avoid using prefix lists for now.
-
Sounds like you might have created an asymmetric routing situation having nothing to do with BGP (other than distributing routes as instructed).