Filtering with BGP Communities
Otherwise known as Filtering BGP Advertisements Using BGP Communities For Fun and Profit but that made the layout terrible.
Filtering BGP advertisements using communities is a simple and effective way to control your advertisements. This can prevent common BGP route leaks with AS-PATHs that look like
LEAKER-CUSTOMER when filtering transit sessions with prefix-list alone.
Before you can begin filtering using BGP communities, there are a few things you need to know and plan out.
What Are BGP Communities?
A BGP community is a group of destinations that share a common property. That common property is a path attribute that is included in BGP update messages. This information is somewhat like a GMail label, multiple communities can be attached to a particular route. By using these communities you can perform actions on the whole group without having to list each member in a prefix-list for example. You can use community attributes to trigger routing policy decisions, such as whether to accept a route or not, and if you do accept it, what preference you give it, and whether you advertise it upstream or to your peering partners.
BGP communities look like an AS number, ex:
2000. BGP Extended communities look like two ASNs separated with a :, ex:
How do you want to label routes, and influence your routing policy?
It may help to look at some examples of BGP communities supported by various providers when creating your own. Many ISPs publish their list of BGP Communities in their IRR AS record.
whois -h whois.radb.net AS174 and
whois -h whois.radb.net AS15290 (look in the remarks section, or here and here for archived copies).
These published communities follow this format:
It would seem to me that the number ranges used in the
<Number> portion of the community should be partitioned out in a local way, ex:
|1 - 9||Originated, Customer Originated, Peer, and Transit routes|
|50 - 200||Localpref Modifiers (50 thru 200 in increments of 5 or 10)|
|300 - 500||Limit advertisements to upstreams, peers, and customers|
|3000 - 3010||Control insertion of own prepends|
Example Routing Policy, Communities and Cisco Config
|65001:1||Learned via Transit|
|65001:2||Learned via IX/Open Peering|
|65001:3||Learned via Customers|
|65001:4||Learned via Self|
|65001:100||Set Localpref = 100 (Customer Primary Link/Default)|
|65001:110||Set Localpref = 110 (Customer Preferred Link)|
|65001:90||Set Localpref = 90 (Customer Backup Link)|
|65001:50||Set Localpref = 50 (Customer Failback Link)|
|65001:65||Set Localpref = 65 (Peering Backup Link)|
|65001:300||Do not send routes to BGP customers or peers CAREFUL|
|65001:301||Do not send routes to upstreams/transits|
|65001:302||Do not send routes to IX peering|
|65001:303||Do not send routes to Customers CAREFUL|
|65001:304||Only send routes to downstreams/customers|
|65001:3001||Prepend AS65001 1x|
|65001:3002||Prepend AS65001 2x|
|65001:3003||Prepend AS65001 3x|
|65001:3004||Prepend AS65001 4x|
Example Partial Cisco Config w/ Route-Maps
router bgp 65001 no synchronization bgp log-neighbor-changes ! neighbor 192.0.2.1 CUSTOMER neighbor 192.0.2.1 remote-as 65002 neighbor 192.0.2.1 next-hop-self neighbor 192.0.2.1 send-community neighbor 192.0.2.1 prefix-list BGP-65002-in neighbor 192.0.2.1 route-map PEER-65002-in in !neighbor 192.0.2.1 route-map PEER-65002-out out ! neighbor 192.0.2.2 TRANSIT neighbor 192.0.2.2 remote-as 65003 neighbor 192.0.2.2 next-hop-self neighbor 192.0.2.2 send-community neighbor 192.0.2.2 prefix-list BGP-65003-in neighbor 192.0.2.2 route-map PEER-65003-in in neighbor 192.0.2.2 route-map PEER-65003-out out no auto-summary ip bgp-community new-format ip prefix-list BGP-65002-in seq 10 permit 192.0.2.0/24 ip prefix-list ALL seq 10 permit 0.0.0.0/0 le 24 ip community-list 1 permit 65001:1 ip community-list 2 permit 65001:2 ip community-list 3 permit 65001:3 ip community-list 4 permit 65001:4 ip community-list 10 permit 65001:100 ip community-list 11 permit 65001:110 ip community-list 9 permit 65001:90 ip community-list 5 permit 65001:50 ip community-list 6 permit 65001:666 ip community-list 20 permit 65001:300 ip community-list 21 permit 65001:301 ip community-list 22 permit 65001:302 ip community-list 23 permit 65001:303 ip community-list 24 permit 65001:304 ip community-list 30 permit 65001:3000 ip community-list 31 permit 65001:3001 ip community-list 32 permit 65001:3002 ip community-list 23 permit 65001:3003 ip community-list 34 permit 65001:3004 route-map PEER-65002-in permit 10 match ip address prefix-list BGP-65002-in set community 65001:3 additive continue route-map PEER-65002-in permit 100 match community 10 set local-preference 100 route-map PEER-65002-in permit 110 match community 11 set local-preference 110 route-map PEER-65002-in permit 120 match community 9 set local-preference 90 route-map PEER-65002-in permit 130 match community 5 set local-preference 50 route-map PEER-65003-in permit 10 match ip address prefix-list ALL set community 65001:1 additive continue route-map PEER-65003-in permit 20 match community 23 set local-preference 100 route-map PEER-65003-out deny 10 match community 1 route-map PEER-65003-out deny 20 match community 2 route-map PEER-65003-out permit 30 match community 3 continue route-map PEER-65003-out permit 40 match community 4 continue route-map PEER-65003-out permit 110 match community 21 set as-path prepend 65001 route-map PEER-65003-out permit 120 match community 22 set as-path prepend 65001 65001 route-map PEER-65003-out permit 130 match community 23 set as-path prepend 65001 65001 65001 route-map PEER-65003-out permit 140 match community 24 set as-path prepend 65001 65001 65001 65001