BGP.guru

BGP.guru

Nerd blog.

12 Feb 2016

Filtering with BGP Communities

Otherwise known as Filtering BGP Advertisements Using BGP Communities For Fun and Profit but that made the layout terrible.

Filtering BGP advertisements using communities is a simple and effective way to control your advertisements. This can prevent common BGP route leaks with AS-PATHs that look like SOMEAS LEAKER-TRANSIT1 LEAKER LEAKER-TRANSIT2 PEER LEAKER-CUSTOMER when filtering transit sessions with prefix-list alone.

Before you can begin filtering using BGP communities, there are a few things you need to know and plan out.

What Are BGP Communities?

A BGP community is a group of destinations that share a common property. That common property is a path attribute that is included in BGP update messages. This information is somewhat like a GMail label, multiple communities can be attached to a particular route. By using these communities you can perform actions on the whole group without having to list each member in a prefix-list for example. You can use community attributes to trigger routing policy decisions, such as whether to accept a route or not, and if you do accept it, what preference you give it, and whether you advertise it upstream or to your peering partners.

BGP communities look like an AS number, ex: 65001 and 2000. BGP Extended communities look like two ASNs separated with a :, ex: 174:70 and 15290:75.

How do you want to label routes, and influence your routing policy?

It may help to look at some examples of BGP communities supported by various providers when creating your own. Many ISPs publish their list of BGP Communities in their IRR AS record.

ex: whois -h whois.radb.net AS174 and whois -h whois.radb.net AS15290 (look in the remarks section, or here and here for archived copies).

These published communities follow this format:

<TheirASN>:<Number>

It would seem to me that the number ranges used in the <Number> portion of the community should be partitioned out in a local way, ex:

Number RangeActions
1 - 9Originated, Customer Originated, Peer, and Transit routes
50 - 200Localpref Modifiers (50 thru 200 in increments of 5 or 10)
300 - 500Limit advertisements to upstreams, peers, and customers
666Blackhole
3000 - 3010Control insertion of own prepends

Example Routing Policy, Communities and Cisco Config

ASN: 65001

Routing Policy

Route SourceLocalpref
Transit60
Peering70
Peering Backup65
Customer Preferred110
Customer Primary100
Customer Backup90
Customer Fallback50

BGP Communities

BGP CommunityActions/Meaning
65001:1Learned via Transit
65001:2Learned via IX/Open Peering
65001:3Learned via Customers
65001:4Learned via Self
65001:100Set Localpref = 100 (Customer Primary Link/Default)
65001:110Set Localpref = 110 (Customer Preferred Link)
65001:90Set Localpref = 90 (Customer Backup Link)
65001:50Set Localpref = 50 (Customer Failback Link)
65001:65Set Localpref = 65 (Peering Backup Link)
65001:300Do not send routes to BGP customers or peers CAREFUL
65001:301Do not send routes to upstreams/transits
65001:302Do not send routes to IX peering
65001:303Do not send routes to Customers CAREFUL
65001:304Only send routes to downstreams/customers
65001:666Blackhole
65001:3001Prepend AS65001 1x
65001:3002Prepend AS65001 2x
65001:3003Prepend AS65001 3x
65001:3004Prepend AS65001 4x

Example Partial Cisco Config w/ Route-Maps

router bgp 65001
  no synchronization
  bgp log-neighbor-changes
  ! neighbor 192.0.2.1 CUSTOMER
  neighbor 192.0.2.1 remote-as 65002
  neighbor 192.0.2.1 next-hop-self
  neighbor 192.0.2.1 send-community
  neighbor 192.0.2.1 prefix-list BGP-65002-in
  neighbor 192.0.2.1 route-map PEER-65002-in in
  !neighbor 192.0.2.1 route-map PEER-65002-out out
  ! neighbor 192.0.2.2 TRANSIT
  neighbor 192.0.2.2 remote-as 65003
  neighbor 192.0.2.2 next-hop-self
  neighbor 192.0.2.2 send-community
  neighbor 192.0.2.2 prefix-list BGP-65003-in
  neighbor 192.0.2.2 route-map PEER-65003-in in
  neighbor 192.0.2.2 route-map PEER-65003-out out
  no auto-summary

ip bgp-community new-format

ip prefix-list BGP-65002-in seq 10 permit 192.0.2.0/24
ip prefix-list ALL seq 10 permit 0.0.0.0/0 le 24

ip community-list 1 permit 65001:1
ip community-list 2 permit 65001:2
ip community-list 3 permit 65001:3
ip community-list 4 permit 65001:4
ip community-list 10 permit 65001:100
ip community-list 11 permit 65001:110
ip community-list 9 permit 65001:90
ip community-list 5 permit 65001:50
ip community-list 6 permit 65001:666
ip community-list 20 permit 65001:300
ip community-list 21 permit 65001:301
ip community-list 22 permit 65001:302
ip community-list 23 permit 65001:303
ip community-list 24 permit 65001:304
ip community-list 30 permit 65001:3000
ip community-list 31 permit 65001:3001
ip community-list 32 permit 65001:3002
ip community-list 23 permit 65001:3003
ip community-list 34 permit 65001:3004

route-map PEER-65002-in permit 10
  match ip address prefix-list BGP-65002-in
  set community 65001:3 additive
  continue

route-map PEER-65002-in permit 100
  match community 10
  set local-preference 100

route-map PEER-65002-in permit 110
  match community 11
  set local-preference 110

route-map PEER-65002-in permit 120
  match community 9
  set local-preference 90

route-map PEER-65002-in permit 130
  match community 5
  set local-preference 50


route-map PEER-65003-in permit 10
  match ip address prefix-list ALL
  set community 65001:1 additive
  continue

route-map PEER-65003-in permit 20
  match community 23
  set local-preference 100


route-map PEER-65003-out deny 10
  match community 1

route-map PEER-65003-out deny 20
  match community 2

route-map PEER-65003-out permit 30
  match community 3
  continue

route-map PEER-65003-out permit 40
  match community 4
  continue

route-map PEER-65003-out permit 110
  match community 21
  set as-path prepend 65001

route-map PEER-65003-out permit 120
  match community 22
  set as-path prepend 65001 65001

route-map PEER-65003-out permit 130
  match community 23
  set as-path prepend 65001 65001 65001

route-map PEER-65003-out permit 140
  match community 24
  set as-path prepend 65001 65001 65001 65001

Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.