

lab003 - BGP - Multiple ASs with Multiple Providers


1 – This is the default BGP behavior. Just turn on BGP, configure it correctly and everything is fine. No real worries about this.

2 – Same for this point, this is the default BGP behavior.

3 – For the first part: this is the default BGP behavior (hey, this lab seems too easy!). For the second part: we don’t want AS4 to go to AS2 via AS1 unless the link between AS4 and AS3 is down. We can reach this target using local preference, but we also want to use the community attribute to simplify the policy when adding new customers.

So let’s apply this configuration on RTC:

router bgp 1
network 192.68.11.0
neighbor 172.16.20.2 remote-as 4
neighbor 172.16.20.2 send-community
neighbor 172.16.20.2 route-map setcommunity out
neighbor 192.68.6.1 remote-as 2
no auto-summary

route-map setcommunity permit 10
set community 4:40

Let’s start with the route map setcommunity: we are just going to set a community, nothing more.

The same mirrored configuration should be applied to RTD.

Now let’s configure what RTA should do when routes carrying this community arrive in our AS4.

This is the configuration for RTA:

router bgp 4
network 172.16.220.0 mask 255.255.255.0
neighbor 172.16.1.2 remote-as 3
neighbor 172.16.1.2 route-map CHECK_COMMUNITY in
neighbor 172.16.20.1 remote-as 1
neighbor 172.16.20.1 route-map CHECK_COMMUNITY in
no auto-summary
ip community-list 2 permit 4:40
ip community-list 3 permit 4:60
route-map CHECK_COMMUNITY permit 10
match community 2
set local-preference 40
route-map CHECK_COMMUNITY permit 20
match community 3
set local-preference 60
route-map CHECK_COMMUNITY permit 30
set local-preference 100

With the commands above, RTA checks whether the routes received from its neighbors carry one of the community attributes and sets:

- a local preference of 40 if community is 4:40
- a local preference of 60 if community is 4:60
- a local preference of 100 by default


Then we will proceed setting up the RTF router:

router bgp 3
network 172.16.10.0 mask 255.255.255.0
network 172.16.65.0 mask 255.255.255.192
neighbor 172.16.1.1 remote-as 4
neighbor 172.16.1.1 send-community
neighbor 172.16.1.1 route-map setcommunity out
neighbor 192.68.5.2 remote-as 2
no auto-summary
route-map setcommunity permit 10
set community 4:60

In a nutshell all the routes from RTF are tagged with community 4:60 and they are going to have a preference of 60 in RTA.
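To see the whole policy in one place before looking at RTA’s table, here is a small Python model of what RTA does with the routes it receives. This is an added example, not part of the lab’s configuration or output: the received routes are constructed to resemble the lab (RTC tagging everything 4:40, RTF tagging everything 4:60, plus one hypothetical untagged prefix 10.99.0.0/16 from a made-up AS 65000 to exercise the default sequence), and best-path selection is reduced to the two steps this lab relies on, highest local preference first and then shortest AS path.

```python
from dataclasses import dataclass

# Constructed sample data (not the lab's show output): the routes RTA (AS4) receives
# from its two eBGP neighbours before the inbound CHECK_COMMUNITY route-map runs.
# RTC (AS1, 172.16.20.1) tags everything 4:40, RTF (AS3, 172.16.1.2) tags 4:60.
# The last entry is a hypothetical untagged route used to hit the default sequence.
RECEIVED = [
    # (prefix, next hop, AS path, communities)
    ("172.16.10.0/24", "172.16.20.1", (1, 2, 3), {"4:40"}),
    ("172.16.10.0/24", "172.16.1.2", (3,), {"4:60"}),
    ("192.68.10.0/24", "172.16.20.1", (1, 2), {"4:40"}),
    ("192.68.10.0/24", "172.16.1.2", (3, 2), {"4:60"}),
    ("192.68.11.0/24", "172.16.20.1", (1,), {"4:40"}),
    ("192.68.11.0/24", "172.16.1.2", (3, 2, 1), {"4:60"}),
    ("10.99.0.0/16", "172.16.1.2", (3, 65000), set()),
]

# ip community-list 2 permit 4:40 / ip community-list 3 permit 4:60
COMMUNITY_LISTS = {2: {"4:40"}, 3: {"4:60"}}

# route-map CHECK_COMMUNITY, one dict per sequence; match None = unconditional (seq 30).
CHECK_COMMUNITY = [
    {"match_community": 2, "set_local_pref": 40},
    {"match_community": 3, "set_local_pref": 60},
    {"match_community": None, "set_local_pref": 100},
]

# Same router with no inbound policy: every path keeps the default LOCAL_PREF of 100,
# so AS-path length alone decides. Used to show what the communities change.
NO_POLICY = [{"match_community": None, "set_local_pref": 100}]


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    as_path: tuple
    local_pref: int


def apply_check_community(route_map, communities):
    """Return the local preference set by the first matching sequence.
    A standard community-list entry matches when every community it lists is present
    on the route. A route matching no sequence hits the implicit deny and is dropped."""
    for seq in route_map:
        cl = seq["match_community"]
        if cl is None or COMMUNITY_LISTS[cl] <= communities:
            return seq["set_local_pref"]
    return None


def select_best(paths):
    """The two decision steps this lab leans on: highest LOCAL_PREF wins, then the
    shortest AS path. The neighbour address stands in for the later tie-breakers."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.next_hop))


def build_table(received, route_map=CHECK_COMMUNITY):
    """Return {prefix: best Path} after running the inbound policy on every route."""
    candidates = {}
    for prefix, next_hop, as_path, communities in received:
        local_pref = apply_check_community(route_map, communities)
        if local_pref is None:
            continue
        candidates.setdefault(prefix, []).append(Path(prefix, next_hop, as_path, local_pref))
    return {prefix: select_best(paths) for prefix, paths in candidates.items()}


if __name__ == "__main__":
    for label, rm in (("with CHECK_COMMUNITY", CHECK_COMMUNITY), ("without policy", NO_POLICY)):
        print(label)
        for prefix, best in sorted(build_table(RECEIVED, rm).items()):
            path = " ".join(str(asn) for asn in best.as_path)
            print(f"  {prefix:16} via {best.next_hop:12} LocPrf {best.local_pref:3} path {path}")
```

Running it shows the trade-off the show output below confirms on the 192.68.11.0 line: a local preference of 60 on the long path 3 2 1 beats a preference of 40 on the one-hop path through AS1. This is why step 4 restricts the 4:40 tag to routes that really went through AS2 and adds path filtering on top of local preference.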

Let’s check the result of this configuration:

RTA#sh ip bgp
BGP table version is 11, local router ID is 172.16.2.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  172.16.1.0/24    172.16.1.2               0     60      0 3 i
*>                  0.0.0.0                  0         32768 i
*> 172.16.2.0/24    0.0.0.0                  0         32768 i
*  172.16.10.0/24   172.16.20.1                    40      0 1 2 3 i
*>                  172.16.1.2               0     60      0 3 i
*  172.16.20.0/24   172.16.20.1              0     40      0 1 i
*>                  0.0.0.0                  0         32768 i
*  172.16.65.0/24   172.16.20.1                    40      0 1 2 3 i
*>                  172.16.1.2               0     60      0 3 i
*> 172.16.220.0/24  0.0.0.0                  0         32768 i
*  192.68.5.0       172.16.20.1                    40      0 1 2 i
*>                  172.16.1.2               0     60      0 3 i
*  192.68.6.0       172.16.20.1                    40      0 1 2 i
*>                  172.16.1.2                     60      0 3 2 i
*  192.68.10.0      172.16.20.1                    40      0 1 2 i
*>                  172.16.1.2                     60      0 3 2 i
*> 192.68.11.0      172.16.1.2                     60      0 3 2 1 i
*                   172.16.20.1              0     40      0 1 i


From this show ip bgp I can see:

172.16.10.0 and 172.16.65.0 have two paths, and we don’t want this: AS4 should not be able to reach AS3 via AS1 and AS2. Still, we can see that one path has a preference of 40 and the other of 60.

Same for 192.68.10.0: one route has 60 and the other 40. The best path is through AS3 and we want this.

The next step is to work on path filtering.

4 – AS4 should not be able to reach AS3 via AS1 and AS2.

To reach this target we are going to use ip as-path access lists:

ip as-path access-list 2 permit _2_
ip as-path access-list 10 permit ^$
ip as-path access-list 10 permit ^2$

The first one, number 2, matches all the routes with AS 2 anywhere in the AS path.
The as-path access list 10 matches local routes (empty AS path) and routes whose AS path is exactly 2, i.e. routes originated by AS2.

Then we apply a filter list that enforces these conditions:

router bgp 1
neighbor 172.16.20.2 filter-list 10 out

and then let’s apply the community 4:40 only to the routes matched by ip as-path access-list 2:

route-map setcommunity permit 10
match as-path 2
set community 4:40
route-map setcommunity permit 20

The same configuration, but mirrored, has to be applied on RTD.

After a clear ip bgp * we can see the final result:

RTA#sh ip bgp
BGP table version is 13, local router ID is 172.16.2.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.1.0/24    0.0.0.0                  0         32768 i
*                   172.16.1.2               0     60      0 3 i
*> 172.16.2.0/24    0.0.0.0                  0         32768 i
*> 172.16.10.0/24   172.16.1.2               0     60      0 3 i
*  172.16.20.0/24   172.16.20.1              0    100      0 1 i
*>                  0.0.0.0                  0         32768 i
*> 172.16.65.0/24   172.16.1.2               0     60      0 3 i
*> 172.16.220.0/24  0.0.0.0                  0         32768 i
*  192.68.5.0       172.16.20.1                    40      0 1 2 i
*>                  172.16.1.2               0     60      0 3 i
*  192.68.6.0       172.16.20.1                    40      0 1 2 i
*>                  172.16.1.2                     60      0 3 2 i
*  192.68.10.0      172.16.20.1                    40      0 1 2 i
*>                  172.16.1.2                     60      0 3 2 i
*> 192.68.11.0      172.16.20.1              0    100      0 1 i

So:

172.16.10.0 and 172.16.65.0 are reachable only via RTF with a preference of 60
192.68.10.0 is reachable in two ways, but with the highest preference via AS3
AS4 cannot reach AS3 via the customers’ ASs.

If you are doing this lab and you need some info don’t hesitate to leave a comment.

Net file for GNS3:

lab003 - BGP - Multiple ASs with Multiple Providers

Config files:

RTF RTA RTC RTD


lab 001 - BGP - Multiple_Providers-Default_Primary_and_Backup_FullPartial


As you can see from the title, in this lab AS3 is our AS, AS1 and AS2 are our providers, and there are some other ASs around them.
The targets of this lab are:

1 - having the network 172.16.10.0 and 172.16.65.0 reachable from NY link (path preferred)
2 - having the network 172.16.220.0 reachable from the SF link (path preferred)
3 - having AS3 not a transit network for AS1 and AS2
4 - having the SF link of AS3 accept only AS1's routes and the routes of ASs directly attached to AS1 (the AS3 SF link accepts only AS1 and AS7 routes)

1: having the network 172.16.10.0 and 172.16.65.0 reachable from NY link (path preferred)

RTA:
Create an access list that matches the prefixes we need, 172.16.10.0/24 and 172.16.65.0/24:

access-list 1 permit 172.16.10.0 0.0.0.255
access-list 1 permit 172.16.65.0 0.0.0.255

then create a route-map that matches these prefixes and prepends 3 3 3 3 (one 3 would of course be enough; I used four just to make it more visible in the show commands)

route-map PREPEND_PATH permit 10
match ip address 1
set as-path prepend 3 3 3 3
route-map PREPEND_PATH permit 20

then apply the route-map into the BGP router process

router bgp 3
neighbor 172.16.20.1 route-map PREPEND_PATH out


2: having the network 172.16.220.0 reachable from the SF link (path preferred)

RTF:
Same story here, but with an access list for the 172.16.220.0 prefix:

access-list 1 permit 172.16.220.0 0.0.0.255


3: having AS3 not a transit network for AS1 and AS2

Quite easy to achieve with regular expressions. We just need to create an ip as-path access list and match it from a route-map:

ip as-path access-list 2 permit ^$

Regular expression ^$ allows only local routes.

Then we can match this rule in the previously created route-map:

route-map PREPEND_PATH permit 20
match as-path 2

We have to do the same on RTF.
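Steps 1 to 3 together form the outbound policy of each AS3 border router. The following Python model is an added example, not the lab's own configuration: it applies the standard access list and the PREPEND_PATH route-map (including the no-transit match from step 3) to a constructed BGP table, then decides on AS-path length alone which entry point an upstream router hearing both copies would prefer. The assignment RTA = SF link and RTF = NY link is inferred from which prefixes each router prepends; the prefix 192.68.5.0/24 with path 2 7 is a made-up transit route used to show the implicit deny.

```python
import ipaddress

# Constructed sample (not the lab's show output): what AS3's two border routers hold.
# Local prefixes have an empty AS path; the last entry is a hypothetical route learned
# from a provider, which AS3 must not re-advertise (AS3 is not a transit AS).
AS3_TABLE = [
    ("172.16.10.0/24", ()),
    ("172.16.65.0/24", ()),
    ("172.16.220.0/24", ()),
    ("192.68.5.0/24", (2, 7)),
]

LOCAL_AS = 3
PREPEND = (3, 3, 3, 3)                         # set as-path prepend 3 3 3 3

# access-list 1 on each router as (network, wildcard mask) pairs.
# RTA sits on the SF link and RTF on the NY link (inferred from what each prepends).
ACL_RTA = [("172.16.10.0", "0.0.0.255"), ("172.16.65.0", "0.0.0.255")]
ACL_RTF = [("172.16.220.0", "0.0.0.255")]


def acl_permits(acl, prefix):
    """Standard ACL semantics: a 'permit net wildcard' entry matches when the address
    bits that are 0 in the wildcard mask equal those of the entry's network."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for network, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(network)) & care:
            return True
    return False


def prepend_path_out(acl, table, local_as=LOCAL_AS):
    """Model route-map PREPEND_PATH applied outbound to the provider neighbour.
    seq 10: match ip address 1      -> set as-path prepend 3 3 3 3
    seq 20: match as-path 2 (^$)    -> advertise unchanged (local routes only)
    no match                        -> implicit deny, the route is not sent
    The sending router then prepends its own AS, as eBGP always does.
    Returns {prefix: AS path as seen by the neighbour}."""
    advertised = {}
    for prefix, as_path in table:
        if acl_permits(acl, prefix):
            advertised[prefix] = (local_as,) + PREPEND + as_path
        elif not as_path:                      # ^$ : originated inside AS3
            advertised[prefix] = (local_as,) + as_path
        # anything else (transit routes) falls through to the implicit deny
    return advertised


def provider_preference(via_sf, via_ny):
    """Which entry point an upstream router hearing both copies prefers, deciding on
    AS-path length alone (simplification: all other attributes assumed equal;
    an exact tie is resolved as SF here just to be deterministic)."""
    choice = {}
    for prefix in set(via_sf) | set(via_ny):
        if prefix not in via_ny:
            choice[prefix] = "SF"
        elif prefix not in via_sf:
            choice[prefix] = "NY"
        else:
            choice[prefix] = "NY" if len(via_ny[prefix]) < len(via_sf[prefix]) else "SF"
    return choice


if __name__ == "__main__":
    sf = prepend_path_out(ACL_RTA, AS3_TABLE)
    ny = prepend_path_out(ACL_RTF, AS3_TABLE)
    for prefix, side in sorted(provider_preference(sf, ny).items()):
        print(f"{prefix:16} preferred via {side}: SF path {sf[prefix]} NY path {ny[prefix]}")
    print("not advertised anywhere:", [p for p, _ in AS3_TABLE if p not in sf and p not in ny])
```

The output lists 172.16.10.0/24 and 172.16.65.0/24 as preferred via NY and 172.16.220.0/24 via SF, and the transit route appears in neither advertisement: prepending steers inbound traffic, while the ^$ match in seq 20 is what keeps AS3 from becoming a transit network.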

4: having the SF link of AS3 accept only AS1's routes and the routes of ASs directly attached to AS1 (the AS3 SF link accepts only AS1 and AS7 routes)

We can reach this target using another regular expression:

ip as-path access-list 1 permit ^1 ?[0-9]*$

and then

route-map ACCEPT_LOCAL permit 10
match as-path 1

and then

router bgp 3
neighbor 172.16.20.1 route-map ACCEPT_LOCAL in

Regular expression ^1 ?[0-9]*$ means:

^1 --> the AS path starts with AS number 1
? --> matches zero or one occurrence of the preceding pattern (here the space)
[0-9] --> designates a range of single characters (any digit)
* --> matches zero or more occurrences of the preceding pattern
$ --> matches the end of the input string

You can easily verify what a regexp matches with the command show ip bgp regexp ^1 ?[0-9]*$

Note that the '?' has to be entered by pressing CTRL-V before the question mark, otherwise the CLI treats it as the help key.
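This step and step 4 of lab003 above (filter-list 10 and the _2_ match on RTC) both stand or fall on how IOS AS-path regexes match, so here is one added Python example that covers both; it is not part of either lab. It translates an IOS regex into Python's re (the one difference that matters is the _ boundary), evaluates an ip as-path access-list with its implicit deny, and reproduces RTC's outbound behaviour from lab003 on a constructed table. The stricter STRICT_FROM_AS1 list at the end is my own suggestion, not something the lab uses.

```python
import re

# IOS AS-path regexes treat '_' as a boundary: start or end of the path, a space, a comma
# or a brace. Python's re has no such atom, so expand it. Everything else used on this
# page (^ $ ? * [0-9] ( ) +) means the same in both. Assumes '_' never appears inside [...].
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def to_python_regex(cisco_regex):
    return cisco_regex.replace("_", UNDERSCORE)


def as_path_matches(cisco_regex, as_path):
    """Test an AS path (tuple of ints) against an IOS-style regex. IOS matches against
    the path rendered as space-separated AS numbers, which is what is built here."""
    rendered = " ".join(str(asn) for asn in as_path)
    return re.search(to_python_regex(cisco_regex), rendered) is not None


def as_path_acl_permits(entries, as_path):
    """ip as-path access-list evaluation: the first matching entry decides, implicit deny."""
    for action, regex in entries:
        if as_path_matches(regex, as_path):
            return action == "permit"
    return False


# lab003 step 4 on RTC (AS1): ip as-path access-list 10 permit ^$ / permit ^2$
FILTER_LIST_10 = [("permit", "^$"), ("permit", "^2$")]
# lab003 step 4 on RTC: ip as-path access-list 2 permit _2_ (selects what gets 4:40)
AS_PATH_ACL_2 = [("permit", "_2_")]
# lab001 step 3: ip as-path access-list 2 permit ^$ (no transit)
LOCAL_ONLY = [("permit", "^$")]
# lab001 step 4: ip as-path access-list 1 permit ^1 ?[0-9]*$ (AS1 and its direct neighbours)
FROM_AS1 = [("permit", "^1 ?[0-9]*$")]
# Caveat: '^1' has no boundary after the 1, so the lab's regex also accepts a path made of
# the single AS 17 or 10. Harmless in this lab, where every AS number is a single digit.
# My stricter alternative (not from the lab) uses the '_' boundary instead of a literal space:
STRICT_FROM_AS1 = [("permit", "^1(_[0-9]+)?$")]

# Constructed RTC table (not the lab output): RTC's own route, a route from AS2, and
# routes AS2 learned further away through AS3 and AS4.
RTC_TABLE = [
    ("192.68.11.0/24", ()),
    ("192.68.10.0/24", (2,)),
    ("172.16.10.0/24", (2, 3)),
    ("172.16.220.0/24", (2, 3, 4)),
]


def rtc_outbound(table):
    """What RTC sends to RTA (AS4) in lab003 step 4: filter-list 10 drops everything but
    local routes and AS2's own routes; route-map setcommunity seq 10 tags _2_ matches
    with 4:40 and its empty seq 20 passes the rest untagged. Returns {prefix: communities}."""
    out = {}
    for prefix, as_path in table:
        if not as_path_acl_permits(FILTER_LIST_10, as_path):
            continue
        out[prefix] = {"4:40"} if as_path_acl_permits(AS_PATH_ACL_2, as_path) else set()
    return out


if __name__ == "__main__":
    print("RTC advertises to RTA:", rtc_outbound(RTC_TABLE))
    for path in [(), (1,), (1, 7), (1, 7, 9), (2, 1), (17,)]:
        print(path, "FROM_AS1:", as_path_acl_permits(FROM_AS1, path),
              "STRICT:", as_path_acl_permits(STRICT_FROM_AS1, path))
```

Note how 192.68.11.0/24 leaves RTC without any community and 192.68.10.0/24 leaves it tagged 4:40, which is exactly why the final show ip bgp of lab003 shows 192.68.11.0 with LocPrf 100 and the AS2 routes with LocPrf 40.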

I will omit the show command results; the targets are well described. If you are doing this lab and you need info don't hesitate to leave a comment.


net file for GNS3: Multiple_Providers-Default_Primary_and_Backup_FullPartial
Config files:

RTA RTF RTD RTC RTH RTG