Control BGP Advertisements

to eBGP peers with ExaBGP

Jun - 2015 (~5 minutes read time)

We know that ExaBGP can be used to inject BGP routes into an AS that you control. It's a very helpful feature that allows you to automate reachability and traffic flows within your network. But what if you want to you ExaBGP to influence what is advertised, or in this case, not advertised to external peers that are not willing to peer with your ExaBGP service?

Our scenario is this: We have a 100.10.10.0/24 prefix attached to our SW. The CE router learns about this prefix from SW via OSPF, and then advertises the prefix out to the Internet via the PE router. This 100.10.10.0/24 prefix is anycasted so it is also advertised out of a different location. In order to withdraw the prefix from the PE and therefore the Internet we would need to manually filter the prefix outbound via route-map, or stop the advertisement from the SW which would also remove the resource from local resources.

There has to be a better way, right? You're in luck because I'm going to show you how we can use ExaBGP and BGP communities along with some basic functionality on your existing routers to indirectly influence the advertisement of the 100.10.10.0/24 prefix.

Here's how our BGP peer configuration looks on the CE router:

CE# show run
router bgp 65000
 network 100.10.10.0 mask 255.255.255.0
 network 100.10.20.0 mask 255.255.255.0
 neighbor 172.16.2.1 remote-as 100
 neighbor 172.16.2.1 route-map OUTBOUND out
 neighbor 10.0.0.3 remote-as 65000
 neighbor 10.0.0.3 weight 32768
!
ip community-list standard EXABGP permit 6553700
!
route-map OUTBOUND deny 10
 match community EXABGP
!
route-map OUTBOUND permit 20

Here's the important details:

Here's what the network looks like before the ExaBGP announcement :

C##sh ip bgp | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 100.10.20.0/24   0.0.0.0                  0         32768 i
*> 100.10.10.0/24   10.0.0.2                11         32768 i


PE#sh ip bgp | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 100.10.20.0/24   172.16.2.2               0             0 65000 i
*> 100.10.10.0/24   172.16.2.2              11             0 65000 i

And here is what it looks like after:

CE#sh ip bgp | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 100.10.20.0/24   0.0.0.0                  0         32768 i
r>i100.10.10.0/24   172.16.2.2                  65000  32768 i
r                   10.0.0.2                11         32768 i
CE#sh ip bgp nei 172.16.2.2 adv | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 100.10.20.0/24   0.0.0.0                  0         32768 i

Total number of prefixes 1


PE#sh ip bgp | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 100.10.20.0/24   172.16.2.2               0             0 65000 i

CE knows about the 100.10.10.0/24 prefix and uses SW as its next-hop. PE is learning the prefix from CE with next-hop of CE due to the eBGP peering.  Notice that the default weight for locally sourced (network or redistribute commands) prefixes on R1 is 32768. This weight value can range from 0-65535, and on a Cisco device, it is the first value taken into account during the BGP Path Selection algorithm.

When we startup ExaBGP and advertise the prefix 100.10.10.0/24, CE changes the prefix's weight to 65000 and it takes preference over the locally sourced route (network 100.10.10.0 mask 255.255.255.0) and is marked as best. Now when CE calculates which prefixes to advertise out to PE, it selects the 100.10.10.0/24 prefix from ExaBGP, which happens to be marked with the [100:100] community. This prefix is then filtered in the outbound advertisements with the OUTBOUND route-map and Viola! The prefix is no longer advertised to PE and the rest of the Internet from this site. The r code (RIB failure) on the routes in lines 4 and 5 is happening because the R1 can't prefer the BGP route and install it in the RIB since the OSPF learned prefix has a lower AD. 100.10.10.0/24 is still reachable from R1 and AR so it's not a big deal, read more about it from ipspace.net.

Here's the ExaBGP conf.ini and python script that allows for this magic to happen:

from sys import stdout, stdin
from time import sleep

# Print the command to STDIN so ExaBGP can execute
stdout.write('announce route 100.10.10.0/24 next-hop 10.0.0.2 local-preference 65000 community [100:100]\n')
stdout.flush()

#Keep the script running so ExaBGP doesn't stop running and tear down the BGP peering
while True:
    sleep(10)</pre>

<pre class="lang:ini decode:true" title="conf.ini">group test {
    router-id 10.0.0.3;
    local-as 65000;
    local-address 10.0.0.3;

    process add_route {
        run /usr/bin/python /etc/exabgp/add_route.py;
    }

    neighbor 10.0.0.1 {
        peer-as 65000;
    }
}

Note that this python script clearly isn't the only way to get ExaBGP to advertise this route to R1. The focus of this post is more of how to use the ExaBGP announcements to manipulate your traffic flows by managing prefix advertisements. To see more examples of how to control ExaBGP, check out the earlier posts in this series.