Friday, October 11, 2013

BGP - Manipulating BGP communities

I like my desk to be organized. Do you? I suppose we can "desk" that conversation for another time :) Anyway, if you like being organized, BGP communities (32-bit values) are a great way to tag and organize your routes and make intelligent routing decisions. In this blogtorial I will briefly show you how to set communities, delete communities (a specific one or all of them), and append to the existing communities.

Here is the topology we will be using.



Entire config can be downloaded here.

First we will see how we can set communities. On R1 we are going to advertise 1.1.1.0/24 to R2 with a community set. If you need a primer on communities check out my other articles on BGP communities.

 R1#  
 interface FastEthernet1/0  
  description connected to r2  
  ip address 192.168.1.1 255.255.255.252  
  duplex auto  
  speed auto  
 end  
 !  
 interface Loopback0  
  description loopback 0  
  ip address 1.1.1.1 255.255.255.0  
 end  
 !  
 route-map add-community permit 10  
  set community 77881 66325 
 !  
 router bgp 1  
  no synchronization  
  bgp log-neighbor-changes  
  network 1.1.1.0 mask 255.255.255.0 route-map add-community  
  neighbor 192.168.1.2 remote-as 2  
  neighbor 192.168.1.2 send-community both  
  no auto-summary  

Please note that without "send-community", the communities will not be sent to the peer. "both" is used because there are two types of communities you can send: standard and extended. It is a long discussion, but for the most part standard communities should be fine unless you are doing VRFs/MPLS or some network kung fu.

 R2#
 interface FastEthernet1/0  
  description connected to r1  
  ip address 192.168.1.2 255.255.255.0  
  duplex auto  
  speed auto  
 end  
 !
 router bgp 2  
  bgp log-neighbor-changes  
  neighbor 192.168.1.1 remote-as 1  
  !  
  address-family ipv4  
  neighbor 192.168.1.1 activate  
  no auto-summary  
  no synchronization  
  exit-address-family  
 !!
R2#sh ip bgp 1.1.1.0
BGP routing table entry for 1.1.1.0/24, version 4
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  1
    192.168.1.1 from 192.168.1.1 (1.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 66325 77881 

Notice that on R2 1.1.1.0/24 is tagged with communities. Now let's see how we can delete communities.

Deleting certain communities or clearing communities altogether.

First we will see how we can delete a certain community, in this case say we wanted to delete 66325.

 R2#  
 !  
 ip community-list 1 permit 66325  
 !  
 route-map delete-community permit 10  
  set comm-list 1 delete  
 !
 router bgp 2  
  bgp log-neighbor-changes  
  neighbor 192.168.1.1 remote-as 1  
  !  
  address-family ipv4  
  neighbor 192.168.1.1 activate  
  neighbor 192.168.1.1 route-map delete-community in  
  no auto-summary  
  no synchronization  
  exit-address-family  

  1. Create a community-list to match what we want to delete. 
  2. Create a route-map to match all routes coming in from R1 and delete communities with a set statement. 
  3. Apply the route-map in the inbound direction on the peer. 

Now what if we wanted to clear all communities? Simple: just make community-list 1 permit all.

Use "ip community-list 1 permit" instead of "ip community-list 1 permit 66325".

Please keep in mind that this is a routing policy change so BGP needs to be cleared with a "clear ip bgp <IP|*|ASN> <soft>"

How about if you wanted to append to the existing list of communities?

 R2#  
 !  
 route-map add-communities permit 10  
  set community 12789 additive  
 !  
 router bgp 2  
  bgp log-neighbor-changes  
  neighbor 192.168.1.1 remote-as 1  
  !  
  address-family ipv4  
  neighbor 192.168.1.1 activate  
  neighbor 192.168.1.1 soft-reconfiguration inbound  
  neighbor 192.168.1.1 route-map add-communities in  
  no auto-summary  
  no synchronization  
  exit-address-family  
 !  
 R2#sh ip bgp 1.1.1.0  
 BGP routing table entry for 1.1.1.0/24, version 3  
 Paths: (2 available, best #1, table Default-IP-Routing-Table)  
 Flag: 0x880  
  Not advertised to any peer  
  1  
   192.168.1.1 from 192.168.1.1 (1.1.1.1)  
    Origin IGP, metric 0, localpref 100, valid, external, best  
    Community: 12789 66325 77881  

Notice that the community is now being added to the rest of the communities.

Please keep in mind that this is a routing policy change so BGP needs to be cleared with a "clear ip bgp <IP|*|ASN> <soft>"
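The three operations above (set, delete via a community-list, and append with "additive") can be modelled in a few lines. This is an added example, not part of the original post and not IOS code; the function names are hypothetical, and the community values are the ones used in the configs above. It also decodes each 32-bit value into the AA:NN form that IOS displays when "ip bgp-community new-format" is configured, and shows what happens if "additive" is left off.

```python
# Added example: a model of the three route-map actions, not IOS code.
# A standard community is one 32-bit value; IOS prints it as a plain
# decimal by default, or as AA:NN (high 16 bits : low 16 bits) when
# "ip bgp-community new-format" is configured.

def parse(text):
    """Accept '77881' or '1:12345' and return the 32-bit integer."""
    if ":" in text:
        high, low = (int(part) for part in text.split(":"))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"AA:NN halves must fit in 16 bits: {text}")
        return (high << 16) | low
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"community must fit in 32 bits: {text}")
    return value

def new_format(value):
    """Render a 32-bit community as AA:NN."""
    return f"{value >> 16}:{value & 0xFFFF}"

def set_community(existing, values, additive=False):
    """'set community ...': replaces the list unless 'additive' is given."""
    new = {parse(v) for v in values}
    return sorted(new | set(existing)) if additive else sorted(new)

def comm_list_delete(existing, community_list):
    """'set comm-list N delete': drop every community the list permits."""
    permitted = {parse(v) for v in community_list}
    return [c for c in existing if c not in permitted]

# R1 tags 1.1.1.0/24 (values from the post).
received = set_community([], ["77881", "66325"])
# R2 inbound, variant 1: delete 66325 via community-list 1.
after_delete = comm_list_delete(received, ["66325"])
# R2 inbound, variant 2: append 12789 with 'additive'.
after_additive = set_community(received, ["12789"], additive=True)
# Same route-map without 'additive': R1's tags are overwritten.
after_replace = set_community(received, ["12789"])

if __name__ == "__main__":
    for label, comms in [("received", received), ("delete", after_delete),
                         ("additive", after_additive), ("replace", after_replace)]:
        print(f"{label:9}", comms, [new_format(c) for c in comms])
```

The "replace" case is the one to watch in an inbound policy: a "set community" without "additive" silently drops every tag the peer sent, which is useful when scrubbing untrusted communities and a surprise when it is not intended.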

You can do a lot with communities. For example, you can set a route to have a different next hop based on a certain community, or give it a lower local preference, etc.

I have used BGP communities in various scenarios:
  • In the ISP world to affect customer routes coming into our ISP backbone. 
  • I've also used them as an end customer to blackhole my public subnet when we are under DDoS attacks.
  • I've used them to tag routes as multicast prefixes so they can be used for mBGP. 

Where have you used BGP communities?

Great reference on BGP communities http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-2/bgp_communities.html

Many more articles to come so stay tuned.


2 comments:

  1. Hi fella

    Great Article. How did you use the community to black hole your public subnet?

    Replies
    1. We would send our route with a certain community set and based on that community the ISP would send traffic destined to that network to null.
