
Filter outgoing BGP announcements on AS regex
Closed, Resolved (Public)

Description

On our Foundry devices we were filtering our outgoing BGP announcements not just on a prefix list, but also with an AS regex, to make sure we'd never send out something bad by mistake. On our Juniper routers, we've only used a prefix list so far.

Last week I had a fun issue with a BGP aggregate getting generated by a PyBal LVS service IP. This made the AS path of the aggregate change from AS14907 to AS64600, and this got announced to TiNet in ulsfo (and ulsfo dropped off the net). If we put AS regex filtering in, we can prevent that.

Details

Reference
rt5971

Event Timeline

rtimport raised the priority of this task to Medium. Dec 18 2014, 1:42 AM
rtimport added a project: netops.
rtimport set Reference to rt5971.
faidon renamed this task from "Filter outging BGP announcements on AS regex" to "Filter outgoing BGP announcements on AS regex". Sep 4 2015, 5:17 PM
faidon updated the task description. (Show Details)
faidon changed the visibility from "WMF-NDA (Project)" to "Public (No Login Required)".
faidon changed the edit policy from "WMF-NDA (Project)" to "All Users".
faidon set Security to None.
faidon subscribed.

Slightly different, it is possible to use the configuration statement "remove-private" to achieve a similar goal.
It's not as strict as specifying the allowed AS# but might be a good option. For example:

cr-xxx# show | compare 
[edit protocols bgp group IX4]
+     remove-private;

See: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/remove-private-edit-protocols-bgp.html

Yes, that was my intention as well. The other thing about this that I see on my notes is to set as-path path 14907 either under the aggregate routes, or under defaults, plus potentially adding community no-export to the 10.x aggregates.

All of these need to be thought through and be done carefully though :) Keep our confed/subAS setup, as well as the secondary ASN for esams/knams especially in mind :)
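The pieces discussed above (an export policy gated on an AS-path regex as in the original request, the as-path path and no-export settings for aggregates, and remove-private as the belt-and-braces fallback) put together as one Junos configuration. This is an added example, not a copy of the Wikimedia routers' configuration: the prefix-list and policy names, the group name transit4 and the 203.0.113.0/24 and 198.51.100.0/24 prefixes are placeholders, the two as-path regexes and the assumption that as-path path on an aggregate replaces the AS set inherited from contributing routes are mine, and the confederation/sub-AS and secondary-ASN details that the previous comment warns about are deliberately not modelled, so the regexes would need extending before use on such a setup.

```junos
policy-options {
    /* Placeholder list of the prefixes this site may originate (exact matches). */
    prefix-list our-prefixes {
        203.0.113.0/24;
        198.51.100.0/24;
    }
    /* Assumed regexes: "()" is the null path carried by locally originated
       routes before the local ASN is prepended; "14907+" is one or more
       occurrences of our own ASN and nothing else. A path containing a
       private ASN such as 64600 matches neither. */
    as-path originated "()";
    as-path own-asn-only "14907+";
    policy-statement export-upstream {
        term announce-ours {
            from {
                prefix-list our-prefixes;
                /* logical OR of the two named as-paths */
                as-path [ originated own-asn-only ];
            }
            then accept;
        }
        /* Everything else is rejected, including an aggregate whose path
           was rewritten by a contributing PyBal route. */
        term deny-rest {
            then reject;
        }
    }
}
routing-options {
    aggregate {
        /* Assumed to pin the AS path of every aggregate to our ASN so
           contributing routes cannot change it. */
        defaults {
            as-path path "14907";
        }
        route 203.0.113.0/24;
        /* Internal aggregate: tag it so it is never sent to an eBGP peer. */
        route 10.0.0.0/8 {
            community [ no-export ];
        }
    }
}
protocols {
    bgp {
        group transit4 {
            /* Strips private ASNs from the path on export even if a route
               slips past the policy; not as strict as the regex above. */
            remove-private;
            export export-upstream;
        }
    }
}
```

The regex check is the strict guard: it rejects rather than repairs. remove-private only sanitises the path, so a route with an unexpected private-ASN path would still be announced with that ASN removed; with both in place, the regex term stops the leak and remove-private covers groups that do not yet carry the export policy.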

Mentioned in SAL (#wikimedia-operations) [2017-05-24T11:52:29Z] <XioNoX> progressively adding "remove-private" to ix4/6 and transit4/6 bgp groups on cr2-esams T83037

Pushed to all cr* in AMS. BGP sessions and advertised routes haven't changed. Will roll it out to more sites shortly.

"remove-private" added to all the cr* routers, for the IX/Private/Transit groups.

ayounsi claimed this task.

I believe the previous comment fixes the initial request; other improvements (like community no-export or as-path) will be investigated in larger BGP work, like the AS merge.