BGP No-Advertise Community
Contents
Intro
The BGP NO-ADVERTISE community is a “well-known” community that prevents a route from being advertised to any peers, including both iBGP and eBGP. BGP routers that receive prefixes with this community attached understand not to send it to any iBGP or eBGP peers.
Topology
Initial Configs
conf t
host R1
no ip domain-lookup
line con 0
logg syn
!
interface GigabitEthernet0/2
ip address 10.10.13.1 255.255.255.0
no shut
conf t
host R2
no ip domain-lookup
line con 0
logg syn
!
interface Loopback2
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
ip address 10.10.23.2 255.255.255.0
no shut
conf t
host R3
no ip domain-lookup
line con 0
logg syn
!
interface GigabitEthernet0/0
ip address 10.10.23.3 255.255.255.0
no shut
!
interface GigabitEthernet0/1
ip address 10.10.34.3 255.255.255.0
no shut
!
interface GigabitEthernet0/2
ip address 10.10.13.3 255.255.255.0
no shut
conf t
host R4
no ip domain-lookup
line con 0
logg syn
!
interface GigabitEthernet0/1
ip address 10.10.34.4 255.255.255.0
no shut
Configuration Steps
1. Configure Basic BGP
I’ll start by getting all of the BGP peerings up using their respective AS numbers and R2’s Lo2 prefix advertised into BGP.
R1:
router bgp 1
neighbor 10.10.13.3 remote-as 34
R2:
router bgp 2
neighbor 10.10.23.3 remote-as 34
network 2.2.2.2 mask 255.255.255.255
R3:
router bgp 34
neighbor 10.10.13.1 remote-as 1
neighbor 10.10.23.2 remote-as 2
neighbor 10.10.34.4 remote-as 34
R4:
router bgp 34
neighbor 10.10.34.3 remote-as 34
If you want to verify that BGP neighbors are up and prefixes are being received you can do that using the show ip bgp summary command on all routers.
R1:
R1#show ip bgp summ | begin Neighbor
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.13.3 4 34 11 10 2 0 0 00:07:09 1
R1’s peering with R3 is up and one prefix is being received.
R2:
R2#show ip bgp summ | begin Neighbor
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.23.3 4 34 11 11 2 0 0 00:07:00 0 R2’s peerings with R3 is up.
R3:
R3#show ip bgp summ | begin Neighbor
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.13.1 4 1 10 11 2 0 0 00:07:09 0
10.10.23.2 4 2 11 11 2 0 0 00:06:59 1
10.10.34.4 4 34 9 10 2 0 0 00:05:01 0 R3’s peerings with R1, R2 and R4 are up. You can also see R3 is receiving one prefix from R2.
R4:
R4#show ip bgp summ | begin Neighbor
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.34.3 4 34 10 9 1 0 0 00:05:01 1 R4’s peering with R3 is up as well and one prefix is being received.
Let me make sure that R1, R3 and R4 is receiving the correct prefix. I’ll use show ip bgp for this.
R1#show ip bgp | begin Network
Network Next Hop Metric LocPrf Weight Path
*> 2.2.2.2/32 10.10.13.3 0 34 2 i R3#show ip bgp | begin Network
Network Next Hop Metric LocPrf Weight Path
*> 2.2.2.2/32 10.10.23.2 0 0 2 i
R4#show ip bgp | begin Network
Network Next Hop Metric LocPrf Weight Path
* i 2.2.2.2/32 10.10.23.2 0 100 0 2 i
So far I’ve confirmed that the BGP peerings are up and the correct prefix from R2 is being received throughout the network. Now I’ll make sure that when R2 sends prefixes to R3, the No-Advertise community is attached. When R3 receives this prefix from R2, it will see this community and not advertise that prefix to any BGP peers.
2. Enable the sending of communities.
In Cisco IOS, BGP communities are not sent by default. You need to enable it on a per-neighbor.
R2:
router bgp 2
neighbor 10.10.23.3 send-community
3. Attach the No-Advertise community to R2's prefix.
Now you need to specifiy on R2 which prefixes the community should be attached to. I’ll use a route-map for this.
R2:
route-map R2-NO-ADVERTISE permit 10
set community no-advertise
By not having a match statement that references a prefix-list or ACL I’ll be applying the No-Advertise community on all prefixes. The only thing needed is to “set” the community to No-Advertise.
The route-map is configured but it won’t do anything until I apply it to a neighbor.
R2:
router bgp 2
neighbor 10.10.23.3 route-map R2-NO-ADVERTISE out
The route-map is applied towards the neighbor R3 in the outbound direction. This means the community is applied to all prefixes R2 sends outbound to R3. If I wanted, I could’ve applied this in the inbound direction on R3 instead. Let’s see the details of R2’s BGP table.
R3#sh ip bgp 2.2.2.2
BGP routing table entry for 2.2.2.2/32, version 3
Paths: (1 available, best #1, table default, not advertised to any peer)
Not advertised to any peer
Refresh Epoch 1
2
10.10.23.2 from 10.10.23.2 (2.2.2.2)
Origin IGP, metric 0, localpref 100, valid, external, best
Community: no-advertise
rx pathid: 0, tx pathid: 0x0
In the above output you can see that for the 2.2.2.2/32 prefix on R3, the No-Advertise community is applied. Here’s what it looked like before the route-map was applied.
R3#sh ip bgp 2.2.2.2
BGP routing table entry for 2.2.2.2/32, version 4
Paths: (1 available, best #1, table default)
Advertised to update-groups:
1 2
Refresh Epoch 1
2
10.10.23.2 from 10.10.23.2 (2.2.2.2)
Origin IGP, metric 0, localpref 100, valid, external, best
rx pathid: 0, tx pathid: 0x0
Now I’ll verify that R1 and R4 don’t have these prefixes in their BGP tables.
R1#show ip bgp 2.2.2.2
% Network not in table
R4#show ip bgp 2.2.2.2
% Network not in table
The above output shows that R1 and R4 aren’t recieving the 2.2.2.2/32 prefix anymore. What if you don’t have access to R1 or R4? How would you verify this is working? Let me show you a command you can use on R3.
R3#sh ip bgp neighbors 10.10.13.1 advertised-routes
Total number of prefixes 0
R3#sh ip bgp neighbors 10.10.34.4 advertised-routes
Total number of prefixes 0
The show ip bgp neighbors advertised-routes command shows me what prefixes the router is sending to specific neighbors. This is a great way to verify from the local routers perspecitve what exactly is being sent. In this case nothing thanks to the No-Advertise community which prevents prefixes from being advertised to iBGP or eBGP peers.
Take a look at the BGP UPDATE message in Wireshark. This is what R2 sent to R3 when the No-Advertise community was applied. Notice under the Path Attribute it says Communities: NO_ADVERTISE
EVE-NG Lab File
To download the EVE-NG topology file you'll need to be a member. You can register here, it's free! It will be right here once you log in.
Full Configs
Here are the full configs from all routers if you want to try it out yourself.
conf t
host R1
no ip domain-lookup
line con 0
logg syn
interface GigabitEthernet0/2
ip address 10.10.13.1 255.255.255.0
!
router bgp 1
bgp log-neighbor-changes
neighbor 10.10.13.3 remote-as 34
conf t
host R2
no ip domain-lookup
line con 0
logg syn
interface Loopback2
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
ip address 10.10.23.2 255.255.255.0
!
route-map R2-NO-ADVERTISE permit 10
set community no-advertise
!
router bgp 2
bgp log-neighbor-changes
network 2.2.2.2 mask 255.255.255.255
neighbor 10.10.23.3 remote-as 34
neighbor 10.10.23.3 send-community
neighbor 10.10.23.3 route-map R2-NO-ADVERTISE out
conf t
host R3
no ip domain-lookup
line con 0
logg syn
interface GigabitEthernet0/0
ip address 10.10.23.3 255.255.255.0
!
interface GigabitEthernet0/1
ip address 10.10.34.3 255.255.255.0
!
interface GigabitEthernet0/2
ip address 10.10.13.3 255.255.255.0
!
router bgp 34
bgp log-neighbor-changes
neighbor 10.10.13.1 remote-as 1
neighbor 10.10.23.2 remote-as 2
neighbor 10.10.34.4 remote-as 34
conf t
host R4
no ip domain-lookup
line con 0
logg syn
interface GigabitEthernet0/1
ip address 10.10.34.4 255.255.255.0
!
router bgp 34
bgp log-neighbor-changes
neighbor 10.10.34.3 remote-as 34