gurfin / Route-maps VPNv4 filtering

Created Thu, 07 Mar 2024 11:55:01 +0100 Modified Sat, 04 Jan 2025 12:50:38 +0000

In my series DC@Home I recently ran into the issue of how to filter which VRFs should be allowed to propagate from the provider core out to the customer sites. It turns out it is quite simple and can be done in a manner similar to prefix-lists for regular BGP peering.

For VPNv4 multiplexing, the MP-BGP session uses route-target extended communities to keep the traffic of different VPNs apart. We can use a route-map combined with an extcommunity-list to filter which route-targets are allowed to traverse the peering. If we really want, we can translate the route-target into something called a VPN Distinguisher, which allows us to obscure the route-targets used within the iBGP.

diagram

As you can see in the example diagram above, the 169.254.73.37/32 route is present in the VPN in AS1 (by redistributing connected), but since we have a route-map filtering the export of VPNs towards AS2, the route does not show up in AS2. This can also be done on the ingress of the ASBR in AS1 to completely lock down the VPNv4 import/export.

Here is the relevant configuration for the export filtering on the AS1 ASBR:

! Standard extcommunity-list: first match wins, anything unmatched is implicitly denied
ip extcommunity-list standard AS1_ASBR_EXPORT_VPN_EXT_LIST deny rt 1:101
ip extcommunity-list standard AS1_ASBR_EXPORT_VPN_EXT_LIST permit rt 1:102
!
! Route-map with a single permit clause: only routes whose RTs match the list pass
route-map AS1_ASBR_EXPORT_VPN_RM permit 10
 match extcommunity AS1_ASBR_EXPORT_VPN_EXT_LIST
!
! Apply outbound on the VPNv4 session towards the AS2 ASBR
router bgp 1
 address-family vpnv4
  neighbor 2.2.2.2 route-map AS1_ASBR_EXPORT_VPN_RM out
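To sanity-check what such a filter lets through before pushing it to the ASBR, here is an added Python simulation of the extcommunity-list and route-map above (example code, not from the post). It assumes IOS semantics where the list is evaluated top-down with first match winning and an implicit deny at the end, an entry matches when every RT it lists is carried by the route, and the constructed 169.254.73.37/32 entry carries RT 1:101.

```python
from dataclasses import dataclass


@dataclass
class ExtCommEntry:
    action: str        # "permit" or "deny"
    rts: frozenset     # route-target values such as "1:101"


# The post's extcommunity-list, parsed below into ExtCommEntry objects
CONFIG = """
ip extcommunity-list standard AS1_ASBR_EXPORT_VPN_EXT_LIST deny rt 1:101
ip extcommunity-list standard AS1_ASBR_EXPORT_VPN_EXT_LIST permit rt 1:102
"""


def parse_extcommunity_list(config: str) -> list:
    """Parse 'ip extcommunity-list standard NAME permit|deny rt X:Y [rt ...]' lines."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] != ["ip", "extcommunity-list", "standard"]:
            continue
        action = parts[4]
        rts = frozenset(parts[i + 1] for i, tok in enumerate(parts) if tok == "rt")
        entries.append(ExtCommEntry(action, rts))
    return entries


def extcomm_list_permits(entries: list, route_rts: set) -> bool:
    """First-match evaluation (assumed IOS behaviour): an entry matches when all
    of its RTs are on the route; no matching entry means the implicit deny."""
    for entry in entries:
        if entry.rts <= route_rts:
            return entry.action == "permit"
    return False


def vpnv4_export(routes: dict, entries: list) -> set:
    """Emulate 'route-map ... permit 10 / match extcommunity LIST' applied outbound:
    the one permit clause passes routes the list permits, the rest are dropped."""
    return {prefix for prefix, rts in routes.items() if extcomm_list_permits(entries, rts)}


# Constructed VPNv4 routes as {prefix: set of RTs}; only the first prefix is from the post
ROUTES = {
    "169.254.73.37/32": {"1:101"},        # assumed RT 1:101, so denied towards AS2
    "10.0.2.0/24": {"1:102"},             # constructed: the VPN AS2 is meant to see
    "10.0.3.0/24": {"1:101", "1:102"},    # constructed: carries both, deny entry hits first
    "10.0.4.0/24": {"1:103"},             # constructed: RT not listed, implicit deny
}
```

Running `vpnv4_export(ROUTES, parse_extcommunity_list(CONFIG))` shows that only 10.0.2.0/24 would be advertised to 2.2.2.2, including the case of a route that carries both RTs.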

Quite neat, and another example of route-maps being MEGA BASED!

route maps are based