BGP no-export community

This is gonna be short and hopefully sweet. I'll leave some blanks in here so you can fill in the rest...

R4 (AS3) connects to R1 via EBGP
R1 connects to R2 via IBGP (AS 2)
R2 connects to R5 (AS1) via EBGP

We don't want AS2 to become a transit AS between R4 and R5, so we can use the no-export community to accomplish this. There are several ways to do this, but here is one way using as-path access-lists. AS-path access-lists are awesome because they use regexp.

So on R1 we create an AS-path access list to match any routes originating in R4's AS:

ip as-path access-list 1 permit _3$

Then we create a route-map and apply it to the R2 neighbor going outbound:

route-map noexport permit 10
 match as-path 1
 set community no-export

route-map noexport permit 20

router bgp 2
 neighbor 155.1.23.2 send-community
 neighbor 155.1.23.2 route-map noexport out

Now on R2 we have this:

R2#show ip bgp 204.12.1.0 | inc Community
Community: no-export

R5 does not have the route!

R5#show ip bgp 204.12.1.0
% Network not in table
R5#

You can do the reverse on R2 to accomplish the two-way restriction. Also note that R4 can bypass this by prepending an AS# to its routes, since a path that no longer ends in 3 will not match the as-path access-list! A better way would be to add the no-export community to all routes learned from R4, not just the ones originating in R4's AS. But I just wanted to see the flexibility of route-maps and as-path access lists with communities.
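The bypass and the "better way" described above, modelled as an added example (not part of the original post, and not router code). It translates only the IOS "_" metacharacter into a Python regex; the sample AS paths, the neighbor labels and the function names are constructed for illustration.

```python
import re

# IOS "_" matches start/end of string, a space, comma, brace or parenthesis.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"

def ios_aspath_regex(pattern):
    """Translate an IOS as-path regexp to a Python regex (handles "_" only)."""
    return re.compile(pattern.replace("_", IOS_UNDERSCORE))

# Same expression as "ip as-path access-list 1 permit _3$" in the post.
ORIGIN_IN_AS3 = ios_aspath_regex("_3$")

def tag_by_origin(as_path, learned_from):
    """The post's policy: set no-export only when the path ends in AS 3."""
    return bool(ORIGIN_IN_AS3.search(as_path))

def tag_by_neighbor(as_path, learned_from):
    """The 'better way': set no-export on every route learned from R4."""
    return learned_from == "R4"

# Constructed routes as held on R1: (AS path, neighbor it was learned from).
SAMPLES = [
    ("3", "R4"),       # originated in AS 3
    ("3 3 3", "R4"),   # AS 3 prepending itself: still ends in 3
    ("3 7", "R4"),     # last AS is not 3 (the prepend case from the post)
    ("3 13", "R4"),    # route AS 3 passes on from AS 13; "13" must not match "_3$"
    ("", "local"),     # AS 2's own route, must stay exportable
]

def leaked(policy):
    """Paths learned from R4 that the policy leaves without no-export,
    so R2 would still advertise them to R5."""
    return [path for path, nbr in SAMPLES
            if nbr == "R4" and not policy(path, nbr)]

if __name__ == "__main__":
    for name, policy in (("as-path match", tag_by_origin),
                         ("per-neighbor", tag_by_neighbor)):
        print(f"{name}: untagged routes from R4 -> {leaked(policy)}")
```
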