What Are BGP Communities in Networking?
Also known as: BGP Communities, BGP community attributes, CCNP ENARSI BGP, Cisco BGP policy, BGP well-known communities
Quick Definition
BGP communities are like labels you can stick on a package to tell every post office along the route how to handle it. Instead of configuring special rules for each individual route, you group routes by attaching a community value, and then apply policies to that group. This makes managing routing policies on large networks much faster and less error-prone.
Must Know for Exams
BGP communities are a high-yield topic in the Cisco CCNP Enterprise (350-401 ENCOR and 300-410 ENARSI) exams. You are expected to understand the function of well-known communities, how to configure community lists, how to apply them in route maps, and how to use the "send-community" command to ensure communities are passed to neighbors.
In the ENARSI exam, community-related questions often appear in the "Layer 3 Technologies" section under BGP path manipulation and policy control. You may be asked to analyze a configuration snippet and determine which routes will be accepted or rejected based on a community list. Another common question type asks you to choose the correct route-map configuration to implement a specific community policy, such as setting NO_EXPORT on specific prefixes.
You should be comfortable with both standard and extended communities. For example, knowing that the well-known community NO_EXPORT is represented as 0xFFFFFF01 or simply as "no-export" is essential. Cisco also expects you to understand that by default, communities are not sent to BGP neighbors unless the "neighbor x.x.x.x send-community" command is configured. This is a classic exam detail.
Exam scenarios often present a multihomed customer scenario where the customer wants to influence an ISP's routing policy using communities. You might be asked to identify why the community tag from the customer is not being applied, and the answer is often that the send-community command was omitted on the ISP side.
Questions may also test your understanding of how communities interact with other attributes like local preference and AS path. For instance, a scenario might show a route map that sets local preference based on a community, but then another route map overwrites it. You need to know the order of operations for BGP policy processing (inbound route map before best-path selection).
Simple Meaning
Imagine you work in a huge office building with many floors. Every day, the mail room receives hundreds of packages addressed to different people. Without any system, each package would need individual instructions.
BGP communities are like colour-coded stickers the mail room puts on packages. A red sticker might mean "this package must be delivered before noon." A blue sticker might mean "this package is for temporary visitors and must be returned after one week." The mail room does not need to write these instructions on every package by hand; they just glance at the sticker and follow the rule for that colour.
Border Gateway Protocol (BGP) is the routing protocol that connects different networks across the internet. Networks exchange routes (paths to destinations) with each other. Without communities, network administrators would have to write individual configuration rules for thousands of routes to control how they are shared. That is like writing a different delivery note for every single package.
Communities let administrators tag routes with numeric codes (the stickers). Those codes tell other routers, "do this with this route" or "don't do that with this route." For example, a router in New York can send a route to a router in London with a community tag meaning "do not advertise this route to customers in Europe." The London router reads the tag and follows the rule automatically.
This system is powerful because it lets different organizations control traffic behaviour across multiple networks using simple tags, rather than complex per-neighbor policies. It is the internet's way of saying, "we have a common language for special handling instructions."
Full Technical Definition
BGP communities are transitive optional path attributes defined in RFC 1997. They are 32-bit numeric values, traditionally represented as two 16-bit parts separated by a colon (for example, 100:300). The first part is usually the autonomous system (AS) number that defines the community, and the second part carries a specific meaning defined by that AS.
Communities are carried inside BGP update messages as attribute type code 8. When a router receives a route with a community attribute, it can match the community value in a route map or a prefix list and apply policies such as setting local preference, manipulating the AS path, or controlling route advertisement.
There are several well-known communities defined in RFC 1997 and later RFCs. NO_EXPORT (0xFFFFFF01) tells a router not to advertise the route outside the local AS confederation boundary. NO_ADVERTISE (0xFFFFFF02) tells a router not to advertise this route to any BGP peer at all. LOCAL_AS (0xFFFFFF03) prevents a route from being advertised to external peers outside the local AS. NO_PEER (0xFFFFFF04) prevents advertisement to peers that are not in the same AS.
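The attribute layout and the well-known values described above, worked through as an added Python example (not code from the original page or from any vendor). It decodes one COMMUNITIES path attribute and applies the advertisement scope of NO_EXPORT, NO_ADVERTISE and LOCAL_AS per peer type. The peer-type labels and the sample bytes are constructed for illustration, and NO_PEER is decoded by name only.

```python
import struct

ATTR_TYPE_COMMUNITIES = 8  # attribute type code for standard communities
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x80, 0x40, 0x10

# Well-known values as listed on this page. 0xFFFFFF03 is named
# NO_EXPORT_SUBCONFED in RFC 1997; Cisco IOS calls it local-AS.
WELL_KNOWN = {
    0xFFFFFF01: "NO_EXPORT",
    0xFFFFFF02: "NO_ADVERTISE",
    0xFFFFFF03: "LOCAL_AS",
    0xFFFFFF04: "NO_PEER",
}


def parse_communities_attr(data: bytes) -> list:
    """Parse a single path attribute (flags, type, length, value)."""
    if len(data) < 3:
        raise ValueError("truncated attribute header")
    flags, type_code = data[0], data[1]
    if type_code != ATTR_TYPE_COMMUNITIES:
        raise ValueError(f"not a COMMUNITIES attribute (type {type_code})")
    if not (flags & FLAG_OPTIONAL and flags & FLAG_TRANSITIVE):
        raise ValueError("COMMUNITIES must be optional transitive")
    if flags & FLAG_EXT_LEN:  # two-byte length field
        if len(data) < 4:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack("!H", data[2:4])
        offset = 4
    else:
        length, offset = data[2], 3
    value = data[offset:]
    if len(value) != length or length % 4 != 0:
        raise ValueError("length is not a whole number of 4-byte communities")
    return [v for (v,) in struct.iter_unpack("!I", value)]


def format_community(value: int) -> str:
    """Render as a well-known name or as the two 16-bit halves ASN:value."""
    return WELL_KNOWN.get(value, f"{value >> 16}:{value & 0xFFFF}")


def may_advertise(communities, peer_type: str) -> bool:
    """peer_type is 'ibgp', 'confed-ebgp' (other member AS) or 'ebgp'."""
    if peer_type not in ("ibgp", "confed-ebgp", "ebgp"):
        raise ValueError(f"unknown peer type {peer_type!r}")
    tags = set(communities)
    if 0xFFFFFF02 in tags:  # NO_ADVERTISE: no peer at all
        return False
    if 0xFFFFFF03 in tags and peer_type != "ibgp":  # LOCAL_AS
        return False
    if 0xFFFFFF01 in tags and peer_type == "ebgp":  # NO_EXPORT
        return False
    return True


# Constructed sample: flags 0xC0, type 8, length 8, then 100:300 and NO_EXPORT.
SAMPLE_ATTR = bytes.fromhex("c00808" "0064012c" "ffffff01")

if __name__ == "__main__":
    tags = parse_communities_attr(SAMPLE_ATTR)
    print([format_community(t) for t in tags])
    for peer in ("ibgp", "confed-ebgp", "ebgp"):
        print(peer, may_advertise(tags, peer))
```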
Modern network implementations support extended communities (8 bytes, defined in RFC 4360) and large communities (12 bytes, defined in RFC 8092). Extended communities are used in MPLS VPN and VXLAN environments to carry additional information such as route targets. Large communities use a 4-byte AS number and are backward compatible.
In Cisco IOS and IOS-XE, communities can be configured using the "ip community-list" command to define a list of communities to match. Route maps then reference these community lists to apply policies. The "set community" command allows injection or modification of communities on outbound or inbound updates. Network operators commonly assign community values to control route preference, influence traffic engineering, or implement blackhole routes for DDoS mitigation.
Private communities are also widely used. For example, a service provider may define community 65535:100 to mean "prefer this route as a primary path" and 65535:200 to mean "treat this route as a backup path." These communities are only meaningful within the provider's network, but they allow customers to influence routing behaviour by tagging routes before sending them to the provider.
Real-Life Example
Think of BGP communities like access badges in a large office building. Every employee receives a badge with a colour code that grants them different levels of access. A gold badge might let you enter the CEO's floor, the server room, and the cafeteria. A silver badge might only let you enter the general office area and the break room. A red badge might mark you as a temporary contractor, allowing entry only to the ground floor lobby and a specific meeting room.
The badge system works because everyone agrees on what each colour means. The security guards at each door do not need to ask for your name and look up your permission in a database every time. They simply scan the colour and apply the rule.
Now map this to BGP. The routes (the employees) arrive with a community tag (the badge colour). A route tagged with community 100:50 (gold badge) might be granted local preference 150, meaning it is preferred over other routes. A route tagged with community 100:60 (silver badge) might be given local preference 80, making it less preferred. A route tagged with NO_EXPORT (red badge) is told "do not leave this building" — the router will keep that route private to the local AS.
This analogy works well because in both cases the tag replaces the need for individual instructions. Without the badge system, security would have to check every person against a list. Without communities, routers would need specific policies for each route prefix, which is unmanageable in large networks.
Why This Term Matters
BGP communities are critical in real networks because they provide a scalable way to implement routing policies across thousands of routes. In a service provider environment, a single router may receive millions of routes from hundreds of peers. Applying individual policy to each route is impossible. Communities allow the provider to offer their customers simple tags that the customer can attach to their routes, and the provider's infrastructure automatically applies the correct treatment.
For example, a customer who wants to influence how traffic enters their network can tag their routes with a community like 12345:10 to request a higher local preference from the provider. The provider configures a single route map that matches community 12345:10 and sets local preference to 200. This works for every customer and every route that carries that tag, without adding per-customer configuration.
Communities are also essential for traffic engineering, DDoS mitigation, and multihoming. A network operator can define a community that causes matching routes to be advertised with a next hop of a null interface, effectively blackholing traffic toward a victim IP during an attack. This can be triggered in seconds by just tagging the route, without reconfiguring large router ACLs.
In enterprise networks with MPLS VPNs, extended communities carry route target values that control which VRFs import and export routes. Without communities, implementing Layer 3 VPNs would require complex and fragile redistribution filters. Communities make the whole system modular and transparent.
Finally, communities allow different organizations to cooperate without sharing full configurations. Two ISPs can agree on a set of community values that each will honour, enabling inter-AS traffic engineering without exposing internal policies. This fosters a collaborative internet ecosystem.
How It Appears in Exam Questions
You will see BGP community questions in multiple forms on the CCNP and CCIE exams.
Scenario-based questions often describe a company that is dual-homed to two ISPs. The company wants traffic from a specific ISP to prefer a specific prefix for incoming traffic. The question provides a configuration snippet and asks what community value should be sent to that ISP. You must identify the correct community from the ISP's documented policy.
Configuration-based questions might give a partial route map and ask you to complete it. For example, "Given the route map RM_SET_COMMUNITY, configure it to set the community to NO_ADVERTISE for all routes from prefix 192.168.0.0/24." You would need to write or select the correct sequence: "set community no-advertise" and ensure the route map is applied to the right neighbor.
Troubleshooting questions are very common. A network administrator configures communities on a router, but the neighbor still does not see the community values. The question asks you to identify the missing configuration. The answer is likely the absence of "neighbor x.x.x.x send-community" or the use of "send-community standard" when extended communities are needed.
Multiprotocol BGP questions may involve extended communities in MPLS VPN contexts. You might be asked about route target communities and how they control VRF import and export. For example, "Given RT 100:200 configured on two VRFs, which routes will end up in which VRF?"
Comparison questions ask you to differentiate between standard, extended, and large communities. They may test your knowledge of the format (16-bit vs 32-bit vs 4-byte ASN) and the RFC numbers.
Finally, you might see questions about private communities and well-known communities. Be ready to recall that NO_EXPORT prevents a route from being advertised outside the confederation, while NO_ADVERTISE prevents it from being advertised to any BGP peer at all. These definitions are frequently tested.
Example Scenario
A medium-sized company, GlobalBooks, has two internet connections from two different ISPs. GlobalBooks wants incoming traffic for its web servers to prefer the link from ISP-A unless that link is down. GlobalBooks also wants to keep certain internal server addresses from being advertised to ISP-B at all.
GlobalBooks configures BGP on their router and advertises their public IP block to both ISPs. To make ISP-A prefer the route to GlobalBooks over ISP-B, GlobalBooks tags the route sent to ISP-A with the community 64500:10, which ISP-A has defined as "set local preference 200." To prevent ISP-B from ever advertising the internal server prefixes, GlobalBooks tags those prefixes with community NO_ADVERTISE (0xFFFFFF02).
How BGP communities apply: GlobalBooks uses a route map that matches the internal server prefixes and applies the community NO_ADVERTISE. That same route map is applied outbound to the BGP session with ISP-B. When the ISP-B router receives the update, it sees the community value, and because of a standard ISP policy that treats NO_ADVERTISE as an instruction to not forward the route, ISP-B keeps the route in its BGP table but does not advertise it to any other peer.
For the preferred link, GlobalBooks applies a different route map to the ISP-A session. This route map sets the community 64500:10 on the web server prefixes. When ISP-A receives those routes, its configured policy matches community 64500:10 and raises the local preference to 200, making those paths the most preferred for incoming traffic from ISP-A's network. The result is that global internet traffic coming from ISP-A's direction sees the GlobalBooks route as better, so traffic enters through ISP-A.
Common Mistakes
Forgetting to configure "send-community" on the BGP neighbor command.
By default, Cisco routers do not include the community attribute in outgoing BGP updates. If you set a community on a route but do not enable the send-community command, the router strips the community before sending it. The neighbor never sees the tag, so the policy never works.
Always add "neighbor [ip-address] send-community" under the BGP configuration for every neighbor that needs to receive or send community values.
Confusing NO_EXPORT with NO_ADVERTISE.
NO_EXPORT prevents a route from being advertised outside the local AS or confederation, but it is still advertised to other routers within the same AS. NO_ADVERTISE prevents the route from being advertised to any BGP peer at all, even within the same AS. Using the wrong one can break internal routing or leak routes.
Remember: NO_EXPORT = keep within the AS. NO_ADVERTISE = keep completely private. Use NO_ADVERTISE for routes that should not be shared with any neighbor, and NO_EXPORT for routes that should stay inside the AS but can be shared among internal peers.
Applying the community route map in the wrong direction (inbound vs outbound).
Route maps applied inbound affect routes coming from the neighbor before they enter your BGP table. Route maps applied outbound affect routes you send to the neighbor. If you want to tag routes before sending them to a neighbor, you must apply the route map outbound. If you apply it inbound, you will attempt to tag routes you receive, which is not the same effect.
Determine whether you want to tag routes you are sending (outbound) or tag routes you are receiving (inbound). For influencing a provider's policy, apply outbound on your side so the provider sees the community.
Assuming that all ISPs honour the same community values.
Community values are entirely locally significant unless they are well-known communities. A private community like 65000:100 means nothing to another ISP unless they specifically have a policy to interpret it. Each ISP publishes its own community policy, and using the wrong value may have no effect or cause unexpected behaviour.
Always verify the ISP's documented BGP community policy before configuring private communities. Use only the communities the ISP explicitly supports. For standard behaviour like NO_EXPORT, remember that it is universally recognised.
Exam Trap — Don't Get Fooled
An exam question shows a configuration where a route map sets community NO_EXPORT on a route, but the router continues to advertise the route to an iBGP peer. The question asks if this configuration is correct. Many learners think NO_EXPORT prevents all advertisement, including iBGP, and answer that it is not working.
Memorise the exact operation of each well-known community. NO_EXPORT: do not export to eBGP peers (outside AS). NO_ADVERTISE: do not advertise to any BGP peer. For exam questions, always check if the neighbor is iBGP or eBGP. If it is iBGP, NO_EXPORT does not block it. A good trick: think of NO_EXPORT as "no external export."
Commonly Confused With
Local preference is an attribute that influences the best path selection for outbound traffic from your AS. It is a single numeric value that applies to all routes received from a neighbor. Communities, on the other hand, are tags that can trigger policies including local preference changes. You can set local preference directly with a route map, or you can use a community to indirectly cause a local preference change on the receiving router.
If you want all routes from ISP-A to be preferred, you set local preference to 200 directly on the inbound route map. If you want the ISP to choose the preferred path for return traffic, you send them a community, and the ISP uses that community to set local preference on their side.
AS path prepending artificially lengthens the AS path attribute to make a route appear less desirable. Communities can also influence path selection, but in a more flexible way. AS path prepending always makes a route less preferred, while communities can be used to increase or decrease preference depending on the ISP's policy. Additionally, communities do not modify the AS path; they are separate attributes.
To make a backup link less attractive, you can prepend your AS number three times to the routes sent over that link. Alternatively, you can tag those routes with a community that tells the ISP to set local preference to a low value. The community approach is cleaner because it does not pollute the AS path.
A route reflector is a router that reflects iBGP routes to other iBGP peers to reduce full mesh requirements. It is a topology and propagation mechanism. Communities are attributes that carry policy instructions. They are unrelated functions, though route reflectors do preserve community attributes when reflecting routes. The confusion arises because both are used to manage large BGP deployments.
You use a route reflector to avoid peering every router in your AS with every other router. You use communities to apply consistent tagging across routes that the route reflector then propagates with the tags intact.
Step-by-Step Breakdown
Router Learns Prefix
A BGP router receives a route from a neighbor via an update message. The route includes the network prefix, the AS path, next hop, and optionally a community attribute. If no community is present, the router may keep the route without a tag or it may apply a default community based on inbound policy.
Route Map Matches Community
If an inbound route map is configured, the router checks whether the received route's community attribute matches any entry in a community list. The community list can specify exact match, subset match, or regular expression match. If there is a match, the route map sequence executes the configured set actions.
Policy Action Applied
Based on the route map match, the router can set or modify attributes such as local preference, metric, weight, or AS path. It can also change the next hop or set a new community value. This step is where the community tag triggers a measurable change in routing behaviour. The action can be to accept, deny, or modify the route.
Best Path Selection
After all inbound policies are applied to all routes from all neighbors, the BGP decision process selects the best path for each prefix. Attributes modified by community-based policies (like local preference) directly influence this selection. The best path is then installed in the routing table if it is the best among all protocols.
Outbound Community Tagging
Before sending routes to a BGP neighbor, the router checks if an outbound route map is applied. If the route matches a condition in that route map, the router can set a community value on the route. This step is how a customer tags routes to influence an upstream ISP. The route is then sent with the community attribute attached.
Send Community to Neighbor
For the community attribute to be included in the BGP update message, the router must have the "neighbor send-community" command configured for that neighbor. Without this command, the community is stripped before transmission. This step must be performed on the sending router, not the receiving router.
Receiving Router Processes Community
The neighbor receives the BGP update and sees the community attribute. If the neighbor has inbound route maps that match this community, it applies the associated policy. This is how the tag from the customer influences the provider's BGP table and ultimately affects internet routing.
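The tagging, send-community and inbound-matching steps above, traced end to end in an added Python example. It is a simplified model, not Cisco code and not from the original page. The `Route` and `Clause` classes, the route-map names and the prefix 203.0.113.0/24 are hypothetical; 64500:10 and local preference 200 follow the GlobalBooks scenario. The model also covers the route map's implicit deny, which drops an untagged route when no catch-all permit clause follows the community match.

```python
from dataclasses import dataclass, replace
from typing import Optional

DEFAULT_LOCAL_PREF = 100  # Cisco IOS default when no policy sets it


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset = frozenset()
    local_pref: int = DEFAULT_LOCAL_PREF


@dataclass(frozen=True)
class Clause:
    """One route-map sequence: permit/deny, optional match, optional sets."""
    permit: bool
    match_community: Optional[str] = None  # None matches every route
    set_community: Optional[str] = None    # replaces existing communities
    set_local_pref: Optional[int] = None


def apply_route_map(route, clauses):
    """First matching clause wins; no match at all is an implicit deny."""
    for c in clauses:
        if c.match_community is not None and c.match_community not in route.communities:
            continue
        if not c.permit:
            return None
        if c.set_community is not None:
            route = replace(route, communities=frozenset({c.set_community}))
        if c.set_local_pref is not None:
            route = replace(route, local_pref=c.set_local_pref)
        return route
    return None


def send_update(route, outbound_map, send_community):
    """Sender: outbound route map, then strip tags unless send-community is on."""
    out = apply_route_map(route, outbound_map)
    if out is None:
        return None
    if not send_community:
        out = replace(out, communities=frozenset())
    # LOCAL_PREF is not carried across eBGP; the receiver starts at its default.
    return replace(out, local_pref=DEFAULT_LOCAL_PREF)


def receive_update(route, inbound_map):
    """Receiver: inbound route map runs before best-path selection."""
    return None if route is None else apply_route_map(route, inbound_map)


# Constructed policies for the GlobalBooks / ISP-A scenario.
WEB = Route("203.0.113.0/24")
CUSTOMER_OUT = [Clause(permit=True, set_community="64500:10")]
ISP_IN_STRICT = [Clause(permit=True, match_community="64500:10", set_local_pref=200)]
ISP_IN = ISP_IN_STRICT + [Clause(permit=True)]  # catch-all permit as last sequence


def scenario(send_community, inbound_map):
    return receive_update(send_update(WEB, CUSTOMER_OUT, send_community), inbound_map)


if __name__ == "__main__":
    print("send-community on :", scenario(True, ISP_IN))
    print("send-community off:", scenario(False, ISP_IN))
    print("off, no catch-all :", scenario(False, ISP_IN_STRICT))
```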
Practical Mini-Lesson
BGP communities are one of the most powerful tools for routing policy control because they separate the definition of policy from its application. As a network engineer, you define once how certain community values are treated, and then anyone in the network can simply tag routes with that value to invoke the policy.
To configure communities in Cisco IOS, you start by defining a community list. For example, "ip community-list standard CUST_RED permit 65000:100" creates a list that matches community 65000:100. You can also use expanded lists for regex matching. Then, you create a route map that uses this community list as a match criterion. For instance, the route map "route-map SET_PREF permit 10" with the two lines "match community CUST_RED" and "set local-preference 200" beneath it checks if a route has the community 65000:100, and if so, sets its local preference to 200.
To apply this on inbound traffic, you reference the route map under the BGP neighbor: "neighbor 10.0.0.1 route-map SET_PREF in". To apply it outbound, you change "in" to "out".
What can go wrong? The most common issue is forgetting to send communities. If you set a community on a route but the "send-community" command is missing, the router silently drops the attribute. Always verify with "show ip bgp neighbors x.x.x.x" to see if community exchange is enabled.
Another practical concern is community propagation through iBGP. By default, iBGP peers preserve community attributes, and a route that passes through a route reflector keeps its communities unless they are explicitly stripped. This means a community that was added at an edge router may propagate through the entire internal network, which may or may not be intended. You can use route maps to strip communities on specific sessions if needed.
In production, you often use communities in conjunction with prefix lists. For example, you might have a policy that only allows routes with a certain community to be accepted from a customer, thus enforcing routing contract terms. This is a common security and traffic engineering technique.
Large communities, defined in RFC 8092, solve the problem of AS number exhaustion in standard 32-bit communities. They use a format like "ASN:sub1:sub2", allowing for a 4-byte ASN. If your network uses 4-byte AS numbers, you must use large communities or extended communities to avoid overlap. Cisco IOS XR and modern IOS XE support large communities natively.
Finally, remember that communities are optional. Not every network uses them, and not every BGP speaker honours foreign communities. On the internet, only communities that are part of bilateral or multilateral peering agreements have meaning. Always document which communities your organisation supports and communicate them to your peers.
Memory Tip
Think of communities as "post-it notes for routes." The note travels with the route, telling the router what to do. To remember the well-known communities, use NO PEA: NO_EXPORT stays within the AS, NO_ADVERTISE stays with you, NO_PEER stays local peer only. And to remember the send-community command, think "if you want the note to be seen, you must send it."
Frequently Asked Questions
What is the difference between a standard community and an extended community?
A standard community is a 32-bit value, typically written as ASN:value (e.g., 65000:100). An extended community is 64 bits wide and is used in MPLS VPN and VXLAN networks to carry route targets and other information. Extended communities have a type and sub-type field that define their meaning.
How do I configure a router to send communities to an eBGP neighbor?
You must use the "neighbor [ip-address] send-community" command under the BGP configuration. By default, communities are not sent. For extended communities, use "send-community extended", and for large communities, use "send-community large". You can also use "send-community both" to send standard and extended together.
Can I use communities to filter routes from a specific customer?
Yes. You can configure an inbound route map on your peering router that matches a specific community and then denies or permits the route. For example, if all routes from customer ABC come with community 65001:100, you can create a route map that denies routes matching that community, effectively blocking them.
What happens if a router receives a community it does not recognise?
By default, the router ignores unknown communities and continues processing the route. Communities are an optional transitive attribute, so they are still passed to other BGP peers unless a policy explicitly strips them. Unknown communities do not cause errors, but they do not trigger any policy actions.
Do I need to configure send-community on both sides?
Only the router that is sending the community attribute needs the send-community command. The receiving router does not need any special configuration to receive and process communities, although it will need route maps to act on them. If both routers want to exchange communities bidirectionally, both must have send-community configured.
What is a large community and when should I use it?
A large community is a 12-byte value defined in RFC 8092, formatted as ASN:sub1:sub2. It was created to support 4-byte AS numbers without the ambiguity of standard communities. Use large communities when your network uses 4-byte ASNs or when you need more sub-fields for granular policy control.
Summary
BGP communities are a mechanism that allows network administrators to attach tags to BGP routes, enabling scalable and flexible routing policy enforcement. By grouping routes into policy classes using numeric tags, communities eliminate the need for per-route configuration, which is unmanageable in large networks. The concept is simple: you assign a community value to a route, and any router along the path that understands that value applies the corresponding policy.
This can control route advertisement, modify path preference, or even trigger special actions like blackholing. In the real world, communities are the backbone of inter-ISP traffic engineering and DDoS mitigation strategies. For your CCNP and ENARSI exams, you must be comfortable with the well-known communities, the send-community requirement, route map application direction, and the differences between standard, extended, and large communities.
The most common exam traps revolve around the scope of NO_EXPORT versus NO_ADVERTISE and the necessity of the send-community command. Master these details, and you will handle community questions with confidence.