BGP Prefix Filtering

Good day Colleagues,
I want to ask your advice about a policy for BGP prefix filtering. The main idea is to automate the prefix filtering process. I've read a lot of articles about it, but I need to discuss it to be sure about the correct way to implement it in practice.
A few words about our network... Our company is an ISP. We are using C7200, C7600 and AS5350XM for peering, connections to upstreams and connections to customers.
A few main questions:
1. To create the prefix-list or as-path ACL I am using RtConfig or bgpq. Then I use our own script to connect via telnet/ssh to a router. Is this normal practice? Do you use your own scripts (perl, bash, etc.) or a mix of them with programs like Rancid?
2. If I put a few prefix-lists on the AS5350XM, outputting the config will not be a simple task, and I am afraid that keeping so much information in RAM could be a problem. Some prefix-lists can contain more than 10 000 lines, and if we have about 50 peers on the router, then it will be a problem. Or you can imagine the prefix-list for the route-server on DECIX, LINX, etc. What do you think about it?
3. Is it a good idea to use uRPF? What do you recommend?
4. To protect the network from bogons, martians and unallocated IP addresses I am thinking about using a prefix-list of 10 300 lines (question 2) or using the bogon route-server from Team Cymru. It is very hard to trust the route-server... what could happen if it advertised normal prefixes... What do you think about it? Maybe I just can't afford such protection with my resources.
5. Very often some prefixes from peers are filtered by my prefix-list. Should I ask them about the situation (check RIPE, etc.), or just forget about it? What would be better?
P.S. I am talking about prefix-lists because as-path ACLs can't filter as strictly as prefix-lists do.
Thank you in advance for any comments,
Dmitry
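One way to turn IRR data into the strict inbound prefix-list the question describes, with the bogon/martian check from point 4 and a cap on prefix length built in. This is an added example, not code from the thread or from bgpq/RtConfig; the peer data, the list name AS64500-IN and the martian subset are constructed.

```python
"""Build a strict inbound prefix-list for a BGP peer from IRR data.

Added example: this is not code from the thread, nor from bgpq or RtConfig.
It assumes the peer's route objects have already been fetched (bgpq would do
that) and arrive as (prefix, max_length) pairs; the peer data, the list name
AS64500-IN and the martian subset below are constructed. Martians, bogons
and over-specific prefixes are dropped before any IOS line is emitted, so a
bad IRR object cannot widen the filter.
"""
import ipaddress

# Constructed subset of reserved space. A production list must be derived
# from the full IANA special-purpose registry; the RFC 5737 documentation
# ranges are deliberately absent because they stand in for the peer's real
# allocations in the sample data.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/3",
)]

MAX_PREFIX_LEN = 24  # longer IPv4 prefixes are not carried in the global table


def is_martian(net):
    """True if the prefix touches reserved space in either direction, so a
    covering prefix such as 0.0.0.0/0 is caught as well as a subnet."""
    return any(net.overlaps(m) for m in MARTIANS)


def build_prefix_list(name, irr_entries, max_len=MAX_PREFIX_LEN, step=5):
    """Return (lines, rejected): IOS `ip prefix-list` statements for `name`
    and a list of (prefix, reason) for every IRR entry that was dropped."""
    parsed, rejected = [], []
    for prefix, maxlen in irr_entries:
        try:
            parsed.append((ipaddress.ip_network(prefix, strict=True), maxlen, prefix))
        except ValueError as exc:
            rejected.append((prefix, f"unparseable: {exc}"))
    # Shortest prefixes first, so a covered entry always follows its cover.
    parsed.sort(key=lambda p: (p[0].prefixlen, int(p[0].network_address)))

    accepted = []  # (network, effective max length)
    for net, maxlen, text in parsed:
        if net.version != 4:
            rejected.append((text, "not IPv4"))
        elif is_martian(net):
            rejected.append((text, "martian/bogon"))
        elif net.prefixlen > max_len:
            rejected.append((text, f"more specific than /{max_len}"))
        else:
            # Clamp the IRR max-length so "le 32" in a route object cannot
            # open the filter to arbitrarily long prefixes.
            maxlen = min(max(maxlen, net.prefixlen), max_len)
            if any(net.subnet_of(a) and maxlen <= a_max for a, a_max in accepted):
                rejected.append((text, "covered by an earlier entry"))
            else:
                accepted.append((net, maxlen))

    lines, seq = [], step
    for net, maxlen in accepted:
        suffix = f" le {maxlen}" if maxlen > net.prefixlen else ""
        lines.append(f"ip prefix-list {name} seq {seq} permit {net}{suffix}")
        seq += step
    # Make the implicit deny explicit so the intent survives a later edit.
    lines.append(f"ip prefix-list {name} seq {seq} deny 0.0.0.0/0 le 32")
    return lines, rejected


# Constructed sample: what an IRR query for a hypothetical peer might return.
SAMPLE_IRR = [
    ("192.0.2.0/24", 24),
    ("198.51.100.0/22", 32),    # IRR max-length 32 is clamped to /24
    ("203.0.113.0/24", 24),
    ("203.0.113.128/25", 25),   # too specific for the global table
    ("10.20.0.0/16", 24),       # RFC 1918 must never arrive from a peer
    ("0.0.0.0/0", 0),           # a default route hidden in a route object
    ("192.0.2.0/24", 24),       # duplicate object
    ("2001:db8::/32", 48),      # IPv6 belongs in a separate list
    ("203.0.113.0/23", 24),     # host bits set: not a valid /23
]

if __name__ == "__main__":
    lines, rejected = build_prefix_list("AS64500-IN", SAMPLE_IRR)
    print("\n".join(lines))
    for prefix, reason in rejected:
        print(f"! dropped {prefix}: {reason}")
```

The rejected list is what you would hand back to the peer when asking them to clean up their IRR objects (question 5).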


Similar Messages

  • BGP prefix list weird issue

    Hello All,
    I'm working on a BGP prefix list configuration and I'm seeing a strange issue.
    Issue: As per the configuration we have defined the prefix list to filter the incoming subnets. Though a specific subnet is not allowed by the prefix list, the router is allowing the subnet into the BGP table from the neighbour.
    configuration:
    ip prefix-list TEST seq 5 permit 10.61.64.0/19 ge 24 le 24
    Though the subnet below is not allowed by the prefix list, I'm seeing it in the BGP table as the best path.
    10.61.192.0/23
    Can anybody help me understand what the issue could be? Any bug? Anything wrong with my configuration?
    Thanks,
    Thiyagu

    Hi,
    After applying the prefix-list, try soft resetting the BGP neighbor and test again
    clear ip bgp XX neigh soft in
    HTH
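To check offline what the posted list actually permits, here is an added example (not code from the thread) that applies the IOS prefix-list matching rules, including ge/le, to the entry above and to a few constructed probe prefixes. It shows that the list as written already denies 10.61.192.0/23, so a stale entry in the BGP table points at the filter not having been re-applied, which is what the soft reset in the reply does.

```python
"""Offline evaluator for Cisco IOS ip prefix-list semantics.

Added example, not code from the original post. It parses `ip prefix-list`
lines exactly as they are typed on IOS and applies first-match-wins with an
implicit deny at the end, including the ge/le length rules, so the list from
the thread can be checked without a router. `description` lines are not
handled.
"""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<net>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_prefix_lists(text):
    """Return {name: [(seq, action, network, ge, le), ...]} ordered by seq."""
    lists = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"not a prefix-list entry: {line}")
        # strict=False: IOS accepts an entry whose host bits are set.
        net = ipaddress.ip_network(m["net"], strict=False)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        lists.setdefault(m["name"], []).append((int(m["seq"]), m["action"], net, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def entry_matches(entry, route):
    """IOS rule: the route must sit inside the entry's network and its length
    must fall within [ge, le]. Without ge/le the length must match exactly;
    ge alone means up to the address family's maximum (32 for IPv4)."""
    _seq, _action, net, ge, le = entry
    if route.version != net.version or not route.subnet_of(net):
        return False
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    elif ge is not None:
        hi = net.max_prefixlen
    else:
        hi = net.prefixlen
    return lo <= route.prefixlen <= hi


def evaluate(entries, prefix):
    """Return (action, seq) of the first matching entry, or ('deny', None)
    for the implicit deny that ends every IOS prefix-list."""
    route = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1], entry[0]
    return "deny", None


# The single entry posted in the thread.
THREAD_CONFIG = "ip prefix-list TEST seq 5 permit 10.61.64.0/19 ge 24 le 24\n"

# Constructed probe routes: the one the poster saw in the BGP table plus a
# few neighbours that exercise the range and length rules.
PROBES = ["10.61.192.0/23", "10.61.64.0/24", "10.61.80.0/23", "10.61.64.0/19"]


def check_thread_list():
    """Evaluate every probe against list TEST; returns {prefix: action}."""
    entries = parse_prefix_lists(THREAD_CONFIG)["TEST"]
    return {p: evaluate(entries, p)[0] for p in PROBES}


if __name__ == "__main__":
    for prefix, action in check_thread_list().items():
        print(f"{prefix:<18} {action}")
```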

  • IPv6 BGP prefix-list filtering

    Dears,
    I have established an iBGP session between 2 routers (R1 ---- R2) and I want to advertise the loopback interface /128 using ipv6 prefix filtering, but it didn't advertise the loopback to the neighbor. It works fine with the network or redistribute command, but I want to know why it is not working with
    prefix-list filtering?
    Configuration:
    router bgp 100
    neighbor 2001:100:1:1::2 remote-as 100
    address-family ipv6
    neighbor 2001:100:1:1::2 activate
    neighbor 2001:100:1:1::2 prefix-list IPV6 out
    no synchronization
    exit-address-family
    int lo 100
    ipv6 address 2001:500:1:1::1/128
    ipv6 prefix-list IPV6 seq 10 permit 2001:500:1:1::1/128
    router bgp 100
    neighbor 2001:100:1:1::1 remote-as 100
    address-family ipv6
    neighbor 2001:100:1:1::1 activate
    neighbor 2001:100:1:1::1 prefix-list TEST out
    no synchronization
    exit-address-family
    int lo 100
    ipv6 address 2001:600:1:1::1/128
    ipv6 prefix-list TEST seq 10 permit 2001:600:1:1::1/128
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    2001:100:1:1::1 4 100   49236   49191        5    0    0 04:03:21        0

    Even though you're using a prefix list, the prefix list is used for filtering and not advertising the network. You still have to advertise the network using "network 2001:600:1:1::1/128" and you should see it.
    HTH,
    John

  • Regarding BGP prefixes

    hello All,
    I have created a lab and was preparing for a BGP lab. The lab scenario is attached herewith.
    I just did the simple configuration of BGP; for three routers I used iBGP and the other routers are connected via eBGP.
    I checked and found that every prefix is advertised in every AS, but when I did the ping, the prefixes were not reachable.
    Only from iBGP to eBGP were the advertised prefixes reachable.
    e.g.: AS1 prefixes are updated in AS2>AS3>AS4>AS5 and vice versa.
    When I do sh ip route for any prefix, it displays no subnet in the route table. When I do sh ip bgp, I can see that the prefixes are advertised in BGP.
    Please correct me on this. My question is: do I need to do routing for the other ASes to update the prefixes in the routers' route tables?

    Hi,
    your lab scenario is missing here.
    So just guessing:
    Possibly you need to configure
    neighbor... next-hop-self
    for your iBGP neighbors on the router peering by eBGP to the other AS?
    Without that the other iBGP peers might not be able to reach the other AS.
    Best regards,
    Milan

  • BGP route filtering

    How to stop ISP1 route advertisement via ISP2 on BGP...
    The problem is when my spoke's ISP1 MPLS is down...
    it is still getting routes via ISP2

    I do not have an understanding of your topology or of the relationship between ISP 1 and ISP 2 and therefore cannot be sure how well my suggestion will work. But here is what I frequently use when I want to be sure that routes learned from ISP 1 do not get advertised to ISP 2.
    ip as-path access-list 10 permit ^$
    router bgp 123
     neighbor 1.2.3.4 filter-list 10 out
    HTH
    Rick

  • Importing not-just-1-best bgp route to VRF in XR in case of unique RD per PE

    I'm trying to import  BGP prefix from several different sources into VRF for fast convergence. When RD on local and remote PE match, it works right away. But if RDs are different, then I can see many different routes in "sh bgp vpnv4 unicast rd x:x (remote PE's RD)" with NOT-IN-VRF flag, but only best one is present in "sh bgp vpnv4 unicast vrf YYY" or  "sh bgp vpnv4 unicast rd y:y (RD of local PE)". 
    As I understand, in IOS it is handled like this:
    router bgp 1
    address-family ipv4 vrf YYY
      import path selection all
      import path limit 4
    But I cannot figure out how to do it in XR. Any suggestions? I do not want to roll back to the same-RD-on-all-PEs approach, as IOS doesn't do much of add-paths for VPNv4 ;(

    I don't know if this will exactly suit your needs, but you can enable PIC (Prefix Independent Convergence) with the additional-paths command.
    The exact command depends on your XR version (additional-paths install backup or additional-paths election)
    Refer to the document:
    http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-1/routing/command/reference/b_routing_cr41crs/b_routing_cr41crs_chapter_01.html#wp2841279186

  • BGP Conditional Advertisement With 2 Subnets

    Is it possible to trigger conditional advertisement of a Border Gateway Protocol (BGP) prefix based upon the non-existence of two subnets? I can only get this to work with one subnet.
    My customer has parallel links to a provider (one BGP session).
    The command reference mentions one subnet in the description of the non-exist-map.
    Perhaps I should just identify one network from this Internet Service Provider (ISP) to focus on as the indicator of the failure.

    An IP address match is mandatory for a non-exist-map. The access-list specified should be a simple access-list and contain only one prefix. If the condition requires multiple prefixes, multiple access-lists can be used, for example:
    route-map ISP1-backbone permit 10
    match ip address 2 3 4

  • BGP Communities - Tagging our "own" range?

    Hi Everyone,
    We tag routes received from upstreams + peers (in the BGP session), so we can easily control what we advertise to our customers that peer with us, e.g. Customer A only wants routes advertised to them from our "peering" partners (i.e. no Internet), Customer B only wants the full table from our upstream carrier A, but nothing from carrier B... this works fine.
    My question is, how do we tag our own address block in a similar fashion? (As we are not "receiving" it from someone via BGP, we can't tag it that way)
    i.e. If customer C wants our peering partner ranges, but also all of "our" range... it would be really simple to just have all our routes tagged so we can create a community-list with the permitted community tags, create a route-map that matches the community-list, then add it to the neighbour statement? We can then even go further and break up our IP allocation into subsets, so customers can be restricted to certain "views/areas" of our network.
    I've had very little sleep, so I'm probably missing something extremely trivial here, or there is a much "easier" way to do this :)
    Cheers.

    Hi,
    how are you getting your BGP prefixes to the BGP table?
    Redistributing from some IGP?
    Or simply
    network ... mask ...
    command under your BGP process?
    In both cases you could use ... route-map tag-comm
    option and within the
    route-map tag-comm
    set community ....
    to any value you need.
    Best regards,
    Milan

  • Bgp-Eigrp-Bgp redistribution question

    Hi Experts,
    Just wish to ask if there is an option to retain the AS-path information in EIGRP when I redistribute from BGP to EIGRP and then back to BGP?
    I recall coming across something similar to this before but I can't seem to remember it.
    Thanks in advance.

    Hello friend.
    No, you can't retain the AS-PATH when redistributing prefixes from BGP to EIGRP.
    What you CAN do though, is to add the AS-PATH you want when redistributing it BACK to BGP.
    You can do something like this:
    1 - Add a TAG when redistributing the BGP prefixes into EIGRP
    route-map SET_TAG permit 10
     set tag 100
    router eigrp 1
    redistribute bgp 100 metric 1 1 1 1 1 route-map SET_TAG
    2 - transform the TAG into an AS_PATH, when redistributing it BACK to BGP.
    route-map set-as-path-from-tag
    set as-path tag
    router bgp 100
    redistribute eigrp 1 route-map set-as-path-from-tag
    Got it ?
    I hope this helps you !
    cheers

  • Configuring BGP on WS-3750G-12S-E

    Dear Friends,
    I have WS-3750G-12S-E with me and would like to configure BGP on the same. I want your suggestion / help whether it is advisable to configure BGP on 3750G or not.
    Please suggest if anybody has already deployed BGP on 3750.
    Thanks in advance for your support

    Saying that you'll need a router to run BGP isn't accurate or true.  The 3750s (all flavours) can run BGP just fine.
    3560s/3750s have enough memory to run several hundred BGP prefixes or more, if that meets your needs.  That may be sufficient to run an IGP, or to advertise BGP to an upstream provider (and just take a default route via BGP in the downstream direction).  Definitely won't take a full Internet table, but in many cases that's not necessary anyway.
    Been there done that a few times.  It works fine, and as always you just need to be mindful of the limitations of the platform in so far as memory and TCAM size.  You will need the IPSERVICES featureset though, as BGP isn't supported on the IPBASE featureset.
    Featurewise it's fairly much all OK, I can't remember anything missing in the implementation compared to much bigger switches and the config is exactly the same as all other IOS devices.
    Edit:  Found this:
    http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00801e7bb9.shtml
    which indicates your 3750G-12S should be able to take up to 20,000 routes IN HARDWARE provided you use the right SDM template (and trust me, you do not want to exceed this, ever).  You will still need to make sure you don't eat up DRAM memory with too many routes.   I would suggest staying well below that limit.
    Message was edited by: Reuben Farrelly - with more information

  • Trouble getting BGP route to be primary

    We have an MPLS network between locations using BGP. Several locations have a VPN connection as a backup and use OSPF for those routes.
    When an MPLS link goes down, the traffic switches over to the VPN connection just fine. But when the MPLS link comes back up, the OSPF route is still overriding the BGP route.  I've changed the weights for both BGP & OSPF but still can't get the BGP route to override the OSPF route.
    Any ideas as to what I'm missing?
    Main router, MPLS link active at remote site:
    nbrtr2#sh ip bgp
    BGP table version is 6837, local router ID is 216.149.85.242
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *> 172.16.104.0/24  216.149.85.241                       300 2828 3549 2828 i
    nbrtr2#sh ip bgp 172.16.104.0
    BGP routing table entry for 172.16.104.0/24, version 6839
    Paths: (1 available, best #1, table Default-IP-Routing-Table)
    Flag: 0x820
      Not advertised to any peer
      2828 3549 2828
        216.149.85.241 from 216.149.85.241 (216.149.85.241)
          Origin IGP, localpref 100, weight 300, valid, external, best
    After shutting down the remote interface, traffic switches to the VPN link.
    nbrtr2#sh ip bgp
    BGP table version is 6842, local router ID is 216.149.85.242
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *> 172.16.104.0/24  172.16.196.4           123           100 ?
    nbrtr2#sh ip bgp 172.16.104.0
    BGP routing table entry for 172.16.104.0/24, version 6842
    Paths: (1 available, best #1, table Default-IP-Routing-Table)
    Flag: 0x820
      Advertised to update-groups:
            1
      Local
        172.16.196.4 from 0.0.0.0 (216.149.85.242)
          Origin incomplete, metric 123, localpref 100, weight 100, valid, sourced,
    best
    Bringing up the remote interface, the traffic stays on the VPN.
    nbrtr2#sh ip bgp
    BGP table version is 6843, local router ID is 216.149.85.242
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *> 172.16.104.0/24  172.16.196.4           123           100 ?
    nbrtr2#sh ip bgp 172.16.104.0
    BGP routing table entry for 172.16.104.0/24, version 6842
    Paths: (1 available, best #1, table Default-IP-Routing-Table)
      Advertised to update-groups:
            1
      Local
        172.16.196.4 from 0.0.0.0 (216.149.85.242)
          Origin incomplete, metric 123, localpref 100, weight 100, valid, sourced,
    best
    Finally, terminating the site-site VPN tunnel restores the MPLS route:
    nbrtr2#sh ip bgp
    BGP table version is 6845, local router ID is 216.149.85.242
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *> 172.16.104.0/24  216.149.85.241                       300 2828 3549 2828 i
    nbrtr2#sh ip bgp 172.16.104.0
    BGP routing table entry for 172.16.104.0/24, version 6845
    Paths: (1 available, best #1, table Default-IP-Routing-Table)
    Flag: 0x820
      Not advertised to any peer
      2828 3549 2828
        216.149.85.241 from 216.149.85.241 (216.149.85.241)
          Origin IGP, localpref 100, weight 300, valid, external, best
    Config details:
    router ospf 100
     log-adjacency-changes
     redistribute static subnets
     redistribute bgp 36166 metric 20 subnets
     network 172.16.196.0 0.0.0.255 area 0
     network 172.16.224.0 0.0.3.255 area 0
    router bgp 36166
     network 172.16.210.0 mask 255.255.255.0
     network 172.16.211.0 mask 255.255.255.0
     redistribute ospf 100 route-map Redist-OSPF
     neighbor 216.149.85.241 remote-as 2828
     neighbor 216.149.85.241 weight 300
     default-information originate
    access-list 11 remark Define OSPF routes for redistribution
    access-list 11 permit 172.16.11.0 0.0.0.255
    access-list 11 permit 172.16.16.0 0.0.1.255
    access-list 11 permit 172.16.196.0 0.0.1.255
    access-list 11 permit 172.16.198.0 0.0.0.255
    access-list 12 remark Define VPN routes for redistribution
    access-list 12 permit 172.16.104.0 0.0.0.255
    access-list 12 permit 192.168.1.0 0.0.0.255
    access-list 12 permit 192.168.3.0 0.0.0.255
    access-list 12 permit 192.168.4.0 0.0.0.255
    access-list 12 permit 192.168.8.0 0.0.0.255
    route-map Redist-OSPF permit 10
     match ip address 11
     set weight 500
    route-map Redist-OSPF permit 20
     match ip address 12
     set weight 100
    route-map Redist-OSPF permit 30

    Hi,
    IMHO, you should use the same Weight for both the BGP prefix redistributed from OSPF and the one received from the BGP neighbor.
    And set another attribute (e.g. Local Preference) to make the prefix received from the BGP neighbor win when the MPLS interface goes Up again.
    Another issue might be, though:
    When the MPLS interface is Down, you get the OSPF prefix redistributed into your BGP table, and when the MPLS interface goes Up again, you might be advertising this prefix to the backbone. And it can beat the prefix advertised from the remote site. If that's your case, I'd also try to prepend your AS number several times to the prefix advertised from your router to make it less preferred within the backbone compared to the original BGP prefix.
    Best regards,
    Milan.

  • Best way to change config then change it back after a while.

    I spent some time today trying a couple of approaches to this, but they all seemed a little clunky.
    I'm looking for the best way to change the BGP prefixes which are advertised out to an ISP, based on some check.  I want to set a timeout so the router won't attempt to send the route again for, say, 30 minutes after it is triggered, but then will start advertising it again, and monitor to see if the trigger condition returns.  If the trigger condition returns, then again withdraw the route for 30 minutes, and so on.
    I'm using a prefix-list already to limit outbound route advertisements, so it seems simplest to just make a config change to remove one line from the prefix-list, then a few minutes later put it back.
    I tried just using the "cli command wait", but if I set the wait period too long, the applet seemed to die, and never ran the later cli commands to put the prefix-list line back.  There is also an exit-time clause for the event, but I couldn't figure out how to put the line back after the exit-time expired.  Lastly I tried doing an event with a watchdog timer, but couldn't get that to work either.  Before I spend too much time working on different options, I wanted to see if anyone had any recommendations.
    I've done some TCL scripting on Cisco routers, but that seemed to be overkill for this, and I wanted to keep the config easy to manage for peers who might not be as proficient in TCL scripting.
    This is intended for ASR-1002X routers if it matters.
    Any suggestions would be much appreciated.
    Thanks
    Derek

    Thanks for all your help Joe. 
    Ok, so here is my current script, which seems to be working pretty well (changing to entry-type "value" fixed the variability in detection times).  For testing in the script below, I'm using a 30 second timeout for when the line gets put back, and a 60 second timeout for when monitoring should resume after the event is triggered. The script checks the value of the OID every 5 seconds.
    The only other thing I would like to do with it that I can't figure out, is how to use an environment variable for the exit-time.  Ideally, I would just add a value, like 10 seconds, to the ATimeout variable.  However I can't figure out the syntax to just use a var for the exit-time.  Anyone know the secret (or if it is possible?)
    event manager environment ATimeout 30
    event manager environment q "
    no event manager applet DDOS_RESPONSE01
    event manager applet DDOS_RESPONSE01
    event snmp oid 1.3.6.1.4.1.9.9.166.1.17.1.1.21.80.65538 get-type exact entry-op gt entry-val "0" entry-type value exit-time 60 poll-interval 5
    trigger
    action 001 cli command "enable"
    action 002 cli command "config term"
    action 003 cli command "no ip prefix-list PUBLIC_NETWORKS seq 140 permit 10.4.1.0/24 le 32"
    action 004 syslog msg "DDoS Attack Detected. Removing Web Srvr Subnet from PUBLIC_NETWORKS for ($ATimeout) seconds."
    action 005 cli command "event manager applet RESTORE_PREFIX"
    action 006 cli command "event timer countdown time $ATimeout "
    action 007 cli command "action 101 cli command $q enable $q"
    action 008 cli command "action 102 cli command $q config term $q"
    action 009 cli command "action 103 cli command $q no event manager applet RESTORE_PREFIX $q"
    action 010 cli command "action 104 cli command $q ip prefix-list PUBLIC_NETWORKS seq 140 permit 10.4.1.0/24 le 32$q"
    action 011 cli command "action 105 syslog msg $q DDoS Attack Timeout ($ATimeout) reached. Re-adding Web Srvr Subnet to PUBLIC_NETWORKS. $q "
    action 012 cli command "action 106 cli command $q no event manager applet RESTORE_PREFIX $q"
    exit

  • Configuration Management Software

    Hi all,
    I'm putting it out there early. In two weeks (Dec 14th) I am going to release rConfig. This free and open source software has been over a year in the making and is specifically designed by a highly experienced network engineer (Me!) for network engineers. And the best part: IT'S FREE (oh yes, I mentioned that already).
    What is it? A Free, and Open Source, Network Configuration Management tool. Web based, fast, and customizable. Installs on Linux CentOS and written completely in PHP/MySQL.
    You can download the running-configs, cdp neighbor table, OSPF Neighbor table, BGP prefix table, routing table for routers, as well as show route for firewalls and show spanning-tree for switches easily... actually... whatever show command you care to choose for a given category of network devices.
    Why? Well, for me, a 'show run' and 'show start' from my network device configuration management tool wasn't enough. I needed more. I needed to see what my routers routing table looked like last week. I needed to know how many hits were on a particular ACL entry on my edge firewall two months ago and compare it to today. I wanted to know, which interface was the root bridge path (spanning-tree) on my one of my core switches yesterday. That's why!
    I am hoping to expand features as the community around this tool grows. It will be community led - I hope you can join early.
    Go check it out at www.rconfig.com, and if you're interested, sign up for a beta release. I am still releasing content on the public site, so a video is due soon, and perhaps an online demo too. Any questions, just fire them back to me.
    Please forward to anyone you may think be interested
    Regards
    Stephen
    ==========================
    http://www.rConfig.com
    A free, open source network device configuration management tool, customizable to your needs!

    All,
    There has been some uptake and some great feedback on rConfig since I made this announcement two weeks ago. rConfig is officially released as Version 1 today. Please log in to www.rconfig.com and download a copy.
    You know, it takes less than 1 hour to install rConfig on Linux and more than 2 hours to get some of its well-known commercial counterparts up and running. There is even a complete, easy-to-follow Linux build document designed especially for the rConfig installation on www.rconfig.com. You'll be backing up Cisco configuration and show outputs in no time with rConfig. And even learning a bit of Linux along the way.
    And remember, it's free & open source.
    Regards
    Stephen

  • Route advertisement with AS path

    Hello
    We are running a multi-homed network; to influence the BGP route selection, we are using the AS path attribute with route-maps.
    Recently, we observed that the routes advertised on the TCL network (ISP 1) were not reflected in the global routing table.
    For example, we have advertised a network (196.X.X.X/24) on the TCL BGP peer as the best path and also advertised the same network on another BGP peer with an AS path prepend of 10 times. But the network is reached via the Bharti BGP peer (ISP 2) instead of the TCL peer.
    Can anyone help me understand why the preferred route is via Bharti?
    Thanks
    Viswa Sai

    The network statement in the BGP configuration is used to identify which networks are being advertised. The BGP process then checks the global routing table; only if it sees a prefix in the global routing table with an exact match (including subnet mask) will it advertise that network to other BGP peers.
    Is this network a local network or learned from other routing protocols? If local, make sure you enter the exact mask of the network seen in the routing table. If learned from other routing protocols, the better way is to selectively redistribute IGP routes into BGP using a prefix-list and route-map.
    As far as convergence is concerned, below is the explanation:
    BGP routers will not start the BGP best-path calculation/selection process until they receive all NLRI from the BGP peer. This will be known from UPDATE messages. The end of the UPDATE messages is usually identified after a KEEPALIVE message is received.
    The time taken to learn a new best path is directly proportional to the number of NLRIs received from peers.
    Only when your service provider router selects its best path and installs it into the RIB is it going to send an UPDATE message to your routers. If the SP routers use line cards with Cisco distributed forwarding, it is going to populate its FIB and then send the UPDATE message.
    It depends on how fast your Bharti BGP peer detects your network as unreachable and sends UPDATE messages to its peers to withdraw your network's NLRI from their routing tables.
    There are ways to improve this convergence, but at service provider level. In your network, if you want faster re-convergence, static routes (with higher AD) would be a wonderful solution.
    Few other ways would be to use:
    Bidirectional forwarding detection (BFD)
    fast neighbor failover
    BGP next hop tracking
    BGP best external path (IOS and vendor specific)
    BGP prefix convergence (IOS and vendor specific)
    Peace and Health,
    Ravindra

  • IPv6 in a big corporate

    Hi,
    does anybody here have practical experience with implementing IPv6 within a big corporate network?
    Let's say the corporate has several thousand sites, some of them in Europe, others in Asia and the Americas.
    20 Data Centers are used for the Internet connectivity.
    So what kind of IPv6 addresses should it use?
    As all IPv6 documents are saying "Don't think about ULA and NAT, use GUA!", it should try to get PI (Provider Independent) addresses, I guess?
    Looking to RIPE web pages (http://www.ripe.net/ripe/docs/ripe-452) I found only an info it's necessary to have a contract with a LIR to get some PI addresses but no details :-(
    How big could such a block be? /32?
    But is it possible to use one PI address block worldwide?
    I don't think so, as ISPs in America would not accept prefixes provided by RIPE, I'm afraid?
    So the corporate should try to get a PI block from each RIR (RIPE, APNIC, ARIN, ...)?
    Even then with /32 PI per continent available, it would be necessary to advertise only some more specific subnet from each DC probably?
    Let's say /36?
    But would /36 be accepted by the ISPs connecting the DCs to the Internet?
    And propagated to the neighboring ASes?
    I've been told /32 is the maximum prefix length accepted? (But using an IPv6 looking glass I can see lots of /48s among the current IPv6 BGP prefixes within the Internet?).
    So it would be necessary to use a single ISP per continent?
    Even when all mentioned above would work, it would be necessary to advertise the default route into the corporate network a very sophisticated way to ensure all /36 clients would use the correct DC to enter the Internet to avoid an asymmetric routing!
    So I'd really like to discuss with somebody who fixed all the issues listed above already!
    Thanks,
    Milan

    Hi Milan,
    I did get a chance to be a member of the deployment of such a network for a customer, and he had multiple ASes as well as IPv6 addresses from RIRs. The RIRs are willing to give a /32 without much concern based upon simple justifications. The equivalent of a /24 IPv4 being advertised to the Internet is a /48 in the IPv6 world (this is the lowest any enterprise would get).
    Regarding the inter-connectivity between the various sites and the path to the Internet via the DC, it would depend upon the architecture you have in mind. I mean whether you have a service provider MPLS backbone or provider-independent inter-connectivity over the Internet.
    We used a service provider backbone with multiple layers of route reflectors for connectivity from the DCs to the sites and then diverting traffic to the nearest site.
    However, we could discuss in detail what exact scenario applies in your case.
