Filtering BGP Routes

You can filter BGP routes in a number of ways: routes received from or sent to neighbors can be filtered using distribute lists, route maps, prefix lists, or filter lists, and the selection can be based on the network prefix, on a BGP attribute such as AS_PATH, or on the BGP COMMUNITY attribute. This section introduces basic BGP route filtering using distribute lists, prefix lists, and route maps.

Basic BGP route filtering is similar to the route filtering used with IGP protocols. A list of network prefixes is created using an access list or a prefix list, and that list is applied to a specific neighbor or set of neighbors, to a peer group, or as a blanket application to all BGP peers. The major difference between BGP and IGP route filtering is the number of selection criteria that BGP provides. In either direction the filter is a policy boundary: an inbound filter limits what a peer can inject into your routing table, and an outbound filter limits what you announce, and therefore what traffic you attract, on behalf of other networks.

Using Distribute Lists to Filter Network Prefixes

The simplest way to filter BGP routes is to use a distribute list, either as a blanket statement for all peers or applied to specific peers using the neighbor statement. To apply a distribute list to all peers for all incoming or outgoing routes, follow these steps:

  1. Create an access list or prefix list that specifies the prefixes to be permitted or denied.
  2. From BGP router configuration mode, create the distribute list that will be used to filter all incoming or outgoing UPDATE messages. Distribute lists use the following syntax:
    distribute-list {access-list-number | access-list-name | gateway prefix-list-name |
      prefix prefix-list-name [gateway prefix-list-name]} {in [interface-name
      interface-number] | out [interface-name interface-number | bgp | connected | egp
      | eigrp | igrp | ospf | rip | static]}

Only one distribute list can be applied under the BGP process in each direction (one inbound, one outbound) at any time. A distribute list can also be restricted to updates received on or sent from a particular interface using the optional interface-name and interface-number arguments at the end of the command. For instance, the Willis router is currently receiving routes to all the networks shown in Example 9-36.

Example 9-36. Willis BGP RIB

Willis# show ip bgp | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 23.75.18.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.19.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.20.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.21.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.22.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.23.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.24.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.25.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.26.0/24    62.128.47.6                            0 11151 5623 i
*> 189.168.56.0/23  62.128.47.198            0             0 645 i
*> 189.168.58.0/23  62.128.47.198            0             0 645 i
*> 189.168.60.0/23  62.128.47.198            0             0 645 i
*> 189.168.62.0/23  62.128.47.198            0             0 645 i
*> 189.168.64.0/23  62.128.47.198            0             0 645 i
*> 189.168.66.0/23  62.128.47.198            0             0 645 i
*> 189.168.68.0/23  62.128.47.198            0             0 645 i
*> 189.168.70.0/23  62.128.47.198            0             0 645 i
*> 189.168.72.0/23  62.128.47.198            0             0 645 i
*> 189.168.74.0/23  62.128.47.198            0             0 645 i
*> 189.168.76.0/23  62.128.47.198            0             0 645 i
*> 189.168.78.0/23  62.128.47.198            0             0 645 i
*> 189.168.80.0/23  62.128.47.198            0             0 645 i
*> 189.168.82.0/23  62.128.47.198            0             0 645 i
*> 189.168.84.0/23  62.128.47.198            0             0 645 i
*> 189.168.86.0/23  62.128.47.198            0             0 645 i
*> 189.168.88.0/23  62.128.47.198            0             0 645 i

To filter all routes except those within the prefix 23.75.0.0/16, create an access list that permits the 23.75.0.0/16 block and reference it in an inbound distribute list. Example 9-37 shows the Willis BGP configuration and the resulting BGP table. Because the distribute list is configured under the BGP process rather than on a neighbor statement, it applies to updates from every BGP neighbor, which is why the AS 645 routes from 62.128.47.198 also disappear from the table. Remember the implicit deny at the end of the access list: any prefix not explicitly permitted is dropped.

Example 9-37. Willis Router Configuration and Postconfiguration BGP RIB

Willis# show run | begin bgp
router bgp 2001
 no synchronization
 bgp log-neighbor-changes
 neighbor 62.128.47.6 remote-as 11151
 neighbor 62.128.47.194 remote-as 645
 neighbor 62.128.47.198 remote-as 645
 distribute-list 1 in
 no auto-summary
!
access-list 1 permit 23.75.0.0 0.0.255.255
Willis# show ip bgp | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 23.75.18.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.19.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.20.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.21.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.22.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.23.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.24.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.25.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.26.0/24    62.128.47.6                            0 11151 5623 i

As previously mentioned, you can also use a distribute list on a neighbor statement to filter routes received from or sent to a specific neighbor or peer group. Use the following command:

neighbor {ip-address | peer-group} distribute-list {access-list-number |
  access-list-name} {in | out}

For example, using the BGP configuration from the previous example, and a neighbor distribute list, you can filter all but two routes from peer 62.128.47.6. Example 9-38 shows the required commands and the resulting BGP routes.

Example 9-38. Filtering Incoming Routes from a Specific Peer

Willis# show run | begin bgp
router bgp 2001
 no synchronization
 bgp log-neighbor-changes
 neighbor 62.128.47.6 remote-as 11151
 neighbor 62.128.47.6 distribute-list 50 in
 neighbor 62.128.47.194 remote-as 645
 neighbor 62.128.47.198 remote-as 645
 no auto-summary
!
access-list 50 permit 23.75.18.0 0.0.0.255
access-list 50 permit 23.75.19.0 0.0.0.255
Willis# show ip bgp neighbors 62.128.47.6 routes | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 23.75.18.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.19.0/24    62.128.47.6                            0 11151 5623 i
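
The following Python model, added here as an example and not taken from the book, shows what the distribute lists in Examples 9-37 and 9-38 actually test: IOS wildcard-mask matching of the route's network address, first-match evaluation with an implicit deny, and the difference between a distribute list applied under the BGP process and one applied to a single neighbor. The RIB and access lists are constructed from the examples above; using the next hop to identify the sending peer is an assumption that holds for the directly connected eBGP peers in this topology. The model also shows the limitation a practitioner should keep in mind: a standard access list never sees the prefix length, so a more-specific prefix inside a permitted block passes the same filter.

```python
import ipaddress

# Constructed from the Willis RIB in Example 9-36: (prefix, next hop).
# Assumption: for these directly connected eBGP peers the next hop is the
# peer's own address, so it identifies which peer sent the route.
WILLIS_RIB = [
    ("23.75.18.0/24", "62.128.47.6"),
    ("23.75.19.0/24", "62.128.47.6"),
    ("23.75.20.0/24", "62.128.47.6"),
    ("23.75.26.0/24", "62.128.47.6"),
    ("189.168.56.0/23", "62.128.47.198"),
    ("189.168.88.0/23", "62.128.47.198"),
]

# access-list 1 from Example 9-37 and access-list 50 from Example 9-38,
# as (action, address, wildcard) tuples.
ACL_1 = [("permit", "23.75.0.0", "0.0.255.255")]
ACL_50 = [
    ("permit", "23.75.18.0", "0.0.0.255"),
    ("permit", "23.75.19.0", "0.0.0.255"),
]


def wildcard_match(address, base, wildcard):
    """IOS wildcard-mask semantics: a 0 bit in the wildcard must match the
    base address, a 1 bit is ignored. Only the network address of a route
    is tested; a standard ACL never sees the prefix length."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, network):
    """Standard ACL evaluation: the first matching entry decides, and a
    route that matches no entry is denied (the implicit deny)."""
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False


def apply_distribute_list(rib, acl, neighbor=None):
    """Inbound filtering. neighbor=None models 'distribute-list <acl> in'
    under router bgp, which filters updates from every peer;
    neighbor='x.x.x.x' models 'neighbor x.x.x.x distribute-list <acl> in',
    which leaves routes from other peers untouched."""
    kept = []
    for prefix, next_hop in rib:
        network = prefix.split("/")[0]
        if neighbor is not None and next_hop != neighbor:
            kept.append((prefix, next_hop))
        elif acl_permits(acl, network):
            kept.append((prefix, next_hop))
    return kept


def prefixes(rib):
    return [prefix for prefix, _ in rib]


if __name__ == "__main__":
    print("global ACL 1:", prefixes(apply_distribute_list(WILLIS_RIB, ACL_1)))
    print("ACL 50 on 62.128.47.6:",
          prefixes(apply_distribute_list(WILLIS_RIB, ACL_50, neighbor="62.128.47.6")))
    # The caveat: a standard ACL cannot tell 23.75.18.0/24 from a more
    # specific 23.75.18.128/25, so both pass access-list 50.
    print("more specific passes:", acl_permits(ACL_50, "23.75.18.128"))
```

Run it as a script to print the three results. The last line is the point to remember when a distribute list is your only inbound protection: if a peer needs to be held to exact prefix lengths, a prefix list (next section) or an extended access list is required.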

Using Prefix Lists to Filter BGP Routes

For a simpler, more readable filtering configuration, you can apply a prefix list directly to a BGP peer using the neighbor {ip-address | peer-group} prefix-list prefix-list-name {in | out} command.

IP prefix lists offer a simpler, more intuitive alternative to the access list. IP prefix lists enable you to use a list name or number that specifies a sequence of permit or deny statements. By specifying the prefix list sequence number, you can edit each statement in an IP prefix list individually, without removing and reapplying the entire list. Prefix lists also remove the burden of wildcard mask calculation. If you want to specify a particular host IP—for example, 110.80.8.118/32—type the following:

ip prefix-list bad-host seq 100 deny 110.80.8.118/32

If you add several /23 networks from the 62.128.0.0/16 block to the local BGP configuration on the Willis router and then issue the show ip bgp neighbors 62.128.47.6 advertised-routes command, you see the routes advertised in Example 9-39.

Example 9-39. Networks Currently Advertised to Peer 62.128.47.6

Willis# show ip bgp neighbors 62.128.47.6 advertised-routes | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 62.128.60.0/23   0.0.0.0                  0         32768 i
*> 62.128.64.0/23   0.0.0.0                  0         32768 i
*> 62.128.68.0/23   0.0.0.0                  0         32768 i
*> 62.128.72.0/23   0.0.0.0                  0         32768 i
*> 62.128.76.0/23   0.0.0.0                  0         32768 i
*> 189.168.56.0/23  62.128.47.198            0             0 645 i
*> 189.168.58.0/23  62.128.47.198            0             0 645 i
*> 189.168.60.0/23  62.128.47.198            0             0 645 i
*> 189.168.62.0/23  62.128.47.198            0             0 645 i
*> 189.168.64.0/23  62.128.47.198            0             0 645 i
*> 189.168.66.0/23  62.128.47.198            0             0 645 i
*> 189.168.68.0/23  62.128.47.198            0             0 645 i
*> 189.168.70.0/23  62.128.47.198            0             0 645 i
*> 189.168.72.0/23  62.128.47.198            0             0 645 i
*> 189.168.74.0/23  62.128.47.198            0             0 645 i
*> 189.168.76.0/23  62.128.47.198            0             0 645 i
*> 189.168.78.0/23  62.128.47.198            0             0 645 i
*> 189.168.80.0/23  62.128.47.198            0             0 645 i
*> 189.168.82.0/23  62.128.47.198            0             0 645 i
*> 189.168.84.0/23  62.128.47.198            0             0 645 i
*> 189.168.86.0/23  62.128.47.198            0             0 645 i
*> 189.168.88.0/23  62.128.47.198            0             0 645 i

Now, suppose you want to allow only local 62.128.x.0 networks to be advertised to neighbor 62.128.47.6. To accomplish this task, add an IP prefix list and call that list from the neighbor command, as shown in Example 9-40.

Example 9-40. Using a Prefix List to Filter BGP Routes

Willis# show run | begin bgp
router bgp 2001
 no synchronization
 bgp log-neighbor-changes
 network 62.128.60.0 mask 255.255.254.0
 network 62.128.64.0 mask 255.255.254.0
 network 62.128.68.0 mask 255.255.254.0
 network 62.128.72.0 mask 255.255.254.0
 network 62.128.76.0 mask 255.255.254.0
 neighbor 62.128.47.6 remote-as 11151
 neighbor 62.128.47.6 prefix-list route-filter out
 neighbor 62.128.47.194 remote-as 645
 neighbor 62.128.47.198 remote-as 645
 no auto-summary
!
ip prefix-list route-filter seq 5 permit 62.128.0.0/16 le 23
Willis# show ip bgp neighbors 62.128.47.6 advertised-routes | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 62.128.60.0/23   0.0.0.0                  0         32768 i
*> 62.128.64.0/23   0.0.0.0                  0         32768 i
*> 62.128.68.0/23   0.0.0.0                  0         32768 i
*> 62.128.72.0/23   0.0.0.0                  0         32768 i
*> 62.128.76.0/23   0.0.0.0                  0         32768 i

The entry 62.128.0.0/16 le 23 permits any prefix whose first 16 bits are 62.128 and whose prefix length is between 16 and 23 bits inclusive. It therefore permits the local /23 networks, but it would also permit a /16 or a /20 from the same block; to permit only /23 networks, use 62.128.0.0/16 ge 23 le 23. Without ge or le, an entry matches only a prefix of exactly the stated length. A standard access list cannot express any of this: an entry such as access-list 1 permit 62.128.0.0 0.0.255.255 tests only whether the network address falls inside 62.128.0.0/16 and ignores the prefix length entirely. If you change from access lists to prefix lists, check your syntax carefully before applying the list to a neighbor. Remember that, just like access lists, prefix lists end with an implicit deny; if you begin a list with a deny statement, you must include a permit statement later in the list to allow the remaining routes, or every other prefix is dropped. The ge and le keywords can be tricky at first: the entry's prefix and length define the block of address space to be matched, and ge and le define the range of prefix lengths accepted within that block. For more help configuring IP prefix lists, refer to Appendix D, "IP Prefix Lists."
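
The following Python model, added as an example and not part of the book, evaluates IOS-style prefix lists, including seq ordering, ge and le, and the implicit deny, against the prefixes advertised in Example 9-39 plus a few constructed edge cases. ROUTE_FILTER is the book's list from Example 9-40; EXACT_23, DENY_ONLY and DENY_THEN_ANY are hypothetical lists added to contrast le 23 with ge 23 le 23 and to show what happens when a list begins with a deny. The model does not validate the IOS rule that ge must be greater than the entry's own length and le not smaller than ge.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrefixListEntry:
    """One 'ip prefix-list NAME seq N {permit|deny} PREFIX [ge G] [le L]' line."""
    seq: int
    action: str            # "permit" or "deny"
    prefix: str            # e.g. "62.128.0.0/16"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route):
        """True when the route's network bits agree with the entry for the
        entry's own prefix length and the route's prefix length lies in the
        accepted range: exactly the entry length with no ge/le, entry length
        up to le, ge up to the maximum length, or ge through le."""
        entry_net = ipaddress.ip_network(self.prefix, strict=False)
        route_net = ipaddress.ip_network(route, strict=False)
        if route_net.version != entry_net.version:
            return False
        if self.ge is None and self.le is None:
            low = high = entry_net.prefixlen
        else:
            low = self.ge if self.ge is not None else entry_net.prefixlen
            high = self.le if self.le is not None else entry_net.max_prefixlen
        if not low <= route_net.prefixlen <= high:
            return False
        # Compare only the bits covered by the entry's own prefix length.
        shift = entry_net.max_prefixlen - entry_net.prefixlen
        return (int(route_net.network_address) >> shift) == (int(entry_net.network_address) >> shift)


def prefix_list_permits(entries, route):
    """Entries are evaluated in ascending seq order, the first match decides,
    and a route that matches nothing is denied (implicit deny)."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action == "permit"
    return False


def filter_routes(entries, routes):
    return [r for r in routes if prefix_list_permits(entries, r)]


# The book's list from Example 9-40.
ROUTE_FILTER = [PrefixListEntry(5, "permit", "62.128.0.0/16", le=23)]
# Hypothetical tighter variant that accepts only /23 prefixes.
EXACT_23 = [PrefixListEntry(5, "permit", "62.128.0.0/16", ge=23, le=23)]
# Hypothetical deny-first lists: without a later permit the implicit deny
# drops everything; with 'permit 0.0.0.0/0 le 32' everything else passes.
DENY_ONLY = [PrefixListEntry(5, "deny", "62.128.60.0/23")]
DENY_THEN_ANY = DENY_ONLY + [PrefixListEntry(10, "permit", "0.0.0.0/0", le=32)]

# Constructed candidates: two of the book's advertised prefixes, one
# AS 645 prefix, and two edge cases (a shorter and a longer 62.128 prefix).
CANDIDATES = ["62.128.60.0/23", "62.128.64.0/23", "189.168.56.0/23",
              "62.128.0.0/16", "62.128.60.0/24"]

if __name__ == "__main__":
    for name, plist in [("route-filter", ROUTE_FILTER), ("exact-23", EXACT_23),
                        ("deny-only", DENY_ONLY), ("deny-then-any", DENY_THEN_ANY)]:
        print(name, filter_routes(plist, CANDIDATES))
```

Running the script shows that route-filter lets the /16 through while exact-23 does not, that deny-only advertises nothing at all, and that deny-then-any permits the /24 because the deny entry, having no ge or le, matches only an exact /23.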

Using Route Maps to Filter BGP Routes

A more flexible approach to route filtering is to use a neighbor statement with an associated route map. Route maps can filter BGP routes by attribute, network prefix, next-hop value, or route type. When filtering BGP routes, the match commands in the route map specify what a route must look like to be matched, the permit or deny keyword of the clause decides what happens to a matched route, and the route map itself is then applied to a neighbor or peer group. Table 9-3 lists the route map match command types supported by BGP.

Table 9-3. BGP-Related Route Map match Commands

Match Command

Description

as-path as-path-access-list-number

Matches the AS_PATH attribute specified by an as-path-access-list number (ranging from 1 to 199). AS_PATH access lists and other AS_PATH functionality is covered later in this chapter.

community community-list-number [exact-match]

Matches the community value specified by the community list. There are two types of community lists: standard (ranging from 1 to 99) and extended (ranging from 100 to 199). The exact-match command can be used to specify an exact match. Community lists and other BGP COMMUNITY attribute functionality is covered later in this chapter.

ip address { access-list-number | access-list-name | prefix-list prefix-list-name }

Matches the IP prefix specified by the access or prefix list.

ip next-hop { access-list-number | access-list-name | prefix-list prefix-list-name }

Matches the NEXT_HOP attribute of a route. The NEXT_HOP value is specified by the trailing access list or prefix list.

The NEXT_HOP attribute, and its uses, is covered later in this chapter.

ip route-source { access-list-number | access-list-name | prefix-list prefix-list-name }

Matches the source IP address of the peer that sent the route. The peer's IP address is specified by an access or prefix list. The match ip route-source command is supported only for outbound route maps.

metric metric-value

Matches a MULTI_EXIT_DISC (MED) value; metric matches are not supported for in- or outbound route filtering.

The MED attribute, and its uses, is covered later in this chapter.

route-type {internal | external | local}

Matches a locally generated route (shown with a next hop of 0.0.0.0 in show ip bgp output). The match route-type command is supported only for outbound route filtering.

Make sure to test the results obtained using the route-type local command; this command matches any locally originated routes, including routes that entered a BGP process by redistribution.

tag tag-value

Matches a tag value.

The use of BGP tags was covered earlier in Chapter 2, "Configuring Route Maps and Policy-Based Routing."

Only two steps are required to configure BGP basic route filtering with route maps:

  1. Create a route map using the route-map command, and from route map configuration mode, use match commands to specify the attributes that are to be matched. A route map used purely as a filter needs no set commands; a clause with no match commands matches every route, and a route that matches no clause is dropped by the implicit deny at the end of the route map. (Route map configuration is covered in detail in Chapter 2.)
  2. Apply the route map to a neighbor or peer group using the following command:
    neighbor {ip-address | peer-group-name} route-map route-map-name {in | out}

The following example shows how you can use a simple route map to limit route advertisements to locally generated routes. Example 9-41 shows the routes that the Willis router is currently advertising to peer 62.128.47.6 before the application of route map filtering.

Example 9-41. Routes Advertised by Willis to Peer 62.128.47.6 Before Applying the Route Map

Willis# show ip bgp neighbors 62.128.47.6 advertised-routes | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 23.75.18.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.19.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.20.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.21.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.22.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.23.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.24.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.25.0/24    62.128.47.6                            0 11151 5623 i
*> 23.75.26.0/24    62.128.47.6                            0 11151 5623 i
*> 62.128.0.0/23    0.0.0.0                  0         32768 i
*> 62.128.4.0/23    0.0.0.0                  0         32768 i
*> 62.128.8.0/23    0.0.0.0                  0         32768 i
*> 62.128.12.0/23   0.0.0.0                  0         32768 i
*> 62.128.16.0/23   0.0.0.0                  0         32768 i
*> 62.128.20.0/23   0.0.0.0                  0         32768 i
*> 62.128.24.0/23   0.0.0.0                  0         32768 i
*> 62.128.28.0/23   0.0.0.0                  0         32768 i
*> 62.128.32.0/23   0.0.0.0                  0         32768 i
*> 62.128.36.0/23   0.0.0.0                  0         32768 i
*> 62.128.40.0/23   0.0.0.0                  0         32768 i
*> 62.128.44.0/23   0.0.0.0                  0         32768 i
*> 62.128.48.0/23   0.0.0.0                  0         32768 i
*> 62.128.52.0/23   0.0.0.0                  0         32768 i
*> 62.128.56.0/23   0.0.0.0                  0         32768 i
*> 62.128.60.0/23   0.0.0.0                  0         32768 i
*> 62.128.64.0/23   0.0.0.0                  0         32768 i
*> 62.128.68.0/23   0.0.0.0                  0         32768 i
*> 62.128.72.0/23   0.0.0.0                  0         32768 i
*> 62.128.76.0/23   0.0.0.0                  0         32768 i
*> 189.168.56.0/23  62.128.47.198            0             0 645 i
*> 189.168.58.0/23  62.128.47.198            0             0 645 i
*> 189.168.60.0/23  62.128.47.198            0             0 645 i
*> 189.168.62.0/23  62.128.47.198            0             0 645 i
*> 189.168.64.0/23  62.128.47.198            0             0 645 i
*> 189.168.66.0/23  62.128.47.198            0             0 645 i
*> 189.168.68.0/23  62.128.47.198            0             0 645 i
*> 189.168.70.0/23  62.128.47.198            0             0 645 i
*> 189.168.72.0/23  62.128.47.198            0             0 645 i
*> 189.168.74.0/23  62.128.47.198            0             0 645 i
*> 189.168.76.0/23  62.128.47.198            0             0 645 i
*> 189.168.78.0/23  62.128.47.198            0             0 645 i
*> 189.168.80.0/23  62.128.47.198            0             0 645 i
*> 189.168.82.0/23  62.128.47.198            0             0 645 i
*> 189.168.84.0/23  62.128.47.198            0             0 645 i
*> 189.168.86.0/23  62.128.47.198            0             0 645 i
*> 189.168.88.0/23  62.128.47.198            0             0 645 i

Example 9-42 shows how a single route map clause removes every route other than the locally originated ones from the updates sent to members of the all-peers peer group.

Example 9-42. Using the route-type local Command to Filter Routes

Willis# show run | begin bgp
router bgp 2001
 no synchronization
 bgp log-neighbor-changes
 network 62.128.60.0 mask 255.255.254.0
 network 62.128.64.0 mask 255.255.254.0
 network 62.128.68.0 mask 255.255.254.0
 network 62.128.72.0 mask 255.255.254.0
 network 62.128.76.0 mask 255.255.254.0
 neighbor all-peers peer-group
 neighbor all-peers route-map route-filter out
 neighbor 62.128.47.6 remote-as 11151
 neighbor 62.128.47.6 peer-group all-peers
 neighbor 62.128.47.194 remote-as 645
 neighbor 62.128.47.194 peer-group all-peers
 neighbor 62.128.47.198 remote-as 645
 neighbor 62.128.47.198 peer-group all-peers
 no auto-summary
!
route-map route-filter permit 10
 match route-type local

After this configuration is applied, the Willis router advertises only the routes shown in Example 9-43 to any peer belonging to the all-peers peer group. Example 9-43 uses the show ip bgp neighbors 62.128.47.6 advertised-routes command to verify the result for one member of the peer group; because the route map is applied to the peer group, every member receives the same set of routes.

Example 9-43. Routes Advertised to a Member of the all-peers Peer Group

Willis# show ip bgp neighbors 62.128.47.6 advertised-routes | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 62.128.60.0/23   0.0.0.0                  0         32768 i
*> 62.128.64.0/23   0.0.0.0                  0         32768 i
*> 62.128.68.0/23   0.0.0.0                  0         32768 i
*> 62.128.72.0/23   0.0.0.0                  0         32768 i
*> 62.128.76.0/23   0.0.0.0                  0         32768 i
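
The following Python model, added as an example and not the book's code, applies route maps to routes constructed from the rows of Example 9-41 (one route per source). It implements the three rules that matter when a route map is used as a filter: match statements within a clause are ANDed, the first matching clause decides, and a route that matches no clause is dropped. LOCAL_ONLY is the book's route-filter from Example 9-42; the other route maps (DENY_LOCAL_ONLY, NO_TRANSIT_11151, EMPTY_PATH) are hypothetical and illustrate the deny-without-permit pitfall and AS_PATH regular-expression matching, which the chapter covers later. The ip_next_hop match is modeled as a set of addresses standing in for the access or prefix list that IOS would reference.

```python
import re

# Constructed from the rows of Example 9-41, one representative route per
# source: next hop 0.0.0.0 and weight 32768 mark locally originated routes.
ROUTES = [
    {"prefix": "23.75.18.0/24", "next_hop": "62.128.47.6", "weight": 0, "as_path": "11151 5623"},
    {"prefix": "62.128.60.0/23", "next_hop": "0.0.0.0", "weight": 32768, "as_path": ""},
    {"prefix": "189.168.56.0/23", "next_hop": "62.128.47.198", "weight": 0, "as_path": "645"},
]


def as_path_regex_matches(pattern, as_path):
    """IOS AS_PATH regular expressions, approximated: '_' matches the start
    or end of the path or the space between AS numbers, and '^$' matches
    the empty path of a locally originated route."""
    python_pattern = pattern.replace("_", r"(?:^|\s|$)")
    return re.search(python_pattern, as_path) is not None


def clause_matches(matches, route):
    """All match statements in a clause must be true (logical AND).
    A clause with no match statements matches every route."""
    for kind, value in matches.items():
        if kind == "route_type" and value == "local":
            if route["next_hop"] != "0.0.0.0":
                return False
        elif kind == "as_path":
            if not as_path_regex_matches(value, route["as_path"]):
                return False
        elif kind == "ip_next_hop":
            # Set of addresses standing in for the referenced ACL/prefix list.
            if route["next_hop"] not in value:
                return False
        else:
            raise ValueError("unsupported match: %s" % kind)
    return True


def route_map_permits(route_map, route):
    """Clauses are tried in sequence order; the first clause that matches
    decides (permit or deny); a route matching no clause is denied."""
    for seq, action, matches in sorted(route_map, key=lambda c: c[0]):
        if clause_matches(matches, route):
            return action == "permit"
    return False


def advertised(route_map, routes):
    return [r["prefix"] for r in routes if route_map_permits(route_map, r)]


# The book's route-map route-filter from Example 9-42.
LOCAL_ONLY = [(10, "permit", {"route_type": "local"})]
# Hypothetical: a deny clause with no following permit drops everything,
# because the implicit deny catches every route the clause did not match.
DENY_LOCAL_ONLY = [(10, "deny", {"route_type": "local"})]
# Hypothetical no-transit policy: drop anything learned through AS 11151
# and permit the rest with an empty (match-all) clause.
NO_TRANSIT_11151 = [(10, "deny", {"as_path": "_11151_"}), (20, "permit", {})]
# The same effect as route-type local, expressed as an AS_PATH match.
EMPTY_PATH = [(10, "permit", {"as_path": "^$"})]

if __name__ == "__main__":
    for name, rm in [("local-only", LOCAL_ONLY), ("deny-local-only", DENY_LOCAL_ONLY),
                     ("no-transit-11151", NO_TRANSIT_11151), ("empty-path", EMPTY_PATH)]:
        print(name, advertised(rm, ROUTES))
```

The deny-local-only result is the one to check for in a review: an outbound route map whose only clause is a deny advertises nothing, which silently isolates the peer rather than merely hiding the local routes.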

You might have noticed that the route map set commands are not shown in Table 9-3; this is because the set commands provide more advanced BGP functionality, namely BGP attribute manipulation. Other, even more powerful uses of BGP route maps involve manipulating BGP attributes and configuring BGP route dampening; each of these subjects is covered later in this chapter. BGP attribute values are usually manipulated with the set command under route map configuration mode, and the route map is then applied to a neighbor or peer group using the neighbor {ip-address | peer-group} route-map route-map-name {in | out} command. The following list previews the set commands covered in the next section:

  • as-path prepend as-path-number
  • as-path tag as-path-string
  • comm-list community-list-number [delete]
  • community [community-value-decimal | aa:nn-format]
  • community additive
  • community internet
  • community local-as
  • community no-advertise
  • community no-export
  • community none
  • dampening half-life-value reuse-penalty-value suppress-penalty-value
  • ip default next-hop ip-address
  • ip default next-hop verify-availability
  • local-preference value
  • metric [+ | - ] metric-value
  • origin {egp as-number | igp | incomplete}
  • tag tag-value
  • weight weight-value
