BGP Filtering- Part1:
Filtering can be done for inbound (filtering before installing them in bgp table) or outbound routes (before advertising it to our neighbors)
After filtering is applied, BGP neighborships MUST be reset or cleared for the filter to take effect
To reset a bgp neighborship, cli command is:
- ‘Clear ip bgp *’ → clears or all neighbors
- ‘Clear ip bgp
’ → clears neighborship only for that particular neighbor
But, resetting the bgp neighborship for implementing a filter is destructive esp. If we are an ISP and if one customer has not paid us and we want to filter out his routes for being advertised, if we had to reset the bgp neighborship b/w the two ISPs, it can lead to convergence time of sometimes 30 sec...which is very bad...Luckily, there are also other ways of applying a filter
But, a key takeaway is after configuring a filter, it will not take effect unless we reset the neighborship (or) do something else
BGP can filter routes based on wide variety of options like:
- Matching Prefixes/prefix-length
- Based on different path attribute that are associated with each route and are part of update message
BGP filtering is done for each neighbor separately; the ‘filter’ command must be applied to each bgp neighbor using the ‘neighbor’, even when same filtering is required for each neighbor. We could use peer-groups for doing this.
BGP filtering can be done using any of the following methods:
- Using distribute-list
- Using prefix-list
- Using filter-list
- Using route-map
Prefix-list:
- Works exactly the same way as in EIGRP/OSPF...see that video to understand prefix-list (or see my OSPF notes)
- Command is ‘neighbor
prefix-list ’ in/out - When filtering with prefix-list, prefix-list can also be used to match exact or “first N” bit of prefix plus range of prefix lengths.
- https://www.routeralley.com/guides/route_maps.pdf
- http://packetlife.net/blog/2010/feb/1/understanding-ip-prefix-lists/
Filter-list:
- Filter-list is different in BGP as compared to OSPF
- In OSPF, we used to specify filter-list and then mention the prefixes in a prefix-list. Filter-list and prefix-list are used together
- In BGP, the ‘#’ number is not the number of the prefix list. It is something completely different called ‘ip as-path access-list #’ which is used to match the as-path attribute
- Say, if we want to filter out all routes that either originated in a particular AS (OR) passed through that particular AS, then, we will use the as-path access-list and then call this as-path access-list through the filter-list
- All NLRI (.ie. prefix/length) whose AS_PATHs are matches are considered to be a match
- Applying the as-path access-list to a neighbor is simple...BUT, creating the as-path access-list is the complicated part since it uses regular expressions to match the AS_PATHs
Distribute-list:
This command is also different
Note: ‘nbr’ above stands for ‘neighbor’
Example:
Distribute-lists reference standard or extended access-lists, which can match prefix with wildcard mask (or) prefix and prefix-length with wildcard mask, respectively
Filtering with distribute-list can be applied to a certain neighbor using the command ‘neighbor distribute-list’
Examples of distribute lists and prefix-lists
Distribute-list Example:
- We have the below routes in routing table...Let us use distribute-list to prevent 128.0.11.0/24
- We see that the neighbor (which is same as the next-hop here) is 11.11.11.11
- Now, before we configure the distribute-list against that neighbor, we need to create an ACL denying this IP
- ip access-list 1
deny 128.0.11.0 255.255.255.0
permit any any
- Now, we go into bgp process and apply the distribute-list with this ACL:
router bgp 12
Neighbor distribute-list 1 in #The ACL name is ‘1’ here
- Now, what this distribute-list will do is prevent 128.0.11.0/24 from entering the bgp table and permit everything else from that neighbor
- Now, for it to take effect, we need to run ‘clear ip bgp 11.11.11.11’
- Now, if we check in ‘show ip bgp’ we will not see that route. If it is not there in bgp table itself, it won’t be there even in our routing table
- Now, if we also wanted to filter out certain ip prefixes from being advertised to our bgp neighbor, the steps are the exact same...Just that we should use ‘out’ at the end of the command instead of ‘in’
Prefix-List Example:
- Let us filter out the 15.15.0.0/16 prefix in our routing table using prefix-list
- To create the prefix-list, do: ip prefix-list
deny <ip-prefix/subnetmask> le 30 - Here, we need to do:
- ip prefix-list INE deny 15.15.0.0/16 le 30
- ip prefix-list INE permit 0.0.0.0/0 le 32 #This is to prevent the implicit deny in prefix-list..needs to have the same name
- Then, we need to go into router bgp and apply it against a neighbor:
- neighbor 13.13.13.13 prefix-list INE in
- Then, we need to clear bgp of that neighbor and see that the route is not present in our bgp table
No comments:
Post a Comment