BGP Filtering- Part2:
Filter-List Example:
- Consider the AS-path for a route of Network-X to be 100 200 400 6678
- One thing to consider is no matter how big the AS_PATH, the beginning should have the ‘^’ symbol and end of every AS_PATH must have the ‘$’ sign
By using just there two symbols, we can create most common as-path access-lists. The ‘12’ in below examples can be any number.
Commonly used as-path access-list 1:
- The above permits any routes coming from AS 100 (irrespective of the path taken/origination)
- What the ‘_’ at the end does is it says I need to have a space after 100.
- If we hadn’t given that ‘_’, then, this will match 100, 1000, 10000, 1004, 10050…
Commonly used as-path access-list 2:
- This will match AS_PATHs with space followed by 6678 and nothing after 6678
Then, to apply the above created as-path access-list ‘12’, we go into router bgp:
router bgp
neighbor 1.1.1.1 filter-list 12 in/out
If we can remember ‘^’, ‘$’ and ‘_’, we can easily address 50% of the usecases of as-path access-lists...but there are other really complicated ones too
Note that as-path access-list is not just used for filtering. They can be also be used along with route-maps to match based on AS_PATH. If we need to match based on AS_PATH, then, as-path access-list is the only way. After matching, we can either use it with a filter-list (or) a route-map.
- Say, if we are getting the same routes from two neighbors in AS100 and AS200, and we want to add/modify the path attributes of routes from neighbor in AS200 to make it more preferable, we match it with as-path access-list and modify using route-maps
BGP Filtering using Route-Maps:
- Route-maps are very commonly used in BGP
- Route-maps can reference ACLs, prefix-lists, and as-path access-lists
- Route-maps can be used as just a simple filter...so, instead of using a distribute-list, I could just say ‘neighbor 1.1.1.1 route-map INE in’ and the route-map INE can either be looking at an access-list and permitting or denying...not changing anything...just a simple filter
- Route-maps are also applied against a neighbor like ‘neighbor
route-map
Common usecase of BGP filtering:
How do I prevent my AS from becoming a transit AS? I have two ways out...but that is for my redundancy/path-selection, not for becoming a transit AS
- This can be done by bgp route filtering to make sure that the only routes we advertise out are our own routes, and not advertising routes of one ISP to another ISP
- Example: Consider a case where we got our own subnet 130.130.0.0/16 from regional service provider, so as to avoid dependency on the ISP for our subnet
- In this case, it is very simple...we just need to advertise this subnet and can be done via a outbound distribute-list
- (The implicit deny will deny all the routes of ISP2 from being sent out)...That’s all is needed!
For the same question above, consider that the company is very big now and there is no hierarchy and we have subnets from various subnets...then, to create access-lists that would just match our network would be very difficult...For that we can alternatively, use the AS_PATH to match our routes using as-path access-list: since all the routes that are within our AS will have no AS_PATH while it is still inside our AS.
- People use this a lot:
- The above regex matches to None since there is no number between ‘^’ which is start and ‘$’ which is end
- So, it will match all routes that live within my AS….ie. AS_PATH is not yet created
- So, we can use a filter-list and match based on the as-path access-list which will ensure we advertise only our routes, since all routes which are sent by ISPs will have some AS_PATH:
Applying Filter without resetting BGP:
In a lab environment, in order to apply a bgp filter, we can do a hard reset of bgp neighborship to relearn/ re-advertise the routes and will be done based on the filters
In production, it is not recommended since bgp will go down for a few seconds
To avoid doing a hard reset, BGP also has the option of doing a soft reset which does not bring down the BGP/TCP connection.
Rather, it resends all outgoing updates (which will be adjusted as per the outbound filter) and reprocesses incoming updates (as per the inbound policy)
Clearing can be done for single neighbor or for all neighbors
Clearing can be done for both directions (inbound/outbound) or one direction can be specified
Two ways of doing soft reset:
- Old Way: Soft Reconfiguration
- Standardised way: Route Refresh capability
Soft Reconfiguration (inbound/outbound):
Say we have neighborships like below:
Say that we know in future we will be applying some filters to 1.1.1.1 neighbor
So, we will be putting the routes received from 1.1.1.1 in a separate shadow table before it goes into the bgp table
To get that to happen, we need to configure soft-reconfiguration via ‘neighbor
soft-reconfiguration inbound’ The above command tells our router to maintain separate space and memory just for his routes….though it takes more memory and space, here is the benefit of doing this:
- Say after sometime, we decide that we don’t want one route that was received from 1.1.1.1 and not send it to neighbor as well
- So, we configure the filter and then, instead of doing a hard bgp reset, we do a ‘clear ip bgp
soft in’ - What this does is it will take the bgp table created for that neighbor and run the newly applied filters over that separate routing table and whichever routes are left after filtering is pushed into bgp table
The neighbor shadow table will still have that route, but, we don’t use that table for anything else..we will only use the bgp table which is updated
The positive of this is lets us use filtering without resetting bgp, but, the negative side is if we have 10s of neighbors each advertising 10000 routes, we will be consuming a lot of memory!
For outbound filtering, we don’t need the neighbor
soft-reconfiguration inbound’ command since outbound will always take from bgp table...we just need to run ‘clear ip bgp soft out’ which will take the routes from my bgp table, run the filtering and send them route to my neighbor So, we need to decide initially whether we are going to filter routes in future and whether it will be inbound/outbound filtering. If inbound, then, we need to add additional command into router bgp. If outbound, no need any additional configs.
Route Refresh Capability:
- We saw that when BGP is initially being established, it will send a BGP Open message to each other. Apart from mandatory fields, there was also a Capability field which bgp uses to advertise its capabilities
- There is a capability called route refresh which is on by default
- Both the neighbors need to support this capability (or need to be on in both the neighbors)
- What the capability does is it doesn’t need any special configuration. After configuring any inbound filter, if we type ‘clear ip bgp
in’, then, the router sends a special message called ‘Route Refresh Request’ to the neighbor which essentially asks the neighbor to resend all of its routes - Since the neighbor was capable of that, he will resend all his routes and now the filter will take effect since it is getting new updates
- Also, ‘clear ip bgp out’ does the same as ‘clear ip bgp soft out’ which is take all the bgp routes from my routing table and send them to my neighbor once again
- Another interesting thing to note is if we did NOT configure soft-reconfiguration inside router bgp, but we execute ‘clear ip bgp soft in’, then, we will expect that since we are not maintaining a shadow table, we will not be doing anything. But, what actually happens now if it will send a Route-Refresh message to the neighbor even when using ‘soft in’
Thus, the different ways of clearing a bgp are:
Commands to show the effect of BGP route filtering:
- ‘Show ip bgp neighbor received-routes’ ---> Shows the routes in the neighbor shadow table for soft reconfiguration. This command will only work when soft-reconfiguration is enabled
- ‘Show ip bgp advertised-routes’
- ‘Show ip bgp’
No comments:
Post a Comment