Route filtering in BGP

Best practice is not to trust your ISP: filter routes yourself, in case they forget to. Filter in both directions: inbound, so that a misconfigured or compromised peer cannot push prefixes you should never accept, and outbound, so that you never leak prefixes you are not authorised to originate. This post works through the outbound case. There are three common ways to filter: route maps, distribute lists and prefix lists. Below are examples of each, with the associated gotchas.

[Diagram: bgp-filtering. CUSTOMER (AS 65005, 169.254.0.2) peering with SERVICE (AS 65000, 169.254.0.1).]

In this example we are going to work on the CUSTOMER router and verify on the SERVICE router what it actually receives. Under BGP we can see the three options for route filtering:

CUSTOMER(config-router)#neighbor 169.254.0.1 ?
  …
  distribute-list          Filter updates to/from this neighbor
  prefix-list              Filter updates to/from this neighbor
  route-map                Apply route map to neighbor

Let’s take a look at the base BGP configuration on the CUSTOMER router and at our BGP peering.

CUSTOMER#sh run | sec bgp

router bgp 65005
no synchronization
bgp log-neighbor-changes
neighbor 169.254.0.1 remote-as 65000
neighbor 169.254.0.1 soft-reconfiguration inbound
no auto-summary

CUSTOMER#sh ip bgp sum

BGP router identifier 169.254.0.2, local AS number 65005
BGP table version is 4, main routing table version 4
1 network entries using 117 bytes of memory
1 path entries using 52 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 441 total bytes of memory
BGP activity 2/1 prefixes, 2/1 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd

169.254.0.1     4 65000      12      12        4    0    0 00:06:45        1

And on the SERVICE router side.

SERVICE#sh run | sec bgp

router bgp 65000
no synchronization
bgp log-neighbor-changes
redistribute static
neighbor 169.254.0.2 remote-as 65005
neighbor 169.254.0.2 soft-reconfiguration inbound
default-information originate
no auto-summary

SERVICE#sh ip bgp sum

BGP router identifier 169.254.0.1, local AS number 65000
BGP table version is 4, main routing table version 4
1 network entries using 117 bytes of memory
1 path entries using 52 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 417 total bytes of memory
BGP activity 2/1 prefixes, 2/1 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd

169.254.0.2     4 65005      10      10        4    0    0 00:04:17        0

SERVICE#sh ip bgp nei 169.254.0.2 received-routes

Total number of prefixes 0

We can see that we are peering, that the CUSTOMER router is getting one prefix (default route) and the SERVICE router is not learning any routes. So far so good.

Next we'll advertise three networks from the CUSTOMER router to the SERVICE router, using static routes to null0 redistributed into BGP.

CUSTOMER(config)#ip route 1.1.1.0 255.255.255.0 null0

CUSTOMER(config)#ip route 2.2.2.0 255.255.255.0 null0
CUSTOMER(config)#ip route 3.3.3.0 255.255.255.0 null0
CUSTOMER(config)#router bgp 65005
CUSTOMER(config-router)#redistribute static

Let's check and make sure we are advertising them.

CUSTOMER#sh ip bgp nei 169.254.0.1 advert

BGP table version is 5, local router ID is 169.254.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 1.1.1.0/24       0.0.0.0                  0         32768 ?
*> 2.2.2.0/24       0.0.0.0                  0         32768 ?
*> 3.3.3.0/24       0.0.0.0                  0         32768 ?

Total number of prefixes 3

CUSTOMER#

Then let’s see if the SERVICE router is learning them.

SERVICE#sh ip bgp nei 169.254.0.2 received-rout

BGP table version is 13, local router ID is 169.254.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 1.1.1.0/24       169.254.0.2              0             0 65005 ?
*> 2.2.2.0/24       169.254.0.2              0             0 65005 ?
*> 3.3.3.0/24       169.254.0.2              0             0 65005 ?

Total number of prefixes 3

SERVICE#

Everything looks good.

Let's start filtering. First we'll create the ACL and the prefix list we'll be using. We only want to advertise the 2.2.2.0/24 network; everything else should be dropped by the implicit deny at the end of both the ACL and the prefix list.

CUSTOMER(config)#access-list 10 remark Outbound BGP Filter

CUSTOMER(config)#access-list 10 permit 2.2.2.0 0.0.0.255
CUSTOMER(config)#ip prefix-list FILTER_OUT permit 2.2.2.0/24

Now for the filtering techniques.

First let’s try via a route map.

CUSTOMER(config)#route-map FILTER-ROUTES

CUSTOMER(config-route-map)#match ip address 10
CUSTOMER(config-route-map)#router bgp 65005
CUSTOMER(config-router)#nei 169.254.0.1 route-map FILTER-ROUTES out

Outbound policy changes do not apply to the running session until we clear it; clear ip bgp 169.254.0.1 soft out re-sends our updates without tearing the session down. Then we check what we are advertising.

CUSTOMER#sh ip bgp nei 169.254.0.1 advert

BGP table version is 5, local router ID is 169.254.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 2.2.2.0/24       0.0.0.0                  0         32768 ?

Total number of prefixes 1

We're only advertising one route. Let's see if the SERVICE router sees the same.

SERVICE#sh ip bgp nei 169.254.0.2 received-rout

BGP table version is 23, local router ID is 169.254.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 2.2.2.0/24       169.254.0.2              0             0 65005 ?

Total number of prefixes 1

That works!
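Checking the advertised-routes output by eye works for three prefixes, but not for a real export table, and the post shows the same check repeated after every change. The following is an added example (not part of the original post and not a Cisco tool): a small Python checker that parses the advertised-routes dump and compares it with the set of prefixes we intend to export. The three sample dumps are constructed to mirror the CUSTOMER router's output on this page (LEAKY adds a made-up 2.2.2.128/25 to show the more-specific case); the function names and the ALLOWED set are this example's own choices.

```python
"""Verify a Cisco IOS 'show ip bgp neighbors <peer> advertised-routes' dump
against the set of prefixes we intend to export.

Added example, not part of the original post and not a Cisco tool. The
sample dumps below are constructed to mirror the CUSTOMER router's output;
2.2.2.128/25 in LEAKY is made up to exercise the more-specific case.
"""
import ipaddress
import re

# A route line starts with status flags ("*>", "* ", "s>", "r>", ...) followed
# by network/length. Header, legend and "Total number" lines do not match.
# Classful networks that IOS prints without a mask are not handled here.
_ROUTE_LINE = re.compile(r"^[\s*>sdhriS]*?(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s")


def parse_advertised(show_output):
    """Return the set of IPv4 networks listed in the show output."""
    found = set()
    for line in show_output.splitlines():
        m = _ROUTE_LINE.match(line)
        if m:
            found.add(ipaddress.ip_network(m.group(1)))
    return found


def check_export(show_output, allowed):
    """Compare what is advertised with what is allowed.

    leaked        : advertised prefixes outside every allowed prefix
    more_specific : advertised prefixes inside an allowed prefix but longer
                    than it (a wildcard ACL lets these through, a prefix
                    list with an exact /len does not)
    missing       : allowed prefixes that are not being advertised at all
    """
    allowed_nets = {ipaddress.ip_network(a) for a in allowed}
    advertised = parse_advertised(show_output)
    leaked, more_specific = [], []
    for p in advertised:
        if p in allowed_nets:
            continue
        if any(p.subnet_of(a) for a in allowed_nets):
            more_specific.append(str(p))
        else:
            leaked.append(str(p))
    missing = [str(a) for a in allowed_nets if a not in advertised]
    return {
        "ok": not (leaked or more_specific or missing),
        "leaked": sorted(leaked),
        "more_specific": sorted(more_specific),
        "missing": sorted(missing),
    }


# Constructed samples, modelled on the CUSTOMER router's output on this page.
UNFILTERED = """\
BGP table version is 5, local router ID is 169.254.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       0.0.0.0                  0         32768 ?
*> 2.2.2.0/24       0.0.0.0                  0         32768 ?
*> 3.3.3.0/24       0.0.0.0                  0         32768 ?

Total number of prefixes 3
"""

FILTERED = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 2.2.2.0/24       0.0.0.0                  0         32768 ?

Total number of prefixes 1
"""

LEAKY = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 2.2.2.0/24       0.0.0.0                  0         32768 ?
*> 2.2.2.128/25     0.0.0.0                  0         32768 ?

Total number of prefixes 2
"""

ALLOWED = {"2.2.2.0/24"}  # what CUSTOMER is supposed to export

if __name__ == "__main__":
    for label, dump in (("unfiltered", UNFILTERED), ("filtered", FILTERED),
                        ("leaky", LEAKY)):
        print(label, check_export(dump, ALLOWED))
```

In practice you would feed it the output of the show command captured over SSH or from a config-management run, and treat any non-empty "leaked" or "more_specific" list as a failed check. The "more_specific" bucket is there because an ACL-based filter only looks at the network address, so a /25 carved out of 2.2.2.0/24 passes an ACL permit for 2.2.2.0 0.0.0.255 but not a prefix-list permit for 2.2.2.0/24.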

Now let's change the route map. Instead of specifying the ACL, we point match ip address at the name of the prefix list.

CUSTOMER(config)#route-map FILTER-ROUTES

CUSTOMER(config-route-map)#no match ip address 10
CUSTOMER(config-route-map)#match ip address FILTER_OUT

CUSTOMER#sh ip bgp nei 169.254.0.1 advert
BGP table version is 5, local router ID is 169.254.0.2

Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 1.1.1.0/24       0.0.0.0                  0         32768 ?
*> 2.2.2.0/24       0.0.0.0                  0         32768 ?
*> 3.3.3.0/24       0.0.0.0                  0         32768 ?

Total number of prefixes 3

Now it’s not filtering. All three networks are being advertised. Let’s verify by looking at the SERVICE router.

SERVICE#sh ip bgp nei 169.254.0.2 received-rout

BGP table version is 27, local router ID is 169.254.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 1.1.1.0/24       169.254.0.2              0             0 65005 ?
*> 2.2.2.0/24       169.254.0.2              0             0 65005 ?
*> 3.3.3.0/24       169.254.0.2              0             0 65005 ?

Total number of prefixes 3

It's getting all three networks. This is not because prefix lists cannot be used in route maps: match ip address FILTER_OUT refers to an ACL named FILTER_OUT, not to the prefix list, and since no such ACL exists IOS treats the match clause as matching every route, so the route map permits everything. The syntax that actually references the prefix list is match ip address prefix-list FILTER_OUT; written that way the route map filters exactly as the ACL version did.

Let's remove the route map and use the prefix-list command under BGP for filtering.

CUSTOMER(config)#router bgp 65005

CUSTOMER(config-router)#no neighbor 169.254.0.1 route-map FILTER-ROUTES out
CUSTOMER(config-router)# neighbor 169.254.0.1 prefix-list FILTER_OUT out

CUSTOMER#sh ip bgp nei 169.254.0.1 advert

BGP table version is 5, local router ID is 169.254.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 2.2.2.0/24       0.0.0.0                  0         32768 ?

Total number of prefixes 1

Filtering that way works. Let's verify on the SERVICE router.

SERVICE#sh ip bgp nei 169.254.0.2 received-rout

BGP table version is 31, local router ID is 169.254.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 2.2.2.0/24       169.254.0.2              0             0 65005 ?

Total number of prefixes 1

It all looks good. Next let's remove the prefix-list filter and use a distribute list. (IOS will not accept a distribute-list and a prefix-list on the same neighbor in the same direction, which is why one has to be removed before the other is applied.)

CUSTOMER(config-router)#no neighbor 169.254.0.1 prefix-list FILTER_OUT out
CUSTOMER(config-router)#neighbor 169.254.0.1 distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP access list number (expanded range)
  WORD         IP Access-list name

CUSTOMER(config-router)# neighbor 169.254.0.1 distribute-list 10 out

CUSTOMER#sh ip bgp nei 169.254.0.1 advert

BGP table version is 5, local router ID is 169.254.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 2.2.2.0/24       0.0.0.0                  0         32768 ?

Total number of prefixes 1

Looks good, lets check the SERVICE router.

SERVICE#sh ip bgp nei 169.254.0.2 received-rout

BGP table version is 31, local router ID is 169.254.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 2.2.2.0/24       169.254.0.2              0             0 65005 ?

Total number of prefixes 1

Looks good there too. Now let's change the distribute list from using the ACL to using the prefix list. If you type ? after distribute-list you will see that it only accepts an ACL number or an ACL name; there is no option for a prefix list. The router does not check that the name you enter here is actually a named ACL, and an ACL that does not exist filters nothing, so the following is accepted without complaint:

CUSTOMER(config)#router bgp 65005

CUSTOMER(config-router)#no  neighbor 169.254.0.1 distribute-list 10 out
CUSTOMER(config-router)# neighbor 169.254.0.1 distribute-list FILTER_OUT out

CUSTOMER#sh ip bgp nei 169.254.0.1 advert

BGP table version is 5, local router ID is 169.254.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 1.1.1.0/24       0.0.0.0                  0         32768 ?
*> 2.2.2.0/24       0.0.0.0                  0         32768 ?
*> 3.3.3.0/24       0.0.0.0                  0         32768 ?

Total number of prefixes 3

Now we are not filtering again. Let's verify on the SERVICE router.

SERVICE#sh ip bgp nei 169.254.0.2 received-rout

BGP table version is 35, local router ID is 169.254.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete

Network          Next Hop            Metric LocPrf Weight Path

*> 1.1.1.0/24       169.254.0.2              0             0 65005 ?
*> 2.2.2.0/24       169.254.0.2              0             0 65005 ?
*> 3.3.3.0/24       169.254.0.2              0             0 65005 ?

Total number of prefixes 3

A distribute list pointing at a prefix-list name will NOT filter: the name is looked up as an ACL, there is no ACL by that name, and a nonexistent ACL permits everything. The configuration is accepted silently; only checking what the neighbor actually receives shows the leak.

So what did we learn?

  • In a route map, match ip address <name> references an ACL (numbered or named). To match a prefix list from a route map, use match ip address prefix-list <name>.
  • neighbor … distribute-list accepts only an ACL; it cannot reference a prefix list at all.
  • neighbor … prefix-list is the direct way to apply a prefix list, and the prefix list is the better tool when the prefix length matters: a standard ACL tests only the network address, so permit 2.2.2.0 0.0.0.255 would also pass 2.2.2.0/25 or 2.2.2.0/30, while permit 2.2.2.0/24 matches the /24 only.
  • Referencing an ACL name that does not exist (which is what happened both times the prefix-list name was used) is accepted without error and filters nothing. After every filter change, check what the neighbor actually receives, not just what you think you are sending.
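To make the gotchas above reproducible off-box, here is an added example (not the post's own code and not a Cisco tool) that models how IOS evaluates the three lookups: a standard ACL used as a route filter tests only the network address against the wildcard mask, a prefix list tests both address and length (with optional ge/le), and an ACL name that does not exist is treated as permit-all by both the route map match and the distribute list. The page_scenario function rebuilds the CUSTOMER router's ACL 10 and prefix list FILTER_OUT and runs the three advertised prefixes through each lookup; 2.2.2.128/25 is a made-up extra candidate added to show the wildcard-mask difference. What IOS does with a neighbor prefix-list that references an undefined prefix list is not shown on this page, so the model deliberately raises an error for that case rather than guessing.

```python
"""Off-box model of the three IOS route-filter lookups discussed above.

Added example, not the post's own code and not a Cisco tool. It encodes the
behaviour observed on this page: distribute-list and 'match ip address'
resolve a name as an ACL and permit everything when no such ACL exists;
a standard ACL ignores the prefix length; a prefix list does not.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF
net = ipaddress.ip_network  # short alias for building test prefixes


class StandardAcl:
    """Numbered or named standard ACL: ordered entries, implicit deny at end.
    As a route filter, only the route's network address is tested against
    (address, wildcard); the prefix length is never examined."""

    def __init__(self):
        self.entries = []

    def add(self, action, address, wildcard):
        self.entries.append((action, int(ipaddress.IPv4Address(address)),
                             int(ipaddress.IPv4Address(wildcard))))
        return self

    def permits(self, prefix):
        addr = int(prefix.network_address)
        for action, base, wild in self.entries:
            # wildcard 1-bits are don't-care; compare the remaining bits
            if ((addr ^ base) & (ALL_ONES ^ wild)) == 0:
                return action == "permit"
        return False  # implicit deny


class PrefixList:
    """ip prefix-list: an entry matches when the first <len> bits agree AND
    the route's length is exactly <len>, unless ge/le widen the range."""

    def __init__(self):
        self.entries = []

    def add(self, action, prefix, ge=None, le=None):
        self.entries.append((action, net(prefix), ge, le))
        return self

    def permits(self, prefix):
        for action, base, ge, le in self.entries:
            lo = ge if ge is not None else base.prefixlen
            hi = le if le is not None else (32 if ge is not None else base.prefixlen)
            if prefix.subnet_of(base) and lo <= prefix.prefixlen <= hi:
                return action == "permit"
        return False  # implicit deny


class Router:
    def __init__(self):
        self.acls = {}          # "10" or "NAME" -> StandardAcl
        self.prefix_lists = {}  # "NAME" -> PrefixList

    def acl_permits(self, name, prefix):
        """neighbor X distribute-list <name> and match ip address <name>:
        <name> is looked up as an ACL only. IOS accepts any name, and when
        no such ACL exists the filter matches every route (nothing dropped)."""
        acl = self.acls.get(str(name))
        return True if acl is None else acl.permits(prefix)

    def prefix_list_permits(self, name, prefix):
        """neighbor X prefix-list <name> and match ip address prefix-list <name>.
        An undefined prefix list is not modelled (KeyError) because the page
        shows no such case."""
        return self.prefix_lists[name].permits(prefix)


def exported(lookup, name, candidates):
    """Prefixes that survive the given lookup, as sorted strings."""
    return sorted(str(p) for p in candidates if lookup(name, p))


def page_scenario():
    """CUSTOMER's ACL 10 and prefix list FILTER_OUT applied three ways.
    2.2.2.128/25 is a made-up extra candidate, not on the original page."""
    r = Router()
    r.acls["10"] = StandardAcl().add("permit", "2.2.2.0", "0.0.0.255")
    r.prefix_lists["FILTER_OUT"] = PrefixList().add("permit", "2.2.2.0/24")
    cands = [net(p) for p in ("1.1.1.0/24", "2.2.2.0/24", "3.3.3.0/24", "2.2.2.128/25")]
    return {
        "acl 10": exported(r.acl_permits, "10", cands),
        "acl FILTER_OUT (does not exist)": exported(r.acl_permits, "FILTER_OUT", cands),
        "prefix-list FILTER_OUT": exported(r.prefix_list_permits, "FILTER_OUT", cands),
    }


if __name__ == "__main__":
    for how, result in page_scenario().items():
        print(f"{how:32} -> {result}")
```

The first result shows why the ACL-based route map and distribute list on this page appeared to work: with only /24s in the table there was nothing for the wildcard mask to let through, but the made-up 2.2.2.128/25 slips past the ACL and is stopped by the prefix list. The second result is the "filters nothing" outcome seen twice on the page when the prefix-list name was handed to an ACL lookup.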
