Filter networks with BGP
There are three straightforward ways to filter or restrict which networks are accepted from or announced to a remote/adjacent AS (Autonomous System) through BGP.
Those three methods are: prefix-list | extended access-list + route-map | extended access-list + distribute-list
Note: before we go on, creating an extended access list for use with BGP (route-map, distribute-list) is almost the same as creating a prefix-list. In that context the access list no longer matches a source and a destination address; its "source" part is compared with the network prefix and its "destination" part with the netmask.
Let's assume that in all three examples we do not want to add the network 192.168.4.0/24 to our routing table when it is advertised by our eBGP peer in AS 64515.
* In this example we are of course using private ASNs.
1. Prefix-list
First we enter global configuration mode and create a prefix-list named "DENY-PREFIX" that denies the /24 and permits every other prefix of any length:
border1#conf t
border1(config)#ip prefix-list DENY-PREFIX seq 10 deny 192.168.4.0/24
border1(config)#ip prefix-list DENY-PREFIX seq 20 permit 0.0.0.0/0 le 32
border1(config)#router bgp 64514
border1(config-router)#neighbor 192.168.10.1 remote-as 64515
border1(config-router)#neighbor 192.168.10.1 prefix-list DENY-PREFIX in
border1(config-router)#do wr
2. Extended access-list / Route-map
First, we create an extended access list in global config mode; the "source" part is the network and the "destination" part is its mask:
border1#conf t
border1(config)#access-list 101 deny ip host 192.168.4.0 host 255.255.255.0
border1(config)#access-list 101 permit ip any any
We then create a route map (still in global config mode) whose permit clause matches the access list, so only prefixes the ACL permits pass:
border1(config)#route-map NET-FILTER permit 20
border1(config-route-map)#match ip address 101
border1(config-route-map)#exit
We jump back into global config mode and add an explicit deny clause for everything else:
border1(config)#route-map NET-FILTER deny 30
border1(config-route-map)#exit
border1(config)#router bgp 64514
border1(config-router)#neighbor 192.168.10.1 remote-as 64515
border1(config-router)#neighbor 192.168.10.1 route-map NET-FILTER in
border1(config-router)#do wr
3. Distribute-list
Similar to the route-map, we use an extended access list to do the filtering.
We will use the same access list we defined earlier for the route map, access-list 101:
border1(config)#router bgp 64514
border1(config-router)#neighbor 192.168.10.1 remote-as 64515
border1(config-router)#neighbor 192.168.10.1 distribute-list 101 in
border1(config-router)#do wr
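The three filters above expressed as a small simulator, added here as an example; it is not part of the original post and not Cisco code. It models the IOS matching rules the three methods rely on: a prefix-list entry matches a route only when the route lies inside the entry's network and its length is within the entry's ge/le window (an entry without ge/le matches that exact length only), and an extended ACL used by a distribute-list or route-map compares its "source" fields with the route's network and its "destination" fields with the subnet mask. The advertised prefixes are constructed sample input; DENY-PREFIX, access-list 101 and NET-FILTER carry the values from the post. A second prefix-list with a /25 entry (DENY_PREFIX_WRONG_LEN, an assumed name) shows that an entry of the wrong exact length silently lets the /24 through.

```python
import ipaddress

# Constructed sample input: prefixes we assume the eBGP peer in AS 64515 advertises.
ADVERTISED = [
    "192.168.4.0/24",   # the network the post wants to keep out of the table
    "192.168.4.0/25",   # a more-specific of it, to show exact-length matching
    "192.168.5.0/24",
    "10.0.0.0/8",
]

# ip prefix-list DENY-PREFIX (from the post): deny 192.168.4.0/24, permit everything else.
DENY_PREFIX = [
    {"seq": 10, "action": "deny", "prefix": "192.168.4.0/24"},
    {"seq": 20, "action": "permit", "prefix": "0.0.0.0/0", "le": 32},
]

# Same list with a /25 entry (assumed, for illustration): the /24 is not matched by it.
DENY_PREFIX_WRONG_LEN = [
    {"seq": 10, "action": "deny", "prefix": "192.168.4.0/25"},
    {"seq": 20, "action": "permit", "prefix": "0.0.0.0/0", "le": 32},
]

# access-list 101 (from the post). 'host' means a wildcard of 0.0.0.0 (exact match),
# 'any' a wildcard of 255.255.255.255 (match all).
ACL_101 = [
    {"action": "deny", "net": "192.168.4.0", "net_wc": "0.0.0.0",
     "mask": "255.255.255.0", "mask_wc": "0.0.0.0"},
    {"action": "permit", "net": "0.0.0.0", "net_wc": "255.255.255.255",
     "mask": "0.0.0.0", "mask_wc": "255.255.255.255"},
]

# route-map NET-FILTER (from the post): permit 20 matches ACL 101, deny 30 catches the rest.
NET_FILTER = [
    {"seq": 20, "action": "permit", "match_acl": ACL_101},
    {"seq": 30, "action": "deny"},
]


def _length_window(entry):
    """Prefix lengths an entry accepts: none -> exact; ge N -> N..32; le M -> len..M; ge N le M -> N..M."""
    net = ipaddress.ip_network(entry["prefix"])
    ge, le = entry.get("ge"), entry.get("le")
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    else:
        hi = net.max_prefixlen if ge is not None else net.prefixlen
    return net, lo, hi


def prefix_list_permits(prefix_list, route):
    """Ordered prefix-list evaluation: first matching entry decides, implicit deny at the end."""
    r = ipaddress.ip_network(route)
    for entry in sorted(prefix_list, key=lambda e: e["seq"]):
        net, lo, hi = _length_window(entry)
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return entry["action"] == "permit"
    return False


def _wildcard_match(value, pattern, wildcard):
    """Cisco wildcard compare: a set bit in the wildcard means 'don't care'."""
    v, p, w = (int(ipaddress.ip_address(str(x))) for x in (value, pattern, wildcard))
    return (v & ~w) == (p & ~w)


def extended_acl_permits(acl, route):
    """Extended ACL as a BGP distribute-list reads it: network vs mask, implicit deny at the end."""
    r = ipaddress.ip_network(route)
    for ace in acl:
        if (_wildcard_match(r.network_address, ace["net"], ace["net_wc"])
                and _wildcard_match(r.netmask, ace["mask"], ace["mask_wc"])):
            return ace["action"] == "permit"
    return False


def route_map_permits(route_map, route):
    """Route-map evaluation: 'match ip address <acl>' matches only routes the ACL permits, a clause
    without a match statement matches everything; first matching clause decides, else implicit deny."""
    for clause in sorted(route_map, key=lambda c: c["seq"]):
        acl = clause.get("match_acl")
        if acl is None or extended_acl_permits(acl, route):
            return clause["action"] == "permit"
    return False


def accepted_routes(method, advertised=ADVERTISED):
    """Apply one of the three inbound filters from the post; return the prefixes that reach the table."""
    checks = {
        "prefix-list": lambda r: prefix_list_permits(DENY_PREFIX, r),
        "route-map": lambda r: route_map_permits(NET_FILTER, r),
        "distribute-list": lambda r: extended_acl_permits(ACL_101, r),
    }
    return sorted(r for r in advertised if checks[method](r))


if __name__ == "__main__":
    for method in ("prefix-list", "route-map", "distribute-list"):
        print(f"{method:16s} accepts {accepted_routes(method)}")
    print("wrong-length /25 entry lets 192.168.4.0/24 through:",
          prefix_list_permits(DENY_PREFIX_WRONG_LEN, "192.168.4.0/24"))
```

All three methods yield the same accepted set for the sample input, which is the point of the post: they are interchangeable ways of writing one inbound policy. The /25 variant is why the prefix length in a deny entry has to match the advertised length exactly (or carry a ge/le range): a route that does not match any entry falls through to the permit-all entry.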
Final point
Remember that for inbound updates the order of preference is:
- route-map
- filter-list
- prefix-list/distribute-list
and for outbound updates:
- prefix-list/distribute-list
- filter-list
- route-map