September 20, 2009

Filter networks with BGP

There are 3 easy ways to filter/restrict which networks are accepted from, or announced to, a remote/adjacent AS (Autonomous System) through BGP.

Those 3 simple ways are: prefix-list | Extended Access-list + Route-map | Extended Access-list + Distribute-list

To note: before we go on, I need to point out that an extended access list used with BGP (in a route-map or a distribute-list) is written almost the same way as a prefix-list. The two address fields no longer match a source and a destination address; the first field matches the network prefix and the second field matches the netmask.

Let’s assume in all 3 examples that we do not want to add the network 192.168.4.0/24 to our routing table when it is advertised by our eBGP peer in AS 64515.

  • in these examples, we are of course using private ASNs

1. Prefix-list

First we jump into global configuration mode and create a prefix-list named “DENY-PREFIX”. Entry 10 must be written as 192.168.4.0/24: without ge/le, a prefix-list entry matches only its own exact length, so a /25 entry would never match the /24 we want to drop.

border1#conf t
border1(config)#ip prefix-list DENY-PREFIX seq 10 deny 192.168.4.0/24
border1(config)#ip prefix-list DENY-PREFIX seq 20 permit 0.0.0.0/0 le 32
border1(config)#router bgp 64514
border1(config-router)#neighbor 192.168.10.1 remote-as 64515
border1(config-router)#neighbor 192.168.10.1 prefix-list DENY-PREFIX in
border1(config-router)#do wr

2. Extended access-list / Route-map

First, we create an extended access list in global config mode (the “source” is the network, the “destination” is its netmask)

border1#conf t
border1(config)#access-list 101 deny ip host 192.168.4.0 host 255.255.255.0
border1(config)#access-list 101 permit ip any any

We then proceed to create a route map (still in global config mode). Clause 20 permits whatever access-list 101 permits, i.e. everything except 192.168.4.0/24.

border1(config)#route-map NET-FILTER permit 20
border1(config-route-map)#match ip address 101

We jump back into global config mode, add a final deny clause that catches whatever clause 20 did not match, and apply the route-map inbound on the neighbor

border1(config)#route-map NET-FILTER deny 30
border1(config-route-map)#exit
border1(config)#router bgp 64514
border1(config-router)#neighbor 192.168.10.1 remote-as 64515
border1(config-router)#neighbor 192.168.10.1 route-map NET-FILTER in
border1(config-router)#do wr

3. Distribute-list

Similar to the route-map, we will be using an extended access list to accomplish the filtering.

We will be using the same access list we defined earlier for the route-map, which is access-list 101

border1(config)#router bgp 64514
border1(config-router)#neighbor 192.168.10.1 remote-as 64515
border1(config-router)#neighbor 192.168.10.1 distribute-list 101 in
border1(config-router)#do wr
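As an added example (not part of the original post and not Cisco code), here is a small Python model of the three match semantics used above, run against a few constructed NLRI: a prefix-list entry without ge/le matches one exact length (so the deny must be /24, a /25 entry would let the /24 through), the extended ACL compares the network to the “source” field and the netmask to the “destination” field, and the route-map simply wraps that ACL. The entry names DENY_PREFIX, ACL_101 and NET_FILTER mirror the post; the helper function names are my own.

```python
import ipaddress

def _wc_match(value, ref, wildcard):
    # Cisco wildcard comparison: bits set in the wildcard mask are "don't care"
    v, r, w = (int(ipaddress.ip_address(x)) for x in (value, ref, wildcard))
    return (v & ~w) == (r & ~w)

def prefix_list_permits(entries, prefix):
    """entries: (action, network, ge, le) in sequence order; first match wins,
    implicit deny at the end. Without ge/le an entry matches one exact length."""
    route = ipaddress.ip_network(prefix)
    for action, net, ge, le in entries:
        net = ipaddress.ip_network(net)
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (route.max_prefixlen if ge is not None else net.prefixlen)
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

def acl_permits(aces, prefix):
    """aces: (action, net, net_wildcard, mask, mask_wildcard). For BGP the
    'source' field is compared to the network and the 'destination' field to
    the netmask; 'host X' is wildcard 0.0.0.0, 'any' is 0.0.0.0 255.255.255.255."""
    route = ipaddress.ip_network(prefix)
    for action, net, net_wc, mask, mask_wc in aces:
        if (_wc_match(str(route.network_address), net, net_wc)
                and _wc_match(str(route.netmask), mask, mask_wc)):
            return action == "permit"
    return False

def route_map_permits(clauses, prefix):
    # clauses: (action, acl) in sequence order; a clause with no match
    # statement (acl=None) matches every route
    for action, acl in clauses:
        if acl is None or acl_permits(acl, prefix):
            return action == "permit"
    return False

# The filters from the post, plus a /25 prefix-list variant for contrast
DENY_PREFIX = [("deny", "192.168.4.0/24", None, None), ("permit", "0.0.0.0/0", None, 32)]
DENY_PREFIX_25 = [("deny", "192.168.4.0/25", None, None), ("permit", "0.0.0.0/0", None, 32)]
ACL_101 = [("deny", "192.168.4.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
           ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]
NET_FILTER = [("permit", ACL_101), ("deny", None)]

if __name__ == "__main__":
    for p in ("192.168.4.0/24", "192.168.4.0/25", "192.168.5.0/24"):  # constructed sample NLRI
        print(p, prefix_list_permits(DENY_PREFIX, p), prefix_list_permits(DENY_PREFIX_25, p),
              route_map_permits(NET_FILTER, p), acl_permits(ACL_101, p))
```

Note that IOS lets you apply either a prefix-list or a distribute-list to a given neighbor in one direction, not both, which is why the two share one slot in the order of preference below.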

- Final point

Remember that for inbound updates, the order of preference is:

  • route-map
  • filter-list
  • prefix-list/distribute-list

and for outbound updates:

  • prefix-list/distribute-list
  • filter-list
  • route-map