Examples


Only Allow Networks Locally Originating from AS

For example, you want an AS to advertise only the routes it locally originates. In this case, you want R5 to advertise only its locally originated routes. Apply the following outbound filter on R5:

ip as-path access-list 1 permit ^$

A locally originated route carries an empty AS path, so the expression ^$ (start of string immediately followed by end of string) matches only those routes.

Only Allow Networks Originating from AS 600 to Enter R1

You want R1 to receive only the routes originated from AS 600 (and no Internet routes). You can apply an inbound access list on R1 as follows:

ip as-path access-list 1 permit ^600$

Only Allow Networks That Have Passed Through AS 600 to Enter AS 500

You want only the networks that have passed through AS 600 to enter AS 500 from R5. You can apply an inbound filter on R5.

ip as-path access-list 1 permit _600_

You can use an underscore (_) at the start and end of the input string in the ip as-path access-list command; it matches the boundary of an AS number. Note that this example does not use anchoring (there is no ^ or $), so it doesn't matter what autonomous systems come before and after AS 600.

Only Allow Networks Originated from AS 600, and AS's Directly Attached to AS 600, to Enter R1

You want AS 100 to get networks originated from AS 600 and all directly attached AS's of AS 600. Apply the following inbound filter on R1.

ip as-path access-list 1 permit ^600$
ip as-path access-list 1 permit ^600_[0-9]*$

In the ip as-path access-list command, the caret (^) anchors the start of the input string, and 600 designates AS 600. The underscore (_) means there is a null string (an AS-number boundary) in the string that follows AS 600. The [0-9]* specifies that any connected AS with a valid AS number can pass the filter. The advantage of using the [0-9]* syntax is that it gives you the flexibility to add any number of directly attached AS's without modifying this command string.


• Filter lists can be used to filter routes based on AS-path

• R4 will not accept advertisements with AS100 in the path

(Figure: topology labelled AS100 and AS400)

R4(config)# router bgp 400
R4(config-router)# neighbor 172.16.70.3 filter-list 1 in
R4(config-router)# exit
R4(config)# ip as-path access-list 1 deny _100_
R4(config)# ip as-path access-list 1 permit .*

© 2002, Cisco Systems, Inc. All rights reserved.

Cisco CCIE Prep v1.0—Module 8-81

Filtering can also be performed via the AS path. To filter using the AS path, use the neighbor filter-list command. The complete syntax is shown.

neighbor {ip-address | peer-group-name} filter-list as-path-list {in | out}

Although neighbor prefix-list can be used as an alternative to the neighbor distribute-list command, do not attempt to apply both neighbor prefix-list and neighbor distribute-list filtering to the same neighbor. Only one filter list can be used per neighbor per direction.

In the above example R1 is advertising several networks to R3, which is in turn advertising those networks to R4 along with some of its own networks.

If you look at R4's BGP table before any filtering, you see:

R4# show ip bgp
BGP table version is 27, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 3.3.2.0/24       172.16.70.3              0             0 300 i
*> 3.3.3.0/24       172.16.70.3              0             0 300 i
*> 3.3.4.0/24       172.16.70.3              0             0 300 i
*> 4.4.4.0/24       0.0.0.0                  0         32768 i
*> 30.30.30.0/24    172.16.70.3                            0 300 100 i
*> 172.16.11.0/24   172.16.70.3                            0 300 100 i
*> 172.16.12.0/24   172.16.70.3                            0 300 100 i
*> 172.16.13.0/24   172.16.70.3                            0 300 100 i
*> 172.16.14.0/24   172.16.70.3                            0 300 100 i
*> 172.16.15.0/24   172.16.70.3                            0 300 100 i
*> 172.16.16.0/24   172.16.70.3                            0 300 100 i
*> 172.16.17.0/24   172.16.70.3                            0 300 100 i
*> 172.16.18.0/24   172.16.70.3                            0 300 100 i
*> 172.16.19.0/24   172.16.70.3                            0 300 100 i
*> 172.16.20.0/24   172.16.70.3                            0 300 100 i
*> 172.16.21.0/24   172.16.70.3                            0 300 100 i

If at R4 you wanted to filter all networks with AS 100 in the path, you can use inbound AS path filtering.

R4(config)# router bgp 400
R4(config-router)# neighbor 172.16.70.3 filter-list 1 in
R4(config-router)# exit
R4(config)# ip as-path access-list 1 deny _100_
R4(config)# ip as-path access-list 1 permit .*

The neighbor filter-list command specifies that when R4 receives updates from neighbor 172.16.70.3 (R3), it first passes the updates through AS path access list 1.

R4(config-router)# neighbor 172.16.70.3 filter-list 1 in

The first as-path access-list command denies any route that has AS 100 in the path.

R4(config)# ip as-path access-list 1 deny _100_

The second as-path access-list command permits all other routes.

R4(config)# ip as-path access-list 1 permit .*

After clearing the BGP connection and performing a show ip bgp, you will see the following.

R4# show ip bgp
BGP table version is 14, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 3.3.2.0/24       172.16.70.3              0             0 300 i
*> 3.3.3.0/24       172.16.70.3              0             0 300 i
*> 3.3.4.0/24       172.16.70.3              0             0 300 i
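The AS-path expressions from the R5 examples (^$, ^600$, _600_, ^600_[0-9]*$) and R4's deny _100_ / permit .* list can be checked offline before they go on a router. This is an added example, not code from the page or from Cisco: it translates the IOS underscore (an AS-number boundary) into a standard regex alternation of my own and evaluates constructed sample AS paths against the page's expressions.

```python
import re

# IOS's "_" in an AS-path regex matches an AS-number boundary: start or end of
# the path, a space, or one of , { } ( ).  Standard re has no such token, so it
# is translated here (my own translation, not an IOS routine).
_BOUNDARY = r"(?:^|$|[ ,{}()])"

def as_path_matches(cisco_expr: str, as_path: str) -> bool:
    """True if the IOS-style expression matches an AS path such as "300 100"."""
    pattern = cisco_expr.replace("_", _BOUNDARY)
    # re.search, not fullmatch: the expression applies anywhere unless ^/$ anchor it.
    return re.search(pattern, as_path) is not None

def apply_as_path_acl(acl, as_path: str) -> bool:
    """Evaluate an ip as-path access-list top-down: the first matching entry
    decides, and a path that matches no entry is dropped (implicit deny)."""
    for action, expr in acl:
        if as_path_matches(expr, as_path):
            return action == "permit"
    return False

# R4's inbound filter from the page: drop anything with AS 100 in the path.
R4_ACL = [("deny", "_100_"), ("permit", ".*")]

# Constructed sample paths as R4 might receive them from R3 (AS 300); "" is a
# locally originated route, and "300 1100" shows that _100_ does not match 1100.
SAMPLE_PATHS = ["", "300", "300 100", "300 1100", "300 100 200"]

def filter_paths(acl, paths):
    """Return the subset of paths the access list permits, in order."""
    return [p for p in paths if apply_as_path_acl(acl, p)]

if __name__ == "__main__":
    candidates = ("", "600", "300 600", "600 200", "600 200 300", "3600")
    for expr in ("^$", "^600$", "_600_", "^600_[0-9]*$"):
        print(expr, [p for p in candidates if as_path_matches(expr, p)])
    print("R4 permits:", filter_paths(R4_ACL, SAMPLE_PATHS))
```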

Prefix List

• Prefix lists are an improved form of access lists useful in route filtering

R5(config)# router bgp 500

R5(config-router)# neighbor 172.16.56.6 remote-as 600

R5(config-router)# neighbor 172.16.56.6 prefix-list MYFILTER out

R5(config-router)# exit

R5(config)# ip prefix-list MYFILTER seq 5 deny 5.5.5.0/24

R5(config)# ip prefix-list MYFILTER seq 10 permit 0.0.0.0/0 le 32


© 2002, Cisco Systems, Inc. All rights reserved. Cisco CCIE Prep v1.0—Module 8-82

Another form of filtering is prefix list filtering. Here, you can filter inbound or outbound routes based on the IP address and mask length. Only one prefix list can be used per neighbor, per direction. Using a prefix list is an alternative to using a distribute list with an extended access list. Two commands work in conjunction to perform prefix filtering:

neighbor {ip-address | peer-group-name} prefix-list prefix-list-name {in | out}

ip prefix-list list-name [seq seq-value] {permit | deny} network/len [ge ge-value] [le le-value]

There are two ways to block one or more networks from a Border Gateway Protocol (BGP) peer based on prefix. The first method uses the distribute-list out command and the second method uses the ip prefix-list command. The sample scenario will show the ip prefix-list method.

In this configuration, the ip prefix-list command denies the address range 5.5.5.0/24 and matches (permits) everything else. Under the router bgp 100 statement, specify the neighbor prefix-list command for the peer that you want.

The neighbor prefix-list command specifies that you want to apply an outbound filter to updates directed to neighbor R6.

R5(config-router)# neighbor 172.16.56.6 prefix-list MYFILTER out

Prefix-list sequence 5 denies the specific prefix 5.5.5.0/24.

R5(config)# ip prefix-list MYFILTER seq 5 deny 5.5.5.0/24

Prefix-list sequence 10 permits all other prefixes.

R5(config)# ip prefix-list MYFILTER seq 10 permit 0.0.0.0/0 le 32

Using Prefix Lists

Prefix lists can be used as an alternative to access lists in many BGP route-filtering commands. The advantages of using prefix lists are:

■ Significant performance improvement in loading and route lookup of large lists

■ Support for incremental updates

— Filtering using extended access lists does not support incremental updates.

■ More user-friendly command-line interface

— The command-line interface for using access lists to filter BGP updates is difficult to understand and use, since it uses the packet-filtering format.

■ Greater flexibility

— Before using a prefix list in a command, you must set up a prefix list, and you may want to assign sequence numbers to the entries in the prefix list.

How the System Filters Traffic by Prefix List

Filtering by prefix list involves matching the prefixes of routes with those listed in the prefix list. When there is a match, the route is used. The matching is similar to that of the access list. More specifically, whether a prefix is permitted or denied is based upon the following rules:

■ An empty prefix list permits all prefixes.

■ An implicit deny is assumed if a given prefix does not match any entries of a prefix list.

■ When multiple entries of a prefix list match a given prefix, the entry with the lowest sequence number is considered to be the "real" match.

The router begins the search at the top of the prefix list, with the sequence number 1. Once a match or deny occurs, the router does not need to go through the rest of the prefix list. For efficiency, you may want to place the most common matches or denies near the top of the list, using the argument seq in the ip prefix-list command. The show commands always include the sequence numbers in their output.

Sequence numbers are generated automatically unless you disable this automatic generation. If you disable the automatic generation of sequence numbers, you must specify the sequence number for each entry using the seq-value argument of the ip prefix-list command.

Whether you use the default (automatically generated) sequence numbers or assign your own makes no difference to later maintenance, because a sequence number does not need to be specified when removing a configuration entry.

The optional keywords ge and le can be used to specify the range of the prefix length to be matched for prefixes that are more specific than network/len. An exact match is assumed when neither ge nor le is specified. The range is assumed to be from ge-value to 32 if only the ge attribute is specified, and from len to le-value if only the le attribute is specified.

A specified ge-value and/or le-value must satisfy the following condition: len < ge-value <= le-value <= 32

For example, to deny all prefixes matching /24 in 128.0.0.0/8, you would use:

ip prefix-list abc deny 128.0.0.0/8 ge 24 le 24
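As an added example that is not part of the original page, the following models the matching rules just described (sequence-number order, first match wins, exact match unless ge/le widen the length range, implicit deny, empty list permits all) and runs the page's MYFILTER and abc lists against constructed prefixes; the PrefixList class and the build_* helpers are my own names, not IOS code.

```python
import ipaddress

class PrefixList:
    """Minimal model of an IOS ip prefix-list: entries are evaluated in ascending
    sequence-number order and the first matching entry decides."""

    def __init__(self):
        self.entries = {}   # seq -> (action, network, min_len, max_len)

    def add(self, action, prefix, ge=None, le=None, seq=None):
        net = ipaddress.ip_network(prefix, strict=False)
        plen = net.prefixlen
        # Exact match unless ge/le are given; ge alone runs to /32, le alone starts at len.
        lo = ge if ge is not None else plen
        hi = le if le is not None else (32 if ge is not None else plen)
        # Enforce the page's condition: len < ge-value <= le-value <= 32.
        bad_ge = ge is not None and not plen < ge
        bad_le = le is not None and not plen < le
        if bad_ge or bad_le or not lo <= hi <= 32:
            raise ValueError(f"invalid prefix range for {net}")
        if seq is None:   # auto-numbering: 5 above the highest existing entry
            seq = max(self.entries, default=0) + 5
        self.entries[seq] = (action, net, lo, hi)

    def evaluate(self, prefix):
        """True if the prefix is permitted. An empty list permits everything;
        a prefix that matches no entry hits the implicit deny."""
        if not self.entries:
            return True
        target = ipaddress.ip_network(prefix, strict=False)
        for seq in sorted(self.entries):
            action, net, lo, hi = self.entries[seq]
            if target.subnet_of(net) and lo <= target.prefixlen <= hi:
                return action == "permit"
        return False

def build_myfilter():
    """R5's MYFILTER from the page: deny 5.5.5.0/24, permit everything else."""
    pl = PrefixList()
    pl.add("deny", "5.5.5.0/24")
    pl.add("permit", "0.0.0.0/0", le=32)
    return pl

def build_abc():
    """The abc list from the page: deny every /24 inside 128.0.0.0/8."""
    pl = PrefixList()
    pl.add("deny", "128.0.0.0/8", ge=24, le=24)
    return pl

if __name__ == "__main__":
    for p in ("5.5.5.0/24", "5.5.5.0/25", "4.4.4.0/24"):
        print("MYFILTER", p, build_myfilter().evaluate(p))
```

Note that the seq 5 deny without le matches only the exact /24, so a more specific 5.5.5.0/25 falls through to the permit entry; add le 32 to the deny if the whole range should be suppressed.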

Note You can specify sequence values for prefix list entries in any increments you want (the automatically generated numbers are incremented in units of 5). If you specify the sequence values in increments of 1, you cannot insert additional entries into the prefix list. If you choose very large increments, you could run out of sequence values.

To disable the automatic generation of sequence numbers, use the following command:

R5(config)# no ip prefix-list sequence-number

To delete a prefix list, use the following command in global configuration mode:

R5(config)# no ip prefix-list list-name

You can delete entries from a prefix list individually. To delete an entry in a prefix list, use the following command in global configuration mode:

R5(config)# no ip prefix-list list-name seq seq-value
