Date created: Friday, August 9, 2013 9:51:35 AM. Last modified: Monday, September 25, 2017 11:53:24 AM
Basic filtering with communities, route-maps and prefix-lists
Examples of filtering downstream announcements, or announcements between peers, using communities, prefix lists and route maps. They show that prefix lists are not as scalable as BGP communities for tagging prefixes and filtering on those tags.
Cust1 and Cust2 receive default-only routes from pe1, and pe1 tags prefixes that are on-net for AS65000 with no-export; the border routers announce the supernet routes (10.65.x.x is used internally and 58.58.58.x is AS65000's public address space):
pe1:

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.65.11.2 remote-as 65001
 neighbor 10.65.11.2 next-hop-self
 neighbor 10.65.11.2 default-originate
 neighbor 10.65.11.2 prefix-list PL-DEFAULT-ONLY out
 neighbor 10.65.11.2 route-map RM-DEFAULT-ONLY-CUSTOMERS-IN in
 neighbor 10.65.12.2 remote-as 65002
 neighbor 10.65.12.2 next-hop-self
 neighbor 10.65.12.2 default-originate
 neighbor 10.65.12.2 prefix-list PL-DEFAULT-ONLY out
 neighbor 10.65.12.2 route-map RM-DEFAULT-ONLY-CUSTOMERS-IN in
!
ip prefix-list PL-AS65000-ON-NET seq 5 deny 10.65.0.0/16 le 32
ip prefix-list PL-AS65000-ON-NET seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list PL-DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map RM-DEFAULT-ONLY-CUSTOMERS-IN permit 10
 match ip address prefix-list PL-AS65000-ON-NET
 set community no-export
pe1 also provides connectivity for cust3, a full-table customer that has another upstream provider (AS20). AS65000 is the less preferred provider, and it accepts BGP communities from transit customers (AS3000) to let them control AS-path prepending, again using BGP communities:
pe1:

router bgp 65000
 neighbor 10.65.13.2 remote-as 3000
 neighbor 10.65.13.2 description Full table customer
 neighbor 10.65.13.2 next-hop-self
 neighbor 10.65.13.2 prefix-list PL-AS65000-ON-NET out
 neighbor 10.65.13.2 route-map RM-TRANSIT-CUSTOMER-IN in
!
ip bgp-community new-format
ip community-list standard as-prepend-65000-3times permit 65000:3000
ip community-list standard as-prepend-65000-2times permit 65000:2000
ip community-list standard as-prepend-65000-1times permit 65000:1000
ip community-list standard as-prepend-65000-0times permit 65000:500
!
ip prefix-list PL-AS65000-ON-NET seq 5 deny 10.65.0.0/16 le 32
ip prefix-list PL-AS65000-ON-NET seq 10 permit 0.0.0.0/0 le 32
!
route-map RM-TRANSIT-CUSTOMER-IN permit 5
 description Lower local_pref for direct peers, but as-prepend for upstream peers
 continue 10
 set local-preference 1000
!
route-map RM-TRANSIT-CUSTOMER-IN permit 10
 match community as-prepend-65000-3times
 continue 20
 set as-path prepend 65000 65000 65000
!
route-map RM-TRANSIT-CUSTOMER-IN permit 20
 match community as-prepend-65000-2times
 continue 30
 set as-path prepend 65000 65000
!
route-map RM-TRANSIT-CUSTOMER-IN permit 30
 match community as-prepend-65000-1times
 continue 40
 set as-path prepend 65000
!
route-map RM-TRANSIT-CUSTOMER-IN permit 40
 description Do nothing for prepend-0times just tag the routes for upstream export
br1 sets the community 65000:666 on routes received from transit provider 1 so that they are not sent out via transit provider 2 (br2 does the reverse). It also filters outbound announcements:
br1:

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute static route-map RM-TAG-AS65000-SUPERNETS
 neighbor AS65000-PEERS peer-group
 neighbor AS65000-PEERS remote-as 65000
 neighbor AS65000-PEERS update-source Loopback0
 neighbor AS65000-PEERS route-reflector-client
 neighbor AS65000-PEERS send-community
 neighbor 10.0.0.2 peer-group AS65000-PEERS
 neighbor 10.0.1.2 peer-group AS65000-PEERS
 neighbor 10.10.0.1 remote-as 10
 neighbor 10.10.0.1 next-hop-self
 neighbor 10.10.0.1 route-map RM-AS10-TRANSIT-IN in
 neighbor 10.10.0.1 route-map RM-AS10-TRANSIT-OUT out
 no auto-summary
!
ip forward-protocol nd
ip route 58.58.58.0 255.255.255.0 Null0 250 tag 65000 name AS65000-SUPERNETS
!
ip bgp-community new-format
ip community-list standard AS65000-PREFIXES permit 65000:65000
!
ip prefix-list PL-TRANSIT-CUSTOMERS-AND-SUPERNETS seq 5 permit 58.58.58.0/24
ip prefix-list PL-TRANSIT-CUSTOMERS-AND-SUPERNETS seq 10 permit 60.0.0.60/32
!
ip prefix-list PL-TRANSIT-CUSTOMERS-SUPERNETS description deny local prefixes and allow everything else
!
route-map RM-TAG-AS65000-SUPERNETS permit 10
 description Tag AS65000 prefixes for announcement to upstreams
 match tag 65000
 set community 65000:65000
!
route-map RM-AS10-TRANSIT-OUT deny 10
 match community 65000:666
!
route-map RM-AS10-TRANSIT-OUT permit 20
 match ip address prefix-list PL-TRANSIT-CUSTOMERS-AND-SUPERNETS
!
route-map RM-AS10-TRANSIT-IN permit 10
 set local-preference 200
br2 performs the corresponding filtering towards its upstream provider, letting through routes tagged as transit-customer or local public prefixes (community list AS-65000-UPSTREAM-FILTER), and also filters the routes sent to peer networks:
br2:

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor AS65000-PEERS peer-group
 neighbor AS65000-PEERS remote-as 65000
 neighbor AS65000-PEERS description Internal AS iBGP Peers
 neighbor AS65000-PEERS update-source Loopback0
 neighbor AS65000-PEERS route-reflector-client
 neighbor AS65000-PEERS send-community
 neighbor AS-PEERS peer-group
 neighbor AS-PEERS description External Peers
 neighbor AS-PEERS next-hop-self
 neighbor AS-PEERS prefix-list PL-AS65000-SUPERNETS out
 neighbor AS-PEERS route-map RM-PREFER-ASPEER-IN in
 neighbor 10.0.0.1 peer-group AS65000-PEERS
 neighbor 10.20.0.1 remote-as 20
 neighbor 10.20.0.1 next-hop-self
 neighbor 10.20.0.1 route-map RM-AS20-TRANSIT-IN in
 neighbor 10.20.0.1 route-map RM-AS20-TRANSIT-OUT out
 neighbor 10.100.0.1 remote-as 100
 neighbor 10.100.0.1 peer-group AS-PEERS
 neighbor 10.200.0.1 remote-as 200
 neighbor 10.200.0.1 peer-group AS-PEERS
 no auto-summary
!
ip route 58.58.58.0 255.255.255.0 Null0 250 tag 65000 name AS65000-SUPERNETS
!
ip bgp-community new-format
ip community-list standard AS-65000-UPSTREAM-FILTER permit 65000:3000
ip community-list standard AS-65000-UPSTREAM-FILTER permit 65000:2000
ip community-list standard AS-65000-UPSTREAM-FILTER permit 65000:1000
ip community-list standard AS-65000-UPSTREAM-FILTER permit 65000:500
ip community-list standard AS-65000-UPSTREAM-FILTER deny 65000:666
ip community-list standard AS-65000-UPSTREAM-FILTER permit 65000:65000
!
ip prefix-list PL-AS65000-SUPERNETS description Only advertise AS65000 public supernet routes
ip prefix-list PL-AS65000-SUPERNETS seq 5 permit 58.58.58.0/24
ip prefix-list PL-AS65000-SUPERNETS seq 10 permit 60.0.0.60/32
!
ip prefix-list PL-TRANSIT-CUSTOMERS-SUPERNETS description deny local prefixes and allow everything else
!
route-map RM-AS20-TRANSIT-OUT permit 10
 match community AS-65000-UPSTREAM-FILTER
!
route-map RM-PREFER-ASPEER-IN permit 10
 set local-preference 200
!
route-map RM-AS20-TRANSIT-IN permit 10
 description Prefer transit1 provider
 set local-preference 100
 set community 65000:666
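The following is an added example, not code from the page: a small Python model of pe1's RM-TRANSIT-CUSTOMER-IN (the community-driven prepending above) and br2's RM-AS20-TRANSIT-OUT (the AS-65000-UPSTREAM-FILTER export check), so the effect of each community tag can be checked offline. The community-list first-match and route-map continue semantics it encodes are assumptions stated in the comments.

```python
# Added example (not code from the page): a toy model of the IOS route-map and
# community-list behaviour behind pe1's RM-TRANSIT-CUSTOMER-IN and br2's
# RM-AS20-TRANSIT-OUT. Assumed: community-lists are first-match with an
# implicit deny; 'continue <seq>' keeps set actions and resumes at clause <seq>.
# Community-lists from the page, as ordered (action, communities) entries.
COMMUNITY_LISTS = {
    "as-prepend-65000-3times": [("permit", {"65000:3000"})],
    "as-prepend-65000-2times": [("permit", {"65000:2000"})],
    "as-prepend-65000-1times": [("permit", {"65000:1000"})],
    "AS-65000-UPSTREAM-FILTER": [
        ("permit", {"65000:3000"}), ("permit", {"65000:2000"}),
        ("permit", {"65000:1000"}), ("permit", {"65000:500"}),
        ("deny", {"65000:666"}), ("permit", {"65000:65000"}),
    ],
}

def match_community(list_name, communities):
    """First entry whose communities are all present on the route decides."""
    for action, wanted in COMMUNITY_LISTS[list_name]:
        if wanted <= communities:
            return action == "permit"
    return False                                  # implicit deny

# RM-TRANSIT-CUSTOMER-IN clauses: (seq, community-list or None, sets, continue)
RM_TRANSIT_CUSTOMER_IN = [
    (5,  None,                      {"local_pref": 1000}, 10),
    (10, "as-prepend-65000-3times", {"prepend": 3},       20),
    (20, "as-prepend-65000-2times", {"prepend": 2},       30),
    (30, "as-prepend-65000-1times", {"prepend": 1},       40),
    (40, None,                      {},                   None),
]

def transit_customer_in(communities):
    """Return (accepted, attributes) for a route received from AS3000."""
    attrs, accepted, resume_at = {"local_pref": 100, "prepend": 0}, False, 0
    for seq, clist, sets, cont in RM_TRANSIT_CUSTOMER_IN:
        if seq < resume_at:                       # skipped over by 'continue'
            continue
        if clist and not match_community(clist, communities):
            continue                              # no match, try next clause
        accepted = True
        attrs.update(sets)     # toy: a later clause overwrites the same attribute
        if cont is None:
            break
        resume_at = cont
    return accepted, attrs

def exported_to_as20(communities):      # br2's RM-AS20-TRANSIT-OUT permit 10
    return match_community("AS-65000-UPSTREAM-FILTER", communities)
```

Under these semantics an untagged customer route is still accepted by pe1 with local-preference 1000 (clause 40 matches everything) but is never exported to AS20, while a route carrying both 65000:3000 and 65000:666 is exported because the permit entry is evaluated before the deny entry; placing the deny 65000:666 entry first in the community-list removes that case.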