Date created: 08/09/13 09:51:35. Last modified: 09/25/17 11:53:24

Basic filtering with communities, route-maps and prefix-lists

Examples of filtering downstream announcements, or announcements between peers, using communities, prefix lists and route maps. It can be seen that prefix lists don't scale as well as BGP communities for tagging prefixes and filtering on those tags: br1 below has to list every transit customer prefix explicitly in its outbound prefix list, whereas br2 matches communities that were set once at the customer edge.

Cust1 and Cust2 receive only a default route from pe1. pe1 tags the prefixes they announce (routes that are on-net for AS65000) with no-export so they stay inside the AS, and the border routers announce the supernet routes instead (10.65.x.x is used internally and 58.58.58.x is AS65000's public address space). The inbound prefix list also denies anything inside 10.65.0.0/16, so a customer cannot inject routes for the internal range: such prefixes match no route-map clause and are dropped;

pe1:
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.65.11.2 remote-as 65001
 neighbor 10.65.11.2 next-hop-self
 neighbor 10.65.11.2 default-originate
 neighbor 10.65.11.2 prefix-list PL-DEFAULT-ONLY out
 neighbor 10.65.11.2 route-map RM-DEFAULT-ONLY-CUSTOMERS-IN in
 neighbor 10.65.12.2 remote-as 65002
 neighbor 10.65.12.2 next-hop-self
 neighbor 10.65.12.2 default-originate
 neighbor 10.65.12.2 prefix-list PL-DEFAULT-ONLY out
 neighbor 10.65.12.2 route-map RM-DEFAULT-ONLY-CUSTOMERS-IN in

ip prefix-list PL-AS65000-ON-NET seq 5 deny 10.65.0.0/16 le 32
ip prefix-list PL-AS65000-ON-NET seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list PL-DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map RM-DEFAULT-ONLY-CUSTOMERS-IN permit 10
 match ip address prefix-list PL-AS65000-ON-NET
 set community no-export
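
The prefix-list semantics above are the easy thing to get wrong: `permit 0.0.0.0/0` matches only the default route itself, while `permit 0.0.0.0/0 le 32` matches every IPv4 prefix. The following Python is an added example, not code from the page or from any Cisco tool: it implements IOS prefix-list matching (exact length without `ge`/`le`, a length window with them, first match wins, implicit deny at the end) and runs pe1's two lists over sample prefixes. The candidate prefixes 192.0.2.0/24 and 0.0.0.0/1 are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# pe1's two prefix lists, copied from the configuration above.
PE1_PREFIX_LIST_CONFIG = """\
ip prefix-list PL-AS65000-ON-NET seq 5 deny 10.65.0.0/16 le 32
ip prefix-list PL-AS65000-ON-NET seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list PL-DEFAULT-ONLY seq 5 permit 0.0.0.0/0
"""


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str                    # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None       # IOS "ge": minimum length of a matching route
    le: Optional[int] = None       # IOS "le": maximum length of a matching route

    def matches(self, candidate: ipaddress.IPv4Network) -> bool:
        # The route must lie inside the entry's prefix ...
        if not candidate.subnet_of(self.prefix):
            return False
        # ... and its length must fall in the window. Without ge/le IOS
        # requires an exact length match, which is why "permit 0.0.0.0/0"
        # matches only the default route.
        if self.ge is None and self.le is None:
            return candidate.prefixlen == self.prefix.prefixlen
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else 32
        return low <= candidate.prefixlen <= high


def parse_prefix_lists(config: str) -> dict[str, list[PrefixListEntry]]:
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' lines;
    '!' separators and 'description' lines are skipped."""
    lists: dict[str, list[PrefixListEntry]] = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or "seq" not in tok:
            continue
        name, seq, action = tok[2], int(tok[4]), tok[5]
        net = ipaddress.ip_network(tok[6], strict=False)
        ge = int(tok[tok.index("ge") + 1]) if "ge" in tok else None
        le = int(tok[tok.index("le") + 1]) if "le" in tok else None
        lists.setdefault(name, []).append(PrefixListEntry(seq, action, net, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)      # IOS evaluates in sequence order
    return lists


def prefix_list_permits(entries: list[PrefixListEntry], prefix: str) -> bool:
    """First matching entry decides; an IOS prefix list ends in an implicit deny."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry.matches(candidate):
            return entry.action == "permit"
    return False


PE1_LISTS = parse_prefix_lists(PE1_PREFIX_LIST_CONFIG)


def pe1_inbound_action(prefix: str) -> str:
    """RM-DEFAULT-ONLY-CUSTOMERS-IN: a prefix the list permits is accepted and
    tagged no-export; one it denies matches no clause and is dropped."""
    if prefix_list_permits(PE1_LISTS["PL-AS65000-ON-NET"], prefix):
        return "accept, set community no-export"
    return "drop"


def pe1_outbound(prefixes: list[str]) -> list[str]:
    """PL-DEFAULT-ONLY out: what a default-only customer actually receives."""
    return [p for p in prefixes if prefix_list_permits(PE1_LISTS["PL-DEFAULT-ONLY"], p)]


if __name__ == "__main__":
    # Constructed sample announcements, not taken from the page.
    for p in ("192.0.2.0/24", "10.65.99.0/24", "10.65.0.0/16"):
        print(p, "->", pe1_inbound_action(p))
    print(pe1_outbound(["0.0.0.0/0", "0.0.0.0/1", "58.58.58.0/24"]))
```

Running it shows 192.0.2.0/24 accepted with no-export, both 10.65.99.0/24 and 10.65.0.0/16 dropped, and only 0.0.0.0/0 surviving the outbound list: 0.0.0.0/1 lies inside 0.0.0.0/0 but fails the exact-length test, which is the behaviour that keeps a default-only customer from receiving anything but the default.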

pe1 also provides connectivity for cust3 (AS3000), a full-table customer that has a second upstream provider (AS20) and prefers it, so AS65000 is the less preferred provider. AS65000 accepts BGP communities from transit customers so they can control how many times AS65000 is prepended when their routes are announced to AS65000's upstreams, again using BGP communities. Note that RM-TRANSIT-CUSTOMER-IN only matches on those communities; it has no prefix-list or AS-path match, so it accepts whatever AS3000 announces and gives it local preference 1000;

pe1:
router bgp 65000
 neighbor 10.65.13.2 remote-as 3000
 neighbor 10.65.13.2 description Full table customer
 neighbor 10.65.13.2 next-hop-self
 neighbor 10.65.13.2 prefix-list PL-AS65000-ON-NET out
 neighbor 10.65.13.2 route-map RM-TRANSIT-CUSTOMER-IN in
!
ip bgp-community new-format
ip community-list standard as-prepend-65000-3times permit 65000:3000
ip community-list standard as-prepend-65000-2times permit 65000:2000
ip community-list standard as-prepend-65000-1times permit 65000:1000
ip community-list standard as-prepend-65000-0times permit 65000:500
!
route-map RM-TRANSIT-CUSTOMER-IN permit 5
 description Lower local_pref for direct peers, but as-prepend for upstream peers
 continue 10
 set local-preference 1000
!
ip prefix-list PL-AS65000-ON-NET seq 5 deny 10.65.0.0/16 le 32
ip prefix-list PL-AS65000-ON-NET seq 10 permit 0.0.0.0/0 le 32
!
route-map RM-TRANSIT-CUSTOMER-IN permit 10
 match community as-prepend-65000-3times
 continue 20
 set as-path prepend 65000 65000 65000
!
route-map RM-TRANSIT-CUSTOMER-IN permit 20
 match community as-prepend-65000-2times
 continue 30
 set as-path prepend 65000 65000
!
route-map RM-TRANSIT-CUSTOMER-IN permit 30
 match community as-prepend-65000-1times
 continue 40
 set as-path prepend 65000
!
route-map RM-TRANSIT-CUSTOMER-IN permit 40
 description Do nothing for prepend-0times just tag the routes for upstream export

br1 tags routes learnt from transit provider 1 (AS10) with community 65000:666 so that br2 doesn't send them out via transit provider 2, and br2 does the same for routes learnt from transit provider 2 (AS20) so that br1 doesn't re-announce those to AS10. br1 also filters its outbound announcements to AS10 down to the supernets and transit customer prefixes with a prefix list;

br1:
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute static route-map RM-TAG-AS65000-SUPERNETS
 neighbor AS65000-PEERS peer-group
 neighbor AS65000-PEERS remote-as 65000
 neighbor AS65000-PEERS update-source Loopback0
 neighbor AS65000-PEERS route-reflector-client
 neighbor AS65000-PEERS send-community
 neighbor 10.0.0.2 peer-group AS65000-PEERS
 neighbor 10.0.1.2 peer-group AS65000-PEERS
 neighbor 10.10.0.1 remote-as 10
 neighbor 10.10.0.1 next-hop-self
 neighbor 10.10.0.1 route-map RM-AS10-TRANSIT-IN in
 neighbor 10.10.0.1 route-map RM-AS10-TRANSIT-OUT out
 no auto-summary
!
ip forward-protocol nd
ip route 58.58.58.0 255.255.255.0 Null0 250 tag 65000 name AS65000-SUPERNETS
!
ip bgp-community new-format
ip community-list standard AS65000-PREFIXES permit 65000:65000
ip community-list standard AS65000-FROM-TRANSIT permit 65000:666
!
!
ip prefix-list PL-TRANSIT-CUSTOMERS-AND-SUPERNETS seq 5 permit 58.58.58.0/24
ip prefix-list PL-TRANSIT-CUSTOMERS-AND-SUPERNETS seq 10 permit 60.0.0.60/32
!
ip prefix-list PL-TRANSIT-CUSTOMERS-SUPERNETS description deny local prefixes and allow everything else
!
route-map RM-TAG-AS65000-SUPERNETS permit 10
 description Tag AS65000 prefixes for announcement to upstreams
 match tag 65000
 set community 65000:65000
!
route-map RM-AS10-TRANSIT-OUT deny 10
 description Never re-announce routes learnt from the other transit provider
 match community AS65000-FROM-TRANSIT
!
route-map RM-AS10-TRANSIT-OUT permit 20
 match ip address prefix-list PL-TRANSIT-CUSTOMERS-AND-SUPERNETS
!
route-map RM-AS10-TRANSIT-IN permit 10
 description Prefer transit1 provider, tag its routes so br2 does not re-export them
 set local-preference 200
 set community 65000:666

br2 performs the corresponding filtering towards its upstream provider (AS20), only letting through routes that transit customers tagged with one of the prepend communities or that carry the local public supernet tag (community list AS-65000-UPSTREAM-FILTER), and also filters what it announces to the peer networks (AS100 and AS200) down to the public supernets. Standard community lists are evaluated first match, so the deny for 65000:666 is placed before the permit for 65000:65000; a transit-learnt route that somehow also carried the supernet tag is still refused;

br2:
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor AS65000-PEERS peer-group
 neighbor AS65000-PEERS remote-as 65000
 neighbor AS65000-PEERS description Internal AS iBGP Peers
 neighbor AS65000-PEERS update-source Loopback0
 neighbor AS65000-PEERS route-reflector-client
 neighbor AS65000-PEERS send-community
 neighbor AS-PEERS peer-group
 neighbor AS-PEERS description External Peers
 neighbor AS-PEERS next-hop-self
 neighbor AS-PEERS prefix-list PL-AS65000-SUPERNETS out
 neighbor AS-PEERS route-map RM-PREFER-ASPEER-IN in
 neighbor 10.0.0.1 peer-group AS65000-PEERS
 neighbor 10.20.0.1 remote-as 20
 neighbor 10.20.0.1 next-hop-self
 neighbor 10.20.0.1 route-map RM-AS20-TRANSIT-IN in
 neighbor 10.20.0.1 route-map RM-AS20-TRANSIT-OUT out
 neighbor 10.100.0.1 remote-as 100
 neighbor 10.100.0.1 peer-group AS-PEERS
 neighbor 10.200.0.1 remote-as 200
 neighbor 10.200.0.1 peer-group AS-PEERS
 no auto-summary
!
ip route 58.58.58.0 255.255.255.0 Null0 250 tag 65000 name AS65000-SUPERNETS
!
ip bgp-community new-format
ip community-list standard AS-65000-UPSTREAM-FILTER permit 65000:3000
ip community-list standard AS-65000-UPSTREAM-FILTER permit 65000:2000
ip community-list standard AS-65000-UPSTREAM-FILTER permit 65000:1000
ip community-list standard AS-65000-UPSTREAM-FILTER permit 65000:500
ip community-list standard AS-65000-UPSTREAM-FILTER deny 65000:666
ip community-list standard AS-65000-UPSTREAM-FILTER permit 65000:65000
!
!
ip prefix-list PL-AS65000-SUPERNETS description Only advertise AS65000 public supernet routes
ip prefix-list PL-AS65000-SUPERNETS seq 5 permit 58.58.58.0/24
ip prefix-list PL-AS65000-SUPERNETS seq 10 permit 60.0.0.60/32
!
ip prefix-list PL-TRANSIT-CUSTOMERS-SUPERNETS description deny local prefixes and allow everything else
!
route-map RM-AS20-TRANSIT-OUT permit 10
 match community AS-65000-UPSTREAM-FILTER
!
route-map RM-PREFER-ASPEER-IN permit 10
 set local-preference 200
!
route-map RM-AS20-TRANSIT-IN permit 10
 description Prefer transit1 provider
 set local-preference 100
 set community 65000:666
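
To see how the community-driven pieces fit together end to end (the continue chain in RM-TRANSIT-CUSTOMER-IN on pe1, the first-match evaluation of the standard community list on br2, and the extra AS65000 that eBGP adds on export), here is an added Python model of the policies above; it is not code from the page or from Cisco. It assumes pe1 sends communities to br2 over iBGP (send-community, which the page does not show for pe1), and models route-map continue only as far as these policies exercise it: a match-all clause ends the chain, so a route never falls off the end after a continue. The sample routes, the prefix 198.51.100.0/24 and AS 64496 are constructed for the demonstration.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Route:
    prefix: str
    as_path: list[int]
    communities: frozenset[str] = frozenset()
    local_pref: int = 100


@dataclass(frozen=True)
class Clause:
    """One 'route-map NAME permit|deny SEQ' entry (only the match/set types used here)."""
    seq: int
    action: str
    match_clist: Optional[str] = None        # match community <list>
    set_local_pref: Optional[int] = None     # set local-preference N
    prepend: tuple[int, ...] = ()            # set as-path prepend ...
    set_community: Optional[str] = None      # set community X (replaces)
    cont: Optional[int] = None               # continue SEQ


# Standard community lists as ordered (action, communities that must all be present).
CLISTS = {
    "as-prepend-65000-3times": [("permit", {"65000:3000"})],
    "as-prepend-65000-2times": [("permit", {"65000:2000"})],
    "as-prepend-65000-1times": [("permit", {"65000:1000"})],
    "AS-65000-UPSTREAM-FILTER": [            # br2, in the order configured above
        ("permit", {"65000:3000"}), ("permit", {"65000:2000"}),
        ("permit", {"65000:1000"}), ("permit", {"65000:500"}),
        ("deny", {"65000:666"}), ("permit", {"65000:65000"}),
    ],
}
RM_TRANSIT_CUSTOMER_IN = [                   # pe1, inbound from cust3 (AS3000)
    Clause(5, "permit", set_local_pref=1000, cont=10),
    Clause(10, "permit", "as-prepend-65000-3times", prepend=(65000,) * 3, cont=20),
    Clause(20, "permit", "as-prepend-65000-2times", prepend=(65000,) * 2, cont=30),
    Clause(30, "permit", "as-prepend-65000-1times", prepend=(65000,), cont=40),
    Clause(40, "permit"),                    # match-all, no set
]
RM_AS20_TRANSIT_OUT = [Clause(10, "permit", "AS-65000-UPSTREAM-FILTER")]  # br2


def clist_permits(name: str, route: Route) -> bool:
    """Standard community list: the first entry whose communities are all
    present on the route decides; no matching entry means deny."""
    for action, needed in CLISTS[name]:
        if needed <= route.communities:
            return action == "permit"
    return False


def run_route_map(clauses: list[Clause], route: Route) -> Optional[Route]:
    """Return the route as modified by the route-map, or None if denied.
    Clauses are tried in sequence order; a matching permit clause applies its
    sets and either finishes or, with 'continue', resumes at the named
    sequence. A route matching no clause hits the implicit deny."""
    clauses = sorted(clauses, key=lambda c: c.seq)
    route = replace(route)                   # work on a copy
    i, matched = 0, False
    while i < len(clauses):
        c = clauses[i]
        if c.match_clist is not None and not clist_permits(c.match_clist, route):
            i += 1                           # no match: try the next clause
            continue
        if c.action == "deny":
            return None
        matched = True
        if c.set_local_pref is not None:
            route.local_pref = c.set_local_pref
        if c.set_community is not None:
            route.communities = frozenset({c.set_community})
        route.as_path = list(c.prepend) + route.as_path
        if c.cont is None:
            return route
        i = next((k for k, x in enumerate(clauses) if x.seq >= c.cont), len(clauses))
    # Assumption: a route that matched a permit clause and then ran out of
    # clauses after 'continue' stays permitted; the policies here end in a
    # match-all clause, so this case never arises for them.
    return route if matched else None


def br2_exports_to_as20(route: Route) -> bool:
    return run_route_map(RM_AS20_TRANSIT_OUT, route) is not None


def path_seen_by_as20(cust3_route: Route) -> Optional[list[int]]:
    """A cust3 announcement through pe1's inbound policy, iBGP to br2 (assumed
    to carry the communities), br2's outbound filter, and the eBGP export,
    which prepends AS65000 once more on top of any policy prepends."""
    r = run_route_map(RM_TRANSIT_CUSTOMER_IN, cust3_route)
    if r is None or not br2_exports_to_as20(r):
        return None
    return [65000] + r.as_path


# Constructed sample routes (198.51.100.0/24 and AS 64496 are made up).
CUST3_3X = Route("60.0.0.60/32", [3000], frozenset({"65000:3000"}))
CUST3_UNTAGGED = Route("60.0.0.60/32", [3000])
FROM_AS10 = Route("198.51.100.0/24", [10, 64496], frozenset({"65000:666"}))
SUPERNET = Route("58.58.58.0/24", [], frozenset({"65000:65000"}))
MISTAGGED = Route("198.51.100.0/24", [10, 64496], frozenset({"65000:666", "65000:65000"}))
```

With these inputs `path_seen_by_as20(CUST3_3X)` is `[65000, 65000, 65000, 65000, 3000]`: three prepends from the community plus the one eBGP adds on export, so a customer asking for "3 times" sees AS65000 four times in the path at AS20. `CUST3_UNTAGGED` is accepted by pe1 with local preference 1000 but is not exported to AS20 at all, because nothing in AS-65000-UPSTREAM-FILTER matches a route without a community; a transit customer has to tag with 65000:500 to be announced upstream without prepending. `FROM_AS10` and `MISTAGGED` are both refused by br2, the latter only because the deny for 65000:666 precedes the permit for 65000:65000 in the list.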
