Jaycee's Networking

May 17, 2009

BGP – Route Filtering

Filed under: BGP, IOS — Tags: — Jaycee @ 5:51 pm

Filtering routes – that’s how you control how your network traffic is carried and how you implement routing policies. There are three ways to do it: AS path filtering, community filtering, and aggregate filtering.

A. AS Path Filters:

1. AS path filters work like ACLs, but with a twist: they support regular expression (regex) pattern matching.

2. Like ACLs, AS path filters follow these rules:

a. Each line is a permit or a deny.
b. The first match wins.
c. An implicit “deny all” is added to the end of the list.

3. Example: we want to deny any AS path that starts with AS 10 and permit everything else.

ip as-path access-list 70 deny ^100_
ip as-path access-list 70 permit .*

4. A path is nothing more than a list of autonomous systems.

a. The first autonomous system in the path (the one where the path originates) is on the right.

b. As the path crosses AS boundaries, new autonomous systems are added on the left.

c. Therefore, the leftmost entry in an AS path is the autonomous system from which we heard the path.

5. AS path regular expressions:

Regular expression Meaning
_ Separates AS numbers in the path
^ Matches the start of the path
$ Matches the end
* Matches zero or more repetitions of the preceding character
. Matches any character
.* Matches all (i.e., any AS path).
^$ Matches an empty path. The only routes that can have an empty path are routes that originated within our local AS.
^100$ Specifies a path that consists of the single AS, AS 100.
^(100|200|300)$ Specifies a path that consists of a single AS, which can be either 100, 200, or 300.
^100_ All paths that start with AS 100.
_100_ All paths with 100 anywhere in the path.
_100$ All paths that end with 100.
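To see how these patterns behave against real paths, here is an added Python model of an ip as-path access-list (example code, not from the post): it translates Cisco's `_` into an AS-boundary test and applies the first-match and implicit-deny rules to some constructed sample paths.

```python
import re

# Cisco's "_" matches the boundary between AS numbers: the start or end of the
# path, or a space, comma, brace or parenthesis. Translated to zero-width
# lookarounds, "_100_" matches the whole token 100 but never 1100 or 1001.
_BOUNDARY = r"(?:(?<![^ ,{}()])|(?![^ ,{}()]))"


def cisco_regex(pattern):
    """Turn a Cisco AS-path regex into an equivalent compiled Python regex."""
    return re.compile(pattern.replace("_", _BOUNDARY))


def evaluate_as_path_list(entries, as_path):
    """Apply an ip as-path access-list to one AS path.

    entries: (action, regex) tuples in configured order.
    as_path: AS numbers separated by spaces, leftmost = AS we heard it from,
             rightmost = originating AS; "" is the empty path of a route
             that originated inside our own AS.
    Returns "permit" or "deny". Like an ACL, the first matching line wins
    and an implicit deny sits at the end of the list.
    """
    for action, pattern in entries:
        if cisco_regex(pattern).search(as_path):
            return action
    return "deny"


# The list from the post: drop anything heard from AS 100, allow the rest.
AS_PATH_LIST_70 = [("deny", "^100_"), ("permit", ".*")]

# Constructed sample paths (not from the post) that exercise the edge cases.
SAMPLE_PATHS = ["100 300", "1001 300", "300 100", "100", ""]


def filter_paths(entries, paths):
    """Map each sample path to the verdict the list gives it."""
    return {path: evaluate_as_path_list(entries, path) for path in paths}


if __name__ == "__main__":
    for path, verdict in filter_paths(AS_PATH_LIST_70, SAMPLE_PATHS).items():
        print(f"{path!r:>12} -> {verdict}")
```

Note that "1001 300" is permitted: without the `_`, a pattern like `^100` would also catch AS 1001, which is the usual mistake when writing these lists.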

B. Community Filters:

1. The community attribute allows routing policies to be applied to a destination. They are applied to routes using a set command in a route map.

2. Predefined communities:

Community Action
no-export Do not advertise to eBGP peers
no-advertise Do not advertise to any peer
internet Advertise to the Internet community (all routers belong to it.)

3. In the following example, we define a route map named Community1 that matches IP addresses from access list 1. This map sets the community string of any match to the no-advertise community:

access-list 1 permit 0.0.0.0 255.255.255.255
!
route-map Community1 permit 10
 match ip address 1
 set community no-advertise
!
router bgp 500
 neighbor 10.1.1.1 remote-as 200
 neighbor 10.1.1.1 send-community
 neighbor 10.1.1.1 route-map Community1 out

a. By applying the route map in the neighbor command, we use it to check all the route updates we send to neighbor 10.1.1.1.

b. Because of access list 1, the route map matches any route destination and sets the route’s community string to no-advertise.

c. “no-advertise” means that all routes we send to 10.1.1.1 via BGP will carry the no-advertise community. Therefore, when 10.1.1.1 receives route updates from us, it will NOT advertise any of our routes.

4. We can assign a community value to outgoing routes. Our neighbors can then implement filters based on the community values we have set and act appropriately.

5. In the following example, consider two routers, R1 and R2. R1 belongs to the 10.1.0.0 network (AS 500), while R2 belongs to the 10.2.0.0 network (AS 600). R1 sends all routes to R2 with a community of 100. R2 looks for any routes with a community of 100 and sets their weight to 10.

R1:

router bgp 500
 network 10.1.0.0
 neighbor 10.2.0.0 remote-as 600
 neighbor 10.2.0.0 send-community
 neighbor 10.2.0.0 route-map SET100 out
!
route-map SET100 permit 10
 match ip address 1
 set community 100
!
access-list 1 permit 0.0.0.0 255.255.255.255

R2:

router bgp 600
 network 10.2.0.0
 neighbor 10.1.0.0 remote-as 500
 neighbor 10.1.0.0 route-map CHECK100 in
!
route-map CHECK100 permit 10
 match community 1
 set weight 10
! "community-list" command acts like an ACL.
! We are looking for a community of 100.
ip community-list 1 permit 100
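The two community examples above, modelled in added Python (example code, not from the post or from IOS): a small route-map engine runs Community1, SET100 and CHECK100 over a constructed route, and `can_readvertise` shows how the receiving router honours the predefined communities. One caveat it makes visible: CHECK100 ends in an implicit deny, so a route arriving at R2 without community 100 is dropped, not merely left with its default weight.

```python
from ipaddress import IPv4Address, ip_network

def acl_match(acl, prefix):
    """Standard ACL over the route's network address: entries are
    (action, base, wildcard), wildcard bits are don't-care, first match
    wins, implicit deny at the end."""
    addr = int(ip_network(prefix, strict=False).network_address)
    for action, base, wildcard in acl:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(IPv4Address(base)) & care:
            return action == "permit"
    return False

def run_route_map(clauses, route):
    """Run (action, match_fn, sets) clauses in order. Returns the rewritten
    route, or None if a deny clause or the implicit deny at the end drops it."""
    for action, match_fn, sets in clauses:
        if match_fn(route):
            if action == "deny":
                return None
            return {**route, **sets}   # "set community" replaces, as without "additive"
    return None

def can_readvertise(route, to_ebgp_peer):
    """How a receiving router honours the well-known communities."""
    comms = route["communities"]
    if "no-advertise" in comms:
        return False          # not passed to any peer
    if "no-export" in comms and to_ebgp_peer:
        return False          # stays inside the receiving AS
    return True               # "internet": no restriction

ACL_ANY = [("permit", "0.0.0.0", "255.255.255.255")]   # access-list 1
COMMUNITY_LIST_1 = {"100"}                              # ip community-list 1 permit 100

# Community1 from the first example: every route to the neighbour gets no-advertise.
COMMUNITY1 = [("permit", lambda r: acl_match(ACL_ANY, r["prefix"]),
               {"communities": frozenset({"no-advertise"})})]
# R1's SET100 (out) and R2's CHECK100 (in) from the second example.
SET100 = [("permit", lambda r: acl_match(ACL_ANY, r["prefix"]),
           {"communities": frozenset({"100"})})]
CHECK100 = [("permit", lambda r: bool(r["communities"] & COMMUNITY_LIST_1),
             {"weight": 10})]

def r1_to_r2(prefix, communities=frozenset()):
    """Constructed walk-through: a route leaves R1 through SET100 and enters R2
    through CHECK100. None means R2 dropped it (CHECK100's implicit deny)."""
    route = {"prefix": prefix, "communities": communities, "weight": 0}
    return run_route_map(CHECK100, run_route_map(SET100, route))
```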

C. Aggregate Filters:

1. They allow several different routes to be expressed as one simple route, thus reducing the size of the routing table. (Aggregates can be used ONLY when the routes can be summarized into a single route.)

2. The “aggregate-address” command controls route aggregation and reduces the number of outgoing BGP routes.

3. Example: we have 192.168.1.0/24 through 192.168.254.0/24. We can generate a single summary route for the entire network space:

router bgp 600
 network 10.0.0.0
 aggregate-address 192.168.1.0 255.255.0.0 summary-only

4. The “summary-only” keyword tells the router to advertise only the aggregate route.

5. If we leave off summary-only, the router will advertise all of our routes plus the aggregate, which is not our intention here.

6. Aggregate routes also allow us to suppress certain addresses from the aggregate list.

7. In the following example, we want to advertise our aggregate route and our other routes, but we also want to suppress route 192.168.5.0:

router bgp 600
 network 10.1.0.0
 aggregate-address 192.168.1.0 255.255.0.0 suppress-map MAP1
!
route-map MAP1 permit 1
 match ip address 1
!
! The routes that the suppress map PERMITS are the ones suppressed, so the
! access list permits only 192.168.5.0/24; the implicit deny leaves the rest advertised.
access-list 1 permit 192.168.5.0 0.0.0.255

8. As in the example above, we use the route map MAP1 to determine which networks we want to suppress: the routes MAP1 permits are the ones withheld. This route map is based on access list 1.
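To compare the three forms of aggregate-address (no keyword, summary-only, suppress-map), here is an added Python model of what a router announces (example code, not from the post). The BGP table and the aggregate as a /16 are constructed; the second ACL shows what happens when the suppress map's access list is written as "deny 192.168.5.0, permit any": since permitted routes are the suppressed ones, that inversion withholds everything except 192.168.5.0.

```python
from ipaddress import ip_network

def acl_permits(acl, prefix):
    """Standard ACL written as (action, cidr) entries, tested against the
    route's network address: first covering entry wins, implicit deny."""
    addr = ip_network(prefix).network_address
    for action, cidr in acl:
        if addr in ip_network(cidr):
            return action == "permit"
    return False

def advertised_after_aggregation(routes, aggregate, summary_only=False,
                                 suppress_acl=None):
    """Prefixes a router announces once aggregate-address is configured.

    routes:       more-specific prefixes present in the BGP table.
    aggregate:    the summary, e.g. "192.168.0.0/16" for 192.168.1.0 255.255.0.0.
    summary_only: hide every component route covered by the aggregate.
    suppress_acl: ACL behind the suppress-map; routes it PERMITS are suppressed.
    """
    agg = ip_network(aggregate)
    components = [r for r in routes if ip_network(r).subnet_of(agg)]
    out = set()
    if components:  # the aggregate only appears when at least one component exists
        out.add(str(agg))
    for r in routes:
        if r in components:
            if summary_only:
                continue
            if suppress_acl is not None and acl_permits(suppress_acl, r):
                continue
        out.add(r)
    return out

# Constructed BGP table (not from the post): three of the /24s plus an unrelated route.
ROUTES = ["192.168.1.0/24", "192.168.5.0/24", "192.168.254.0/24", "10.1.0.0/16"]
AGGREGATE = "192.168.0.0/16"

# Suppress only 192.168.5.0/24: the ACL must PERMIT it (implicit deny spares the rest).
SUPPRESS_5 = [("permit", "192.168.5.0/24")]
# Deny 192.168.5.0 then permit any: permits (= suppresses) everything EXCEPT 192.168.5.0.
SUPPRESS_ALL_BUT_5 = [("deny", "192.168.5.0/24"), ("permit", "0.0.0.0/0")]

if __name__ == "__main__":
    print("no keyword   :", sorted(advertised_after_aggregation(ROUTES, AGGREGATE)))
    print("summary-only :", sorted(advertised_after_aggregation(ROUTES, AGGREGATE, summary_only=True)))
    print("suppress 5   :", sorted(advertised_after_aggregation(ROUTES, AGGREGATE, suppress_acl=SUPPRESS_5)))
    print("inverted ACL :", sorted(advertised_after_aggregation(ROUTES, AGGREGATE, suppress_acl=SUPPRESS_ALL_BUT_5)))
```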


1 Comment »

  1. A motivating discussion is definitely worth comment.

    I believe that you should publish more about this issue, it might not be a taboo matter but typically
    people don’t speak about these issues. To the next!
    Best wishes!!

    Comment by best wireless routers — August 19, 2014 @ 6:19 pm

