Overview

This section describes the commands for configuring and verifying a BGP route filter with distribute-list. A distribute-list uses an ACL to identify the BGP route information to be permitted or denied.

Flow of configuring distribute-list

The configuration flow for filtering BGP routes with distribute-list is as follows:

  1. Identify the route information to be filtered with ACLs
  2. Apply the distribute-list to a specific neighbor
  3. Re-send/re-receive the BGP routes

Standard and extended ACLs are used to identify route information. Note that a standard/extended ACL has a different meaning here than the same ACL has when used as a packet filter.

Configuration Commands for distribute-list

distribute-list(Std ACL) Configuration Commands

Identifies BGP route information to allow or deny by standard ACLs. Create a standard ACL in global configuration mode. Then apply it to the BGP neighbor.

(config)#access-list <ACL-num> {permit|deny} <network-address> <wildcard-mask>
(config)#router bgp <AS>
(config-router)#neighbor <ip-address> distribute-list <ACL-num> {in|out}

<ACL-num>: Standard ACL number (1-99)
<network-address>: Network address
<wildcard-mask>: Wildcard mask
<AS>: AS number
<ip-address>: Neighbor IP address
<ACL-num>: ACL number (the standard ACL created above)

The ACL parameter names are the same ones used for packet filtering, but in a route filter they refer to route information.

The <network-address> and <wildcard-mask> in the standard ACL specify the bit pattern of the network address of the BGP route information. It is easy to misunderstand, but the configuration “192.168.1.0 0.0.0.255” does not represent “192.168.1.0/24”. The configuration “192.168.1.0 0.0.0.255” means any BGP route whose network address begins with “192.168.1”, so 192.168.1.0/24 and 192.168.1.128/25 both match, whatever their prefix length.

Then, decide how to handle the matching route information with permit or deny. “permit” allows the route information. That is, if the distribute-list is applied out, the matching BGP route is advertised; if it is applied in, the matching BGP route is received. “deny” rejects the route information. That is, if it is applied out, the matching BGP route is not advertised; if it is applied in, the matching BGP route is not received.

Also, remember that there is an “implicit deny” at the end of the ACL.

Figure: distribute-list (Std ACL)

distribute-list(Ext ACL) Configuration Commands

Extended ACLs let you check not only the network address but also the subnet mask when identifying the route information to filter.

(config)#access-list <ACL-num> {permit|deny} ip <network-address> <wildcard-mask> <subnet-mask> <wildcard-mask>
(config)#router bgp <AS>
(config-router)#neighbor <ip-address> distribute-list <ACL-num> {in|out}

<ACL-num>: Extended ACL number (100-199)
<network-address>: Network address
<subnet-mask>: Subnet mask
<wildcard-mask>: Wildcard mask
<AS>: AS number
<ip-address>: Neighbor IP address
<ACL-num>: ACL number (the extended ACL created above)

The ACL parameter names are the same ones used for packet filtering, but in a route filter they refer to route information.

The protocol for the extended ACL is “ip”. Configure the bit pattern for the network address in the source IP address part of the extended ACL. Then configure the bit pattern for the subnet mask in the destination IP address part.

Then decide how to handle the matching route information with either permit or deny. This works exactly the same way as for standard ACLs.

Figure: distribute-list (Ext ACL)
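The following is an added example, not part of the original page, that evaluates the matching rules described above for both the standard ACL (network address bits only) and the extended ACL (network address plus subnet mask) against a constructed set of prefixes. The ACL entries mirror access-list 1 and access-list 100 from the show output later on this page; the function and variable names are assumptions of this example.

```python
from ipaddress import IPv4Address, IPv4Network

def _matches(value: str, pattern: str, wildcard: str) -> bool:
    """A bit is checked when its wildcard bit is 0; all checked bits must equal the pattern."""
    v, p, w = (int(IPv4Address(x)) for x in (value, pattern, wildcard))
    return ((v ^ p) & ~w) == 0

def std_acl_matches(entry, prefix: str) -> bool:
    """Standard ACL entry (network, wildcard): checks only the network address bits,
    so 192.168.1.0 0.0.0.255 matches 192.168.1.128/25 as well as 192.168.1.0/24."""
    net = IPv4Network(prefix)
    return _matches(str(net.network_address), entry[0], entry[1])

def ext_acl_matches(entry, prefix: str) -> bool:
    """Extended ACL entry (network, wildcard, mask, mask-wildcard): the 'source' part
    checks the network address and the 'destination' part checks the subnet mask."""
    net = IPv4Network(prefix)
    return (_matches(str(net.network_address), entry[0], entry[1])
            and _matches(str(net.netmask), entry[2], entry[3]))

def distribute_list(acl, prefixes, matcher):
    """Apply an ACL (list of (action, entry)) to prefixes, first match wins,
    with the implicit deny at the end; returns the permitted prefixes."""
    permitted = []
    for prefix in prefixes:
        action = "deny"  # implicit deny if no entry matches
        for act, entry in acl:
            if matcher(entry, prefix):
                action = act
                break
        if action == "permit":
            permitted.append(prefix)
    return permitted

# Constructed sample routes (not from the page's show output)
ROUTES = ["192.168.1.0/24", "192.168.1.128/25", "192.168.10.0/24",
          "172.16.1.0/25", "172.16.1.128/26", "172.16.1.64/28", "172.16.1.200/30"]

# access-list 1 permit 192.168.1.0 0.0.0.255
ACL_1 = [("permit", ("192.168.1.0", "0.0.0.255"))]

# access-list 100 deny ip 172.16.1.0 0.0.0.255 255.255.255.240 0.0.0.15
# access-list 100 permit ip any any   ("any" = 0.0.0.0 255.255.255.255)
ACL_100 = [("deny", ("172.16.1.0", "0.0.0.255", "255.255.255.240", "0.0.0.15")),
           ("permit", ("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"))]

if __name__ == "__main__":
    print("ACL 1 permits:  ", distribute_list(ACL_1, ROUTES, std_acl_matches))
    print("ACL 100 permits:", distribute_list(ACL_100, ROUTES, ext_acl_matches))
```

ACL 100 denies only 172.16.1.x routes whose mask is 255.255.255.240 through 255.255.255.255 (/28 to /32), which is why the /25 and /26 routes from 10.0.0.2 still appear in the BGP table shown later.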

Re-send/Re-receive BGP routes

Simply applying a distribute-list to a neighbor does not make the route filter take effect. The BGP routes must be re-sent or re-received, depending on the direction in which the distribute-list is applied. Use the following command in privileged EXEC mode.

#clear ip bgp <ip-address> {in|out}

<ip-address> : Neighbor IP address

If the distribute-list is applied in, the “clear ip bgp <ip-address> in” command re-receives the BGP routes from the neighbor. If it is applied out, the “clear ip bgp <ip-address> out” command re-sends the BGP routes to the neighbor.

Verification Commands for distribute-list

The following table summarizes the main show commands for verifying BGP route filtering by distribute-list.

Command                                       Summary
#show ip access-list                          Verify the ACLs that identify the BGP routes.
#show ip protocols                            Verify the distribute-list applied to the BGP neighbor.
#show ip bgp                                  Verify the BGP table.
#show ip bgp neighbor advertised-routes       Verify the BGP routes advertised to the specified BGP neighbor.
#show ip bgp neighbor routes                  Verify the BGP routes received from the specified BGP neighbor.

show ip access-list

Verify the ACLs that identify the BGP routes with the show ip access-list command.

R1#show access-lists
Standard IP access list 1
    10 permit 192.168.1.0 (2 matches)
Extended IP access list 100
    10 deny ip 172.16.1.0 0.0.0.255 255.255.255.240 0.0.0.15 (2 matches)
    20 permit ip any any (2 matches)

show ip protocols

To verify the distribute-list applied to a BGP neighbor, the show ip protocols command gives the clearest view: the DistIn and DistOut columns show the ACL numbers applied in each direction.

R1#show ip protocols
*** IP Routing is NSF aware ***

-- omitted --

Routing Protocol is "bgp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  IGP synchronization is disabled
  Automatic route summarization is disabled
  Neighbor(s):
    Address          FiltIn FiltOut DistIn DistOut Weight RouteMap
    10.0.0.2                           100       1
  Maximum path: 1
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.0.0.2              20      00:04:21
  Distance: external 20 internal 200 local 200

show ip bgp

Use the show ip bgp command to display the BGP table and verify that the intended filters are in effect. However, it is hard to check the whole BGP table at once, so filter the output of the BGP table as needed.

R1#show ip bgp
BGP table version is 18, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  172.16.1.0/25    10.0.0.2                 0             0 2 i
 *>  172.16.1.128/26  10.0.0.2                 0             0 2 i
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i

show ip bgp neighbor advertised-routes

The show ip bgp neighbor advertised-routes command displays the BGP routes advertised to the specified neighbor.

R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 18, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.1.0      0.0.0.0                  0         32768 i

Total number of prefixes 1

show ip bgp neighbor routes

The show ip bgp neighbor routes command displays BGP routes received from the specified neighbor.

R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 18, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  172.16.1.0/25    10.0.0.2                 0             0 2 i
 *>  172.16.1.128/26  10.0.0.2                 0             0 2 i

Total number of prefixes 2

Summary

Points

  • The process of configuring a BGP route filter with distribute-list is as follows:
    • Identify the route information to be filtered with ACLs
    • Apply the distribute-list to a specific neighbor
    • Re-send/re-receive the BGP routes
  • Note that ACLs used to identify BGP routes have a different meaning than ACLs used in packet filters.