Table of Contents
Overview
This section describes the commands for configuring and verifying the BGP route filter using distribute-list. The distribute-list identifies the BGP route information with ACL to be allowed or denied.
Flow of configuring distribute-list
The configuration flow for filtering BGP routes using distribute-list is as follows
- Identify route information to be filtered by ACLs
- Applying distribute-list to a specific neighbor
- Re-sent/Re-recieve BGP routes
Standard and extended ACLs are used to identify route information. Note that the meaning of a standard/extended ACL is different from that of a standard/extended ACL when used in a packet filter.
Configuration Commands for distribute-list
distribute-list(Std ACL) Configuration Commands
Identifies BGP route information to allow or deny by standard ACLs. Create a standard ACL in global configuration mode. Then apply it to the BGP neighbor.
distribute-list(Std ACL) Configuration Commands
(config)#access-list <ACL-num> {permit|deny} <network-address> <wildcard-mask>
(config)#router bgp <AS>
(config-router)#neighbor <ip-address> distribute-list <ACL-num> {in|out}
<ACL-num>:Std ACL number.1-99
<network-address>:Network address
<wildcard-mask>:wildcard mask
<AS>:AS number
<ip-address>: Neighbor IP address
<ACL-num>: ACL number
The ACL parameter names reflect those used in the route filter.
The in the standard ACL specifies the bit pattern of the network address of BGP route information. It is easy to misunderstand, but the configuration “192.168.1.0 0.0.0.255” does not represent “192.168.1.0/24”. The configuration “192.168.1.0 0.0.0.255” means a BGP route whose network address begins with “192.168.1”.
Then, decide how to handle the corresponding route information by permit or deny. “permit” allows route information.That is, if it is applied out, it advertises the corresponding BGP route; if it is applied in, it receives the BGP route. “deny” denies route information. That is, if it is applied out, the corresponding BGP route is not advertised; if it is applied in, the corresponding BGP route is not received.
Also, remember that there is an “implicit deny” at the end of the ACL.
distribute-list(Ext ACL) Configuration Commands
Extended ACLs allow you to check not only network addresses but also subnet masks to identify route information to filter.
distribute-list(Ext ACL) Configuration Commands
(config)#access-list <ACL-num> {permit|deny} ip <network-address> <wildcard-mask> <subnet-address> <wildcard-mask>
(config)#router bgp <AS>
(config-router)#neighbor <ip-address> distribute-list <ACL-num> {in|out}
<ACL-num>:Extended ACL number. 100-199
<network-address>:Network address
<subnet-mask>:Subnet mask
<wildcard-mask>: Wildcard mask
<AS>:AS number
<ip-address>: Neighbor IP address
<ACL-num>: ACL number
The ACL parameter names reflect those used in the route filter.
The protocol for extended ACLs is “ip”. Configure the bit pattern for the network address in the source IP address portion of the original extended ACL. Then, configure the subnet mask bit pattern in the destination IP address part.
Then, you decide how to handle the corresponding route information with either permit or deny. This is exactly the same as for standard ACLs.
Re-send/Re-recieve BGP routes
Simply applying a distribute list to a neighbor does not make the route filter work. BGP routes must be re-sent/received. Re-send or re-receive, depending on the direction in which distribute-list is applied. Use the following commands in privileged EXEC mode.
Re-send/Re-recieve BGP routes
#clear ip bgp <ip-address> {in|out}
<ip-address> : Neighbor IP address
If the applied direction of distribute-list is in, “clear ip bgp in” command will re-receive the BGP route from the neighbor. If the applied direction is out, “clear ip bgp out” command re-send the BGP route to the neighbor.
Verifycation Commands for distribute-list
The following table summarizes the main show commands for verifying BGP route filtering by distribute-list.
| Command | Summary |
|---|---|
| #show ip access-list | Verify the ACLs to identify the BGP routes. |
| #show ip protocols | Verify the distribute-list applied to the BGP neighbor. |
| #show ip bgp | Verify the BGP table. |
| #show ip bgp neighbor advertised-routes | Verify BGP routes to be advertised to the specified BGP neighbor. |
| #show ip bgp neighbor routes | Verify BGP routes received from the specified BGP neighbor. |
show ip access-list
Verify the ACLs to identify the BGP routes with the show ip access-list command.
show ip access-list
R1#show access-lists
Standard IP access list 1
10 permit 192.168.1.0 (2 matches)
Extended IP access list 100
10 deny ip 172.16.1.0 0.0.0.255 255.255.255.240 0.0.0.15 (2 matches)
20 permit ip any any (2 matches)
show ip protocols
To verify the distribute-list applied to a BGP neighbor, the show ip protocols command is self-explanatory.
show ip protocols
R1#show ip protocols
*** IP Routing is NSF aware ***
-- omitted --
Routing Protocol is "bgp 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
10.0.0.2 100 1
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
10.0.0.2 20 00:04:21
Distance: external 20 internal 200 local 200
show ip bgp
Use the show ip bgp command to display the BGP table and verify that the intended filters are in place. However, it is difficult to see the entire BGP table, so please filter the display of the BGP table.
show ip bgp
R1#show ip bgp
BGP table version is 18, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 172.16.1.0/25 10.0.0.2 0 0 2 i
*> 172.16.1.128/26 10.0.0.2 0 0 2 i
*> 192.168.1.0 0.0.0.0 0 32768 i
*> 192.168.2.0 0.0.0.0 0 32768 i
*> 192.168.3.0 0.0.0.0 0 32768 i
show ip bgp neighbor advertised-routes
The show ip bgp neighbor advertised-routes command displays the BGP routes advertised to the specified neighbor.
show ip bgp neighbor advertised-routes
R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 18, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 192.168.1.0 0.0.0.0 0 32768 i
Total number of prefixes 1
show ip bgp neighbor routes
The show ip bgp neighbor routes command displays BGP routes received from the specified neighbor.
show ip bgp neighbor routes
R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 18, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 172.16.1.0/25 10.0.0.2 0 0 2 i
*> 172.16.1.128/26 10.0.0.2 0 0 2 i
Total number of prefixes 2
Summary
Points
- The process of configuring BGP route filter using distribute-list is as follows
- Identify route information to be filtered by ACLs
- Applying distribute-list to a specific neighbor
- Re-sent/Re-recieve BGP routes
- Note that ACLs for identifying BGP routes have a different meaning than ACLs used in packet filters.
Related articles
The following article is an example of BGP route filter configuration using distribute-list.
How the BGP works
- BGP Basic Configuration and Verification Commands
- BGP Neighbor Status
- BGP Neighbor Authentication
- BGP Well Known Mandatory Attributes
- Illustration: BGP Best Path Selection
- BGP KEEPALIVE timer/Hold time Configuration
- BGP Route Minimum Advertisement Interval Configuration
- BGP Route Dampening
- BGP Route Filter Overview
- BGP Route Filter : distribute-list
- BGP Route Filter : distribute-list Configuration Example
- BGP Route Filter : prefix-list
- BGP Route Filter : prefix-list Configuration Example
- BGP Route Filter : filter-list(AS_PATH ACL)-
- BGP Route Filter : filter-list(AS_PATH ACL) Configuration Example
- BGP Route Filter : Route-map
- BGP Route Filter : route-map Configuration Example
- BGP neighbor allowas-in command
- BGP neighbor as-override command
- BGP Route RIB Failure
- BGP Route Administrative Distance Adjustment
- BGP Route Load Balancing
- BGP Auto Summary
- BGP Route Summary : network command
- BGP Route Summarization : network command configuration example
- BGP Route Summary aggregate-address command
- aggregte-address command : summary-only opiton
- aggregte-address command : attribute-map opiton
- aggregte-address command : as-set opiton
- aggregte-address command : advertise-map opiton
- BGP Selective Aggregation Overview
- BGP Selective Aggregation : suppress-map
- BGP Selective Aggregation : unsuppress-map
- BGP local-as
- BGP neighbor remove-private-AS
- bgp fast-external-fallover
- BGP Prefix Limitation
