Overview

This is an example of BGP route filter configuration using distribute-list. BGP routes to be filtered are identified with both standard and extended ACLs.

Network Diagram

Figure BGP distribute-list Configuration Example network diagram

Configuration Conditions

  • R1 advertises only the 192.168.1.0/24 BGP route to R2.
  • R1 discards BGP routes advertised from R2 that begin with the network address “172.16.1” and have a subnet mask of “/28” or greater.

Initial Configuration

The BGP-related configuration of R1/R2 is as follows

R1 Initial Configuration

hostname R1
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
!
router bgp 1
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 neighbor 10.0.0.2 remote-as 2

R2 Initial Configuration

hostname R2
!
interface Loopback0
 ip address 172.16.1.130 255.255.255.192 secondary
 ip address 172.16.1.194 255.255.255.240 secondary
 ip address 172.16.1.225 255.255.255.252 secondary
 ip address 172.16.1.2 255.255.255.128
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.0
!
router bgp 2
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 network 172.16.1.0 mask 255.255.255.128
 network 172.16.1.128 mask 255.255.255.192
 network 172.16.1.192 mask 255.255.255.240
 network 172.16.1.224 mask 255.255.255.252
 neighbor 10.0.0.1 remote-as 1

Configuration and Verification

Step1: Verify sending and receiving of BGP routes before applying distribute-list

Verify BGP routes sent and received before applying the distribute-list on R1.

show ip bgp neighbor 10.0.0.2 advertised-routes : Displays BGP routes advertised to R2.
show ip bgp neighbor 10.0.0.2 routes : Displays BGP routes received from R2.

R1 Sending and receiving BGP routes

R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i

Total number of prefixes 3
R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 12, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  172.16.1.0/25    10.0.0.2                 0             0 2 i
 *>  172.16.1.128/26  10.0.0.2                 0             0 2 i
 *>  172.16.1.192/28  10.0.0.2                 0             0 2 i
 *>  172.16.1.224/30  10.0.0.2                 0             0 2 i

Total number of prefixes 4

Step2: R1 Configure distribute-list out

Configure the distribute-list to advertise only “192.168.1.0/24” from R1 to R2.

R1 Configure distribute-list out

access-list 1 permit 192.168.1.0
!
router bgp 1
 neighbor 10.0.0.2 distribute-list 1 out

The network address is checked with standard ACL 1. Because the wildcard mask is omitted, it defaults to “0.0.0.0”, so only the BGP route whose network address is exactly “192.168.1.0” is permitted. All other BGP routes are denied by the implicit deny at the end of the ACL. Then apply standard ACL 1 to neighbor R2 (10.0.0.2) in the out direction.

Also, after applying the distribute-list, the BGP route must be re-sent.

R1 Resend BGP routes

R1#clear ip bgp 10.0.0.2 out

Step3: R1 Verify distribute-list out

Verify the BGP routes advertised from R1 to R2. The show ip bgp neighbor 10.0.0.2 advertised-routes command displays the following.

R1 Verify distribute-list out

R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 12, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.1.0      0.0.0.0                  0         32768 i

Total number of prefixes 1

You can see that only the BGP route “192.168.1.0/24” is advertised from R1 to R2.

Figure R1 distribute-list out

Step4: R1 Configure distribute-list in

Filter BGP routes received from R2 on R1. The following BGP routes are discarded

  • Network address starting with “172.16.1.”
  • Subnet mask “/28” or greater

The commands for configuring distribute-list on R1 are as follows

R1 Configure distribute-list in

access-list 100 deny   ip 172.16.1.0 0.0.0.255 255.255.255.240 0.0.0.15
access-list 100 permit ip any any
!
router bgp 1
 neighbor 10.0.0.2 distribute-list 100 in

Configure extended ACL 100 to match both the network address and the subnet mask of the BGP route. Since the network address starts with “172.16.1”, the network address portion of the extended ACL (the source IP address portion of an ordinary extended ACL) is as follows

172.16.1.0 0.0.0.255

The subnet mask /28 is 255.255.255.240 in dotted decimal notation. Since the subnet mask must be /28 or greater, the subnet mask portion of the extended ACL (the destination IP address portion of an ordinary extended ACL) should be configured as follows

255.255.255.240 0.0.0.15

This represents the subnet mask range from “255.255.255.240” to “255.255.255.255”.

If extended ACL 100 contained only the deny entry, the implicit deny would end up discarding all BGP routes. Don’t forget the entry that permits the other BGP routes. Then apply the extended ACL to neighbor R2 (10.0.0.2) in the in direction.
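To make the matching logic of Step 2 and Step 4 concrete, here is an added Python model of how a distribute-list evaluates a BGP prefix against a standard or extended ACL (this is example code written for this page, not a Cisco IOS implementation). It assumes the wildcard-mask semantics described above, the implicit deny at the end of every ACL, and that “any” expands to 0.0.0.0 with wildcard 255.255.255.255; the route lists are taken from the R1/R2 configurations on this page.

```python
import ipaddress


def _wild_match(addr: str, ref: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(ref))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (r & ~w)


def acl_action(prefix: str, acl: list) -> str:
    """Evaluate one BGP prefix against an ACL used as a distribute-list.

    Each entry is (action, net, net_wildcard, mask, mask_wildcard).
    A standard ACL has mask and mask_wildcard set to None and checks only
    the network address; an extended ACL also checks the subnet mask.
    Returns the action of the first matching entry, or 'deny' when nothing
    matches (the implicit deny at the end of the ACL).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    network, mask = str(net.network_address), str(net.netmask)
    for action, ref_net, wild_net, ref_mask, wild_mask in acl:
        if not _wild_match(network, ref_net, wild_net):
            continue
        if ref_mask is not None and not _wild_match(mask, ref_mask, wild_mask):
            continue
        return action
    return "deny"


def apply_distribute_list(prefixes: list, acl: list) -> list:
    """Return only the prefixes the distribute-list permits."""
    return [p for p in prefixes if acl_action(p, acl) == "permit"]


# access-list 1 permit 192.168.1.0   (wildcard omitted -> 0.0.0.0)
ACL_1 = [("permit", "192.168.1.0", "0.0.0.0", None, None)]

# access-list 100 deny   ip 172.16.1.0 0.0.0.255 255.255.255.240 0.0.0.15
# access-list 100 permit ip any any
ACL_100_DENY_ONLY = [("deny", "172.16.1.0", "0.0.0.255", "255.255.255.240", "0.0.0.15")]
ACL_100 = ACL_100_DENY_ONLY + [
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Routes from the R1 and R2 configurations on this page.
R1_ROUTES = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
R2_ROUTES = ["172.16.1.0/25", "172.16.1.128/26", "172.16.1.192/28", "172.16.1.224/30"]
```

Running apply_distribute_list(R2_ROUTES, ACL_100_DENY_ONLY) returns an empty list, which is exactly the "forgot the permit" failure the text warns about.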

Also, after applying the distribute list, the BGP route is received again from R2.

R1 Receive BGP route again

R1#clear ip bgp 10.0.0.2 in

Step5: R1 Verify distribute-list in

Verify the BGP routes received from R2 on R1 using the show ip bgp neighbor 10.0.0.2 routes command.

R1 Verify distribute-list in

R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 14, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  172.16.1.0/25    10.0.0.2                 0             0 2 i
 *>  172.16.1.128/26  10.0.0.2                 0             0 2 i

Total number of prefixes 2

You can see that “172.16.1.192/28” and “172.16.1.224/30” are discarded among the BGP routes received from R2.

Figure R1 distribute-list in

Configuration Summary

The commands related to the distribute-list on R1, configured from the initial configuration, are as follows.

R1 distribute-list Configuration Summary

access-list 1 permit 192.168.1.0
access-list 100 deny   ip 172.16.1.0 0.0.0.255 255.255.255.240 0.0.0.15
access-list 100 permit ip any any
!
router bgp 1
 neighbor 10.0.0.2 distribute-list 1 out
 neighbor 10.0.0.2 distribute-list 100 in