Table of Contents
Overview
This is an example of BGP route filter configuration using distribute-list. BGP routes to be filtered are identified with both standard and extended ACLs.
Related articles
It is recommended that you read the commands for configuring and verifying of distribute-list before this article.
The following article is an example of configuration using prefix-list that performs same conditions as in this article.
Network Diagram
Configuration Conditions
- R1 advertises only the 192.168.1.0/24 BGP route to R2.
- R1 discards BGP routes advertised from R2 that begin with the network address “172.16.1” and have a subnet mask of “/28” or greater.
Initial Configuration
The BGP-related configuration of R1/R2 is as follows
R1 Initial Configuration(Click)
hostname R1 ! interface Loopback0 ip address 192.168.2.1 255.255.255.0 secondary ip address 192.168.3.1 255.255.255.0 secondary ip address 192.168.1.1 255.255.255.0 ! interface Ethernet0/0 ip address 10.0.0.1 255.255.255.0 ! router bgp 1 bgp router-id 1.1.1.1 bgp log-neighbor-changes network 192.168.1.0 network 192.168.2.0 network 192.168.3.0 neighbor 10.0.0.2 remote-as 2
R2 Initial Configuration(Click)
hostname R2 ! interface Loopback0 ip address 172.16.1.130 255.255.255.192 secondary ip address 172.16.1.194 255.255.255.240 secondary ip address 172.16.1.225 255.255.255.252 secondary ip address 172.16.1.2 255.255.255.128 ! interface Ethernet0/0 ip address 10.0.0.2 255.255.255.0 ! router bgp 2 bgp router-id 2.2.2.2 bgp log-neighbor-changes network 172.16.1.0 mask 255.255.255.128 network 172.16.1.128 mask 255.255.255.192 network 172.16.1.192 mask 255.255.255.240 network 172.16.1.224 mask 255.255.255.252 neighbor 10.0.0.1 remote-as 1
Configuration and Verifycation
Step1: Verify sending and receiving of BGP routes before applying distribute-list
Verify BGP routes sent and received before applying the distribute-list on R1.
| show ip bgp neighbor 10.0.0.2 advertised-routes | Displays BGP routes advertised to R2. |
| show ip bgp neighbor 10.0.0.2 routes | Displays BGP routes received from R2. |
R1 Sending and receiving BGP routes
R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 192.168.1.0 0.0.0.0 0 32768 i
*> 192.168.2.0 0.0.0.0 0 32768 i
*> 192.168.3.0 0.0.0.0 0 32768 i
Total number of prefixes 3
R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 12, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 172.16.1.0/25 10.0.0.2 0 0 2 i
*> 172.16.1.128/26 10.0.0.2 0 0 2 i
*> 172.16.1.192/28 10.0.0.2 0 0 2 i
*> 172.16.1.224/30 10.0.0.2 0 0 2 i
Total number of prefixes 4
Step2: R1 Configure distribute-list out
Configure the distribute-list to advertise only “192.168.1.0/24” from R1 to R2.
R1 Configure distribute-list out
access-list 1 permit 192.168.1.0 ! router bgp 1 neighbor 10.0.0.2 distribute-list 1 out
The network address is checked with standard ACL1. The wildcard mask is “0.0.0.0” because the wildcard mask is omitted. This means that the BGP route with network address “192.168.1.0” will be permitted. Other BGP routes are denied by implicit deny.Then apply standard ACL1 on neighbor R2 (10.0.0.2) out.
Also, after applying the distribute-list, the BGP route must be re-sent.
R1 Resend BGP routes
R1#clear ip bgp 10.0.0.2 out
Step3: R1 Verify distribute-list out
Verify the BGP route to be advertised from R1 to R2. The show ip bgp neighbor 10.0.0.2 advertised-routes command displays the following
R1 Verify distribute-list out
R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 12, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 192.168.1.0 0.0.0.0 0 32768 i
Total number of prefixes 1
You can see that only the BGP route “192.168.1.0/24” is advertised from R1 to R2.
Step4: R1 Configure distribute-list in
Filter BGP routes received from R2 on R1. The following BGP routes are discarded
- Network address starting with “172.16.1.”
- Subnet mask “/28” or greater
The commands for configuring distribute-list on R1 are as follows
R1 Configure distribute-list in
access-list 100 deny ip 172.16.1.0 0.0.0.255 255.255.255.240 0.0.0.15 access-list 100 permit ip any any ! router bgp 1 neighbor 10.0.0.2 distribute-list 100 in
Configure extended ACL100 to reference the network address and subnet mask of the BGP route. Since the network address starts with “172.16.1”, the network address portion of the extended ACL (the source IP address portion of the original extended ACL) is follows
172.16.1.0 0.0.0.255
And the subnet mask/28 is 255.255.255.240 in decimal notation. Since the subnet mask /28 or greater, the subnet mask portion of the extended ACL (the destination IP address portion of the original extended ACL) should be configured as follows
255.255.255.240 0.0.0.15
This represents the subnet mask range from “255.255.255.240” to “255.255.255.255”.
For extended ACL 100, the only deny condition will end up denying all BGP routes with implicit deny. Don’t forget the condition to permit other BGP routes.Then apply the extended ACL to neighbor R2 (10.0.0.2) with in.
Also, after applying the distribute list, the BGP route is received again from R2.
R1 Receive BGP route again
R1#clear ip bgp 10.0.0.2 in
Step5: R1 Verify distribute-list in
Verify the BGP routes received from R2 on R1 using the show ip bgp neighbor 10.0.0.2 routes command.
R1 Verify distribute-list in
R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 14, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 172.16.1.0/25 10.0.0.2 0 0 2 i
*> 172.16.1.128/26 10.0.0.2 0 0 2 i
Total number of prefixes 2
You can see that “172.16.1.192/28” and “192.16.1.224/30” are discarded among the BGP routes received from R2.
Configuration Summary
The commands related to the distribute-list on R1, configured from the initial configuration, are as follows.
R1 distribute-list Configuration Summary
access-list 1 permit 192.168.1.0 access-list 100 deny ip 172.16.1.0 0.0.0.255 255.255.255.240 0.0.0.15 access-list 100 permit ip any any ! router bgp 1 neighbor 10.0.0.2 distribute-list 1 out neighbor 10.0.0.2 distribute-list 100 in
How the BGP works
- BGP Basic Configuration and Verification Commands
- BGP Neighbor Status
- BGP Neighbor Authentication
- BGP Well Known Mandatory Attributes
- Illustration: BGP Best Path Selection
- BGP KEEPALIVE timer/Hold time Configuration
- BGP Route Minimum Advertisement Interval Configuration
- BGP Route Dampening
- BGP Route Filter Overview
- BGP Route Filter : distribute-list
- BGP Route Filter : distribute-list Configuration Example
- BGP Route Filter : prefix-list
- BGP Route Filter : prefix-list Configuration Example
- BGP Route Filter : filter-list(AS_PATH ACL)-
- BGP Route Filter : filter-list(AS_PATH ACL) Configuration Example
- BGP Route Filter : Route-map
- BGP Route Filter : route-map Configuration Example
- BGP neighbor allowas-in command
- BGP neighbor as-override command
- BGP Route RIB Failure
- BGP Route Administrative Distance Adjustment
- BGP Route Load Balancing
- BGP Auto Summary
- BGP Route Summary : network command
- BGP Route Summarization : network command configuration example
- BGP Route Summary aggregate-address command
- aggregte-address command : summary-only opiton
- aggregte-address command : attribute-map opiton
- aggregte-address command : as-set opiton
- aggregte-address command : advertise-map opiton
- BGP Selective Aggregation Overview
- BGP Selective Aggregation : suppress-map
- BGP Selective Aggregation : unsuppress-map
- BGP local-as
- BGP neighbor remove-private-AS
- bgp fast-external-fallover
- BGP Prefix Limitation