Overview

This is an example of BGP route filter configuration by filter list (AS_PATH ACL). It is important to know how to represent the AS_PATH attribute in a regular expression.

Network Diagram

Figure BGP route filter : filter-list network diagram

Configuration Conditions

  • R1 advertises only BGP routes in its own AS to R2/R3.
  • R1 receives only BGP routes generated by AS2 and AS20 from R2.
  • R1 must not receive BGP routes generated by AS2 and AS20 from R3.

Initial Configuration

The BGP-related configurations for R1/R2/R3 are as follows.

R1 Initial Configuration

hostname R1
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.0.5 255.255.255.252
!
router bgp 1
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 neighbor 10.0.0.2 remote-as 2
 neighbor 10.0.0.6 remote-as 3

R2 Initial Configuration

hostname R2
!
interface Loopback0
 ip address 10.2.20.2 255.255.255.0 secondary
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.0.9 255.255.255.252
!
router bgp 2
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 network 10.2.2.0 mask 255.255.255.0
 network 10.2.20.0 mask 255.255.255.0
 neighbor 10.0.0.1 remote-as 1
 neighbor 10.0.0.1 route-map AS_PATH out
 neighbor 10.0.0.10 remote-as 3
 neighbor 10.0.0.10 route-map AS_PATH out
!
route-map AS_PATH permit 10
 match ip address 1
 set as-path prepend 20
!
route-map AS_PATH permit 100
!
access-list 1 permit 10.2.20.0

R3 Initial Configuration

hostname R3
!
interface Loopback0
 ip address 10.3.30.3 255.255.255.0 secondary
 ip address 10.3.3.3 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.6 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.0.10 255.255.255.252
!
router bgp 3
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 network 10.3.3.0 mask 255.255.255.0
 network 10.3.30.0 mask 255.255.255.0
 neighbor 10.0.0.5 remote-as 1
 neighbor 10.0.0.5 route-map AS_PATH out
 neighbor 10.0.0.9 remote-as 2
 neighbor 10.0.0.9 route-map AS_PATH out
!
route-map AS_PATH permit 10
 match ip address 1
 set as-path prepend 30
!
route-map AS_PATH permit 100
!
access-list 1 permit 10.3.30.0

Configuration and Verification

Step1: Verify sending and receiving of BGP routes before applying filter-list

Verify BGP routes sent and received before applying the filter-list on R1.

  • show ip bgp neighbor 10.0.0.2 advertised-routes : Displays BGP routes advertised to R2.
  • show ip bgp neighbor 10.0.0.6 advertised-routes : Displays BGP routes advertised to R3.
  • show ip bgp neighbor 10.0.0.2 routes : Displays BGP routes received from R2.
  • show ip bgp neighbor 10.0.0.6 routes : Displays BGP routes received from R3.

First, verify the BGP routes advertised from R1 to R2/R3.

R1 BGP routes to be advertised to R2/R3 before applying filter

R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i

Total number of prefixes 7
R1#show ip bgp neighbors 10.0.0.6 advertised-routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i

Total number of prefixes 7

You can see that R1 advertises to R2/R3 not only the BGP routes of its own AS but also the routes it received from the other neighbor.

Note that R1 automatically places the EBGP neighbors R2 and R3 in the same update-group, so the BGP routes advertised to R2 and R3 are exactly the same. As a result, a BGP route received from one EBGP neighbor is advertised back to that neighbor; the neighbor finds its own AS in the AS_PATH, treats the route as a loop and discards it.

The BGP routes received from R2/R3 are as follows.

R1 BGP routes received from R2/R3 before applying filter

R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i
 *   10.3.3.0/24      10.0.0.2                               0 2 3 i
 *   10.3.30.0/24     10.0.0.2                               0 2 3 30 i

Total number of prefixes 4
R1#show ip bgp neighbors 10.0.0.6 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   10.2.2.0/24      10.0.0.6                               0 3 2 i
 *   10.2.20.0/24     10.0.0.6                               0 3 2 20 i
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i

Total number of prefixes 4

R1 receives from R2 not only the BGP routes generated by AS2/AS20, but also the BGP routes generated by AS3/AS30 that R2 relays; the same applies to the BGP routes received from R3.

Step2: R1 Configure filter-list out

Configure filter-list to limit BGP routes advertised from R1 to R2/R3 to routes in its own AS only.

R1 filter-list out

ip as-path access-list 1 permit ^$
!
router bgp 1
 neighbor 10.0.0.2 filter-list 1 out 
 neighbor 10.0.0.6 filter-list 1 out

A distribute-list or prefix-list could also satisfy the requirement to advertise only BGP routes from one’s own AS. However, a filter-list is the easiest way to do it.

With a distribute-list or prefix-list, the ACL or prefix-list needs as many lines as there are distinct network addresses among the BGP routes of the AS.

On the other hand, the AS_PATH of a BGP route generated in the router's own AS is empty, and an empty AS_PATH is identified by the regular expression “^$”. Therefore, no matter how many BGP routes or which network addresses exist in your AS, a single line of AS_PATH ACL 1 identifies and permits every BGP route generated in your AS.

Then, just apply AS_PATH ACL 1 on neighbor 10.0.0.2 (R2) and 10.0.0.6 (R3) out.

After applying filter-list, the BGP route must be re-sent.

R1 Resend BGP routes

R1#clear ip bgp 10.0.0.2 out
R1#clear ip bgp 10.0.0.6 out

Step3: R1 Verify filter-list out

Verify the BGP routes to be advertised from R1 to R2/R3.

  • show ip bgp neighbor 10.0.0.2 advertised-routes
  • show ip bgp neighbor 10.0.0.6 advertised-routes

R1 verify filter-list out

R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i

Total number of prefixes 3
R1#show ip bgp neighbors 10.0.0.6 advertised-routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i

Total number of prefixes 3

You can see that R1 advertises only BGP routes in its own AS to R2/R3.

Figure filter-list out

Note that the filter-list is evaluated before R1 prepends its own AS to the AS_PATH, which is why the locally generated routes still match “^$” at filter time. Only after filtering is the AS prepended, so the AS_PATH of the BGP routes received by R2/R3 is “1”.

Step4: R1 Configure filter-list in From R2

Use filter-list to filter incoming BGP routes from R2 on R1.

R1 Configure filter-list in From R2

ip as-path access-list 2 permit _2$|_20$
!
router bgp 1
 neighbor 10.0.0.2 filter-list 2 in

R1 limits BGP routes received from R2 to only those generated by AS2 or AS20. That is, AS_PATH ends with 2 or 20. The regular expression is “_2$|_20$”.

AS_PATH ACL 2 identifies and permits BGP routes generated by AS2 or AS20 using this regular expression. Then apply AS_PATH ACL 2 to neighbor 10.0.0.2 (R2) in.

After applying filter-list, the BGP route must be re-received from R2.

R1 Receive BGP route again From R2

R1#clear ip bgp 10.0.0.2 in

Step5: R1 Verify filter-list in From R2

Verify the BGP routes received from R2 on R1 using the show ip bgp neighbor 10.0.0.2 routes command.

R1 Verify filter-list in From R2

R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i

Total number of prefixes 2

You can see that the BGP routes received from R2 are limited to only those generated by AS2 or AS20.

Figure filter-list in From R2

Step6: R1 Configure filter-list in From R3

Use filter-list to filter BGP routes received from R3 on R1.

R1 Configure filter-list in From R3

ip as-path access-list 3 deny _2$|_20$
ip as-path access-list 3 permit .*
!
router bgp 1
 neighbor 10.0.0.6 filter-list 3 in

R1 must not receive BGP routes generated in AS2 or AS20 from R3. AS_PATH ACL 3 therefore denies BGP routes whose AS_PATH ends in 2 or 20. If the ACL contained only the deny entry, the implicit deny at the end would deny everything else as well. To avoid the implicit deny, AS_PATH ACL 3 needs the “permit .*” entry: “.*” is a regular expression matching any string, so it matches every remaining AS_PATH attribute.

Then apply AS_PATH ACL 3 to neighbor 10.0.0.6(R3) in.
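As an added worked example (not part of the original article and not Cisco code), here is a small Python model of how the three AS_PATH ACLs of Step 2, Step 4 and Step 6 are evaluated against the AS_PATH values seen in the show outputs above. The translation of the IOS “_” metacharacter into a Python regular expression, the route tables, and the AS_PATH “12” used at the end are constructed for this example; it goes slightly beyond the article by showing why the regular expressions use “_2$” rather than “2$”, and what happens to AS_PATH ACL 3 if the “permit .*” entry is left out.

```python
import re

# IOS AS_PATH regex: "_" matches the start or end of the AS_PATH, a space,
# or an AS_SET/confederation delimiter. Translating it into a Python
# alternation reproduces that behaviour, so "_2$" matches "2" and "3 2"
# but not "12". The other metacharacters used on this page (^ $ . * |)
# mean the same thing in both dialects.  (Constructed translation.)
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def to_python_regex(cisco_regex: str) -> str:
    """Translate a Cisco-style AS_PATH regular expression into a Python one."""
    return cisco_regex.replace("_", _UNDERSCORE)


def as_path_matches(cisco_regex: str, as_path: str) -> bool:
    """True if the AS_PATH (ASNs separated by spaces, "" for a route generated
    in the local AS) matches the Cisco-style regular expression."""
    return re.search(to_python_regex(cisco_regex), as_path) is not None


def evaluate_as_path_acl(acl, as_path: str) -> str:
    """Evaluate an ip as-path access-list: entries are (action, regex) in
    configured order, the first matching entry wins, and an AS_PATH matching
    no entry is dropped by the implicit deny at the end of the list."""
    for action, regex in acl:
        if as_path_matches(regex, as_path):
            return action
    return "deny"


def apply_filter_list(acl, routes):
    """Return the prefixes a filter-list lets through, in table order.
    routes is a list of (prefix, as_path) pairs."""
    return [prefix for prefix, path in routes
            if evaluate_as_path_acl(acl, path) == "permit"]


# The three AS_PATH ACLs configured on R1 in this article.
AS_PATH_ACL_1 = [("permit", "^$")]                        # own-AS routes only
AS_PATH_ACL_2 = [("permit", "_2$|_20$")]                  # generated by AS2/AS20
AS_PATH_ACL_3 = [("deny", "_2$|_20$"), ("permit", ".*")]  # everything else

# R1's BGP table before any filter, transcribed from the advertised-routes
# output (the 192.168.x.0 networks are /24 per the Loopback0 masks).
R1_BGP_TABLE = [
    ("10.2.2.0/24", "2"),
    ("10.2.20.0/24", "2 20"),
    ("10.3.3.0/24", "3"),
    ("10.3.30.0/24", "3 30"),
    ("192.168.1.0/24", ""),
    ("192.168.2.0/24", ""),
    ("192.168.3.0/24", ""),
]

# Routes R1 receives from R2 and R3 before filtering ("neighbors ... routes").
RECEIVED_FROM_R2 = [
    ("10.2.2.0/24", "2"),
    ("10.2.20.0/24", "2 20"),
    ("10.3.3.0/24", "2 3"),
    ("10.3.30.0/24", "2 3 30"),
]
RECEIVED_FROM_R3 = [
    ("10.2.2.0/24", "3 2"),
    ("10.2.20.0/24", "3 2 20"),
    ("10.3.3.0/24", "3"),
    ("10.3.30.0/24", "3 30"),
]


def filter_list_1_out():
    """Step 2: filter-list 1 out keeps only the routes of R1's own AS."""
    return apply_filter_list(AS_PATH_ACL_1, R1_BGP_TABLE)


def filter_list_2_in_from_r2():
    """Step 4: filter-list 2 in keeps only routes generated by AS2 or AS20."""
    return apply_filter_list(AS_PATH_ACL_2, RECEIVED_FROM_R2)


def filter_list_3_in_from_r3():
    """Step 6: filter-list 3 in drops routes generated by AS2 or AS20."""
    return apply_filter_list(AS_PATH_ACL_3, RECEIVED_FROM_R3)


def filter_list_3_without_permit_any():
    """The pitfall Step 6 warns about: with only the deny entry, the implicit
    deny drops every route received from R3."""
    return apply_filter_list(AS_PATH_ACL_3[:1], RECEIVED_FROM_R3)


if __name__ == "__main__":
    print("filter-list 1 out :", filter_list_1_out())
    print("filter-list 2 in  :", filter_list_2_in_from_r2())
    print("filter-list 3 in  :", filter_list_3_in_from_r3())
    print("ACL 3 deny only   :", filter_list_3_without_permit_any())
    # Why "_" matters: a constructed AS_PATH "12" (not in the article) ends
    # with the digit 2 but was not generated by AS2.
    print("'2$'  matches '12':", as_path_matches("2$", "12"))
    print("'_2$' matches '12':", as_path_matches("_2$", "12"))
```

Running the script reproduces the three verification outputs of Steps 3, 5 and 7 (three own-AS prefixes, two prefixes from R2, two prefixes from R3), shows the empty result of a deny-only ACL 3, and shows that “2$” would wrongly match an AS_PATH ending in 12 while “_2$” does not.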

After applying filter-list, the BGP route must be re-received from R3.

R1 Receive BGP route again From R3

R1#clear ip bgp 10.0.0.6 in

Step7: R1 Verify filter-list in From R3

Verify the BGP routes received from R3 on R1 using the show ip bgp neighbor 10.0.0.6 routes command.

R1 Verify filter-list in From R3

R1#show ip bgp neighbors 10.0.0.6 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i

Total number of prefixes 2

R1 is not receiving BGP routes generated by AS2 or AS20 from R3.

Figure filter-list in From R3

Configuration Summary

The filter-list related commands configured on R1, starting from the initial state, are as follows.

R1 filter-list(AS_PATH ACL) Configuration Summary

router bgp 1
 neighbor 10.0.0.2 filter-list 2 in
 neighbor 10.0.0.2 filter-list 1 out
 neighbor 10.0.0.6 filter-list 3 in
 neighbor 10.0.0.6 filter-list 1 out
!
ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit _2$|_20$
ip as-path access-list 3 deny _2$|_20$
ip as-path access-list 3 permit .*