Overview
This is an example of BGP route filter configuration with route-map. Route-maps allow you to flexibly identify BGP routes to filter by referencing standard/extended ACLs, prefix-lists, and AS_PATH ACLs in the match condition.
Network Diagram
Configuration Conditions
- R1 advertises to R2/R3 only the BGP routes of its own AS whose network address has an even third octet.
- R1 receives only BGP routes generated by AS2 and AS20 from R2.
- R1 should not receive BGP routes generated by AS2 and AS20 from R3.
Initial Configuration
The initial configuration regarding BGP of R1/R2/R3 is as follows.
R1 Initial Configuration
hostname R1
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.4.1 255.255.255.0 secondary
 ip address 192.168.5.1 255.255.255.0 secondary
 ip address 192.168.6.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.0.5 255.255.255.252
!
router bgp 1
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
 network 192.168.5.0
 network 192.168.6.0
 neighbor 10.0.0.2 remote-as 2
 neighbor 10.0.0.6 remote-as 3
R2 Initial Configuration
hostname R2
!
interface Loopback0
 ip address 10.2.20.2 255.255.255.0 secondary
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.0.9 255.255.255.252
!
router bgp 2
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 network 10.2.2.0 mask 255.255.255.0
 network 10.2.20.0 mask 255.255.255.0
 neighbor 10.0.0.1 remote-as 1
 neighbor 10.0.0.1 route-map AS_PATH out
 neighbor 10.0.0.10 remote-as 3
 neighbor 10.0.0.10 route-map AS_PATH out
!
route-map AS_PATH permit 10
 match ip address 1
 set as-path prepend 20
!
route-map AS_PATH permit 100
!
access-list 1 permit 10.2.20.0
R3 Initial Configuration
hostname R3
!
interface Loopback0
 ip address 10.3.30.3 255.255.255.0 secondary
 ip address 10.3.3.3 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.6 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.0.10 255.255.255.252
!
router bgp 3
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 network 10.3.3.0 mask 255.255.255.0
 network 10.3.30.0 mask 255.255.255.0
 neighbor 10.0.0.5 remote-as 1
 neighbor 10.0.0.5 route-map AS_PATH out
 neighbor 10.0.0.9 remote-as 2
 neighbor 10.0.0.9 route-map AS_PATH out
!
route-map AS_PATH permit 10
 match ip address 1
 set as-path prepend 30
!
route-map AS_PATH permit 100
!
access-list 1 permit 10.3.30.0
Configuration and Verification
Step1: Verify sending and receiving of BGP routes before applying route-map
Verify BGP routes sent and received before applying the route-map on R1.
- show ip bgp neighbor 10.0.0.2 advertised-routes : Displays BGP routes advertised to R2.
- show ip bgp neighbor 10.0.0.6 advertised-routes : Displays BGP routes advertised to R3.
- show ip bgp neighbor 10.0.0.2 routes : Displays BGP routes received from R2.
- show ip bgp neighbor 10.0.0.6 routes : Displays BGP routes received from R3.
First, verify the BGP routes advertised from R1 to R2/R3.
R1 BGP routes to be advertised to R2/R3 before applying filter
R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i
 *>  192.168.4.0      0.0.0.0                  0         32768 i
 *>  192.168.5.0      0.0.0.0                  0         32768 i
 *>  192.168.6.0      0.0.0.0                  0         32768 i

Total number of prefixes 10

R1#show ip bgp neighbors 10.0.0.6 advertised-routes
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i
 *>  192.168.4.0      0.0.0.0                  0         32768 i
 *>  192.168.5.0      0.0.0.0                  0         32768 i
 *>  192.168.6.0      0.0.0.0                  0         32768 i

Total number of prefixes 10
R1 advertises not only 192.168.1.0/24 to 192.168.6.0/24 in its own AS to EBGP neighbor R2/R3, but also BGP routes outside its own AS.
Note that R1 automatically places EBGP neighbors R2 and R3 in the same Update-Group, so the BGP routes advertised to R2 and R3 are exactly the same. As a result, a BGP route received from a neighbor is sent back to that EBGP neighbor, but the neighbor considers it a loop and discards it.
The BGP routes received from R2/R3 are as follows:
R1 BGP routes received from R2/R3 before applying filter
R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i
 *   10.3.3.0/24      10.0.0.2                               0 2 3 i
 *   10.3.30.0/24     10.0.0.2                               0 2 3 30 i

Total number of prefixes 4

R1#show ip bgp neighbors 10.0.0.6 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   10.2.2.0/24      10.0.0.6                               0 3 2 i
 *   10.2.20.0/24     10.0.0.6                               0 3 2 20 i
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i

Total number of prefixes 4
R1 receives not only BGP routes generated by AS2/AS20 from R2, but also BGP routes generated by AS3/AS30; the same applies to BGP routes received from R3.
Step2: R1 Configure route-map out
Configure route-map filter to limit the BGP routes advertised from R1 to R2/R3 to only those routes in its own AS with an even third octet of network address.
R1 Configure route-map out
ip as-path access-list 1 permit ^$
access-list 1 permit 0.0.0.0 255.255.254.255
!
route-map TO_EBGP permit 10
 match ip address 1
 match as-path 1
!
router bgp 1
 neighbor 10.0.0.2 route-map TO_EBGP out
 neighbor 10.0.0.6 route-map TO_EBGP out
To satisfy the condition that only BGP routes of R1's own AS with an even third octet are advertised, the route-map references both a standard ACL and an AS_PATH ACL, and the two are combined with AND.
An even number has 0 as its least significant bit. For the third octet, this means the ACL address has that bit set to 0, and the wildcard mask checks only that bit and ignores the other seven.
The combination of third-octet address “0” and wildcard mask “254” (binary 11111110) does exactly that. Standard ACL 1 is configured this way to identify network addresses with an even third octet.
Std ACL Network address 3rd octet “even”
access-list 1 permit 0.0.0.0 255.255.254.255
BGP routes originated in R1's own AS can be easily identified with AS_PATH ACL 1 because their AS_PATH attribute is empty.
AS_PATH ACL BGP routes of own AS
ip as-path access-list 1 permit ^$
Then, the route-map “TO_EBGP” references standard ACL 1 and AS_PATH ACL 1.
route-map Reference to standard ACL/AS_PATH ACL
route-map TO_EBGP permit 10
 match ip address 1
 match as-path 1
If multiple match conditions are specified, they are evaluated as AND. In other words, only route information for which both “the third octet of the network address is even (standard ACL 1)” and “BGP route of own AS (AS_PATH ACL 1)” hold satisfies the match condition. The action is “permit” because the corresponding BGP routes are to be advertised.
Finally, apply the route-map “TO_EBGP” in the out direction to neighbors 10.0.0.2 (R2) and 10.0.0.6 (R3).
After applying the route-map, the BGP route must be re-sent.
R1 BGP route re-sent
R1#clear ip bgp 10.0.0.2 out
R1#clear ip bgp 10.0.0.6 out
Step3: R1 Verify route-map out
Verify the BGP routes to be advertised from R1 to R2/R3.
- show ip bgp neighbor 10.0.0.2 advertised-routes
- show ip bgp neighbor 10.0.0.6 advertised-routes
R1 Verify route-map out
R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.4.0      0.0.0.0                  0         32768 i
 *>  192.168.6.0      0.0.0.0                  0         32768 i

Total number of prefixes 3

R1#show ip bgp neighbors 10.0.0.6 advertised-routes
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.4.0      0.0.0.0                  0         32768 i
 *>  192.168.6.0      0.0.0.0                  0         32768 i

Total number of prefixes 3
As per the condition, you can see that R1 advertises to R2/R3 only BGP routes in its own AS where the third octet of the network address is even.
Step4: R1 Configure route-map in From R2
Filter BGP routes received from R2 on R1 with route-map.
R1 Configure route-map in From R2
ip as-path access-list 2 permit _2$|_20$
!
route-map FROM_R2 permit 10
 match as-path 2
!
router bgp 1
 neighbor 10.0.0.2 route-map FROM_R2 in
AS_PATH ACL 2 matches an AS_PATH attribute that ends in “2” or “20”, that is, BGP routes generated by AS2 or AS20. The route-map “FROM_R2” identifies those routes by referencing AS_PATH ACL 2. The route-map action is “permit” because the corresponding BGP routes are to be received.
Then apply the route-map “FROM_R2” to neighbor 10.0.0.2 (R2) in the in direction. After applying the route-map, the BGP routes are received again from R2.
R1 Receive BGP route again From R2
R1#clear ip bgp 10.0.0.2 in
Step5: R1 Verify route-map in From R2
Verify the BGP routes received from R2 on R1 using the show ip bgp neighbor 10.0.0.2 routes command.
R1 Verify route-map in From R2
R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i

Total number of prefixes 2
You can see that the BGP routes received from R2 are limited to only those generated by AS2 or AS20.
Step6: R1 Configure route-map in From R3
Filter BGP routes received from R3 on R1 with route-map.
R1 Configure route-map in From R3
ip as-path access-list 2 permit _2$|_20$
!
route-map FROM_R3 deny 10
 match as-path 2
!
route-map FROM_R3 permit 999
!
router bgp 1
 neighbor 10.0.0.6 route-map FROM_R3 in
BGP routes generated by AS2 and AS20 must not be received from R3. Reuse AS_PATH ACL 2 from Step 4, which identifies BGP routes generated by AS2 and AS20.
Create route-map “FROM_R3” and reference AS_PATH ACL 2 in sequence 10. This makes the BGP routes generated by AS2 and AS20 the target of the route-map processing. Configure the route-map action as “deny” because these routes are not to be received.
If the route-map contains only a deny sequence, the implicit deny at the end will deny all BGP routes. Sequence 999 is configured to avoid that. The sequence number itself is arbitrary, as long as it is evaluated after sequence 10. Sequence 999 matches all routes because its match condition is omitted, so BGP routes that do not match sequence 10 are permitted in sequence 999.
Then apply the route-map “FROM_R3” to neighbor 10.0.0.6 (R3) in the in direction. After applying the route-map, the BGP routes are received again from R3.
R1 Receive BGP route again From R3
R1#clear ip bgp 10.0.0.6 in
Step7: R1 Verify route-map in From R3
Verify the BGP routes received from R3 on R1 using the show ip bgp neighbor 10.0.0.6 routes command.
R1 Verify route-map in From R3
R1#show ip bgp neighbors 10.0.0.6 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i

Total number of prefixes 2
No BGP routes generated by AS2 or AS20 are received from R3.
Configuration Summary
The commands related to the route-map for R1, configured from the initial state, are as follows
R1 BGP route filter with route-map configuration summary
router bgp 1
 neighbor 10.0.0.2 route-map FROM_R2 in
 neighbor 10.0.0.2 route-map TO_EBGP out
 neighbor 10.0.0.6 route-map FROM_R3 in
 neighbor 10.0.0.6 route-map TO_EBGP out
!
ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit _2$|_20$
!
route-map FROM_R3 deny 10
 match as-path 2
!
route-map FROM_R3 permit 999
!
route-map FROM_R2 permit 10
 match as-path 2
!
route-map TO_EBGP permit 10
 match ip address 1
 match as-path 1
!
access-list 1 permit 0.0.0.0 255.255.254.255
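The three route-maps above can be checked offline against the routes shown in Step 1. The following Python model is an added example, not part of the original article and not IOS code: the function names are assumptions, the route lists are transcribed from the Step 1 output, and the handling of "_" only approximates IOS regular expressions.

```python
import ipaddress
import re

def acl_match(addr, base, wildcard):
    """Standard ACL test: bits where the wildcard is 0 must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def aspath_match(ios_regex, as_path):
    """IOS '_' matches a delimiter or the start/end of the AS_PATH string."""
    return re.search(ios_regex.replace("_", r"(?:^|$|[ ,{}()])"), as_path) is not None

def route_map(entries, prefix, as_path):
    """First sequence whose match lines ALL hit decides; no hit = implicit deny."""
    for action, conds in entries:
        if all(cond(prefix, as_path) for cond in conds):
            return action == "permit"
    return False

def filter_routes(entries, routes):
    return [p for p, path in routes if route_map(entries, p, path)]

# The page's ACLs expressed as match conditions
even_third = lambda p, path: acl_match(p, "0.0.0.0", "255.255.254.255")  # access-list 1
own_as = lambda p, path: aspath_match("^$", path)          # ip as-path access-list 1
as2_as20 = lambda p, path: aspath_match("_2$|_20$", path)  # ip as-path access-list 2

TO_EBGP = [("permit", [even_third, own_as])]
FROM_R2 = [("permit", [as2_as20])]
FROM_R3 = [("deny", [as2_as20]), ("permit", [])]   # sequence 999 has no match line

# Routes transcribed from the Step 1 output (prefix, AS_PATH; "" = locally originated)
R1_TABLE = [("10.2.2.0", "2"), ("10.2.20.0", "2 20"), ("10.3.3.0", "3"),
            ("10.3.30.0", "3 30")] + [(f"192.168.{n}.0", "") for n in range(1, 7)]
FROM_R2_IN = [("10.2.2.0", "2"), ("10.2.20.0", "2 20"),
              ("10.3.3.0", "2 3"), ("10.3.30.0", "2 3 30")]
FROM_R3_IN = [("10.2.2.0", "3 2"), ("10.2.20.0", "3 2 20"),
              ("10.3.3.0", "3"), ("10.3.30.0", "3 30")]

if __name__ == "__main__":
    print("to R2/R3  :", filter_routes(TO_EBGP, R1_TABLE))
    print("from R2   :", filter_routes(FROM_R2, FROM_R2_IN))
    print("from R3   :", filter_routes(FROM_R3, FROM_R3_IN))
    # ACL 1 alone also passes transit prefixes with an even third octet
    print("ACL 1 only:", filter_routes([("permit", [even_third])], R1_TABLE))
    # Without sequence 999 the implicit deny drops everything from R3
    print("no seq 999:", filter_routes(FROM_R3[:1], FROM_R3_IN))
```

The "ACL 1 only" case shows why TO_EBGP also needs the AS_PATH match: the wildcard mask ignores every bit except the lowest bit of the third octet, so 10.2.2.0, 10.2.20.0 and 10.3.30.0 pass the standard ACL as well.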