Overview

This is an example of BGP route filter configuration with route-map. Route-maps allow you to flexibly identify BGP routes to filter by referencing standard/extended ACLs, prefix-lists, and AS_PATH ACLs in the match condition.

Network Diagram

Figure BGP Route Filter route-map configuration example

Configuration Conditions

  • R1 advertises to R2/R3 only BGP routes in its own AS whose network address has an even third octet.
  • R1 receives only BGP routes generated by AS2 and AS20 from R2.
  • R1 should not receive BGP routes generated by AS2 and AS20 from R3.

Initial Configuration

The initial configuration regarding BGP of R1/R2/R3 is as follows.

R1 Initial Configuration

hostname R1
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.4.1 255.255.255.0 secondary
 ip address 192.168.5.1 255.255.255.0 secondary
 ip address 192.168.6.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.0.5 255.255.255.252
!
router bgp 1
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
 network 192.168.5.0
 network 192.168.6.0
 neighbor 10.0.0.2 remote-as 2
 neighbor 10.0.0.6 remote-as 3

R2 Initial Configuration

hostname R2
!
interface Loopback0
 ip address 10.2.20.2 255.255.255.0 secondary
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.0.9 255.255.255.252
!
router bgp 2
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 network 10.2.2.0 mask 255.255.255.0
 network 10.2.20.0 mask 255.255.255.0
 neighbor 10.0.0.1 remote-as 1
 neighbor 10.0.0.1 route-map AS_PATH out
 neighbor 10.0.0.10 remote-as 3
 neighbor 10.0.0.10 route-map AS_PATH out
!
route-map AS_PATH permit 10
 match ip address 1
 set as-path prepend 20
!
route-map AS_PATH permit 100
!
access-list 1 permit 10.2.20.0

R3 Initial Configuration

hostname R3
!
interface Loopback0
 ip address 10.3.30.3 255.255.255.0 secondary
 ip address 10.3.3.3 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.6 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.0.10 255.255.255.252
!
router bgp 3
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 network 10.3.3.0 mask 255.255.255.0
 network 10.3.30.0 mask 255.255.255.0
 neighbor 10.0.0.5 remote-as 1
 neighbor 10.0.0.5 route-map AS_PATH out
 neighbor 10.0.0.9 remote-as 2
 neighbor 10.0.0.9 route-map AS_PATH out
!
route-map AS_PATH permit 10
 match ip address 1
 set as-path prepend 30
!
route-map AS_PATH permit 100
!
access-list 1 permit 10.3.30.0

Configuration and Verification

Step1: Verify sending and receiving of BGP routes before applying route-map

Verify BGP routes sent and received before applying the route-map on R1.

  • show ip bgp neighbor 10.0.0.2 advertised-routes: Displays BGP routes advertised to R2.
  • show ip bgp neighbor 10.0.0.6 advertised-routes: Displays BGP routes advertised to R3.
  • show ip bgp neighbor 10.0.0.2 routes: Displays BGP routes received from R2.
  • show ip bgp neighbor 10.0.0.6 routes: Displays BGP routes received from R3.

First, verify the BGP routes advertised from R1 to R2/R3.

R1 BGP routes to be advertised to R2/R3 before applying filter

R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i
 *>  192.168.4.0      0.0.0.0                  0         32768 i
 *>  192.168.5.0      0.0.0.0                  0         32768 i
 *>  192.168.6.0      0.0.0.0                  0         32768 i

Total number of prefixes 10
R1#show ip bgp neighbors 10.0.0.6 advertised-routes
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i
 *>  192.168.4.0      0.0.0.0                  0         32768 i
 *>  192.168.5.0      0.0.0.0                  0         32768 i
 *>  192.168.6.0      0.0.0.0                  0         32768 i

Total number of prefixes 10

R1 advertises to its EBGP neighbors R2/R3 not only 192.168.1.0/24 through 192.168.6.0/24 in its own AS, but also BGP routes from outside its own AS.

Note that R1 automatically places EBGP neighbors R2 and R3 in the same update group, so the BGP routes advertised to R2 and R3 are exactly the same. As a result, a route received from a neighbor is sent back to that neighbor, but the neighbor finds its own AS number in the AS_PATH, considers the route a loop, and discards it.

The BGP routes received from R2/R3 are as follows.

R1 BGP routes received from R2/R3 before applying filter

R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i
 *   10.3.3.0/24      10.0.0.2                               0 2 3 i
 *   10.3.30.0/24     10.0.0.2                               0 2 3 30 i

Total number of prefixes 4
R1#show ip bgp neighbors 10.0.0.6 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *   10.2.2.0/24      10.0.0.6                               0 3 2 i
 *   10.2.20.0/24     10.0.0.6                               0 3 2 20 i
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i

Total number of prefixes 4

R1 receives not only BGP routes generated by AS2/AS20 from R2, but also BGP routes generated by AS3/AS30; the same applies to BGP routes received from R3.

Step2: R1 Configure route-map out

Configure a route-map filter that limits the BGP routes advertised from R1 to R2/R3 to only those routes in its own AS whose network address has an even third octet.

R1 Configure route-map out

ip as-path access-list 1 permit ^$
access-list 1 permit 0.0.0.0 255.255.254.255
!
route-map TO_EBGP permit 10
 match ip address 1
 match as-path 1
!
router bgp 1
 neighbor 10.0.0.2 route-map TO_EBGP out
 neighbor 10.0.0.6 route-map TO_EBGP out

To satisfy the condition that only BGP routes in R1's own AS with an even third octet are advertised, the route-map references both a standard ACL and an AS_PATH ACL, and the two are combined with AND.

An even number has a least significant bit of 0. Therefore, the address and wildcard mask that match an even value in one octet are as follows.

Figure combination of address and wildcard mask that means even number

For the third octet, the combination of address “0” and wildcard mask “254” matches even values: only the least significant bit is compared, and it must be 0. Standard ACL 1 is configured this way to identify network addresses with an even third octet.

Std ACL Network address 3rd octet “even”

access-list 1 permit 0.0.0.0 255.255.254.255

BGP routes originated in R1's own AS are easy to identify because their AS_PATH attribute is empty. AS_PATH ACL 1 matches an empty AS_PATH with the regular expression ^$.

AS_PATH ACL BGP routes of own AS

ip as-path access-list 1 permit ^$

Then, the route-map “TO_EBGP” references standard ACL 1 and AS_PATH ACL 1.

route-map Reference to standard ACL/AS_PATH ACL

route-map TO_EBGP permit 10
 match ip address 1
 match as-path 1

If multiple match conditions are specified in one sequence, they are evaluated as AND. In other words, only a route that satisfies both “the third octet of the network address is even (standard ACL 1)” and “BGP route of own AS (AS_PATH ACL 1)” matches. The action is “permit” because the matching BGP routes are to be advertised.

Finally, apply the route-map “TO_EBGP” to neighbors 10.0.0.2 (R2) and 10.0.0.6 (R3) in the out direction.

After applying the route-map, the BGP routes must be re-sent for the filter to take effect.

R1 BGP route re-sent

R1#clear ip bgp 10.0.0.2 out
R1#clear ip bgp 10.0.0.6 out

Step3: R1 Verify route-map out

Verify the BGP routes to be advertised from R1 to R2/R3.

  • show ip bgp neighbor 10.0.0.2 advertised-routes
  • show ip bgp neighbor 10.0.0.6 advertised-routes

R1 Verify route-map out

R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.4.0      0.0.0.0                  0         32768 i
 *>  192.168.6.0      0.0.0.0                  0         32768 i

Total number of prefixes 3
R1#show ip bgp neighbors 10.0.0.6 advertised-routes
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.4.0      0.0.0.0                  0         32768 i
 *>  192.168.6.0      0.0.0.0                  0         32768 i

Total number of prefixes 3

As per the condition, you can see that R1 advertises to R2/R3 only BGP routes in its own AS where the third octet of the network address is even.

Figure R1 verify route-map out

Step4: R1 Configure route-map in From R2

Filter BGP routes received from R2 on R1 with route-map.

R1 Configure route-map in From R2

ip as-path access-list 2 permit _2$|_20$
!
route-map FROM_R2 permit 10
 match as-path 2
!
router bgp 1
 neighbor 10.0.0.2 route-map FROM_R2 in

AS_PATH ACL 2 matches routes whose AS_PATH attribute ends in “2” or “20”, that is, BGP routes generated by AS2 or AS20. The route-map “FROM_R2” references AS_PATH ACL 2 to identify these routes. The route-map action is “permit” because the matching BGP routes are to be received.

Then apply the route-map “FROM_R2” to neighbor 10.0.0.2 (R2) in the in direction. After applying the route-map, have R1 receive the BGP routes from R2 again.

R1 Receive BGP route again From R2

R1#clear ip bgp 10.0.0.2 in

Step5: R1 Verify route-map in From R2

Verify the BGP routes received from R2 on R1 using the show ip bgp neighbor 10.0.0.2 routes command.

R1 Verify route-map in From R2

R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i

Total number of prefixes 2

You can see that the BGP routes received from R2 are limited to only those generated by AS2 or AS20.

Figure R1 Verify route-map in From R2

Step6: R1 Configure route-map in From R3

Filter BGP routes received from R3 on R1 with route-map.

R1 Configure route-map in From R3

ip as-path access-list 2 permit _2$|_20$
!
route-map FROM_R3 deny 10
 match as-path 2
!
route-map FROM_R3 permit 999
!
router bgp 1
 neighbor 10.0.0.6 route-map FROM_R3 in

R1 must not receive BGP routes generated by AS2 and AS20 from R3. Reuse AS_PATH ACL 2 from Step 4, which identifies BGP routes generated by AS2 and AS20.

Create route-map “FROM_R3” and reference AS_PATH ACL 2 in sequence 10. This makes the BGP routes generated by AS2 and AS20 the target of the route-map processing. Configure the route-map action as “deny” because these routes are not to be received.

If the route-map contains only a deny sequence, the implicit deny at the end drops every other BGP route as well. Sequence 999 is configured to avoid that. The sequence number itself is arbitrary, as long as it comes after sequence 10. Because its match condition is omitted, sequence 999 matches all routes, so BGP routes that do not match sequence 10 are permitted in sequence 999.

Then apply the route-map “FROM_R3” to neighbor 10.0.0.6 (R3) in the in direction. After applying the route-map, have R1 receive the BGP routes from R3 again.

R1 Receive BGP route again From R3

R1#clear ip bgp 10.0.0.6 in

Step7: R1 Verify route-map in From R3

Verify the BGP routes received from R3 on R1 using the show ip bgp neighbor 10.0.0.6 routes command.

R1 Verify route-map in From R3

R1#show ip bgp neighbors 10.0.0.6 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i

Total number of prefixes 2

No BGP routes generated by AS2 or AS20 are received from R3.

Figure R1 verify route-map in from R3

Configuration Summary

The commands related to the route-map for R1, configured from the initial state, are as follows:

R1 BGP route filter with route-map configuration summary

router bgp 1
 neighbor 10.0.0.2 route-map FROM_R2 in
 neighbor 10.0.0.2 route-map TO_EBGP out
 neighbor 10.0.0.6 route-map FROM_R3 in
 neighbor 10.0.0.6 route-map TO_EBGP out
!
ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit _2$|_20$
!
route-map FROM_R3 deny 10
 match as-path 2
!
route-map FROM_R3 permit 999
!
route-map FROM_R2 permit 10
 match as-path 2
!
route-map TO_EBGP permit 10
 match ip address 1
 match as-path 1
!
access-list 1 permit 0.0.0.0 255.255.254.255
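
The filter logic from Steps 2, 4 and 6 can be checked offline before it is applied to a router. The Python model below is an added example, not part of the original configuration: it evaluates the three route-maps against the routes shown in the pre-filter output above. The function names are hypothetical, and the translation of the IOS "_" metacharacter is an approximation that is sufficient for the patterns used on this page.

```python
import ipaddress
import re

def wildcard_match(addr, base, wildcard):
    """IOS standard ACL test: bits set to 1 in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def aspath_match(ios_regex, as_path):
    """Translate the IOS '_' metacharacter (start, end or delimiter) for Python's re."""
    return re.search(ios_regex.replace("_", r"(?:^|$|[ ,{}()])"), as_path) is not None

# Match conditions from the page; a route is a (network, as_path) tuple.
def acl_1(route): return wildcard_match(route[0], "0.0.0.0", "255.255.254.255")
def aspath_acl_1(route): return aspath_match("^$", route[1])
def aspath_acl_2(route): return aspath_match("_2$|_20$", route[1])

# Route-map entries in sequence order: (sequence, action, match conditions).
TO_EBGP = [(10, "permit", [acl_1, aspath_acl_1])]
FROM_R2 = [(10, "permit", [aspath_acl_2])]
FROM_R3 = [(10, "deny", [aspath_acl_2]), (999, "permit", [])]

def apply_route_map(entries, routes):
    """Return the networks that pass. The first sequence whose match conditions
    all hold decides; a route that matches no sequence hits the implicit deny."""
    passed = []
    for route in routes:
        for _seq, action, matches in entries:
            if all(m(route) for m in matches):  # AND; an empty list matches every route
                if action == "permit":
                    passed.append(route[0])
                break
    return passed

# Routes copied from the page's pre-filter "show ip bgp neighbors" output.
OWN = [("192.168.%d.0" % n, "") for n in range(1, 7)]
BGP_TABLE = [("10.2.2.0", "2"), ("10.2.20.0", "2 20"),
             ("10.3.3.0", "3"), ("10.3.30.0", "3 30")] + OWN
RECV_R2 = [("10.2.2.0", "2"), ("10.2.20.0", "2 20"),
           ("10.3.3.0", "2 3"), ("10.3.30.0", "2 3 30")]
RECV_R3 = [("10.2.2.0", "3 2"), ("10.2.20.0", "3 2 20"),
           ("10.3.3.0", "3"), ("10.3.30.0", "3 30")]

if __name__ == "__main__":
    print("TO_EBGP out :", apply_route_map(TO_EBGP, BGP_TABLE))
    print("ACL 1 alone :", apply_route_map([(10, "permit", [acl_1])], BGP_TABLE))
    print("FROM_R2 in  :", apply_route_map(FROM_R2, RECV_R2))
    print("FROM_R3 in  :", apply_route_map(FROM_R3, RECV_R3))
    print("no seq 999  :", apply_route_map(FROM_R3[:1], RECV_R3))
```

The "ACL 1 alone" line shows why TO_EBGP also needs the AS_PATH match: 10.2.2.0, 10.2.20.0 and 10.3.30.0 have even third octets too. The "no seq 999" line shows the implicit deny dropping every route received from R3.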