Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
642
Views
10
Helpful
3
Replies

ASR9000 bgp route-policy and interface access-group

wfqk
Level 5
Level 5

‎05-26-2016 08:44 PM - edited ‎03-05-2019 04:05 AM

Hi, In ASR9000, we can see a route-policy when show bgp neighbor x.x.x.x. This route-policy is for filtering prefix. but under interface for connection to bgp peer x.x.x.x, we also can see an access-group, which also is for filtering prefix. My question is what is relation between the two configurations? why do we use two configuratin for filter? Thank you

Labels:
0 Helpful
3 Replies 3

David_Che
Level 1
Level 1

‎05-27-2016 01:30 AM

Under interface configuration access-group was used to filter data-plane traffic, including any kind of IP packet, of course, BGP packet is due to be filtered as BGP is one kind of IP packet. In toher words, it only permit some IP packet into this interface, and deny other IP packet from entering into this interface.

Route-policy under BGP process configuration was used to filter control-plane traffic , in this case, that is filter IP ROUTE PREFIX in BGP route advertisement. In other words, it only permit some IP prefix enter into local BGP table, and deny other IP prefix from enter into local BGP table. 

HTH

wfqk
Level 5
Level 5
In response to David_Che

‎05-27-2016 07:53 AM

Thank you so much for your reply. 

Lets suppose some PREFIX are covered by interface access-group and BGP route-policy, if we want the PREFIX go through to the bgp peer, the PREFIX must be permitted by both route-policy and access-group at the same time, ether of both could block the traffic, right?

0 Helpful

David_Che
Level 1
Level 1
In response to wfqk

‎05-27-2016 09:08 AM

 Under interface configuration you need to permit bgp session like the below:

ip extended access-list PERMIT_BGP

 permit tcp host x.x.x.x host y.y.y.y eq BGP

 permit tcp host y.y.y.y host x.x.x.x eq BGP

This ACL can make it possible for BGP established BGP session.

Then you need to create IP prefix access-list to permit PREFIX to enter local BGP table.

then applied it into route-map under BGP configuration like

router bgp xxxx

neighbor xx.xx.xx.xx route-map PERMIT-PREFIX.

HTH

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card