BGP filtering

roussillon
Level 1

Hi you all.

I am new to BGP and I am trying filtering.

Let's say for our peering we have this config:

router bgp 30000
 no synchronization
 no bgp fast-external-fallover
 bgp log-neighbor-changes
 bgp dampening
 network .......
 neighbor Myneighbor remote-as 60000
 neighbor Myneighbor send-community
 neighbor Myneighbor soft-reconfiguration inbound
 neighbor Myneighbor filter-list 1 out
 no auto-summary

ip as-path access-list 1 permit ^$

If I change the config as follows:

 neighbor Myneighbor remote-as 60000
 neighbor Myneighbor send-community
 neighbor Myneighbor soft-reconfiguration inbound
 neighbor Myneighbor filter-list 1 out
 neighbor Myneighbor filter-list 2 in
 no auto-summary

ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny any
ip as-path access-list 2 permit ^60000_[0-9]*$
ip as-path access-list 2 deny any

Will it be correct?

I think this is allowing incoming routes originated on my peer and the AS related to it. Also, I am filtering in output the routes not originated in my AS.

Thanks


lejoe.thomas
Level 3

Hi Osvaldo,

Yes

Outbound Filter

ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny any

You'll only advertise networks that originated within your AS (30000) to the neighboring AS (60000).

Inbound Filter

ip as-path access-list 2 permit ^60000_[0-9]*$
ip as-path access-list 2 deny any

You'll only get networks that originated within AS 60000 and all of its directly attached ASes.

HTH

Lejoe
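An added example, not part of any post in this thread: a small Python checker that evaluates the two AS-path filters discussed above against sample AS paths, so a filter can be reviewed before it is applied to a live session. The function names and the sample AS paths are constructed for illustration, and the expansion of the IOS `_` token into a Python delimiter group is an approximation of IOS regex behaviour.

```python
import re

# Cisco IOS "_" matches a delimiter: start or end of string, space, comma,
# braces or parentheses. Python has no such token, so expand it (assumption:
# this approximation is close enough for plain AS_SEQUENCE paths).
_DELIM = r"(?:^|$|[ ,{}()])"

def ios_to_python(pattern):
    """Translate an IOS AS-path regex into a compiled Python regex."""
    return re.compile(pattern.replace("_", _DELIM))

def parse_as_path_lists(config):
    """Collect 'ip as-path access-list N permit|deny REGEX' lines per list."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*ip as-path access-list (\d+) (permit|deny) (\S+)\s*$", line)
        if m:
            number, action, pattern = m.groups()
            lists.setdefault(int(number), []).append((action, ios_to_python(pattern)))
    return lists

def evaluate(entries, as_path):
    """First matching entry wins; no match means the implicit deny applies."""
    for action, regex in entries:
        if regex.search(as_path):
            return action
    return "deny"

# The two filters from the thread, relying on the implicit deny at the end.
CONFIG = """
ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit ^60000_[0-9]*$
"""

# Constructed sample AS paths ("" is a locally originated route).
SAMPLES = ["", "60000", "60000 65001", "60000 65001 65002", "600001", "65001 60000"]

def report(config=CONFIG, samples=SAMPLES):
    """Return {list_number: {as_path: 'permit' | 'deny'}} for every sample."""
    lists = parse_as_path_lists(config)
    return {n: {p: evaluate(e, p) for p in samples} for n, e in lists.items()}

if __name__ == "__main__":
    for number, results in report().items():
        for path, action in results.items():
            print(f"list {number}: {path!r:22} -> {action}")
```

The `600001` sample shows why the `_` delimiter matters: without it, an AS number that merely begins with 60000 would pass the inbound filter.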

Mohamed Sobair
Level 7

Hi,

You can apply an outbound filter-list using a regular expression; however, you can't apply an inbound filter directly using a regular expression. Looking at your config, the correct config should be:

 neighbor Myneighbor remote-as 60000
 neighbor Myneighbor soft-reconfiguration inbound
 neighbor Myneighbor filter-list 1 out
 neighbor Myneighbor route-map BGP in

ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit ^60000_[0-9]*$

route-map BGP
 match as-path 2

Please refer to the link below:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml

HTH

Mohamed

Hi Mohamed,

You can apply an inbound filter directly using an AS-path access-list. Whether you achieve it using a route-map or directly using the neighbor filter-list depends on your objectives.

Lejoe

Mohamed Sobair
Level 7

Lejoe,

Could you please provide me with a documentation link describing regular expressions used with an inbound filter-list directly?

HTH

Mohamed

Hi Mohamed

Refer to the command reference for as-path access-list, which mentions that an inbound filter can be applied using neighbor filter-list.

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp2.html#wp1015697

An example

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a83.shtml

Most examples use a route-map to apply an as-path access-list inbound; this could probably be the reason for the confusion.

HTH

Lejoe

Thanks very much.

But there is something: as I am filtering on input, I will lose routes. If I add a last-resort route pointing to my peer (ip route 0.0.0.0 0.0.0.0 ip-myneighbor), will it solve this issue? Or is it required that my peer announce a default route?

Thanks

Hi Osvaldo,

If you are not getting complete routes then adding a default-route makes sense.

You can add a static default route

ip route 0.0.0.0 0.0.0.0 next-hop

or you could have your neighbor announce a default route.

e.g.: neighbor ip-address default-originate (assuming a static default route already exists on the router)

And if you want to use an explicit deny at the end of your as-path access-list, use the regular expression .* and not the keyword any:

ip as-path access-list 1 deny .*

HTH

Lejoe

Hi

I thank you very much.

I am getting the full routing table, but if I do the filtering I might lose routes. That is why I talked about a default route.

Thanks