BGP Update Filtering

Pouyaism
Level 1

Hi everyone.

I have a big problem. Consider the scenario below. I want to advertise 1.1.1.0/24 from R1 to R2, but when R2 advertises this prefix to R3, I want to filter a /32 IP address (1.1.1.10) and permit the rest of the prefix.

I tried many ways, but none of them worked.

Is it possible? If yes, how?


12 Replies

Hello
A couple of ways you could do this are to apply a BGP filter:

R2
ip prefix-list STAN seq 5 deny 1.1.1.10/32
ip prefix-list STAN seq 99 permit 0.0.0.0/0 le 32
!
router bgp 200
 neighbor <AS 300 peer> prefix-list STAN out

or

ip prefix-list STAN seq 5 permit 1.1.1.10/32
!
route-map PF-RM deny 10
 match ip address prefix-list STAN
route-map PF-RM permit 100
!
router bgp 200
 neighbor <AS 300 peer> route-map PF-RM out




Kind Regards
Paul

It will not filter in any way.

BGP will advertise the /24 in the update message, not the /32.

So no filter can filter something that does not exist.

MHM

Harold Ritter
Level 12

Hi @Pouyaism ,

I am not sure I understand your end goal, but if it is to make sure that R2 drops traffic destined to 1.1.1.10/32 and passes traffic destined to the rest of 1.1.1.0/24, this could be accomplished by advertising two routes (/24 and /32) from R1 to R2. The /32 route would have a next hop that resolves to interface null0 on R2, therefore dropping traffic destined to 1.1.1.10/32. The /32 would also have the no-export community set so that it does not get announced from R2 to R3.

This is how remotely triggered black hole filtering works. For more information on this technique, please refer to the following document:

https://learningnetwork.cisco.com/s/article/remotely-triggered-black-hole-filtering-dos-mitigation

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

How does he configure R2 to accept two IPs from the same subnet?

He wants to advertise the whole /24 except one /32 via BGP.

And that cannot be done with any filter.

Blackhole works in the control plane; here he cannot change that.

He needs an ACL to drop data traffic from a specific source, but not advertise it.

MHM

Hi @MHM Cisco World ,

> How does he configure R2 to accept two IPs from the same subnet?

Advertising 1.1.1.0/24 and 1.1.1.10/32 is not a problem.

> He wants to advertise the whole /24 except one /32 via BGP.
>
> And that cannot be done with any filter.

The goal is most probably to make sure no traffic from R3 reaches 1.1.1.10, while traffic for the rest of 1.1.1.0/24 still does. In networking, there is always more than one way to achieve a goal.

> Blackhole works in the control plane; here he cannot change that.

Using Remotely Triggered Black Hole (RTBH) will allow forwarding all traffic to 1.1.1.10/32 to null0 on R2.

> He needs an ACL to drop data traffic from a specific source, but not advertise it.

With RTBH, no ACL is needed. Traffic is just forwarded to null0.

Regards,

 

Harold Ritter

I checked this. It is unusual, but it can work.
First, R1 cannot in any way advertise or have 1.1.1.10/32 to any other router.
BUT
if he adds R4 and makes it the trigger, and configures null0 in R2, then he can drop packets for 1.1.1.10/32 in R2 (there is iBGP between R2 and R4).
This makes R2 unable to connect to 1.1.1.10/32 anymore.
Also, even if we use no-export, R3 cannot connect to 1.1.1.10/32 either, since the path passes through R2.

MHM

Hi @MHM Cisco World ,

> First, R1 cannot in any way advertise or have 1.1.1.10/32 to any other router.

Can you tell me why this can't be done?

R1:

ip route 1.1.1.10 255.255.255.255 f0/1
!
router bgp 100
 network 1.1.1.10 mask 255.255.255.255
 network 1.1.1.0 mask 255.255.255.0

Regards,

 

Harold Ritter

@Harold Ritter

I really don't know how we can configure this with the three routers in his topology.

Can you share the full config?

Thanks

MHM

Hi @MHM Cisco World ,

It would look something like this on R1 and R2. R3 does not need to be changed.

R1:

router bgp 100
 network 1.1.1.10 mask 255.255.255.255
 network 1.1.1.0 mask 255.255.255.0
 neighbor 192.168.12.2 remote-as 200
 neighbor 192.168.12.2 route-map RTBF out
!
route-map RTBF permit 10
 match ip address prefix-list RTBF
 set community no-export
 set ip next-hop 192.0.2.1
route-map RTBF permit 20
!
ip prefix-list RTBF seq 5 permit 1.1.1.10/32
!
ip route 1.1.1.10 255.255.255.255 f0/1

R2:

router bgp 200
 neighbor 192.168.12.1 remote-as 100
 ! ebgp-multihop allows the next hop 192.0.2.1 (not on the shared link) to be accepted
 neighbor 192.168.12.1 ebgp-multihop
!
ip route 192.0.2.1 255.255.255.255 null0

Regards,

Harold Ritter
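As an added illustration (constructed here, not code from the thread or from Cisco), a small Python model of the two points argued above: Paul's STAN prefix-list on R2 only ever sees the prefixes present in the UPDATE, so it cannot carve 1.1.1.10/32 out of a 1.1.1.0/24 announcement, while Harold's RTBH config makes R2's forwarding table drop that one host through a next hop that resolves to null0 and keeps the /32 off the R2-R3 session with no-export. The connected link 192.168.12.0/24, the interface name Fa0/0 and the community handling are assumptions; the other prefixes and next hops are the ones from the thread.

```python
import ipaddress

# Constructed model (not Cisco code, not from the thread): a prefix-list on R2
# only sees the prefixes in the UPDATE, so it cannot carve 1.1.1.10/32 out of a
# 1.1.1.0/24 announcement; the RTBH design drops the host in R2's forwarding
# table instead, via a next hop that resolves to null0.
# Paul's STAN list as (action, network, ge, le); None = not specified.
STAN = [("deny", "1.1.1.10/32", None, None), ("permit", "0.0.0.0/0", None, 32)]

def prefix_list_permits(entries, prefix):
    """Cisco-style match: prefix inside the entry's network with length in
    [ge, le]; with neither given the length must equal the entry's. Implicit deny."""
    p = ipaddress.ip_network(prefix)
    for action, net, ge, le in entries:
        n = ipaddress.ip_network(net)
        lo = n.prefixlen if ge is None else ge
        hi = (n.prefixlen if ge is None else n.max_prefixlen) if le is None else le
        if p.subnet_of(n) and lo <= p.prefixlen <= hi:
            return action == "permit"
    return False

# R2's forwarding table after Harold's config; the connected link and the
# interface name are assumed, the other entries are from the thread.
R2_FIB = [
    ("192.168.12.0/24", "Fa0/0"),    # assumed connected link to R1
    ("1.1.1.0/24", "192.168.12.1"),  # /24 learned from R1
    ("1.1.1.10/32", "192.0.2.1"),    # /32 with next hop rewritten by R1's route-map
    ("192.0.2.1/32", "null0"),       # static discard route on R2
]

def lookup(fib, dst):
    """Longest-prefix match: next hop of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), nh) for n, nh in fib]
    hits = [(n, nh) for n, nh in hits if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(fib, dst, max_depth=4):
    """Resolve the next hop recursively (BGP next hop -> static/connected route)
    until an interface name is reached; None if unresolvable or looping."""
    nh = lookup(fib, dst)
    for _ in range(max_depth):
        if nh is None or not nh[0].isdigit():  # interface name such as null0
            return nh
        nh = lookup(fib, nh)
    return None

# Routes tagged no-export are not announced on R2's eBGP session to R3.
ROUTES_ON_R2 = {"1.1.1.0/24": set(), "1.1.1.10/32": {"no-export"}}
def ebgp_export(routes):
    return sorted(p for p, comms in routes.items() if "no-export" not in comms)
```

Running it shows the /24 passing STAN untouched (the deny entry never matches), 1.1.1.10 resolving to null0 while 1.1.1.20 resolves to the link toward R1, and only the /24 leaving toward R3.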

In R1 there are two routes, one directly connected and another static /32 pointing to the same interface as the directly connected one.
It is accepted in the config, but BGP never considers it; BGP advertises only the /24.

I checked in R4 and via the update,
so as I mentioned before, we cannot use any filter, since R1 never advertises the /32 prefix.
Note: I also added no auto-summary and had the same issue.
R4 sees only the /24.

So in any case we cannot use the R1 control plane to filter traffic.
We can do a blackhole in R4 by adding a route to null0 for the /32 (this will make any connection to the /32 drop, whatever its source),

or apply an ACL in R1 to deny traffic coming from a specific source.


Hi @MHM Cisco World , 

Please try the configs I provided.

BTW, in your example the bgp network statement (10.0.0.1/32) doesn't match the static route (10.0.0.10/32). This is why BGP doesn't advertise the /32.

Regards,

Harold Ritter

Sure sure @Harold Ritter 

I will apply your config and share details

Thanks 

MHM
