
Filtering BGP advertisements, routes, etc.

CiscoPurpleBelt (Level 6)

What would be the best way to filter route advertisements from and to a BGP neighbor with keeping flexibility in mind in case requirements change in future? Would it be just to create prefix-list then apply that to a route-map?


10 Replies

Yes, it can be done by prefix-list in the OUT direction.

Hello
Can you elaborate further on what you are trying to achieve regarding the flexibility?

Where are these routes originating from: external BGP or redistribution from an IGP?



Kind Regards
Paul

This is EBGP. No redistribution to IGP as of now.

I am basically seeing what would be best options where if any requirements change, I can make minimal or similar changes to support the requirements, in addition to BGP deployment best practices.

 

Let's say for now, I just want to advertise only certain subnets and receive only certain subnets from my EBGP neighbor. But what if later IGP is implemented and so I would need to do more. I just want to confirm if maybe doing a route-map right now would be a more flexible way to do things or should I let's say create one prefix-list allowing both the subnets I want to receive and advertise and apply this prefix-list to in and out direction under BGP to keep things simple? Or is it best to always have a prefix list for routes I want to receive from neighbor, another list for routes I want to advertise, etc.?

Hello @CiscoPurpleBelt ,

the greatest flexibility is achieved by using route-maps for different reasons:

they can match on different BGP attributes and not only on the prefix.

It is easy to add a new route-map block / clause with new additional criteria for allowing prefixes to be advertised or received.

 

Please note that the route-map in this type of application has an implicit deny any.

This can be reverted by using an empty last route-map block with action permit.

 

Sometimes a reverse logic can be easier: in that case you first use route-map blocks with deny actions to filter some prefixes and you end with an empty permit block to permit everything that has not matched previous route-map clauses.

 

Hope to help

Giuseppe
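The two clause styles Giuseppe describes, written out as an added example (this is not config from the thread or from Cisco documentation). The neighbor and AS numbers follow the lab in this thread; the assumption that AS 2 originates its loopbacks from 2.0.0.0/16, the as-path list and the UNWANTED prefix-list are made up for illustration.

```cisco
! Added example (not part of the thread). Assumed: AS 2 originates its loopbacks
! from 2.0.0.0/16; everything else mirrors the lab in this thread.
!
! ---- Style 1: explicit permits, relying on the implicit deny ----
! Only prefixes matched by a permit clause get in. Anything not listed is
! dropped by the route-map's implicit "deny any", so a missing entry is a
! silent drop, not an error.
ip prefix-list AS2_LOOPBACKS seq 10 permit 2.0.0.0/16 ge 32
!
route-map AS2_IN permit 10
 description loopbacks agreed with AS 2
 match ip address prefix-list AS2_LOOPBACKS
!
! A new requirement becomes a new clause instead of a rewrite: also accept
! anything AS 2 itself originates (AS path is exactly "2"), but prefer it less.
ip as-path access-list 2 permit ^2$
!
route-map AS2_IN permit 20
 description anything originated by AS 2, lower preference
 match as-path 2
 set local-preference 90
!
! ---- Style 2: deny the unwanted, then an empty permit for the rest ----
! The final clause has no match statement, so it matches every remaining
! prefix and cancels the implicit deny. Only use this where "accept all
! except ..." is really the policy.
ip prefix-list UNWANTED seq 10 permit 0.0.0.0/0
ip prefix-list UNWANTED seq 20 permit 0.0.0.0/0 ge 25
ip prefix-list UNWANTED seq 30 permit 10.0.0.0/8 le 32
ip prefix-list UNWANTED seq 40 permit 172.16.0.0/12 le 32
ip prefix-list UNWANTED seq 50 permit 192.168.0.0/16 le 32
!
route-map AS2_IN_PERMISSIVE deny 10
 description default route, anything longer than /24, RFC 1918 space
 match ip address prefix-list UNWANTED
route-map AS2_IN_PERMISSIVE permit 20
 description empty clause: permit everything not denied above
!
! Only one of the two maps can be applied inbound to a given neighbor.
router bgp 1
 address-family ipv4
  neighbor 172.25.140.2 route-map AS2_IN in
 exit-address-family
```

In style 1 the prefix-list entry `2.0.0.0/16 ge 32` matches every /32 inside that block, so a new AS 2 loopback needs no config change on this side; in style 2 the entry `0.0.0.0/0 ge 25` is the usual way to drop anything more specific than a /24 while `0.0.0.0/0` alone matches only the default route.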

 

So in my lab I am trying to configure using address family (Cisco docs can be a bit confusing). Verified it is working, but perhaps the configs could be better, as I only see one route from AS2 when it is advertising about 3. If I want to also use the same prefix-list to filter what I am advertising to my neighbor, should I just simply apply the RM in the OUT direction, or is it best to create another prefix-list for advertised routes? Is it really even necessary, as if I don't configure the "network X.X.X.X mask" command under the corresponding address-family it would not advertise what I don't want anyway.

See applicable configs below and I appreciate everyone's feedback.

 

interface Loopback0
ip address 1.0.0.1 255.255.255.255
!
interface Loopback1
ip address 1.0.1.1 255.255.255.255
!
interface Loopback2
ip address 1.0.2.1 255.255.255.255
!
interface Loopback3
ip address 1.0.3.1 255.255.255.255
!
interface GigabitEthernet1
ip address 172.25.140.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
!
router bgp 1
bgp log-neighbor-changes
neighbor 172.25.140.2 remote-as 2
!
address-family ipv4
network 1.0.0.1 mask 255.255.255.255
network 1.0.1.1 mask 255.255.255.255
network 1.0.2.1 mask 255.255.255.255
network 1.0.3.1 mask 255.255.255.255
neighbor 172.25.140.2 activate
neighbor 172.25.140.2 route-map BGP_RM in
exit-address-family

!
ip prefix-list BGP_AS2_PL seq 10 permit 2.0.0.1/32
!
route-map BGP_RM permit 10
match ip address prefix-list BGP_AS2_PL
!

 

 

In my experience it is extremely unusual to have a route map that works correctly applied both in and out. I would recommend one route map for in and a different route map for out.

 

I have these comments about this: "as I only see one route from AS2 when it is advertising about 3"

Let us look at several statements in your config

This statement establishes that the neighbor in AS 2 uses a route map

neighbor 172.25.140.2 route-map BGP_RM in

These statements establish that the route map uses a prefix list

route-map BGP_RM permit 10
match ip address prefix-list BGP_AS2_PL

And here it establishes that the prefix list permits only a single prefix

ip prefix-list BGP_AS2_PL seq 10 permit 2.0.0.1/32

Remember that with prefix lists (much like access lists), what is not permitted is denied. So if the prefix list permits a single prefix then the other prefixes are denied.

HTH

Rick

Hi Richard,

 

Yes, I was listing 3 networks, however advertising one just to test my prefix, route-map, etc. If I am controlling what networks I am advertising under the address-family, is it really necessary to create a filter for what I am advertising to the neighbor as well?

Do my BGP configs overall look correct?

 

So are you suggesting I should create another prefix list and tie that to another route-map and apply it in the outbound direction, or just create another prefix list and apply it to the same route-map, then apply that route-map OUT as such:

 

router bgp 1
bgp log-neighbor-changes
neighbor 172.25.140.2 remote-as 2
!
address-family ipv4
network 0.0.0.0
network 1.0.0.1 mask 255.255.255.255
network 1.0.1.1 mask 255.255.255.255
network 1.0.2.1 mask 255.255.255.255
network 1.0.3.1 mask 255.255.255.255
neighbor 172.25.140.2 activate
neighbor 172.25.140.2 route-map BGP_RM in
neighbor 172.25.140.2 route-map BGP_RM out
exit-address-family

 


ip prefix-list BGP_AS2_PL seq 10 permit 2.0.0.1/32
ip prefix-list BGP_AS2_PL seq 20 permit 1.0.0.1/32
ip prefix-list BGP_AS2_PL seq 30 permit 1.0.1.1/32
!
ip prefix-list BGP_AS2__ADV_PL seq 10 permit 1.0.1.1/32
!
route-map BGP_RM permit 10
match ip address prefix-list BGP_AS2_PL
!
route-map BGP_RM permit 20
match ip address prefix-list BGP_AS2__ADV_PL

 

You ask an interesting question: "If I am controlling what networks I am advertising under the address-family, is it really necessary to create a filer for what I am advertising to the neighbor as well?" If you have a single neighbor then the specification in address family will control what you advertise to that neighbor. But if you have more than one neighbor then what you advertise to neighbors may be a combination of your local routes (specified in address family) and routes learned from other neighbors, and in that case you may very well want additional filtering.

 

You ask if the BGP configs look reasonable. I would say no. Your prefix lists suggest that 10.0.1.1 is received from the neighbor and is advertised to the neighbor. It is not reasonable to advertise to a neighbor routes that you learned from that neighbor. It would be much better to have one prefix list and one route map to control inbound advertisement and a different prefix list (or other type of filter) to control outbound advertisement.

HTH

Rick

So different prefix list and different route-map that it is applied to correct (one route-map for advertised routes OUT; other route-map for received routes IN)?

 

Also, if you have the "distribute connected" command configured, would you still need to enter those in the applicable prefix list to ensure they are advertised when a route-map is used?

If you have redistribute connected as part of your BGP configuration, and if you use a route map/prefix list to control outbound traffic advertised to your neighbor router then the prefix list would need statements that permit the redistributed subnets to be advertised.

HTH

Rick
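Putting Rick's three answers together as an added example (not config from the thread): one prefix-list and route-map per direction, the redistributed connected subnet explicitly permitted outbound, and the neighbor's own space denied outbound. Addresses follow the lab above; the 10.10.10.0/24 LAN on GigabitEthernet2 and the 2.0.1.1/32 and 2.0.2.1/32 prefixes from AS 2 are assumptions.

```cisco
! Added example (not config from the thread). It follows the lab addressing
! above; the GigabitEthernet2 subnet 10.10.10.0/24 and the three AS 2 loopback
! prefixes are assumptions.
!
interface GigabitEthernet2
 description LAN that reaches AS 2 through "redistribute connected"
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! Inbound: only the loopbacks we expect from AS 2. A default route or our own
! 1.0.0.0/16 space arriving from AS 2 hits the implicit deny.
ip prefix-list AS2_IN_PL seq 10 permit 2.0.0.1/32
ip prefix-list AS2_IN_PL seq 20 permit 2.0.1.1/32
ip prefix-list AS2_IN_PL seq 30 permit 2.0.2.1/32
!
route-map AS2_IN permit 10
 match ip address prefix-list AS2_IN_PL
!
! Outbound: the loopbacks we choose to announce plus the redistributed LAN.
! "redistribute connected" puts every connected prefix, the transit link
! 172.25.140.0/24 included, into the BGP table; whatever is not listed here
! is dropped by the outbound map. Without the 10.10.10.0/24 line the LAN
! would be dropped too, which is the point Rick makes above.
ip prefix-list AS2_OUT_PL seq 10 permit 1.0.0.1/32
ip prefix-list AS2_OUT_PL seq 20 permit 1.0.1.1/32
ip prefix-list AS2_OUT_PL seq 30 permit 10.10.10.0/24
!
! Guard clause: never send AS 2 its own space or the transit link, even if a
! later edit to AS2_OUT_PL adds one of them by mistake.
ip prefix-list NEVER_TO_AS2 seq 10 permit 2.0.0.0/8 le 32
ip prefix-list NEVER_TO_AS2 seq 20 permit 172.25.140.0/24
!
route-map AS2_OUT deny 10
 match ip address prefix-list NEVER_TO_AS2
route-map AS2_OUT permit 20
 match ip address prefix-list AS2_OUT_PL
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 172.25.140.2 remote-as 2
 !
 address-family ipv4
  network 1.0.0.1 mask 255.255.255.255
  network 1.0.1.1 mask 255.255.255.255
  network 1.0.2.1 mask 255.255.255.255
  network 1.0.3.1 mask 255.255.255.255
  redistribute connected
  neighbor 172.25.140.2 activate
  neighbor 172.25.140.2 soft-reconfiguration inbound
  neighbor 172.25.140.2 route-map AS2_IN in
  neighbor 172.25.140.2 route-map AS2_OUT out
 exit-address-family
!
! After editing a prefix-list or route-map, re-apply the policy without
! resetting the session, then check each direction on its own:
!   clear ip bgp 172.25.140.2 soft
!   show ip bgp neighbors 172.25.140.2 received-routes
!   show ip bgp neighbors 172.25.140.2 routes
!   show ip bgp neighbors 172.25.140.2 advertised-routes
! "received-routes" (everything AS 2 sent, before AS2_IN) needs the
! soft-reconfiguration inbound line above; "routes" is what survived AS2_IN
! and "advertised-routes" is what survived AS2_OUT.
```

Keeping the inbound and outbound lists separate is what makes the "1.0.1.1/32 in both lists" mistake from earlier in the thread impossible to make by accident, and the received-routes / advertised-routes pair shows, per direction, exactly which prefixes each map dropped.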