Restricting Networks Advertised to a BGP Peer
Problem
You want to restrict which routes your router advertises to another AS.
Solution
There are three ways to filter routes in BGP. The first one uses extended access lists and route maps, as follows:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 105 deny ip host 172.25.0.0 host 255.255.0.0
Router1(config)#access-list 105 permit ip any any
Router1(config)#route-map ACL-RT-FILTER permit 10
Router1(config-route-map)#match ip address 105
Router1(config-route-map)#exit
Router1(config)#route-map ACL-RT-FILTER deny 20
Router1(config-route-map)#exit
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 route-map ACL-RT-FILTER in
Router1(config-router)#exit
Router1(config)#end
Router1#
The second method uses a distribute-list:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 106 deny ip host 172.25.0.0 host 255.255.0.0
Router1(config)#access-list 106 permit ip any any
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 distribute-list 106 in
Router1(config-router)#exit
Router1(config)#end
Router1#
But the most common way to filter routes in BGP is to use prefix lists. The following example has a similar effect to the preceding ones:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip prefix-list PREFIX-FILTER seq 10 deny 172.25.0.0/16
Router1(config)#ip prefix-list PREFIX-FILTER seq 20 permit 0.0.0.0/0 le 32
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 prefix-list PREFIX-FILTER in
Router1(config-router)#exit
Router1(config)#end
Router1#
Discussion
In all of these examples, the router will suppress the route 172.25.0.0/16 from its BGP route table if it is received from the eBGP peer, 192.168.1.5. The first example uses route maps, the second one uses a distribute list, and the third uses prefix lists. Examples of route maps and access lists appear throughout this book, so they should already be somewhat familiar to the reader. You can use them for a variety of different applications, such as adjusting route tags, Local Preference, and BGP Weight values. Here we just use the route map to look at the incoming routes from a peer device and reject certain routes.
The access list in the first example uses a "deny" clause to suppress the unwanted route, and ends with a "permit" command to allow all other routes to pass normally:
Router1(config)#access-list 105 deny ip host 172.25.0.0 host 255.255.0.0
Router1(config)#access-list 105 permit ip any any
Then the route map uses this access list to define which routes are permitted to pass:
Router1(config)#route-map ACL-RT-FILTER permit 10
Router1(config-route-map)#match ip address 105
Then we have added an explicit deny all clause to the route map that simply rejects anything that the first clause hasn't matched:
Router1(config)#route-map ACL-RT-FILTER deny 20
Router1(config-route-map)#exit
Note that every route map ends with an implicit deny all clause, so this was not strictly necessary. But it does make our intentions more clear to the next person who reads this router configuration.
For the distribute list example, we have created a normal access list that specifies the routes that are to be either included or excluded from the distribution. This is almost identical to the route map technique that we discussed for RIP and EIGRP in Chapters 6 and 7, respectively.
Note also the rather odd construction of the extended access lists in both the route map and the distribute list examples. As we discuss in Chapter 19, the first address and wildcard pair usually refers to the source, and the second set refers to the destination. But in this case, we are actually trying to match specific route prefixes, and not source and destination addresses, so the meanings are somewhat different. When filtering routes with extended ACLs, the first address defines the prefix, while the second part of the ACL defines the length of the prefix. This particular ACL matches the prefix 172.25.0.0/16:
Router1(config)#access-list 105 permit ip host 172.25.0.0 host 255.255.0.0
If we had wanted to match the prefix 172.25.0.0/24 instead, we could have used an ACL that looks like this:
Router1(config)#access-list 105 permit ip host 172.25.0.0 host 255.255.255.0
Note that you can also use standard ACLs for route filtering, but the results can be a little strange. Suppose we had used this ACL instead of the one we discussed above:
Router1(config)#access-list 5 permit 172.25.0.0
This will match 172.25.0.0/16. But it doesn't specify the length of the prefix. So it will also match, for example, 172.25.0.0/24, if it exists. But it doesn't include any of the other subnets of 172.25.0.0/16, such as 172.25.1.0/24. We don't recommend using standard ACLs for route filtering because of this strange behavior.
Because it is so easy to get confused when using ACLs for matching prefixes, most people now prefer to use prefix lists instead.
Prefix lists provide another way of doing the same kind of filtering. But it is often considerably easier to create useful filters with prefix lists because they were designed specifically for this purpose. Look at the prefix list in the example:
Router1(config)#ip prefix-list PREFIX-FILTER seq 10 deny 172.25.0.0/16
Router1(config)#ip prefix-list PREFIX-FILTER seq 20 permit 0.0.0.0/0 le 32
The first line of this list rejects the prefix 172.25.0.0/16. The second line explicitly allows all other prefixes. Notice that there is a sequence number in each line, specified by the argument of the seq keyword. This provides a convenient way of either inserting or removing new lines in the middle of a prefix list, as well as at the beginning or the end.
We suggest that you space these numbers in steps of 10, as we have done here, so that you can easily add lines. If you use a smaller step size between sequence numbers, you might find that there isn't enough room to add new rules. When this happens, you will have to delete the entire set of rules and re-enter the commands with new sequence numbers.
Prefix lists show their real power when you want to deal with subnets. For example, suppose what you actually wanted to do was reject all of the subnets of 172.25.0.0/16, while allowing a single summary route for the entire network. You could do this with the following prefix list:
Router1(config)#ip prefix-list PRE-RTFILTER seq 10 deny 172.25.0.0/16 ge 17
Router1(config)#ip prefix-list PRE-RTFILTER seq 20 permit 0.0.0.0/0 le 32
The first line rejects any subnets of 172.25.0.0/16 that have a prefix length of 17 bits or longer. So this would include, for example, 172.25.15.8/30, 172.25.100.0/24, and 172.25.252.0/22. But this rule does not suppress the summary route, 172.25.0.0/16, itself because it has a prefix length of only 16 bits. The rule only rejects prefixes that are 17 or more bits long.
This also helps to clarify the meaning of the second line of the prefix list. This line looks at any subnets of 0.0.0.0/0, which is the entire IPv4 address range, and matches anything with a prefix length of 32 bits or less, which is everything.
You can also combine the ge and le keywords to create useful lists. For a slightly artificial example, if you wanted to permit all routes with prefixes of 8 to 16 bits, but nothing longer and nothing shorter, you could use the following single line prefix list:
Router1(config)#ip prefix-list CLASS-A-B permit 0.0.0.0/0 ge 8 le 16
This also shows that you can match on prefix length independently of the actual network number. Notice also that we have omitted the sequence number in this example. By default, the router will rewrite this command and store it with a default sequence number of 5 as follows:
ip prefix-list CLASS-A-B seq 5 permit 0.0.0.0/0 ge 8 le 16
If we were to then add another line to this list, the router would automatically give it sequence number 10, always incrementing in steps of 5. But we recommend using explicit sequence numbers to ensure that things are in the order you expect.
Here is a similar example that selects only the subnets of 172.25.0.0/16 that are between 19 and 24 bits long:
Router1(config)#ip prefix-list BIG-SUBNETS permit 172.25.0.0/16 ge 19 le 24
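To make the ge/le matching rules and the first-match-then-implicit-deny behaviour concrete, here is an added Python model of how IOS evaluates a prefix list against candidate routes. It is not code from the book or from IOS; the parser accepts the exact command syntax shown above (including lines with no seq, which get the default 5, 10, 15 numbering), and the sample list it loads is the PRE-RTFILTER list from this recipe, deliberately entered out of order to show that sequence numbers, not entry order, decide precedence.

```python
import ipaddress

def parse_prefix_list(lines):
    """Parse IOS 'ip prefix-list NAME [seq N] permit|deny PFX [ge X] [le Y]' lines.
    Missing sequence numbers get the IOS default: 5, then highest + 5.
    Returns entries sorted by sequence number (the order IOS evaluates them)."""
    entries, last_seq = [], 0
    for line in lines:
        tok = line.split()
        i = 3                                   # tok[0:3] == ip prefix-list NAME
        if tok[i] == "seq":
            seq, i = int(tok[i + 1]), i + 2
        else:
            seq = last_seq + 5
        action, network = tok[i], ipaddress.IPv4Network(tok[i + 1])
        ge = le = None
        for key, val in zip(tok[i + 2::2], tok[i + 3::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        entries.append((seq, action, network, ge, le))
        last_seq = max(last_seq, seq)
    return sorted(entries, key=lambda e: e[0])

def entry_matches(entry, route):
    """IOS semantics: the route's first L bits must equal the entry prefix
    (L = entry prefix length) and the route length must fall in [lo, hi]:
    no ge/le -> exactly L; ge only -> [ge, 32]; le only -> [L, le]; both -> [ge, le]."""
    _, _, network, ge, le = entry
    if not route.subnet_of(network):            # first L bits differ -> no match
        return False
    lo = ge if ge is not None else network.prefixlen
    hi = le if le is not None else (32 if ge is not None else network.prefixlen)
    return lo <= route.prefixlen <= hi

def evaluate(entries, prefix):
    """Return 'permit' or 'deny' for one route: first matching entry wins,
    and a route that matches no entry hits the implicit deny at the end."""
    route = ipaddress.IPv4Network(prefix)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1]
    return "deny"

# Constructed sample: the recipe's PRE-RTFILTER list, typed in out of order.
PRE_RTFILTER = parse_prefix_list([
    "ip prefix-list PRE-RTFILTER seq 20 permit 0.0.0.0/0 le 32",
    "ip prefix-list PRE-RTFILTER seq 10 deny 172.25.0.0/16 ge 17",
])

if __name__ == "__main__":
    for p in ("172.25.0.0/16", "172.25.100.0/24", "172.25.15.8/30", "10.0.0.0/8"):
        print(p, evaluate(PRE_RTFILTER, p))
```

Feeding the CLASS-A-B and BIG-SUBNETS lines from the text through the same functions reproduces the matches described above, which is a cheap way to sanity-check a filter before applying it to a live peer.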
Once you have created a prefix list, you need to apply it to a neighbor statement by using the prefix-list keyword as follows:
Router1(config)#router bgp 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 65510
Router1(config-router)#neighbor 192.168.1.5 prefix-list PREFIX-FILTER in
You have to define the peer with a neighbor remote-as command before you can apply any special options like prefix lists to it. Otherwise, the router will simply reject the command.
Notice the keyword in at the end of the neighbor command. As with route maps, you can assign a prefix list either inbound or outbound by using the keywords in or out, respectively, at the end of the line.