Technical Guide

How To | Use Route Maps and Other Filters to Filter and Alter BGP and OSPF Routes

Introduction

ISPs transport large volumes of data. They often have to pay large amounts of money to transport their data through hired links, or through other providers' networks. Similarly, they can also charge money for transporting other ISPs' data through their network.

BGP: Concepts and Terminology

Before moving on to look at the filtering processes, it is important to first have some understanding of certain aspects of how BGP works. The following sections describe:

- BGP peers
- BGP updates
- Update attributes

BGP peers

Definition

Within the BGP protocol, the exchange of routing information is carried out between pairs of routers.

Update attributes

As mentioned above, each BGP update message contains a set of attributes. These attributes describe some of the properties of the routes, and can be used in making decisions about which routes to accept and which to reject. Some of the attributes are:

Origin: How a prefix came to be routed by BGP at the origin Autonomous System (AS).

BGP: Overview of the Available Filter Types

The following sections describe the various types of filters that can be applied to BGP updates and the hierarchy of the filters.

Difference and Relationship in BGP

                      KEY WORD IN COMMAND   DEFINABLE FILTER   WAY TO APPLY FILTERING
    ACL               access-list           Yes
    Distribute list   distribute-list                          Yes
    Prefix list       prefix-list           Yes                Yes
    AS path list      as-path               Yes
    Filter list       filter-list                              Yes
    Route map         route-map             Yes                Yes

                        WAY TO APPLY FILTERING
    DEFINABLE FILTER    DISTRIBUTE LIST   PREFIX LIST   FILTER LIST   ROUTE MAP
    ACL                 YES                                           YES
    Prefix list                           YES                         YES
    AS path list                                        YES           YES
    Route map                                                         YES

Examples for

Hierarchy of the Different Filters

For distribute filters (ACLs), path filters, and prefix filters, the order of application is not important. If an update is denied by any given filter, it is discarded immediately, and is not run through any of the other filters. If an update is permitted by one filter, it is passed through to the next filter to be considered. At the end, you end up with the set of updates that all the filters agree should not be discarded.
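
The rule above can be checked offline before a filter set goes onto a peer. The following Python model is an added example, not code from this guide or from AlliedWare Plus. It assumes that each list is evaluated first match wins with an implicit deny at the end, that an AS path is a space-separated string searched with a plain regular expression, and that a prefix list entry matches only the exact prefix and length; the sample updates are constructed.

```python
import re
from ipaddress import ip_network


def first_match(entries, matches):
    """Return the action of the first matching entry; deny if none matches."""
    for action, pattern in entries:
        if matches(pattern):
            return action
    return "deny"  # assumption: every list ends with an implicit deny


def as_path_filter(entries):
    """Entries are (action, regex); the regex is searched in the AS path string."""
    return lambda upd: first_match(
        entries, lambda rx: re.search(rx, upd["as_path"]) is not None)


def prefix_filter(entries):
    """Entries are (action, prefix); only an exact prefix and length match counts."""
    return lambda upd: first_match(
        entries, lambda p: ip_network(p) == ip_network(upd["prefix"]))


def run_filters(update, filters):
    """Apply each filter in turn; the first deny discards the update."""
    for name, flt in filters:
        if flt(update) == "deny":
            return ("discarded", name)
    return ("accepted", None)


def audit(updates, filters):
    """Return (prefix, as_path, verdict, deciding_filter) for each update."""
    return [(u["prefix"], u["as_path"]) + run_filters(u, filters) for u in updates]


# List contents taken from this guide's examples (AS path list "list1" and
# prefix list "test1"); combining them on one peer is an assumption made here.
PATH_LIST1 = [("deny", "23456"), ("permit", "34568")]
PREFIX_TEST1 = [("permit", "52.0.0.0/8")]
INBOUND = [("filter-list list1", as_path_filter(PATH_LIST1)),
           ("prefix-list test1", prefix_filter(PREFIX_TEST1))]

# Constructed sample updates (not captured from a real peer).
UPDATES = [
    {"prefix": "52.0.0.0/8", "as_path": "34568"},         # passes both filters
    {"prefix": "45.0.0.0/8", "as_path": "34568"},         # path ok, prefix not listed
    {"prefix": "52.0.0.0/8", "as_path": "34568 23456"},   # hits the explicit path deny
    {"prefix": "52.0.0.0/8", "as_path": ""},              # no path entry matches
    {"prefix": "52.0.0.0/8", "as_path": "34568 234567"},  # "23456" matches as a substring
]

if __name__ == "__main__":
    for row in audit(UPDATES, INBOUND):
        print(row)
```

Reversing the order of the filters changes which filter is reported as the one that discarded an update, but not the set of updates that is accepted.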

Basic configuration

This configuration gets the neighbor relationship established and some routes exchanged.

AlliedWare Plus switch

Create the second VLAN and associate port1.0.2 with it; assign IP addresses; and configure BGP.

    vlan database
     vlan 64 name v64
    interface port1.0.2
     switchport access vlan 64
    interface vlan1
     ip address 45.45.45.45/24
    interface vlan64
     ip address 64.64.64.64/4
    router bgp 34567
     redistribute connected
     neighbor 45.45.45.

Confirming the neighbor relationship

Check that each switch sees the interface route advertised from the other switch. On both the AlliedWare Plus and AlliedWare switches, use the command show ip route.

BGP: Configuring Distribute Filters

Distribute filters use ACLs (Access Control Lists) to filter particular routes on the basis of their prefixes. Distribute filters and prefix filters both filter individual routes out of BGP update packets. They are mutually exclusive.

About ACLs

From the point of view of route filtering, an ACL is one or more simple unnumbered filter entries, each with a prefix and an action of deny or permit.

Using ACLs as filters

When you have created an ACL, you can use it to filter incoming or outgoing update messages for a particular BGP peer, by using the following commands in BGP router mode for the AS.

3. Renew the route exchange by shutting down the neighbor, then bring it up again.

    awplus(config-router)# neighbor 45.45.45.46 shutdown
    awplus(config-router)# neighbor 45.45.45.46 no shutdown

4. Check that the IP route table no longer includes 52.0.0.0/8.

3. Check that the IP route table now includes all the routes.

    awplus(config-router)# do show ip route
    Codes: C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           * - candidate default

    B    45.0.0.0/8 [20/0] via 45.45.45.46, vlan1, 00:01:57
    C    45.45.45.0/24 is directly connected, vlan1
    B    52.0.0.0/8 [20/0] via 45.45.45.

7. Check that the IP route table no longer includes 52.0.0.0/8.

    awplus(config-router)# do show ip route
    Codes: C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           * - candidate default

    B    45.0.0.0/8 [20/0] via 45.45.45.46, vlan1, 00:00:08
    C    45.45.45.0/24 is directly connected, vlan1
    C    64.0.0.

4. Check that the IP route table no longer includes 52.0.0.0/8.

    awplus(config-router)# do show ip route
    Codes: C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           * - candidate default

    B    45.0.0.0/8 [20/0] via 45.45.45.46, vlan1, 00:05:30
    C    45.45.45.0/24 is directly connected, vlan1
    C    64.0.0.

BGP: Configuring AS Path Filters

To configure path filters we need to first understand something about AS path lists and how to use them.

AS path lists

Path filters use a construct known as an AS path list. An AS path list has a name and consists of one or more (unnumbered) entries. Each entry specifies:

- which AS paths to consider.
- whether the AS paths in question should be included or excluded from the list.

Using AS path lists as path filters

When an AS path list has been created, it can be applied to filter incoming or outgoing update messages for a particular BGP peer, by using the following commands in BGP router mode for the AS.

4. Shut down the neighbor, and then bring it up again.

    awplus(config-router)# neighbor 45.45.45.46 shutdown
    awplus(config-router)# neighbor 45.45.45.46 no shutdown

5. Check that the IP route table does not have the BGP routes from the AlliedWare neighbor in AS 34568 any more.

9. Check that the AS path list shows the two filter entries:

    awplus(config-router)# do show ip as-path-access-list
    AS path access list list1
        deny 23456
        permit 34568

Another example

An outgoing filter that uses an AS-path list

1. Create an AS-PATH list that denies empty AS Paths, but allows AS Paths that contain the AS number 34567.

    ip as-path access-list example deny ^$
    ip as-path access-list example permit 34567

2. Apply this as the out route map for neighbor 45.45.45.

BGP table, the AS Path for the learnt routes is shown as "SEQ 34567". This entry is inserted into the AS-Path of the updates after they have passed through the filter.

BGP: Configuring Prefix Filters

Prefix filters use prefix lists to filter particular routes on the basis of their prefixes. Prefix filters and distribute filters both filter individual routes out of BGP update packets. They are mutually exclusive.

About prefix lists

A prefix list is a list of prefix entries.

Using prefix lists as prefix filters

When you have created a prefix list, you can use it to filter incoming or outgoing update messages for a particular BGP peer, by using the following commands in BGP router mode for the AS.

    awplus(config-router)# neighbor 45.45.45.46 prefix-list list1 in

4. Shut down the neighbor, and then bring it up again.

    awplus(config-router)# neighbor 45.45.45.46 shutdown
    awplus(config-router)# neighbor 45.45.45.46 no shutdown

5. Check that the IP route table now contains one of the routes learnt from that neighbor, but not the other.

5. Check that the IP route table now contains only the other route from the neighbor.

    awplus(config-router)# do show ip route
    Codes: C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           * - candidate default

    C    45.45.45.0/24 is directly connected, vlan1
    B    52.0.0.0/8 [20/0] via 45.45.45.46, vlan1, 00:26:45
    C    64.0.0.

BGP: Configuring Route Maps

Route maps are very powerful and flexible entities. Therefore, configuring them is, by necessity, relatively complex. This section of the document explains route maps piece by piece, to build up a full understanding of how all the parts fit together.

Clauses

There are two types of clauses that can be present in a route map entry:

- match clauses, which specify attributes or prefixes to match on
- set clauses, which specify the changes to be made to attribute values

A given route map entry can never have more than one match clause, but it can have multiple set clauses.

Configuring a match clause

When you configure a match clause, you can match on one of the attributes listed in the following sections.

Case 1:

    awplus(config)# ip as-path access-list example deny ^$
    awplus(config)# ip as-path access-list example permit 15557
    awplus(config)# router bgp 100
    awplus(config-router)# neighbor 192.168.200.

Expanded lists use regular expressions to specify the communities. They can be identified by a number, or by the word expanded, and are created by using any of the following commands:

    awplus(config)# ip community-list <100-199> {deny|permit}
    awplus(config)# ip community-list expanded {deny|permit}

You can have multiple entries in a community list. Entries are unnumbered, so each new entry gets added at the end of the list.

Once you have made the ACL, apply it to the match clause of a route map entry by using the command:

    awplus(config-route-map)# match ip address

A next hop address

You can use either a prefix list or an ACL to specify a next hop address.

Community

Community set clauses give you a lot of control over the community values in updates.

Atomic aggregate

This adds the atomic aggregate attribute to the update. Use the command:

    set atomic-aggregate

Extended community

This specifies a value to set as the Extended Community attribute in the update message. Use the command:

    set extcommunity {rt|soo}

The rt parameter configures a route target extended community. This consists of routers that will receive matching routes. The soo parameter configures a site-of-origin extended community.

The effect of different combinations of clauses

A map entry could consist of:

- one match clause with an action, or
- no match clause and one or more set clauses, or
- one match clause and one or more set clauses

Let us consider each entry type in turn.

One match clause with an action

The effect of an entry that contains a match, but no sets, will be to apply the specified action to all update messages that match the entry. The action can be either permit or deny.

Particular mention, though, has to be made of the case where the match clause specifies prefix list or ACL as the match criterion, and the route map is being applied to outgoing route updates. The intention of such an entry would be that the attribute values specified in the set clauses be applied to only those routes that are contained in the prefix list or ACL specified in the match clause.
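
How the entry types combine can be traced with a small model. The following Python code is an added example, not code from this guide or from AlliedWare Plus. It evaluates one route at a time against entries in sequence order, and assumes that an entry without a match clause matches every route and that a route matching no entry hits the implicit deny-all at the end of the route map; the community value and the sample routes are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Entry:
    seq: int
    action: str                         # "permit" or "deny"
    match: Optional[Callable] = None    # at most one match clause per entry
    sets: dict = field(default_factory=dict)  # zero or more set clauses


def in_prefix_list(prefixes):
    return lambda route: route["prefix"] in prefixes


def has_community(value):
    return lambda route: value in route["communities"]


def apply_route_map(entries, route):
    """Return (verdict, resulting_route, deciding_entry) for one route."""
    for entry in sorted(entries, key=lambda e: e.seq):
        # Assumption: an entry without a match clause matches every route.
        if entry.match is None or entry.match(route):
            if entry.action == "deny":
                return ("deny", None, entry.seq)
            # In this model, set clauses take effect only on a matching permit entry.
            return ("permit", {**route, **entry.sets}, entry.seq)
    return ("deny", None, "implicit")   # implicit deny-all at the end


# Example A in this guide: permit 52.0.0.0/8 and set its metric to 665.
TEST1 = [Entry(1, "permit", in_prefix_list({"52.0.0.0/8"}), {"metric": 665})]

# Route map "com" from the examples: a deny entry matching a community list,
# then a permit entry matching prefix list test1. "100:1" is a constructed
# community value, not one from the guide.
COM = [Entry(1, "deny", has_community("100:1")),
       Entry(2, "permit", in_prefix_list({"52.0.0.0/8"}))]

# Constructed sample routes.
TAGGED = {"prefix": "52.0.0.0/8", "metric": 0, "communities": ("100:1",)}
PLAIN = {"prefix": "52.0.0.0/8", "metric": 0, "communities": ()}
OTHER = {"prefix": "45.0.0.0/8", "metric": 0, "communities": ()}

if __name__ == "__main__":
    for name, rmap in (("test1", TEST1), ("com", COM)):
        for route in (TAGGED, PLAIN, OTHER):
            print(name, route["prefix"], apply_route_map(rmap, route))
```

The third element of each result separates a route dropped by an explicit deny entry from one dropped by the implicit deny-all, which is the distinction to check when a permitted prefix unexpectedly goes missing.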

BGP: Applying Distribute, Path, Prefix, and Route Map Filters to a Peer

Distribute filters, path filters, prefix filters, and route maps can all be applied to a BGP peer configuration for both incoming and outgoing updates. However, you cannot combine distribute filters (ACLs) and prefix filters. First, enter BGP router mode for the AS.

Examples

Example A

A route map that matches on a prefix-list and sets the route metrics

1. Create a prefix list that matches just 52.0.0.0/8

    awplus(config)# ip prefix-list test1 permit 52.0.0.0/8

2. Then, create a route map to match on this prefix-list, and set the metric of matching routes to 665:

    awplus(config)# route-map test1 permit 1
    awplus(config-route-map)# match ip address prefix-list test1
    awplus(config-route-map)# set metric 665

3.

    Codes: C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           * - candidate default

    B    45.0.0.0/8 [20/665] via 45.45.45.46, vlan1, 00:00:02
    C    45.45.45.0/24 is directly connected, vlan1
    C    64.0.0.0/4 is directly connected, vlan64

Example C

Match on a community list, and apply to a deny entry of a route map

1.

Example D

Matching on a next-hop prefix-list

1. Create a prefix-list that matches on the neighbor's IP address:

    awplus(config)# ip prefix-list nh-test permit 45.45.45.46/32

2. Create a route map with a permit entry that matches on this prefix-list as a next-hop:

    awplus(config)# route-map nh-test permit 1
    awplus(config-route-map)# match ip next-hop prefix-list nh-test

3. Apply this route map as the in route map on the neighbor:

    awplus(config)# router bgp 34567
    awplus(config-router)# neighbor 45.45.45.

    BGP route table
    Flags: >=Best route for the given prefix, *=Unreachable next hop, W=Withdrawn
           m=Community, a=Aggregate route, s=Aggregate Suppressed, D=Damped
    Learned from: L=Local, e=eBGP Peer, i=iBGP Peer, c=Confederate Peer
    --------------------------------------------------------------------
    Fl Prefix Next hop Origin MED Local pref Path Originator Cluster List
    --------------------------------------------------------------------
    > 64.0.0.0/4 45.45.45.

4. Set the prefix-list to be the match criterion on a permit entry in the route map:

    route-map com permit 2
     match ip address prefix-list test1

If the route 52.0.0.0/8 is dropped by this route map, we can be sure that it was dropped by the first deny entry, and not by the implicit deny-all entry at the end of the route map.

5. Apply this route map as the incoming filter for the neighbor 45.45.45.46:

    neighbor 45.45.45.46 route-map com in

6.

    add ip routem=mixed entry=1 match prefixlist=com
    add ip routem=mixed entry=1 set com=89:89
    add ip routem=mixed entry=2 match prefixlist=as
    add ip routem=mixed entry=2 set aspath=34599
    set bgp peer=45.45.45.45 outroutemap=mixed sendcommunity=yes

When the route 156.23.4.144/28 is checked on the AlliedWare Plus switch, its ASPath contains 34599.

    BGP#show ip bgp 156.23.4.144/28
    BGP routing table entry for 156.23.4.

With this combination, neither 156.23.4.32/27 nor 156.34.4.144/28 appears in the IP route table. The route 156.23.4.32/27 is dropped by the route map filter, and the route 156.34.4.144/28 is dropped by the ASPath-list filter.

    BGP#show ip route
    Codes: C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           * - candidate default

    B    45.0.0.0/8 [20/0] via 45.

Example I

Using an ACL-match in a route map to update just a single route out of an update

1. Configure static routes on the AW+ switch.

    BGP(config)# ip route 192.34.23.0/26 64.93.23.1
    BGP(config)# ip route 192.34.23.32/29 64.193.54.1
    BGP(config)# ip route 192.34.23.192/27 64.12.89.1

2. Configure BGP to redistribute static routes.

    router bgp 34567
     redistribute connected
     redistribute static
     neighbor 45.45.45.46 remote-as 34568

3. Create an ACL that matches just one of these routes.

    BGP route table
    Flags: >=Best route for the given prefix, *=Unreachable next hop, W=Withdrawn
           m=Community, a=Aggregate route, s=Aggregate Suppressed, D=Damped
    Learned from: L=Local, e=eBGP Peer, i=iBGP Peer, c=Confederate Peer
    --------------------------------------------------------------------
    Fl Prefix Next hop Origin MED Local pref Path Originator Cluster List
    --------------------------------------------------------------------
    > 45.0.0.0/8 0.0.0.0 IGP 100 EMPTY L
    > 45.45.45.0/24 45.45.45.

Ways to use lists in IP route filtering for BGP, with generic command examples

ACLs

    access-list 1 deny x.x.x.x 0.0.0.255
    bgp neighbor x.x.x.x distribute-list 1 in

Path filters

    ip as-path access-list ...
     ... permit
     ... deny
     ... permit
    bgp neighbor x.x.x.x filter-list in

    ip as-path access-list ...
     ... permit
     ... deny
    bgp neighbor x.x.x.x filter-list out

    ip prefix-list ...
     ... permit x.x.x.x/24
     ... deny x.x.x.

BGP: Applying Route Maps to Imported Routes

The switch is able to import routes into BGP that it learnt by non-BGP means. In other words, the routes would be static routes, or routes learnt by OSPF or RIP. You can apply a route map to this importation process so that the imported routes are given certain attributes, or so that certain routes are blocked from being imported.

Other Uses of Route Maps

Route maps are used in some contexts other than filtering routes. Let us look briefly at some of the other contexts in which they are used.

neighbor default-originate

The command neighbor default-originate instructs BGP to send a default route to a neighbor. This command includes a parameter for specifying a route map. The route map parameter specifies criteria that must be fulfilled before the switch will advertise the default route to the neighbor.

BGP: Route Map Filtering Example

Here is an example of a set of route maps.

BGP configuration

First, we need to set the router's ASN and the ASN of the peer.

    router bgp 3816
     neighbor 172.26.1.1 remote-as 15557

Neighbors are enabled by default.

Route map configuration

Next, we want to limit the routes that we accept from this peer. We will accept the default route from any community, but will only accept any other updates from community 15557.

     set local-preference 9000
    route-map outdef permit 3
     match ip address prefix-list plist4
     set as-path prepend 64751 1827
     set community no-export additive
     set local-preference 9000
    route-map outdef permit 4
    router bgp 3816
     neighbor 172.26.1.1 route-map outdef out

Finally, we want to import the host-specific prefix 192.168.200.200/32 into BGP, and set a community value on that entry.

    route-map netspec permit 1
     set community 8888:8888 9999:9999
    router bgp 3816
     network 192.

OSPF: Configuring Route Maps for Filtering and Modifying OSPF Routes

For information about route maps and their structure, see "Structure of a route map" on page 26. Route maps can be applied to OSPF routes as well as BGP routes. Of course, the route maps that can be used with OSPF are rather limited in comparison with those that are used with BGP, as OSPF route updates do not carry attributes in the way that BGP route updates do.

External route type

The entry will match all routes of either Type 1 External or Type 2 External. To match a route type, use the command:

    match external {type-1|type-2}

A prefix, by using a prefix list

The entry will match one or more route prefixes. For information about creating a prefix list, see "About prefix lists" on page 22.

Metric

This changes the route metric. You can:

- Set the metric, by using the command:

    set metric <0-4294967295>

- Increase or decrease the metric by a specified amount, by using one of the commands:

    set metric +
    set metric -

For example, to increase the metric by 2, use the command:

    set metric +2

Next hop

This specifies the next hop for matching routes. Use the command:

    set ip next-hop

Type

This sets the route type to either Type 1 External or Type 2 External.