BGP: Route filter with ip prefix-list

AS65200 is added to the network diagram.

Using the same network diagram, I want the 10.20.0.0 prefixes to be filtered from advertisement by the border iBGP routers (r1 and r3). A prefix-list is a more granular filtering method than an ACL applied with distribute-list.

Hide r2 prefixes from r5
This has to be done at r3, as that is the router doing the eBGP peering to r5.

Step 1: Group the prefixes to be filtered. A prefix-list, like an ACL, ends with an implicit deny statement.


r3#sh run | s ip prefix-list
ip prefix-list r2-prefix seq 5 deny 10.20.0.0/16 ge 22 le 24
ip prefix-list r2-prefix seq 10 permit 0.0.0.0/0 le 32
r3#

The first statement matches prefixes inside 10.20.0.0/16 and then compares their prefix length: if the length is between 22 and 24 bits, the prefix is denied. Examples of prefixes denied by this statement:
10.20.4.0/22, 10.20.8.0/24, 10.20.8.0/22, 10.20.12.0/24, 10.20.2.0/23, 10.20.4.0/23

The last statement is the equivalent of permit any in a standard ACL.

Step 2: Apply the prefix-list to the neighbor statement of the peer.


r3#sh run | s router bgp
router bgp 65000
 no synchronization
 bgp router-id 33.33.33.33
 bgp log-neighbor-changes
 network 192.168.0.4 mask 255.255.255.252
 network 192.168.0.8 mask 255.255.255.252
 network 192.168.0.16 mask 255.255.255.252
 neighbor 192.168.0.1 remote-as 65000
 neighbor 192.168.0.2 remote-as 65000
 neighbor 192.168.0.5 remote-as 65000
 neighbor 192.168.0.9 remote-as 65000
 neighbor 192.168.0.18 remote-as 65200
 neighbor 192.168.0.18 prefix-list r2-prefix out
 no auto-summary
r3#

r5's routing table does not have r2's 10.20.0.0 subnets:

r5#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      10.0.0.0/30 is subnetted, 3 subnets
B        10.0.0.0 [20/0] via 192.168.0.17, 00:00:02
B        10.0.0.4 [20/0] via 192.168.0.17, 00:00:02
B        10.0.0.8 [20/0] via 192.168.0.17, 00:00:02
      172.17.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.17.1.0/28 is directly connected, Loopback1
L        172.17.1.1/32 is directly connected, Loopback1
C        172.17.1.16/28 is directly connected, Loopback2
L        172.17.1.17/32 is directly connected, Loopback2
C        172.17.1.32/28 is directly connected, Loopback3
L        172.17.1.33/32 is directly connected, Loopback3
      192.168.0.0/24 is variably subnetted, 5 subnets, 2 masks
B        192.168.0.0/30 [20/0] via 192.168.0.17, 00:00:33
B        192.168.0.4/30 [20/0] via 192.168.0.17, 00:00:33
B        192.168.0.12/30 [20/0] via 192.168.0.17, 00:00:33
C        192.168.0.16/30 is directly connected, FastEthernet0/0
L        192.168.0.18/32 is directly connected, FastEthernet0/0
r5#

Prefix advertisement and filtering

I have added a new loopback4 interface to r2 with the IP address 10.20.4.1/24, so the 10.20.4.0/24 prefix is now advertised by r2. I want r5 to receive this new 10.20.4.0/24 advertisement but not 10.20.0.0/24, 10.20.1.0/24 or 10.20.2.0/24.

At r3 I changed the prefix-list statement at sequence number 5:

r3(config)#do sh run | s ip prefix-list
ip prefix-list r2-prefix seq 5 deny 10.20.0.0/22 le 24
ip prefix-list r2-prefix seq 10 permit 0.0.0.0/0 le 32
r3(config)#

The statement at seq 5 hides the prefixes 10.20.0.0/24, 10.20.1.0/24, 10.20.2.0/24 and 10.20.3.0/24 but allows 10.20.4.0/24 to be advertised.

This is the routing table of r5 after the prefix-list statement change:

r5#sh ip route bgp | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B        10.0.0.0/30 [20/0] via 192.168.0.17, 00:13:46
B        10.0.0.4/30 [20/0] via 192.168.0.17, 00:13:46
B        10.0.0.8/30 [20/0] via 192.168.0.17, 00:13:46
B        10.20.4.0/24 [20/0] via 192.168.0.17, 00:11:36
      192.168.0.0/24 is variably subnetted, 5 subnets, 2 masks
B        192.168.0.0/30 [20/0] via 192.168.0.17, 00:14:17
B        192.168.0.4/30 [20/0] via 192.168.0.17, 00:14:17
B        192.168.0.12/30 [20/0] via 192.168.0.17, 00:14:17
r5#

r5#ping 10.20.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r5#

I want r4 to receive 10.20.0.0/24 and 10.20.1.0/24 from r2 but not the 10.20.2.0/24 and 10.20.4.0/24 prefixes.
At r1 I configured:

r1#sh run | s ip prefix-list
ip prefix-list r2-prefix seq 5 deny 10.20.2.0/23 le 24
ip prefix-list r2-prefix seq 10 deny 10.20.4.0/23 le 24
ip prefix-list r2-prefix seq 15 permit 0.0.0.0/0 le 32
r1#sh run | s router bgp
router bgp 65000
 no synchronization
 bgp router-id 11.11.11.11
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.255.252
 network 192.168.0.4 mask 255.255.255.252
 network 192.168.0.12 mask 255.255.255.252
 neighbor 192.168.0.2 remote-as 65000
 neighbor 192.168.0.2 next-hop-self
 neighbor 192.168.0.6 remote-as 65000
 neighbor 192.168.0.9 remote-as 65000
 neighbor 192.168.0.10 remote-as 65000
 neighbor 192.168.0.14 remote-as 65100
 neighbor 192.168.0.14 prefix-list r2-prefix out
 no auto-summary
r1#
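The matching rules behind all three prefix-lists on this page (the ge/le list from Step 1, the changed seq 5 entry on r3, and the two deny entries on r1) can be checked offline. The script below is an added example, not code from the original post or from Cisco: it re-implements the two checks an IOS prefix-list entry applies to a candidate route (the candidate must lie inside the entry's network, and its own prefix length must fall in the ge/le range, with the IOS defaults when ge or le is omitted), walks the entries in seq order, and falls through to the implicit deny. The entry strings are copied from the page; the candidate prefixes and the `DEFAULT_ONLY` list are constructed here to show the edge cases, including why `permit 0.0.0.0/0` without `le 32` is not a "permit any".

```python
"""Model of Cisco IOS 'ip prefix-list' matching, added here as a worked example.

Not code from the original post. It re-implements the two rules a prefix-list
entry applies to a candidate route so the lists on this page can be checked
offline against constructed candidate prefixes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network    # address/len as typed in the entry
    ge: Optional[int] = None          # minimum candidate prefix length
    le: Optional[int] = None          # maximum candidate prefix length

    def matches(self, candidate: ipaddress.IPv4Network) -> bool:
        # Rule 1: the candidate's first <len> bits must equal the entry's
        # network bits, i.e. the candidate must lie inside the entry's block.
        if not candidate.subnet_of(self.network):
            return False
        # Rule 2: the candidate's own prefix length must fall in the range.
        # Neither ge nor le: exact length only. ge alone: ge..32.
        # le alone: <len>..le. Both: ge..le.
        low = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = 32 if self.ge is not None else self.network.prefixlen
        return low <= candidate.prefixlen <= high


def parse_entry(line: str) -> PrefixListEntry:
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]'."""
    tok = line.split()
    if tok[:2] != ["ip", "prefix-list"] or "seq" not in tok:
        raise ValueError(f"not a prefix-list entry: {line!r}")
    i = tok.index("seq")
    seq, action, network = int(tok[i + 1]), tok[i + 2], tok[i + 3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    ge = int(tok[tok.index("ge") + 1]) if "ge" in tok else None
    le = int(tok[tok.index("le") + 1]) if "le" in tok else None
    return PrefixListEntry(seq, action, ipaddress.IPv4Network(network), ge, le)


def evaluate(entries: Iterable[PrefixListEntry],
             candidate: str) -> Tuple[str, Optional[int]]:
    """First matching entry (by seq) wins; no match is the implicit deny."""
    net = ipaddress.IPv4Network(candidate)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(net):
            return entry.action, entry.seq
    return "deny", None


def filter_prefixes(config_lines: List[str],
                    candidates: Iterable[str]) -> Dict[str, str]:
    """Map each candidate prefix to the action the prefix-list takes on it."""
    entries = [parse_entry(line) for line in config_lines]
    return {c: evaluate(entries, c)[0] for c in candidates}


# The three prefix-lists shown on this page, copied verbatim.
R3_FIRST = [
    "ip prefix-list r2-prefix seq 5 deny 10.20.0.0/16 ge 22 le 24",
    "ip prefix-list r2-prefix seq 10 permit 0.0.0.0/0 le 32",
]
R3_SECOND = [
    "ip prefix-list r2-prefix seq 5 deny 10.20.0.0/22 le 24",
    "ip prefix-list r2-prefix seq 10 permit 0.0.0.0/0 le 32",
]
R1 = [
    "ip prefix-list r2-prefix seq 5 deny 10.20.2.0/23 le 24",
    "ip prefix-list r2-prefix seq 10 deny 10.20.4.0/23 le 24",
    "ip prefix-list r2-prefix seq 15 permit 0.0.0.0/0 le 32",
]
# Constructed pitfall: without 'le 32' this matches only the default route.
DEFAULT_ONLY = ["ip prefix-list bad seq 5 permit 0.0.0.0/0"]

# Constructed candidates: the page's /24s plus edge cases around them.
CANDIDATES = ["10.20.0.0/16", "10.20.0.0/22", "10.20.0.0/24", "10.20.1.0/24",
              "10.20.2.0/24", "10.20.3.0/24", "10.20.4.0/24", "10.20.5.0/24",
              "10.20.6.0/24", "10.20.8.0/22", "10.20.0.0/25", "0.0.0.0/0"]

if __name__ == "__main__":
    for name, cfg in [("r3 first", R3_FIRST), ("r3 second", R3_SECOND),
                      ("r1", R1), ("permit 0.0.0.0/0 only", DEFAULT_ONLY)]:
        print(f"--- {name}")
        for prefix, action in filter_prefixes(cfg, CANDIDATES).items():
            print(f"{prefix:>16}  {action}")
```

Running it shows the first r3 list denying 10.20.0.0/22 but letting 10.20.0.0/16 and 10.20.0.0/25 through (their lengths fall outside ge 22 le 24), the second r3 list denying exactly 10.20.0.0/24 through 10.20.3.0/24, and the r1 list also catching 10.20.3.0/24 and 10.20.5.0/24, which the /23 entries cover even though the text only names the /24s it set out to hide.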

r4's routing table after route filtering at r1:

r4#sh ip route bgp | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
B        10.20.0.0/24 [20/0] via 192.168.0.13, 03:52:21
B        10.20.1.0/24 [20/0] via 192.168.0.13, 03:52:21
      172.17.0.0/28 is subnetted, 3 subnets
B        172.17.1.0 [20/0] via 192.168.0.13, 00:31:29
B        172.17.1.16 [20/0] via 192.168.0.13, 00:31:29
B        172.17.1.32 [20/0] via 192.168.0.13, 00:31:29
      192.168.0.0/24 is variably subnetted, 5 subnets, 2 masks
B        192.168.0.0/30 [20/0] via 192.168.0.13, 03:59:46
B        192.168.0.4/30 [20/0] via 192.168.0.13, 03:59:46
B        192.168.0.16/30 [20/0] via 192.168.0.13, 00:31:59
r4#