
Using the same network diagram, I want prefix 10.20.0.0 to be filtered from advertisement by the border iBGP routers (r1 and r3). Using a prefix-list is a more granular method than using an ACL with distribute-list.
Hide r2 prefixes from r5
This has to be done at r3, as this is the router that holds the eBGP peering to r5.
Step 1: Group the prefixes to be filtered. A prefix-list, like an ACL, ends with an implicit deny statement.
r3#sh run | s ip prefix-list
ip prefix-list r2-prefix seq 5 deny 10.20.0.0/16 ge 22 le 24
ip prefix-list r2-prefix seq 10 permit 0.0.0.0/0 le 32
r3#
The first statement matches prefixes whose first 16 bits are 10.20.0.0 and then compares the prefix length. If the length is between 22 and 24 bits, the prefix is denied. Examples of prefixes denied by this statement:
10.20.4.0/22, 10.20.8.0/24, 10.20.8.0/22, 10.20.12.0/24, 10.20.2.0/23, 10.20.4.0/23
The last statement is the equivalent of permit any in a standard ACL.
Step 2: Apply the prefix-list to the peering neighbour statement.
r3#sh run | s router bgp
router bgp 65000
 no synchronization
 bgp router-id 33.33.33.33
 bgp log-neighbor-changes
 network 192.168.0.4 mask 255.255.255.252
 network 192.168.0.8 mask 255.255.255.252
 network 192.168.0.16 mask 255.255.255.252
 neighbor 192.168.0.1 remote-as 65000
 neighbor 192.168.0.2 remote-as 65000
 neighbor 192.168.0.5 remote-as 65000
 neighbor 192.168.0.9 remote-as 65000
 neighbor 192.168.0.18 remote-as 65200
 neighbor 192.168.0.18 prefix-list r2-prefix out
 no auto-summary
r3#
r5's routing table no longer contains r2's 10.20.0.0 subnets:
r5#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      10.0.0.0/30 is subnetted, 3 subnets
B        10.0.0.0 [20/0] via 192.168.0.17, 00:00:02
B        10.0.0.4 [20/0] via 192.168.0.17, 00:00:02
B        10.0.0.8 [20/0] via 192.168.0.17, 00:00:02
      172.17.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.17.1.0/28 is directly connected, Loopback1
L        172.17.1.1/32 is directly connected, Loopback1
C        172.17.1.16/28 is directly connected, Loopback2
L        172.17.1.17/32 is directly connected, Loopback2
C        172.17.1.32/28 is directly connected, Loopback3
L        172.17.1.33/32 is directly connected, Loopback3
      192.168.0.0/24 is variably subnetted, 5 subnets, 2 masks
B        192.168.0.0/30 [20/0] via 192.168.0.17, 00:00:33
B        192.168.0.4/30 [20/0] via 192.168.0.17, 00:00:33
B        192.168.0.12/30 [20/0] via 192.168.0.17, 00:00:33
C        192.168.0.16/30 is directly connected, FastEthernet0/0
L        192.168.0.18/32 is directly connected, FastEthernet0/0
r5#
Prefix advertisement and filtering
I have added a new Loopback4 interface to r2 whose IP address is 10.20.4.1/24. The 10.20.4.0/24 prefix is advertised by r2. I want r5 to receive this new 10.20.4.0/24 advertisement but to hide 10.20.0.0/24, 10.20.1.0/24 and 10.20.2.0/24.
At r3 I changed the prefix-list statement at sequence number 5:
r3(config)#do sh run | s ip prefix-list
ip prefix-list r2-prefix seq 5 deny 10.20.0.0/22 le 24
ip prefix-list r2-prefix seq 10 permit 0.0.0.0/0 le 32
r3(config)#
The statement at seq 5 hides prefixes 10.20.0.0/24, 10.20.1.0/24, 10.20.2.0/24 and 10.20.3.0/24 (every prefix inside 10.20.0.0/22 with a length of /22 to /24) but allows 10.20.4.0/24 to be advertised.
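To make the matching rule behind the two r3 prefix-lists and the r1 list concrete, here is an added example (my own code, not the original post's or Cisco's) that models how an IOS ip prefix-list entry matches a route: the first N bits of the entry must match, and the route's length must fall in the range given by ge/le (or equal N exactly when neither is given), with an implicit deny when no entry matches. The prefix-list text and r2's routes are taken from the post; IPv4 only.

```python
# Added example, not part of the original post: a small model of how Cisco
# IOS ip prefix-list entries match a route, so the filters above can be
# checked against the prefixes the post lists (IPv4 only, ge/le supported).
import ipaddress

def parse_entry(line):
    """Parse 'seq 5 deny 10.20.0.0/16 ge 22 le 24' into its parts."""
    tok = line.split()
    seq, action = int(tok[1]), tok[2]
    net = ipaddress.ip_network(tok[3], strict=False)
    opts = dict(zip(tok[4::2], map(int, tok[5::2])))   # e.g. {'ge': 22, 'le': 24}
    # Without ge/le the route length must equal the entry's own length exactly;
    # 'ge' alone means "ge .. 32", 'le' alone means "N .. le".
    lo = opts.get("ge", net.prefixlen)
    hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
    return seq, action, net, lo, hi

def entry_matches(entry, prefix):
    """True when the first N bits match and the length falls in [lo, hi]."""
    _, _, net, lo, hi = entry
    p = ipaddress.ip_network(prefix, strict=False)
    return p.version == net.version and p.subnet_of(net) and lo <= p.prefixlen <= hi

def evaluate(entries, prefix):
    """Return the action of the first matching entry, else the implicit deny."""
    for entry in sorted(map(parse_entry, entries), key=lambda e: e[0]):
        if entry_matches(entry, prefix):
            return entry[1]
    return "deny"

def advertise(entries, prefixes):
    """Model 'neighbor X prefix-list NAME out': keep only what the list permits."""
    return [p for p in prefixes if evaluate(entries, p) == "permit"]

# The prefix lists shown in the post (first r3 version, changed r3 version, r1).
R3_V1 = ["seq 5 deny 10.20.0.0/16 ge 22 le 24", "seq 10 permit 0.0.0.0/0 le 32"]
R3_V2 = ["seq 5 deny 10.20.0.0/22 le 24", "seq 10 permit 0.0.0.0/0 le 32"]
R1 = ["seq 5 deny 10.20.2.0/23 le 24", "seq 10 deny 10.20.4.0/23 le 24",
      "seq 15 permit 0.0.0.0/0 le 32"]

if __name__ == "__main__":
    r2_routes = ["10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24", "10.20.4.0/24"]
    print("r3 -> r5:", advertise(R3_V2, r2_routes))   # only 10.20.4.0/24
    print("r1 -> r4:", advertise(R1, r2_routes))      # 10.20.0.0/24, 10.20.1.0/24
```

Note that an entry with neither ge nor le is an exact-length match, which is why a bare permit 10.20.4.0/24 would not let 10.20.4.0/25 through.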
This is the routing table of r5 after the prefix-list statement change:
r5#sh ip route bgp | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B        10.0.0.0/30 [20/0] via 192.168.0.17, 00:13:46
B        10.0.0.4/30 [20/0] via 192.168.0.17, 00:13:46
B        10.0.0.8/30 [20/0] via 192.168.0.17, 00:13:46
B        10.20.4.0/24 [20/0] via 192.168.0.17, 00:11:36
      192.168.0.0/24 is variably subnetted, 5 subnets, 2 masks
B        192.168.0.0/30 [20/0] via 192.168.0.17, 00:14:17
B        192.168.0.4/30 [20/0] via 192.168.0.17, 00:14:17
B        192.168.0.12/30 [20/0] via 192.168.0.17, 00:14:17
r5#
r5#ping 10.20.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r5#
I want r4 to receive 10.20.0.0/24 and 10.20.1.0/24 from r2 but to hide the 10.20.2.0/24 and 10.20.4.0/24 prefixes.
At r1 I configured:
r1#sh run | s ip prefix-list
ip prefix-list r2-prefix seq 5 deny 10.20.2.0/23 le 24
ip prefix-list r2-prefix seq 10 deny 10.20.4.0/23 le 24
ip prefix-list r2-prefix seq 15 permit 0.0.0.0/0 le 32
r1#sh run | s router bgp
router bgp 65000
 no synchronization
 bgp router-id 11.11.11.11
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.255.252
 network 192.168.0.4 mask 255.255.255.252
 network 192.168.0.12 mask 255.255.255.252
 neighbor 192.168.0.2 remote-as 65000
 neighbor 192.168.0.2 next-hop-self
 neighbor 192.168.0.6 remote-as 65000
 neighbor 192.168.0.9 remote-as 65000
 neighbor 192.168.0.10 remote-as 65000
 neighbor 192.168.0.14 remote-as 65100
 neighbor 192.168.0.14 prefix-list r2-prefix out
 no auto-summary
r1#
r4's routing table after route filtering at r1:
r4#sh ip route bgp | beg Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
B        10.20.0.0/24 [20/0] via 192.168.0.13, 03:52:21
B        10.20.1.0/24 [20/0] via 192.168.0.13, 03:52:21
      172.17.0.0/28 is subnetted, 3 subnets
B        172.17.1.0 [20/0] via 192.168.0.13, 00:31:29
B        172.17.1.16 [20/0] via 192.168.0.13, 00:31:29
B        172.17.1.32 [20/0] via 192.168.0.13, 00:31:29
      192.168.0.0/24 is variably subnetted, 5 subnets, 2 masks
B        192.168.0.0/30 [20/0] via 192.168.0.13, 03:59:46
B        192.168.0.4/30 [20/0] via 192.168.0.13, 03:59:46
B        192.168.0.16/30 [20/0] via 192.168.0.13, 00:31:59
r4#