BGP Filtering

Uploaded by

Riyaz Admin

Filtering:

o Route filters are applied when exchanging routing updates, to accept or deny individual updates.
o In dynamic routing protocols, filters control which routes are sent from one router to another.
o Filtering is used to manipulate traffic flows, reduce memory utilization, or improve security.
o Routes received into a router can be filtered as well; several mechanisms can be configured to do so.
o These are Access Control Lists (ACLs), Distribute Lists, Prefix Lists and Route Maps.

ACLs:
o For route filtering, Access Control Lists (ACLs) are used differently from their normal packet-filtering role.
o The ACL specifies which routes to allow and which routes to filter.
o The same ACL is referenced in different ways by the different filtering mechanisms.
o When filtering routes, the ACL is not denying or permitting traffic to or from a network.
o Instead, the ACL permits or denies a route from being advertised or learned.

Distribute Lists:
o A Distribute-List controls routing updates either coming into or leaving a router.
o It is used for route filtering, that is, to permit or block routes from being advertised or received.
o The Distribute-List itself does not block or permit any route; it references an Access-List or a Prefix-List.
o Action is taken based on whatever is specified in that Access-List or Prefix-List.
o So a Distribute-List is the mechanism that applies a filter to the routing updates entering or leaving the router.
o On a Cisco router a Distribute List is applied in one of two directions, in or out.
o The distribute-list command is entered in router configuration mode.
o With BGP, access-lists, prefix-lists and route-maps are all options of a distribute list.
1. First, decide which routes you want to filter and in which direction (in or out).
2. Create an Access Control List (ACL) in global configuration mode that matches those routes.
3. Create a Distribute-List that references the ACL and defines the direction.
4. Finally, verify that the route you wanted to filter has been removed from the routing table.
Prefix List:
o A prefix list is similar to an Access List in that it is used to match a route prefix.
o However, processing is much faster than an ACL and it provides more flexibility for filtering.
o Just like Access Control Lists, there is an implicit "deny any" at the end of a prefix-list.
o A prefix-list is used only to filter routes; it is applied in routing protocols, not to packets.
o The main difference between an Access-List and a Prefix-List is that an Access-List matches only the bits
  specified by the wildcard mask, while a Prefix-List also matches the subnet mask.
o A range of subnet mask lengths can be specified that must be matched for the route to be permitted or denied.

Route-Maps:
o Route-Maps can be used in Distribute Lists for the purpose of route filtering on the router.
o For filtering routes in BGP, use a route map that references an Access List or a Prefix List.
o When looking for matches on routes to filter, Route-Maps use the concept of sequence numbers.
o The sequence number is specified at the end of the route-map command.
o If no sequence number is specified, the default sequence number is 10.
o Route-Maps serve many purposes on routers, such as Policy-Based Routing (PBR) and route redistribution.
o On a Cisco router each route-map sequence has either a permit clause or a deny clause.
o The result for a route combines the route-map action with the result of the referenced ACL or Prefix-List:

Route-Map Action   ACL / Prefix-List   Result
Permit             Permit              Permit
Deny               Deny                Deny
Permit             Deny                Deny
Deny               Permit              Deny
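To make the matching rules of the three mechanisms concrete, here is an added example (not IOS code and not part of the original document) that models a standard ACL with wildcard masks, a prefix-list with the le/ge length range, and a route-map whose sequences reference an ACL, then runs the filters from the labs below against R2's five loopback prefixes. The route data, ACL entries and prefix-list entries are constructed to mirror the lab; the extra prefix 2.2.2.128/25 is an assumption added to show where an ACL and a prefix-list disagree.

```python
"""Offline model of the three IOS route-filter building blocks (standard ACL,
prefix-list, route-map). Added example: this is not IOS code. It reproduces
the matching rules so a filter's effect can be checked before it is applied
to a live neighbor. All data below is constructed from the lab topology."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# ---- Standard ACL: entries are (action, network, wildcard), first match wins
AclEntry = Tuple[str, str, str]


def acl_entry_matches(network: str, wildcard: str, route: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match. Only the route's network
    address is compared: a standard ACL never looks at the route's mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    want = int(ipaddress.IPv4Address(network)) & care
    have = int(ipaddress.ip_network(route, strict=False).network_address) & care
    return want == have


def acl_decide(entries: List[AclEntry], route: str) -> str:
    """'permit' or 'deny' from the first matching entry; implicit deny at the end."""
    for action, network, wildcard in entries:
        if acl_entry_matches(network, wildcard, route):
            return action
    return "deny"


# ---- Prefix-list: entries are (action, prefix, ge, le); ge/le None when absent
PrefixEntry = Tuple[str, str, Optional[int], Optional[int]]


def prefix_entry_matches(prefix: str, ge: Optional[int], le: Optional[int], route: str) -> bool:
    """The route's first <entry length> bits must equal the entry, and its mask
    length must fall in the allowed range: exact length when no ge/le is given,
    ge..32 with ge alone, entry-length..le with le alone, ge..le with both."""
    entry = ipaddress.ip_network(prefix, strict=False)
    rt = ipaddress.ip_network(route, strict=False)
    low = entry.prefixlen if ge is None else ge
    if le is not None:
        high = le
    elif ge is not None:
        high = 32
    else:
        high = entry.prefixlen
    return rt.network_address in entry and low <= rt.prefixlen <= high


def prefix_decide(entries: List[PrefixEntry], route: str) -> str:
    """First matching entry decides; implicit deny at the end."""
    for action, prefix, ge, le in entries:
        if prefix_entry_matches(prefix, ge, le, route):
            return action
    return "deny"


# ---- Route-map: sequences are (seq, action, acl_name or None)
def route_map_decide(sequences, acls: Dict[str, List[AclEntry]], route: str) -> str:
    """Sequences are tried in ascending order. A sequence with no match clause
    matches everything. A referenced ACL 'matches' only when it permits the
    route; an ACL deny means 'not this sequence, try the next'. If nothing
    matches the route is denied. This reproduces the permit/deny table above."""
    for _seq, action, acl_name in sorted(sequences, key=lambda s: s[0]):
        if acl_name is None or acl_decide(acls[acl_name], route) == "permit":
            return action
    return "deny"


def filter_routes(decide, routes: List[str]) -> List[str]:
    """Apply a decide(route) -> 'permit'/'deny' function and keep what survives."""
    return [r for r in routes if decide(r) == "permit"]


# ---- Constructed data mirroring the labs (R2's advertised loopbacks)
R2_ROUTES = ["2.2.2.0/24", "2.2.3.0/24", "2.2.4.0/24", "2.2.5.0/24", "2.2.6.0/24"]
LAB_ACL = {"1": [("deny", "2.2.2.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]}
LAB_PREFIX = [("deny", "2.2.2.0/24", None, None), ("permit", "0.0.0.0/0", None, 32)]
ROUTE_MAP_ACL = {"1": [("permit", "2.2.2.0", "0.0.0.255")]}   # ACL used by the route-map lab
LAB_ROUTE_MAP = [(10, "deny", "1"), (20, "permit", None)]

if __name__ == "__main__":
    print("distribute-list 1 in  :", filter_routes(lambda r: acl_decide(LAB_ACL["1"], r), R2_ROUTES))
    print("prefix-list test in   :", filter_routes(lambda r: prefix_decide(LAB_PREFIX, r), R2_ROUTES))
    print("route-map test in     :", filter_routes(lambda r: route_map_decide(LAB_ROUTE_MAP, ROUTE_MAP_ACL, r), R2_ROUTES))
    # Assumed more-specific prefix: the ACL ignores the mask and still denies it,
    # the prefix-list (exact /24 in the deny entry) lets it through.
    print("ACL on 2.2.2.128/25   :", acl_decide(LAB_ACL["1"], "2.2.2.128/25"))
    print("prefix on 2.2.2.128/25:", prefix_decide(LAB_PREFIX, "2.2.2.128/25"))
```

The last two lines are the practical point of the Prefix List section: a deny written as an ACL with wildcard 0.0.0.255 drops every route whose network address falls in 2.2.2.0/24 regardless of mask, whereas the prefix-list entry `deny 2.2.2.0/24` without le/ge matches only the exact /24. When the intent is to block the whole block and anything more specific, the prefix-list needs an explicit le 32.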

R1 Basic Configuration
R1(config)# interface fastEthernet0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown
R2 Basic Configuration
R2(config)# interface fastEthernet0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R1 Loopback Configuration
R1(config)# interface loopback 1
R1(config-if)# ip address 1.1.1.1 255.255.255.0
R1(config)# interface loopback 2
R1(config-if)# ip address 1.1.2.1 255.255.255.0
R1(config)# interface loopback 3
R1(config-if)# ip address 1.1.3.1 255.255.255.0
R1(config)# interface loopback 4
R1(config-if)# ip address 1.1.4.1 255.255.255.0
R1(config)# interface loopback 5
R1(config-if)# ip address 1.1.5.1 255.255.255.0
R1(config)# interface loopback 6
R1(config-if)# ip address 1.1.6.1 255.255.255.0

R2 Loopback Configuration
R2(config)# interface loopback 2
R2(config-if)# ip address 2.2.2.2 255.255.255.0
R2(config)# interface loopback 3
R2(config-if)# ip address 2.2.3.2 255.255.255.0
R2(config)# interface loopback 4
R2(config-if)# ip address 2.2.4.2 255.255.255.0
R2(config)# interface loopback 5
R2(config-if)# ip address 2.2.5.2 255.255.255.0
R2(config)# interface loopback 6
R2(config-if)# ip address 2.2.6.2 255.255.255.0

R1 BGP Configuration
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 remote-as 2
R1(config-router)#network 1.1.1.0 mask 255.255.255.0
R1(config-router)#network 1.1.2.0 mask 255.255.255.0
R1(config-router)#network 1.1.3.0 mask 255.255.255.0
R1(config-router)#network 1.1.4.0 mask 255.255.255.0
R1(config-router)#network 1.1.5.0 mask 255.255.255.0
R1(config-router)#network 1.1.6.0 mask 255.255.255.0
R2 BGP Configuration
R2(config)#router bgp 2
R2(config-router)#neighbor 192.168.12.1 remote-as 1
R2(config-router)#network 2.2.2.0 mask 255.255.255.0
R2(config-router)#network 2.2.3.0 mask 255.255.255.0
R2(config-router)#network 2.2.4.0 mask 255.255.255.0
R2(config-router)#network 2.2.5.0 mask 255.255.255.0
R2(config-router)#network 2.2.6.0 mask 255.255.255.0
R2#show ip bgp neighbors 192.168.12.1 advertised-routes
Lab Time: Access List

Create an ACL to deny the 2.2.2.0 network

R1(config)#access-list 1 deny 2.2.2.0 0.0.0.255
R1(config)#access-list 1 permit any
Attach the ACL to BGP as an inbound distribute-list
R1(config)#router bgp 1
R1(config-router)#distribute-list 1 in
R1#debug ip bgp updates
R1#clear ip bgp *

The debug message clearly shows that the 2.2.2.0/24 network has been denied:
*Oct 30 14:34:02.475: BGP(0): 192.168.12.2 rcvd 2.2.2.0/24 -- DENIED due to: distribute/prefix-list;
Now check the BGP table: the 2.2.2.0/24 network is no longer present.
Lab Time: Prefix List

Create a Prefix List to deny the 2.2.2.0/24 network

R1(config)#ip prefix-list test deny 2.2.2.0/24
R1(config)#ip prefix-list test permit 0.0.0.0/0 le 32
R1(config)#router bgp 1
R1(config-router)#distribute-list prefix test in
R1#debug ip bgp updates
R1#clear ip bgp *

The debug message clearly shows that the 2.2.2.0/24 network has been denied:
*Oct 30 14:51:27.859: BGP(0): 192.168.12.2 rcvd 2.2.2.0/24 -- DENIED due to: distribute/prefix-list;

Now check the BGP table: the 2.2.2.0/24 network is no longer present.
Lab Time: Route-Map

Create an ACL that matches the 2.2.2.0 network (the route-map deny sequence will reference it)

R1(config)#access-list 1 permit 2.2.2.0 0.0.0.255
Attach the ACL to the Route Map (sequence 10 denies what the ACL matches, sequence 20 permits everything else)
R1(config)#route-map test deny 10
R1(config-route-map)#match ip address 1
R1(config-route-map)#exit
R1(config)#route-map test permit 20
R1(config-route-map)#exit
Attach the Route Map to the BGP neighbor inbound
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 route-map test in

The debug message clearly shows that the 2.2.2.0/24 network has been denied by the route-map:
*Oct 30 15:27:31.211: BGP(0): 192.168.12.2 rcvd 2.2.2.0/24 -- DENIED due to: route-map;
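The three labs all verify the filter by reading `debug ip bgp updates` by eye. The added example below (not IOS code and not part of the original document) parses that DENIED line format and checks it against the filter's intent: which prefixes were dropped, for which reason, and whether anything outside the intended set was dropped, which is how an over-wide filter shows up as a silent loss of reachability. The log sample is constructed from the format shown in the labs, with one extra denial of 2.2.3.0/24 added to simulate over-filtering; the line for an accepted route is an assumed shape and is not parsed.

```python
"""Check 'debug ip bgp updates' output against the intended filter.
Added example: not IOS code. Only the '-- DENIED due to: ...;' lines in the
format shown in the labs are parsed; everything else is ignored."""
import re
from collections import Counter
from typing import Dict, Iterable, List

DENIED_RE = re.compile(
    r"BGP\(\d+\): (?P<peer>\d{1,3}(?:\.\d{1,3}){3}) rcvd (?P<prefix>\S+) "
    r"-- DENIED due to: (?P<reason>[^;]+);"
)

# Constructed sample: the denials from the labs plus one extra denial of
# 2.2.3.0/24 to simulate a filter that is wider than intended. The second
# line (an accepted route) is an assumed shape used only as non-matching noise.
SAMPLE_DEBUG = """\
*Oct 30 14:34:02.475: BGP(0): 192.168.12.2 rcvd 2.2.2.0/24 -- DENIED due to: distribute/prefix-list;
*Oct 30 14:34:02.479: BGP(0): 192.168.12.2 rcvd 2.2.4.0/24
*Oct 30 15:27:31.211: BGP(0): 192.168.12.2 rcvd 2.2.2.0/24 -- DENIED due to: route-map;
*Oct 30 15:27:31.215: BGP(0): 192.168.12.2 rcvd 2.2.3.0/24 -- DENIED due to: route-map;
"""


def parse_denials(log_text: str) -> List[Dict[str, str]]:
    """One dict per DENIED line with keys peer, prefix, reason."""
    found = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            found.append(m.groupdict())
    return found


def denials_by_reason(denials: List[Dict[str, str]]) -> Dict[str, int]:
    """How many denials each mechanism (distribute/prefix-list, route-map) produced."""
    return dict(Counter(d["reason"] for d in denials))


def unexpected_denials(denials: List[Dict[str, str]], intended: Iterable[str]) -> List[str]:
    """Prefixes the filter dropped that were not meant to be dropped: the
    filter is wider than intended and is silently removing reachability."""
    return sorted({d["prefix"] for d in denials} - set(intended))


def intended_not_seen(denials: List[Dict[str, str]], intended: Iterable[str]) -> List[str]:
    """Prefixes we meant to drop that never appear as DENIED in this window:
    either the filter misses them or the peer did not advertise them."""
    return sorted(set(intended) - {d["prefix"] for d in denials})


if __name__ == "__main__":
    hits = parse_denials(SAMPLE_DEBUG)
    print(denials_by_reason(hits))
    print("over-filtered:", unexpected_denials(hits, ["2.2.2.0/24"]))
    print("not observed :", intended_not_seen(hits, ["2.2.2.0/24", "2.2.9.0/24"]))
```

Two operational notes on collecting this output. `clear ip bgp *` as used in the labs hard-resets every BGP session, which withdraws all routes from the peer until the session re-establishes; on a router carrying real traffic, `clear ip bgp * soft in` (with inbound soft reconfiguration or route refresh) re-applies the inbound policy without tearing the session down. And `debug ip bgp updates` prints a line for every update on a busy router, so feed it into a parser like this one rather than watching the console, and turn it off as soon as the check is done.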
