8-21: neighbor {ip-address | peer-group-name} prefix-list prefix-list-name in


8-21: neighbor {ip-address | peer-group-name} prefix-list prefix-list-name in

Syntax Description:

  • ip-address: Neighbor's IP address.

  • peer-group-name: Name of the peer group. See section 8-19.

  • prefix-list-name: Name of the input IP prefix list.

Purpose: To filter incoming route updates from a particular BGP neighbor based on the IP address and mask length. Only one prefix list can be used per neighbor. The operation of the input prefix list is identical for both IBGP and EBGP neighbors. Using a prefix list is an alternative to using an extended IP access list and a distribute list.

Cisco IOS Software Release: 12.0

Configuration Example 1: Allow an Aggregate Route While Blocking the More-Specific Routes

In Figure 8-20, Router B is advertising four network prefixes and the aggregate of the prefixes to Router A. Router A filters the route update from Router B in order to reject the more-specific routes. Loopbacks are used on Router B to simulate the advertised networks, as shown in the configuration.

Figure 8-20. Scenario for Use of the neighbor prefix-list in Command


    Router A
    !
    interface Serial0
     ip address 10.1.1.1 255.255.255.252
    !
    router bgp 1
     neighbor 10.1.1.2 remote-as 2

    Router B
    ip subnet-zero
    !
    interface Loopback0
     ip address 172.16.0.1 255.255.255.0
    !
    interface Loopback1
     ip address 172.16.1.1 255.255.255.0
    !
    interface Loopback2
     ip address 172.16.2.1 255.255.255.0
    !
    interface Loopback3
     ip address 172.16.3.1 255.255.255.0
    !
    interface Serial0
     ip address 10.1.1.2 255.255.255.252
     clockrate 64000
    !
    router bgp 2
     network 172.16.0.0 mask 255.255.255.0
     network 172.16.1.0 mask 255.255.255.0
     network 172.16.2.0 mask 255.255.255.0
     network 172.16.3.0 mask 255.255.255.0
     aggregate-address 172.16.0.0 255.255.252.0
     neighbor 10.1.1.1 remote-as 1

Before proceeding to the prefix list example, verify that Router A is receiving the routes from Router B:

    rtrA# show ip bgp
    BGP table version is 5, local router ID is 172.17.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    *> 172.16.0.0/24    10.1.1.2                 0             0 2 i
    *> 172.16.0.0/22    10.1.1.2                               0 2 i
    *> 172.16.1.0/24    10.1.1.2                 0             0 2 i
    *> 172.16.2.0/24    10.1.1.2                 0             0 2 i
    *> 172.16.3.0/24    10.1.1.2                 0             0 2 i

Modify the BGP configuration on Router A to allow only the aggregate prefix 172.16.0.0/22:

    Router A
    router bgp 1
     neighbor 10.1.1.2 remote-as 2
     neighbor 10.1.1.2 prefix-list aggregate in
    !
    ip prefix-list aggregate seq 5 permit 172.16.0.0/22

The prefix list is similar to a route map. Prefix lists are named, and each statement in a prefix list has a sequence number. Elements in a prefix list are executed in numerical order, and processing stops when a match occurs. Before proceeding, we will discuss the commands available with an IP prefix list:

    ip prefix-list sequence-number (default)
    no ip prefix-list sequence-number

The default form includes the sequence numbers in the configuration. Using the no form of this command excludes the sequence numbers. If we list our configuration on Router A, we see that the sequence numbers are included in the configuration. By default, the sequence numbers start at 5 and increment by 5:

    ip prefix-list aggregate seq 5 permit 172.16.0.0/22

Using the no form produces this:

    ip prefix-list aggregate permit 172.16.0.0/22

If the no form is used, the sequence numbers can be seen using the show ip prefix-list command:

    rtrA# show ip prefix-list
    ip prefix-list aggregate: 2 entries
       seq 5 permit 172.16.0.0/22

Here is the general form of the command:

    rtrA(config)# ip prefix-list ?
      WORD             Name of a prefix list
      sequence-number  Include/exclude sequence numbers in NVGEN
    rtrA(config)# ip prefix-list aggregate ?
      deny         Specify packets to reject
      description  Prefix-list specific description
      permit       Specify packets to forward
      seq          sequence number of an entry

The permit and deny statements are used to determine if a prefix is allowed or prevented when received from a neighbor. The description option is useful if you have many prefix lists. We can add a description to our configuration using this:

    ip prefix-list aggregate description filter specific routes of 172.16.0.0/22

The seq (sequence number) option allows us to apply our own sequence number to each permit or deny statement. If it is not used, the default sequence numbers are applied.

After the permit or deny option comes the prefix/length entry:

    rtrA(config)# ip prefix-list aggregate permit ?
      A.B.C.D  IP prefix <network>/<length>, e.g., 35.0.0.0/8

For our example we used this:

    ip prefix-list aggregate seq 5 permit 172.16.0.0/22

This permits the aggregate advertisement received from Router B. Finally, we can further specify a range for the number of bits to match in the prefix length by using the optional parameters greater than or equal to (ge) or less than or equal to (le):

    rtrA(config)# ip prefix-list aggregate permit 172.16.0.0/22 ?
      ge  Minimum prefix length to be matched
      le  Maximum prefix length to be matched
      <cr>

The possibilities are to match the following:

  • Less than or equal to a number of bits:

    ip prefix-list aggregate permit 172.16.0.0/22 le 23

  • Greater than or equal to a number of bits:

    ip prefix-list aggregate permit 172.16.0.0/22 ge 23

  • Greater than or equal to one value and less than or equal to another value:

    ip prefix-list aggregate permit 172.16.0.0/22 ge 23 le 24

The last form allows the more-specific routes and blocks the aggregate prefix.

Verification

Verify that Router A is using the prefix list:

    rtrA# show ip bgp neighbors
    BGP neighbor is 10.1.1.2,  remote AS 2, external link
     Index 1, Offset 0, Mask 0x2
      BGP version 4, remote router ID 172.16.3.1
      BGP state = Established, table version = 2, up for 01:01:10
      Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
      Minimum time between advertisement runs is 30 seconds
      Received 172 messages, 0 notifications, 0 in queue
      Sent 150 messages, 0 notifications, 0 in queue
      Prefix advertised 0, suppressed 0, withdrawn 0
      Incoming update prefix filter list is aggregate
      Connections established 10; dropped 9
      Last reset 01:01:27, due to User reset
      1 accepted prefixes consume 32 bytes
      0 history paths consume 0 bytes
    Connection state is ESTAB, I/O status: 1, unread input bytes: 0
    Local host: 10.1.1.1, Local port: 11052
    Foreign host: 10.1.1.2, Foreign port: 179

The prefix list can be examined by using the show ip prefix-list or show ip prefix-list detail commands:

    rtrA# show ip prefix-list
    ip prefix-list aggregate: 1 entries
       seq 5 permit 172.16.0.0/22
    rtrA# show ip prefix-list detail
    Prefix-list with the last deletion/insertion: aggregate
    ip prefix-list aggregate:
       Description: filter specific routes of 172.16.0.0/22
       count: 1, range entries: 0, sequences: 5 - 5, refcount: 3
       seq 5 permit 172.16.0.0/22 (hit count: 1, refcount: 1)

Finally, check the BGP routing table on Router A to ensure that the 172.16.0.0/22 prefix has been allowed and that the more-specific prefixes have been filtered:

    rtrA# show ip bgp
    BGP table version is 2, local router ID is 172.17.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    *> 172.16.0.0/22    10.1.1.2                               0 2 i

Configuration Example 2: Allow the More-Specific Prefixes and Block the Aggregate

For this example, we will allow the more-specific prefixes and block the aggregate. The first method uses the following prefix list:

    ip prefix-list aggregate permit 172.16.0.0/24
    ip prefix-list aggregate permit 172.16.1.0/24
    ip prefix-list aggregate permit 172.16.2.0/24
    ip prefix-list aggregate permit 172.16.3.0/24

Here is a more compact form to achieve the same results:

    ip prefix-list aggregate permit 172.16.0.0/22 ge 23

The BGP router configuration on Router A remains unchanged. Because there is an implicit deny any at the end of every prefix list, we will let this implicit statement block the aggregate.

Verification

As in the previous example, check the BGP table on Router A to verify that only the more-specific prefixes of 172.16.0.0 are being allowed:

    rtrA# show ip bgp
    BGP table version is 5, local router ID is 172.17.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    *> 172.16.0.0/24    10.1.1.2                 0             0 2 i
    *> 172.16.1.0/24    10.1.1.2                 0             0 2 i
    *> 172.16.2.0/24    10.1.1.2                 0             0 2 i
    *> 172.16.3.0/24    10.1.1.2                 0             0 2 i

Troubleshooting

  1. Verify that the BGP neighbors are in the Established state using the show ip bgp neighbors command.

    If the neighbor relationship is not in the Established state, see section 8-23.

  2. Check the syntax of your prefix list.

    You can monitor the BGP route exchange using debug ip bgp updates, which should produce output similar to the following for the second configuration:

        1w0d: BGP: 10.1.1.2 rcv UPDATE w/ attr: nexthop 10.1.1.2, origin i, aggregated by 2 172.16.3.1, path 2
        1w0d: BGP: 10.1.1.2 rcv UPDATE about 172.16.0.0/22 -- DENIED due to: distribute/prefix-list;
        1w0d: BGP: 10.1.1.2 rcv UPDATE w/ attr: nexthop 10.1.1.2, origin i, metric 0, path 2
        1w0d: BGP: 10.1.1.2 rcv UPDATE about 172.16.0.0/24
        1w0d: BGP: 10.1.1.2 rcv UPDATE about 172.16.1.0/24
        1w0d: BGP: 10.1.1.2 rcv UPDATE about 172.16.2.0/24
        1w0d: BGP: 10.1.1.2 rcv UPDATE about 172.16.3.0/24


Cisco BGP-4 Command and Configuration Handbook
ISBN: 1587055732
Year: 2001
Pages: 300
