Policy Control in BGP Using Prefix Lists


Distribute lists, prefix lists, and route maps are BGP advertisement control mechanisms used to control the propagation of BGP advertisements throughout the internetwork. All three function much like access lists in that they can be tuned to regulate how routing information is exchanged. Distribute lists use access lists to decide which routing information is filtered, governing whether a router sends or receives particular BGP route advertisements with a given peer. You configure a distribute list to permit or deny the sending or receiving of BGP advertisements with the distribute-list in or distribute-list out command. In addition to filtering update traffic, you can also use distribute lists to filter inbound and outbound protocol traffic by configuring and applying access lists.

Prefix lists are easier to configure than traditional routed protocol access lists because the entries are sequentially numbered. This allows for the insertion, deletion, and modification of specific statements. Mechanically, however, they use the same rules for reading and application as a traditional access list.

This chapter looks at distribute lists and primarily prefix lists as tools to implement BGP policy. Route maps are covered in greater detail in the next chapter on optimizing routing updates.


To apply a distribute list to an IP interface, use the neighbor distribute-list command. The complete syntax of the command is as follows:

  RouterA(config-router)# neighbor {ip-address | peer-group-name} distribute-list access-list-number {in | out}

The ip-address parameter is the IP address of the BGP neighbor for which routes will be filtered. The peer-group-name parameter, if applicable, is the name of the peer group. The access-list-number parameter identifies the IP standard or extended access list to be applied (1 to 199). The keyword in or out determines whether the access list is applied to advertisements received from or sent to the specified neighbor. A sample distribute list configuration could look like this:

  RouterA(config)# router bgp 65410
  RouterA(config-router)# network 192.168.10.0
  RouterA(config-router)# neighbor 10.1.1.2 remote-as 65420
  RouterA(config-router)# neighbor 10.1.2.2 remote-as 65430
  RouterA(config-router)# neighbor 10.1.1.2 distribute-list 1 out
  RouterA(config-router)# exit
  RouterA(config)# access-list 1 deny 172.16.0.0 0.0.255.255
  RouterA(config)# access-list 1 permit any

In the preceding sample listing, the distribute list prevents any route in major network 172.16.0.0 from being advertised outbound to the BGP neighbor at address 10.1.1.2. The last line permits all remaining routes, which would otherwise be dropped by the implicit deny statement at the end of every access list.
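As an added example (not code from the Exam Cram text), the following Python models how a standard access list applied with neighbor ... distribute-list ... out decides which routes leave for a BGP peer: entries are tried top to bottom, a standard access list compares only the route's network address against the entry's address and wildcard mask (a 1 bit in the wildcard means "don't care"), and a route that matches no entry hits the implicit deny. The BGP table and the variant list without its permit any line are constructed for illustration.

```python
# Added example, not from the Exam Cram text: a model of a standard access
# list used as an outbound distribute list on a BGP neighbor.
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

# (action, address, wildcard) triples in the order they appear in the config.
AclEntry = Tuple[str, str, str]

# access-list 1 deny 172.16.0.0 0.0.255.255
# access-list 1 permit any          ("any" is 0.0.0.0 255.255.255.255)
ACCESS_LIST_1: List[AclEntry] = [
    ("deny", "172.16.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# The same list without its final "permit any" (constructed variant): after the
# explicit deny only the implicit deny remains, so nothing is advertised at all.
ACCESS_LIST_1_NO_PERMIT_ANY: List[AclEntry] = ACCESS_LIST_1[:1]


def wildcard_match(address: str, entry_address: str, wildcard: str) -> bool:
    """True if every bit that is 0 in the wildcard is equal in both addresses."""
    a = int(IPv4Address(address))
    m = int(IPv4Address(entry_address))
    w = int(IPv4Address(wildcard))
    # OR-ing in the wildcard discards the "don't care" bits on both sides.
    return (a | w) == (m | w)


def acl_action(acl: List[AclEntry], route: str) -> str:
    """Return 'permit' or 'deny' for a route such as '172.16.5.0/24'."""
    # A standard access list sees only the network address, not the mask length.
    network_address = str(IPv4Network(route).network_address)
    for action, entry_address, wildcard in acl:  # first match wins
        if wildcard_match(network_address, entry_address, wildcard):
            return action
    return "deny"  # implicit deny at the end of every access list


def outbound_updates(acl: List[AclEntry], routes: List[str]) -> List[str]:
    """Routes that a distribute-list ... out built from acl lets through."""
    return [r for r in routes if acl_action(acl, r) == "permit"]


if __name__ == "__main__":
    # Constructed BGP table for RouterA.
    bgp_table = ["192.168.10.0/24", "172.16.5.0/24", "172.16.0.0/16", "172.17.0.0/16"]
    print("sent to 10.1.1.2:", outbound_updates(ACCESS_LIST_1, bgp_table))
    print("without permit any:", outbound_updates(ACCESS_LIST_1_NO_PERMIT_ANY, bgp_table))
```

Running the script shows that 172.16.5.0/24 and 172.16.0.0/16 are both held back (their network addresses fall under the deny), 192.168.10.0/24 and 172.17.0.0/16 pass, and dropping the permit any line silences the peer entirely, which is the usual symptom of a forgotten final permit.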

On BGP routers, you can also achieve filtering by implementing a prefix list. Prefix lists combine the protocol filtering of access lists with the route filtering capability of distribute lists, based on network prefixes. Distribute lists have effectively become obsolete because of the extensive use of prefix lists in Cisco IOS 12.0 and later. Prefix lists work the same way as access lists, but they offer several important benefits over them. Prefix lists are

  • Not as processor-intensive as access lists, because they load and look up large lists more efficiently

  • More flexible than access lists, because individual lines can be added and deleted and incremental changes made

  • More user-friendly than the typical access list

Prefix lists do have some functional rules that should be adhered to for optimal performance. Consider carefully the following list:

  • An empty prefix list permits all route prefixes.

  • If a prefix is permitted, the route is used.

  • If a prefix is denied, the route is not used.

  • Prefix lists are made up of a list of sequenced statements. The router starts at the top of the list and searches down until a match is made. The statement with the lowest sequence number is at the top of the list. Consider placing the most common permit or deny matches toward the top of the list by assigning them lower sequence numbers.

  • If a prefix does not match any prefix list statement, an implicit deny applies, just as in an access list.

  • Sequence numbers are automatically generated unless explicitly disabled.

To configure a prefix list, use the following command:

  ip prefix-list prefix-list-name {permit | deny} network-address/len

The parameter network-address/len indicates the network prefix and mask length for which the configured action should be used. Use the no ip prefix-list prefix-list-name command to delete an existing prefix list.

Figure 9.5 uses a prefix list to force RouterA to send only network prefix (supernet) 169.0.0.0/8 to AS 65410, but not the route to network 169.254.0.0/16. Listing 9.4 lists the RouterA prefix list configuration commands.

Listing 9.4 The Prefix List Configuration for RouterA

  RouterA(config)# ip prefix-list justsupernet permit 169.0.0.0/8
  RouterA(config)# router bgp 65410
  RouterA(config-router)# network 192.168.100.0
  RouterA(config-router)# neighbor 10.1.1.2 remote-as 65400
  RouterA(config-router)# neighbor 10.1.2.2 remote-as 65420
  RouterA(config-router)# aggregate-address 169.0.0.0 255.0.0.0
  RouterA(config-router)# neighbor 10.1.1.2 prefix-list justsupernet out
  RouterA(config-router)# exit
  RouterA#

Figure 9.5. A sample prefix list scenario.

As shown in Figure 9.5, RouterA is a peer with RouterB at address 10.1.1.2 in AS 65400, and RouterC at 10.1.2.2 in AS 65420. The neighbor prefix-list command dictates that RouterA is to use the prefix list named justsupernet to decide which update messages are pushed to BGP peer RouterB. Only the route 169.0.0.0/8 gets sent to RouterB because the implicit deny stops the rest of the routes.
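As an added example (not code from the Exam Cram text), the following Python models how IOS evaluates an ip prefix-list against a candidate route, following the rules listed earlier in this chapter: entries are tried in ascending sequence number, the first match wins, an empty list permits everything, and a route that matches no entry falls to the implicit deny. Per-entry hit counters stand in for what show ip prefix-list detail reports and clear ip prefix-list resets. The ge and le length qualifiers are real options of the ip prefix-list command that the syntax shown above omits; without them an entry matches only a route of exactly the configured length, which is why permit 169.0.0.0/8 lets the /8 through but not 169.254.0.0/16. The routes and the second list named carve are constructed for illustration.

```python
# Added example, not from the Exam Cram text: a model of IOS prefix-list
# evaluation (sequence order, first match, empty list, implicit deny, ge/le).
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional


@dataclass
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    network: IPv4Network
    ge: Optional[int] = None    # minimum length to match (IOS ge)
    le: Optional[int] = None    # maximum length to match (IOS le)
    hits: int = 0               # times this entry matched a route

    def matches(self, route: IPv4Network) -> bool:
        # The route must lie inside the configured network...
        if not route.subnet_of(self.network):
            return False
        # ...and its length must fall in the range the entry accepts:
        # exact length by default, ge..32 with ge alone, len..le with le alone.
        low = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = 32
        else:
            high = self.network.prefixlen
        return low <= route.prefixlen <= high


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[PrefixEntry] = []

    def add(self, action: str, network: str, seq: Optional[int] = None,
            ge: Optional[int] = None, le: Optional[int] = None) -> int:
        """Add an entry; like IOS, auto-number in steps of 5 when seq is omitted."""
        if seq is None:
            seq = max((e.seq for e in self.entries), default=0) + 5
        self.entries.append(PrefixEntry(seq, action, IPv4Network(network), ge, le))
        self.entries.sort(key=lambda e: e.seq)   # lowest sequence number first
        return seq

    def evaluate(self, route: str) -> str:
        if not self.entries:
            return "permit"          # an empty prefix list permits all prefixes
        candidate = IPv4Network(route)
        for entry in self.entries:   # searched from the top until a match
            if entry.matches(candidate):
                entry.hits += 1
                return entry.action
        return "deny"                # implicit deny, as in an access list

    def permitted(self, route: str) -> bool:
        return self.evaluate(route) == "permit"

    def hit_counts(self) -> Dict[int, int]:
        """What 'show ip prefix-list detail' would report per sequence number."""
        return {e.seq: e.hits for e in self.entries}

    def clear_counters(self) -> None:
        """What 'clear ip prefix-list' does to the hit counts."""
        for e in self.entries:
            e.hits = 0


def routes_sent_to_routerb(bgp_table: List[str]) -> List[str]:
    """Listing 9.4: 'neighbor 10.1.1.2 prefix-list justsupernet out'."""
    justsupernet = PrefixList("justsupernet")
    justsupernet.add("permit", "169.0.0.0/8")
    return [r for r in bgp_table if justsupernet.permitted(r)]


if __name__ == "__main__":
    # Constructed BGP table for RouterA.
    table = ["169.0.0.0/8", "169.254.0.0/16", "192.168.100.0/24"]
    print("to RouterB:", routes_sent_to_routerb(table))
    # Ordering matters: a more specific deny placed first carves one /16 out
    # of a permit that uses ge to cover every length under 169.0.0.0/8.
    carve = PrefixList("carve")
    carve.add("deny", "169.254.0.0/16", seq=5)
    carve.add("permit", "169.0.0.0/8", seq=10, ge=8)
    for r in table:
        print(carve.name, r, carve.evaluate(r))
    print("hits:", carve.hit_counts())
```

Against the constructed table, justsupernet passes only 169.0.0.0/8; 169.254.0.0/16 and 192.168.100.0/24 match nothing and are dropped by the implicit deny. The carve list shows why sequence order is worth checking with show ip prefix-list: swapping the two entries would let the ge 8 permit match 169.254.0.0/16 first and the deny would never be reached.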

You cannot combine the neighbor prefix-list command with the neighbor distribute-list command to configure the same BGP peer.


If you want to delete a prefix list, use the following syntax:

  RouterA(config)# no ip prefix-list list-name

The show ip prefix-list command is used with a wide array of keywords and parameters to display information regarding the prefix list policy that is configured on a router. The full syntax for the show ip prefix-list command is as follows:

  show ip prefix-list [detail | summary] [name [network/len] [seq seq-num] [longer] [first-match]]

The detail keyword displays information for all prefix lists configured on the router, including each list's description and the number of times each entry has matched a route (the hit count). The show ip prefix-list detail name command displays the same information for the specified prefix list only. The [network/len] parameter displays the policy associated with a particular prefix/len value (for example, 169.254.0.0/16) in a prefix list. The seq seq-num parameter denotes a specific prefix list entry's sequence number.

The clear ip prefix-list command clears and resets the hit count displayed for a particular prefix list when the show ip prefix-list [detail | summary] prefix-list-name command is run. The full syntax is

  clear ip prefix-list prefix-list-name

Regardless of the filtering method used, give particular consideration to the size and number of lists configured on your router. Because all pertinent traffic is compared line by line against the applied standard and extended access lists, CPU usage increases in proportion to the number and size of the applied lists.



CCNP BSCI Exam Cram 2 (Exam Cram 642-801)
ISBN: 0789730170
Year: 2003
Pages: 170