8-11 neighbor ip-address peer-group-name filter-list as-path-list-number out


8-11 neighbor {ip-address | peer-group-name} filter-list as-path-list-number out

Syntax Description:

  • ip-address Neighbor's IP address.

  • peer-group-name Name of the peer group. See section 8-19.

  • as-path-list-number IP AS path list number.

Purpose: To filter outgoing route updates to a particular BGP neighbor. Filtering is based on AS path information. Only one filter list can be used per neighbor. The operation of the output filter list is identical for both IBGP and EBGP neighbors.

Cisco IOS Software Release: 10.0. Peer group support was added in Release 11.0.

Configuration Example 1: Block Routes Originating from a Particular AS

In Figure 8-12, Routers B and C are advertising four network prefixes. Router B filters the route update to Router A in order to reject networks originating from AS 3. The last AS listed in the AS path list is the originating AS. Loopbacks are used on Routers B and C to simulate the advertised networks, as shown in the configuration.

Figure 8-12. Scenario for the Use of the neighbor filter-list out Command


     Router A
     interface Serial0
      ip address 10.1.1.1 255.255.255.252
     !
     router bgp 1
      neighbor 10.1.1.2 remote-as 2

     Router B
     ip subnet-zero
     !
     interface Loopback0
      ip address 172.16.0.1 255.255.255.0
     !
     interface Loopback1
      ip address 172.16.1.1 255.255.255.0
     !
     interface Loopback2
      ip address 172.16.2.1 255.255.255.0
     !
     interface Loopback3
      ip address 172.16.3.1 255.255.255.0
     !
     interface Serial0
      ip address 10.1.1.2 255.255.255.252
      clockrate 64000
     !
     router bgp 2
      network 172.16.0.0 mask 255.255.255.0
      network 172.16.1.0 mask 255.255.255.0
      network 172.16.2.0 mask 255.255.255.0
      network 172.16.3.0 mask 255.255.255.0
      neighbor 10.1.1.1 remote-as 1
      neighbor 10.1.2.2 remote-as 3

     Router C
     ip subnet-zero
     !
     interface Loopback0
      ip address 198.16.0.1 255.255.255.0
     !
     interface Loopback1
      ip address 198.16.1.1 255.255.255.0
     !
     interface Loopback2
      ip address 198.16.2.1 255.255.255.0
     !
     interface Loopback3
      ip address 198.16.3.1 255.255.255.0
     !
     interface Serial0
      ip address 10.1.2.2 255.255.255.252
     !
     router bgp 3
      network 198.16.0.0
      network 198.16.1.0
      network 198.16.2.0
      network 198.16.3.0
      neighbor 10.1.2.1 remote-as 2

Before proceeding to the filter list example, verify that BGP is propagating the routes:

     rtrA# show ip bgp
     BGP table version is 22, local router ID is 172.17.1.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 172.16.0.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.1.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.2.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.3.0/24    10.1.1.2                 0             0 2 i
     *> 198.16.0.0       10.1.1.2                               0 2 3 i
     *> 198.16.1.0       10.1.1.2                               0 2 3 i
     *> 198.16.2.0       10.1.1.2                               0 2 3 i
     *> 198.16.3.0       10.1.1.2                               0 2 3 i

     rtrB# show ip bgp
     BGP table version is 9, local router ID is 172.16.3.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 172.16.0.0/24    0.0.0.0                  0         32768 i
     *> 172.16.1.0/24    0.0.0.0                  0         32768 i
     *> 172.16.2.0/24    0.0.0.0                  0         32768 i
     *> 172.16.3.0/24    0.0.0.0                  0         32768 i
     *> 198.16.0.0       10.1.2.2                 0             0 3 i
     *> 198.16.1.0       10.1.2.2                 0             0 3 i
     *> 198.16.2.0       10.1.2.2                 0             0 3 i
     *> 198.16.3.0       10.1.2.2                 0             0 3 i

     rtrC# show ip bgp
     BGP table version is 18, local router ID is 198.16.3.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 172.16.0.0/24    10.1.2.1                 0             0 2 i
     *> 172.16.1.0/24    10.1.2.1                 0             0 2 i
     *> 172.16.2.0/24    10.1.2.1                 0             0 2 i
     *> 172.16.3.0/24    10.1.2.1                 0             0 2 i
     *> 198.16.0.0       0.0.0.0                  0         32768 i
     *> 198.16.1.0       0.0.0.0                  0         32768 i
     *> 198.16.2.0       0.0.0.0                  0         32768 i
     *> 198.16.3.0       0.0.0.0                  0         32768 i

Notice the AS path information contained in the BGP tables of the three routers. Before a router sends an update to another router in a different AS, the advertising router prepends its AS number to the update. This information is used to filter the updates.

For this example, we want to filter the route update that Router B is sending to Router A and block routes that originate in AS 3. We can identify the routes originating in AS 3 by looking at the last AS number in the AS path information. If the last AS number is 3, these routes originated in AS 3. We don't care how many AS numbers are listed in the path, as long as the last AS number is 3.

In order to filter routes based on AS path information, we need to use an AS path filter in conjunction with the BGP filter-list command. An AS path filter utilizes regular expressions to match patterns in the AS path list. Refer to Appendix B for a discussion of regular expressions. The regular expression used to match any prefix originating from AS 3 is _3$. Two of the characters that an underscore matches are a space and the beginning-of-string character. There is always a space between the AS numbers listed in an AS path. The 3$ must match a 3 and then the end-of-string character. So, the regular expression _3$ matches any path originating from AS 3, regardless of the length of the AS path. Now modify the BGP configuration on Router B to filter routes originating in AS 3:

     Router B
     router bgp 2
      neighbor 10.1.1.1 remote-as 1
      neighbor 10.1.2.2 remote-as 3
      neighbor 10.1.1.1 filter-list 1 out
     !
     ip as-path access-list 1 deny _3$
     ip as-path access-list 1 permit .*

The filter list always references an IP AS path access list. For this example, the AS path access list number is 1. The first statement in access list 1 rejects any routes originating in AS 3. The second line in the AS path access list is necessary because there is an implicit deny any at the end of every AS path access list. Without the permit .* statement, all routes from Router B would be rejected.

Verification

Verify that the routes originating in AS 3 are being blocked on Router A:

     rtrA# show ip bgp
     BGP table version is 5, local router ID is 172.17.1.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 172.16.0.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.1.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.2.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.3.0/24    10.1.1.2                 0             0 2 i

Configuration Example 2: Block Routes Originating in AS 3 But Allow Routes That Pass Through AS 3

Remove the AS path filter on Router B using the no form of the filter-list command:

     Router B
     router bgp 2
      no neighbor 10.1.1.1 filter-list 1 out

For this example, we will modify the AS path information associated with networks 198.16.0.0/24 and 198.16.1.0/24. This modification makes these routes look like they originated in AS 4. This is accomplished by using a route map on Router C:

     Router C
     router bgp 3
      network 198.16.0.0
      network 198.16.1.0
      network 198.16.2.0
      network 198.16.3.0
      neighbor 10.1.2.1 remote-as 2
      neighbor 10.1.2.1 route-map adjust out
     !
     access-list 1 permit 198.16.0.0 0.0.1.255
     route-map adjust permit 10
      match ip address 1
      set as-path prepend 4
     !
     route-map adjust permit 20

The route map on Router C prepends AS number 4 onto the 198.16.0.0/24 and 198.16.1.0/24 prefixes in order to demonstrate the AS path filter used in this example. Before installing the new AS path filter on Router B, check the BGP tables on Routers A and B to see if the AS path information has been modified:

     rtrB# show ip bgp
     BGP table version is 30, local router ID is 172.16.3.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 172.16.0.0/24    0.0.0.0                  0         32768 i
     *> 172.16.1.0/24    0.0.0.0                  0         32768 i
     *> 172.16.2.0/24    0.0.0.0                  0         32768 i
     *> 172.16.3.0/24    0.0.0.0                  0         32768 i
     *> 198.16.0.0       10.1.2.2                 0             0 3 4 i
     *> 198.16.1.0       10.1.2.2                 0             0 3 4 i
     *> 198.16.2.0       10.1.2.2                 0             0 3 i
     *> 198.16.3.0       10.1.2.2                 0             0 3 i

     rtrA# show ip bgp
     BGP table version is 9, local router ID is 172.17.1.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 172.16.0.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.1.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.2.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.3.0/24    10.1.1.2                 0             0 2 i
     *> 198.16.0.0       10.1.1.2                               0 2 3 4 i
     *> 198.16.1.0       10.1.1.2                               0 2 3 4 i
     *> 198.16.2.0       10.1.1.2                               0 2 3 i
     *> 198.16.3.0       10.1.1.2                               0 2 3 i

The AS path filter that we will use is the same one used in Configuration Example 1. It demonstrates that the filter blocks only routes originating in AS 3 but allows routes that have passed through AS 3. Of course, all the 198.16.x.x routes originated in AS 3, but Routers A and B now think that two of the routes originated in AS 4:

     Router B
     router bgp 2
      neighbor 10.1.1.1 remote-as 1
      neighbor 10.1.2.2 remote-as 3
      neighbor 10.1.1.1 filter-list 1 out
     !
     ip as-path access-list 1 deny _3$
     ip as-path access-list 1 permit .*

Verification

As in the previous example, check the BGP table on Router A to verify that only the networks whose AS path information ends in 3 are being blocked:

     rtrA# show ip bgp
     BGP table version is 7, local router ID is 172.17.1.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 172.16.0.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.1.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.2.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.3.0/24    10.1.1.2                 0             0 2 i
     *> 198.16.0.0       10.1.1.2                               0 2 3 4 i
     *> 198.16.2.0       10.1.1.2                               0 2 3 4 i

Configuration Example 3: Block All Routes Containing AS Path Number 3

For this configuration example, we want to block any route whose AS path contains a 3. Remove the AS path list on Router B using the no form of the command:

     Router B
     router bgp 2
      no neighbor 10.1.1.1 filter-list 1 out
     !
     no ip as-path access-list 1

The BGP table on Router A should again contain all the routes being advertised by Router B:

     rtrA# show ip bgp
     BGP table version is 9, local router ID is 172.17.1.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 172.16.0.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.1.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.2.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.3.0/24    10.1.1.2                 0             0 2 i
     *> 198.16.0.0       10.1.1.2                               0 2 3 4 i
     *> 198.16.1.0       10.1.1.2                               0 2 3 4 i
     *> 198.16.2.0       10.1.1.2                               0 2 3 i
     *> 198.16.3.0       10.1.1.2                               0 2 3 i

The filter we want to use for this example should match any AS path containing a 3. Four patterns match a 3 anywhere in the AS path:


     <beginning of string>3<space>
     <beginning of string>3<end of string>
     <space>3<end of string>
     <space>3<space>

Because an underscore matches a space, beginning of string, or end of string, we can use the regular expression _3_ to match all four patterns. Configure the AS path filter list on Router B:

     Router B
     router bgp 2
      neighbor 10.1.1.1 remote-as 1
      neighbor 10.1.2.2 remote-as 3
      neighbor 10.1.1.1 filter-list 1 out
     !
     ip as-path access-list 1 deny _3_
     ip as-path access-list 1 permit .*

Verification

Check the BGP table on Router A to verify that any route containing a 3 in the AS path has been blocked:

     rtrA# show ip bgp
     BGP table version is 5, local router ID is 172.17.1.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 172.16.0.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.1.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.2.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.3.0/24    10.1.1.2                 0             0 2 i
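Added example (not from the handbook): a Python sketch of how the AS path access lists in Examples 1 and 3 decide, covering the underscore semantics and the implicit deny described above. List 1 is the page's; list 2 is the Example 3 list renumbered, lists 3 and 4 and the sample paths 2 13 and 2 30 4 are constructed for contrast, and the translation of _ handles only the delimiters named in the comment.

```python
import re

# Cisco "_" matches a delimiter: start or end of string, space, comma,
# braces or parentheses. Python has no equivalent, so expand it.
DELIM = r"(?:^|$|[ ,{}()])"

# List 1 is from the page; list 2 is Example 3 renumbered (assumption);
# list 3 (no underscores) and list 4 (no permit line) are constructed.
CONFIG = """
ip as-path access-list 1 deny _3$
ip as-path access-list 1 permit .*
ip as-path access-list 2 deny _3_
ip as-path access-list 2 permit .*
ip as-path access-list 3 deny 3
ip as-path access-list 3 permit .*
ip as-path access-list 4 deny _3$
"""

# Sample AS paths: the first three appear in the tables above,
# the last two are constructed to probe the delimiters.
PATHS = ["2", "2 3", "2 3 4", "2 13", "2 30 4"]

def parse_acl(config, number):
    """Return the ordered (action, regex) entries of one AS-path access list."""
    entries = []
    for line in config.splitlines():
        w = line.split()
        if (w[:3] == ["ip", "as-path", "access-list"]
                and len(w) == 6 and w[3] == str(number)):
            # Simplification: every "_" is expanded, even inside brackets.
            entries.append((w[4], re.compile(w[5].replace("_", DELIM))))
    return entries

def evaluate(entries, as_path):
    """First match wins; a path matching no entry hits the implicit deny."""
    for action, regex in entries:
        if regex.search(as_path):
            return action
    return "deny"

def permitted(number, paths=PATHS, config=CONFIG):
    """Return the paths that the given list would let through."""
    entries = parse_acl(config, number)
    return [p for p in paths if evaluate(entries, p) == "permit"]

if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        print(f"list {n}: permits {permitted(n)}")
```

List 3 shows why the underscores matter: a bare 3 also rejects paths through AS 13 and AS 30, while list 4 rejects everything because nothing precedes the implicit deny.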

Configuration Example 4: Block All Routes Originating from a Directly Connected EBGP Neighbor

Routes originating from a directly connected EBGP neighbor contain one AS number in the AS path. The form of the AS path is


     <beginning of string>AS number<end of string>

The regular expression that matches routes from a directly connected EBGP neighbor is ^AS-number$. For this example, we use a filter list on Router A to block routes originating from AS 2. Configure the following filter on Router B, remembering to remove any existing AS path filters:

     Router B
     router bgp 2
      neighbor 10.1.1.1 remote-as 1
      neighbor 10.1.2.2 remote-as 3
      neighbor 10.1.1.1 filter-list 1 out
     !
     ip as-path access-list 1 deny ^2$
     ip as-path access-list 1 permit .*

Verification

Before you apply the filter, the BGP table on Router A should contain the routes from AS 2:

     rtrA# show ip bgp
     BGP table version is 9, local router ID is 172.17.1.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 172.16.0.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.1.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.2.0/24    10.1.1.2                 0             0 2 i
     *> 172.16.3.0/24    10.1.1.2                 0             0 2 i
     *> 198.16.0.0       10.1.1.2                               0 2 3 4 i
     *> 198.16.1.0       10.1.1.2                               0 2 3 4 i
     *> 198.16.2.0       10.1.1.2                               0 2 3 i
     *> 198.16.3.0       10.1.1.2                               0 2 3 i

After you apply the AS path filter, the routes originated by AS 2 should be gone:

     rtrA# show ip bgp
     BGP table version is 9, local router ID is 172.17.1.1
     Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
     Origin codes: i - IGP, e - EGP, ? - incomplete

        Network          Next Hop            Metric LocPrf Weight Path
     *> 198.16.0.0       10.1.1.2                               0 2 3 4 i
     *> 198.16.1.0       10.1.1.2                               0 2 3 4 i
     *> 198.16.2.0       10.1.1.2                               0 2 3 i
     *> 198.16.3.0       10.1.1.2                               0 2 3 i

Troubleshooting

  1. Verify that the BGP neighbors are in the Established state using the show ip bgp neighbors command.

    If the neighbor relationship is not in the Established state, see section 8-23.

  2. Verify that the routes to be filtered are being advertised using the show ip bgp command.

  3. In some cases, there might not be routes to filter. Your filter might be used to block future advertisements from a particular AS. In this case, the routes are not in the BGP table.

  4. If routes that you think should be filtered are showing up in the BGP table, check the syntax of your AS path filter and your regular expressions. You can check the operation of the filters by debugging the BGP updates. For the second example, the debug output would be similar to this:

     Router B
     6d17h: BGP: 10.1.1.1 send UPDATE 172.16.0.0/24, next 10.1.1.2, metric 0,
       path 2
     6d17h: BGP: 10.1.1.1 send UPDATE 172.16.1.0/24 (chgflags: 0x0), next 10.1.1.2,
       path  (before routemap/aspath update)
     6d17h: BGP: 10.1.1.1 send UPDATE 172.16.2.0/24 (chgflags: 0x0), next 10.1.1.2,
       path  (before routemap/aspath update)
     6d17h: BGP: 10.1.1.1 send UPDATE 172.16.3.0/24 (chgflags: 0x0), next 10.1.1.2,
       path  (before routemap/aspath update)
     6d17h: BGP: 10.1.1.1 send UPDATE 198.16.2.0/24, next 10.1.1.2, metric 0,
       path 2 3 4
     6d17h: BGP: 10.1.1.1 send UPDATE 198.16.3.0/24 (chgflags: 0x0), next 10.1.1.2,
       path 3 4 (before routemap/aspath update).

Notice that the preceding debug output doesn't indicate routes that are blocked. Because the routes you intended to block are not being sent in the update, the AS path filter is working. If you see routes that you intended to block in the update, there is a problem with the AS path filter.



Cisco® BGP-4 Command and Configuration Handbook
ISBN: 1587055732
Year: 2001
Pages: 300
