8-11 neighbor {ip-address | peer-group-name} filter-list as-path-list-number out

Syntax Description:

ip-address: IP address of the BGP neighbor.
peer-group-name: Name of a BGP peer group.
as-path-list-number: Number of the ip as-path access-list applied to the updates sent to this neighbor.
Purpose: To filter outgoing route updates to a particular BGP neighbor. Filtering is based on AS path information. Only one outbound filter list can be applied per neighbor. The operation of the output filter list is identical for IBGP and EBGP neighbors.

Cisco IOS Software Release: 10.0. Peer group support was added in Release 11.0.

Configuration Example 1: Block Routes Originating from a Particular AS

In Figure 8-12, Routers B and C are each advertising four network prefixes. Router B filters the route update it sends to Router A in order to reject networks originating in AS 3. The last AS listed in an AS path is the originating AS. Loopbacks are used on Routers B and C to simulate the advertised networks, as shown in the configuration.

Figure 8-12. Scenario for the Use of the neighbor filter-list out Command

Router A
interface Serial0
 ip address 10.1.1.1 255.255.255.252
!
router bgp 1
 neighbor 10.1.1.2 remote-as 2
___________________________________________________________________________
Router B
ip subnet-zero
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback2
 ip address 172.16.2.1 255.255.255.0
!
interface Loopback3
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0
 ip address 10.1.1.2 255.255.255.252
 clockrate 64000
!
router bgp 2
 network 172.16.0.0 mask 255.255.255.0
 network 172.16.1.0 mask 255.255.255.0
 network 172.16.2.0 mask 255.255.255.0
 network 172.16.3.0 mask 255.255.255.0
 neighbor 10.1.1.1 remote-as 1
 neighbor 10.1.2.2 remote-as 3
___________________________________________________________________________
Router C
ip subnet-zero
!
interface Loopback0
 ip address 198.16.0.1 255.255.255.0
!
interface Loopback1
 ip address 198.16.1.1 255.255.255.0
!
interface Loopback2
 ip address 198.16.2.1 255.255.255.0
!
interface Loopback3
 ip address 198.16.3.1 255.255.255.0
!
interface Serial0
 ip address 10.1.2.2 255.255.255.252
!
router bgp 3
 network 198.16.0.0
 network 198.16.1.0
 network 198.16.2.0
 network 198.16.3.0
 neighbor 10.1.2.1 remote-as 2

Before proceeding to the filter list example, verify that BGP is propagating the routes:

rtrA# show ip bgp
BGP table version is 22, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i
*> 198.16.0.0       10.1.1.2                               0 2 3 i
*> 198.16.1.0       10.1.1.2                               0 2 3 i
*> 198.16.2.0       10.1.1.2                               0 2 3 i
*> 198.16.3.0       10.1.1.2                               0 2 3 i
___________________________________________________________________________
rtrB# show ip bgp
BGP table version is 9, local router ID is 172.16.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    0.0.0.0                  0         32768 i
*> 172.16.1.0/24    0.0.0.0                  0         32768 i
*> 172.16.2.0/24    0.0.0.0                  0         32768 i
*> 172.16.3.0/24    0.0.0.0                  0         32768 i
*> 198.16.0.0       10.1.2.2                 0             0 3 i
*> 198.16.1.0       10.1.2.2                 0             0 3 i
*> 198.16.2.0       10.1.2.2                 0             0 3 i
*> 198.16.3.0       10.1.2.2                 0             0 3 i
___________________________________________________________________________
rtrC# show ip bgp
BGP table version is 18, local router ID is 198.16.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.2.1                 0             0 2 i
*> 172.16.1.0/24    10.1.2.1                 0             0 2 i
*> 172.16.2.0/24    10.1.2.1                 0             0 2 i
*> 172.16.3.0/24    10.1.2.1                 0             0 2 i
*> 198.16.0.0       0.0.0.0                  0         32768 i
*> 198.16.1.0       0.0.0.0                  0         32768 i
*> 198.16.2.0       0.0.0.0                  0         32768 i
*> 198.16.3.0       0.0.0.0                  0         32768 i

Notice the AS path information contained in the BGP tables of the three routers. Before a router sends an update to a router in a different AS, the advertising router prepends its own AS number to the AS path. This information is what the filter list operates on. For this example, we want to filter the route update that Router B sends to Router A and block the routes that originate in AS 3. We can identify the routes originating in AS 3 by looking at the last AS number in the AS path. If the last AS number is 3, the route originated in AS 3. We don't care how many AS numbers are listed in the path, as long as the last one is 3.

In order to filter routes based on AS path information, we need to use an AS path access list in conjunction with the BGP filter-list command. An AS path access list uses regular expressions to match patterns in the AS path. Refer to Appendix B for a discussion of regular expressions. The regular expression that matches any prefix originating in AS 3 is _3$. Two of the characters that an underscore matches are a space and the beginning-of-string character, and there is always a space between the AS numbers listed in an AS path. The 3$ must match a 3 immediately followed by the end of the string. So the regular expression _3$ matches any path originating in AS 3, regardless of the length of the AS path; the leading underscore is what keeps it from matching an AS number that merely ends in 3, such as 23. Now modify the BGP configuration on Router B to filter routes originating in AS 3:

Router B
router bgp 2
 neighbor 10.1.1.1 remote-as 1
 neighbor 10.1.2.2 remote-as 3
 neighbor 10.1.1.1 filter-list 1 out
!
ip as-path access-list 1 deny _3$
ip as-path access-list 1 permit .*

The filter list always references an IP AS path access list; for this example, the AS path access list number is 1. The first statement in access list 1 rejects any route originating in AS 3. The second line is necessary because there is an implicit deny any at the end of every AS path access list: without the permit .* statement, Router B would send no routes at all to Router A.

Verification

Verify that the routes originating in AS 3 are being blocked on Router A:

rtrA# show ip bgp
BGP table version is 5, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i

Configuration Example 2: Block Routes Originating in AS 3 But Allow Routes That Pass Through AS 3

Remove the AS path filter on Router B using the no form of the filter-list command:

Router B
router bgp 2
 no neighbor 10.1.1.1 filter-list 1 out

For this example, we will modify the AS path information associated with networks 198.16.0.0/24 and 198.16.1.0/24 so that these routes look as if they originated in AS 4. This is accomplished with a route map on Router C:

Router C
router bgp 3
 network 198.16.0.0
 network 198.16.1.0
 network 198.16.2.0
 network 198.16.3.0
 neighbor 10.1.2.1 remote-as 2
 neighbor 10.1.2.1 route-map adjust out
!
access-list 1 permit 198.16.0.0 0.0.1.255
route-map adjust permit 10
 match ip address 1
 set as-path prepend 4
!
route-map adjust permit 20

The route map on Router C prepends AS number 4 to the 198.16.0.0/24 and 198.16.1.0/24 prefixes in order to demonstrate the AS path filter used in this example. Before installing the new AS path filter on Router B, check the BGP tables on Routers A and B to see that the AS path information has been modified:

rtrB# show ip bgp
BGP table version is 30, local router ID is 172.16.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    0.0.0.0                  0         32768 i
*> 172.16.1.0/24    0.0.0.0                  0         32768 i
*> 172.16.2.0/24    0.0.0.0                  0         32768 i
*> 172.16.3.0/24    0.0.0.0                  0         32768 i
*> 198.16.0.0       10.1.2.2                 0             0 3 4 i
*> 198.16.1.0       10.1.2.2                 0             0 3 4 i
*> 198.16.2.0       10.1.2.2                 0             0 3 i
*> 198.16.3.0       10.1.2.2                 0             0 3 i
___________________________________________________________________________
rtrA# show ip bgp
BGP table version is 9, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i
*> 198.16.0.0       10.1.1.2                               0 2 3 4 i
*> 198.16.1.0       10.1.1.2                               0 2 3 4 i
*> 198.16.2.0       10.1.1.2                               0 2 3 i
*> 198.16.3.0       10.1.1.2                               0 2 3 i

The AS path filter we will use is the same one used in Configuration Example 1. It demonstrates that the filter blocks only routes originating in AS 3 and allows routes that have merely passed through AS 3. Of course, all the 198.16.x.x routes really originated in AS 3, but Routers A and B now see two of them as if they originated in AS 4:

Router B
router bgp 2
 neighbor 10.1.1.1 remote-as 1
 neighbor 10.1.2.2 remote-as 3
 neighbor 10.1.1.1 filter-list 1 out
!
ip as-path access-list 1 deny _3$
ip as-path access-list 1 permit .*

Verification

As in the previous example, check the BGP table on Router A to verify that only the networks whose AS path ends in 3 are being blocked:

rtrA# show ip bgp
BGP table version is 7, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i
*> 198.16.0.0       10.1.1.2                               0 2 3 4 i
*> 198.16.1.0       10.1.1.2                               0 2 3 4 i

Configuration Example 3: Block All Routes Containing AS Path Number 3

For this configuration example, we want to block any route whose AS path contains a 3. Remove the AS path filter and the AS path access list on Router B using the no form of the commands:

Router B
router bgp 2
 no neighbor 10.1.1.1 filter-list 1 out
!
no ip as-path access-list 1

The BGP table on Router A should again contain all the routes being advertised by Router B:

rtrA# show ip bgp
BGP table version is 9, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i
*> 198.16.0.0       10.1.1.2                               0 2 3 4 i
*> 198.16.1.0       10.1.1.2                               0 2 3 4 i
*> 198.16.2.0       10.1.1.2                               0 2 3 i
*> 198.16.3.0       10.1.1.2                               0 2 3 i

The filter we want for this example should match any AS path containing a 3. Four patterns match a 3 anywhere in the AS path: a 3 that is the entire path, a 3 at the beginning of the path followed by a space, a 3 at the end of the path preceded by a space, and a 3 in the middle of the path with a space on each side. Because an underscore matches a space, the beginning of the string, or the end of the string, the single regular expression _3_ covers all four patterns (and, unlike a bare 3, does not match AS numbers such as 23 or 30). Configure the AS path filter list on Router B:

Router B
router bgp 2
 neighbor 10.1.1.1 remote-as 1
 neighbor 10.1.2.2 remote-as 3
 neighbor 10.1.1.1 filter-list 1 out
!
ip as-path access-list 1 deny _3_
ip as-path access-list 1 permit .*

Verification

Check the BGP table on Router A to verify that every route with a 3 in its AS path has been blocked:

rtrA# show ip bgp
BGP table version is 5, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i

Configuration Example 4: Block All Routes Originating from a Directly Connected EBGP Neighbor

Routes originating from a directly connected EBGP neighbor contain exactly one AS number in the AS path: the neighbor's own AS. The regular expression that matches routes originated by a directly connected EBGP neighbor is therefore ^AS-number$. For this example, we use a filter list on Router A to block the routes that originate in AS 2, which Router A receives from Router B with an AS path of 2. Configure the following filter on Router A, remembering to remove any existing AS path filters on Router B:

Router A
router bgp 1
 neighbor 10.1.1.2 remote-as 2
 neighbor 10.1.1.2 filter-list 1 in
!
ip as-path access-list 1 deny ^2$
ip as-path access-list 1 permit .*

Note that the same access list would not do the job as an outbound filter list on Router B. An outbound filter list is evaluated against the AS path as it sits in Router B's BGP table, before Router B prepends its own AS number, so Router B's locally originated routes have an empty AS path at that point and are matched by ^$, not by ^2$.

Verification

Before you apply the filter, the BGP table on Router A should contain the routes from AS 2:

rtrA# show ip bgp
BGP table version is 9, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i
*> 198.16.0.0       10.1.1.2                               0 2 3 4 i
*> 198.16.1.0       10.1.1.2                               0 2 3 4 i
*> 198.16.2.0       10.1.1.2                               0 2 3 i
*> 198.16.3.0       10.1.1.2                               0 2 3 i

After you apply the AS path filter, the routes originated by AS 2 should be gone:

rtrA# show ip bgp
BGP table version is 9, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 198.16.0.0       10.1.1.2                               0 2 3 4 i
*> 198.16.1.0       10.1.1.2                               0 2 3 4 i
*> 198.16.2.0       10.1.1.2                               0 2 3 i
*> 198.16.3.0       10.1.1.2                               0 2 3 i

Troubleshooting

Notice that the preceding debug output does not indicate which routes are blocked. Because the routes you intended to block are simply absent from the update, the AS path filter is working. If you see routes that you intended to block in the update, there is a problem with the AS path filter.
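The following Python model is an added example and is not code from the original page or from Cisco. It reproduces the matching rules behind Examples 1 through 4 (what an underscore matches, first-match evaluation with the implicit deny, the AS prepend done by each EBGP speaker and by Router C's route map) on the three-router topology of Figure 8-12, and also shows the two things the page's tables cannot: why _3$ is needed instead of a bare 3$ (an AS such as 23 would otherwise match), and that an outbound filter list is evaluated before the local AS is prepended, so ^2$ applied outbound on Router B matches nothing while ^$ matches Router B's own routes. The IOS behaviour it assumes (underscore matching space, comma, brace, parenthesis, start or end of string; outbound filter lists seeing the table path) is taken from Cisco documentation, not from this page, and the function and constant names are the example's own.

```python
"""Model of IOS 'ip as-path access-list' matching and 'neighbor ... filter-list'.

Added example, not code from the original page.  Router names, addresses,
prefixes and AS numbers follow Figure 8-12; the IOS behaviour modelled here
(what '_' matches, first-match with an implicit deny, outbound lists seeing
the path before the local AS is prepended) is assumed from Cisco docs.
"""
import re

# In IOS an underscore matches a space, comma, brace, parenthesis, or the
# start or end of the AS path string.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_regex(expr):
    """Translate an IOS AS-path regular expression to a Python pattern."""
    return re.compile(expr.replace("_", IOS_UNDERSCORE))


def as_path_str(path):
    """Render an AS path as IOS prints it, e.g. [2, 3, 4] -> '2 3 4'."""
    return " ".join(str(asn) for asn in path)


def as_path_list_permits(acl, path):
    """Evaluate an ip as-path access-list given as (action, regex) entries:
    the first matching entry decides, and every list ends in an implicit deny."""
    text = as_path_str(path)
    for action, expr in acl:
        if ios_regex(expr).search(text):
            return action == "permit"
    return False


def advertise_ebgp(table, local_as, filter_list=None, prepend=None):
    """One EBGP UPDATE.  The outbound filter-list is evaluated against the path
    as it sits in the local table; the local AS and any route-map prepend are
    added only to what is actually sent."""
    sent = {}
    for prefix, path in table.items():
        if filter_list is not None and not as_path_list_permits(filter_list, path):
            continue
        extra = prepend(prefix) if prepend else []
        sent[prefix] = [local_as] + extra + path
    return sent


def receive_ebgp(update, filter_list=None):
    """Apply an inbound filter-list to a received UPDATE."""
    return {prefix: path for prefix, path in update.items()
            if filter_list is None or as_path_list_permits(filter_list, path)}


# Locally originated routes carry an empty AS path in the originating router.
ROUTER_C_LOCAL = {"198.16.%d.0/24" % i: [] for i in range(4)}
ROUTER_B_LOCAL = {"172.16.%d.0/24" % i: [] for i in range(4)}


def prepend_4(prefix):
    """Router C's route-map 'adjust': access-list 1 permit 198.16.0.0 0.0.1.255."""
    return [4] if prefix in ("198.16.0.0/24", "198.16.1.0/24") else []


def router_a_table(b_out_filter=None, a_in_filter=None, c_prepend=None):
    """What Router A (AS 1) learns from Router B (AS 2), which learns from Router C (AS 3)."""
    b_table = dict(ROUTER_B_LOCAL)
    b_table.update(advertise_ebgp(ROUTER_C_LOCAL, local_as=3, prepend=c_prepend))
    update = advertise_ebgp(b_table, local_as=2, filter_list=b_out_filter)
    return receive_ebgp(update, a_in_filter)


# The AS path access lists from Examples 1-4, plus the one that really matches
# Router B's own routes when applied outbound on Router B.
ORIGIN_AS3 = [("deny", "_3$"), ("permit", ".*")]    # routes originating in AS 3
THROUGH_AS3 = [("deny", "_3_"), ("permit", ".*")]   # any path containing AS 3
ONLY_AS2 = [("deny", "^2$"), ("permit", ".*")]      # path is exactly "2" (as seen by Router A)
LOCAL_ONLY = [("deny", "^$"), ("permit", ".*")]     # empty path: a local route in its own table

if __name__ == "__main__":
    scenarios = [
        ("no filter", {}),
        ("Example 1: _3$ out on B", {"b_out_filter": ORIGIN_AS3}),
        ("Example 2: _3$ out on B, C prepends 4", {"b_out_filter": ORIGIN_AS3, "c_prepend": prepend_4}),
        ("Example 3: _3_ out on B", {"b_out_filter": THROUGH_AS3, "c_prepend": prepend_4}),
        ("Example 4: ^2$ in on A", {"a_in_filter": ONLY_AS2, "c_prepend": prepend_4}),
        ("^2$ out on B (no effect)", {"b_out_filter": ONLY_AS2}),
        ("^$ out on B", {"b_out_filter": LOCAL_ONLY}),
    ]
    for label, kwargs in scenarios:
        print(label)
        for prefix, path in sorted(router_a_table(**kwargs).items()):
            print("   %-16s %s i" % (prefix, as_path_str(path)))
```

Running the script prints Router A's table for each scenario; the first five match the show ip bgp output in Examples 1 through 4, while the last two show that ^2$ outbound on Router B leaves all eight routes in place and ^$ is the pattern that removes Router B's four local prefixes. Swapping _3$ for 3$ in ORIGIN_AS3 and feeding as_path_list_permits a path such as [2, 23] shows the partial-match problem the underscore prevents.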