Route Filtering and Route Summarization
Tools used to filter BGP routes:
- Distribution lists
- Prefix lists
- AS_PATH filter lists
- Route maps
-
aggregate-address commandThe first four have the following in common:
- Can filter incoming or outgoing updates, per neighbor or per peer group.
- Examine the contents of the BGP update message (PAs and NLRI).
- If a filter is changed, a clear command is required. The clear command can use the soft reconfiguration.
The tools differ in what they can match in the BGP update message:
-
neighbor distribute-list _standard-acl_: Prefix with wc (wilcard) mask.-
neighbor distribute-list _extended-acl_: Prefix and prefix length with wc mask.-
neighbor prefix-list: Exact or "first N" bits of prefix plus range of prefix lengths.-
neighbor filter-list: All NLRI whose AS_PATHs are matched.-
neighbor route-map: Prefix, prefix length, AS_PATH and/or any other PA matchable within a BGP route map.Filtering BGP updates based on NLRI
ip access-list extended lose-2 deny ip host 22.2.2.0 host 255.255.255.0 deny ip host 23.3.16.0 host 255.255.240.0 permit ip any any route-map rmap-lose-2 permit 10 match ip address lose-2 router bgp 123 neighbor 1.1.1.1 route-map rmap-lose-2 out neighbor 2.2.2.2 distribute-list lose-2 out ... ip prefix-list prefix-lose-2 seq 5 deny 22.2.2.0/24 ip prefix-list prefix-lose-2 seq 10 deny 23.3.16.0/20 ip prefix-list prefix-lose-2 seq 15 permit 0.0.0.0/0 le 32 router bgp 123 neighbor 9.9.9.9 prefix-list prefix-lose-2 out ! clear ip bgp 9.9.9.9 out or clear ip bgp * softSoft Reconfiguration
clear ip bgp {* | _neighbor-address_ | _peer-group-name_} [soft [in | out ]]IOS supports soft reconfiguration for sent updates but needs configuration for inbound updates.
neighbor _neighbor-id_ soft-reconfiguration inboud command causes the router to keep a copy of the received updates.BGP can simply reapply the changed filtering policy to the update without closing the neighbor connection.
Comparing BGP Prefix Lists, Distribute Lists and Route Maps
Distribute Lists for simple prefix matching (ACLs).
Prefix Lists for more flexible prefix matching.
The
neighbor filter-list for AS_PATH filtering.Route maps can be used for the same tasks, however, only route maps can provide the following two functions:
- Combine multiple logic: prefix/length, AS_PATH or other PAs
- Manipulate BGP PAs
Filtering Subnets of a Summary Using the aggregate-address Command
The filtering options on the
aggregate-address command are:- Filtering all component subnets by using the
summary-only keyword.- Advertising all component subnets by omitting the
summary-only keyword.- Advertising partial component subnets by referring a route map using the
suppress-map keyword.ip access-list extended permit-1 permit ip host 23.3.16.0 host 255.255.240.0 route-map suppress-1 permit 10 match ip address permit-1 router bgp 123 aggregate-address 23.0.0.0 255.0.0.0 as-set suppress-map suppress-1Filtering BGP Updates by Matching the AS_PATH PA
ip as-path access-list _number_ {permit | deny} _regex_neighbor _neighbor-id_ filter-list _as-path-filter-number_ {in | out}NLRI whose AS_PATHs match with a deny action are filtered.
The BGP AS_PATH and AS_PATH Segment Types
The AS_PATH segment types:
- AS_SEQ: Ordered list of ASNs, separated using spaces and non-enclosed.
- AS_SET: Unordered list of ASNs, separated using commas and enclosed using braces.
- AS_CONFED_SEQ: Ordered list of confederation ASNs, separated using spaces and enclosed using parentheses.
- AS_CONFED_SET: Unordened list of confederation ASNs, separated using commas and enclosed using braces.
Using Regular Expressions to Match AS_PATH
The logic:
- Line by line search for a mathed AS_PATH regex.
- A permit action does not filter the NRLI.
- A deny action filters the NRLI.
- Any NLRI not matched is filtered.
Regex metacharacters:
^ Start of line.
$ End of line.
| Logical OR applied between the preceding and succeeding characters
_ Any delimiter: blank, comma, start of line or end of line.
. Any single character.
? Zero or one instance of the preceding character.
* Zero or more instances of the preceding character.
+ One or more instances of the preceding character.
(string) Parentheses combine enclosed string as a single entity when used with ?,* or +.
[string] Wildcard for which any of the single characters in the string can be used to match that position.
Example: Matching AS_PATHs Using AS_PATH Filters
-
show ip bgp neighbor _neighbor-id_ advertised-routes displays the routes sent.-
show ip bgp neighbor _neighbor-id_ received-routes displays the routes received from a neighbor.- Output filter lists are applied before the routers adds its own ASN to the AS_PATH.
-
show ip bgp regexp _expression_ tests the regex. The regexp option is not allowed with received-routes or advertised-routes.- AS_PATH filter list can also be referenced in a route map using
match as-path _list-number_.The BGP Decision Process
0. Is the NEXT_HOP reachable?
1. Highest administrative weight: Local and Cisco-propietary feature.
2. Highest LOCAL_PREF PA: Well-known discretionary PA. Distributed inside the AS only. Used to choose the same exit point for particular NLRI.
3. Locally injected routes.
4. Shortest AS_PATH length: Treats an AS_SET as one ASN and counts each ASN in the AS_SEQ as one. Ignored if
bgp bestpath as-path ignore command is configured.5. ORIGIN PA: (i) routes are preferred over (e) routes, which are preferred over (?) routes.
6. Smallest Multi-Exit Discriminator (MED) PA: Tells a neighbor which of the peer connections is best for reaching particular NLRI.
7. Neighbor type: Prefer eBGP routes over iBGP.
8. IGP metric for reaching the NEXT_HOP: The lower the value, the better the route.
N
WLLA
OMNI
Three Final Tiebreaker Steps in the BGP Decision Process
9. Keep oldest eBGP route: This action reduces eBGP route flaps.
10. Choose smallest neighbor RID: Use the route whose next-hop router RID is the smallest. Needs the
bgp bestpath compare-routerid command.11. Smallest neighbor ID: Prefer the route advertised by the lowest neighbor ID.
Adding Multiple BGP Routes to the IP Routing Table
- If the best path for an NLRI is determined in steps 0 through 8, BGP adds only one route to the IP routing table.
- If the best path is determined after step 8, BGP considers placing multiple BGP routes into the IP routing table.
- Even if multiple BGP routes are added to the IP routing table, BGP still chooses only one route that will advertise to neighbors.
Step 0: NEXT_HOP Reachable
The router accepts a BGP route as best only if can forward packets to the next-hop router.
The NEXT_HOP can be changed using
neighbor _neighbor-id_ next-hop-self or neighbor _neighbor-id_ next-hop-unchanged.Step 1: Administrative Weight
Two methods of configuring the weight:
neighbor _neighbor-id_ weight _weight_neighbor _neighbor-id_ route-map _route-map_ [in | out]set weight _weight_Step 2: Highest Local Preference (LOCAL_PREF)
The default value is 100.
neighbor _neighbor-id_ route-map _route-map_ [in | out]set local-preference _number_Step 3: Choose Between Locally Injected Routes Based on ORIGIN PA
When the same NLRI is locally injected into BGP from multiple methods, pick the route with the better ORIGIN PA.
Step 4: Shortest AS_PATH
The typical logic requires a router to calculate the number of ASNs int the AS_SEQ and add 1 if an AS_SET exists.
AS_CONFED_SEQ and AS_CONFED_SET do no count at all in the calculation.
aggregate-address _network_ _mask_ [as-set]:- If the component subnets have different AS_PATH, the summary route has only the local AS in the AS_SEQ.
- Otherwise, the summary route contains the AS_SEQ from the component subnets and the local AS prepended.
neighbor remove-private-as:- Private ASNs can be removed only at the point of sending an eBGP update.
- If the current AS_SEQ contains both private and public ASNs, the private ASNs will not be removed.
neighbor local-as [no-prepend]:- Allows a router to use a different AS.
-
no-prepend, the router does not prepend any ASN.Using a
neighbor route-map, the route map can use the set as-path prepend to prepend one or more ASNs into the AS_SEQ.The
bgp bestpath as-path ignore _command_ removes the AS_PATH length step from the decision tree.Step 5: Best ORIGIN PA
BGP routing policies may set the ORIGIN code explicity by using the
set origin route map subcommand.Step 6: Smallest Multi-Exit Discriminator
Allows an AS to tell a neighboring AS the best way to forward packets into the first AS.
Default value is 0. A better default for MED can be set by using the
bgp bestpath med missing-as-worst subcommand.Configured via
neighbor route-map _route-map_ out, using set metric subcommand.To consider the MED in all cases, even when the AS_PATH differs, use the
bgp always-compare-med subcommand.To enhance te MED logic, use the
bgp deterministic-med command.Step 7: Prefer Neighbor Type eBGP over iBGP
BGP uses this decision point when two or more enterprise routers connect to the same ISP.
Each enterprise router knows of one eBGP route to reach each prefix and one or more iBGP routes to the same prefix.
Step 8: Smallest IGP Metric to the NEXT_HOP
The router looks for the BGP route with the smallest IGP metric to reach the NEXT_HOP IP address.
Step 9: Lowest BGP router ID of Advertising Router
Pick the route with the lowest RID:
- Examine eBGP routes first and after, the iBGP routes.
- If the existing best route is an eBGP route, do no replace the existing one, even if the new route has a smaller RID. This behavior can be changed by configuring
bgp bestpath compare-routerid command.- If the existing best route is an iBGP route, the decision is based on the lowest RID.
Step 10: Lowest Neighbor ID
If step 9 does not break the tie, then the router has at least two neighbor commands that point to the same router.
The router picks the routes with the lowest neighbor IP address.
The BGP maximum-paths Command
BGP defaults the
maximum-paths to 1.However, BGP will consider adding multiple entries to the IP routing table under certain conditions.
For eBGP routes:
1. BGP reaches step 9 or 10 to determine the best route.
2. The
maximum-paths _number_ is configured to something larger than 1.3. Only eBGP routes whose adjacent ASNs are the same as the best route are considered as candidates.
4. If there are more candidates than the allowed ones, the tiebreakers of step 9 and 10 determine which ones to use.
For iBGP routes:
1. Same rule as eBGP rule 1.
2. The
maximum-paths ibgp _number_ is configured to something larger than 1.3. Only iBGP routes with differing NEXT_HOP are considered as candidates.
4. Same rule as eBGP rule 4.
The
maximum-paths eibgp _number_ applies to both iBGP and eBGP routes, but only when MPLs is in use.BGP communities
They allow routers in one AS to communicate policy information to routers that are one or more AS distant (optional transitive).
router bgp 4 neighbor 10.1.34.3 send-community both neighbor 10.1.34.3 route-map comm out ip prefix-list 11 seq 5 permit 11.0.0.0/8 ip prefix-list 21 seq 5 permit 21.0.0.0/8 route-map comm permit 10 match ip address prefix-list 11 set community 1 route-map comm permit 20 match ip address prefix-list 21 set community 2 route-map comm permit 30 ! router bgp 123 neighbor 10.1.34.4 route-map react-to-comm in ip community-list 1 permit 1 ip community-list 2 permit 2 route-map react-to-comm permit 10 match community 1 set local-preference 300 route-map react-to-comm permit 20 match community 2 set local-preference 200 route-map react-to-comm permit 30Matching COMMUNITY with Community Lists
The COMMUNITY PA has two representations of 32 bits:
- Original Cisco format: decimal value (32 bits). Default format.
- New RFC format: AA:NN (16 bits:16 bits).
ip bgp-community new-format.set community 10 20 30 creates a COMMUNITY with all three values and replaces any existing COMMUNITY.set community 10 20 30 additive adds the values to the existing COMMUNITY string.Standard community list uses numbers between 1 and 99, can math multiple communities in a single command but does not support regexp.
Extended community list uses numbers between 100 and 199, can match multiple communities in a single command and supports regexp.
Removing COMMUNITY Values
Removing the entire COMMUNITY is relatively simple using the
set community none command in a route-map.To remove individual COMMUNITY strings use the
set comm-list _number_ delete command.Filtering NLRI Using Special COMMUNITY Values
match community {_standard_ | _extended_ | _name_ [exact]}BGP includes reserved values for the COMMUNITY PA that allow route filtering but with less effort than is required with community lists and route maps:
- NO_EXPORT (value FFFF:FF01): Do not advertise outside this AS.
- NO_ADVERT (value FFFF:FF02): Do not advertise to any other peer.
- LOCAL_AS or NO_EXPORT_SUBCONFED (value FFFF:FF03): Do not advertise outside the local confederation sub-AS.
No comments:
Post a Comment