Route Filtering
A big part of working with BGP is filtering routes; that's how you control how your network traffic is carried and how you implement routing policies. You might want to filter routes coming from the outside into your network, or filter routes you advertise to other networks. No matter what your reason for filtering, there are basically three ways to do it: AS path filtering, community filtering, and aggregate filtering.
10.3.1. AS Path Filters
A lot of what you do with BGP is based on building AS path filters . Filters let you select specific paths (routes) through the network. AS path filters work like access lists, but with a twist: they support regular expression (regex) pattern matching. Here's an example of a simple AS path filter:
```
ip as-path access-list 70 deny ^100_
ip as-path access-list 70 permit .*
```
Like access lists, AS path filters follow these rules:
- Each line is a permit or a deny.
- The first match wins.
- An implicit "deny all" is added to the end of the list.
In this case, we want to deny any AS path that starts with AS 100 and permit everything else. We've assigned the filter number 70 (with the ip as-path access-list 70 command), which we use when we reference the filter in other parts of the configuration. The last part of each line is the regular expression that determines whether or not a path matches the list. Note that the number assigned to the AS path filter has nothing to do with the numbers assigned to regular IP access lists; there's no concept of regular or extended lists, so you can use any number you want. You can even use the same numbers you used for your IP access lists, although this would probably be confusing.
Table 10-2 shows some of the expressions that can be used in an AS path filter. A path is nothing more than a list of autonomous systems. The first autonomous system in the path (the AS with which the path originates) is on the right; as the path crosses AS boundaries, new autonomous systems are added on the left. Therefore, the leftmost entry in an AS path is the autonomous system from which we heard the path. An underscore matches a separator between AS numbers in the path (it also matches the start or end of the path). ^ matches the start of the path; $ matches the end. * matches zero or more repetitions of the preceding character, and . matches any single character.[*]
[*] For more information about regular expressions, see Mastering Regular Expressions by Jeffrey Friedl (O'Reilly).
| Regular expression | Meaning |
|---|---|
| `.*` | Matches all (i.e., any AS path). |
| `^$` | Matches an empty path. The only routes that can have an empty path are routes that originated within our local AS. |
| `^100$` | Specifies a path that consists of the single AS, AS 100. The ^ matches the beginning of the path; the $ matches the end. |
| `^(100\|200\|300)$` | Specifies a path that consists of a single AS, which can be either 100, 200, or 300. The vertical bar (`\|`) means "or"; the parentheses are for grouping. |
| `^100_` | All paths that start with AS 100. |
| `_100_` | All paths with 100 anywhere in the path. |
| `_100$` | All paths that end with 100. |
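To make the regex rules in Table 10-2 concrete, here is an added example (not code from the book) that evaluates AS paths against these expressions the way an `ip as-path access-list` does: the IOS underscore is translated into "start, end, or separator" before the expression is handed to Python's `re` module, and the list is walked first-match-wins with an implicit deny. The path lists and the translation regex are my own constructions.

```python
import re

# IOS treats "_" as "start of path, end of path, or any AS separator"; translate it
# before handing the expression to Python's re module (constructed translation).
CISCO_UNDERSCORE = r"(?:^|$|[ ,{}()])"

def cisco_regex(expr):
    return re.compile(expr.replace("_", CISCO_UNDERSCORE))

def path_str(as_path):
    # Leftmost AS is the neighbor we heard the path from, rightmost is the originator,
    # as IOS displays it; an empty list is a locally originated route.
    return " ".join(str(asn) for asn in as_path)

def path_matches(expr, as_path):
    """True if the IOS-style regular expression matches the AS path."""
    return cisco_regex(expr).search(path_str(as_path)) is not None

def as_path_list_permits(acl, as_path):
    """Evaluate an 'ip as-path access-list': first match wins, implicit deny at the end."""
    for action, expr in acl:
        if path_matches(expr, as_path):
            return action == "permit"
    return False

# The list from the text: deny any path starting with AS 100, permit everything else.
ACL_70 = [("deny", "^100_"), ("permit", ".*")]

if __name__ == "__main__":
    # Constructed sample paths; note 1100 must not match "_100_" or "^100_".
    samples = [[], [100], [100, 200], [300, 100], [200, 1100]]
    for expr in [".*", "^$", "^100$", "^(100|200|300)$", "^100_", "_100_", "_100$"]:
        print(f"{expr:18} ->", [p for p in samples if path_matches(expr, p)])
    for p in samples:
        verdict = "permit" if as_path_list_permits(ACL_70, p) else "deny"
        print("as-path access-list 70", p, "->", verdict)
```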
10.3.2. Community Filters
The community attribute allows routing policies to be applied to a destination. Communities are attached to routes with a set command in a route map; later, other route maps and filters can match on those community strings to perform various kinds of filtering. Three special community strings are predefined and cause the router to take a specific action. Table 10-3 lists the three predefined communities.
| Community | Action |
|---|---|
| no-export | Do not advertise to eBGP peers. |
| no-advertise | Do not advertise to any peer. |
| internet | Advertise to the Internet community (all routers belong to it). |
In this example, we define a route map named Community1 that matches IP addresses from list 1. This map sets the community string of any matches to the no-advertise community:
```
access-list 1 permit 0.0.0.0 255.255.255.255
!
route-map Community1
 match ip address 1
 set community no-advertise
!
! Now we use the community in the neighbor command
router bgp 500
 neighbor 10.1.1.1 remote-as 200
 neighbor 10.1.1.1 send-community
 neighbor 10.1.1.1 route-map Community1 out
```
By applying the route map in the neighbor command, we use it to check all the route updates we send to neighbor 10.1.1.1. The route map matches any route destination (because of access list 1) and sets the route's community string to no-advertise, so every route we send to 10.1.1.1 via BGP carries the no-advertise community. Therefore, when 10.1.1.1 receives a route update from us, it will not advertise any of our routes.
We can assign our own community values to outgoing routes. Our neighbors can then implement filters based on the community values we have set and act appropriately. Consider two routers, Router 1 and Router 2. Router 1 belongs to the 10.1.0.0 network (AS 500), while Router 2 belongs to the 10.2.0.0 network (AS 600). Router 1 sends all routes to Router 2 with a community of 100. Router 2 looks for any routes with a community of 100 and sets the weight to 10.
The configuration for Router 1 is:
```
! Router1 sends all its outgoing routes to neighbor 10.2.0.0 with
! a community value of 100
!
router bgp 500
 network 10.0.0.0
 neighbor 10.2.0.0 remote-as 600
 neighbor 10.2.0.0 send-community
 ! the route-map is set to OUT
 neighbor 10.2.0.0 route-map SET100 out
!
! Define our route map, setting the community to 100
route-map SET100 permit 10
 match ip address 1
 set community 100
!
! Match all IP addresses
access-list 1 permit 0.0.0.0 255.255.255.255
```
The configuration for Router 2 is:
```
! Router 2 looks for any route with a community of 100 and sets the
! weight to 10
router bgp 600
 network 10.2.0.0
 neighbor 10.1.0.0 remote-as 500
 ! The route map is used to check incoming routes
 neighbor 10.1.0.0 route-map CHECK100 in
!
! Define our route map, looking for community 100
route-map CHECK100 permit 10
 match community 1
 set weight 10
!
! Here is our community-list command. It acts like an access-list. This
! time we are looking for a community of 100
ip community-list 1 permit 100
```
It's easy to get confused by the many layers of indirection. The neighbor statement refers to a route map by name; the match statements inside the route map refer to community lists or access lists by number, and the community list itself finally checks the community.
Note that the predefined communities are mutually exclusive. In contrast, user-defined communities can be made additive by placing the additive keyword on the set community command. A route may therefore belong to several communities.
10.3.3. Aggregate Filters
Aggregate filters allow several different routes to be expressed in one simple (but equivalent) route, thus reducing the size of the routing table. Aggregates can be used only when the routes can be summarized into a single (aggregate) route.
The aggregate-address command controls route aggregation and reduces the number of outgoing BGP routes. Let's assume that we own several networks, 192.168.1.0/24 through 192.168.254.0/24. There is no need to advertise all of these networks separately. Instead, we can generate a single route summary for the entire network space:
```
router bgp 600
 network 10.0.0.0
 aggregate-address 192.168.1.0 255.255.0.0 summary-only
```
The summary-only keyword tells the router to advertise only the aggregate route. If we leave off summary-only, the router will advertise all of our routes plus the aggregate, which is not our intention.
Aggregate routes also allow us to suppress certain addresses from the aggregate list. In this example, we want to advertise our aggregate route and our other routes, but we also want to suppress route 192.168.5.0:
```
router bgp 600
 network 10.1.0.0
 aggregate-address 192.168.1.0 255.255.0.0 suppress-map MAP1
!
! Define our route map; any route it permits is suppressed
route-map MAP1 permit 1
 match ip address 1
!
! Define our access list to permit only 192.168.5.0/24; the implicit deny
! at the end leaves every other component route unsuppressed
access-list 1 permit 192.168.5.0 0.0.0.255
```
In this case, route map MAP1 selects the networks we want to suppress: a suppress-map withholds the more-specific routes that the route map permits, so access list 1 must permit 192.168.5.0/24 and nothing else. The aggregate and the remaining component routes are still advertised.
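The difference between summary-only and a suppress-map is easy to get backwards, so here is an added example (not code from the book) that models the aggregate-address command over a constructed BGP table: it generates the aggregate when a component route exists, drops every component under summary-only, and under a suppress-map drops only the components the route map's access list permits. The table, the access lists and the helper functions are my own constructions.

```python
import ipaddress

def acl_permits(acl, network):
    """Standard access-list semantics: first matching entry wins, implicit deny.
    Entries are (action, address, wildcard); the route's network address is tested."""
    addr = int(network.network_address)
    for action, address, wildcard in acl:
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if addr & mask == int(ipaddress.ip_address(address)) & mask:
            return action == "permit"
    return False

def advertised_routes(specifics, aggregate, summary_only=False, suppress_acl=None):
    """Model 'aggregate-address <addr> <mask> [summary-only | suppress-map]'.
    Returns the prefixes this router would advertise, as sorted strings.
    suppress_acl is the access list behind the suppress-map's route map: a
    more-specific route that the list PERMITS is suppressed."""
    addr, mask = aggregate
    agg = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    nets = [ipaddress.ip_network(p) for p in specifics]
    inside = [n for n in nets if n.subnet_of(agg)]
    if not inside:  # the aggregate is only generated when a component route exists
        return [str(n) for n in sorted(nets)]
    out = {agg} | {n for n in nets if n not in inside}
    for n in inside:
        if summary_only:
            continue
        if suppress_acl is not None and acl_permits(suppress_acl, n):
            continue
        out.add(n)
    return [str(n) for n in sorted(out)]

# Constructed BGP table: three of "our" /24s plus an unrelated route.
SPECIFICS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.5.0/24", "10.0.0.0/8"]
AGGREGATE = ("192.168.1.0", "255.255.0.0")  # address/mask as typed in aggregate-address
# Access list that suppresses only 192.168.5.0/24.
SUPPRESS_ONLY_5 = [("permit", "192.168.5.0", "0.0.0.255")]
# Deny 192.168.5.0 / permit the rest: this suppresses every OTHER component instead.
DENY_5_PERMIT_REST = [("deny", "192.168.5.0", "0.0.0.255"),
                      ("permit", "0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    cases = [("summary-only", {"summary_only": True}),
             ("suppress-map permitting 192.168.5.0", {"suppress_acl": SUPPRESS_ONLY_5}),
             ("suppress-map deny-5/permit-rest", {"suppress_acl": DENY_5_PERMIT_REST})]
    for label, kwargs in cases:
        print(f"{label}: {advertised_routes(SPECIFICS, AGGREGATE, **kwargs)}")
```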
Now that we've introduced a lot of the concepts, let's look at a complete configuration for a network.