BGP filtering

Feb 7th, 2009

hi you all.


I am new to BGP and I am trying filtering.


Let's say for our peering we have this config:


router bgp 30000
no synchronization
no bgp fast-external-fallover
bgp log-neighbor-changes
bgp dampening
network .......

neighbor Myneighbor remote-as 60000
neighbor Myneighbor send-community
neighbor Myneighbor soft-reconfiguration inbound
neighbor Myneighbor filter-list 1 out
no auto-summary

ip as-path access-list 1 permit ^$


If I change the config as follows:



neighbor Myneighbor remote-as 60000
neighbor Myneighbor send-community
neighbor Myneighbor soft-reconfiguration inbound
neighbor Myneighbor filter-list 1 out
neighbor Myneighbor filter-list 2 in
no auto-summary

ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny any

ip as-path access-list 2 permit ^60000_[0-9]*$
ip as-path access-list 2 deny any



Will it be correct?

I think this is allowing incoming routes originated on my peer and the AS related to it. Also I am filtering in output the routes not originated in my AS.


thanks





lejoe.thomas Sat, 02/07/2009 - 15:48

Hi Osvaldo,


Yes


Outbound Filter


ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny any



You'll only advertise networks that originated within your AS(30000) to neighboring AS(60000)



Inbound Filter


ip as-path access-list 2 permit ^60000_[0-9]*$
ip as-path access-list 2 deny any


You'll only get networks that originated within AS 60000 and all of its directly attached AS


HTH


Lejoe
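
Added example, not part of the thread: a small Python evaluator that runs the two AS-path access-lists discussed above against constructed AS paths, including edge cases the replies do not walk through (AS-path prepending by the peer, an AS number that merely starts with 60000). It assumes the Cisco meaning of "_" (start or end of string, space, comma, brace or parenthesis) and writes the final deny as .*; the ASNs 65001 and 65002 are made up.

```python
import re

# Cisco AS-path regexes treat "_" as: start of string, end of string, space,
# comma, braces or parentheses. Python has no such token, so translate it.
CISCO_UNDERSCORE = r"(?:^|$|[ ,{}()])"

def to_python_regex(cisco_pattern):
    return cisco_pattern.replace("_", CISCO_UNDERSCORE)

def evaluate(acl, as_path):
    """Return 'permit' or 'deny' for an AS path (space-separated ASNs).

    acl is an ordered list of (action, cisco_regex). The first matching
    entry wins; a path that matches no entry gets the implicit deny.
    """
    for action, pattern in acl:
        if re.search(to_python_regex(pattern), as_path):
            return action
    return "deny"

# The two lists from the thread, with the explicit final deny written as .*
ACL_OUT = [("permit", "^$"), ("deny", ".*")]
ACL_IN = [("permit", "^60000_[0-9]*$"), ("deny", ".*")]

# Constructed sample paths as received from the peer in AS 60000.
SAMPLES_IN = [
    "60000",               # originated by the peer
    "60000 65001",         # originated one AS behind the peer
    "60000 60000",         # peer route prepended once
    "60000 60000 60000",   # peer route prepended twice
    "60000 65001 65002",   # two ASes behind the peer
    "600001",              # different ASN sharing the prefix "60000"
    "65001 60000",         # peer is not the first AS in the path
]

def report():
    lines = []
    # Outbound: an empty AS path means the route is locally originated.
    lines.append("outbound  %-22r %s" % ("", evaluate(ACL_OUT, "")))
    lines.append("outbound  %-22r %s" % ("60000", evaluate(ACL_OUT, "60000")))
    for path in SAMPLES_IN:
        lines.append("inbound   %-22r %s" % (path, evaluate(ACL_IN, path)))
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

The run shows that the inbound list permits at most two AS numbers in the path, so a route the peer originates but prepends twice is denied along with everything further away.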

languedoc Sun, 02/08/2009 - 07:31

Thanks very much.


But there is something: as I am filtering on input, I will lose routes. If I add a last-resort route pointing to my peer (ip route 0.0.0.0 0.0.0.0 ip-myneighbor), will it solve this issue? Or is it required that my peer announce a default route?


Thanks

Mohamed Sobair Sat, 02/07/2009 - 19:20

Hi,


You can apply an outbound filter-list using a regular expression; however, you can't apply an inbound filter directly using a regular expression. Looking at your config, the correct config should be:


neighbor Myneighbor remote-as 60000
neighbor Myneighbor soft-reconfiguration inbound
neighbor Myneighbor filter-list 1 out
neighbor Myneighbor route-map BGP in

ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit ^60000_[0-9]*$

route-map BGP
match as-path 2



Please refer to the link below:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml



HTH

Mohamed

lejoe.thomas Sat, 02/07/2009 - 20:03

Hi Mohamed,


You can apply an inbound filter directly using an AS-path access-list; whether you achieve it using a route-map or directly using the neighbor filter-list depends on your objectives.



Lejoe


Mohamed Sobair Sun, 02/08/2009 - 05:24

Lejoe,


Could you please provide me with a documentation link describing regular expressions using an inbound filter-list directly?



HTH

Mohamed

lejoe.thomas Sun, 02/08/2009 - 15:18

Hi Mohamed


Refer to the command reference for as-path access-list, which mentions that an inbound filter can be applied using neighbor filter-list


http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp2.html#wp1015697


An example


http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a83.shtml


Most examples use a route-map to apply an as-path access-list inbound; probably this could be the reason for the confusion.


HTH


Lejoe

languedoc Sun, 02/08/2009 - 15:20

Thanks very much.


But there is something: as I am filtering on input, I will lose routes. If I add a last-resort route pointing to my peer (ip route 0.0.0.0 0.0.0.0 ip-myneighbor), will it solve this issue? Or is it required that my peer announce a default route?


Thanks




lejoe.thomas Sun, 02/08/2009 - 15:28

Hi Osvaldo,


If you are not getting complete routes then adding a default-route makes sense.

You can add a static default route

ip route 0.0.0.0 0.0.0.0 next-hop


or you could have your neighbor announce a default route.

eg: neighbor ip-address default-originate (assuming a static default route already exists on the router)


And if you want to use an explicit deny at the end of your as-path access-list, use the regular expression .* and not the keyword any


ip as-path access-list 1 deny .*


HTH


Lejoe

languedoc Mon, 02/09/2009 - 01:17

Hi

I thank you very much.


I am getting the full routing table, but if I do the filtering I might lose routes. That is why I talked about a default route.


Thanks


