BGP filtering

Unanswered Question
Feb 7th, 2009

Hi you all.

I am new to BGP and I am trying filtering.

Let's say for our peering we have this config:

router bgp 30000

no synchronization

no bgp fast-external-fallover

bgp log-neighbor-changes

bgp dampening

network .......

neighbor Myneighbor remote-as 60000

neighbor Myneighbor send-community

neighbor Myneighbor soft-reconfiguration inbound

neighbor Myneighbor filter-list 1 out

no auto-summary

ip as-path access-list 1 permit ^$

If I change the config as follows:

neighbor Myneighbor remote-as 60000

neighbor Myneighbor send-community

neighbor Myneighbor soft-reconfiguration inbound

neighbor Myneighbor filter-list 1 out

neighbor Myneighbor filter-list 2 in

no auto-summary

ip as-path access-list 1 permit ^$

ip as-path access-list 1 deny any

ip as-path access-list 2 permit ^60000_[0-9]*$

ip as-path access-list 2 deny any

Will it be correct?

I think this is allowing incoming routes originated on my peer and the AS related to it. Also I am filtering in output the routes not originated in my AS.

Thanks

lejoe.thomas Sat, 02/07/2009 - 15:48

Hi Osvaldo,

Yes

Outbound Filter

ip as-path access-list 1 permit ^$

ip as-path access-list 1 deny any

You'll only advertise networks that originated within your AS(30000) to neighboring AS(60000)

Inbound Filter

ip as-path access-list 2 permit ^60000_[0-9]*$

ip as-path access-list 2 deny any

You'll only get networks that originated within AS 60000 and all of its directly attached AS

HTH

Lejoe

languedoc Sun, 02/08/2009 - 07:31

Thanks very much.

But there is something: as I am filtering in input, I will lose routes. If I add a last resort route pointing to my peer (ip route 0.0.0.0 0.0.0.0 ip-myneighbor), will it solve this issue? Or is it required that my peer announce a default route?

Thanks

Mohamed Sobair Sat, 02/07/2009 - 19:20

Hi,

You can apply an outbound filter-list using a regular expression; however, you can't apply an inbound filter directly using a regular expression. Looking at your config, the correct config should be:

neighbor Myneighbor remote-as 60000

neighbor Myneighbor soft-reconfiguration inbound

neighbor Myneighbor filter-list 1 out

neighbor Myneighbor route-map BGP in

ip as-path access-list 1 permit ^$

ip as-path access-list 2 permit ^60000_[0-9]*$

route-map BGP

match as-path 2

Please refer to the link below:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml

HTH

Mohamed

lejoe.thomas Sat, 02/07/2009 - 20:03

Hi Mohamed,

You can apply an inbound filter directly using AS-Path access-list, whether you achieve it using a route-map or directly using the neighbor filter-list depends on your objectives.

Lejoe

Mohamed Sobair Sun, 02/08/2009 - 05:24

Lejoe,

Could you please provide me with a documentation link describing regular expression using inbound filter-list directly?

HTH

Mohamed

lejoe.thomas Sun, 02/08/2009 - 15:18

Hi Mohamed

Refer to command reference for as-path access-list, which mentions an inbound filter can be applied using neighbor filter-list

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp2.html#wp1015697

An example

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a83.shtml

Most examples use a route-map to apply an as-path access-list inbound; this could probably be the reason for the confusion.

HTH

Lejoe

languedoc Sun, 02/08/2009 - 15:20

Thanks very much.

But there is something: as I am filtering in input, I will lose routes. If I add a last resort route pointing to my peer (ip route 0.0.0.0 0.0.0.0 ip-myneighbor), will it solve this issue? Or is it required that my peer announce a default route?

Thanks

lejoe.thomas Sun, 02/08/2009 - 15:28

Hi Osvaldo,

If you are not getting complete routes then adding a default-route makes sense.

You can add a static default route

ip route 0.0.0.0 0.0.0.0 next-hop

or you could have your neighbor announce a default route.

eg: neighbor ip-address default-originate (assuming a static default route already exists on the router)

And if you want to use an explicit deny at the end of your as-path access-list, use the regular expression .* and not the keyword any

ip as-path access-list 1 deny .*

HTH

Lejoe
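
An added example (not part of the thread, and not Cisco code): a small Python model of how the two as-path access-lists discussed above are evaluated, run over constructed AS paths. It assumes that Cisco's `_` stands for start or end of string, a space, a comma or a brace, that the first matching entry wins, and that an unmatched path hits the implicit deny; the function names and the AS numbers 64500/64501 are made up for illustration.

```python
import re

# Assumption: what Cisco's "_" stands for (start/end of string, space, comma, braces).
UNDERSCORE = r"(?:^|$|[ ,{}])"

def cisco_to_python(regex):
    """Translate '_'; the other tokens used in this thread mean the same in Python."""
    return regex.replace("_", UNDERSCORE)

def evaluate(acl, as_path):
    """Return (action, entry that decided). First match wins, else implicit deny."""
    for action, regex in acl:
        if re.search(cisco_to_python(regex), as_path):
            return action, regex
    return "deny", "implicit"

# The lists from the thread, with the final deny written as ".*" as advised.
ACL_OUT = [("permit", "^$"), ("deny", ".*")]
ACL_IN = [("permit", "^60000_[0-9]*$"), ("deny", ".*")]
# Same outbound list with "any" read as a regular expression (literal text "any").
ACL_OUT_ANY = [("permit", "^$"), ("deny", "any")]

# Constructed AS paths, leftmost AS is the neighbor the route was learned from.
SAMPLES_IN = {
    "60000": "originated by the peer",
    "60000 64500": "originated by an AS directly attached to the peer",
    "60000 64500 64501": "two AS hops behind the peer",
    "600001": "a different AS whose number starts with the same digits",
}
SAMPLES_OUT = {"": "locally originated", "60000 64500": "learned from the peer"}

def report():
    """Evaluate every sample and return rows of (direction, path, action, entry, note)."""
    rows = []
    for path, note in SAMPLES_IN.items():
        rows.append(("in", path, *evaluate(ACL_IN, path), note))
    for path, note in SAMPLES_OUT.items():
        rows.append(("out", path, *evaluate(ACL_OUT, path), note))
    return rows

if __name__ == "__main__":
    for direction, path, action, entry, note in report():
        print(f"{direction:3} {path!r:22} {action:6} by {entry:16} {note}")
    # With "any" as a regex the deny entry never matches a numeric path;
    # the transit route is still dropped, but by the implicit deny.
    print(evaluate(ACL_OUT_ANY, "60000 64500"))
```

Under these assumptions the outbound list keeps routes learned from AS 60000 from being re-advertised back to it, and the inbound list rejects any path more than one AS beyond the peer, which is why a default route is needed for everything else.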

languedoc Mon, 02/09/2009 - 01:17

Hi

I thank you very much.

I am getting the full routing table, but if I do the filtering I might lose routes. That is why I talked about a default route.

Thanks
