BGP filtering

roussillon
Level 1

Hi you all.

I am new to BGP and I am trying filtering.

Let's say for our peering we have this config:

router bgp 30000
 no synchronization
 no bgp fast-external-fallover
 bgp log-neighbor-changes
 bgp dampening
 network .......
 neighbor Myneighbor remote-as 60000
 neighbor Myneighbor send-community
 neighbor Myneighbor soft-reconfiguration inbound
 neighbor Myneighbor filter-list 1 out
 no auto-summary

ip as-path access-list 1 permit ^$

If I change the config as follows:

 neighbor Myneighbor remote-as 60000
 neighbor Myneighbor send-community
 neighbor Myneighbor soft-reconfiguration inbound
 neighbor Myneighbor filter-list 1 out
 neighbor Myneighbor filter-list 2 in
 no auto-summary

ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny any
ip as-path access-list 2 permit ^60000_[0-9]*$
ip as-path access-list 2 deny any

Will it be correct?

I think this is allowing incoming routes originated on my peer and the AS related to it. Also I am filtering in output the routes not originated in my AS.

Thanks

9 Replies

lejoe.thomas
Level 3

Hi Osvaldo,

Yes

Outbound Filter

ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny any

You'll only advertise networks that originated within your AS(30000) to neighboring AS(60000)

Inbound Filter

ip as-path access-list 2 permit ^60000_[0-9]*$
ip as-path access-list 2 deny any

You'll only get networks that originated within AS 60000 and all of its directly attached AS

HTH

Lejoe

Mohamed Sobair
Level 7

Hi,

You can apply an outbound filter-list using a regular expression; however, you can't apply an inbound filter directly using a regular expression. Looking at your config, the correct config should be:

 neighbor Myneighbor remote-as 60000
 neighbor Myneighbor soft-reconfiguration inbound
 neighbor Myneighbor filter-list 1 out
 neighbor Myneighbor route-map BGP in

ip as-path access-list 1 permit ^$
ip as-path access-list 2 permit ^60000_[0-9]*$

route-map BGP permit 10
 match as-path 2

Please refer to the link below:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml

HTH

Mohamed

Hi Mohamed,

You can apply an inbound filter directly using an AS-path access-list; whether you achieve it using a route-map or directly using the neighbor filter-list depends on your objectives.

Lejoe

Mohamed Sobair
Level 7

Lejoe,

Could you please provide me with a documentation link describing using a regular expression with an inbound filter-list directly?

HTH

Mohamed

Hi Mohamed

Refer to command reference for as-path access-list, which mentions an inbound filter can be applied using neighbor filter-list

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp2.html#wp1015697

An example

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a83.shtml

Most examples use a route-map to apply an as-path access-list inbound; this could probably be the reason for the confusion.

HTH

Lejoe

Thanks very much.

But there is something: as I am filtering in input, I will lose routes. If I add a last resort route pointing to my peer (ip route 0.0.0.0 0.0.0.0 ip-myneighbor), will it solve this issue? Or is it required that my peer announce a default route?

Thanks

Hi Osvaldo,

If you are not getting complete routes then adding a default-route makes sense.

You can add a static default route

ip route 0.0.0.0 0.0.0.0 next-hop

or you could have your neighbor announce a default route.

e.g.: neighbor ip-address default-originate (assuming a static default route already exists on the router)

And if you want to use an explicit deny at the end of your as-path access-list, use the regular expression .* and not the keyword any

ip as-path access-list 1 deny .*

HTH

Lejoe
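
Added example, not part of any post in this thread: a Python sketch that runs the thread's two as-path access-lists over constructed AS paths to show which routes each list permits, including a prepended path and the `any` versus `.*` point. The function names, the sample paths and the translation of the IOS `_` character into a Python group are assumptions made for illustration.

```python
import re

# Assumption: IOS "_" matches start/end of string, space, comma, braces or
# parentheses; this helper rewrites it as an equivalent Python group.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"

def ios_to_python(pattern):
    return pattern.replace("_", IOS_UNDERSCORE)

def evaluate(acl, as_path):
    """Return the action of the first entry whose regex matches as_path."""
    for action, pattern in acl:
        if re.search(ios_to_python(pattern), as_path):
            return action
    return "deny"  # implicit deny when no entry matches

# The two lists from the thread, with the explicit deny written as ".*".
ACL_1_OUT = [("permit", "^$"), ("deny", ".*")]
ACL_2_IN = [("permit", "^60000_[0-9]*$"), ("deny", ".*")]
# Same inbound list with "any": as a regex it only matches the literal text
# "any", so the final decision comes from the implicit deny instead.
ACL_2_IN_ANY = [("permit", "^60000_[0-9]*$"), ("deny", "any")]

# Constructed AS paths (private-use ASNs apart from the thread's 60000).
SAMPLE_PATHS = [
    "",                   # locally originated (empty AS path)
    "60000",              # originated by the peer
    "60000 65010",        # originated one AS behind the peer
    "60000 65010 65020",  # two ASes behind the peer
    "60000 60000 65010",  # peer prepending its own AS
    "600001",             # different AS whose number starts with 60000
]

def decisions(acl):
    return {path: evaluate(acl, path) for path in SAMPLE_PATHS}

if __name__ == "__main__":
    for name, acl in (("1 out", ACL_1_OUT), ("2 in", ACL_2_IN)):
        print(f"as-path access-list {name}")
        for path, action in decisions(acl).items():
            print(f"  {action:6} {path!r}")
```

The prepended path is denied by list 2 because `[0-9]*` covers only a single AS number after the peer's AS.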

Hi

I thank you very much.

I am getting the full routing table, but if I do the filtering I might lose routes. That is why I talked about a default route.

Thanks
