Learning BGP - Question on route-map use

Greetings,

I'm trying to dig in and learn more about BGP and how routes are manipulated or filtered. Can someone tell me the purpose/use for the following (Bold) statements? I see that it's applying a route-map...if I'm reading this right, the idea is to 'Allow' these routes? Additionally, prefix-lists are also used for route filtering. In regards to prefix-lists, how are these applied in conjunction with access-lists? I see the below and it's unclear whether traffic from 10.20.x.x will be permitted or not. If someone can help to clarify when to use ip prefix-lists vs access-lists, I'd appreciate it. 

router bgp 65551

neighbor 12.2.112.1 activate

neighbor 12.2.112.1 route-map DefaultRoute out

........

access-list 5 permit 0.0.0.0
access-list 10 permit 10.255.128.0 0.0.0.255
access-list 15 permit 10.20.130.0 0.0.0.255
access-list 20 permit 172.20.128.0 0.0.0.255
access-list 25 permit 12.91.116.64 0.0.0.25
access-list 30 permit 10.20.11.0 0.0.0.255
access-list 35 permit 10.15.1.0 0.0.0.255
access-list 40 permit 10.100.102.0 0.0.0.255
access-list 45 permit 10.20.117.0 0.0.0.255
access-list 50 permit 10.49.49.0 0.0.0.255
access-list 55 permit 10.23.24.0 0.0.0.255
access-list 60 permit 10.49.128.0 0.0.0.255
access-list 65 permit 172.16.1.0 0.0.0.255

........

ip prefix-list 10 seq 1 deny 10.20.0.0/16
ip prefix-list 10 seq 2 deny 172.20.0.0/16
ip prefix-list 10 seq 5 permit 0.0.0.0/0


route-map DefaultRoute permit 10
match ip address 5 10 15 20 25 30 35 40 45 50 55 60 65
set as-path prepend 65551 65551 65551
!

Accepted Solutions

Peter Paluch
Cisco Employee

Hello Christopher,

neighbor 12.2.112.1 activate

This command is present in an address-family section in your BGP configuration, most probably in an address-family ipv4. The purpose of this command is to tell your BGP to exchange IPv4 routes with this neighbor. BGP is capable of carrying multiple types of routes in a single session, and the activate command allows you to precisely specify which types of routes shall be exchanged with a specific neighbor.

neighbor 12.2.112.1 route-map DefaultRoute out

Route maps have many purposes; route filtering is one of them. Whether a route-map performs route manipulation, route filtering, or both - this depends on how the route-map is written. If considering the route-map you have posted then it does the following:

  1. If an advertised route matches any of the ACLs you have posted, it will be allowed to be advertised to 12.2.112.1, and its AS_PATH attribute will be artificially extended by prepending the AS number 65551 three times.
  2. All other routes will be denied and not advertised to the neighbor.

Are you sure there is no route-map DefaultRoute permit 20 block present in your config? It is possible you have not posted it.

I have to say that the way the ACLs are used here suggests that whoever configured this must have confused ACL numbers with ACL entry numbering. An ACL can have multiple entries, not just one. Multiple entries of the same ACL have the same ACL number. The configuration you have posted consists of thirteen (!) ACLs, each one of them consisting of just a single entry. More properly, the configuration should have been similar to this:

access-list 1 permit 0.0.0.0
access-list 1 permit 10.255.128.0 0.0.0.255
access-list 1 permit 10.20.130.0 0.0.0.255
access-list 1 permit 172.20.128.0 0.0.0.255
access-list 1 permit 12.91.116.64 0.0.0.25
access-list 1 permit 10.20.11.0 0.0.0.255
access-list 1 permit 10.15.1.0 0.0.0.255
access-list 1 permit 10.100.102.0 0.0.0.255
access-list 1 permit 10.20.117.0 0.0.0.255
access-list 1 permit 10.49.49.0 0.0.0.255
access-list 1 permit 10.23.24.0 0.0.0.255
access-list 1 permit 10.49.128.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255
!
route-map DefaultRoute permit 10
 match ip address 1
 set as-path prepend 65551 65551 65551

Additionally, prefix-lists are also used for route filtering. Can someone give me an example or help to clarify when to use ip prefix-lists vs access-lists?

This is very easy. Use prefix-lists to perform route filtering whenever possible. Using access lists to filter routes is cumbersome. Standard ACLs can only filter routes based on their network addresses but are unable to match their netmasks; extended ACLs, depending on where and how they are used, may either be filtering based on next hop and network address (not netmask), or based on network address and netmask. These combinations are extremely unintuitive and hard to remember - this is caused by the fact that ACLs have been originally created to filter packet flows, not routing update contents, and they have only been forced to allow route filtering as well in times when prefix lists were not yet implemented.

Prefix lists, on the other hand, have been designed from the very beginning to perform route matching and filtering based on the address and netmask. They are optimized for this operation and are easy to read and create; therefore, they are the preferred choice for route filtering.

Best regards,
Peter
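As an added illustration (example code written for this page, not from the original thread or from Cisco), here is a small Python model of the two matching behaviours described above: a standard ACL under "match ip address" compares only the route's network address through its wildcard mask, while a prefix-list entry without ge/le matches the address and the exact prefix length. It goes one step beyond the answer by also evaluating the prefix-list 10 from the question; the function names and the subset of ACLs used are assumptions for the demonstration.

```python
import ipaddress

# Constructed model (example code, not from the original post) of the IOS
# semantics the answer describes: a standard ACL under "match ip address"
# compares only the route's network address through the wildcard mask and
# ignores its prefix length; a prefix-list entry with no ge/le matches the
# address AND the exact prefix length; unmatched routes are implicitly denied.

def acl_matches(entries, prefix):
    """entries: (address, wildcard) pairs from 'access-list N permit A W'."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for addr, wildcard in entries:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # bits that must match
        if (net ^ int(ipaddress.ip_address(addr))) & care == 0:
            return True
    return False

def prefix_list(entries, prefix):
    """entries: ordered (action, network) pairs; returns 'permit' or 'deny'."""
    route = ipaddress.ip_network(prefix)
    for action, entry in entries:
        if route == ipaddress.ip_network(entry):  # no ge/le: exact length only
            return action
    return "deny"  # implicit deny at the end of every prefix-list

def route_map_defaultroute(acls, prefix):
    """The page's single 'permit 10' clause: any ACL hit -> permit + prepend, else deny."""
    if any(acl_matches(acl, prefix) for acl in acls):
        return "permit", ["65551", "65551", "65551"]
    return "deny", None

# Three of the thirteen ACLs from the question (access-list 5, 15 and 20).
ACLS = [[("0.0.0.0", "0.0.0.0")],            # 'permit 0.0.0.0' = host 0.0.0.0
        [("10.20.130.0", "0.0.0.255")],
        [("172.20.128.0", "0.0.0.255")]]
# 'ip prefix-list 10' exactly as posted in the question.
PREFIX_LIST_10 = [("deny", "10.20.0.0/16"), ("deny", "172.20.0.0/16"),
                  ("permit", "0.0.0.0/0")]

if __name__ == "__main__":
    for p in ("0.0.0.0/0", "10.20.130.0/24", "10.20.130.128/25", "10.20.131.0/24"):
        print(f"route-map DefaultRoute {p:18} -> {route_map_defaultroute(ACLS, p)}")
    for p in ("10.20.0.0/16", "10.20.130.0/24", "0.0.0.0/0", "10.255.128.0/24"):
        print(f"prefix-list 10        {p:18} -> {prefix_list(PREFIX_LIST_10, p)}")
```

Note that the ACL-based route-map lets 10.20.130.128/25 through as readily as 10.20.130.0/24, because the mask is never compared, whereas prefix-list 10 as posted only ever permits the exact default route and drops every 10.20.x.x prefix by implicit deny (the /16 line itself only catches an exact 10.20.0.0/16).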
