05-26-2016 08:44 PM - edited 03-05-2019 04:05 AM
Hi, on the ASR9000 we can see a route-policy in the output of show bgp neighbor x.x.x.x. This route-policy is for filtering prefixes. But under the interface that connects to BGP peer x.x.x.x, we can also see an access-group, which is also for filtering prefixes. My question is: what is the relation between the two configurations? Why do we use two configurations for filtering? Thank you
05-27-2016 01:30 AM
Under interface configuration, the access-group is used to filter data-plane traffic, including any kind of IP packet. Of course, BGP packets are subject to this filtering too, as BGP is one kind of IP packet. In other words, it only permits some IP packets into this interface and denies other IP packets from entering this interface.
The route-policy under the BGP process configuration is used to filter control-plane traffic; in this case, that means filtering IP route prefixes in BGP route advertisements. In other words, it only permits some IP prefixes to enter the local BGP table and denies other IP prefixes from entering the local BGP table.
HTH
05-27-2016 07:53 AM
Thank you so much for your reply.
Let's suppose some PREFIX is covered by both the interface access-group and the BGP route-policy. If we want the PREFIX to go through to the BGP peer, the PREFIX must be permitted by both the route-policy and the access-group at the same time; either of the two could block the traffic, right?
05-27-2016 09:08 AM
Under interface configuration you need to permit the BGP session, like below:
    ip access-list extended PERMIT_BGP
     permit tcp host x.x.x.x host y.y.y.y eq bgp
     permit tcp host y.y.y.y host x.x.x.x eq bgp
This ACL makes it possible to establish the BGP session.
Then you need to create an IP prefix access-list to permit the PREFIX to enter the local BGP table, then apply it in a route-map under the BGP configuration, like:
    router bgp xxxx
     neighbor xx.xx.xx.xx route-map PERMIT-PREFIX in
HTH
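Added example, not part of any post in this thread: the two filters discussed above written side by side in IOS XR syntax, since the question concerns an ASR9000, where the BGP filter is a route-policy rather than a route-map. The addresses, AS numbers, prefix, interface name and the prefix-set name are constructed placeholders.

```cisco
! --- Data plane: packet filter applied to the interface facing the peer ---
! Matches IP packets by header fields. It never looks inside a BGP UPDATE.
ipv4 access-list PERMIT_BGP
 ! Peer opens the session towards us (destination port 179)
 10 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 ! Peer answers a session we opened (source port 179)
 20 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 ! Implicit deny follows: every other packet arriving on this interface is
 ! dropped, including user traffic. Add explicit permits for whatever else
 ! must be forwarded.
!
interface GigabitEthernet0/0/0/0
 ipv4 address 192.0.2.2 255.255.255.252
 ipv4 access-group PERMIT_BGP ingress
!
! --- Control plane: route filter applied to the BGP neighbor ---
! Matches the prefixes carried inside BGP UPDATE messages. It never drops
! packets; it only decides which routes enter the local BGP table.
prefix-set ALLOWED-PREFIXES
  198.51.100.0/24
end-set
!
route-policy PERMIT-PREFIX
  if destination in ALLOWED-PREFIXES then
    pass
  else
    drop
  endif
end-policy
!
router bgp 64500
 neighbor 192.0.2.1
  remote-as 64501
  address-family ipv4 unicast
   route-policy PERMIT-PREFIX in
  !
 !
!
```

To check each filter separately, show access-lists ipv4 PERMIT_BGP hardware ingress location <linecard> displays per-entry packet hit counts, and show bgp neighbor 192.0.2.1 shows the route-policy attached to the session.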