Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
BGP allows the filtering of BGP Update messages on any BGP router. The router can filter
updates per neighbor for both inbound and outbound Updates on any BGP router.
After adding a new BGP filter to a router’s configuration, the BGP neighbor relationships
must be reset or cleared to cause the filter to take effect. The IOS BGP clear command
tells the router specifically how to reset the neighborship. This section also examines the
variations on the BGP clear command, including the more disruptive hard reset options
and the less disruptive soft reset options.
BGP Filtering Overview
BGP filtering works generally like IGP filtering, particularly like EIGRP. Similar to EIGRP,
BGP Updates can be filtered on any router, without the restrictions that exist for OSPF
with various area design issues. The filtering can examine the prefix information about
www.CareerCert.info
Chapter 14: Internal BGP and BGP Route Filtering 477
each router and both the prefix and prefix length information, in either direction (in or
out), on any BGP router.
The biggest conceptual differences between BGP and IGP filtering relate to what BGP can
match about a prefix to make a choice of whether to filter the route. EIGRP focuses on
matching the prefix/length. BGP can also match the prefix/length but can also match the
large set of BGP Path Attributes (PA). For example, a filter could compare a BGP route’s
AS_Path PA and check to see if the first ASN is 4, that at least three ASNs exist, and that
the AS_Path does not end with 567. The matching of routes based on their PA settings has
no equivalent with any of the IGPs.
The biggest configuration difference between BGP and IGP filtering, beside the details of
matching BGP PAs, has to do with the fact that the filters must apply to specific neighbors
with BGP. With EIGRP, the filters can be applied to all outbound updates from
EIGRP, or all inbound updates into EIGRP, using a single EIGRP distribute-list command.
BGP configuration does not allow filtering of all inbound or outbound updates. Instead,
the BGP filtering configuration enables filters per neighbor (using a neighbor command),
referencing the type of BGP filter, the filter number or name, and the direction (in or out).
So, a router could literally use the same filter for all BGP Updates sent by a router, but the
configuration would require a neighbor command for each neighbor that enabled the
same filter.
The ROUTE course and exam focus on Enterprise routing topics, whereas BGP filtering—
especially the more detailed filtering with BGP PAs—is used most frequently by ISP network
engineers. As a result, CCNP ROUTE appears to cover BGP filtering very lightly, at
least compared to IGP filtering.
This section does briefly describe the BGP filtering commands, showing a few samples
just for perspective. Table 14-2 summarizes the BGP filtering options and commands,
along with the fields in the BGP Update message that can be matched with each type. Following
the table, the text shows an example of how an Enterprise might apply an outbound
and inbound filter based on prefix/length.
Table 14-2 BGP Filtering Tools

| BGP Subcommand | Commands Referenced by neighbor Command | What Can Be Matched |
| --- | --- | --- |
| neighbor distribute-list (standard ACL) | access-list, ip access-list | Prefix, with WC mask |
| neighbor distribute-list (extended ACL) | access-list, ip access-list | Prefix and prefix length, with WC mask for each |
| neighbor prefix-list | ip prefix-list | Exact or “first N” bits of prefix, plus range of prefix lengths |
| neighbor filter-list | ip as-path access-list | AS_PATH contents; all NLRI whose AS_PATHs are matched are considered to be a match |
| neighbor route-map | route-map | Prefix, prefix length, AS_PATH, and/or any other PA matchable within a BGP route map |

478 CCNP ROUTE 642-902 Official Certification Guide
Inbound and Outbound BGP Filtering on Prefix/Length
Enterprises that choose to use BGP benefit from both learning routes from the connected
ISPs and advertising the Enterprise’s public prefix to the same ISPs. However, when the
eBGP connections to the various ISPs come up, the Enterprise BGP routers advertise all
the best routes in each router’s BGP table over the eBGP connection. As a result, the ISPs
could learn a best route that causes one ISP to send packets to the Enterprise, with the Enterprise
then forwarding the packet out to another ISP. In such a case, the Enterprise AS
would be acting as a transit AS; in other words, an AS through which packets pass,
rather than being the destination or source of the packets.
The Enterprise engineers can, and probably should, make an effort to filter inappropriate
routes sent to the ISP over the eBGP peer connections with the goal of preventing the Enterprise
AS from becoming a transit AS. Additionally, the Enterprise can filter all private
IP address ranges, in case any such address ranges get into the Enterprise BGP router’s
BGP table.
As an example, consider Figure 14-7, with the now-familiar prefix 192.135.250.0/28. As
seen in earlier examples, both E1 and E2 learn this prefix, and both agree that the best
route from ASN 11 (the Enterprise) toward this prefix is through E2. The figure shows the
BGP routing updates as dashed lines.
E1’s best route for 192.135.250.0/28 lists E2 as the next-hop router, so without any filtering
in place, E1 then advertises prefix 192.135.250.0/28 to Router I1-1 in ISP1. I1-1 may be
configured to filter this prefix. (In the examples throughout Chapters 13 and 14, router I1-
1 was indeed configured to filter such prefixes.) However, if the Enterprise did not filter
this prefix when advertising to ISP1, and ISP1 did not filter it, then ISP1 might choose the
route through ASN 11 as its best route, making ASN 11 a transit AS for this prefix and
consuming the Enterprise’s Internet bandwidth.
Typically, an Enterprise would use outbound filtering on its eBGP neighborships, filtering
all routes except for the known public prefixes that need to be advertised into the Internet.
Example 14-10 shows just such a case, using the neighbor prefix-list command. The
example also highlights a particularly useful command, show ip bgp neighbor neighbor-id
advertised-routes, which shows the post-filter BGP Update sent to the listed neighbor.
The example shows the BGP Update before adding the filter, after adding the filter, and
then after clearing the peer connection to router I1-1.
E1(config-router)#neighbor 1.1.1.1 prefix-list only-public out
E1(config-router)#^Z
E1#
! Next, the Update sent to I1-1 is displayed.
E1# show ip bgp neighbor 1.1.1.1 advertised-routes
BGP table version is 16, local router ID is 128.107.9.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 128.107.0.0/19 0.0.0.0 32768 i
*>i192.135.250.0/28 10.100.1.2 0 100 0 3 4 i
Total number of prefixes 2
! Next, the peer connection is cleared, causing the filter to take effect.
E1# clear ip bgp 1.1.1.1
E1#
*Aug 17 20:19:51.763: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down User reset
*Aug 17 20:19:52.763: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
! Finally, the Update is displayed with the filter now working.
E1# show ip bgp neighbor 1.1.1.1 advertised-routes
BGP table version is 31, local router ID is 128.107.9.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 128.107.0.0/19 0.0.0.0 32768 i
Total number of prefixes 1
Example 14-10 shows an interesting progression if you just read through the example start
to finish. To begin, the show ip bgp neighbor 1.1.1.1 advertised-routes command lists the routes
that E1 has advertised to neighbor 1.1.1.1 (Router I1-1) in the past. Then, the configuration
shows a prefix-list that matches only 128.107.0.0/19, with a permit action; all other prefixes
will be denied by the implied deny all at the end of each prefix list. Then, the neighbor
1.1.1.1 prefix-list only-public out BGP subcommand tells BGP to apply the prefix list to
filter outbound routes sent to I1-1.
The second part of the output shows an example of how BGP operates on a Cisco router,
particularly how BGP requires that the neighbor be cleared before the newly configured
filter takes effect. Router E1 has already advertised two prefixes to this neighbor:
128.107.0.0/19 and 192.135.250.0/28, as seen at the beginning of the example. To make the
filtering action take effect, the router must be told to clear the neighborship with router
I1-1. The clear ip bgp 1.1.1.1 command tells E1 to perform a hard reset of that neighbor
connection, which brings down the TCP connection, and removes all BGP table entries associated
with that neighbor. The neighbor (I1-1, using address 1.1.1.1) also removes its BGP
table entries associated with Router E1. After the neighborship recovers, E1 resends its
BGP Update to Router I1-1, but this time with one less prefix, as noted at the end of the
example with the output of the show ip bgp neighbor 1.1.1.1 advertised-routes command.
This same filtering action could have been performed with several other configuration options:
using the neighbor distribute-list or neighbor route-map commands. The neighbor
distribute-list command refers to an IP ACL, which tells IOS to filter routes based on
matching the prefix (standard ACL) or prefix/length (extended ACL). The neighbor route-map
command refers to a route-map that can use several matching options to filter routes,
keeping routes matched with a route-map permit clause and filtering routes matched with a
route-map deny clause. Example 14-11 shows two such options just for comparison’s sake.
Example 14-11 Alternatives to the Configuration in Example 14-10
! First option – ACL 101 as a distribute-list
access-list 101 permit ip host 128.107.0.0 host 255.255.224.0
router bgp 11
neighbor 1.1.1.1 distribute-list 101 out
! Second option: Same prefix list as Example 14-10, referenced by a route map
ip prefix-list only-public seq 5 permit 128.107.0.0/19
!
route-map only-public-rmap permit 10
match ip address prefix-list only-public
!
router bgp 11
neighbor 1.1.1.1 route-map only-public-rmap out
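The matching differences summarized in Table 14-2 and the alternatives in Examples 14-10 and 14-11, as an added Python model (not code from the book or from IOS): it shows how a standard-ACL distribute-list, an extended-ACL distribute-list, and an ip prefix-list each decide on the same candidate routes. The prefix-list only-public and ACL 101 are taken from the examples above; the standard ACL 1, the le 24 variant, and the more-specific route 128.107.1.0/24 are constructed for comparison.

```python
"""Added example, not from the book: a model of the three prefix/length
matching tools compared in Table 14-2 and Example 14-11 (standard-ACL
distribute-list, extended-ACL distribute-list, ip prefix-list), run over a
few candidate routes so the difference in what each can match is visible."""
import ipaddress

def wc_match(addr, base, wildcard):
    """IOS wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def standard_acl_permits(route, base, wildcard):
    """Standard ACL used as a distribute-list: only the network address is
    compared; the prefix length is never examined."""
    net = ipaddress.IPv4Network(route)
    return wc_match(str(net.network_address), base, wildcard)

def extended_acl_permits(route, src, src_wc, mask, mask_wc):
    """Extended ACL used as a distribute-list: the 'source' field is matched
    against the network address and the 'destination' field against the
    subnet mask, so the prefix length is checked too."""
    net = ipaddress.IPv4Network(route)
    return (wc_match(str(net.network_address), src, src_wc)
            and wc_match(str(net.netmask), mask, mask_wc))

def prefix_list_permits(route, entries):
    """ip prefix-list: entries (action, prefix, ge, le) are tried in sequence
    order; the first whose leading bits and length range cover the route
    decides it, and a route matching no entry hits the implied deny."""
    net = ipaddress.IPv4Network(route)
    for action, prefix, ge, le in entries:
        p = ipaddress.IPv4Network(prefix)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        if net.subnet_of(p) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

# ip prefix-list only-public seq 5 permit 128.107.0.0/19   (Examples 14-10/14-11)
ONLY_PUBLIC = [("permit", "128.107.0.0/19", None, None)]
# Constructed looser variant for comparison: permit 128.107.0.0/19 le 24
ONLY_PUBLIC_LE24 = [("permit", "128.107.0.0/19", None, 24)]

def apply_filters(route):
    """Run one candidate route through each tool; keys name the IOS construct."""
    return {
        # access-list 1 permit 128.107.0.0 0.0.31.255   (constructed standard ACL)
        "std_acl": standard_acl_permits(route, "128.107.0.0", "0.0.31.255"),
        # access-list 101 permit ip host 128.107.0.0 host 255.255.224.0 (Example 14-11)
        "ext_acl_101": extended_acl_permits(route, "128.107.0.0", "0.0.0.0",
                                            "255.255.224.0", "0.0.0.0"),
        "prefix_list_only_public": prefix_list_permits(route, ONLY_PUBLIC),
        "prefix_list_le24": prefix_list_permits(route, ONLY_PUBLIC_LE24),
    }

if __name__ == "__main__":
    # The Enterprise /19, the iBGP-learned ISP prefix from Example 14-10, and a
    # constructed more-specific /24 inside the Enterprise block.
    for r in ("128.107.0.0/19", "192.135.250.0/28", "128.107.1.0/24"):
        print(r, apply_filters(r))
```

The /24 case is the one to note: the standard ACL permits it because it never looks at the length, while ACL 101 and the exact prefix-list entry deny it.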
Clearing BGP Neighbors
As noted in Example 14-10 and the related explanations, IOS does not cause a newly configured
BGP filter to take effect until the neighbor relationship is cleared. The neighborship
can be cleared in several ways, including reloading the router and by administratively
disabling and re-enabling the BGP neighborship using the neighbor shutdown and no
neighbor shutdown configuration commands. However, IOS supports several options on
the clear ip bgp exec command for the specific purpose of resetting BGP connections.
This section examines the differences in these options.
Each variation on the clear ip bgp ... command performs either a hard reset or a soft reset of one or more BGP neighborships. When a hard reset occurs, the local router brings down the neighborship, brings down the underlying TCP connection, and removes all BGP table entries learned from that neighbor. Both the local and neighboring routers react just as they do for any failed BGP neighborship, by removing the BGP table entries learned over that neighborship. With a soft reset, the router does not bring down the BGP neighborship or the underlying TCP connection. However, the local router re-sends outgoing Updates, adjusted per the outbound filter, and reprocesses incoming Updates per the inbound filter, which adjusts the BGP tables based on the then-current configuration.
Table 14-3 lists many of the variations on the clear ip bgp command, with a reference as to whether each uses a hard or soft reset.
Table 14-3 BGP clear Command Options

| Command | Hard or Soft | One or All Neighbors | Direction (in or out) |
| --- | --- | --- | --- |
| clear ip bgp * | Hard | all | both |
| clear ip bgp neighbor-id | Hard | one | both |
| clear ip bgp neighbor-id out | Soft | one | out |
| clear ip bgp neighbor-id soft out | Soft | one | out |
| clear ip bgp neighbor-id in | Soft | one | in |
| clear ip bgp neighbor-id soft in | Soft | one | in |
| clear ip bgp * soft | Soft | all | both |
| clear ip bgp neighbor-id soft | Soft | one | both |
The commands listed in the table should be considered as pairs. In the first pair, both commands
perform a hard reset. The first command uses a * instead of the neighbor IP address,
causing a hard reset of all BGP neighbors, while the second command resets that
particular neighbor.
The second pair of commands performs soft resets for a particular neighbor but only for
outgoing updates, making these commands useful when a router changes its outbound
BGP filters. Both commands do the same function; two such commands exist in part because
of the history of the BGP implementation in the IOS. When issued, these two commands
cause the router to reevaluate its existing BGP table and create a new BGP Update
for that neighbor. The router builds that new Update based on the existing configuration,
so any new or changed outbound filters affect the contents of the Update. The router
sends the new BGP Update, and the neighboring router receives the new Update and adjusts
its BGP table as a result.
The third pair of commands performs soft resets for a particular neighbor, but only for incoming
updates, making these commands useful when a router changes its inbound BGP
filters. However, unlike the two previous commands in the table, these two commands do
have slightly different behavior and need a little more description.
The clear ip bgp neighbor-id soft in command, the older command of the two, works
only if the configuration includes the neighbor neighbor-id soft-reconfiguration inbound
BGP configuration command for this same neighbor. This configuration command
causes the router to retain the received BGP Updates from that neighbor. This consumes
extra memory on the router, but it gives the router a copy of the original pre-filter Update
received from that neighbor. Using that information, the clear ip bgp neighbor-id soft in
tells IOS to reapply the inbound filter to the cached received Update, updating the local
router’s BGP table.
The newer version of the clear ip bgp command, namely the clear ip bgp neighbor-id in
command (without the soft keyword), removes the requirement for the neighbor
neighbor-id soft-reconfiguration inbound configuration command. Instead, the router
uses a newer BGP feature, the route refresh feature, which essentially allows a BGP router
to ask its neighbor to re-send its full BGP Update. The clear ip bgp neighbor-id in command
tells the local router to use the route refresh feature to ask the neighbor to re-send its
BGP Update, and then the local router can apply its current inbound BGP filters, updating
its BGP table.
Example 14-12 shows a sample of how to confirm whether a router has the route refresh
capability. In this case, both the local router (E1 from Figure 14-5) and the neighbor (I1-1
from Figure 14-5) have route refresh capability. As a result, E1 can perform a soft reset inbound
without the need to consume the extra memory with the neighbor soft-reconfiguration
inbound configuration command.
Example 14-12 Confirming Route Refresh Capability
E1# show ip bgp neighbor 1.1.1.1
BGP neighbor is 1.1.1.1, remote AS 1, external link
BGP version 4, remote router ID 1.1.1.1
BGP state = Established, up for 00:04:21
Last read 00:00:20, last write 00:00:48, hold time is 180, keepalive interval
is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received(new)
! Lines omitted for brevity
The last pair of commands in Table 14-3 do a soft reset both inbound and outbound at the
same time, either for all neighbors (the * option) or for the single neighbor listed in the
clear command.
Displaying the Results of BGP Filtering
To verify and troubleshoot filtering configurations, you need to see both the before and
after results of the filter. IOS provides several show commands that allow you to do exactly
that. For instance, Example 14-10 shows several cases of the show ip bgp neighbor
advertised-routes command that shows the post-filter BGP Updates sent by a router.
Figure 14-8 summarizes these commands, showing how they can be used to display the pre- and post-filter BGP table contents. The figure shows Router E1, with inbound filtering for Updates received from Router I3-1 and outbound filtering of BGP Updates sent to Router I1-1.
[Figure 14-8 show Commands Related to BGP Filtering: Router E1 sits between I3-1 and I1-1. On the inbound side, the Received Update from I3-1 passes through the Inbound Filter into E1’s BGP table; show ip bgp neighbors I3-1 received-routes displays the Received Update, and show ip bgp neighbors I3-1 routes displays the BGP table subset learned from I3-1. On the outbound side, the “Best” routes in the BGP table (show ip bgp) pass through the Outbound Filter to become the Sent Update to I1-1 (show ip bgp neighbors I1-1 advertised-routes).]
The commands for displaying inbound updates, at the bottom of the figure, display output
in the same format as the show ip bgp command. These commands restrict the contents
to either exactly what has been received from that one neighbor (the show ip bgp
neighbor received-routes command) or what has been received and passed through any
inbound filter (the show ip bgp neighbor routes command).
One of the two commands helpful for the inbound direction, namely the show ip bgp
neighbor received-routes command, requires the configuration of the BGP subcommand
neighbor soft-reconfiguration inbound. As a result, to see the pre-filter BGP Update received
from a neighbor, a router must configure this extra command, which causes the
router to use more memory to store the inbound Update. (A router cannot use the BGP
route refresh option just to get another copy of the incoming Update to list in this command.)
However, when learning in a lab, the extra memory should not pose a problem.
Of the two commands for outbound filtering, the post-filter command is somewhat obvious,
but there is no command to specifically display a pre-filter view of the BGP Update
sent to a neighbor. However, BGP advertises the best route for each prefix in the BGP
table, within certain restrictions. Those restrictions include that BGP will not advertise
iBGP-learned routes to an iBGP peer, and a router will not advertise the best route back to
the same neighbor that advertised that route. So, to see the pre-filter BGP table entries,
use the show ip bgp command, look for all the best routes, and then consider the additional
rules. Use the show ip bgp neighbor advertised-routes to display the post-filter
BGP Update for a given neighbor.
Example 14-13 shows the output of these commands on E1. In this case, E1 has already
been configured with an inbound filter that filters inbound prefixes 184.0.0.0/8 and
185.0.0.0/8. (The filter configuration is not shown.) As a result, the post-filter output lists
five prefixes, and the pre-filter output lists seven prefixes. The example also shows the error
message when soft-reconfiguration is not configured.
Example 14-13 Displaying the BGP Table Pre- and Post-Inbound Filter
E1# show ip bgp neighbors 1.1.1.1 routes
BGP table version is 78, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 1.1.1.1 0 0 1 i
*> 181.0.0.0/8 1.1.1.1 0 1 2 111 111 i
*> 182.0.0.0/8 1.1.1.1 0 1 2 222 i
*> 183.0.0.0/8 1.1.1.1 0 1 2 i
* 192.135.250.0/28 1.1.1.1 0 1 2 3 4 i
Total number of prefixes 5
E1# show ip bgp neighbors 1.1.1.1 received-routes
% Inbound soft reconfiguration not enabled on 1.1.1.1
E1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
E1(config)#router bgp 11
E1(config-router)#neighbor 1.1.1.1 soft-reconfiguration inbound
E1(config-router)#^Z
E1#
E1# show ip bgp neighbors 1.1.1.1 received-routes
BGP table version is 78, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 1.1.1.1 0 0 1 i
*> 181.0.0.0/8 1.1.1.1 0 1 2 111 111 i
*> 182.0.0.0/8 1.1.1.1 0 1 2 222 i
*> 183.0.0.0/8 1.1.1.1 0 1 2 i
*> 184.0.0.0/8 1.1.1.1 0 1 2 i
*> 185.0.0.0/8 1.1.1.1 0 1 2 i
* 192.135.250.0/28 1.1.1.1 0 1 2 3 4 i
Total number of prefixes 7
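Verifying the filter the way the text describes, as an added Python example (not code from the book): it parses copies of the two Example 14-13 outputs, embedded inline with column spacing restored (so the copies are constructed), and reports which prefixes the inbound filter removed, i.e. what I1-1 sent (received-routes) minus what E1 kept (routes).

```python
"""Added example, not from the book: parse the two outputs of Example 14-13
(constructed copies embedded below) and report which prefixes E1's inbound
filter dropped, i.e. what I1-1 sent (received-routes) minus what E1 kept."""
import re
from ipaddress import ip_network

# A route line: status flags, network, next hop. IOS prints '*>i' fused to the
# network column and prints the default route as 0.0.0.0 with no length.
ROUTE_LINE = re.compile(r"^\*[> ]?i?\s*(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?\s+(\S+)")
TOTAL_LINE = re.compile(r"^Total number of prefixes\s+(\d+)")

def parse_show_ip_bgp(text):
    """Return ({prefix: next_hop}, declared_total) from show ip bgp-style output
    and make sure the parsed count agrees with the router's own total line."""
    routes, total = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := ROUTE_LINE.match(line):
            addr, length, next_hop = m.groups()
            if length is None:
                if addr != "0.0.0.0":
                    raise ValueError(f"prefix without length: {line}")
                length = "/0"                      # default route
            routes[str(ip_network(addr + length))] = next_hop
        elif m := TOTAL_LINE.match(line):
            total = int(m.group(1))
    if total is None or total != len(routes):
        raise ValueError(f"parsed {len(routes)} routes, output declares {total}")
    return routes, total

def inbound_filter_diff(received_text, accepted_text):
    """Prefixes in received-routes but not in routes were removed by the inbound
    filter; anything in routes but not in received-routes is a parsing problem."""
    received, _ = parse_show_ip_bgp(received_text)
    accepted, _ = parse_show_ip_bgp(accepted_text)
    dropped = sorted(set(received) - set(accepted), key=ip_network)
    unexpected = sorted(set(accepted) - set(received), key=ip_network)
    return dropped, unexpected

# Constructed copies of the Example 14-13 outputs (status-code legend trimmed).
RECEIVED = """\
BGP table version is 78, local router ID is 11.11.11.11
   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          1.1.1.1                  0             0 1 i
*> 181.0.0.0/8      1.1.1.1                  0             0 1 2 111 111 i
*> 182.0.0.0/8      1.1.1.1                  0             0 1 2 222 i
*> 183.0.0.0/8      1.1.1.1                  0             0 1 2 i
*> 184.0.0.0/8      1.1.1.1                  0             0 1 2 i
*> 185.0.0.0/8      1.1.1.1                  0             0 1 2 i
*  192.135.250.0/28 1.1.1.1                  0             0 1 2 3 4 i
Total number of prefixes 7
"""
ACCEPTED = """\
BGP table version is 78, local router ID is 11.11.11.11
   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          1.1.1.1                  0             0 1 i
*> 181.0.0.0/8      1.1.1.1                  0             0 1 2 111 111 i
*> 182.0.0.0/8      1.1.1.1                  0             0 1 2 222 i
*> 183.0.0.0/8      1.1.1.1                  0             0 1 2 i
*  192.135.250.0/28 1.1.1.1                  0             0 1 2 3 4 i
Total number of prefixes 5
"""

if __name__ == "__main__":
    dropped, unexpected = inbound_filter_diff(RECEIVED, ACCEPTED)
    print("dropped by inbound filter:", dropped)   # ['184.0.0.0/8', '185.0.0.0/8']
    print("kept but never received:", unexpected)  # []
```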