CCNP Certification BSCI Exam Tutorial: Using Prefix Lists To Filter BGP
By Chris Bryant, CCIE #12933
Once you have the fundamentals of BGP down, it's important to learn how to filter BGP routing updates. There are several methods of doing so, but the one Cisco recommends (and one you're sure to see plenty of on Cisco certification exams) is the use of prefix lists. The following network will be used in this tutorial to show the configuration and effect of prefix lists.
R4 is advertising three networks via BGP.
R4(config)#router bgp 4
R4(config-router)#network 21.0.0.0 mask 255.0.0.0
R4(config-router)#network 22.0.0.0 mask 255.0.0.0
R4(config-router)#network 23.0.0.0 mask 255.0.0.0
R4(config-router)#network 21.0.0.0 mask 255.0.0.0
R4(config-router)#network 22.0.0.0 mask 255.0.0.0
R4(config-router)#network 23.0.0.0 mask 255.0.0.0
R4's eBGP neighbor R3 sees these routes and places them into its BGP table as shown below. R3 has two iBGP peers, R1 and R2, and is advertising itself as the next-hop IP address for all BGP routes sent to those two routers.
R3#show ip bgp
BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
BGP table version is 4, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 21.0.0.0 10.2.2.4 0 0 4 i
*> 22.0.0.0 10.2.2.4 0 0 4 i
*> 23.0.0.0 10.2.2.4 0 0 4 i
*> 21.0.0.0 10.2.2.4 0 0 4 i
*> 22.0.0.0 10.2.2.4 0 0 4 i
*> 23.0.0.0 10.2.2.4 0 0 4 i
R3(config)#router bgp 123
R3(config-router)#neighbor 172.12.123.1 next-hop-self
R3(config-router)#neighbor 172.12.123.2 next-hop-self
R3(config-router)#neighbor 172.12.123.1 next-hop-self
R3(config-router)#neighbor 172.12.123.2 next-hop-self
Both R2 and R1 see the three routes.
R2#show ip bgp
BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i21.0.0.0 172.12.123.3 0 100 0 4 i
*>i22.0.0.0 172.12.123.3 0 100 0 4 i
*>i23.0.0.0 172.12.123.3 0 100 0 4 i
*>i21.0.0.0 172.12.123.3 0 100 0 4 i
*>i22.0.0.0 172.12.123.3 0 100 0 4 i
*>i23.0.0.0 172.12.123.3 0 100 0 4 i
R1#show ip bgp
BGP table version is 4, local router ID is 19.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
BGP table version is 4, local router ID is 19.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i21.0.0.0 172.12.123.3 0 100 0 4 i
*>i22.0.0.0 172.12.123.3 0 100 0 4 i
*>i23.0.0.0 172.12.123.3 0 100 0 4 i
*>i21.0.0.0 172.12.123.3 0 100 0 4 i
*>i22.0.0.0 172.12.123.3 0 100 0 4 i
*>i23.0.0.0 172.12.123.3 0 100 0 4 i
If we wanted R3 to receive all three of these routes from R4 but not advertise them to R2 and R1, we've got a couple of options on how to block these routes. Cisco's recommendation is the use of prefix lists, and once you get used to the syntax (which you should do before taking and passing the BSCI), you'll see they are actually easier to use than access lists in this case.
In this case, we're going to configure R3 to send only the route to 21.0.0.0 to R1 and 23.0.0.0 to R2. Neither R1 nor R2 will have the route to 22.0.0.0. However, we do want these two routers to get any future routes that R4 advertises into BGP.
Since these two routers will learn about these routes from an iBGP neighbor, they will not advertise the routes to each other after learning their one assigned route.
On R3, we'll write a prefix list that denies 22.0.0.0/8 and 23.0.0.0/8, but permits all other routes. This command will be applied to updates sent to R1 via the neighbor statement. After applying the command and applying a soft reset on R3, R1 sees only the 21.0.0.0 route.
R3(config)#ip prefix-list FILTER_R1 deny 22.0.0.0/8
R3(config)#ip prefix-list FILTER_R1 deny 23.0.0.0/8
R3(config)#ip prefix-list FILTER_R1 permit 0.0.0.0/0 le 32
R3(config)#router bgp 123
R3(config-router)#neighbor 172.12.123.1 prefix-list FILTER_R1 out
R3(config)#ip prefix-list FILTER_R1 deny 23.0.0.0/8
R3(config)#ip prefix-list FILTER_R1 permit 0.0.0.0/0 le 32
R3(config)#router bgp 123
R3(config-router)#neighbor 172.12.123.1 prefix-list FILTER_R1 out
R3#clear ip bgp * soft
R1#show ip bgp
BGP table version is 6, local router ID is 19.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
BGP table version is 6, local router ID is 19.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i21.0.0.0 172.12.123.3 0 100 0 4 i
*>i21.0.0.0 172.12.123.3 0 100 0 4 i
The paths to 22.0.0.0/8 and 23.0.0.0/8 have been successfully filtered.
On R3, we'll write a prefix-list that will filter 21.0.0.0/8 and 22.0.0.0/8, but allow all other routes. After applying this prefix list to R2 via the neighbor command and performing a soft reset on R3, R2 sees only the route to 23.0.0.0.
R3(config)#ip prefix-list FILTER_R2 deny 21.0.0.0/8
R3(config)#ip prefix-list FILTER_R2 deny 22.0.0.0/8
R3(config)#ip prefix-list FILTER_R2 permit 0.0.0.0/0 le 32
R3(config)#router bgp 123
R3(config-router)#neighbor 172.12.123.2 prefix-list FILTER_R2 out
R3(config)#ip prefix-list FILTER_R2 deny 22.0.0.0/8
R3(config)#ip prefix-list FILTER_R2 permit 0.0.0.0/0 le 32
R3(config)#router bgp 123
R3(config-router)#neighbor 172.12.123.2 prefix-list FILTER_R2 out
R3#clear ip bgp * soft
R2#show ip bgp
BGP table version is 6, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
BGP table version is 6, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i23.0.0.0 172.12.123.3 0 100 0 4 i
*>i23.0.0.0 172.12.123.3 0 100 0 4 i
The paths to 21.0.0.0/8 and 22.0.0.0/8 have been successfully filtered.
To see the prefix lists configured on a route as well as the order of the statements in each list, run show ip prefix-list.
R3#show ip prefix-list
ip prefix-list FILTER_R1: 3 entries
seq 5 deny 22.0.0.0/8
seq 10 deny 23.0.0.0/8
seq 15 permit 0.0.0.0/0 le 32
ip prefix-list FILTER_R2: 3 entries
seq 5 deny 21.0.0.0/8
seq 10 deny 22.0.0.0/8
seq 15 permit 0.0.0.0/0 le 32
ip prefix-list FILTER_R1: 3 entries
seq 5 deny 22.0.0.0/8
seq 10 deny 23.0.0.0/8
seq 15 permit 0.0.0.0/0 le 32
ip prefix-list FILTER_R2: 3 entries
seq 5 deny 21.0.0.0/8
seq 10 deny 22.0.0.0/8
seq 15 permit 0.0.0.0/0 le 32
Using prefix lists properly is an important part of CCNP exam success, and for those of you with an eye on the CCIE, it's even more important. Learn as many methods as you can to filter BGP routes, and start with the fundamental method - prefix lists!
To your success,
Chris Bryant
CCIE #12933
No comments:
Post a Comment