Border Gateway Protocol BGP Route Filtering Methods

Border Gateway Protocol (BGP) route filtering is the selective acceptance or advertisement of routes exchanged with neighbor routers. Route filtering may be used to manipulate traffic flows, reduce memory utilization, or improve security. For example, it is common for ISPs to deploy route filters on BGP peerings to customers. Filtering ensures that only the customer's own routes are accepted over the peering link, preventing the customer from accidentally becoming a transit AS on the Internet (for instance, by re-advertising routes learned from a second provider).

Complete BGP Route Processing Logic

[Figure: BGP route filtering (image not reproduced)]

BGP Route Filtering Policy Processing

IOS XE provides four methods of filtering routes inbound or outbound for a specific BGP peer. These methods can be used individually or in combination with one another:

  • Distribute list: A distribute list filters network prefixes based on a standard or extended ACL. An implicit deny applies to any prefix that is not permitted.
  • Prefix list: A list of prefix-matching entries permits or denies network prefixes in a top-down fashion, similar to an ACL. An implicit deny applies to any prefix that is not permitted.
  • AS path ACL/filtering: A list of regular-expression entries permits or denies a network prefix based on the values in its current AS path. An implicit deny applies to any prefix that is not permitted.
  • Route maps: Route maps provide conditional matching on a variety of prefix attributes and can take a variety of actions. An action can be a simple permit or deny, or it can include modifying BGP path attributes. An implicit deny applies to any prefix that is not permitted.


Viewing Reference BGP Table Command

To view the reference BGP table, the following command can be used:

Router# show bgp ipv4 unicast | begin Network


BGP Route Filtering Distribute List

Distribute lists allow the filtering of network prefixes on a neighbor-by-neighbor basis, using standard or extended ACLs. Configuring a distribute list requires the BGP address-family configuration command neighbor ip-address distribute-list {acl-number | acl-name} {in | out}. Remember that when an extended ACL is used for BGP prefix filtering, the source address and wildcard match the network portion of the prefix, and the destination address and wildcard match the subnet mask.
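The following configuration is an added, constructed example and is not part of the original notes. It assumes an ISP router in AS 65000 peering with a customer in AS 65100 at 192.0.2.2; the customer is assigned 203.0.113.0/24 (all addresses and AS numbers are documentation and private ranges chosen for illustration). The extended ACL uses the source fields to match the network and the destination fields to match the mask, so the customer may announce its block either as one /24 or as two /25s, and nothing else.

```cisco
! Constructed example (not from the original notes): ISP router, AS 65000.
! Customer AS 65100 at 192.0.2.2 owns 203.0.113.0/24 and may announce it
! as a single /24 or as two /25s. Anything else is dropped.
!
ip access-list extended CUSTOMER-65100-IN
 remark source field = network, destination field = subnet mask
 remark exactly 203.0.113.0/24
 permit ip host 203.0.113.0 host 255.255.255.0
 remark 203.0.113.0/25 and 203.0.113.128/25 (wildcard 0.0.0.128 on the network)
 permit ip 203.0.113.0 0.0.0.128 host 255.255.255.128
 remark implicit deny: a default route, RFC 1918 space or transit
 remark prefixes leaked by the customer all fall through here
!
router bgp 65000
 neighbor 192.0.2.2 remote-as 65100
 address-family ipv4 unicast
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 distribute-list CUSTOMER-65100-IN in
```

Because the ACL ends in an implicit deny, there is no need for an explicit deny entry; the security-relevant check is that no entry accidentally matches a short prefix such as 0.0.0.0/0, which an overly wide destination wildcard would do.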


Viewing Routes Filtered by BGP Distribute List

To view the routes filtered by the BGP distribute list, the following command can be used:

Router# show bgp ipv4 unicast | begin Network


Prefix List Filtering

Prefix lists allow the filtering of network prefixes on a neighbor-by-neighbor basis. Configuring prefix-list filtering uses the BGP address-family configuration command neighbor ip-address prefix-list prefix-list-name {in | out}.
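The following configuration is an added, constructed example and is not part of the original notes. It shows the customer side of the session described above: a router in AS 65100 with a single upstream, the ISP in AS 65000 at 192.0.2.1 (addresses and AS numbers are illustrative). Outbound, only the customer's own block is announced, so the customer can never become a transit AS; inbound, only a default route is accepted. The le keyword shows how a prefix-list entry matches a range of prefix lengths rather than one exact prefix.

```cisco
! Constructed example (not from the original notes): customer router, AS 65100,
! single upstream ISP (AS 65000) at 192.0.2.1.
!
ip prefix-list OWN-PREFIXES seq 5 permit 203.0.113.0/24 le 25
! "le 25" also permits the two /25 halves of the block, but nothing
! longer than /25. Any other prefix hits the implicit deny.
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
! Exact match: only the default route. Writing "0.0.0.0/0 le 32" would
! instead match every possible prefix, which is a common mistake.
!
router bgp 65100
 neighbor 192.0.2.1 remote-as 65000
 address-family ipv4 unicast
  network 203.0.113.0 mask 255.255.255.0
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 prefix-list OWN-PREFIXES out
  neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
  neighbor 192.0.2.1 maximum-prefix 5 restart 10
```

The maximum-prefix limit is a second line of defence: if the ISP ever sends more than five prefixes despite the inbound filter, the session is torn down and retried after ten minutes instead of filling the customer's BGP table.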

Verification of Filtering with a BGP Prefix List

Router# show bgp ipv4 unicast | begin Network

AS Path ACL Filtering

Selecting routes from a BGP neighbor by using the AS path requires the definition of an AS path access control list (AS path ACL) with the global configuration command ip as-path access-list acl-number {permit | deny} regex. The AS path ACL is then applied to a neighbor in the address family with the command neighbor ip-address filter-list acl-number {in | out}.
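The following configuration is an added, constructed example and is not part of the original notes. It shows two complementary AS path filters on the same customer/ISP session used in the previous examples (AS 65000 at 192.0.2.1, AS 65100 at 192.0.2.2; all values illustrative). On the ISP side, only routes originated by the customer itself are accepted; on the customer side, the well-known ^$ regular expression limits outbound advertisements to locally originated routes.

```cisco
! Constructed example (not from the original notes).
!
! --- ISP router, AS 65000 ---
! Accept from customer AS 65100 only routes the customer originated,
! i.e. an AS path consisting of exactly "65100".
ip as-path access-list 10 permit ^65100$
! Paths such as "65100 65300" (the customer relaying a third party)
! match no entry and are dropped by the implicit deny.
!
router bgp 65000
 address-family ipv4 unicast
  neighbor 192.0.2.2 filter-list 10 in
!
! --- Customer router, AS 65100 ---
! Announce only locally originated routes. When evaluated for outbound
! advertisement, locally originated routes have an empty AS path, so ^$
! matches them and nothing learned from any other eBGP peer.
ip as-path access-list 20 permit ^$
!
router bgp 65100
 address-family ipv4 unicast
  neighbor 192.0.2.1 filter-list 20 out
```

Anchoring the regular expressions with ^ and $ matters: an unanchored 65100 would also match paths such as "65100 65300" or "651000".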


Route Maps

Route maps provide additional functionality beyond pure filtering, because they can also manipulate BGP path attributes. Route maps are applied on a per-neighbor basis to routes that are advertised or received, and a different route map can be used for each direction. The route map is associated with the BGP neighbor with the command neighbor ip-address route-map route-map-name {in | out} under the specified address family.
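The following configuration is an added, constructed example and is not part of the original notes (it is separate from the route map whose output is verified later on this page). It assumes the ISP router in AS 65000 receiving routes from customer AS 65100 at 192.0.2.2, with 198.51.100.0/24 standing in for the ISP's own address space (all values illustrative). It shows sequences evaluated top-down, a deny sequence placed before a permit sequence, two match conditions combined in one sequence, and an attribute being set on the permitted routes.

```cisco
! Constructed example (not from the original notes): ISP router, AS 65000,
! inbound policy for customer 192.0.2.2 (AS 65100).
!
ip prefix-list CUST-65100 seq 5 permit 203.0.113.0/24 le 25
!
! Prefixes that must never be accepted from a customer:
ip prefix-list NEVER-ACCEPT seq 5 permit 0.0.0.0/0 le 7
! (the default route and anything shorter than /8)
ip prefix-list NEVER-ACCEPT seq 10 permit 10.0.0.0/8 le 32
! (RFC 1918 space and all of its more specifics)
ip prefix-list NEVER-ACCEPT seq 15 permit 198.51.100.0/24 le 32
! (the ISP's own address space, so a customer cannot hijack it)
!
ip as-path access-list 10 permit ^65100$
!
! Sequence 10 is checked first; a match here ends processing with a deny.
route-map CUST-65100-IN deny 10
 description drop default, short prefixes, RFC1918 and our own space
 match ip address prefix-list NEVER-ACCEPT
!
! Sequence 20: both match statements must be true (they are ANDed).
route-map CUST-65100-IN permit 20
 description accept the customer's own prefixes, originated by the customer
 match ip address prefix-list CUST-65100
 match as-path 10
 set local-preference 200
!
! There is deliberately no final "permit 30" sequence: any prefix that
! matches neither sequence is dropped by the implicit deny.
!
router bgp 65000
 neighbor 192.0.2.2 remote-as 65100
 address-family ipv4 unicast
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 route-map CUST-65100-IN in
```

A route map sequence with no match statement matches everything, so adding an empty permit sequence at the end would silently turn this allow-list into an allow-all; check the end of a route map whenever you edit it.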


BGP Table Before Applying a Route Map

R1# show bgp ipv4 unicast | begin Network

Route maps allow for multiple steps in processing as well. To demonstrate this concept, our route map will consist of four steps:


Verifying Changes from R1’s Route Map to AS 65200

R1# show bgp ipv4 unicast | b Network


Clearing BGP Connections

Depending on the change made to a BGP route manipulation technique, a BGP session may need to be refreshed for the change to take effect. BGP supports two methods of clearing a session. The first is a hard reset, which tears down the BGP session, removes the routes learned from that peer, and is the most disruptive. The second is a soft reset, which invalidates the BGP cache and requests a full advertisement from the BGP peer without tearing down the session.

Routers initiate a hard reset with the command clear ip bgp ip-address; adding the optional soft keyword (clear ip bgp ip-address soft) performs a soft reset instead. All of a router's BGP sessions can be cleared by using an asterisk (*) in lieu of the peer's IP address.

When a BGP policy changes, the BGP table must be processed again so that the neighbors can be notified accordingly, and routes received from a BGP peer must be re-evaluated against the new policy. If the BGP session supports the route refresh capability, the peer re-advertises (refreshes) its prefixes to the requesting router, allowing the inbound policy to be applied with the new changes. The route refresh capability is negotiated for each address family when the session is established.

Performing a soft reset on a session that supports the route refresh capability actually initiates a route refresh. Soft resets can be performed for a specific address family with the command clear bgp afi safi {ip-address | *} soft [in | out]. Limiting the reset to one address family reduces the number of routes that must be exchanged when multiple address families are configured with a single BGP peer. Changes to outbound routing policies use the optional out keyword, and changes to inbound routing policies use the optional in keyword. An * can be used in lieu of a peer's IP address to perform the action for all BGP peers. If a peer does not support route refresh, an inbound soft reset requires neighbor ip-address soft-reconfiguration inbound, which keeps an unfiltered copy of the peer's advertisements on the local router at the cost of additional memory.

