Re: BGP Filter Question

From: Benedict Munyao (bmunyao@gmail.com)
Date: Mon Oct 22 2007 - 16:07:58 ART


Rich,

My understanding of the BGP processing order for outbound policies is as
follows.

1. All BGP prefixes in the BGP table will get to be processed by
"distribute-list" policy.
2. Only those allowed by "distribute-list" will be processed by
"prefix-list" policy.
3. Only those making it past the "prefix-list" will then be checked against
"filter-list".
4. Finally, those which survive the first three filtering policies get to be
processed through the "route-map".

Below is the output from labbing this up:

AS1                       AS3                              AS2
R1------------------------R3-------------------------------R2
       155.1.13.0/24                 155.1.23.0/24

R1
---------------------------------------------------------------------
Rack1R1(config-router)#do sh ip int bri | e unass
Interface                  IP-Address      OK? Method Status                Protocol
Serial1/1                  155.1.13.1      YES manual up                    up
Loopback0                  10.1.1.1        YES manual up                    up

Rack1R1(config-router)#do sh run | s eigrp
router eigrp 10
 network 10.1.1.1 0.0.0.0
 network 155.1.13.1 0.0.0.0
 no auto-summary

Rack1R1(config-router)#do sh run | s bgp
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 30.3.3.3 remote-as 3
 neighbor 30.3.3.3 ttl-security hops 2
 neighbor 30.3.3.3 update-source Loopback0
 no auto-summary

R3
-------------------------------------------------------------------------------
Rack1R3(config)#do sh ip int bri | e unass
Interface                  IP-Address      OK? Method Status                Protocol
Serial1/2                  155.1.13.3      YES manual up                    up
Serial1/3                  155.1.23.3      YES manual up                    up
Loopback0                  30.3.3.3        YES manual up                    up
Loopback1                  31.3.3.3        YES manual up                    up
Loopback2                  32.3.3.3        YES manual up                    up

Rack1R3(config)#do sh run | s eigrp
router eigrp 10
 network 30.3.3.3 0.0.0.0
 network 155.1.13.3 0.0.0.0
 network 155.1.23.3 0.0.0.0
 no auto-summary

Rack1R3(config)#do sh run | s bgp
router bgp 3
 no synchronization
 bgp log-neighbor-changes
 network 30.3.3.0 mask 255.255.255.0
 network 31.3.3.0 mask 255.255.255.0
 network 32.3.3.0 mask 255.255.255.0
 neighbor 10.1.1.1 remote-as 1
 neighbor 10.1.1.1 ttl-security hops 3
 neighbor 10.1.1.1 update-source Loopback0
 neighbor 155.1.23.2 remote-as 2
 no auto-summary

R2
------------------------------------------------------------------------
Rack1R2(config-router)#do sh ip int bri | e unass
Interface                  IP-Address      OK? Method Status                Protocol
Serial1/1                  155.1.23.2      YES manual up                    up
Loopback0                  20.2.2.2        YES manual up                    up

Rack1R2(config-router)#do sh run | s eigrp
router eigrp 10
 network 20.2.2.2 0.0.0.0
 network 155.1.23.2 0.0.0.0
 no auto-summary

Rack1R2(config-router)#do sh run | s bgp
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 20.2.2.0 mask 255.255.255.0
 neighbor 155.1.23.3 remote-as 3
 no auto-summary

Before adding policies on R3:
-----------------------------------------------------------------------------------------------------------
Rack1R1(config-router)#do sh ip bgp
BGP table version is 7, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  20.2.2.0/24      30.3.3.3                               0 3 2 i
*  30.3.3.0/24      30.3.3.3                 0             0 3 i
*  31.3.3.0/24      30.3.3.3                 0             0 3 i
*  32.3.3.0/24      30.3.3.3                 0             0 3 i
Rack1R1(config-router)#

With outbound policies on R3
---------------------------------------------------------------------------------------------------
Rack1R3(config-router)#do sh run | s route-map
route-map PREPEND permit 10
 set as-path prepend 3 3
route-map PREPEND permit 20

Rack1R3(config-router)#do sh run | i access-list
ip as-path access-list 1 permit ^2$

Rack1R3(config)#router bgp 3
Rack1R3(config-router)#neighbor 10.1.1.1 route-map PREPEND out
Rack1R3(config-router)#neighbor 10.1.1.1 filter-list 1 out
Rack1R3(config-router)#do clear ip bgp * soft

Rack1R1(config-router)#do sh ip bgp
BGP table version is 7, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  20.2.2.0/24      30.3.3.3                               0 3 3 3 2 i
Rack1R1(config-router)#

Note that after R3 picked only the prefix from AS2, it then went on to
process the route-map.

Sincerely
Benedict Munyao

On 10/17/07, Rich Collins <nilsi2002@gmail.com> wrote:
>
> The filter list will never see the prepend since it comes before the
> route-map.
>
> For outbound updates the order of preference is:
>
> 1. prefix-list, distribute-list
> 2. filter-list
> 3. route-map
>
>
> Let's say you were filtering on the inbound. You could use the below
> statement for filtering one or more prepends of 123. This version _123$ is
> not tight enough.
>
> ip as-path access-list 1 permit ^(123_)+$
>
>
> -Rich
>
>
> On 10/17/07, Joe Gagznos <kemphall@yahoo.com> wrote:
> >
> > Just want to check this. I have the following bgp
> > configuration:
> >
> > router bgp 123
> > network 1.2.3.0 mask 255.255.255.0
> > neighbor 221.122.10.1 remote-as 2131
> > neighbor 221.122.10.1 route-map pathprepend out
> > neighbor 221.122.10.1 filter-list 1 out
> >
> > route-map pathprepend permit 10
> > set as-path prepend 123 123
> > route-map pathprepend permit 20
> >
> > ip as-path access-list 1 permit ^$
> > ip as-path access-list 1 permit ^123$
> > ip as-path access-list 1 deny .*
> >
> > Is the as path access list going to fail this route
> > advertisement? If I changed the access list to the
> > following would I still only be allowing routes
> > originating from 123 and allow as much prepending as I
> > want?
> >
> > ip as-path access-list 1 permit ^$
> > ip as-path access-list 1 permit _123$
> > ip as-path access-list 1 deny .*
> >
> > Thanks for your help!
> >
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
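
Added example (not part of the original thread or of any poster's configuration): a small Python model of the outbound order shown in the lab (filter-list, then route-map, then the router's own AS on the eBGP update) and of the AS-path patterns discussed in the quoted messages. It assumes the only IOS-specific regex feature in these patterns is "_", translated here to a delimiter match; the function names and the sample inbound paths are constructed for illustration.

```python
import re

# On IOS, "_" matches a delimiter: start or end of the path, a space,
# a comma, a brace or a parenthesis.
DELIM = r"(?:^|$|[ ,{}()])"

def acl_permits(acl, as_path):
    """Evaluate an as-path access-list (first match wins, implicit deny).
    acl is a list of (action, ios_regex); as_path is a list of AS numbers."""
    text = " ".join(str(asn) for asn in as_path)
    for action, ios_regex in acl:
        if re.search(ios_regex.replace("_", DELIM), text):
            return action == "permit"
    return False

def advertise_out(table, local_as, filter_list, prepend):
    """Outbound policy toward an eBGP peer (distribute-list and prefix-list
    are not modelled): filter-list first, then the route-map prepend, then
    the router's own AS when the update is sent."""
    sent = {}
    for prefix, as_path in table.items():
        if acl_permits(filter_list, as_path):  # sees the path as stored in the BGP table
            sent[prefix] = [local_as] + prepend + as_path
    return sent

# R3 from the lab: AS 3, filter-list "^2$", route-map prepends "3 3".
R3_TABLE = {"20.2.2.0/24": [2], "30.3.3.0/24": [],
            "31.3.3.0/24": [], "32.3.3.0/24": []}
R3_SENT = advertise_out(R3_TABLE, 3, [("permit", "^2$")], [3, 3])

# Joe's router: AS 123, one locally originated network, his first access-list 1.
JOE_ACL = [("permit", "^$"), ("permit", "^123$"), ("deny", ".*")]
JOE_SENT = advertise_out({"1.2.3.0/24": []}, 123, JOE_ACL, [123, 123])

# Inbound comparison of the two patterns; these paths are constructed samples.
LOOSE = [("permit", "_123$")]
TIGHT = [("permit", "^(123_)+$")]
SAMPLE_PATHS = [[123], [123, 123, 123], [456, 123], [123, 456]]

def compare(paths=SAMPLE_PATHS):
    """Map each path to (permitted by _123$, permitted by ^(123_)+$)."""
    return {tuple(p): (acl_permits(LOOSE, p), acl_permits(TIGHT, p)) for p in paths}

if __name__ == "__main__":
    print("R3 -> R1:", R3_SENT)
    print("AS 123 -> AS 2131:", JOE_SENT)
    for path, (loose, tight) in compare().items():
        print(path, "_123$:", loose, "^(123_)+$:", tight)
```

R3_SENT reproduces the path 3 3 3 2 seen on R1, and compare() shows that _123$ also permits the path 456 123 while ^(123_)+$ permits only runs of 123.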



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:17 ART