Friday, April 20, 2012

BGP filtering with Prefix-Lists

In this example we filter the routes received from an eBGP neighbour with a prefix-list. Prefix-lists are the normal tool for this on IOS: they match on both the network address and the prefix length, and the ge/le keywords make it easy to express "this block and its more-specifics".
Here is the initial configuration of the router:

interface Loopback4
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.45.4 255.255.255.0
 !
router bgp 4
 no synchronization
 bgp log-neighbor-changes
 network 4.4.4.4 mask 255.255.255.255
 neighbor 192.168.45.5 remote-as 5
 no auto-summary

Here is the BGP table:

R4#show ip bgp
BGP table version is 4, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i
*> 55.55.55.0/24    192.168.45.5             0             0 5 i

Let's filter 55.55.55.0/24.
First we create the prefix-list, named R5-in:

ip prefix-list R5-in seq 5 deny 55.55.55.0/24
ip prefix-list R5-in seq 10 permit 0.0.0.0/0 le 32

Entries are evaluated in sequence-number order, the first match wins, and a prefix-list ends with an implicit deny, so the permit 0.0.0.0/0 le 32 entry is what lets every other prefix through. On a real edge that catch-all is too permissive: an inbound filter from a customer or peer should permit only the prefixes that neighbour is expected to announce and let the implicit deny drop everything else, which is also what protects you from route leaks and hijacked more-specifics.

Then we apply the prefix-list inbound on the neighbour:

R4(config)#router bgp 4                                     
R4(config-router)#neighbor 192.168.45.5 prefix-list R5-in in

If the session was already established, trigger an inbound route refresh with clear ip bgp 192.168.45.5 soft in so the new policy is applied to the prefixes already received. 55.55.55.0/24 is then gone from the BGP table:

R4#show ip bgp
BGP table version is 5, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i

BGP filtering with Extended Access-list

In this example we filter the BGP routes with an extended access-list applied as a distribute-list.
Here is the initial configuration of the router:

interface Loopback4
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.45.4 255.255.255.0
 !
router bgp 4
 no synchronization
 bgp log-neighbor-changes
 network 4.4.4.4 mask 255.255.255.255
 neighbor 192.168.45.5 remote-as 5
 no auto-summary

Here is the BGP table:

R4#show ip bgp
BGP table version is 4, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i
*> 55.55.55.0/24    192.168.45.5             0             0 5 i

Let's filter 55.55.55.0/24.
First we create an extended access-list named R5-in.
When an extended access-list is used as a BGP distribute-list, the source part of each entry is matched against the network address of the prefix and the destination part against its subnet mask, so the host/host entry below denies exactly 55.55.55.0/24 and nothing else (a standard access-list matches only the network address and ignores the mask):

ip access-list extended R5-in
 deny   ip host 55.55.55.0 host 255.255.255.0
 permit ip any any

Then we apply the named extended access-list inbound with the neighbor distribute-list command:

R4(config)#router bgp 4                                    
R4(config-router)#neighbor 192.168.45.5 distribute-list R5-in in

55.55.55.0/24 is then gone from the BGP table:

R4#show ip bgp
BGP table version is 5, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i

The access-list counters confirm which entries were hit:

R4# show access-lists
Extended IP access list R5-in
    10 deny ip host 55.55.55.0 host 255.255.255.0 (2 matches)
    20 permit ip any any (2 matches)

BGP filtering with Standard Access-list

In this example we filter the BGP routes with a standard access-list applied as a distribute-list.
Here is the initial configuration of the router:

interface Loopback4
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.45.4 255.255.255.0
 !
router bgp 4
 no synchronization
 bgp log-neighbor-changes
 network 4.4.4.4 mask 255.255.255.255
 neighbor 192.168.45.5 remote-as 5
 no auto-summary

Here is the BGP table:

R4#show ip bgp
BGP table version is 4, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i
*> 55.55.55.0/24    192.168.45.5             0             0 5 i

Let's filter 55.55.55.0/24.
First we create a standard access-list named R5-in:

ip access-list standard R5-in
 deny   55.55.55.0 0.0.0.255
 permit any

Then we apply the named access-list inbound with the neighbor distribute-list command. Note what the wildcard actually matches: a standard access-list sees only the network address, so this entry also drops 55.55.55.0/25, 55.55.55.128/25 and any other prefix whose network address falls in 55.55.55.0 to 55.55.55.255, while a covering 55.55.0.0/16 would pass. If the prefix length matters, use a prefix-list or an extended access-list instead.

R4(config)#router bgp 4                                    
R4(config-router)#neighbor 192.168.45.5 distribute-list R5-in in

55.55.55.0/24 is then gone from the BGP table:

R4#show ip bgp
BGP table version is 5, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i
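
To make the three matching rules concrete, here is an added Python model of how IOS evaluates a prefix-list, a standard access-list and an extended access-list against a received prefix. It is example code written for this page, not IOS code or the page's own configuration; the three R5-in definitions are transcribed from the sections above, and the two extra prefixes 55.55.55.0/25 and 55.55.0.0/16 are assumed inputs added to show where the filter types disagree.

```python
import ipaddress

# Filters transcribed from the three sections above.
# Prefix-list entries: (seq, action, network, ge, le); None = keyword absent.
R5_IN_PREFIX_LIST = [
    (5, "deny", "55.55.55.0/24", None, None),
    (10, "permit", "0.0.0.0/0", None, 32),
]
# Standard ACL entries: (action, address, wildcard); 'permit any' = 0.0.0.0 255.255.255.255
R5_IN_STD_ACL = [
    ("deny", "55.55.55.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]
# Extended ACL entries: (action, src, src_wild, dst, dst_wild); 'host X' = X 0.0.0.0
R5_IN_EXT_ACL = [
    ("deny", "55.55.55.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Constructed input: the three prefixes from R4's BGP table plus two assumed
# prefixes (a more-specific and a covering route) that are not on the page.
SAMPLE_PREFIXES = ["4.4.4.4/32", "5.5.5.5/32", "55.55.55.0/24",
                   "55.55.55.0/25", "55.55.0.0/16"]


def prefix_list_permits(entries, prefix):
    """IOS prefix-list: entries in seq order, first match wins, implicit deny.
    Without ge/le the route's length must equal the entry's length exactly;
    ge alone allows [ge, 32], le alone allows [entry length, le]."""
    route = ipaddress.ip_network(prefix, strict=False)
    for _seq, action, net, ge, le in sorted(entries, key=lambda e: e[0]):
        entry = ipaddress.ip_network(net, strict=False)
        low = entry.prefixlen if ge is None else ge
        high = le if le is not None else (32 if ge is not None else entry.prefixlen)
        if route.subnet_of(entry) and low <= route.prefixlen <= high:
            return action == "permit"
    return False


def _wildcard_match(value, address, wildcard):
    """Cisco wildcard compare: bits set in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (value & care) == (int(ipaddress.IPv4Address(address)) & care)


def std_acl_permits(entries, prefix):
    """Standard ACL as a BGP distribute-list: only the network address is
    tested, the prefix length is ignored. First match wins, implicit deny."""
    route = ipaddress.ip_network(prefix, strict=False)
    for action, address, wildcard in entries:
        if _wildcard_match(int(route.network_address), address, wildcard):
            return action == "permit"
    return False


def ext_acl_permits(entries, prefix):
    """Extended ACL as a BGP distribute-list: the source field is tested
    against the network address and the destination field against the
    subnet mask, so a host/host entry denies exactly one prefix."""
    route = ipaddress.ip_network(prefix, strict=False)
    for action, src, src_wild, dst, dst_wild in entries:
        if (_wildcard_match(int(route.network_address), src, src_wild)
                and _wildcard_match(int(route.netmask), dst, dst_wild)):
            return action == "permit"
    return False


def evaluate(prefixes=SAMPLE_PREFIXES):
    """Run every sample prefix through the three R5-in filters."""
    return {
        p: {
            "prefix-list": prefix_list_permits(R5_IN_PREFIX_LIST, p),
            "standard-acl": std_acl_permits(R5_IN_STD_ACL, p),
            "extended-acl": ext_acl_permits(R5_IN_EXT_ACL, p),
        }
        for p in prefixes
    }


if __name__ == "__main__":
    for prefix, verdicts in evaluate().items():
        print(f"{prefix:16} " + "  ".join(
            f"{k}={'permit' if v else 'deny'}" for k, v in verdicts.items()))
```

Running it shows the divergence the text describes: all three filters drop 55.55.55.0/24 and pass the loopbacks, but the standard access-list also drops 55.55.55.0/25 (same network address, different length), while the prefix-list and the extended access-list let it through.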

Basic EBGP configuration

Basic EBGP configuration between two Cisco IOS routers:
Here is a minimal external BGP configuration between two routers; each router announces its loopback address so there is something to exchange. This is only the bare minimum needed to bring the session up: a production eBGP session would also have a neighbor password (TCP MD5), neighbor ttl-security hops 1 and a neighbor maximum-prefix limit, none of which are shown here.
First router:
interface Loopback4
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.45.4 255.255.255.0
 !
router bgp 4
 no synchronization
 bgp log-neighbor-changes
 network 4.4.4.4 mask 255.255.255.255
 neighbor 192.168.45.5 remote-as 5
 no auto-summary

Second Router:
interface Loopback5
 ip address 5.5.5.5 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.45.5 255.255.255.0
!
router bgp 5
 no synchronization
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 neighbor 192.168.45.4 remote-as 4
 no auto-summary

BGP is up:
R4#show ip bgp summary
BGP router identifier 192.168.0.4, local AS number 4
BGP table version is 3, main routing table version 3
2 network entries using 240 bytes of memory
2 path entries using 104 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 772 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.45.5    4     5      10      10        3    0    0 00:06:22        1

Both loopbacks are now in the BGP table:

R4#show ip bgp
BGP table version is 3, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.4/32       0.0.0.0                  0         32768 i
*> 5.5.5.5/32       192.168.45.5             0             0 5 i

The routing table shows the remote loopback learned via BGP (administrative distance 20, as expected for an external BGP route):
R4#show ip route 5.5.5.5
Routing entry for 5.5.5.5/32
  Known via "bgp 4", distance 20, metric 0
  Tag 5, type external
  Last update from 192.168.45.5 00:07:25 ago
  Routing Descriptor Blocks:
  * 192.168.45.5, from 192.168.45.5, 00:07:25 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 5

Reachability test:
R4#ping 5.5.5.5 source 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/68 ms

Cisco IOS BGP Best Path Selection

1.   Select the path with the highest weight (Cisco-local, never propagated).
2.   Select the path with the highest local preference.
3.   Select the path that was locally originated via a network or aggregate command or through redistribution.
4.   Select the path with the shortest AS_PATH.
5.   Select the path with the lowest origin type (IGP < EGP < incomplete).
6.   Select the path with the lowest MED. By default MED is only compared between paths received from the same neighbouring AS; bgp always-compare-med changes that.
7.   Select eBGP paths over iBGP paths.
8.   Select the path with the lowest IGP metric to the BGP next hop.
9.   When all paths are external, select the path that was received first (the oldest); this step is skipped if bgp bestpath compare-routerid is configured.
10.  Select the path that comes from the neighbor with the lowest router ID.
11.  Select the path with the minimum cluster list length, when the originator is the same for all paths. This only matters when there is a route reflector in the topology.
12.  Select the path that comes from the lowest neighbor address.
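
The list above is easiest to internalise by running it. Below is an added Python model of the twelve steps as a pairwise comparison, written for this page and not taken from IOS or from the page's own configuration. The BgpPath attributes and the three candidate paths for 55.55.55.0/24 (via hypothetical routers R5, R6 and R7) are constructed for illustration; step 6 follows the IOS default of comparing MED only between paths from the same neighbouring AS, and step 9 only applies between external paths.

```python
import ipaddress
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete


@dataclass
class BgpPath:
    """The attributes the twelve steps look at; every value is constructed."""
    name: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    received_order: int = 0          # lower = received earlier
    router_id: str = "0.0.0.0"
    cluster_list_len: int = 0
    neighbor: str = "0.0.0.0"


def _addr(s):
    return int(ipaddress.IPv4Address(s))


def prefer(a, b):
    """Compare two paths with the IOS steps in order.
    Returns (winner, step_number); step 0 means a complete tie."""
    if a.weight != b.weight:                                         # 1
        return (a if a.weight > b.weight else b), 1
    if a.local_pref != b.local_pref:                                 # 2
        return (a if a.local_pref > b.local_pref else b), 2
    if a.locally_originated != b.locally_originated:                 # 3
        return (a if a.locally_originated else b), 3
    if len(a.as_path) != len(b.as_path):                             # 4
        return (a if len(a.as_path) < len(b.as_path) else b), 4
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:               # 5
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), 5
    # 6: IOS default, MED is compared only when the first AS in AS_PATH matches
    if a.as_path and b.as_path and a.as_path[0] == b.as_path[0] and a.med != b.med:
        return (a if a.med < b.med else b), 6
    if a.ebgp != b.ebgp:                                             # 7
        return (a if a.ebgp else b), 7
    if a.igp_metric != b.igp_metric:                                 # 8
        return (a if a.igp_metric < b.igp_metric else b), 8
    if a.ebgp and b.ebgp and a.received_order != b.received_order:   # 9 (external only)
        return (a if a.received_order < b.received_order else b), 9
    if a.router_id != b.router_id:                                   # 10
        return (a if _addr(a.router_id) < _addr(b.router_id) else b), 10
    if a.cluster_list_len != b.cluster_list_len:                     # 11
        return (a if a.cluster_list_len < b.cluster_list_len else b), 11
    if a.neighbor != b.neighbor:                                     # 12
        return (a if _addr(a.neighbor) < _addr(b.neighbor) else b), 12
    return a, 0


def best_path(paths):
    """Reduce a list of candidate paths to the single best path."""
    best = paths[0]
    for candidate in paths[1:]:
        best, _ = prefer(best, candidate)
    return best


# Constructed scenario: three candidate paths for 55.55.55.0/24.
VIA_R5 = BgpPath("via R5", as_path=(5,), received_order=1,
                 router_id="5.5.5.5", neighbor="192.168.45.5")
VIA_R6 = BgpPath("via R6", as_path=(6, 5), received_order=2,
                 router_id="6.6.6.6", neighbor="192.168.46.6")
VIA_R7 = BgpPath("via R7", local_pref=200, as_path=(7, 8, 5), received_order=3,
                 router_id="7.7.7.7", neighbor="192.168.47.7")


if __name__ == "__main__":
    print("best:", best_path([VIA_R5, VIA_R6, VIA_R7]).name)
    for x, y in [(VIA_R5, VIA_R6), (VIA_R5, VIA_R7)]:
        winner, step = prefer(x, y)
        print(f"{x.name} vs {y.name}: {winner.name} wins at step {step}")
```

The point the example makes is the one operators get bitten by: via R7 has the longest AS_PATH but wins because local preference (step 2) is evaluated before AS_PATH length (step 4), and a lower MED from a different neighbouring AS is ignored entirely, so that tie falls through to the age of the path.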