BGP Prefix Filtering

Hello All,

Can anybody tell me why my prefix filtering isn't working when trying to use a prefix-list to filter in BGP? The configuration and topology are below. Basically I'm trying to filter out the 172 prefixes from being advertised to AS 2. I have tried 15.3 and 12.4(24) code.

ip prefix-list PERMIT192 seq 5 permit 192.168.0.0/16 le 32

router bgp 1
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.1.1.2 remote-as 2
 neighbor 10.1.1.2 distribute-list PERMIT192 out


R1#sh ip bgp neighbors 10.1.1.2 advertised-routes
BGP table version is 10, local router ID is 192.168.4.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.1.1.0/24      0.0.0.0                  0         32768 ?
 *>  172.168.1.0/24   0.0.0.0                  0         32768 ?
 *>  172.168.2.0/24   0.0.0.0                  0         32768 ?
 *>  172.168.3.0/24   0.0.0.0                  0         32768 ?
 *>  172.168.4.0/24   0.0.0.0                  0         32768 ?
 *>  192.168.1.0      0.0.0.0                  0         32768 ?
 *>  192.168.2.0      0.0.0.0                  0         32768 ?
 *>  192.168.3.0      0.0.0.0                  0         32768 ?
 *>  192.168.4.0      0.0.0.0                  0         32768 ?

Total number of prefixes 9


Comments

  • I would put the prefix list in a route-map:

    route-map PREFIX192 deny 10
     match ip address prefix-list PERMIT192

    Then catch all others with

    route-map PREFIX192 permit 20

    neighbor 10.1.1.2 route-map PREFIX192 out

    Then

    On 14 Apr 2015 16:13, "acsbmx_1" <[email protected]> wrote:

    INE - The Industry Leader in CCIE Preparation

    http://www.INE.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx
  • What if there is a restriction against using route-maps or ACLs? This is the only other way I can think of besides filtering based on AS path, which gets a little hairy and I'd rather not go that route.

  • Can you try with deny instead of permit in your prefix-list, because that is your intention?

    On 14 Apr 2015 16:51, "acsbmx_1" <[email protected]> wrote:

  • I think that worked. For some reason I thought I tried that before and it didn't work? Here is the resulting config. Hopefully someone else can benefit from this.

    ip prefix-list DENY172: 2 entries
       seq 5 deny 172.168.0.0/16 le 32
       seq 10 permit 0.0.0.0/0 le 32

    router bgp 1
     bgp log-neighbor-changes
     redistribute connected
     neighbor 10.1.1.2 remote-as 2
     neighbor 10.1.1.2 prefix-list DENY172 out

  • The only caveat to this is if there are other subnets that need to be filtered out. So think Internet. It's easy enough to create one entry for the 172.168 network, but having to filter out every prefix just to allow the one you want through is not feasible or scalable. There has to be a better solution that I'm just not thinking of.

  • To allow a single prefix, just use a permit prefix list and the implicit deny will take care of the rest.

    On 14 Apr 2015 18:07, "acsbmx_1" <[email protected]> wrote:

  • I initially used a single prefix in the PL and it wasn't working. I think I actually found what my issue was. I was using a distribute-list neighbor option rather than the prefix-list option. Once I started to use the prefix-list on the neighbor statement it started working as I would expect. I guess there are different use cases for the DLs vs the PLs. Thanks for the help everyone.

  • I see the syntax should be "distribute-list prefix PERMIT192 out", so you omitted "prefix". Seems like it takes it as an ACL name if you don't use "prefix"... look it up in the command reference.

    On 14 Apr 2015 20:26, "acsbmx_1" <[email protected]> wrote:

  • I did try the global BGP distribute-list prefix syntax first, which didn't work either. When you add the distribute-list to the neighbor statement, you are not presented with a prefix option in code 12.4 or 15.4. You only have the option for an ACL. Seems like they want you to use the neighbor x.x.x.x prefix-list instead of the neighbor x.x.x.x distribute-list when using a PL.

  • It is actually used under router configuration mode, so it applies to advertisements to all neighbors:

    R1(config-router)#distribute-list prefix

    On 15 Apr 2015 13:49, "acsbmx_1" <[email protected]> wrote:

    I did try the distribute-list prefix syntax first, which didn't work either. When you add the distribute-list to the neighbor statement, you are not presented with a prefix option in code 12.4 or 15.4. You only have the option for an ACL. Seems like they want you to use the neighbor x.x.x.x prefix-list instead of the distribute-list when using a PL.
  • Alright, that's what I tried initially and it didn't work. So maybe a bug or something. If nothing else I've learned there are two ways to do this now. So definitely a good learning experience.

  • You've referenced an ACL in the distribute-list statement instead of a prefix list. The command is

    distribute-list prefix PERMIT192 out

  • Just read the posts above, sorry didn't realise others saw. Do this then:

    route-map 192only permit 10
     match ip address prefix-list PERMIT192

    ip prefix-list PERMIT192 seq 5 permit 192.168.0.0/16 le 32

    router bgp 1
     no neighbor 10.1.1.2 distribute-list PERMIT192 out
     neighbor 10.1.1.2 route-map 192only out
    end

    clear ip bgp * soft out
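The prefix-list behaviour the thread converges on (first matching sequence wins, ge/le widen the mask-length window, anything unmatched hits the implicit deny), worked through in an added Python model that is not part of the thread or of IOS. It evaluates the nine prefixes from R1's advertised-routes output against PERMIT192 and DENY172 exactly as they appear above, and generalises to ge-only and exact-match entries the thread does not show; the helper names are mine.

```python
import ipaddress
from typing import List, Optional, Tuple

# (seq, action, network, ge, le) for one "seq N permit|deny A.B.C.D/M [ge X] [le Y]" entry
Entry = Tuple[int, str, ipaddress.IPv4Network, Optional[int], Optional[int]]

def parse_prefix_list(lines: List[str]) -> List[Entry]:
    """Accepts 'ip prefix-list NAME seq ...' config lines or 'show' output lines."""
    entries = []
    for line in lines:
        tok = line.split()
        i = tok.index("seq")
        seq, action = int(tok[i + 1]), tok[i + 2]
        net = ipaddress.ip_network(tok[i + 3], strict=False)
        ge = le = None
        rest = tok[i + 4:]
        while rest:  # optional "ge X" / "le Y", either order
            key, val, rest = rest[0], int(rest[1]), rest[2:]
            ge, le = (val, le) if key == "ge" else (ge, val)
        entries.append((seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e[0])

def entry_matches(entry: Entry, route: ipaddress.IPv4Network) -> bool:
    _, _, net, ge, le = entry
    if not route.subnet_of(net):  # the entry's network bits must cover the route
        return False
    # mask-length window: exact match unless ge/le widen it (le alone keeps ge at the entry length)
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return lo <= route.prefixlen <= hi

def evaluate(entries: List[Entry], route: str) -> bool:
    """First matching sequence wins; no match is the implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for e in entries:
        if entry_matches(e, r):
            return e[1] == "permit"
    return False

def filter_advertised(entries: List[Entry], routes: List[str]) -> List[str]:
    return [r for r in routes if evaluate(entries, r)]

# The nine prefixes from R1's advertised-routes output (192.168.x.0 lines are classful /24s)
ADVERTISED = (["10.1.1.0/24"] + [f"172.168.{i}.0/24" for i in range(1, 5)]
              + [f"192.168.{i}.0/24" for i in range(1, 5)])
PERMIT192 = ["ip prefix-list PERMIT192 seq 5 permit 192.168.0.0/16 le 32"]
DENY172 = ["seq 5 deny 172.168.0.0/16 le 32", "seq 10 permit 0.0.0.0/0 le 32"]
if __name__ == "__main__":
    for name, pl in (("PERMIT192", PERMIT192), ("DENY172", DENY172)):
        print(name, "->", filter_advertised(parse_prefix_list(pl), ADVERTISED))
```

Either list applied with neighbor ... prefix-list ... out leaves only the intended routes; the original config never reached this logic because distribute-list without the prefix keyword looked for an ACL named PERMIT192.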
