Route Filtering and Route Selection in BGP

© 2001, Cisco Systems, Inc.

Route Filtering and Route Selection in BGP

© 2001, Cisco Systems, Inc. Route Filtering and Route Selection in BGP-2

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

• Configure AS-path filters, prefix lists and route-maps

• Filter incoming and outgoing BGP updates with AS-path filters, prefix lists and route-maps

• Influence BGP route selection• Monitor and troubleshoot BGP filters• Implement non-disruptive BGP policy changes• Limit the number of routes received from a BGP

neighbor

Multi-Homed BGP Networks

www.cisco.com© 2001, Cisco Systems, Inc. Route Filtering and Route Selection in BGP-3


Objectives

Upon completion of this section, you will be able to perform the following tasks:

• Describe the issues in multi-homed BGP networks

• Describe the need to influence BGP route selection

• Describe the need for BGP filters


Multi-homed CustomersBusiness Requirements

• Some customers need redundant Internet access for their mission-critical applications

• Full redundancy is only achieved by connecting to two independent Service Providers

Internet

Multi-homedCustomer

Service Provider #2

Service Provider #1


Multi-homed CustomersTechnical Requirements

• Multi-homed customers have to run BGP with the Internet Service Providers

• They usually need public AS-number and provider-independent address space

Internet

Multi-homedCustomer

Service Provider #2BGP

Service Provider #1

BGP


Multi-homed CustomersSimple-Minded Approach

• Configure two BGP sessions and announce your address space

Internet

Multi-homedCustomer

Service Provider #2BGP

Service Provider #1

BGP

router bgp my-AS-number neighbor provider-A remote-as ISP-A neighbor provider-B remote-as ISP-B network my-network


The Results of Simple-Minded Approach

• BGP routes are selected based on AS-path length• The default BGP route selection does not always

result in optimum routing

as123#show ip bgpBGP table version is 16, local router ID is 1.2.3.4Status codes: s suppressed, h history, * valid, > best, i - internalOrigin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path*> 1.0.0.0 0.0.0.0 0 32768 i* 21.0.0.0 3.4.5.6 0 37 21 i*> 2.3.4.5 0 0 21 i*> 37.0.0.0 3.4.5.6 0 0 37 i* 2.3.4.5 0 21 37 i* 40.0.0.0 3.4.5.6 0 0 37 40 i*> 2.3.4.5 0 21 40 i


Routing Policies for Multi-Homed Customers

Multi-homed customers could require a number of routing policies, for example:

• One provider is primary, the other is backup• Traffic to direct customers of the ISPs go

direct, all other traffic goes through the primary provider

• All transatlantic traffic goes through one ISPs• Traffic toward a specific destination goes only

through one of the ISPs


Primary/Backup Provider

• Internet traffic always flows over primary ISP• Routes received from primary ISP should be preferred

over routes received from backup ISP• A route selection tool is needed in BGP - weights or local

preference

Internet

Multi-homedCustomer

Backup ISP

Primarylink

Backup link

Upstream ASAnotherCustomer

Primary ISP


Local Traffic Goes Direct

• Internet traffic flows over primary ISP, traffic to customers of backup ISP goes direct

• Route selection has to be performed based on AS-numbers in the AS-path

Internet

Multi-homedCustomer

Backup ISP

Primarylink

Backup link


Primary ISP


Transit Traffic Issue

• Customers could become transit AS for the Service Providers

Internet

Multi-homedCustomer

Service Provider #2

Service Provider #1

• Requirement: do not propagate provider routes to other providers


Routing Update Reliability Issue

• Customers running BGP could announce any route to the Service Providers

Internet

Multi-homedCustomerAS12321.0.0.0/8

Service Provider #2

Service Provider #1

BGP

BGP

Network=10.0.0.0/8AS-Path=123

• Requirement: Service Providers have to filterIP prefixes in incoming updates


Return Traffic Issue

Internet

Multi-homedCustomer

Backup ISP

Primarylink

Backup link


Primary ISP

• Customers can only influence their outgoing traffic, not the return traffic

• Return traffic can take any path - Backup ISP must also perform proper route selection


Multi-Homed Customer Requirement Summary

BGP must support the following mechanisms:

• Route selection based on BGP neighbors• Route selection based on AS-numbers in the

AS-path• Filters based on AS-numbers in the AS-path• Filters on IP prefixes


Summary

After completing this section, you should be able to perform the following tasks:

• Describe the issues in multi-homed BGP networks

• Describe the need to influence BGP route selection

• Describe the need for BGP filters


Review Questions

• Why would a customer want connection to two service providers?

• What are the technical requirements for multi-homed customers?

• Which routing protocol needs to be deployed between multi-homed customers and the ISP?

• Why do we need to influence BGP route selection rules?

• List three potential customer routing policies• What are the issues an ISP with multi-homed

customers is facing?

AS-Path Filters



Objectives


• Describe the applications of AS Path Filters• Describe AS Path regular expression syntax• Use AS Path regular expressions to match

BGP routes• Configure AS-path filters• Configure filtering of inbound or outbound

updates with AS-path filters


AS Path Filtering

Several scenarios require BGP route filtering based on AS-path

• Announce only local routes to the ISP - AS-path needs to be empty

• Select routes based on a specific AS-number in the AS-path

• Accept routes for specific AS only from some BGP neighbors

AS-path filters use regular expressions


AS Path Regular Expressions

27 31 31723 223

|27 31 23 317 223|

AS path converted to string

ip as-path access-list 1 permit 31

String matched with regexp


Regular ExpressionsSimple String Matches

• String of characters in regular expression matches any equivalent substring in AS path

how many times does 31 match|213 317 2316 31|answer:|213 317 2316 31|


Regular ExpressionsAlternatives

• Expressionexpr1|expr2matches the string if either subexpression matches the string

how many times does 21|31 match|213 317 2316 31|answer:|213 317 2316 31|


Regular ExpressionsRanges and Wildcard Characters• A range of characters matches any single

character in the rangeexamples:[1234] or [1-4]

• dot (.) matches any single characterhow many times does [1-3].[34] match|213 317 2316 31|answer:|213 317 2316 31| |213 317 2316 31|


Regular ExpressionsMatching Delimiters

^ matches beginning of string$ matches end of string_ matches any delimiter (beginning,

end, whitespace, tab, comma)how many times does ^21, 31$, _31_ match|213 317 218 31 731|answer: |213 317 218 31 731|


Regular ExpressionsGrouping

Parenthesis can be used to group smaller regular expressions into larger expressions

how many times does (213|218)_31 match|213 317 1218 316 31|answer: |213 317 1218 316 31|


Regular ExpressionsSpecial Characters

\ To use the special characters as single-character patterns, remove the special meaning by preceding each character with a backslash (\)

how do you match AS 213 in beginning of string|(213 317) 1218 316 31|answer: ^\(213_


Regular ExpressionsRepeating Operators

* matches zero or more atoms? matches zero or one atom+ matches one or more atoms

Atom is a single character or a grouping

how do you match AS sequences “23 45” and“23 78 45” in single regular expression

answer: _23(_78)?_45_


Sample Regular Expressions

_100_^100$_100$^100_.^ [0-9]+$^$.*

Going through AS 100Directly connected to AS 100Originated in AS 100networks behind AS 100AS paths one AS longnetworks originated in local ASmatches everything


Configuring BGP AS-path Filters

ip as-path access-list number permit|deny regexprouter(config)#

• Configures AS-path access list

neighbor ip-address filter-list as-path-filter in|outrouter(config-router)#

• Configures inbound or outbound AS-path filter for specified BGP neighbor


AS-path BGP Filters

BGPtable

filter-list in filter-list out

Incoming neighbor Outgoing neighbor

My router


Testing your Regular Expressions

show ip bgp regexp expression router#

• Displays all routes in BGP table matching regular expression

show ip bgp filter filter-listrouter#

• Displays all routes in BGP table permitted by the specified AS-path access list

show ip as-path-access-list [filter-list]router#

• Displays one or all filter lists


Display the Filter Lists Configured in the Router

wg6r1#show ip as-path-access-listAS path access list 6 permit ^$AS path access list 7 deny _213_ permit .*AS path access list 8 permit _214_AS path access list 25 permit _42_AS path access list 27 deny _22_|_51$ permit .*


Display the Routes Matched by a Regular Expression

wg6r1#show ip bgp regexp ^\(65002_BGP table version is 85, local router ID is 197.6.2.1Status codes: s suppressed, d damped, h history, * valid, > best, i - internalOrigin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path*> 128.20.0.0 192.168.21.7 100 0 (65002 65003 65004) 99 7 22 i*> 128.22.0.0 192.168.21.7 100 0 (65002 65003 65004) 99 7 22 i*> 128.26.0.0 192.168.21.7 100 0 (65002 65003 65004) 99 7 22 26 i*> 128.37.0.0 192.168.21.2 100 0 (65002 65003 65004) 99 2 20 42 37 i*> 128.42.0.0 192.168.21.7 100 0 (65002 65003 65004) 99 7 20 42 i*> 128.51.0.0 192.168.21.7 100 0 (65002 65003 65004) 99 7 22 26 51 i*> 128.213.0.0 192.168.21.7 100 0 (65002 65003 65004) 99 7 20 213 i


Display the Routes Matched by a Filter List

wg6r1#show ip as-path-access-list 25AS path access list 25 permit _42_

wg6r1#show ip bgp filter-list 25BGP table version is 81, local router ID is 197.6.2.1Status codes: s suppressed, d damped, h history, * valid, > best, i - internalOrigin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path*> 128.37.0.0 192.168.21.2 100 0 (65002 65003 65004) 99 2 20 42 37 i*> 128.42.0.0 192.168.21.7 100 0 (65002 65003 65004) 99 7 20 42 i*> 192.26.11.0 192.168.20.20 0 0 20 42 26 i*> 192.37.11.0 192.168.20.20 0 0 20 42 37 i*> 192.42.11.0 192.168.20.20 0 0 20 42 i


Example: Filter Transit Routes

Internet

Multi-homedCustomer

Service Provider #2

Service Provider #1

router bgp customer-asneighbor ISP-router filter-list 1 out!ip as-path access-list 1 permit ^$


Summary


• Describe the applications of AS Path Filters• Describe AS Path regular expression syntax• Use AS Path regular expressions to match

BGP routes• Configure AS-path filters• Configure filtering of inbound or outbound

updates with AS-path filters


Regular Expressions Review Questions

• What does a regular expression 27 match?• List at least one AS-path matched by the regular

expression $27_• What is the difference between regular expressions

76 and _76_• What is the difference between _100_ and _100$• What is the difference between _100$ and [ ]100$• How do you match AS-paths that contain exactly

two AS-numbers?


AS-path Filters Review Questions

• How can you test your regular expression?• How can you test your AS-path filter before

using it?• What are the steps needed to apply new

inbound routing policy to a neighbor?• What is the recommended AS-path filter to be

used by multi-homed customers?• What is the recommended AS-path filter to be

used by ISP with multi-homed customers?

Prefix-List Filters



Objectives


• List the benefits of prefix lists versus IP access lists

• Describe the applications of prefix lists in BGP networks

• Configure prefix lists filters• Configure filtering of inbound or outbound

updates with prefix list


Requirements for Prefix-Based Filters

• Service Providers have to filter customer updates to ensure that the customers only announce their assigned address space

Internet

Multi-homedCustomerAS12321.0.0.0/8

Service Provider #2

Service Provider #1

BGP

BGP

Network=10.0.0.0/8AS-Path=123


Traditional Prefix Filters

• Traditional IP prefix filters were implemented with IP access-lists configured on distribute-list command

• IP access-lists used as route filters have several drawbacks:• Subnet mask cannot be matched• Access-list is evaluated sequentially for

every IP prefix in the routing update• Access-lists are hard to edit


Prefix Lists - New Route Filtering Mechanism

• Significant performance improvement on long filters• Inside IOS the prefix list is a tree structure and is not scanned

sequentially

• Support for incremental updates • Individual entries in prefix lists can be inserted or deleted

• More user-friendly command-line interface • The command-line interface for using access lists to filter

BGP updates is difficult to understand and use, since it uses the packet filtering format.

• Greater flexibility — can match on subnet masks


Prefix Lists Compared to IP Access Lists

• Key access list features are preserved:• Filtering using “permit” or “deny”• Order dependency (first match wins)• Security-focused: no match means deny

• The matching mechanism has changed• Match routes in a part of address space with

subnet mask longer or shorter than a set number


Prefix List Syntax

• Prefix lists have names and sequence numbers (like route maps)

• An entry with no le or ge parameter matches exactly the specified prefix

• An entry with le or ge parameter matches any route within the address space of address/prefix with prefix longer or equal to ge value and shorter or equal to le value

ip prefix-list list-name [seq seq] permit|deny address/prefix [ge value] [le value]

router(config)#


Prefix List Matching Rules

Prefix list entries with no ge or le option match only the specified route

• Similar to IP access lists with no wildcard bits• The matching process also considers subnet

mask

Which of the following routes will be matched by theip prefix-list MyList permit 192.168.0.0/16

192.168.0.0/16 192.168.0.0/20 192.168.2.0/24


Prefix List Matching Rules

A prefix list entry with ge or le option matches any prefix within specified address space where the subnet mask falls within specified limits

Which of the following routes will be matched by:

ip prefix-list MyList permit 192.168.0.0/16 le 20

192.168.0.0/16 192.168.17.0/20 192.168.2.0/24

ip prefix-list MyList permit 192.168.0.0/16 ge 18

192.168.0.0/16 192.168.17.0/20 192.168.2.0/24


More Prefix-list Examples

What will be matched byip prefix-list A permit 0.0.0.0/0 ge 32ip prefix-list B permit 128.0.0.0/2 ge 17ip prefix-list C permit 0.0.0.0/0 le 32ip prefix-list D permit 0.0.0.0/0ip prefix-list E permit 0.0.0.0/1 le 24

A) All host routesB) Any subnet in class-B address spaceC) All routesD) Just the default routeE) Any prefix in class-A address space covering at least 256

addresses


Prefix List Usage in the BGP Process

neighbor ip-address prefix-list list inrouter(config-router)#

• Filter inbound BGP routing updates from the neighbor

neighbor ip-address prefix-list list outrouter(config-router)#

• Filter outbound BGP routing updates to the neighbor

distribute-list prefix-list prefix-list out routing-processrouter(config-router)#

• Filters routes redistributed from specified routing process into BGP


My router

BGP Filters — Overview

BGPtable

prefix-list in

filter-list in

prefix-list out

filter-list outIGP

(OSPF, EIGRP)

Distribute list out



Displaying Prefix Lists

show ip prefix-list [list-name] [detail|summary]router#

• Displays all or specified prefix list

Barney#show ip prefix-list detailPrefix-list with the last deletion/insertion: InFilterip prefix-list InFilter: count: 4, range entries: 3, sequences: 5 - 20, refcount: 2 seq 5 deny 128.0.0.0/2 le 15 (hit count: 0, refcount: 2) seq 10 deny 192.0.0.0/3 ge 25 (hit count: 0, refcount: 1) seq 15 deny 193.0.0.0/8 ge 21 (hit count: 0, refcount: 1) seq 20 permit 0.0.0.0/0 (hit count: 0, refcount: 1)


Modifying Prefix Lists

show ip prefix-list list-namerouter#

• Displays the prefix list and the sequence numbers

no ip prefix-list seq seq conditionrouter(config-route-map)#

• Erases the line with specified sequence number from the prefix list

ip prefix-list seq seq conditionrouter(config-route-map)#

• Inserts the line into the prefix list at the specified point


Prefix-List ExampleFiltering Customer Prefixes

Internet

Multi-homedCustomerAS123172.16.0.0

Backup ISP

Primarylink

Backup linkPrimary ISP

• Requirement: the customer shall only announceprefixes from assigned address space(172.16.0.0/16), with subnet masks no longer than /24

router bgp Primary-ISP-as neighbor Customer prefix-list Cust-A in!ip prefix-list Cust-A permit

172.16.0.0/16 le 24


Prefix-List ExampleFiltering Peer Prefixes

Internet

Multi-homedCustomer

Backup ISP

Primarylink

Backup linkPrimary ISP

• Requirement: the ISP will not accept routes withsubnet masks longer than /24, subnet masks from class-B address space shall be no longerthan /20

router bgp Primary-ISP-as neighbor Backup-ISP prefix-list Peer in!ip prefix-list Peer permit 128.0.0.0/2 le 20ip prefix-list Peer permit 0.0.0.0/0 le 24


Summary


• List the benefits of prefix lists versus IP access lists

• Describe the applications of prefix lists in BGP networks

• Configure prefix lists filters• Configure filtering of inbound or outbound

updates with prefix list


Review Questions

• What are the benefits of prefix-lists as compared to IP access lists?

• Why would an ISP with multi-homed customers need prefix lists?

• Why would an ISP deploy prefix lists against updates from another ISP?

• How are the prefix lists and the AS-path filters combined?

Route-Maps as BGP Filters



Objectives


• Configure route maps as BGP filters• Describe the applications of BGP filtering

based on route maps


Route Maps as BGP Filters

• Some scenarios require complex filters• Filters on IP prefixes coming from

specific AS-number• Filters on other BGP attributes

• In some cases, we even need to modify BGP attributes

• Route-maps provide solution to both requirements


Route Maps — Review

Route maps are very complex access lists:• lines in access-lists statements in route maps• addresses and masks in access-lists match

conditions in route maps • access-list number route-map name• statements in route-maps are numbered

– you can insert and delete statements in a route-map– you can edit match conditions in a statement

• route-map statement can modify matched route with ‘set’ option


Route-map Syntax

route-map name [permit|deny sequence]match conditionmatch conditionset parameter!...

• Default statement action is ‘permit’• Route not matched by any statement is dropped• ‘Permit all’ is achieved by specifying permit without

‘match’ clause (no need to use artificial no-op)• Match conditions in one statement are ANDed together• First matching statement permits or denies the route


Route-map Conditions

• Route-map conditions are specified in the match statement.

• Route-maps can match on:• Route’s network number and subnet mask matched with IP

prefix-list• Route originator• BGP next-hop address• BGP origin• Tag attached to IGP route• AS-path• BGP community attached to BGP route• IGP route type (internal/external …)


Route-map Set Options

Route-maps can also change the attributes of BGP routes:

• origin• BGP next-hop• weight• BGP community• Local Preference• Multi-exit-discriminator (MED)


Prefix List Usage in the Route Maps

match ip address prefix-list list-namerouter(config-route-map)#

• Use prefix list to match routes in route-map match condition

match ip next-hop prefix-list list-namerouter(config-route-map)#

• Match routes where the next hop matches the conditions in the prefix list

match ip route-source prefix-list list-namerouter(config-route-map)#

• Match routes received from BGP peer that matches the prefix list


Using Route-Maps as BGP Filters

neighbor ip-address route-map name in | outrouter(config-router)#

• Applies a route-map to incoming or outgoing BGP updates

• Prefixes not permitted by route-map are discarded• Route-maps can also change BGP attributes in

incoming or outgoing updates• Route-maps, filter-lists and prefix-lists are

evaluated in sequence (effectively and-ed together)


My router

BGP Filters

BGPtable

prefix-list in

filter-list in

route-map infilter, set attributes

prefix-list out

filter-list out

route-map outfilter, set attributes

IGP(OSPF, EIGRP)

Distribute list outRoute-map onredistribution



Summary


• Configure route maps as BGP filters• Describe the applications of BGP filtering

based on route maps


Review Questions

• Why would you use route-maps on BGP neighbors?• Which BGP attributes can you match with a route-

map?• Which BGP attributes can you set with a route-map?• Where can you use a route-map in BGP?• How does a set statement in an outgoing route-map

affect the BGP table?• How are the route-maps combined with prefix-lists

and AS-path filters?

Influencing BGP Route Selection with Weights



Objectives


• Describe the usage of BGP weights to influence BGP route selection process

• Influence BGP route selection process by configuring weights

• Change BGP weights with AS-path filters• Change BGP weights with a route-map• Monitor BGP route selection process


BGP Route Selection Criteria

• Prefer highest weight (local to router)• Prefer highest local-preference (global within AS)• Prefer routes that the router originated• Prefer shorter AS paths (only length is compared)• Prefer lowest origin code (IGP < EGP < Unknown)• Prefer lowest MED• Prefer external (EBGP) paths over internal (IBGP)• For IBGP paths, prefer path through closest IGP

neighbor• For EBGP paths, prefer oldest (most stable) path• Prefer paths from router with the lower BGP router ID


Influencing BGP Route Selection

BGP routing policy can be specified by using:

• Weights, which provide local routing policy (within a router)

• Local-preference, which provides AS-wide routing policy

BGP weights are specified per neighbor• default weight• as-path based weight• complex criteria with route-maps


My router

Applying BGP Weights

BGPtable

route-map in(filters, weights)

default weight

filter-list weight

Incoming neighbor


Configuring Per-Neighbor Weights

neighbor ip-address weight weightsrouter(config-router)#

• All routes from the BGP neighbor get the specified weight

• BGP routes with higher weight are preferred• Weights are only applied to new incoming updates• To enforce new weights, reestablish BGP sessions

with your neighbors by using clear ip bgp command


Primary/Backup ProviderCustomer Configuration

• Routes received from primary ISP should be preferred over routes received from backup ISP

Internet

Multi-homedCustomer

Backup ISP

Primarylink

Backup link


Primary ISP

router bgp Customer-AS neighbor Primary-ISP weight 150 neighbor Backup-ISP weight 100


Primary/Backup Provider Routing Policy Results

Customer#show ip bgpBGP table version is 16, local router ID is 1.2.3.4Status codes: s suppressed, h history, * valid, > best, i - internalOrigin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path*> 1.0.0.0 0.0.0.0 0 32768 i*> 21.0.0.0 3.4.5.6 150 37 21 i* 2.3.4.5 0 100 21 i*> 37.0.0.0 3.4.5.6 0 150 37 i* 2.3.4.5 100 21 37 i*> 40.0.0.0 3.4.5.6 0 150 37 40 i* 2.3.4.5 100 21 40 i


Configuring Weights Based on AS-path Filters

neighbor ip-address filter-list as-path-acl weight weightsrouter(config-router)#

• All routes from BGP neighbor that match specified AS-path filter get the configured weight

• The AS-path filter is applied after the default weight• Several AS-path filters can be configured and are

applied in sequence• Incoming routes not matched by the filter-list AS-

path filter with weight option are not discarded, only the weight is not affected

• Weights are only applied to new incoming updates


Local Traffic Goes DirectCustomer Configuration

• Traffic to customers of backup ISP goes direct

Internet

Multi-homedCustomer

AS 21

Primarylink

Backup link


AS 37

router bgp Customer-AS neighbor Primary-ISP weight 150 neighbor Backup-ISP weight 100 neighbor Backup-ISP filter-list 7 weight 200!ip as-path access-list 7 permit _21$


Local Traffic Goes DirectRouting Policy Results

Customer#show ip bgpBGP table version is 16, local router ID is 1.2.3.4Status codes: s suppressed, h history, * valid, > best, i - internalOrigin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path*> 1.0.0.0 0.0.0.0 0 32768 i* 21.0.0.0 3.4.5.6 150 37 21 i*> 2.3.4.5 0 200 21 i*> 37.0.0.0 3.4.5.6 0 150 37 i* 2.3.4.5 100 21 37 i*> 40.0.0.0 3.4.5.6 0 150 37 40 i* 2.3.4.5 100 21 40 i


Configuring Weights with Route-Maps

router bgp as-number neighbor ip-address route-map route-map-name in!route-map route-map-name permit sequence match condition set weight weight

router(config)#

• Weights can be set with route-maps in complex scenarios

• Routes can be matched on any combination of prefix-lists, AS-path filters or other BGP attributes

• Routes not matched by the route-map are discarded.


Complex Route Selection Example

• Set weight 200 to networks coming from 2.3.4.5 originated in AS 21router bgp 123neighbor 2.3.4.5 route-map w200 in!route-map w200 permit 10match as-path 47set weight 200!route-map w200 permit 20set weight 100!ip as-path access-list 47 permit _21$


Monitoring BGP Route Selection and Weights

show ip bgprouter>

• Displays all BGP routes, best routes are marked with >, weight associated with every route is displayed

show ip bgp prefix [mask]router>

• Displays all paths for specific BGP routes


Monitoring BGP Table

Fred#show ip bgpBGP table version is 11, local router ID is 12.1.2.3Status codes: s suppressed, d damped, h history, * valid, > best, i - internalOrigin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path*> 10.0.0.0 1.2.0.1 500 100 37 213 i* 1.1.0.1 1000 0 213 i*> 11.0.0.0 1.2.0.1 500 100 37 48 i* 1.1.0.1 1000 0 213 48 i*> 12.0.0.0 0.0.0.0 0 32768 i*> 14.0.0.0 1.1.0.3 0 0 387 i

show ip bgprouter>

• Displays weights associated with all routes in BGP table. Indicates the best route with “>”


Displaying Entries in BGP Table

Fred#show ip bgp 11.0.0.0BGP routing table entry for 11.0.0.0/8, version 5Paths: (2 available, best #1, advertised over EBGP) 213 1.2.0.1 from 1.2.0.1 (10.1.1.1) Origin IGP, metric 500, localpref 100, valid, external, best 213 1.1.0.1 from 1.1.0.1 (11.0.0.1) Origin IGP, metric 1000, localpref 100, valid, external

show ip bgp ip-prefix [mask subnet-mask]router>

• Displays detailed information about all paths for a single prefix


My router

Summary: All BGP Route-Selection and Filtering Tools

BGPtable

prefix-list in

filter-list in


default weight

filter-list weight

prefix-list out

filter-list out

route-map out(filters, ...)

IGP(OSPF, EIGRP)

Distribute list out

Route-map onredistribution



Summary


• Describe the usage of BGP weights to influence BGP route selection process

• Influence BGP route selection process by configuring weights

• Change BGP weights with AS-path filters• Change BGP weights with a route-map• Monitor BGP route selection process


Review Questions

• What is the difference between local-preference and weight?

• How can you set BGP weights?• What is the default weight for routes received from a

BGP neighbor?• How would you implement primary/backup ISP

routing policy?• When are the weights configured on a neighbor

enforced?• What is the difference between filter-list in and filter-

list weight configuration command?

Implementing Changes in BGP Policy



Objectives


• Explain the need for explicit actions when changing BGP policy

• Use soft reconfiguration to prevent disruptive changes of BGP policies

• Identify whether the routers are BGP route-refresh capable

• Use BGP route-refresh to minimize memory usage


Filter Caveats

• All filters apply only to new incoming and outgoing updates

• To change outbound routing policy you have to resend BGP updates to your neighbors

• To change inbound routing policy you have to force your neighbor to resend the updates to you

• Traditional mechanism: clear BGP sessions• IOS 11.2 enhancement — soft reconfiguration• IOS 12.1 enhancement — route refresh


Clearing the BGP Session

clear ip bgp * | ip-adress | peer-group-namerouter#

• Tears down the BGP session with all neighbors, specific neighbor or all neighbors in a peer-group

• All BGP routes are lost after the session is torn down, connectivity through the BGP neighbor is lost

• New session is reestablished within 30 - 60 seconds• Full routing update is exchanged once the session is

reestablished, resulting in enforcement of new routing policy

• Processing the full Internet routing table can take a long time — clearing the BGP session is a very disruptive way to implement routing policies


BGP Soft Reconfiguration

• Soft reconfiguration was introduced in IOS 11.2 to facilitate non-disruptive changes in BGP routing policies

• Outbound soft-reconfiguration resends complete BGP table

Always enabled, not configurable• Inbound soft-reconfiguration stores

complete BGP table of your neighbor in router memory


neighbor ip-address soft-reconfiguration inrouter(config-router)#

• Configures inbound soft-reconfiguration for a BGP neighbor• Consumes memory for an extra copy of neighbor routes

Using Soft Reconfiguration

clear ip bgp * | ip-address | peer-group soft outrouter#

• Resends all BGP routes to the neighbors• Always enabled, no additional memory consumption

clear ip bgp * | ip-address | peer-group soft inrouter#

• Replays stored neighbor routes through inbound BGP filters• Only works with soft reconfiguration enabled


My router

Configuring Soft Reconfiguration Inbound

Distribute list in

filter-list in


default weight

filter-list weight

Copy of updatesreceived from

neighbor

neighbor ip-address soft-reconfiguration inrouter(config-router)#

Incoming neighbor

BGP table


My router

Using Soft Reconfiguration Inbound

BGP table

Distribute list in

filter-list in


default weight

filter-list weight

Copy of updatesreceived from

neighbor

clear ip bgp ip-address soft inrouter#


My router

Soft Reconfiguration Outbound

BGP table

Distribute list out

filter-list out

route-map out(filters, ...)

Outgoing neighbor

clear ip bgp ip-address soft outrouter#

replay


My router

Soft Reconfiguration-Related Show Commands

BGPtable

Filters and routemaps

Filters and routemaps

Incoming neighbor

show ip bgp neighbor address received

show ip bgp neighbor address routes show ip bgp

show ip bgp neighbor address advertised

Outgoing neighbor


BGP Route Refresh

• Inbound soft reconfiguration consumes memory on the receiving router

It’s only needed because there is no mechanism in standard BGP to request retransmission of BGP routes

• BGP route refresh is an optional BGP capability that allows a BGP router to request retransmission of BGP routes from a neighbor


BGP Route Refresh Operation

RTR-A RTR-B

BGP session

Step #1 - Route refresh is negotiated when the BGP session is established

Step #2 - Inbound routing policy is changed on RTR-B

Step #4 - RTR-B sends route refresh message to RTR-A

Route Refresh message

Step #5 - RTR-A resends all BGP routes to RTR-B

BGP routes are resent

Step #3 - Operator requests inbound soft reconfiguration

Router#clear ip bgp address soft in


clear ip bgp * | ip-address | peer-group [ soft ] in 12.1router#

• For neighbors that support BGP route refresh, sends route refresh requests

• For neighbors with inbound soft reconfiguration configured replays stored routes

• Fails for all other neighbors

Using BGP Route Refresh

show ip bgp neighbor [address]router#

• Displays whether route refresh is negotiated with the neighbor


Show ip bgp neighborCisco IOS 12.1 Printout

Router#show ip bgp neighbor 192.168.3.101BGP neighbor is 192.168.3.101, remote AS 3, internal link BGP version 4, remote router ID 192.168.3.101 BGP state = Established, up for 02:15:33 Last read 00:00:33, hold time is 180, keepalive interval is 60 seconds Neighbor capabilities: Route refresh: advertised and received Address family IPv4 Unicast: advertised and received Received 1417 messages, 0 notifications, 0 in queue Sent 1729 messages, 2 notifications, 0 in queue Route refresh request: received 9, sent 29 Minimum time between advertisement runs is 5 seconds

For address family: IPv4 Unicast BGP table version 188, neighbor version 188 Index 2, Offset 0, Mask 0x4 1 accepted prefixes consume 36 bytes Prefix advertised 322, suppressed 0, withdrawn 230

... Rest deleted …


Summary


• Explain the need for explicit actions when changing BGP policy

• Use soft reconfiguration to prevent disruptive changes of BGP policies

• Identify whether the routers are BGP route-refresh capable

• Use BGP route-refresh to minimize memory usage


Review Questions

• How can you enforce a new BGP routing policy?• Why is clearing a BGP session a disruptive change in

routing policy?• Which mechanisms can you use for non-disruptive changes

in BGP routing policy?• What is the impact of inbound soft reconfiguration?• What is the memory and CPU impact of outbound soft

reconfiguration?• When would you prefer inbound soft reconfiguration over

route refresh?• How do you determine whether a BGP neighbor supports

route refresh?

Limiting the Number of Prefixes Received from

a BGP Neighbor



Objectives


• Describe the need for limiting the number of routes received from a BGP neighbor

• Configure BGP maximum-prefix function• Monitor BGP maximum-prefix function


Limiting the Number of Routes Received from a Neighbor

Problem definition:• A misconfigured BGP neighbor can send a

huge number of prefixes that exhaust router’s memory or overload the CPU (several Internet-wide incidents have already occurred)

• All other filtering mechanisms only specify what we’re willing to accept but not how much

• A new tool is needed to establish a hard limit on the number of prefixes received from a neighbor


Maximum-Prefix Command

• Controls how many prefixes can be received from a neighbor

• Optional threshold parameter specifies the percentage where a warning message is logged (default is 75%)

• Optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop neighborship)

neighbor ip-address maximum-prefix maximum [threshold] [warning-only]

router(config-router)#


Monitoring Maximum-Prefix Operation

show ip bgp neighbor [address]router#

• For neighbors with maximum-prefix configured displays the maximum number of prefixes and the warning threshold

• For neighbors exceeding the maximum number of prefixes displays the reason the BGP session is idle


Monitoring Maximum-Prefix Settings

Barney#show ip bgp neighbors 1.3.0.3BGP neighbor is 1.3.0.3, remote AS 387, external link Index 2, Offset 0, Mask 0x4 Community attribute sent to this neighbor BGP version 4, remote router ID 14.1.2.3 BGP state = Established, table version = 6, up for 20:55:10 Last read 00:00:08, hold time is 180, keepalive is 60 seconds Minimum time between advertisement runs is 30 seconds Received 1262 messages, 0 notifications, 0 in queue Sent 1262 messages, 0 notifications, 0 in queue Inbound path policy configured Outbound path policy configured Route map for incoming advertisements is LocPref Route map for outgoing advertisements is BackupComm Connections established 1; dropped 0 Last reset never No. of prefix received 2, maximum limit 5 Threshold for warning message 70%


Actions on Exceeding Maximum Number of Prefixes

Barney#%BGP-4-MAXPFX: No. of prefix received from 1.3.0.3 reaches 4, max 5%BGP-3-MAXPFXEXCEED: No. of prefix received from 1.3.0.3: 6 exceed limit 5

Barney#show ip bgp sumBGP table version is 22, main routing table version 229 network entries (9/27 paths) using 1920 bytes of memory5 BGP path attribute entries using 572 bytes of memory0 BGP route-map cache entries using 0 bytes of memory0 BGP filter-list cache entries using 0 bytes of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd1.0.0.1 4 213 1269 1268 22 0 0 21:02:19 81.3.0.3 4 387 1272 1274 0 0 0 00:00:08 Idle

Barney#show ip bgp neighbor 1.3.0.3BGP neighbor is 1.3.0.3, remote AS 387, external link ... Last reset 00:00:18, due to : Peer exceeding maximum prefix limit Peer had exceeded the max. no. of prefixes configured. Reduce the no. of prefix and clear ip bgp 1.3.0.3 to restore peering No active TCP connectionBarney#


Summary


• Describe the need for limiting the number of routes received from a BGP neighbor

• Configure BGP maximum-prefix function• Monitor BGP maximum-prefix function


Review Questions

• Why would you want to limit number of BGP prefixes received from a neighbor?

• What happens when the number of configured prefixes is exceeded?

• What happens after the BGP session with an offending neighbor is torn down?

• When would a directly-connected BGP neighbor stay in idle state?


Summary

After completing this lesson, you should be able to perform the following tasks:

• Configure AS-path filters, prefix lists and route-maps

• Filter incoming and outgoing BGP updates with AS-path filters, prefix lists and route-maps

• Influence BGP route selection• Monitor and troubleshoot BGP filters• Implement non-disruptive BGP policy changes• Limit the number of routes received from a BGP

neighbor


Documents

Route Filtering and Route Selection in BGP