I. Outbound Filter Based on BGP Prefix
Before starting, make sure that the BGP session is already established.
SUMMARY STEPS:
configure
set policy prefix-list [prefix name] rule [rule number] action [permit/deny]
set policy prefix-list [prefix name] rule [rule number] le [length] (match prefixes whose length is less than or equal to [length])
set policy prefix-list [prefix name] rule [rule number] ge [length] (match prefixes whose length is greater than or equal to [length])
set policy prefix-list [prefix name] rule [rule number] prefix [prefix match]
(with neither le nor ge set, only the exact prefix length matches)
EXAMPLE:
set policy prefix-list bogon-ip rule 10 action permit
set policy prefix-list bogon-ip rule 10 le 32
set policy prefix-list bogon-ip rule 10 prefix 172.16.0.0/12
Explanation of the rule above:
Rule 10 of the prefix-list bogon-ip permits 172.16.0.0/12 and every more-specific prefix inside it down to /32. The le 32 is an upper bound on the prefix length, not a lower one: without it, only an exact 172.16.0.0/12 would match, and a /24 carved out of that block would slip past the rule.
Example of BGP Prefix-Based Outbound Route Filtering
Goal:
We will block all bogon prefixes and advertise from Router A only the public prefixes belonging to Skyline and STI, matching those prefixes and any more-specifics of them up to /32. Note that "permit" in a prefix-list only means "this prefix matches the list"; whether the route is dropped or advertised is decided by the action of the route-map rule that references the list. That is why the bogon-ip list permits the bogon ranges and route-map rule 10, which matches on that list, denies them.
Router A (SENDER):
# show protocols bgp [Your ASN] neighbor [IP Neighbour]
address-family {
ipv4-unicast {
nexthop-self
prefix-list {
export deny.default.route
}
route-map {
export rule.out
import rule.in
}
}
}
description ROUTER A
remote-as [ ASN ROUTER B ]
# show policy route-map rule.out
rule 10 {
action deny
match {
ip {
address {
prefix-list bogon-ip
}
}
}
}
rule 11 {
action permit
match {
ip {
address {
prefix-list own-pref.core
}
}
}
}
# show policy prefix-list bogon-ip
rule 10 {
action permit
le 32
prefix 172.16.0.0/12
}
rule 11 {
action permit
le 32
prefix 10.0.0.0/8
}
rule 12 {
action permit
le 32
prefix 192.168.0.0/16
}
rule 13 {
action permit
le 32
prefix 169.254.0.0/16
}
# show policy prefix-list own-pref.core
rule 10 {
action permit
le 32
prefix [your prefix/]
}
rule 99 {
action deny
prefix 0.0.0.0/0
}
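To check the semantics above offline before applying them to a live session, here is an added example (not from the original page) that simulates how VyOS/FRR evaluates a prefix-list (first matching rule decides, implicit deny at the end, le/ge bounding the prefix length) and how the route-map rule.out combines the two lists (a `match ip address prefix-list X` clause is true only when X permits the prefix; the first matching route-map rule wins; no match means deny). It serves both this section and the route-map section further down. The own-pref.core prefix 203.0.113.0/24 is an assumption standing in for "[your prefix/]"; the sample prefixes are constructed.

```python
"""Added example: simulate VyOS/FRR prefix-list and route-map evaluation
so le/ge semantics and first-match behaviour can be checked offline."""
import ipaddress

# A prefix-list rule is (action, prefix, ge, le); None means "not set".
# Constructed copies of the page's lists. own-pref.core uses 203.0.113.0/24
# (RFC 5737 documentation space) as an assumed stand-in for "[your prefix/]".
PREFIX_LISTS = {
    "bogon-ip": [
        ("permit", "172.16.0.0/12", None, 32),
        ("permit", "10.0.0.0/8", None, 32),
        ("permit", "192.168.0.0/16", None, 32),
        ("permit", "169.254.0.0/16", None, 32),
    ],
    "own-pref.core": [
        ("permit", "203.0.113.0/24", None, 32),  # assumption: your prefix
        ("deny", "0.0.0.0/0", None, None),       # exact match: the default route only
    ],
}

# route-map rule.out as (action, prefix-list name), evaluated in order.
ROUTE_MAP = [
    ("deny", "bogon-ip"),
    ("permit", "own-pref.core"),
]


def rule_matches(rule, prefix: str) -> bool:
    """Prefix-list rule semantics: the route must lie inside the rule's
    prefix and its length must satisfy ge/le; with neither set, only the
    rule's own prefix length matches."""
    _, rule_prefix, ge, le = rule
    route = ipaddress.ip_network(prefix)
    net = ipaddress.ip_network(rule_prefix)
    if not route.subnet_of(net):
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else route.max_prefixlen
    return lo <= route.prefixlen <= hi


def prefix_list_permits(name: str, prefix: str) -> bool:
    """First matching rule decides; a list with no matching rule denies."""
    for rule in PREFIX_LISTS[name]:
        if rule_matches(rule, prefix):
            return rule[0] == "permit"
    return False


def route_map_action(prefix: str) -> str:
    """'match ip address prefix-list X' is true only when X permits the
    prefix. The first matching route-map rule wins; no match means deny."""
    for action, plist in ROUTE_MAP:
        if prefix_list_permits(plist, prefix):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed candidates: a bogon, our prefix, a more-specific of it,
    # someone else's prefix, the default route and a too-short bogon parent.
    for p in ["10.1.2.0/24", "203.0.113.0/24", "203.0.113.128/25",
              "198.51.100.0/24", "0.0.0.0/0", "172.0.0.0/11"]:
        print(f"{p:18} -> {route_map_action(p)}")
```

The 172.0.0.0/11 case shows the le bound working as intended: a prefix shorter than the rule's /12 is not "inside" 172.16.0.0/12, so it is not classed as a bogon by that rule. Pair le with ge (for example ge 24 le 24) when you want to accept only a specific length such as /24s.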
II. BGP AS-PATH FILTERING
Before starting, make sure that the BGP session is already established.
SUMMARY STEPS:
configure
set policy as-path-list [as-path name] rule [rule number] action [permit/deny]
set policy as-path-list [as-path name] rule [rule number] regex [BGP regular expression]
Commonly Used Regex Patterns:
| No | Regex | Meaning | Example |
|---|---|---|---|
| 1 | ^ | Starts with | ^55653 → path starts with AS 55653 (the route was learned directly from AS 55653) |
| 2 | $ | Ends with | ^55653$ → path is exactly AS 55653, no other ASN before or after it |
| 3 | _ | Delimiter: start of path, end of path, or the space between two ASNs | _55653$ → path ends with AS 55653 (the origin AS is 55653), whatever ASNs come before it |
| 4 | ( ) | Grouping, with `\|` separating alternatives inside the parentheses | `_(55653\|` … (the rest of this example did not survive on the page) |
| 5 | .+ | Anything (one or more characters) | Matches any non-empty AS path; usually the last rule, to permit or deny everything not matched earlier |
Operators:
| Operator | Definition |
|---|---|
| {m,n} | At least m and at most n repetitions of the term |
| {m} | Exactly m repetitions |
| {m,} | m or more repetitions |
| * | Zero or more repetitions (same as {0,}) |
| + | One or more repetitions (same as {1,}) |
| ? | Zero or one repetition (same as {0,1}) |
| \| | Alternation: matches either the term before it or the term after it |
| – | Inclusive range between a start and an end value |
| ^ | Anchor at the beginning of the path (Junos adds it implicitly; VyOS/FRR does not, so an unanchored regex matches anywhere in the path) |
| $ | Anchor at the end of the path (Junos adds it implicitly; VyOS/FRR does not) |
| ( ) | Group of terms, no space inside |
| [ ] | Set or range; ^ as the first character inside the brackets negates the set. On VyOS/FRR this is a POSIX character class over single digits, so it cannot express a range of AS numbers |
EXAMPLE:
We only want to accept routes originated by the neighbor AS 133803 itself. The regex ^133803$ matches only a path consisting of exactly one ASN, 133803; anything the neighbor transits from other ASes (for example 133803 64500) fails rule 10 and is caught by rule 11, which denies everything else.
rule 10 {
action permit
description BLABLABLA
regex ^133803$
}
rule 11 {
action deny
regex .+
}
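Because the regex rows in the tables above are easy to get wrong (the `_` delimiter and the missing implicit anchors on VyOS/FRR in particular), here is an added example, not from the original page, that evaluates AS-path regexes the way FRR does: `_` is rewritten to "start of path, end of path, or a delimiter" before compiling, the regex is searched unanchored, and an as-path-list is walked first-match with an implicit deny at the end. The AS paths are constructed strings in the space-separated form FRR uses; the ASNs 133803, 55653, 64500 and 65001 are illustrative.

```python
"""Added example: AS-path regex matching with FRR/VyOS semantics."""
import re

# FRR rewrites '_' to this alternation before compiling the regex:
# beginning of path, a delimiter character, or end of path.
_UNDERSCORE = "(^|[,{}() ]|$)"


def frr_regex(pattern: str) -> "re.Pattern":
    """Compile a VyOS/FRR style AS-path regex as FRR would."""
    return re.compile(pattern.replace("_", _UNDERSCORE))


def as_path_matches(pattern: str, as_path: str) -> bool:
    """Unanchored search: only ^ and $ you write yourself anchor the match."""
    return frr_regex(pattern).search(as_path) is not None


# The page's as-path-list: permit paths that are exactly AS 133803, deny the rest.
AS_PATH_LIST = [
    ("permit", "^133803$"),
    ("deny", ".+"),
]


def as_path_list_action(rules, as_path: str) -> str:
    """First matching rule decides; no match means the implicit deny."""
    for action, pattern in rules:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed AS paths as FRR prints them (space separated, empty = locally originated).
    for path in ["133803", "133803 64500", "64500 133803", ""]:
        print(f"{path!r:20} -> {as_path_list_action(AS_PATH_LIST, path)}")
    # Pitfall: without '_' or anchors, '1338' matches inside 133803.
    print(as_path_matches("1338", "65001 133803"), as_path_matches("_1338_", "65001 133803"))
```

The last two calls illustrate why the `_` delimiter matters: a bare number matches as a substring of a longer ASN, so always wrap an ASN in `_` or anchor it with `^` and `$` when you mean a whole AS number. An empty path (a route the router originates itself) matches neither rule of the page's list and is denied by the implicit deny, which is worth remembering if the same list is ever applied on export.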
III. ROUTE MAP
Before starting, make sure that BGP is already established.
SUMMARY STEPS:
configure
set policy route-map [route-map name] rule [rule number] action [deny/permit]
set policy route-map [route-map name] rule [rule number] match ip address [access-list/prefix-list] [number or name]
set policy route-map [route-map name] rule [rule number] set [aggregator/as-path-exclude/as-path-prepend/atomic-aggregate/bgp-extcommunity-rt/comm-list/community/ip-next-hop/local-preference/originator-id/weight]
EXAMPLE (the route-map rule.out from section I): rule 10 drops anything the bogon-ip list matches, rule 11 advertises what own-pref.core permits, and any prefix matched by neither rule hits the implicit deny at the end of the route-map. Rules are evaluated in numeric order and the first match wins, so keep the deny rules before the permit rules.
rule 10 {
action deny
match {
ip {
address {
prefix-list bogon-ip
}
}
}
}
rule 11 {
action permit
match {
ip {
address {
prefix-list own-pref.core
}
}
}
}