9.8 BGP Route Filtering and Policy Routing
9.8.3 Using distribute-list to filter BGP routes
To restrict the routing information that the router learns or advertises, filter routing updates. Apply route filters to or from a particular neighbor by using the distribute-list command. See Module 8, Route Optimization, for more details about the syntax of this command. RTD in AS2 is originating network 192.68.10.0/24 and sending it to RTF. To prevent this situation from happening, configure RTA as shown in the figure.
The distribute-list keyword, used as part of a BGP neighbor statement, prevents RTA from advertising prefix 192.68.10.0/24 to RTC. The access list identifies the prefixes to be filtered, and the distribute-list and out keywords apply the filter to outgoing updates.

Notice that access-list 1 concludes with a permit 0.0.0.0 255.255.255.255 statement, which is the same as a permit any statement. Remember that, when using access lists for filtering, anything that does not match a permit statement is denied. Without the permit 0.0.0.0 255.255.255.255 clause, all updates to RTC would be suppressed.

Configuring BGP neighbor statements to include the distribute-list keyword is effective for filtering specific routes, but controlling supernets can be more complicated. Configuring a distribute list relies on creating an access list, and a standard access list offers only limited functionality. RTA connects to multiple subnets in the 172.16.0.0/16 address space. The purpose is to advertise an aggregate address of 172.16.0.0/16, but not the individual subnets themselves. A standard access list would not work because it permits more than is desired: it filters based on the network address only. The following example shows that this access list would permit not only the 172.16.0.0/16 summary, but also all the components of that summary:
To restrict the update to the 172.16.0.0/16 summary, use an extended access list. Extended access lists are usually thought of as matching both source and destination addresses. In the case of a BGP route filter, an extended access list matches the network address first and then the subnet mask of the prefix. Both network and mask are paired with their own wildcard bitmask, using the following syntax:
To permit the aggregate address in the example, configure an extended access list to match the network address and also the 16-bit mask of the prefix. Using this configuration, RTA would not send a subnet route, such as 172.16.0.0 /17 or 172.16.10.0 /24, in an update to AS1.
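The following added example (not part of the course page; the access-list entries are my reconstruction of the configurations the text describes, and the names Entry, permitted, filter_updates, the route list RTA_ROUTES and the neighbor address in the comments are assumptions) models how an IOS access list decides which BGP prefixes a distribute-list lets through. It covers both passages above: the access-list 1 case, where the trailing permit any is what keeps the other updates to RTC flowing, and the 172.16.0.0/16 aggregate case, where a standard access list matches the network address only and so leaks the component subnets, while an extended access list that also matches the subnet mask passes only the aggregate.

```python
"""Model of IOS access-list matching as used by a BGP distribute-list.

Added example, not the page's or Cisco's code.  ACL contents below are
reconstructed from the text; the neighbor address and BGP AS number in
the comments are placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _wild_match(value: int, pattern: int, wildcard: int) -> bool:
    # Wildcard bit 1 = "don't care", 0 = "must match" (inverse of a subnet mask).
    keep = ~wildcard & 0xFFFFFFFF
    return (value & keep) == (pattern & keep)


@dataclass
class Entry:
    """One access-list line.  mask/mask_wild are set only for extended ACLs."""
    action: str                  # "permit" or "deny"
    net: str
    net_wild: str
    mask: Optional[str] = None
    mask_wild: Optional[str] = None

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        if not _wild_match(int(prefix.network_address), _ip(self.net), _ip(self.net_wild)):
            return False
        if self.mask is None:
            # Standard ACL: only the network address is examined, so any
            # prefix whose address falls under the wildcard range matches.
            return True
        # Extended ACL as a route filter: the "destination" field is compared
        # against the prefix's subnet mask, so the prefix length is checked too.
        return _wild_match(int(prefix.netmask), _ip(self.mask), _ip(self.mask_wild))


def permitted(acl: List[Entry], prefix: str) -> bool:
    """First matching entry wins; an access list ends with an implicit deny."""
    net = ipaddress.IPv4Network(prefix)
    for entry in acl:
        if entry.matches(net):
            return entry.action == "permit"
    return False


def filter_updates(acl: List[Entry], prefixes: List[str]) -> List[str]:
    """Prefixes that survive a 'neighbor ... distribute-list <acl> out'."""
    return [p for p in prefixes if permitted(acl, p)]


# Reconstruction of the page's access-list 1.  Equivalent IOS lines
# (neighbor address and AS number are constructed placeholders):
#   access-list 1 deny 192.68.10.0 0.0.0.255
#   access-list 1 permit 0.0.0.0 255.255.255.255
#   router bgp <RTA-AS>
#    neighbor <RTC-address> distribute-list 1 out
ACL_1 = [
    Entry("deny", "192.68.10.0", "0.0.0.255"),
    Entry("permit", "0.0.0.0", "255.255.255.255"),   # same as "permit any"
]
# The same list without its permit-any clause.
ACL_1_NO_PERMIT_ANY = [Entry("deny", "192.68.10.0", "0.0.0.255")]

# Standard ACL meant to allow the 172.16.0.0/16 aggregate:
#   access-list 2 permit 172.16.0.0 0.0.255.255
STANDARD_172 = [Entry("permit", "172.16.0.0", "0.0.255.255")]

# Extended ACL matching the network address and the 16-bit mask exactly:
#   access-list 101 permit ip 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0
EXTENDED_172 = [Entry("permit", "172.16.0.0", "0.0.0.0", "255.255.0.0", "0.0.0.0")]

# Constructed sample of what RTA holds in its BGP table.
RTA_ROUTES = ["192.68.10.0/24", "10.1.1.0/24", "172.16.0.0/16",
              "172.16.0.0/17", "172.16.10.0/24"]

if __name__ == "__main__":
    for name, acl in [("ACL_1", ACL_1), ("ACL_1_NO_PERMIT_ANY", ACL_1_NO_PERMIT_ANY),
                      ("STANDARD_172", STANDARD_172), ("EXTENDED_172", EXTENDED_172)]:
        print(f"{name}: {filter_updates(acl, RTA_ROUTES)}")
```

Running it shows ACL_1 suppressing only 192.68.10.0/24, the list without permit any suppressing every route, the standard list passing the /16 together with its /17 and /24 components, and the extended list passing the /16 alone.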
If using an extended access list to accomplish this type of filtering seems confusing, that is not unusual. Improved user friendliness was one of the factors that motivated Cisco to include the ip prefix-list command in IOS 12.0. This command is described in the next section.