9.8 BGP Route Filtering and Policy Routing  
  9.8.3 Using distribute-list to filter BGP routes  
To restrict the routing information that the router learns or advertises, filter routing updates. Apply route filters to or from a particular neighbor by using the distribute-list command. See Module 8, Route Optimization, for more details about the syntax of this command. RTD in AS2 is originating network 192.68.10.0/24 and sending it to RTF. RTF will pass the update to RTA by way of IBGP, which in turn will propagate it to AS1. By doing so, AS3 could become a transit AS advertising that it is a path to reach network 192.68.10.0/24.

To prevent this situation from happening, configure RTA with an outbound route filter, as shown in the figure for RTA.

The distribute-list keyword, used as part of a BGP neighbor statement, prevents RTA from advertising prefix 192.68.10.0/24 to RTC. The access list is used to identify the prefixes to be filtered and the distribute-list and out keywords apply the filter to outgoing updates.

Notice that access-list 1 concludes with a permit 0.0.0.0 255.255.255.255 statement that is the same as a permit any statement. Remember that, when using access lists for filtering, anything that does not match a permit statement will be denied. Without the permit 0.0.0.0 255.255.255.255 clause, all updates to RTC would be suppressed.

Configuring BGP neighbor statements to include the distribute-list keyword is effective for filtering specific routes, but controlling supernets can be more complicated.

Configuring a distribute list relies on creating an access list. A standard access list offers only limited functionality here, because it filters on the network address alone and ignores the prefix length. RTA connects to multiple subnets in the 172.16.0.0/16 address space. The purpose is to advertise an aggregate address of 172.16.0.0/16, but not the individual subnets themselves. A standard access list would not work because it permits more than is desired. The following example shows that this access list would permit not only the 172.16.0.0/16 summary, but also all the components of that summary:

access-list 1 permit 172.16.0.0 0.0.255.255

To restrict the update to the 172.16.0.0/16 summary, use an extended access list. Extended access lists are usually thought of as matching both source and destination addresses. In the case of a BGP route filter, an extended access list matches the network address first and then the subnet mask of the prefix. Both network and mask are paired with their own wildcard bitmask, using the following syntax:

router(config)#access-list number permit|deny network network-wildcard mask mask-wildcard

To permit the aggregate address in the example, configure an extended access list to match the network address and also the 16-bit mask of the prefix. Using this configuration, RTA would not send a subnet route, such as 172.16.0.0/17 or 172.16.10.0/24, in an update to AS1.

RTA(config)#router bgp 3
RTA(config-router)#neighbor 172.16.1.1 remote-as 3
RTA(config-router)#neighbor 172.16.20.1 remote-as 1
RTA(config-router)#neighbor 172.16.20.1 distribute-list 101 out
RTA(config-router)#exit
RTA(config)#access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
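The following Python script is an added illustration, not part of the course text and not Cisco IOS code. It models how a distribute-list built from a standard or an extended access list decides each prefix in an outbound update: a wildcard bit of 1 means "don't care", 0 means "must match", the first matching entry wins, and a prefix that matches no entry is denied (the implicit deny discussed for access-list 1). The contents of access-list 1 are an assumption (a deny for 192.68.10.0/24 followed by the permit-any clause, which is what the text describes); access-list 101 and the standard list are taken from the page. Running it shows why the standard list lets every 172.16.0.0/16 component through while the extended list permits only the /16 summary.

```python
"""Model of IOS access-list evaluation for a BGP distribute-list (added example).

Assumed semantics, based on the course text:
  * standard entry : network wildcard            -> matches the prefix's network address
  * extended entry : network wildcard mask mask-wildcard
                     -> matches the network address AND the prefix's subnet mask
  * first matching entry decides; no match -> deny (implicit deny)
"""
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """True if every bit that is 0 in `wildcard` is identical in `value` and `pattern`."""
    v, p, w = (int(IPv4Address(x)) for x in (value, pattern, wildcard))
    care = ~w & 0xFFFFFFFF          # bits the router must compare
    return (v & care) == (p & care)


def std_entry(action: str, network: str, wildcard: str) -> dict:
    """One line of a standard access list, e.g. 'permit 172.16.0.0 0.0.255.255'."""
    return {"action": action, "network": network, "wildcard": wildcard}


def ext_entry(action: str, network: str, wildcard: str, mask: str, mask_wildcard: str) -> dict:
    """One line of an extended access list used as a BGP route filter."""
    return {"action": action, "network": network, "wildcard": wildcard,
            "mask": mask, "mask_wildcard": mask_wildcard}


def acl_decides(entries: list, prefix: str) -> str:
    """Return 'permit' or 'deny' for one prefix; an exhausted list means deny."""
    net = IPv4Network(prefix)
    for e in entries:
        if not wildcard_match(str(net.network_address), e["network"], e["wildcard"]):
            continue
        # Extended entries additionally compare the prefix's subnet mask.
        if "mask" in e and not wildcard_match(str(net.netmask), e["mask"], e["mask_wildcard"]):
            continue
        return e["action"]
    return "deny"   # implicit deny at the end of every access list


def filter_outbound(entries: list, prefixes: list) -> list:
    """Apply the list as 'distribute-list ... out': keep only permitted prefixes."""
    return [p for p in prefixes if acl_decides(entries, p) == "permit"]


# access-list 1 as assumed from the text: block 192.68.10.0/24, then permit any.
ACL_1 = [
    std_entry("deny", "192.68.10.0", "0.0.0.255"),
    std_entry("permit", "0.0.0.0", "255.255.255.255"),
]
# access-list 1 permit 172.16.0.0 0.0.255.255  (standard list from the page)
STD_ACL = [std_entry("permit", "172.16.0.0", "0.0.255.255")]
# access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0  (from the page)
EXT_ACL_101 = [ext_entry("permit", "172.16.0.0", "0.0.255.255", "255.255.0.0", "0.0.0.0")]

# Constructed sample update: the summary, two of its components, and an unrelated route.
SAMPLE_UPDATE = ["172.16.0.0/16", "172.16.0.0/17", "172.16.10.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    print("ACL 1 on 192.68.10.0/24 :", acl_decides(ACL_1, "192.68.10.0/24"))
    print("standard list passes    :", filter_outbound(STD_ACL, SAMPLE_UPDATE))
    print("extended list 101 passes:", filter_outbound(EXT_ACL_101, SAMPLE_UPDATE))
```

The mask comparison is what makes the difference: 172.16.0.0/17 carries mask 255.255.128.0, which fails the exact (wildcard 0.0.0.0) match against 255.255.0.0, so only the /16 summary survives the extended list. Removing the final permit-any entry from ACL_1 would make every prefix fall through to the implicit deny, which is the failure mode described for access-list 1.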

If using an extended access list to accomplish this type of filtering seems confusing, that is not unusual. Improved user friendliness was one of the factors that motivated Cisco to include the ip prefix-list command in IOS 12.0. This command is described in the next section.