Saturday, December 11, 2010

BGP AS-Path filter using Regular Expressions

Using AS-path filters we can accept or reject route prefixes based on the AS numbers that appear in their AS_PATH attribute.

In this post I will use the following network topology (R1 in AS 100 peering with two eBGP neighbors, R2 and R3):

The BGP process on R1 is configured as follows:

router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor ebgp peer-group
 neighbor ebgp password cisco
 neighbor ebgp ebgp-multihop 5
 neighbor ebgp version 4
 neighbor ebgp soft-reconfiguration inbound
 neighbor 10.1.12.2 remote-as 2503
 neighbor 10.1.12.2 peer-group ebgp
 neighbor 10.1.13.3 remote-as 3113
 neighbor 10.1.13.3 peer-group ebgp
 no auto-summary

Looking at R1's BGP table shows us the prefixes received from all ASes:

R1#sh ip bgp
BGP table version is 71, local router ID is 200.5.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          10.1.13.3                              0 3113 5523 i
*                   10.1.12.2                              0 2503 4413 5523 i
*  2.2.2.0/24       10.1.13.3                              0 3113 4413 2503 ?
*>                  10.1.12.2                0             0 2503 ?
r  10.1.12.0/24     10.1.13.3                              0 3113 4413 2503 ?
r>                  10.1.12.2                0             0 2503 ?
*  10.1.24.0/24     10.1.13.3                              0 3113 4413 2503 ?
*>                  10.1.12.2                0             0 2503 ?
*  12.0.1.0/24      10.1.13.3                              0 3113 4413 2503 ?
*>                  10.1.12.2                0             0 2503 ?
*  13.0.1.0/24      10.1.12.2                              0 2503 4413 3113 i
*>                  10.1.13.3                0             0 3113 i
*  14.0.1.0/24      10.1.13.3                              0 3113 4413 i
*>                  10.1.12.2                              0 2503 4413 i
*> 55.1.0.0/24      10.1.13.3                              0 3113 5523 i
*                   10.1.12.2                              0 2503 4413 5523 i
*> 55.2.0.0/24      10.1.13.3                              0 3113 5523 i
*                   10.1.12.2                              0 2503 4413 5523 i
*> 55.3.0.0/24      10.1.13.3                              0 3113 5523 i
*                   10.1.12.2                              0 2503 4413 5523 i

The first AS-path filter I use filters out routes that pass through R4 (AS4413). I will configure the following as-path access-list:

ip as-path access-list 1 deny _4413_
ip as-path access-list 1 permit .*

The expression _4413_ matches any AS path that contains 4413 as a whole AS number, whether at the beginning, in the middle or at the end of the path (the underscore matches a path boundary or a separator, so it does not match 4413 embedded in a longer number). The as-path ACL is then applied to the neighbors in the inbound direction:

R1(config-router)#neighbor ebgp filter-list 1 in

(In this lab I'm using a peer-group called ebgp to apply the same configuration to both eBGP neighbors, R2 and R3.)

The result of this AS-Path filter:

R1#sh ip bgp
BGP table version is 73, local router ID is 200.5.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          10.1.13.3                              0 3113 5523 i
*> 2.2.2.0/24       10.1.12.2                0             0 2503 ?
r> 10.1.12.0/24     10.1.12.2                0             0 2503 ?
*> 10.1.24.0/24     10.1.12.2                0             0 2503 ?
*> 12.0.1.0/24      10.1.12.2                0             0 2503 ?
*> 13.0.1.0/24      10.1.13.3                0             0 3113 i
*> 55.1.0.0/24      10.1.13.3                              0 3113 5523 i
*> 55.2.0.0/24      10.1.13.3                              0 3113 5523 i
*> 55.3.0.0/24      10.1.13.3                              0 3113 5523 i

All prefixes are still received except those whose AS path traverses AS4413 (14.0.1.0/24, which is only reachable through AS4413, has disappeared entirely). Note that the explicit permit .* entry is required: an as-path access-list ends with an implicit deny, so without it every path would be dropped.

Next I will configure an as-path ACL that permits only prefixes originated by AS4413, i.e. paths in which 4413 is the last (origin) AS:

ip as-path access-list 3 permit _4413$

The result:

R1#sh ip bgp
BGP table version is 83, local router ID is 200.5.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  14.0.1.0/24      10.1.13.3                              0 3113 4413 i
*>                  10.1.12.2                              0 2503 4413 i

R1 now accepts only the prefix originated by AS4413 (14.0.1.0/24, via both neighbors) and nothing else.

More examples:

".*" is the match-all regular expression.

"^$" matches an empty AS path, i.e. prefixes originated inside the local AS. If the router's AS is 100, this matches only routes originated in AS 100 (the internal prefixes of the AS).
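To make the matching rules concrete, here is an added Python model of how an as-path access-list is evaluated; it is my own illustration, not IOS code or anything from the original post. It translates the IOS-specific "_" token into an ordinary regular expression, evaluates list entries in order with the implicit deny at the end, and replays access-lists 1 and 3 (and "^$") against R1's pre-filter table transcribed from the show ip bgp output above. The AS number 44130 used at the end is a constructed value to show why "_4413_" is safer than a bare "4413".

```python
import re

# IOS as-path regular expressions use '_' as a token boundary: it matches the
# start or end of the path, a space, a comma, or a brace/parenthesis. Python's
# re module has no such atom, so this translation (mine, an approximation of
# the IOS semantics) expands it into an equivalent alternation.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_regex_to_python(expr: str) -> str:
    """Translate an IOS-style as-path regex into an equivalent Python regex."""
    return expr.replace("_", IOS_UNDERSCORE)


def as_path_permitted(acl, as_path: str) -> bool:
    """Evaluate an as-path access-list against one AS_PATH string.

    acl is an ordered list of (action, ios_regex) tuples. As on IOS, the first
    entry whose regex is found anywhere in the path wins (re.search, not a
    full match), and a path that matches no entry hits the implicit deny.
    """
    for action, expr in acl:
        if re.search(ios_regex_to_python(expr), as_path):
            return action == "permit"
    return False


def apply_filter_list(table, acl):
    """Return {prefix: [(next_hop, as_path), ...]} keeping only permitted paths.

    A prefix whose every path is denied disappears from the result, which is
    what happens to 14.0.1.0/24 on R1 after 'neighbor ebgp filter-list 1 in'.
    """
    kept = {}
    for prefix, paths in table.items():
        permitted = [(nh, p) for nh, p in paths if as_path_permitted(acl, p)]
        if permitted:
            kept[prefix] = permitted
    return kept


# R1's pre-filter table, transcribed from the post's first show ip bgp output
# (next hop and AS_PATH without the origin code).
R1_TABLE = {
    "0.0.0.0":      [("10.1.13.3", "3113 5523"),      ("10.1.12.2", "2503 4413 5523")],
    "2.2.2.0/24":   [("10.1.13.3", "3113 4413 2503"), ("10.1.12.2", "2503")],
    "10.1.12.0/24": [("10.1.13.3", "3113 4413 2503"), ("10.1.12.2", "2503")],
    "10.1.24.0/24": [("10.1.13.3", "3113 4413 2503"), ("10.1.12.2", "2503")],
    "12.0.1.0/24":  [("10.1.13.3", "3113 4413 2503"), ("10.1.12.2", "2503")],
    "13.0.1.0/24":  [("10.1.12.2", "2503 4413 3113"), ("10.1.13.3", "3113")],
    "14.0.1.0/24":  [("10.1.13.3", "3113 4413"),      ("10.1.12.2", "2503 4413")],
    "55.1.0.0/24":  [("10.1.13.3", "3113 5523"),      ("10.1.12.2", "2503 4413 5523")],
    "55.2.0.0/24":  [("10.1.13.3", "3113 5523"),      ("10.1.12.2", "2503 4413 5523")],
    "55.3.0.0/24":  [("10.1.13.3", "3113 5523"),      ("10.1.12.2", "2503 4413 5523")],
}

# The two access-lists from the post.
ACL_1 = [("deny", "_4413_"), ("permit", ".*")]   # drop anything transiting AS4413
ACL_3 = [("permit", "_4413$")]                    # keep only AS4413-originated paths

# A list written without the underscores, to show why they matter: a bare
# 4413 also matches inside a longer number such as 44130 (constructed value),
# which the boundary-aware version correctly leaves alone.
ACL_NAIVE = [("deny", "4413"), ("permit", ".*")]

if __name__ == "__main__":
    for name, acl in (("filter-list 1", ACL_1), ("filter-list 3", ACL_3)):
        print(f"--- R1 table after {name} ---")
        for prefix, paths in apply_filter_list(R1_TABLE, acl).items():
            for nh, p in paths:
                print(f"{prefix:15} via {nh:10} {p}")
    print("^$ on empty path  :", as_path_permitted([("permit", "^$")], ""))
    print("_4413_ vs 44130   :", as_path_permitted(ACL_1, "44130"))
    print("bare 4413 vs 44130:", as_path_permitted(ACL_NAIVE, "44130"))
```

Running it reproduces the two filtered tables from the post: list 1 keeps nine prefixes and drops 14.0.1.0/24, list 3 keeps only 14.0.1.0/24 with both of its paths. Two points worth checking in your own filters are visible here: a list with only deny entries permits nothing because of the implicit deny, and a pattern without "_" boundaries can match an AS number you never intended.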
