Tuesday, May 6, 2014

CCNP ROUTE: 8. Route Filtering and Clearing BGP Peers

BGP allows the filtering of BGP Update messages on any BGP router. The filtering is done per neighbor, and it can be applied to inbound Updates, outbound Updates, or both.
After adding a new BGP filter to a router’s configuration, the BGP neighbor relationships must be reset or cleared to cause the filter to take effect.

The biggest conceptual difference between BGP and IGP filtering relates to what BGP can match about a prefix when deciding whether to filter the route.
EIGRP matches on the prefix/length. BGP can match the prefix/length as well, but it can also match on the large set of BGP Path Attributes (PAs).

The biggest configuration difference between BGP and IGP filtering, besides the details of matching BGP PAs, is that with BGP the filters must be applied to specific neighbors.
BGP configuration does not allow a single filter to be applied to all inbound or all outbound updates.
Instead, the BGP filtering configuration enables filters per neighbor (using a neighbor command), referencing the type of BGP filter, the filter number or name, and the direction (in or out).

Typically, an Enterprise would use outbound filtering on its eBGP neighborships, filtering all routes except for the known public prefixes that need to be advertised into the Internet, in order to avoid becoming a Transit AS.

BGP Filtering tools:

1. neighbor distribute-list (using standard or extended ACL)
2. neighbor prefix-list 
3. neighbor filter-list (filters on the AS_PATH, referencing an "ip as-path access-list")
4. neighbor route-map (filters on prefix, prefix length, AS_PATH or any other PA)

First, we shut down the Fa0/0 interfaces on both R1 and R2, so that each of them has a single link to the ISP (to R101 and R102 respectively), and we also shut down the FastEthernet interfaces on R103:
R1(config)#int fa 0/0
R1(config-if)#shutdown
R2(config)#int fa0/0
R2(config-if)#shutdown
R103(config)#int fa 0/0
R103(config-if)#shutdown 
R103(config-if)#int fa 0/1
R103(config-if)#shutdown

Let's start with the following configurations loaded on the routers, so that the eBGP neighborships are established.

R1:

!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 101.101.101.101 remote-as 101
 neighbor 101.101.101.101 password ccnp
 neighbor 101.101.101.101 ebgp-multihop 2
 neighbor 101.101.101.101 update-source Loopback1
 no auto-summary
!
ip route 101.101.101.101 255.255.255.255 201.1.1.2
!

R2:

!
interface Loopback2
 ip address 2.2.2.2 255.255.255.255
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 102.102.102.102 remote-as 102
 neighbor 102.102.102.102 ebgp-multihop 2
 neighbor 102.102.102.102 update-source Loopback2
 no auto-summary
!
ip route 102.102.102.102 255.255.255.255 202.2.2.6
!

R101:

!
interface Loopback101
 ip address 101.101.101.101 255.255.255.255
!
router bgp 101
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 password ccnp
 neighbor 1.1.1.1 ebgp-multihop 2
 neighbor 1.1.1.1 update-source Loopback101
 neighbor 104.104.104.104 remote-as 104
 neighbor 104.104.104.104 password ccnp
 neighbor 104.104.104.104 ebgp-multihop 2
 neighbor 104.104.104.104 update-source Loopback101
 no auto-summary
!
ip route 1.1.1.1 255.255.255.255 201.1.1.1
ip route 104.104.104.104 255.255.255.255 114.1.1.2
!

R102:

!
interface Loopback102
 ip address 102.102.102.102 255.255.255.255
!
router bgp 102
 no synchronization
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 ebgp-multihop 2
 neighbor 2.2.2.2 update-source Loopback102
 neighbor 103.103.103.103 remote-as 103
 neighbor 103.103.103.103 ebgp-multihop 2
 neighbor 103.103.103.103 update-source Loopback102
 no auto-summary
!
ip forward-protocol nd
ip route 2.2.2.2 255.255.255.255 202.2.2.5
ip route 103.103.103.103 255.255.255.255 123.1.1.2
!

R103:

!
interface Loopback103
 ip address 103.103.103.103 255.255.255.255
!
router bgp 103
 no synchronization
 bgp log-neighbor-changes
 neighbor 102.102.102.102 remote-as 102
 neighbor 102.102.102.102 ebgp-multihop 2
 neighbor 102.102.102.102 update-source Loopback103
 neighbor 104.104.104.104 remote-as 104
 neighbor 104.104.104.104 ebgp-multihop 2
 neighbor 104.104.104.104 update-source Loopback103
 no auto-summary
!      
ip route 102.102.102.102 255.255.255.255 123.1.1.1
ip route 104.104.104.104 255.255.255.255 134.1.1.2
!

R104:

!
interface Loopback40
 ip address 192.168.40.40 255.255.255.255
!
interface Loopback41
 ip address 192.168.41.41 255.255.255.255
!
interface Loopback42
 ip address 192.168.42.42 255.255.255.255
!
interface Loopback43
 ip address 192.168.43.43 255.255.255.255
!
interface Loopback44
 ip address 192.168.44.44 255.255.255.255
!
interface Loopback104
 ip address 104.104.104.104 255.255.255.255
!
router bgp 104
 no synchronization
 bgp log-neighbor-changes
 network 192.168.40.40 mask 255.255.255.255
 network 192.168.41.41 mask 255.255.255.255
 network 192.168.42.42 mask 255.255.255.255
 network 192.168.43.43 mask 255.255.255.255
 network 192.168.44.44 mask 255.255.255.255
 neighbor 101.101.101.101 remote-as 101
 neighbor 101.101.101.101 password ccnp
 neighbor 101.101.101.101 ebgp-multihop 2
 neighbor 101.101.101.101 update-source Loopback104
 neighbor 103.103.103.103 remote-as 103
 neighbor 103.103.103.103 ebgp-multihop 2
 neighbor 103.103.103.103 update-source Loopback104
 no auto-summary
!
ip route 101.101.101.101 255.255.255.255 114.1.1.1
ip route 103.103.103.103 255.255.255.255 134.1.1.1
!

As a result, R1 learns the following networks from R101:

R101#show ip bgp neighbors 1.1.1.1 advertised-routes 
BGP table version is 6, local router ID is 101.101.101.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.40.40/32 104.104.104.104          0             0 104 i
*> 192.168.41.41/32 104.104.104.104          0             0 104 i
*> 192.168.42.42/32 104.104.104.104          0             0 104 i
*> 192.168.43.43/32 104.104.104.104          0             0 104 i
*> 192.168.44.44/32 104.104.104.104          0             0 104 i

Total number of prefixes 5

R1#show ip bgp
BGP table version is 6, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.40.40/32 101.101.101.101                        0 101 104 i
*> 192.168.41.41/32 101.101.101.101                        0 101 104 i
*> 192.168.42.42/32 101.101.101.101                        0 101 104 i
*> 192.168.43.43/32 101.101.101.101                        0 101 104 i
*> 192.168.44.44/32 101.101.101.101                        0 101 104 i

Let's say ISP 1 does not want to advertise some of these routes to the Enterprise.
We can now use the filtering tools described above.

1) For the 192.168.40.40 route we will use an access list referenced by a distribute-list.

R101(config)#access-list 101 deny ip host 192.168.40.40 host 255.255.255.255
R101(config)#access-list 101 permit ip any any
R101(config)#router bgp 101
R101(config-router)#neighbor 1.1.1.1 distribute-list 101 out
R101#clear ip bgp 1.1.1.1
R101#
*Mar  1 00:24:22.767: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down User reset
R101#
*Mar  1 00:24:24.119: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

Now, R101 advertises all routes except 192.168.40.40/32 to R1:

R101#show ip bgp neighbors 1.1.1.1 advertised-routes 
BGP table version is 6, local router ID is 101.101.101.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.41.41/32 104.104.104.104          0             0 104 i
*> 192.168.42.42/32 104.104.104.104          0             0 104 i
*> 192.168.43.43/32 104.104.104.104          0             0 104 i
*> 192.168.44.44/32 104.104.104.104          0             0 104 i

Total number of prefixes 4

Checking on R1:

R1#show ip bgp
BGP table version is 25, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.41.41/32 101.101.101.101                        0 101 104 i
*> 192.168.42.42/32 101.101.101.101                        0 101 104 i
*> 192.168.43.43/32 101.101.101.101                        0 101 104 i
*> 192.168.44.44/32 101.101.101.101                        0 101 104 i

Note: The clear ip bgp 1.1.1.1 command tells the router issuing it (R101 here) to perform a hard reset of that neighbor connection, which brings down the TCP connection and removes all BGP table entries associated with that neighbor.

2) For the 192.168.41.41 route we will use a prefix-list.

Continuing the above example, we replace the distribute-list with a prefix-list that filters the requested route.

R101(config)#ip prefix-list no41 deny 192.168.41.41/32
R101(config)#ip prefix-list no41 permit 0.0.0.0/0 le 32
R101(config-router)#no neighbor 1.1.1.1 distribute-list 101 out
R101(config-router)#neighbor 1.1.1.1 prefix-list no41 out
R101#clear ip bgp 1.1.1.1
R101#
*Mar  1 00:34:22.755: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down User reset
R101#
*Mar  1 00:34:24.051: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

As expected, now the 192.168.41.41 route is filtered:

R101#show ip bgp neighbors 1.1.1.1 advertised-routes 
BGP table version is 6, local router ID is 101.101.101.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.40.40/32 104.104.104.104          0             0 104 i
*> 192.168.42.42/32 104.104.104.104          0             0 104 i
*> 192.168.43.43/32 104.104.104.104          0             0 104 i
*> 192.168.44.44/32 104.104.104.104          0             0 104 i

Total number of prefixes 4

Checking on R1:

R1#show ip bgp
BGP table version is 33, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.40.40/32 101.101.101.101                        0 101 104 i
*> 192.168.42.42/32 101.101.101.101                        0 101 104 i
*> 192.168.43.43/32 101.101.101.101                        0 101 104 i
*> 192.168.44.44/32 101.101.101.101                        0 101 104 i

3) To filter all the 192.168.x.x routes we will use a filter-list. The routes are filtered not based on the prefix, but based on the AS_PATH.
For example, if we want R101 not to send R1 any routes that have AS 104 at the end of the AS_PATH (that is, routes originated in AS 104), while permitting all other routes:

R101(config)#ip as-path access-list 222 deny _104$
R101(config)#ip as-path access-list 222 permit .*
R101(config)#router bgp 101
R101(config-router)#no neighbor 1.1.1.1 prefix-list no41 out
R101(config-router)#neighbor 1.1.1.1 filter-list 222 out
R101#clear ip bgp 1.1.1.1
R101#
*Mar  1 01:14:32.711: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down User reset
R101#
*Mar  1 01:14:34.863: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

As a result, R101 filters all routes originating in AS 104:

R101#show ip bgp neighbors 1.1.1.1 advertised-routes 

Total number of prefixes 0

R1#show ip bgp

R1#

4) For the 192.168.43.43 and 192.168.44.44 routes we will use a prefix-list referenced by a route-map. All other routes will be permitted.

R101(config)#router bgp 101
R101(config-router)#no neighbor 1.1.1.1 filter-list 222 out 
R1#show ip bgp
BGP table version is 44, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.40.40/32 101.101.101.101                        0 101 104 i
*> 192.168.41.41/32 101.101.101.101                        0 101 104 i
*> 192.168.42.42/32 101.101.101.101                        0 101 104 i
*> 192.168.43.43/32 101.101.101.101                        0 101 104 i
*> 192.168.44.44/32 101.101.101.101                        0 101 104 i


R101(config)#ip prefix-list no4344 permit 192.168.43.43/32 
R101(config)#ip prefix-list no4344 permit 192.168.44.44/32
R101(config)#route-map no_43_44 deny 10
R101(config-route-map)#match ip address prefix-list no4344
R101(config)#route-map no_43_44 permit 20

R101(config)#router bgp 101
R101(config-router)#neighbor 1.1.1.1 route-map no_43_44 out 
R101#clear ip bgp 1.1.1.1
R101#
*Mar  1 01:35:03.467: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down User reset
R101#
*Mar  1 01:35:05.607: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

R101#show ip bgp neighbors 1.1.1.1 advertised-routes 
BGP table version is 6, local router ID is 101.101.101.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.40.40/32 104.104.104.104          0             0 104 i
*> 192.168.41.41/32 104.104.104.104          0             0 104 i
*> 192.168.42.42/32 104.104.104.104          0             0 104 i

Total number of prefixes 3

Checking on R1:

R1#show ip bgp
BGP table version is 62, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.40.40/32 101.101.101.101                        0 101 104 i
*> 192.168.41.41/32 101.101.101.101                        0 101 104 i
*> 192.168.42.42/32 101.101.101.101                        0 101 104 i
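To make the matching semantics of the four tools from steps 1-4 concrete, here is an added Python model of how IOS evaluates a distribute-list ACL, a prefix-list, an as-path access-list and a route-map against a BGP table. It is illustrative code written for this post, not IOS code and not part of the original lab; the five /32 routes are constructed from R104's loopbacks, and the filter entries mirror the lab commands. It also goes one step beyond the lab by applying the AS_PATH regexes to the routes as R1 sees them (AS_PATH "101 104"), to show why "_104$" still matches one hop further downstream while "^104$" would not.

```python
# Added model of the four IOS BGP outbound-filter types used in steps 1-4 above.
# Illustrative Python, not IOS code; routes and filter entries are constructed
# from the lab, the function names are this example's own.
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str               # e.g. "192.168.40.40/32"
    as_path: Tuple[int, ...]  # (104,) as R101 sees it, (101, 104) as R1 sees it


# Constructed: the five /32s R104 originates, as held in R101's table (AS_PATH "104")
ROUTES = [Route(f"192.168.4{i}.4{i}/32", (104,)) for i in range(5)]
# The same routes as R1 sees them after R101 prepends its own AS (AS_PATH "101 104")
R1_VIEW = [Route(r.prefix, (101,) + r.as_path) for r in ROUTES]


def _wc_match(addr: str, entry: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: bits set in the wildcard are don't-care."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(entry)) & care)


def acl_match(entries: Sequence[Tuple[str, str, str, str, str]], route: Route) -> bool:
    """Extended ACL as a distribute-list: 'source' is checked against the network,
    'destination' against the subnet mask. First match decides; implicit deny."""
    net = ipaddress.ip_network(route.prefix)
    addr, mask = str(net.network_address), str(net.netmask)
    for action, src, src_wc, dst, dst_wc in entries:
        if _wc_match(addr, src, src_wc) and _wc_match(mask, dst, dst_wc):
            return action == "permit"
    return False


def prefix_list_match(entries: Sequence[Tuple[str, str, Optional[int], Optional[int]]],
                      route: Route) -> bool:
    """IOS prefix-list: no ge/le means exact match; 'le N' allows lengths from the
    entry's length up to N; 'ge N' allows N up to 32. Implicit deny at the end."""
    net = ipaddress.ip_network(route.prefix)
    for action, pfx, ge, le in entries:
        base = ipaddress.ip_network(pfx)
        lo = base.prefixlen if ge is None else ge
        hi = (base.prefixlen if ge is None else 32) if le is None else le
        inside = (int(net.network_address) & int(base.netmask)) == int(base.network_address)
        if inside and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def as_path_list_match(entries: Sequence[Tuple[str, str]], route: Route) -> bool:
    """ip as-path access-list: the AS_PATH is matched as a space-separated string;
    the IOS '_' stands for a boundary (start, end, space or punctuation)."""
    path = " ".join(str(asn) for asn in route.as_path)
    for action, regex in entries:
        if re.search(regex.replace("_", r"(?:^|$|[ ,{}()])"), path):
            return action == "permit"
    return False


def route_map_match(entries: Sequence[Tuple[str, Optional[Callable[[Route], bool]]]],
                    route: Route) -> bool:
    """route-map: sequences in order; a sequence without a match clause matches
    everything; the first matching sequence decides; implicit deny if none match."""
    for action, match in entries:
        if match is None or match(route):
            return action == "permit"
    return False


def advertised(filter_fn: Callable[[Route], bool], routes: List[Route] = ROUTES) -> List[str]:
    """Prefixes that survive an outbound filter, i.e. what 'advertised-routes' shows."""
    return [r.prefix for r in routes if filter_fn(r)]


# Step 1: access-list 101 deny ip host 192.168.40.40 host 255.255.255.255 / permit ip any any
ACL_101 = [("deny", "192.168.40.40", "0.0.0.0", "255.255.255.255", "0.0.0.0"),
           ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]
# Step 2: ip prefix-list no41 deny 192.168.41.41/32 / permit 0.0.0.0/0 le 32
PL_NO41 = [("deny", "192.168.41.41/32", None, None), ("permit", "0.0.0.0/0", None, 32)]
# Step 3: ip as-path access-list 222 deny _104$ / permit .*
ASPATH_222 = [("deny", "_104$"), ("permit", ".*")]
# Step 4: prefix-list no4344 selects 43 and 44; route-map no_43_44 denies them at seq 10
PL_NO4344 = [("permit", "192.168.43.43/32", None, None), ("permit", "192.168.44.44/32", None, None)]
RM_NO_43_44 = [("deny", lambda r: prefix_list_match(PL_NO4344, r)), ("permit", None)]


def lab_results() -> dict:
    """What R101 advertises to R1 under each of the four lab filters."""
    return {
        "distribute-list": advertised(lambda r: acl_match(ACL_101, r)),
        "prefix-list": advertised(lambda r: prefix_list_match(PL_NO41, r)),
        "filter-list": advertised(lambda r: as_path_list_match(ASPATH_222, r)),
        "route-map": advertised(lambda r: route_map_match(RM_NO_43_44, r)),
    }


def as_path_regex_hits(regex: str, routes: List[Route]) -> List[str]:
    """Prefixes a single permit regex selects, e.g. '_104$' versus '^104$' on R1's view."""
    return advertised(lambda r: as_path_list_match([("permit", regex)], r), routes)


if __name__ == "__main__":
    for name, prefixes in lab_results().items():
        print(f"{name:15s} -> {prefixes}")
    print("_104$ on R1's view:", as_path_regex_hits("_104$", R1_VIEW))
    print("^104$ on R1's view:", as_path_regex_hits("^104$", R1_VIEW))
```

Running it reproduces the four "advertised-routes" outputs above (four, four, zero and three prefixes). The last two lines illustrate the point of the "_" anchor in step 3: on R1, where the AS_PATH is already "101 104", "_104$" still selects every route originated in AS 104, whereas "^104$" would only match routes received directly from AS 104.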

Clearing BGP Neighbors

The neighborship can be cleared in several ways, including reloading the router and by administratively disabling and re-enabling the BGP neighborship using the neighbor shutdown and no neighbor shutdown configuration commands.

Each variation on the clear ip bgp... command either performs a hard reset or soft reset of one or more BGP neighborships.
When a hard reset occurs, the local router brings down the neighborship, brings down the underlying TCP connection, and removes all BGP table entries learned from that neighbor.
With a soft reset, the router does not bring down the BGP neighborship or the underlying TCP connection.
However, the local router re-sends outgoing Updates, adjusted per the outbound filter, and reprocesses incoming Updates per the inbound filter, which adjusts the BGP tables based on the then-current configuration.

Syntax:
clear ip bgp {* | all | autonomous-system-number | neighbor-address | peer-group group-name} [in [prefix-filter] | out | slow | soft [in [prefix-filter] | out | slow]]

Note: If the word "in" or "out" is not specified in the command, the clearing process will be applied for both directions.

Note: The clear ip bgp neighbor-id soft in command, the older command of the two, works only if the configuration includes the neighbor neighbor-id soft-reconfiguration inbound BGP configuration command for this same neighbor.
This configuration command causes the router to retain the received BGP Updates from that neighbor.
This consumes extra memory on the router, but it gives the router a copy of the original pre-filter Update received from that neighbor.
Using that information, the clear ip bgp neighbor-id soft in tells IOS to reapply the inbound filter to the cached received Update, updating the local router’s BGP table.

Note: The newer version of the clear ip bgp command, namely the clear ip bgp neighbor-id in command (without the soft keyword), removes the requirement for the neighbor neighbor-id soft-reconfiguration inbound configuration command.
Instead, the router uses a newer BGP feature, the route refresh feature, which essentially allows a BGP router to ask its neighbor to re-send its full BGP Update.
The clear ip bgp neighbor-id in command tells the local router to use the route refresh feature to ask the neighbor to re-send its BGP Update, after which the local router applies its current inbound BGP filters and updates its BGP table.

The route refresh capability can be verified with the following command:

R1#show ip bgp neighbors 101.101.101.101
BGP neighbor is 101.101.101.101,  remote AS 101, external link
  BGP version 4, remote router ID 101.101.101.101
  BGP state = Established, up for 00:30:51
  Last read 00:00:50, last write 00:00:51, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)

Displaying results of BGP filtering:

1) The show ip bgp neighbor received-routes command requires the BGP subcommand neighbor soft-reconfiguration inbound.
As a result, to see the pre-filter BGP Update received from a neighbor, the router must be configured with this extra command.

R1#show ip bgp neighbors 101.101.101.101 received-routes 
% Inbound soft reconfiguration not enabled on 101.101.101.101

R1(config)#router bgp 100
R1(config-router)#neighbor 101.101.101.101 soft-reconfiguration inbound

R1#show ip bgp neighbors 101.101.101.101 received-routes
BGP table version is 62, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.40.40/32 101.101.101.101                        0 101 104 i
*> 192.168.41.41/32 101.101.101.101                        0 101 104 i
*> 192.168.42.42/32 101.101.101.101                        0 101 104 i

Total number of prefixes 3

2) Use the show ip bgp neighbor advertised-routes command to display the post-filter BGP Update for a given neighbor.
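The difference between the reset variants in the "Clearing BGP Neighbors" section, and the reason the received-routes command above fails until soft-reconfiguration inbound is configured, can be seen in the following added Python model of one neighbor's inbound path. It is illustrative code written for this post, not IOS and not part of the original lab; the peer address and the three prefixes are taken from the lab at the end of step 4, while the Neighbor class, its method names and the inbound_deny set (a stand-in for an inbound filter) are this example's own.

```python
# Added model of hard reset, 'soft in' and route-refresh 'in' for one BGP neighbor.
# Illustrative Python, not IOS; class and method names are this example's own.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed: the three prefixes R101 still sends R1 at the end of step 4
PEER_SENDS = {"192.168.40.40/32", "192.168.41.41/32", "192.168.42.42/32"}


@dataclass
class Neighbor:
    peer: str
    route_refresh: bool = True                 # capability negotiated at session open
    soft_reconfig_inbound: bool = False        # 'neighbor <peer> soft-reconfiguration inbound'
    inbound_deny: Set[str] = field(default_factory=set)   # stand-in for the inbound filter
    established: bool = False
    adj_rib_in: Optional[Set[str]] = None      # pre-filter copy, kept only with soft-reconfig
    bgp_table: Set[str] = field(default_factory=set)
    session_resets: int = 0                    # how often the TCP session was torn down

    def _process_update(self, prefixes: Set[str]) -> None:
        """Run a received Update through the *current* inbound filter."""
        if self.soft_reconfig_inbound:
            self.adj_rib_in = set(prefixes)    # costs memory, enables received-routes
        self.bgp_table = {p for p in prefixes if p not in self.inbound_deny}

    def open_session(self, peer_sends: Set[str]) -> None:
        self.established = True
        self._process_update(peer_sends)

    def hard_reset(self, peer_sends: Set[str]) -> None:
        """clear ip bgp <peer>: drop TCP, flush everything from this peer, reconnect."""
        self.established, self.bgp_table, self.adj_rib_in = False, set(), None
        self.session_resets += 1
        self.open_session(peer_sends)

    def clear_soft_in(self) -> None:
        """clear ip bgp <peer> soft in: re-filter the cached copy, nothing sent to the peer."""
        if self.adj_rib_in is None:
            raise RuntimeError(f"% Inbound soft reconfiguration not enabled on {self.peer}")
        self._process_update(self.adj_rib_in)

    def clear_in(self, peer_sends: Set[str]) -> None:
        """clear ip bgp <peer> in: route refresh, the peer re-sends, session stays up."""
        if not self.route_refresh:
            raise RuntimeError("route refresh capability not negotiated; hard reset required")
        self._process_update(peer_sends)

    def received_routes(self) -> Set[str]:
        """show ip bgp neighbors <peer> received-routes (pre-filter view)."""
        if self.adj_rib_in is None:
            raise RuntimeError(f"% Inbound soft reconfiguration not enabled on {self.peer}")
        return set(self.adj_rib_in)


def walkthrough() -> Dict[str, object]:
    """Add an inbound filter after the session is up and compare the reset options."""
    n = Neighbor("101.101.101.101")
    n.open_session(PEER_SENDS)
    n.inbound_deny.add("192.168.42.42/32")          # new filter; nothing changes yet
    out: Dict[str, object] = {"before_clear": sorted(n.bgp_table)}
    try:
        n.clear_soft_in()                           # no cached copy: same error as on R1
    except RuntimeError as err:
        out["soft_in_error"] = str(err)
    n.clear_in(PEER_SENDS)                          # route refresh: filter now applied
    out["after_clear_in"] = sorted(n.bgp_table)
    out["resets_after_clear_in"] = n.session_resets
    n.soft_reconfig_inbound = True
    n.clear_in(PEER_SENDS)                          # refresh once more to populate the cache
    n.inbound_deny.add("192.168.41.41/32")
    n.clear_soft_in()                               # works now, purely from the local cache
    out["after_soft_in"] = sorted(n.bgp_table)
    out["received_routes"] = sorted(n.received_routes())
    n.hard_reset(PEER_SENDS)
    out["resets_after_hard"] = n.session_resets
    out["after_hard"] = sorted(n.bgp_table)
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:22s} {value}")
```

The walkthrough shows the three facts the section states: a newly added filter does nothing until the neighbor is cleared, "soft in" without the cached pre-filter copy fails with the same message seen on R1 above, and both soft variants leave session_resets at zero while a hard reset tears the TCP session down and rebuilds the table from scratch.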
