Wednesday, 15 August 2007

Simple BGP Filter

Source: rendo.blogspot.com

Basically, there are two methods for filtering BGP routes: the first is by route prefix and the second is by AS path. The two methods can also be combined.

This note focuses on BGP filtering on Cisco devices, or on a PC router running Zebra/Quagga as its routing daemon, for low- to mid-level BGP routers. Zebra and Quagga have a CLI similar to Cisco's, so every mention of "Cisco" in the rest of this note also applies to Zebra/Quagga.
In Cisco, we can filter BGP routes using one of these syntaxes:
a. distribute-list
distribute-list is used for prefix-based filtering. See "neighbor 203.111.127.4 distribute-list 59 in" in the example below. distribute-list is followed by an IP ACL number.

b. prefix-list
prefix-list is similar to distribute-list but is used for AS-path-based filtering. prefix-list is followed by an AS-path ACL.

c. route-map
route-map can be used both for filtering and for manipulating routes. A BGP filter using route-map can be based on either prefix or AS path.
Route manipulations that can be done with route-map include:
1. Prepend the ASN
2. Change the community
3. Change the next-hop
4. Change other BGP attributes
5. etc.

As you can see in the example, there are two groups of prefixes advertised to the ISP. The first group is listed in ACL 60 and the second in ACL 65. The first group is advertised without any prepend, while the second group is prepended. The prepend on the second group is a simple example of route manipulation. By using route-map, we can also apply different actions to different ACLs.

Which one is suitable for you? It depends on your requirements. If you only need filtering without any route manipulation, you can use prefix-list or distribute-list; if you need any manipulation, you must use route-map.

Example configuration; all the IPs and ASNs are fake.
—————————————————-
router bgp 33333
neighbor 203.111.127.4 remote-as 4444
neighbor 203.111.127.4 description BGP peer to ISP
neighbor 203.111.127.4 ebgp-multihop 255
neighbor 203.111.127.4 soft-reconfiguration inbound
neighbor 203.111.127.4 distribute-list 59 in
neighbor 203.111.127.4 route-map EXPORT-TO-ISP out
!

ip as-path access-list 11 permit ^333331_
ip as-path access-list 11 deny ^_

access-list 59 permit 0.0.0.0
access-list 59 deny any
access-list 60 remark ACL for BGP export to ISP
access-list 60 permit 204.199.224.0 0.0.0.255
access-list 60 permit 204.199.225.0 0.0.0.255
access-list 60 permit 204.199.234.0 0.0.0.255
access-list 60 permit 204.199.233.0 0.0.0.255
access-list 60 permit 204.199.236.0 0.0.0.255
access-list 60 deny any
access-list 60 remark ACL for BGP export to ISP
access-list 65 remark ACL for BGP export to ISP 2 prepend
access-list 65 permit 204.199.226.0 0.0.0.255
access-list 65 permit 204.199.227.0 0.0.0.255
access-list 65 permit 204.199.228.0 0.0.0.255
access-list 65 permit 204.199.232.0 0.0.0.255
access-list 65 permit 204.199.235.0 0.0.0.255
access-list 65 permit 204.199.237.0 0.0.0.255
access-list 65 permit 204.199.238.0 0.0.0.255
access-list 65 permit 204.199.239.0 0.0.0.255
access-list 65 deny any
access-list 65 remark ACL for BGP export to ISP 2 prepend

route-map EXPORT-TO-ISP permit 10
match ip address 65
set as-path prepend 33333 33333 33333 33333 33333 33333 33333 33333 33333 33333
!
route-map EXPORT-TO-ISP permit 15
match ip address 60
!
route-map EXPORT-TO-ISP permit 20
match as-path 11
!
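To check what the example policy above actually lets in and out, here is an added Python model (not code from the original post) of the standard-ACL wildcard match, the Cisco AS-path regex `_` anchor, and the sequential route-map evaluation with its implicit deny. The ACL, AS-path list and route-map contents are taken from the configuration above; the sample prefixes and the downstream AS path used in the checks are constructed.

```python
import ipaddress
import re

# Constructed model of the page's policy: standard ACLs as (network, wildcard) permits.
ACLS = {
    59: [("0.0.0.0", "0.0.0.0")],  # "permit 0.0.0.0" = the address 0.0.0.0 only
    60: [(f"204.199.{o}.0", "0.0.0.255") for o in (224, 225, 234, 233, 236)],
    65: [(f"204.199.{o}.0", "0.0.0.255") for o in (226, 227, 228, 232, 235, 237, 238, 239)],
}
AS_PATH_ACLS = {11: [("permit", "^333331_"), ("deny", "^_")]}
# route-map EXPORT-TO-ISP, sequences 10, 15 and 20 in the page's order.
ROUTE_MAP = [
    ("permit", {"ip": 65}, {"prepend": ["33333"] * 10}),
    ("permit", {"ip": 60}, {}),
    ("permit", {"as-path": 11}, {}),
]

def std_acl_permits(acl_id, prefix):
    """Standard ACL: only the network address is compared under the wildcard mask;
    the prefix length is never examined, so 204.199.224.128/25 also matches 60."""
    addr = int(ipaddress.ip_network(prefix, strict=False).network_address)
    for net, wild in ACLS[acl_id]:
        w = int(ipaddress.ip_address(wild))
        if addr & ~w == int(ipaddress.ip_address(net)) & ~w:
            return True
    return False  # explicit "deny any" / implicit deny

def as_path_acl_permits(acl_id, as_path):
    """Cisco '_' matches start or end of the path, a space or a set/confed bracket."""
    for action, pattern in AS_PATH_ACLS[acl_id]:
        if re.search(pattern.replace("_", r"(?:^|$|[ ,{}()])"), as_path):
            return action == "permit"
    return False  # implicit deny

def import_from_isp(prefix):
    """neighbor ... distribute-list 59 in: only the default route is accepted."""
    return std_acl_permits(59, prefix)

def export_to_isp(prefix, as_path=""):
    """neighbor ... route-map EXPORT-TO-ISP out. as_path is what the route-map sees
    (empty for locally originated routes). Returns (advertised, path after set)."""
    for action, match, sets in ROUTE_MAP:
        if "ip" in match and not std_acl_permits(match["ip"], prefix):
            continue
        if "as-path" in match and not as_path_acl_permits(match["as-path"], as_path):
            continue
        if action != "permit":
            return False, None
        return True, " ".join(sets.get("prepend", []) + as_path.split())
    return False, None  # no sequence matched: the route-map's implicit deny
```

Because a standard ACL compares only the network address, ACL 59 also accepts 0.0.0.0/8 and ACL 60 accepts 204.199.224.128/25; a prefix covered by neither ACL and carrying an AS path other than one starting with 333331 is dropped by the route-map's implicit deny.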
