BGP Outbound Route Filtering
R1 and R2 are EBGP Neighbors. R1 is receiving the following routes from R2:
R1#sho ip bgp | be Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 200.0.0.0        192.168.12.2             0             0 200 i
*> 200.0.1.0        192.168.12.2             0             0 200 i
*> 200.0.2.0        192.168.12.2             0             0 200 i
*> 200.0.3.0        192.168.12.2             0             0 200 i
R1#
Suppose R1 wants to only allow the first 2 routes. We could do it with a prefix-list as follows:
R1(config)#ip prefix-list FROMR2 permit 200.0.0.0/24
R1(config)#ip prefix-list FROMR2 permit 200.0.1.0/24
R1(config)#router bgp 100
R1(config-router)#neighbor 192.168.12.2 prefix-list FROMR2 in
When debugging, we can see that the last two prefixes get denied at R1:
R1#debug ip bgp updates in
BGP updates debugging is on (inbound) for address family: IPv4 Unicast
R1#cle ip bgp *
R1#
*Mar 1 00:06:21.491: %BGP-5-ADJCHANGE: neighbor 192.168.12.2 Down User reset
*Mar 1 00:06:22.627: %BGP-5-ADJCHANGE: neighbor 192.168.12.2 Up
*Mar 1 00:06:22.683: BGP(0): 192.168.12.2 rcvd UPDATE w/ attr: nexthop 192.168.12.2, origin i, metric 0, path 200
*Mar 1 00:06:22.687: BGP(0): 192.168.12.2 rcvd 200.0.3.0/24 -- DENIED due to: distribute/prefix-list;
*Mar 1 00:06:22.695: BGP(0): 192.168.12.2 rcvd 200.0.2.0/24 -- DENIED due to: distribute/prefix-list;
*Mar 1 00:06:22.699: BGP(0): 192.168.12.2 rcvd 200.0.1.0/24
*Mar 1 00:06:22.699: BGP(0): 192.168.12.2 rcvd 200.0.0.0/24
Wouldn’t it be nice if R1 could somehow tell R2 not to send those prefixes anyway, since R1 will just deny them? Well, that’s what outbound route filtering (ORF) does. Configuration is simple. Since R1 is the one sending the prefix-list to R2, it will have the send keyword:
R1(config)#router bgp 100
R1(config-router)#neighbor 192.168.12.2 capability orf prefix-list send

R2(config)#router bgp 200
R2(config-router)#neighbor 192.168.12.1 capability orf prefix-list receive
Let’s clear ip bgp again:
R1#cle ip bgp *
R1#
*Mar 1 00:12:21.755: %BGP-5-ADJCHANGE: neighbor 192.168.12.2 Down User reset
*Mar 1 00:12:23.571: %BGP-5-ADJCHANGE: neighbor 192.168.12.2 Up
*Mar 1 00:12:23.627: BGP(0): 192.168.12.2 rcvd UPDATE w/ attr: nexthop 192.168.12.2, origin i, metric 0, path 200
*Mar 1 00:12:23.631: BGP(0): 192.168.12.2 rcvd 200.0.1.0/24
*Mar 1 00:12:23.635: BGP(0): 192.168.12.2 rcvd 200.0.0.0/24
*Mar 1 00:12:23.723: BGP(0): Revise route installing 1 of 1 routes for 200.0.0.0/24 -> 192.168.12.2(main) to main IP table
*Mar 1 00:12:23.727: BGP(0): Revise route installing 1 of 1 routes for 200.0.1.0/24 -> 192.168.12.2(main) to main IP table
We don’t see any message about R1 denying prefixes because R2 is now doing the filtering. How can we verify on R2? With the sho ip bgp neighbors command. For brevity, this is only a partial output:
R2#sho ip bgp neighbors
  AF-dependant capabilities:
    Outbound Route Filter (ORF) type (128) Prefix-list:
      Send-mode: received
      Receive-mode: advertised
  Outbound Route Filter (ORF): received (2 entries)
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               2          0
    Prefixes Total:                 2          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    ORF prefix-list:                      2        n/a
    Total:                                2          0
From the above output we can also see that R2 is advertising itself in receive mode (accepts the ORF) while the neighbor is in send-mode (sends the ORF to R2). Also, the ORF permits 2 entries, which is the value next to “Prefixes Current” and “Prefixes Total.” In the bottom section we see that R2 has 2 locally denied prefixes due to “ORF prefix-list.”
Regards, Bryan (Post by Bryan Bartik)
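The two filtering points described above, modeled side by side as an added example (not part of the original post, and not real BGP): the same prefix-list FROMR2 is applied either only inbound on R1 or also outbound on R2 via ORF. The names `permits` and `session` are hypothetical, and the `ge`/`le` handling goes beyond the exact-match entries used in the post.

```python
from ipaddress import ip_network

# Constructed from the post: R2's four routes and R1's prefix-list FROMR2.
R2_ROUTES = ["200.0.0.0/24", "200.0.1.0/24", "200.0.2.0/24", "200.0.3.0/24"]
FROMR2 = [("permit", "200.0.0.0/24", None, None),
          ("permit", "200.0.1.0/24", None, None)]

def permits(prefix_list, route):
    """IOS-style prefix-list: first match wins, implicit deny at the end."""
    route = ip_network(route)
    for action, net, ge, le in prefix_list:
        net = ip_network(net)
        # No ge/le: exact length. ge alone: up to /32. le alone: from net's length.
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

def session(r2_routes, r1_list, orf):
    """Model one session reset: what crosses the link, and who drops what."""
    # With ORF, R2 applies R1's list before sending; without it, R2 sends all.
    wire = [r for r in r2_routes if not orf or permits(r1_list, r)]
    # Assumption of this model: R1 applies its inbound list to whatever arrives.
    installed = [r for r in wire if permits(r1_list, r)]
    return {
        "on_wire": wire,
        "denied_by_r2": [r for r in r2_routes if r not in wire],
        "denied_by_r1": [r for r in wire if r not in installed],
        "installed_on_r1": installed,
    }

if __name__ == "__main__":
    for orf in (False, True):
        print("with ORF" if orf else "inbound prefix-list only")
        for key, value in session(R2_ROUTES, FROMR2, orf).items():
            print(f"  {key}: {value}")
```

R1 installs the same two routes in both runs; only the place where 200.0.2.0/24 and 200.0.3.0/24 are dropped changes, which matches the "DENIED" lines disappearing from R1's debug and the "ORF prefix-list: 2" counter appearing on R2.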


Extraordinary Concept.., Thanks a lot
Excellence!
Good job.
New thing I learned wrt prefix-list.
Keep going on.