To restrict the routing information that the router
learns or advertises, you can filter routing updates. You can apply route
filters to or from a particular neighbor by using the distribute-list
command (see Chapter 7, Route Optimization, for more details about the syntax of
this command). In the figure, RTD in AS2 originates network 192.68.10.0/24
and sends it to RTF. RTF passes the update to RTA via IBGP, and RTA would in turn
propagate it to AS1. If that happened, AS3 would become a transit AS, advertising
itself as a path to reach network 192.68.10.0/24, which is a route leak that AS3
never intended to offer.
To prevent this situation, you can configure RTA as shown in the figure.
The distribute-list keyword, used as part of a BGP neighbor statement,
prevents RTA from advertising prefix 192.68.10.0/24 to RTC. The access list
identifies the prefixes to be filtered, and the distribute-list and out keywords
apply the filter to outgoing updates for that neighbor.
Note that access list 1 concludes with a permit 0.0.0.0 255.255.255.255
statement, which is equivalent to permit any. Remember that, when using access
lists for filtering, anything that does not match a permit statement is denied by
the implicit deny at the end of the list. Without the permit 0.0.0.0
255.255.255.255 clause, every update to RTC would be suppressed, not just the
one prefix you meant to block. A quick check after applying an outbound filter
is to confirm that the neighbor still receives the prefixes you intended to send.
Whereas configuring BGP neighbor
statements to include the distribute-list
keyword is effective for filtering specific routes, controlling supernets can be
a bit trickier.
Configuring a distribute list relies on creating
an access list. If you use a standard access list, you are afforded only limited
functionality. RTA connects to multiple subnets in the 172.16.0.0 /16 address
space. You want to advertise an aggregate address of 172.16.0.0 /16, but not the
individual subnets themselves. A standard access list would not work because it
permits more than is desired; it filters based on the network address only. For
example, this access list would permit not only the 172.16.0.0/16 summary, but
also all the components of that summary:
access-list 1 permit 172.16.0.0 0.0.255.255
To restrict the update to the 172.16.0.0/16
summary, you can use an extended access list. We usually think of extended
access lists as matching both source and destination addresses. In the case of a
BGP route filter, an extended list matches first the network address and second
the subnet mask of the prefix. Both network and mask are paired with their own
wildcard bitmask, using the following syntax:
router(config)#access-list number {permit | deny} ip network network-wildcard mask mask-wildcard
To permit the aggregate address in the example,
you would configure an extended access list to match the network address and
also the 16-bit mask of the prefix. Using this configuration, RTA would not send
a subnet route (such as 172.16.0.0 /17 or 172.16.10.0 /24) in an update to AS1.
RTA(config)#router bgp 3
RTA(config-router)#neighbor 172.16.1.1 remote-as 3
RTA(config-router)#neighbor 172.16.20.1 remote-as 1
RTA(config-router)#neighbor 172.16.20.1 distribute-list 101 out
RTA(config-router)#exit
RTA(config)#access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
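The two filtering behaviours described above, the standard list that matches on the network address only and the extended list that matches network and mask, can be checked with a small emulation. The following Python is an added example, not code from the page or from Cisco IOS: it models how each access list entry is evaluated against a BGP prefix's (network, mask) pair, including the implicit deny at the end of every list. The deny entry for 192.68.10.0/24 in access list 1 is assumed (the page shows only its closing permit-any line), and the BGP table it filters is constructed sample data.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not IOS source): emulate how a standard or extended
# access list is evaluated when applied as a BGP distribute-list.
# Each BGP prefix is matched as (network address, subnet mask), which is
# the pairing the page describes for extended lists.

# (action, network, network-wildcard, mask, mask-wildcard)
# mask and mask-wildcard are None for a standard access list entry.
Entry = Tuple[str, str, str, Optional[str], Optional[str]]


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(value) & care) == (_to_int(pattern) & care)


class AccessList:
    def __init__(self, entries: List[Entry]):
        self.entries = entries  # evaluated top-down, first match wins

    def permits(self, prefix: str) -> bool:
        net = ipaddress.ip_network(prefix, strict=True)
        addr, mask = str(net.network_address), str(net.netmask)
        for action, net_pat, net_wc, mask_pat, mask_wc in self.entries:
            if not wildcard_match(addr, net_pat, net_wc):
                continue
            # extended list: the second address/wildcard pair is matched
            # against the prefix's subnet mask, not a destination address
            if mask_pat is not None and not wildcard_match(mask, mask_pat, mask_wc):
                continue
            return action == "permit"
        return False  # implicit deny at the end of every access list


def outbound_update(acl: AccessList, prefixes: List[str]) -> List[str]:
    """Prefixes that survive 'neighbor X distribute-list <acl> out'."""
    return [p for p in prefixes if acl.permits(p)]


# Scenario 1: stop RTA from advertising 192.68.10.0/24 to RTC in AS1.
# The deny line is assumed; the page shows only the closing permit-any.
ACL_1_NO_TRANSIT = AccessList([
    ("deny",   "192.68.10.0", "0.0.0.255",       None, None),
    ("permit", "0.0.0.0",     "255.255.255.255", None, None),
])

# Same list without the permit-any: the implicit deny suppresses everything.
ACL_1_MISSING_PERMIT_ANY = AccessList([
    ("deny", "192.68.10.0", "0.0.0.255", None, None),
])

# Scenario 2, standard list from the page: matches on network address only,
# so it lets the components of 172.16.0.0/16 through as well.
ACL_1_STANDARD = AccessList([
    ("permit", "172.16.0.0", "0.0.255.255", None, None),
])

# Scenario 2, extended list 101 from the page: network 172.16.x.x AND mask
# exactly 255.255.0.0, so only the /16 summary is permitted.
ACL_101_EXTENDED = AccessList([
    ("permit", "172.16.0.0", "0.0.255.255", "255.255.0.0", "0.0.0.0"),
])

if __name__ == "__main__":
    # constructed sample BGP table on RTA
    table = ["192.68.10.0/24", "172.16.0.0/16", "172.16.0.0/17", "172.16.10.0/24"]
    for name, acl in [("acl 1 (no transit)", ACL_1_NO_TRANSIT),
                      ("acl 1 (missing permit any)", ACL_1_MISSING_PERMIT_ANY),
                      ("acl 1 (standard, 172.16)", ACL_1_STANDARD),
                      ("acl 101 (extended)", ACL_101_EXTENDED)]:
        print(f"{name}: {outbound_update(acl, table)}")
```

Running the block shows the three outcomes the text warns about side by side: the standard list passes the /17 and /24 components along with the summary, the extended list passes only 172.16.0.0/16, and the list that lacks permit any sends nothing at all. The filter only chooses among prefixes RTA already holds in its BGP table; it does not create the 172.16.0.0/16 summary itself.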
If using an extended access list to accomplish this type of filtering seems
confusing to you, you are not alone. Improved user-friendliness was one of the
factors that motivated Cisco to include the ip prefix-list command in IOS 12.0.
This command is described in the next section.