9.2
BGP Route Filtering and Policy Routing
9.2.3
Using distribute-list to filter BGP routes
To restrict the routing information that the router learns or advertises, you can filter routing updates. You can apply route filters to or from a particular neighbor by using the distribute-list command (see Chapter 7, Route Optimization, for more details about the syntax of this command). In the figure, RTD in AS2 is originating network 192.68.10.0/24 and sending it to RTF. RTF will pass the update to RTA via IBGP, which in turn will propagate it to AS1. By doing so, AS3 could become a transit AS advertising that it is a path to reach network 192.68.10.0/24.

To prevent this from happening, you can configure RTA with an outbound route filter toward RTC, as shown in the figure.

The distribute-list keyword, used as part of a BGP neighbor statement, prevents RTA from advertising prefix 192.68.10.0/24 to RTC. The access list is used to identify the prefixes to be filtered and the distribute-list and out keywords apply the filter to outgoing updates.

Note that access list 1 concludes with a permit 0.0.0.0 255.255.255.255 statement, which is equivalent to permit any. Remember that every access list ends with an implicit deny: when an access list is used as a route filter, any prefix that does not match a permit statement is dropped. Without the permit 0.0.0.0 255.255.255.255 clause, the list would contain only the deny entry for 192.68.10.0/24, and all updates to RTC would be suppressed.

Whereas configuring BGP neighbor statements to include the distribute-list keyword is effective for filtering specific routes, controlling supernets can be a bit trickier.

Configuring a distribute list relies on creating an access list. If you use a standard access list, you are afforded only limited functionality. RTA connects to multiple subnets in the 172.16.0.0/16 address space. You want to advertise an aggregate address of 172.16.0.0/16, but not the individual subnets themselves. A standard access list would not work because it permits more than is desired: it matches only the network address of a prefix, not its mask. For example, this access list would permit not only the 172.16.0.0/16 summary, but also every more-specific component of that summary (any prefix whose address begins with 172.16):

access-list 1 permit 172.16.0.0 0.0.255.255

To restrict the update to the 172.16.0.0/16 summary, you can use an extended access list (numbered 100 to 199). We usually think of extended access lists as matching both source and destination addresses. In the case of a BGP route filter, the "source" field matches the network address of the prefix and the "destination" field matches its subnet mask. Both network and mask are paired with their own wildcard bitmask, using the following syntax:

router(config)#access-list number permit|deny ip network network-wildcard mask mask-wildcard

To permit only the aggregate address in the example, you would configure an extended access list that matches the 172.16.0.0 network address and also the exact 16-bit mask (255.255.0.0) of the prefix, by giving the mask an all-zero wildcard. Because the mask must match exactly, a more specific subnet route (such as 172.16.0.0/17 or 172.16.10.0/24) does not match the permit entry and falls through to the implicit deny, so RTA would not send it in an update to AS1.

RTA(config)#router bgp 3
RTA(config-router)#neighbor 172.16.1.1 remote-as 3
RTA(config-router)#neighbor 172.16.20.1 remote-as 1
RTA(config-router)#neighbor 172.16.20.1 distribute-list 101 out
RTA(config-router)#exit
RTA(config)#access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
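The following Python script is an added example (not part of the original text or of Cisco IOS) that reproduces how IOS evaluates an access list against BGP prefixes in an outbound distribute list: wildcard matching on the network address, the extra mask match that only an extended list provides, and the implicit deny at the end of every list. It is run here against the three access lists discussed above and a constructed set of prefixes in RTA's BGP table. The two lines of access list 1 are an assumption about what the figure's configuration contains (a deny for 192.68.10.0/24 followed by permit any), since the figure itself is not reproduced on the page.

```python
"""Simulate IOS access-list evaluation of BGP prefixes in a distribute-list (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    net: int                     # network address to compare against
    net_wild: int                # wildcard bits for the network address (1 = don't care)
    mask: Optional[int] = None   # extended list only: subnet mask the prefix must carry
    mask_wild: int = 0           # wildcard bits for the mask comparison


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_access_list(lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list N permit|deny ...' lines into ordered entries per list number.

    Standard form:  access-list N permit|deny network [wildcard] | any | host A.B.C.D
    Extended form:  access-list N permit|deny ip network net-wildcard mask mask-wildcard
    """
    acls: Dict[int, List[AclEntry]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                          # ignore blank/unrelated lines
        number, action, args = int(parts[1]), parts[2], parts[3:]
        if args[0] == "ip":                   # extended: address and mask both matched
            net, net_w, mask, mask_w = args[1:5]
            entry = AclEntry(action, _ip(net), _ip(net_w), _ip(mask), _ip(mask_w))
        else:                                 # standard: address only
            if args[0] == "any":
                net, net_w = "0.0.0.0", "255.255.255.255"
            elif args[0] == "host":
                net, net_w = args[1], "0.0.0.0"
            else:                             # IOS defaults a missing wildcard to 0.0.0.0
                net, net_w = args[0], (args[1] if len(args) > 1 else "0.0.0.0")
            entry = AclEntry(action, _ip(net), _ip(net_w))
        acls.setdefault(number, []).append(entry)
    return acls


def entry_matches(entry: AclEntry, prefix: ipaddress.IPv4Network) -> bool:
    """Wildcard compare: a bit differs only where the wildcard bit is 0."""
    if (int(prefix.network_address) ^ entry.net) & ~entry.net_wild & 0xFFFFFFFF:
        return False
    if entry.mask is not None:                # extended lists also test the prefix mask
        if (int(prefix.netmask) ^ entry.mask) & ~entry.mask_wild & 0xFFFFFFFF:
            return False
    return True


def acl_permits(entries: List[AclEntry], prefix: ipaddress.IPv4Network) -> bool:
    """First matching entry decides; no match hits the implicit deny."""
    for entry in entries:
        if entry_matches(entry, prefix):
            return entry.action == "permit"
    return False


def filter_updates(entries: List[AclEntry], prefixes: List[str]) -> List[str]:
    """Return the prefixes an outbound distribute-list using these entries would send."""
    return [p for p in prefixes if acl_permits(entries, ipaddress.ip_network(p))]


# Constructed configuration. List 1 is an assumed reconstruction of the figure's
# filter toward RTC; list 2 is the page's standard list (shown there as list 1);
# list 101 is the page's extended list. List 9 is list 1 without its permit-any line.
CONFIG = """
access-list 1 deny 192.68.10.0 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 9 deny 192.68.10.0 0.0.0.0
access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
""".strip().splitlines()

# Constructed BGP table on RTA: the aggregate, two of its components, the AS2 route, one other.
BGP_TABLE = ["172.16.0.0/16", "172.16.0.0/17", "172.16.10.0/24", "192.68.10.0/24", "10.1.0.0/16"]

ACLS = parse_access_list(CONFIG)

if __name__ == "__main__":
    for number in sorted(ACLS):
        print(f"distribute-list {number} out sends: {filter_updates(ACLS[number], BGP_TABLE)}")
```

Running the script shows list 1 dropping only 192.68.10.0/24, list 9 (the same deny without the trailing permit) suppressing every update, the standard list 2 leaking 172.16.0.0/17 and 172.16.10.0/24 along with the summary, and the extended list 101 sending 172.16.0.0/16 alone because only that prefix carries the mask 255.255.0.0.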

If using an extended access list to accomplish this type of filtering seems confusing to you, you are not alone. Improved user-friendliness was one of the factors that motivated Cisco to include the ip prefix-list command in IOS 12.0. This command is described in the next section.