🔹 CCNP-ENCOR V1.1 350-401 | Chapter 12: Advanced BGP Policies and Filtering 🔹

In this chapter, we’re diving into advanced BGP configurations, focusing on prefix filtering, route maps, community attributes, and AS path manipulation. These tools allow for greater control over BGP behavior and enhanced route selection, making them essential for ISPs and large networks that require precise traffic management. Let’s look at the tools and commands that will help you optimize BGP routing!

Why study these advanced topics? Because our companies need multi-homing (connectivity through more than one ISP). See the figure below to understand what we are talking about, why policies and filters are needed, and how they keep your company from becoming a transit AS for the rest of the world 🙂


1. 📏 Prefix Match Specifications and Prefix Lists

Prefix lists allow for granular filtering of IP prefixes in BGP. By specifying IP ranges and prefix lengths, you can control which prefixes are advertised or accepted by BGP neighbors.

The figure demonstrates a prefix match specification with the high-order bit pattern 10.0.0.0, a high-order bit count of 8, and a matching length between 22 and 26. In prefix-list syntax that is 10.0.0.0/8 ge 22 le 26: the first 8 bits must equal 00001010 and the prefix length must fall between 22 and 26.

The example below matches the RFC 1918 private address ranges. The first entry permits only /32 host routes inside 192.168.0.0/16, the second denies every other /32 host route, and the remaining three entries permit any prefix length inside the three private ranges (prefix lists are evaluated in sequence order and the first match wins):

  • ip prefix-list RFC1918 seq 5 permit 192.168.0.0/16 ge 32
  • ip prefix-list RFC1918 seq 10 deny 0.0.0.0/0 ge 32
  • ip prefix-list RFC1918 seq 15 permit 10.0.0.0/8 le 32
  • ip prefix-list RFC1918 seq 20 permit 172.16.0.0/12 le 32
  • ip prefix-list RFC1918 seq 25 permit 192.168.0.0/16 le 32
  • Creating a Prefix List: You can define prefixes with le (less than or equal) and ge (greater than or equal) to specify a range of matching prefix lengths.
    🔹 Router(config)# ip prefix-list MY-PREFIX-LIST seq 5 permit 192.168.0.0/16 le 24
  • Applying Prefix Lists to BGP Neighbors: Prefix lists can be applied to neighbors for inbound or outbound filtering.
    🔹 Router(config-router)# neighbor <ip_address> prefix-list MY-PREFIX-LIST in

This setup lets you limit the range of IP prefixes a BGP neighbor can advertise or accept, giving you control over specific IP ranges.
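To see the ge/le rules in action on the RFC1918 list above, here is an added example (my own Python, not Cisco code and not from the original page) that evaluates prefixes against IOS-style prefix-list lines. The parse_entry, entry_matches and evaluate names are this example's own, and the test prefixes are constructed.

```python
import ipaddress

# Added example (not Cisco code): a small evaluator that applies IOS prefix-list
# semantics so the ge/le rules can be checked against concrete prefixes.
#   - the candidate's high-order bits must equal the entry's prefix for the
#     entry's prefix length (the "high-order bit count");
#   - with neither ge nor le, the candidate length must equal that length;
#   - "ge N" is the minimum matching length, "le N" the maximum; a missing
#     ge defaults to the entry length, a missing le to 32;
#   - entries are tried in sequence order, first match wins, no match = deny.

def parse_entry(line):
    """Parse 'ip prefix-list NAME seq N permit|deny P/L [ge X] [le Y]'."""
    tok = line.split()
    seq, action = int(tok[4]), tok[5]
    net = ipaddress.ip_network(tok[6], strict=False)
    ge = le = None
    i = 7
    while i + 1 < len(tok):
        if tok[i] == "ge":
            ge = int(tok[i + 1])
        elif tok[i] == "le":
            le = int(tok[i + 1])
        i += 2
    return seq, action, net, ge, le


def entry_matches(entry, cand):
    _, _, net, ge, le = entry
    if cand.network_address not in net:       # high-order bits differ
        return False
    if ge is None and le is None:
        lo = hi = net.prefixlen                # exact-length match
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else net.max_prefixlen
    return lo <= cand.prefixlen <= hi


def evaluate(entries, prefix):
    """Return (action, seq) of the first matching entry; ('deny', None) if none."""
    cand = ipaddress.ip_network(prefix, strict=False)
    for entry in sorted(entries, key=lambda e: e[0]):
        if entry_matches(entry, cand):
            return entry[1], entry[0]
    return "deny", None


# The RFC1918 list from this chapter, fed in as configuration text.
RFC1918_CONFIG = """\
ip prefix-list RFC1918 seq 5 permit 192.168.0.0/16 ge 32
ip prefix-list RFC1918 seq 10 deny 0.0.0.0/0 ge 32
ip prefix-list RFC1918 seq 15 permit 10.0.0.0/8 le 32
ip prefix-list RFC1918 seq 20 permit 172.16.0.0/12 le 32
ip prefix-list RFC1918 seq 25 permit 192.168.0.0/16 le 32
"""
RFC1918 = [parse_entry(line) for line in RFC1918_CONFIG.splitlines()]


def rfc1918_decision(prefix):
    return evaluate(RFC1918, prefix)


if __name__ == "__main__":
    # Constructed test prefixes: 192.168/16 host routes pass (seq 5), every
    # other /32 is dropped (seq 10), shorter RFC 1918 routes pass (seq 15-25),
    # and anything else hits the implicit deny at the end of the list.
    for p in ("192.168.1.1/32", "10.1.1.1/32", "10.1.0.0/16", "172.20.0.0/14",
              "172.32.0.0/16", "192.168.0.0/16", "8.8.8.0/24"):
        print(p, rfc1918_decision(p))
```

Note how seq 10 (deny 0.0.0.0/0 ge 32) only ever matches /32 routes: the high-order bit count is 0, so every address passes the bit check, but the length range is 32 to 32.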

2. BGP Network Selection


Extended ACLs react differently when matching BGP routes than when matching IGP routes: the source fields match against the network portion of the route, and the destination fields match against the network mask, as shown below. Until the introduction of prefix lists, extended ACLs were the only match criteria used with BGP.


🔍 Regular Expressions in BGP (AS Path Filtering)

BGP supports AS path filtering with regular expressions, allowing you to describe AS path patterns. This is particularly useful for filtering routes based on the autonomous systems they have traversed.

  • Define an AS Path Access List: Use regular expressions to create AS path access lists for filtering.
    🔹 Router(config)# ip as-path access-list 10 permit ^65000_.*_65001$
  • Applying AS Path Filters to BGP Neighbors: Attach the AS path filter to a BGP session with the filter-list command.
    🔹 Router(config-router)# neighbor <ip_address> filter-list 10 out

With AS path filtering, you can specify which AS paths are allowed or denied, enhancing control over the paths that BGP routes can take.


3. 🔧 Route Map Syntax and Processing

Route maps in BGP provide conditional routing controls using match and set statements. They let you modify routes based on conditions like prefix lists, access lists, or AS paths.

  • Define a Route Map: Use route maps to match specific prefixes or AS paths, then modify the route attributes accordingly.
    🔹 Router(config)# route-map SET-POLICY permit 10
    🔹 Router(config-route-map)# match ip address prefix-list ALLOW-LIST
    🔹 Router(config-route-map)# set local-preference 200
  • Apply Route Maps to Neighbors: Attach route maps for inbound or outbound sessions to control the routes received or advertised.
    🔹 Router(config-router)# neighbor <ip_address> route-map SET-POLICY in

Route maps provide flexible control over routing policies, allowing you to customize route preferences and behaviors.


4. 🔄 Route Map Conditional Matching and Multiple Conditions

Route maps allow multiple match conditions for complex route control, where all specified conditions must be met for the actions to be applied.

  • Conditional Matching with Multiple Conditions: Add several match statements within a route map sequence.
    🔹 Router(config-route-map)# match ip address prefix-list ALLOW-LIST
    🔹 Router(config-route-map)# match as-path 10

This allows for conditional logic in route maps, enabling multi-criteria filtering and route adjustments.


5. 🚦 Route Map Optional Actions

Route maps offer several optional actions to modify BGP attributes like local preference, MED, and AS path.

  • Set Local Preference: Adjust the local preference to influence outbound route selection.
    🔹 Router(config-route-map)# set local-preference 150
  • Set MED: Use the MED attribute to suggest a preferred path for inbound traffic.
    🔹 Router(config-route-map)# set metric 50
  • AS Path Prepending: Make a route less attractive by adding AS numbers to the path.
    🔹 Router(config-route-map)# set as-path prepend 65000 65000

These actions provide fine control over route preferences for both incoming and outgoing traffic.


6. 🗂 BGP Prefix List Filtering

BGP prefix list filtering allows you to specify the exact IP prefixes allowed in BGP updates, providing precise control over which routes are advertised or accepted, in the inbound (in) or outbound (out) direction.

R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# ip prefix-list RFC1918 seq 5 permit 192.168.0.0/16 ge 32
R1(config)# ip prefix-list RFC1918 seq 10 deny 0.0.0.0/0 ge 32
R1(config)# ip prefix-list RFC1918 seq 15 permit 10.0.0.0/8 le 32
R1(config)# ip prefix-list RFC1918 seq 20 permit 172.16.0.0/12 le 32
R1(config)# ip prefix-list RFC1918 seq 25 permit 192.168.0.0/16 le 32
R1(config)# router bgp 65100
R1(config-router)# address-family ipv4 unicast
R1(config-router-af)# neighbor 10.12.1.2 prefix-list RFC1918 in

Prefix list filtering ensures only approved routes are advertised, optimizing routing tables and reducing unwanted traffic.


7. 📝 BGP Distribute List Filtering

Distribute lists allow you to apply access lists directly to BGP neighbors, filtering routes based on IP address criteria in the inbound (in) or outbound (out) direction.

The configuration below shows R1's BGP configuration, which demonstrates filtering with distribute lists. It uses an extended ACL named ACL-ALLOW that contains two entries. The first entry allows any prefix in the 192.168.0.0 to 192.168.255.255 range, but only with a /32 prefix length. The second entry allows prefixes that match the 100.64.x.0 pattern with a prefix length of /25, which demonstrates the wildcard abilities of an extended ACL with BGP. The distribute list is then applied inbound on the BGP session with R2.

R1
ip access-list extended ACL-ALLOW
 permit ip 192.168.0.0 0.0.255.255 host 255.255.255.255
 permit ip 100.64.0.0 0.0.255.0 host 255.255.255.128
!
router bgp 65100
 neighbor 10.12.1.2 remote-as 65200
 address-family ipv4
  neighbor 10.12.1.2 activate
  neighbor 10.12.1.2 distribute-list ACL-ALLOW in

Distribute lists provide simple and effective route filtering based on specific IP addresses or ranges.
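The "source matches the network, destination matches the mask" rule from section 2 is easy to get wrong, so here is an added example (my own Python, not Cisco code and not from the original page) that evaluates the ACL-ALLOW entries above against constructed prefixes. The parse_ace, ace_matches and distribute_list names are this example's own.

```python
import ipaddress

# Added example (not Cisco code): how an extended ACL is evaluated against a
# BGP route when it is applied as a distribute list. The ACL source field is
# compared with the route's network and the destination field with the route's
# subnet mask, each through its own wildcard mask (0 bits must match, 1 bits
# are ignored). "host X" is X with wildcard 0.0.0.0. The first matching entry
# decides; a route matching no entry is denied.

def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_ace(line):
    """Parse 'permit|deny ip SRC SRC_WC DST DST_WC', with 'host' shorthand."""
    tok = line.split()
    action = tok[0]              # tok[1] is the protocol, "ip" for route matching
    fields, i = [], 2
    for _ in range(2):
        if tok[i] == "host":
            fields.append((_as_int(tok[i + 1]), 0))
        else:
            fields.append((_as_int(tok[i]), _as_int(tok[i + 1])))
        i += 2
    return action, fields[0], fields[1]


def _wildcard_match(value, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF        # bits that must agree
    return (value & care) == (base & care)


def ace_matches(ace, route):
    """route is an IPv4Network: source<->network address, destination<->netmask."""
    _, (src, src_wc), (dst, dst_wc) = ace
    return (_wildcard_match(int(route.network_address), src, src_wc)
            and _wildcard_match(int(route.netmask), dst, dst_wc))


def distribute_list(acl, prefix):
    """Return 'permit' or 'deny' for a prefix in 'a.b.c.d/len' form."""
    route = ipaddress.ip_network(prefix, strict=False)
    for ace in acl:
        if ace_matches(ace, route):
            return ace[0]
    return "deny"


# ACL-ALLOW from this chapter, parsed from its two entries.
ACL_ALLOW = [parse_ace(line) for line in (
    "permit ip 192.168.0.0 0.0.255.255 host 255.255.255.255",
    "permit ip 100.64.0.0 0.0.255.0 host 255.255.255.128",
)]


def acl_allow_decision(prefix):
    return distribute_list(ACL_ALLOW, prefix)


if __name__ == "__main__":
    # Constructed prefixes: only 192.168/16 host routes and 100.64.x.0/25 pass.
    for p in ("192.168.1.1/32", "192.168.1.0/24", "100.64.7.0/25",
              "100.64.7.128/25", "100.64.7.0/24", "100.65.7.0/25"):
        print(p, acl_allow_decision(p))
```

The second entry is the interesting one: 100.64.7.0/25 passes, but 100.64.7.128/25 does not, because the wildcard 0.0.255.0 frees only the third octet of the network address while the fourth octet must still be 0.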

AS_Path ACL Filtering

Selecting routes from a BGP neighbor by using the AS_Path requires the definition of an AS_Path access control list (AS_Path ACL). Regular expressions, introduced earlier in this chapter, are a component of AS_Path filtering.

Example: advertising only routes originated in the local AS (an empty AS_Path, matched by the regular expression ^$)

R2
ip as-path access-list 1 permit ^$
!
router bgp 65200
 neighbor 10.12.1.1 remote-as 65100
 neighbor 10.23.1.3 remote-as 65300
 address-family ipv4 unicast
  neighbor 10.12.1.1 activate
  neighbor 10.23.1.3 activate
  neighbor 10.12.1.1 filter-list 1 out
  neighbor 10.23.1.3 filter-list 1 out
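The regular expressions from the AS-path section earlier in this chapter (^65000_.*_65001$) and from the R2 filter list above (^$) behave in ways that are worth testing before putting them on a production session. The following is an added example (my own Python, not Cisco code and not from the original page) that translates the IOS "_" metacharacter into a standard regex and runs the chapter's patterns against constructed AS_PATH strings; ios_to_python, as_path_matches and filter_list are names of this example's own.

```python
import re

# Added example (not Cisco code): translating IOS AS-path regular expressions
# into Python so the patterns used in this chapter can be tried against sample
# AS_PATH strings. IOS shows an AS_PATH as space-separated ASNs, and its "_"
# metacharacter matches the start or end of the string, a space, a comma, or a
# brace/parenthesis (AS_SET and confederation delimiters). That is what lets
# "_65200$" match the ASN 65200 and not the tail of 165200.

def ios_to_python(pattern):
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")


def as_path_matches(pattern, as_path):
    """as_path is the IOS string, e.g. '65300 65200'; '' for locally originated routes."""
    return re.search(ios_to_python(pattern), as_path) is not None


def filter_list(acl, as_path):
    """acl: list of (action, pattern) in order; first match wins, no match = deny."""
    for action, pattern in acl:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


# ip as-path access-list 1 permit ^$ (R2 above): only routes with an empty
# AS_PATH, i.e. routes originated inside AS 65200, are advertised.
AS_PATH_ACL_1 = [("permit", "^$")]


def r2_filter_list_out(as_path):
    return filter_list(AS_PATH_ACL_1, as_path)


if __name__ == "__main__":
    # Constructed AS_PATH strings as R2 holds them before prepending its own AS.
    for path in ("", "65100", "65100 65300"):
        print(repr(path), r2_filter_list_out(path))
    for pat in ("^65000_.*_65001$", "_65200$"):
        for path in ("65000 65100 65001", "65000 65001 65002", "65300 65200", "165200"):
            print(pat, repr(path), as_path_matches(pat, path))
```

Because the outbound filter is evaluated before R2 prepends 65200, a route R2 learned from AS 65100 carries the path "65100" and is dropped, while R2's own routes carry an empty path and pass. Without the "_" (plain 65200$), the pattern would also accept a path ending in 165200, which is the classic AS-path filter mistake.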

Route Map Filtering

R1
ip prefix-list FIRST-RFC1918 permit 192.168.0.0/16 le 32
ip as-path access-list 1 permit _65200$
ip prefix-list SECOND-CGNAT permit 100.64.0.0/10 le 32
!
route-map AS65200IN deny 10
 description Deny RFC1918 192.168.0.0/16 routes via Prefix List Matching
 match ip address prefix-list FIRST-RFC1918
!
route-map AS65200IN permit 20
 description Change local preference for AS65200 originated route in 100.64.x.x/10
 match ip address prefix-list SECOND-CGNAT
 match as-path 1
 set local-preference 222
!
route-map AS65200IN permit 30
 description Change the weight for AS65200 originated routes
 match as-path 1
 set weight 23456
!
route-map AS65200IN permit 40
 description Permit all other routes un-modified
!
router bgp 65100
 neighbor 10.12.1.2 remote-as 65200
 address-family ipv4 unicast
  neighbor 10.12.1.2 activate
  neighbor 10.12.1.2 route-map AS65200IN in
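Sections 3 and 4 describe how a route map is processed, and the AS65200IN policy above is a good one to trace by hand: the deny in sequence 10, the two-clause AND in sequence 20, and the catch-all in sequence 40. Here is an added example (my own Python, not Cisco code and not from the original page) that encodes those IOS processing rules and runs the AS65200IN route map over constructed routes. The apply_route_map and sequence_matches names, the route dict layout, and the "le 32"-only prefix-list shortcut are this example's own assumptions.

```python
import ipaddress
import re

# Added example (not Cisco code): a route-map processor that follows the IOS
# rules this chapter relies on: sequences are tried in order; every match
# clause in a sequence must succeed (logical AND across clauses); the first
# matching sequence decides; "deny" drops the route; "permit" applies the set
# clauses; a sequence with no match clause matches everything; and a route
# that matches no sequence is dropped (implicit deny).
# The prefix lists used by AS65200IN are all "X/Y le 32" entries, so a prefix
# matches when it lies inside X/Y. AS-path patterns use the IOS "_" metacharacter.

def in_prefix_list(prefix_list, prefix):
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in prefix_list)


def as_path_matches(pattern, as_path):
    return re.search(pattern.replace("_", r"(?:^|$|[ ,{}()])"), as_path) is not None


PREFIX_LISTS = {
    "FIRST-RFC1918": ["192.168.0.0/16"],
    "SECOND-CGNAT": ["100.64.0.0/10"],
}
AS_PATH_ACLS = {1: "_65200$"}

# (seq, action, match clauses, set clauses), transcribed from route-map AS65200IN.
AS65200IN = [
    (10, "deny",   {"prefix-list": "FIRST-RFC1918"}, {}),
    (20, "permit", {"prefix-list": "SECOND-CGNAT", "as-path": 1}, {"local_pref": 222}),
    (30, "permit", {"as-path": 1}, {"weight": 23456}),
    (40, "permit", {}, {}),
]


def sequence_matches(matches, route):
    """All clauses must match; an empty clause set matches any route."""
    for kind, ref in matches.items():
        if kind == "prefix-list" and not in_prefix_list(PREFIX_LISTS[ref], route["prefix"]):
            return False
        if kind == "as-path" and not as_path_matches(AS_PATH_ACLS[ref], route["as_path"]):
            return False
    return True


def apply_route_map(route_map, route):
    """Return (seq, updated route), or (seq, None) when the route is dropped."""
    for seq, action, matches, sets in route_map:
        if sequence_matches(matches, route):
            if action == "deny":
                return seq, None
            updated = dict(route)
            updated.update(sets)
            return seq, updated
    return None, None            # implicit deny at the end of the route map


def received_from_as65200(prefix, as_path):
    # Constructed inbound route with IOS default attributes.
    return {"prefix": prefix, "as_path": as_path, "local_pref": 100, "weight": 0}


if __name__ == "__main__":
    for prefix, path in (("192.168.10.0/24", "65200"), ("100.64.1.0/24", "65200"),
                         ("100.64.1.0/24", "65200 65300"), ("10.1.1.0/24", "65200")):
        print(prefix, repr(path), apply_route_map(AS65200IN, received_from_as65200(prefix, path)))
```

The third sample route is the instructive one: 100.64.1.0/24 with path "65200 65300" is inside SECOND-CGNAT, but _65200$ does not match a path that ends in 65300, so sequence 20's AND fails, sequence 30 fails for the same reason, and the route falls through to the unmodified permit in sequence 40.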


8. 🧭 BGP Communities for Neighbors

BGP communities allow routers to tag routes with specific community values, simplifying route management and enabling policy-based routing.

  • Enable BGP Community Support: IOS does not send community attributes to a neighbor by default, so enable it per neighbor.
    🔹 Router(config-router)# neighbor <ip_address> send-community
  • Set Community Values: Assign community tags to routes for policy enforcement.
    🔹 Router(config-route-map)# set community 65000:100

BGP communities make route tagging and policy application easy and scalable, especially in large networks.


9. 🏠 BGP Private Communities

Private BGP communities are often used for internal routing policies, helping organizations manage traffic within their network.

  • Define a Community List: Create a community list for specific routing policies.
    🔹 Router(config)# ip community-list standard PRIVATE-COMMUNITY permit 65000:100
  • Apply Community List to Route Maps: Use route maps to filter or tag routes based on community membership.
    🔹 Router(config)# route-map PRIVATE-ROUTES permit 10
    🔹 Router(config-route-map)# match community PRIVATE-COMMUNITY

Private communities help manage routes within an AS, supporting organizational routing policies.

Following are four common well-known communities:

  • Internet: This is a standardized community for identifying routes that should be advertised on the Internet. In larger networks that deploy BGP into the core, routes that are meant to be advertised to the Internet should carry this community, which lets the edge BGP routers advertise to the Internet only the routes tagged with it. Filtering is not automatic but can be done with an outbound route map.
  • No_Advertise: Routes with this community are not advertised to any BGP peer (iBGP or eBGP).
  • Local-AS: Routes with this community are not advertised to an eBGP peer but can be advertised to BGP confederation peers. BGP confederation peers are considered outside the scope of the exam.
  • No_Export: When a route with this community is received, the route is not advertised to any eBGP peer. Routes with this community can be advertised to iBGP peers.

Matching a community list

R1
ip community-list 100 permit 333:333
!
route-map COMMUNITY-CHECK deny 10
 description Block Routes with Community 333:333 in it
 match community 100
route-map COMMUNITY-CHECK permit 20
 description Allow routes with either community in it
 set weight 111
!
router bgp 65100
 address-family ipv4 unicast
  neighbor 10.12.1.2 route-map COMMUNITY-CHECK in

Setting communities

ip prefix-list PREFIX10.23.1.0 seq 5 permit 10.23.1.0/24
ip prefix-list PREFIX10.3.3.0 seq 5 permit 10.3.3.0/24
!
route-map SET-COMMUNITY permit 10
 match ip address prefix-list PREFIX10.23.1.0
 set community 10:23
route-map SET-COMMUNITY permit 20
 match ip address prefix-list PREFIX10.3.3.0
 set community 3:0 3:3 10:10 additive
route-map SET-COMMUNITY permit 30
!
router bgp 65100
 address-family ipv4
  neighbor 10.12.1.2 route-map SET-COMMUNITY in
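Sections 8 and 9 and the two configurations above cover community encoding, the well-known communities, matching a community list and the difference that "additive" makes on set community. The following is an added example (my own Python, not Cisco code and not from the original page) that models all of that and runs the COMMUNITY-CHECK and SET-COMMUNITY policies over constructed routes. The function names and route dict layout are this example's own, and the export check only distinguishes iBGP from eBGP peers (confederations are left out, as the chapter does).

```python
# Added example (not Cisco code): standard BGP communities as the 32-bit values
# they encode, the four well-known values, the effect of "additive" on
# "set community", and the COMMUNITY-CHECK and SET-COMMUNITY policies from this
# chapter applied to constructed routes. A peer is either "ibgp" or "ebgp".

INTERNET = 0x00000000
NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02
LOCAL_AS = 0xFFFFFF03          # NO_EXPORT_SUBCONFED in RFC 1997
WELL_KNOWN = {"internet": INTERNET, "no-export": NO_EXPORT,
              "no-advertise": NO_ADVERTISE, "local-as": LOCAL_AS}


def parse_community(text):
    """'65100:200' -> 32-bit value (ASN in the high 16 bits); keywords allowed."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    asn, value = (int(x) for x in text.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError(f"bad community {text}")
    return (asn << 16) | value


def format_community(value):
    return f"{value >> 16}:{value & 0xFFFF}"


def set_community(route, values, additive=False):
    """IOS 'set community V... [additive]': replaces the set unless additive."""
    new = {parse_community(v) for v in values}
    out = dict(route)
    out["communities"] = (route["communities"] | new) if additive else new
    return out


def community_list_matches(clist, route):
    """Standard community list: an entry matches when all of its values are present."""
    for action, values in clist:
        if {parse_community(v) for v in values} <= route["communities"]:
            return action == "permit"
    return False


def may_advertise(route, peer_type):
    """Apply the well-known communities before sending to an 'ibgp' or 'ebgp' peer."""
    c = route["communities"]
    if NO_ADVERTISE in c:
        return False
    if peer_type == "ebgp" and (NO_EXPORT in c or LOCAL_AS in c):
        return False
    return True


COMMUNITY_LIST_100 = [("permit", ["333:333"])]


def community_check(route):
    """route-map COMMUNITY-CHECK: deny 333:333, otherwise permit with weight 111."""
    if community_list_matches(COMMUNITY_LIST_100, route):
        return None                      # sequence 10: deny
    out = dict(route)
    out["weight"] = 111                  # sequence 20: permit, set weight
    return out


def set_community_policy(route):
    """route-map SET-COMMUNITY; the two prefix lists are exact /24 matches."""
    if route["prefix"] == "10.23.1.0/24":
        return set_community(route, ["10:23"])                        # replaces
    if route["prefix"] == "10.3.3.0/24":
        return set_community(route, ["3:0", "3:3", "10:10"], additive=True)
    return dict(route)                                                # sequence 30


def community_names(route):
    return sorted(format_community(c) for c in route["communities"])


if __name__ == "__main__":
    # Constructed routes that each arrive carrying the community 65200:1.
    for prefix in ("10.23.1.0/24", "10.3.3.0/24", "10.9.9.0/24"):
        r = {"prefix": prefix, "communities": {parse_community("65200:1")}}
        print(prefix, community_names(set_community_policy(r)))
```

Run it and the point of "additive" is visible immediately: 10.23.1.0/24 loses the 65200:1 tag it arrived with, while 10.3.3.0/24 keeps it alongside the three new values.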


10. 🔍 Understanding BGP Path Selection

🍊 BGP Path Selection: “We Love Orangies as Oranges Means Pure Refreshment” 🍊

In the world of Border Gateway Protocol (BGP), path selection can sometimes feel tricky! But don’t worry, I’ve got a fun and memorable way to help you remember the main attributes BGP uses to select the best path.

We use the phrase “We Love Orangies as Oranges Means Pure Refreshment” to represent these attributes. Let’s break it down and look at what each one does, including its classification as optional or mandatory, transitive or not, and whether it’s discretionary.

1. Weight (We)

  • Type: Cisco-specific, not part of the BGP standard.
  • Optional, non-transitive
  • Description: Weight is a local attribute to Cisco devices (locally significant), influencing path selection. The higher the weight, the more preferable the path.

2. Local Preference (Love)

  • Type: Well-known, discretionary
  • Description: Determines the preferred exit path for a BGP router. It is used to select the best path for outbound traffic. Higher values are preferred.

3. Originate (Oranges)

  • Type: Well-known, mandatory
  • Description: Locally originated paths are preferred. A route that this router injected into BGP shows a next hop of 0.0.0.0 in the BGP table, which tells you it was sourced here 🙂

4. AS-Path (as)

  • Type: Well-known, mandatory
  • Description: This is a list of the Autonomous Systems (AS) that the route has passed through. Shorter AS-Paths are generally preferred.

5. Origin Types (Oranges)

  • Type: Well-known, mandatory
  • Description: Indicates how the route was injected into BGP. Origin i (IGP, from the network command) is preferred over ? (incomplete, from redistributed routes).

6. Multi-Exit Discriminator (MED) (Means)

  • Type: Optional, non-transitive, discretionary
  • Description: MED is used to influence incoming traffic from neighboring ASes. Lower values are preferred, but it is non-transitive and only shared with direct neighbors.

7. Paths (Pure)

  • Description: Prefer eBGP-learned paths over iBGP-learned paths.

8. Route ID (Refreshment)

  • The lowest router ID is the best.

By remembering the phrase “We Love Orangies as Oranges Means Pure Refreshment,” you can recall the key attributes BGP uses to make path selection decisions.
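The mnemonic orders the comparison steps, and the important property is that each step only breaks ties left by the one before it. Here is an added example (my own Python, not Cisco code and not from the original page) that writes the eight steps as a sort key and reports which step decided the winner for a set of constructed candidate paths. The field names and the sample paths are this example's own; it simplifies MED to an always-compare check and leaves out the later IOS tie-breakers (oldest path, cluster list length, neighbor address).

```python
# Added example (not Cisco code): the best-path comparison in the order the
# mnemonic gives it, expressed as a sort key so that each step only breaks
# ties left by the previous one. Candidate paths are constructed dicts whose
# field names are this example's own. Simplifications: MED is compared across
# all candidates (IOS compares it only between paths from the same neighboring
# AS unless configured otherwise), and the later IOS tie-breakers are omitted.

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP preferred over EGP over incomplete
STEPS = ["weight", "local_pref", "locally_originated", "as_path_length",
         "origin", "med", "ebgp_over_ibgp", "router_id"]


def router_id_key(rid):
    return tuple(int(o) for o in rid.split("."))


def path_key(p):
    return (
        -p["weight"],                             # 1. highest weight
        -p["local_pref"],                         # 2. highest local preference
        0 if p["locally_originated"] else 1,      # 3. locally originated first
        len(p["as_path"]),                        # 4. shortest AS_PATH
        ORIGIN_RANK[p["origin"]],                 # 5. origin i < e < ?
        p["med"],                                 # 6. lowest MED
        0 if p["peer_type"] == "ebgp" else 1,     # 7. eBGP over iBGP
        router_id_key(p["router_id"]),            # 8. lowest router ID
    )


def best_path(paths):
    return min(paths, key=path_key)


def deciding_step(paths):
    """Name the first step at which the winner beats the runner-up."""
    keys = sorted(path_key(p) for p in paths)
    if len(keys) < 2:
        return "only path"
    for name, a, b in zip(STEPS, keys[0], keys[1]):
        if a != b:
            return name
    return "tie"


def sample_paths():
    # Constructed candidates for one prefix, all with IOS defaults otherwise.
    base = dict(weight=0, local_pref=100, locally_originated=False,
                origin="i", med=0, peer_type="ebgp")
    return [
        {**base, "name": "via-65200", "as_path": [65200], "router_id": "10.2.2.2"},
        {**base, "name": "via-65300", "as_path": [65300, 65200],
         "router_id": "10.3.3.3", "local_pref": 200},
        {**base, "name": "via-ibgp", "as_path": [65200], "router_id": "10.1.1.9",
         "peer_type": "ibgp"},
    ]


if __name__ == "__main__":
    paths = sample_paths()
    print(best_path(paths)["name"], "wins on", deciding_step(paths))
```

With the sample data the longer path through AS 65300 wins on local preference, which is exactly the kind of outcome that surprises people who expect the shortest AS_PATH to win: AS_PATH length is only consulted after weight, local preference and local origination have all tied.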


In Chapter 12, we’ve explored a range of advanced BGP configurations, from prefix and distribute lists to route maps and community-based policies. These tools allow you to fine-tune routing, implement conditional logic, and ensure resiliency in your network, providing greater control over traffic paths and behavior. Use these commands to optimize your network’s BGP performance and enhance its resilience!
