
How to configure BGP With Peer-group and Filtering Routing in IOS

Problem:

How to configure BGP With Peer-group and Filtering Routing in IOS



Solution:


We are going to set up a peering session from AS 65500 with AS 65000, and we are going to announce the prefix 10.0.0.0/8.

We have the IP address 172.16.1.200, while our peer has the IP address 172.16.1.1.

There are different ways of filtering routes in IOS, but we’re going to focus on filtering with prefix-lists.

First enter global configuration mode by entering: ISP# conf t

To create a BGP process with AS number 65500 enter: ISP(config)# router bgp 65500

The following commands will create a peer group named IXPeers which will use the prefix-list announceAS65500 for outbound announcements.

ISP(config-router)#neighbor IXPeers peer-group
ISP(config-router)#neighbor IXPeers prefix-list announceAS65500 out

Ideally, you should use an individual prefix-list for each of your peers to control inbound announcements to your autonomous system, but as this also means large administrative overhead, you can instead set a maximum-prefix limit for the peer group IXPeers.

Config: ISP(config-router)#neighbor IXPeers maximum-prefix 10

Set this to a number of prefixes you are comfortable accepting from your peers; it is also a judgement of how much you trust your peers.

You can set an individual maximum-prefix for each peer by entering it in the neighbor statement for the peer in question.

(for example: Config: neighbor 10.20.30.40 maximum-prefix 50)

Now we are going to enter a static null route for the prefix 10.0.0.0/8, redistribute it into BGP, and create the prefix-list announceAS65500.

This static route to the virtual Null interface will also effectively blackhole any traffic destined for a nonexistent subnet in your network.

We are also going to add static routes for two more prefixes, so we can verify that the filtering works. (PS! You can apply a route map on the redistribute command to filter which prefixes should enter the BGP table at all.)

ISP(config)#ip route 10.0.0.0 255.0.0.0 null 0
ISP(config)#ip route 192.168.0.0 255.255.255.0 null 0
ISP(config)#ip route 192.168.8.0 255.255.254.0 null 0
ISP(config)#ip prefix-list announceAS65500 seq 5 permit 10.0.0.0/8
ISP(config)#router bgp 65500
ISP(config-router)#redistribute static

You can now verify that the prefix 10.0.0.0/8 exists in your local BGP table.

ISP#sh ip bgp 10.0.0.0/8
BGP routing table entry for 10.0.0.0/8, version 4
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
Not advertised to any peer
Local
0.0.0.0 from 0.0.0.0 (172.16.1.200)
Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best

Enter BGP configuration again with router bgp 65500 in global configuration mode, and configure the peering session:

ISP(config-router)#neighbor 172.16.1.1 remote-as 65000
ISP(config-router)#neighbor 172.16.1.1 peer-group IXPeers
*Sep 6 04:43:21.207: %BGP-5-ADJCHANGE: neighbor 172.16.1.1 Up

The peering session is now established. Let us verify on the IXPeer side which prefixes are announced. (PS! This only works with the neighbor 172.16.1.200 soft-reconfiguration inbound command in the BGP configuration on the IX-Peer router.)

IX-Peer#sh ip bgp neighbor 172.16.1.200 received-routes | include *>
*> 10.0.0.0 172.16.1.200 0 0 65500 ?

Voila, the only network announced from 65500 is now 10.0.0.0/8!

You can now modify the prefix-list to allow other prefixes to be announced:

ISP(config)#ip prefix-list announceAS65500 seq 10 permit 192.168.0.0/24
ISP#clear ip bgp 172.16.1.1 soft out

And verification from the IXPeer:

IX-Peer#sh ip bgp neighbor 172.16.1.200 received-routes | include *>

*> 10.0.0.0 172.16.1.200 0 0 65500 ?
*> 192.168.0.0 172.16.1.200 0 0 65500 ?
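To check an outbound filter before a session comes up, the following added example (not part of the original article) models how a prefix-list is evaluated against the redistributed static routes: entries are tried in sequence order, an entry without ge/le matches only the exact prefix length, and a route that matches no entry is denied. The function names are hypothetical, and the sketch assumes the named prefix-list is defined in the config with explicit seq numbers.

```python
import ipaddress
import re

# Constructed sample: the static routes and prefix-list entry from this walkthrough.
CONFIG = """\
ip route 10.0.0.0 255.0.0.0 null 0
ip route 192.168.0.0 255.255.255.0 null 0
ip route 192.168.8.0 255.255.254.0 null 0
ip prefix-list announceAS65500 seq 5 permit 10.0.0.0/8
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) ", re.M)
PLIST_RE = re.compile(
    r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?\s*$", re.M)

def static_routes(config):
    """Return the networks of all 'ip route' statements."""
    return [ipaddress.ip_network(f"{net}/{mask}")
            for net, mask in ROUTE_RE.findall(config)]

def prefix_list(config, name):
    """Return the entries of one prefix-list, ordered by sequence number."""
    entries = []
    for n, seq, action, pfx, ge, le in PLIST_RE.findall(config):
        if n == name:
            net = ipaddress.ip_network(pfx)
            # Without ge/le an entry matches only the exact prefix length.
            lo = int(ge) if ge else net.prefixlen
            hi = int(le) if le else (32 if ge else net.prefixlen)
            entries.append((int(seq), action, net, lo, hi))
    return sorted(entries)

def permitted(route, entries):
    """First matching entry decides; no match in a defined list is a deny."""
    for _seq, action, net, lo, hi in entries:
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

def announced(config, name):
    """Static routes that would pass the outbound prefix-list."""
    entries = prefix_list(config, name)
    return [str(r) for r in static_routes(config) if permitted(r, entries)]

if __name__ == "__main__":
    print(announced(CONFIG, "announceAS65500"))
```

Running it against a saved configuration shows which static routes would leave the AS if the list were applied outbound, which is useful for catching an overly broad ge/le range before peers see it.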
