How to configure BGP With Peer-group and Filtering Routing in IOS
Posted by Anbu
Published on Sunday, February 17, 2013
Problem:
How to configure BGP With Peer-group and Filtering Routing in IOS
Solution:
We are going to set up a peering session from AS 65500 with AS 65000, and we are going to announce the prefix 10.0.0.0/8.
We have the IP address 172.16.1.200, while our peer has the IP address 172.16.1.1.
There are different ways of filtering routes in IOS, but we’re going to focus on filtering with prefix-lists.
First enter global configuration mode by entering: ISP# conf t
To create a BGP process with AS number 65500 enter: ISP(config)# router bgp 65500
The following commands will create a peer group named IXPeers which will use the prefix-list announceAS65500 for outbound announcements.
ISP(config-router)#neighbor IXPeers peer-group
ISP(config-router)#neighbor IXPeers prefix-list announceAS65500 out
Ideally you should use an individual prefix-list for each of your peers to control inbound announcements to your autonomous system, but as this also means a large administrative overhead, you can instead set a maximum-prefix limit for the peer group IXPeers.
Config: ISP(config-router)#neighbor IXPeers maximum-prefix 10
Set this to the number of prefixes you are comfortable accepting from your peers; it is also a judgement of how much you trust your peers.
You can set an individual maximum-prefix for each peer by entering it in the neighbor statement for the peer in question.
(for example: Config: neighbor 10.20.30.40 maximum-prefix 50)
Now we are going to enter a static null route for the prefix 10.0.0.0/8, redistribute it into BGP, and create the prefix-list announceAS65500.
This static route to the virtual Null interface will also effectively blackhole any traffic destined for a non-existent subnet in your network.
We are also going to add static routes for two more prefixes, so we can verify that the filtering works. (PS! You can apply a route map on the redistribute command to filter which prefixes should enter the BGP table at all.)
ISP(config)#ip route 10.0.0.0 255.0.0.0 null 0
ISP(config)#ip route 192.168.0.0 255.255.255.0 null 0
ISP(config)#ip route 192.168.8.0 255.255.254.0 null 0
ISP(config)#ip prefix-list announceAS65500 seq 5 permit 10.0.0.0/8
ISP(config)#router bgp 65500
ISP(config-router)#redistribute static
You can now verify that the prefix 10.0.0.0/8 exists in your local BGP table.
ISP#sh ip bgp 10.0.0.0/8
BGP routing table entry for 10.0.0.0/8, version 4
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
Not advertised to any peer
Local
0.0.0.0 from 0.0.0.0 (172.16.1.200)
Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
Enter BGP configuration again with router bgp 65500 in global configuration mode, and configure the peering session:
ISP(config-router)#neighbor 172.16.1.1 remote-as 65000
ISP(config-router)#neighbor 172.16.1.1 peer-group IXPeers
*Sep 6 04:43:21.207: %BGP-5-ADJCHANGE: neighbor 172.16.1.1 Up
The peering session is now established; let us verify on the IXPeer side which prefixes are announced. (PS! This only works with the neighbor 172.16.1.200 soft-reconfiguration inbound command in the BGP configuration.)
IX-Peer#sh ip bgp neighbor 172.16.1.200 received-routes | include *>
*> 10.0.0.0 172.16.1.200 0 0 65500 ?
Voila, the only network announced from 65500 is now 10.0.0.0/8!
You can now modify the prefix-list to allow other prefixes to be announced:
ISP(config)#ip prefix-list announceAS65500 seq 10 permit 192.168.0.0/24
ISP#clear ip bgp 172.16.1.1 soft out
And verification from the IXPeer:
IX-Peer#sh ip bgp neighbor 172.16.1.200 received-routes | include *>
*> 10.0.0.0 172.16.1.200 0 0 65500 ?
*> 192.168.0.0 172.16.1.200 0 0 65500 ?
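An added example (not part of the original post): a small Python model of how the announceAS65500 prefix-list is evaluated against the three redistributed static routes, which lets you check what a prefix-list change will announce before running clear ip bgp 172.16.1.1 soft out. It goes slightly beyond the post by also handling the ge/le keywords; it covers IPv4 only, and the function names are made up for illustration.

```python
import ipaddress
import re

# Constructed input: the prefix-list entries and static routes used in the post.
PREFIX_LIST = """\
ip prefix-list announceAS65500 seq 5 permit 10.0.0.0/8
ip prefix-list announceAS65500 seq 10 permit 192.168.0.0/24
"""
STATIC_ROUTES = ["10.0.0.0/8", "192.168.0.0/24", "192.168.8.0/23"]

LINE_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?"
)

def parse_prefix_list(text, name):
    """Return the named list's entries, sorted by sequence number."""
    entries = []
    for m in LINE_RE.finditer(text):
        if m.group(1) != name:
            continue
        net = ipaddress.ip_network(m.group(4))
        ge = int(m.group(5)) if m.group(5) else None
        le = int(m.group(6)) if m.group(6) else None
        # Without ge/le an entry matches that exact prefix length only.
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        entries.append((int(m.group(2)), m.group(3), net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries, route):
    """First matching entry decides; no match falls through to the implicit deny."""
    r = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in entries:
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action, seq
    return "deny", None

def announced(text, name, routes):
    """Routes that would pass the named prefix-list applied outbound."""
    entries = parse_prefix_list(text, name)
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]

if __name__ == "__main__":
    for route in STATIC_ROUTES:
        entries = parse_prefix_list(PREFIX_LIST, "announceAS65500")
        print(route, evaluate(entries, route))
```

Note that permit 10.0.0.0/8 with no le keyword matches only the /8 itself, so a more specific route such as 10.1.0.0/16 would be stopped by the implicit deny.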