Route Filtering in BGP

Because BGP focuses on administrative control of routing, it's only natural that it should have vast filtering capabilities—and it does have vast filtering capabilities! This is, in fact, one of the most confusing areas of configuring BGP. The following sections discuss the filtering capabilities of BGP via route maps, set and match statements, prefix lists, and distribution lists.

Figure D-6. Next Hop on a Multi-Access Network


Filtering with Route Maps

Filtering in BGP on Cisco routers is typically done using route maps, which are constructed as a set of matches and sets within a sequence. The matches, for filtering, specify the condition that a prefix must match in order to be considered. The set statement determines what is to be done to the prefix once it's determined that the prefix matches.

The sequences represent the order in which route-map statements are checked, much like BASIC line numbers represented program execution order (if you've ever used the original BASIC). A typical route map is constructed something like the following:


route-map filter permit 10
 match something
 set something
route-map filter permit 20
 match something
 set something

In the route map named filter, the permit sequence 10 will be evaluated before the permit sequence 20.

Filtering with Sets and Matches

To give you a better idea of the type of filtering that can be done with a route map, here is a short list of possible matches that can be configured as options of the match command:

  • ip address— Matches either the IP address listed or the IP addresses permitted by the listed access list.

  • as-path— Matches the path listed in an as-path list.

  • community-list— Matches a given community string from within a community list.

  • metric— Matches a given MED value.

If the prefix advertised is permitted by the condition in the match statement, then a set may be applied. Some possible set statements used to alter the prefix are

  • set community— Sets the community string associated with the prefix.

  • set metric— Sets the MED associated with the prefix.

  • set local-preference— Sets the local preference associated with this prefix.

  • set weight— Sets the administrative weight associated with the prefix.

  • set origin— Sets the BGP origin code.

  • set as-path prepend— Prepends extra hops onto the AS path.

These various combinations allow you to filter (or classify) prefixes advertised by a neighbor and then set various aspects of that prefix. The administrator has very fine control over what path is chosen through the network.

Filtering with Prefix Lists

BGP also supports the use of prefix lists for filtering the destinations received from or advertised to a peer. A prefix list can be configured either in a way similar to a route map (with sequence numbers within the given prefix list being used to determine the order of evaluation) or in a way similar to access lists (with the order of operation being determined by the order of configuration). For example, to filter all of the private address space out of advertisements to a peer, you could use:


! "le 32" makes each entry match the block and every longer prefix inside it;
! without it, only the exact /8, /12 or /16 would be denied
ip prefix-list noprivates deny 10.0.0.0/8 le 32
ip prefix-list noprivates deny 172.16.0.0/12 le 32
ip prefix-list noprivates deny 192.168.0.0/16 le 32
! 0.0.0.0/0 le 32 is the prefix-list form of "permit any"
ip prefix-list noprivates permit 0.0.0.0/0 le 32
!
router bgp 100
 ! 192.0.2.1 is a placeholder peer address
 neighbor 192.0.2.1 prefix-list noprivates out

Filtering with Distribution Lists

Prefixes accepted from or advertised to a neighbor can also be controlled using distribution lists. Standard access lists used as distribution lists operate as expected, blocking those prefixes denied and allowing those prefixes permitted.

Extended access lists, however, can be used to filter based on the subnet mask as well as the destination network. The standard form of the extended access list is


access-list number {permit|deny} protocol source wildcard destination wildcard

There are further options dealing with protocol types and/or port numbers not listed here, as well as some keywords. When using an extended access list as a BGP distribution list, however, the syntax becomes


access-list number {permit|deny} ip network wildcard subnet-mask wildcard

This allows you to configure a distribution list that filters out all destinations in the 10.0.0.0 network with a prefix length greater than 24 bits, for example:


access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0
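As an added illustration (not from the book and not IOS code), a small Python evaluator for the two mechanisms above: prefix-list matching with ge/le bounds, and an extended access list used as a distribute list, fed the noprivates list and access-list 101 as constructed inputs. It also shows the caveat that a prefix-list entry without "le 32" matches only the exact prefix, so more-specific private routes would still pass.

```python
import ipaddress

def _wc_match(value: int, ref: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return value & care == ref & care

def _addr(text: str) -> int:
    return int(ipaddress.ip_address(text))

def prefix_list_permits(entries, prefix: str) -> bool:
    """IOS-style prefix list: entries checked in order, first match wins,
    no match is an implicit deny. Entry = (action, network, ge, le);
    ge/le of None mean the keyword was not given."""
    p = ipaddress.ip_network(prefix)
    for action, network, ge, le in entries:
        n = ipaddress.ip_network(network)
        low = ge if ge is not None else n.prefixlen
        high = le if le is not None else (32 if ge is not None else n.prefixlen)
        if p.subnet_of(n) and low <= p.prefixlen <= high:
            return action == "permit"
    return False

def distribute_list_permits(entries, prefix: str) -> bool:
    """Extended ACL used as a BGP distribute list: the 'source' pair is
    matched against the network, the 'destination' pair against the mask."""
    p = ipaddress.ip_network(prefix)
    for action, net, net_wc, mask, mask_wc in entries:
        if (_wc_match(int(p.network_address), _addr(net), _addr(net_wc))
                and _wc_match(int(p.netmask), _addr(mask), _addr(mask_wc))):
            return action == "permit"
    return False

# Constructed entries mirroring the examples on this page
# ("permit any" is written as 0.0.0.0/0 le 32).
NOPRIVATES_EXACT = [
    ("deny", "10.0.0.0/8", None, None), ("deny", "172.16.0.0/12", None, None),
    ("deny", "192.168.0.0/16", None, None), ("permit", "0.0.0.0/0", None, 32),
]
NOPRIVATES_LE32 = [(a, n, g, 32) for a, n, g, _ in NOPRIVATES_EXACT]
ACL_101 = [("permit", "10.0.0.0", "0.255.255.255", "0.0.0.0", "255.255.255.0")]

if __name__ == "__main__":
    for pfx in ("10.0.0.0/8", "10.1.0.0/16", "192.168.1.0/24", "203.0.113.0/24"):
        print(pfx, "exact:", prefix_list_permits(NOPRIVATES_EXACT, pfx),
              "le32:", prefix_list_permits(NOPRIVATES_LE32, pfx))
    for pfx in ("10.1.0.0/16", "10.1.2.0/24", "10.1.2.0/25", "192.0.2.0/24"):
        print(pfx, "acl 101:", distribute_list_permits(ACL_101, pfx))
```

Run it and 10.1.0.0/16 is permitted by the exact-match list but denied once "le 32" is present; access-list 101 permits /24 and shorter inside 10.0.0.0/8 and drops /25 through the implicit deny.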
