BGP Route Filtering

Published by Joe Conklin on

What is route filtering and why to use it?

In the context of network routing, route filtering is the process by which certain routes are not considered for inclusion in the local route database, or not advertised to one’s neighbours. Route filtering is particularly important for use on large networks or on the Internet where it is used for a variety of reasons. To facilitate route filtering a distribute-list is used to control routing updates either coming to or from a router.

In the example below we will configure only 3 routers that will all participate in dynamic routing. However, behind each router eight unique networks will exist. These networks will only be used for the demonstration but are designed in such a way that makes summarization very easy. For example we are using 172.16.0.0-172.16.7.0 that can easily be summarized as 172.16.0.0 255.255.248.0 or /21 or further subnetted into smaller address spaces such as 172.16.0.0 255.255.252.0 or /22.

Steps to configure route filtering

Step 1: Configure all applicable network interfaces. To simulate networks behind each router will be create dot1q vlan sub-interfaces on FastEthernet0/0.

R1(config)#interface FastEthernet0/0.1
R1(config-subif)#encapsulation dot1Q 1
R1(config-subif)#ip address 172.16.0.1 255.255.255.0
!
R1(config)#interface FastEthernet0/0.2
R1(config-subif)#encapsulation dot1Q 2
R1(config-subif)#ip address 172.16.1.1 255.255.255.0
!
R1(config)#interface FastEthernet0/0.3
R1(config-subif)#encapsulation dot1Q 3
R1(config-subif)#ip address 172.16.2.1 255.255.255.0
!
R1(config)#interface FastEthernet0/0.4
R1(config-subif)#encapsulation dot1Q 4
R1(config-subif)#ip address 172.16.3.1 255.255.255.0
!
R1(config)#interface FastEthernet0/0.5
R1(config-subif)#encapsulation dot1Q 5
R1(config-subif)#ip address 172.16.4.1 255.255.255.0
!
R1(config)#interface FastEthernet0/0.6
R1(config-subif)#encapsulation dot1Q 6
R1(config-subif)#ip address 172.16.5.1 255.255.255.0
!
R1(config)#interface FastEthernet0/0.7
R1(config-subif)#encapsulation dot1Q 7
R1(config-subif)#ip address 172.16.6.1 255.255.255.0
!
R1(config)#interface FastEthernet0/0.8
R1(config-subif)#encapsulation dot1Q 8 native
R1(config-subif)#ip address 172.16.7.1 255.255.255.0
!
R1(config)#interface FastEthernet1/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
!
R1(config)#interface FastEthernet1/1
R1(config-if)#ip address 10.1.1.5 255.255.255.252

Step 2: Configure a BGP routing process, advertise all applicable networks and define neighbors.

R1(config)#router bgp 65011
R1(config-router)#network 10.1.1.0 mask 255.255.255.252
R1(config-router)#network 10.1.4.0 mask 255.255.255.252
R1(config-router)#network 172.16.0.0 mask 255.255.255.0
R1(config-router)#network 172.16.1.0 mask 255.255.255.0
R1(config-router)#network 172.16.2.0 mask 255.255.255.0
R1(config-router)#network 172.16.3.0 mask 255.255.255.0
R1(config-router)#network 172.16.4.0 mask 255.255.255.0
R1(config-router)#network 172.16.5.0 mask 255.255.255.0
R1(config-router)#network 172.16.6.0 mask 255.255.255.0
R1(config-router)#network 172.16.7.0 mask 255.255.255.0
R1(config-router)#neighbor 10.1.1.2 remote-as 65012
R1(config-router)#neighbor 10.1.1.6 remote-as 65013

Step 3: Repeat steps 1 and 2 on R2 and R3 where R2 will make use of networks 172.16.8.0-172.16.15.0 and R3 will make use of 172.16.16.0-172.16.23.0.

Step 4: On each router create an access-list and define the network boundary as 255.255.252.0 or /30. This will advertise only the first four networks out of the 255.255.248.0 or /29 address space.

R1(config)#router bgp 65011
R1(config-router)#neighbor 10.1.1.2 distribute-list 1 out
R1(config-router)#neighbor 10.1.1.6 distribute-list 1 out
!
R1(config)#access-list 1 permit 172.16.0.0 0.0.3.255
R2(config)#router bgp 65012
R2(config-router)#neighbor 10.1.1.1 distribute-list 1 out
R2(config-router)#neighbor 10.1.1.10 distribute-list 1 out
!
R2(config)#access-list 1 permit 172.16.8.0 0.0.3.255
R3(config)#router bgp 65013
R3(config-router)#neighbor 10.1.1.9 distribute-list 1 out
R3(config-router)#neighbor 10.1.1.5 distribute-list 1 out
!
R3(config)#access-list 1 permit 172.16.16.0 0.0.3.255

Verify the configuration

Now that the configuration is finished lets verify our neighbors and routes. Using the show ip bgp neighbors and show ip route commands you can verify the remote routes to which your router has formed and adjacency and verify the expected routes are being advertised. Use the ping command to verify connectivity. Per the below routing table on R1 we can view the first four network address spaces behind R2 and R3 have been advertised. If you check the routing table on R2 or R3 you will see the same for the first four network address spaces behind R1.

Categories: Cisco NetworkingCisco RoutingDynamic Routing

Related Posts

Cisco Networking

BGP Load Sharing

What is load sharing and why to use it? Load balancing with BGP is not possible in a multihomed environment with two ISPs. BGP selects only the single best path to a destination among the Read more…

Cisco Firewall

Configuring Dynamic Multipoint VPN and Zone Based Firewall

What is a Dynamic Multipoint VPN and why to use it? DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including IPsec (Internet Protocol Read more…

Cisco Networking

Configuring Layer 2 MPLS VPN

What is a Layer 2 MPLS VPN and why to use it? Layer 2 VPNs are a type of Virtual Private Network (VPN) that uses MPLS labels to transport data. The communication occurs between routers Read more…