9.2
Route Filtering and Manipulation Process (Policies)
9.2.3
How to ID and filter routes based on NLRI

To restrict the routing information that the router learns or advertises, you can filter the routing updates sent to or received from a particular neighbor using a distribute list. In the figure, RTD in AS2 originates network 192.68.10.0/24 and sends it to RTF. RTF passes the update to RTA via IBGP, which in turn propagates it to AS1. As a result, AS1 could become a transit AS, advertising that network 192.68.10.0/24 is reachable through it.

To prevent this situation from happening, RTA's administrator configures a filter to prevent 192.68.10.0/24 from being advertised to AS1. This is demonstrated in the configuration for RTA.


In this configuration, the distribute-list command combined with access-list 1 prevents RTA from advertising prefix 192.68.10.0/24 to its neighbor in AS1. The access-list is used to identify the prefixes to be filtered, while the distribute-list applies the filtering to the outgoing updates (note the out keyword).

Note that access-list 1 ends with permit any. When access lists are used for filtering, anything that does not match an entry is dropped by the implicit deny at the end of the list, so it is important to state the default action explicitly; in this example, 192.68.10.0/24 is denied and everything else is allowed.

Using access lists to filter supernets or ranges of updates can be a bit trickier. Assume, for example, that RTF in the figure has several subnets of 172.16.x.x, and you want to advertise an aggregate of the form 172.16.0.0/16 but not the subnets. A standard access list would not work, because it matches on the network address only and therefore permits more than is desired. For example, this access list would permit not only the 172.16.0.0/16 summary but also every component of that summary:

access-list 1 permit 172.16.0.0 0.0.255.255

To restrict the update to the 172.16.0.0/16 summary, you can use an extended access list. Extended access lists used for filtering packets have the form:

access-list <number> {deny | permit} <protocol> <source> <source-wildcard> <destination> <destination-wildcard>

Extended access lists used for filtering BGP updates through a distribute-list use the same syntax, but the destination fields are interpreted as the prefix mask and its wildcard:

access-list <number> {deny | permit} ip <network> <network-wildcard> <mask> <mask-wildcard>

For example:

access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0

(where a "0" wildcard bit means the corresponding bit must match exactly, and a "1" wildcard bit means do not care).

The preceding extended access list permits only the aggregate 172.16.0.0/16, because the mask wildcard 0.0.0.0 requires the prefix mask to match 255.255.0.0 exactly. An update of the form 172.16.0.0/17, whose mask is 255.255.128.0, would not be permitted by this list.
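The following is an added example, not part of the original course text or any Cisco code: a small model of how a distribute-list evaluates a standard versus an extended access list against a prefix and its mask, showing why the standard list leaks the subnets while access-list 101 passes only the /16 (and why an unmatched prefix falls to the implicit deny). The entries for RTA's access-list 1 are constructed from the description above, since the RTA configuration itself is not on the page.

```python
import ipaddress
from dataclasses import dataclass

IPV4_MASK = 0xFFFFFFFF


def _wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """IOS wildcard semantics: a 0 bit must match exactly, a 1 bit is do-not-care."""
    care = ~wildcard & IPV4_MASK
    return (value & care) == (pattern & care)


@dataclass
class Entry:
    """One access-list line. A standard ACL has no mask fields, so it matches any mask."""
    permit: bool
    network: str
    network_wildcard: str
    mask: str = "0.0.0.0"
    mask_wildcard: str = "255.255.255.255"


def _to_int(dotted: str) -> int:
    return int(ipaddress.ip_address(dotted))


def filter_prefix(acl, prefix: str) -> bool:
    """Return True if the distribute-list passes this prefix; unmatched prefixes hit the implicit deny."""
    net = ipaddress.ip_network(prefix, strict=False)
    addr, mask = int(net.network_address), int(net.netmask)
    for e in acl:
        addr_ok = _wildcard_match(addr, _to_int(e.network), _to_int(e.network_wildcard))
        mask_ok = _wildcard_match(mask, _to_int(e.mask), _to_int(e.mask_wildcard))
        if addr_ok and mask_ok:
            return e.permit
    return False  # implicit deny at the end of every access list


# Constructed from the text: RTA's access-list 1 denies 192.68.10.0/24 and then permits any.
ACL_1 = [Entry(False, "192.68.10.0", "0.0.0.255"),
         Entry(True, "0.0.0.0", "255.255.255.255")]
# access-list 1 permit 172.16.0.0 0.0.255.255 (standard): address-only match
ACL_STD = [Entry(True, "172.16.0.0", "0.0.255.255")]
# access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0 (extended)
ACL_101 = [Entry(True, "172.16.0.0", "0.0.255.255", "255.255.0.0", "0.0.0.0")]
```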

Lab Activity
  In this lab, you will learn how to filter routing information using a distribute list in BGP.