Filter BGP updates based on the AS_path attribute.
Scenario:
We want to deny any update whose AS_path starts with 200 and ends with 200. In other words, we want to deny any updates originating in AS 200.
Lab Tasks:
Cable the lab and address the interfaces as shown in the graphic. Use the default subnet mask for all addresses. All Ethernet interfaces should use the .1 address, for example 12.0.0.1.
Enable BGP routing on each router. Only advertise the networks attached to the Ethernet interfaces. The configurations should be as follows:
Verify that you can see networks 12.0.0.0, 11.0.0.0 and 170.10.0.0 in the routing table. Use the show ip route and show ip bgp commands to do this.
Verify connectivity with the ping command. What are the differences in the path to network 11.0.0.0 in the routing tables of Routers A and B?
Now we have decided to filter updates originating from AS 200 as described in the scenario on Page 1. We are going to do this from Router A. Log into Router A.
To deny these updates, we need to configure an AS_path access list. In this scenario we must deny updates from AS 200 but permit updates from everywhere else. The first command denies updates whose AS_path attribute begins and ends with 200. The command is:
Access list 1 denies any update whose AS_path starts with 200 (specified by the ^) and ends with 200 (specified by the $). Because Router C sends updates about 11.0.0.0 whose AS_path attributes start with 200 and end with 200, such updates match the access list and are denied. By requiring that the AS_path also end with 200, the access list still permits updates from another AS that may be connected behind AS 200. For example, if AS 500 were attached to AS 200, the AS_path attribute would be {200, 500}, which does not match ^200$ and so is permitted.
Since we want to permit all other updates, we need a second statement to do this. The command is:
In this access list statement, the period symbol matches any single character, and the asterisk symbol means zero or more repetitions of the preceding character. Together, .* matches any value of the AS_path attribute, which in effect permits any update that has not already been denied by the previous access list statement.
The last step is to apply the access list to a neighbor. We do not want these updates passed on to AS 100, so use the following neighbor command:
RouterA(config)#router bgp 300
RouterA(config)#neighbor 2.2.2.2 filter-list 1 out
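The following Python model of the outbound filter-list is an added example, not part of the lab handout or of IOS itself. It evaluates an ordered AS_path access list (first match wins, implicit deny at the end) against the AS_path rendered as a space-separated string, which is how the regexp is applied; the prefixes and the AS 500 path are constructed sample data, and the added _200$ entry shows the generalization that ^200$ only matches a path consisting solely of 200, so a prepended path such as 200 200 is not denied by it.

```python
import re

# Constructed to mirror access list 1 from the lab:
# ordered (action, IOS regexp) entries; first match wins; implicit deny.
AS_PATH_ACL_1 = [
    ("deny", r"^200$"),   # AS_path is exactly "200": originated in AS 200
    ("permit", r".*"),    # everything else
]

def ios_to_python_regex(expr: str) -> str:
    """IOS adds one token to ordinary regex: '_' matches start or end of
    the path, a space, or a brace/comma delimiter. Translate it for re."""
    return expr.replace("_", r"(?:^|$|[ {},])")

def as_path_to_string(as_path) -> str:
    """IOS matches against the path as space-separated ASNs, leftmost
    being the most recent hop and rightmost the origin; empty path is ''."""
    return " ".join(str(asn) for asn in as_path)

def as_path_filter(acl, as_path) -> str:
    """Return 'permit' or 'deny' for one AS_path under the access list."""
    text = as_path_to_string(as_path)
    for action, expr in acl:
        if re.search(ios_to_python_regex(expr), text):
            return action
    return "deny"  # implicit deny at the end of every IOS access list

def filter_updates(acl, updates):
    """Apply the ACL as 'filter-list ... out': return (sent, dropped) prefixes."""
    sent, dropped = [], []
    for prefix, as_path in updates:
        target = sent if as_path_filter(acl, as_path) == "permit" else dropped
        target.append(prefix)
    return sent, dropped

if __name__ == "__main__":
    updates = [                          # constructed sample updates
        ("11.0.0.0/8", [200]),           # Router C's network, originated in AS 200
        ("10.5.0.0/16", [200, 500]),     # hypothetical AS 500 behind AS 200
        ("12.0.0.0/8", []),              # locally originated on Router A
        ("10.9.0.0/16", [200, 200]),     # AS 200 origin with prepending
    ]
    print(filter_updates(AS_PATH_ACL_1, updates))
    # A stricter origin match that also catches the prepended path:
    strict = [("deny", r"_200$"), ("permit", r".*")]
    print(filter_updates(strict, updates))
```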
To verify that the expressions are working as intended, issue the command:
RouterA#show ip bgp regexp ^200$
What do you notice?
Log into Router B and check the routing table. Do you see a route for 11.0.0.0?
If you still see network 11.0.0.0, issue the clear ip bgp * command and wait a few seconds. Did the 11.0.0.0 network return?