To restrict the routing information that the
router learns or advertises, you can filter the routing updates sent to or
received from a particular neighbor using a distribute list. In the figure, RTD
in AS2 is originating network 192.68.10.0/24 and sending it to RTF. RTF will
pass the update to RTA via IBGP, which in turn will propagate it to AS1. By
doing so, AS1 could become a transit AS, advertising that network
192.68.10.0/24 is reachable through it.
To prevent this situation from happening, RTA's
administrator configures a filter that stops 192.68.10.0/24 from being
advertised to AS1. This is demonstrated in the configuration for RTA.
In this configuration, the distribute-list
command combined with access-list 1 prevents RTA from advertising prefix
192.68.10.0/24 to its neighbor in AS1. The access list is used to identify the
prefixes to be filtered, while the distribute-list applies the filtering to the
outgoing updates (note the out keyword).
Note that access-list 1 ends with "permit any"; when using access lists for
filtering, anything that does not match an entry will be denied. This is why it
is important to specify the default action explicitly; in this example,
192.68.10.0/24 will be denied, and everything else will be allowed.
Using access lists to filter supernets or ranges
of updates can be a bit trickier. Assume, for example, that RTF in the figure
has different subnets of 172.16.x.x, and you want to advertise an aggregate of
the form 172.16.0.0/16, but not the subnets. A standard access list would not
work because it permits more than is desired, since it filters based on the
network address only. For example, this access list would permit not only the
172.16.0.0/16 summary, but also all the components of that summary as well:

    access-list 1 permit 172.16.0.0 0.0.255.255
To restrict the update to the 172.16.0.0/16
summary, you can use an extended access list. Extended access lists used
for filtering packets have the form:

    access-list number {deny | permit} protocol source source-wildcard destination destination-wildcard

Extended access lists used for filtering BGP
updates through a distribute-list are slightly different; the second
address/wildcard pair is matched against the prefix's subnet mask rather than
a destination address:

    access-list number {permit | deny} network network-wildcard mask mask-wildcard

For example:

    access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0

(where a "0" wildcard bit is an exact-match bit, and
a "1" is a do-not-care bit).
The preceding extended access list indicates that
only the aggregate 172.16.0.0/16 is to be sent, because we have indicated that
the mask must match 255.255.0.0 exactly. An update of the form 172.16.0.0/17
would not be permitted by this list, since its mask (255.255.128.0) does not
match.
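The following is an added example, not part of the original page or of any Cisco software: a small Python model of the two filtering behaviours described above (a standard access list matching on network address only, and the extended access-list form used with a BGP distribute-list that also matches the subnet mask), including the implicit deny at the end of every list. The prefixes in SAMPLE_PREFIXES are constructed for the demonstration and are not taken from the figure; the wildcard semantics follow the page's description (0 = exact-match bit, 1 = do-not-care bit).

```python
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard-mask compare: where the wildcard bit is 0 the value must
    equal the pattern; where it is 1 the bit is ignored."""
    v, p, w = (int(IPv4Address(x)) for x in (value, pattern, wildcard))
    care = ~w & 0xFFFFFFFF
    return (v & care) == (p & care)


def standard_acl(entries, prefix: IPv4Network) -> bool:
    """Standard access list: entries are (action, network, wildcard) and are
    matched against the prefix's network address only. An unmatched prefix is
    denied (implicit deny at the end of the list)."""
    net = str(prefix.network_address)
    for action, network, wildcard in entries:
        if wildcard_match(net, network, wildcard):
            return action == "permit"
    return False


def extended_acl(entries, prefix: IPv4Network) -> bool:
    """Extended access list as used by a BGP distribute-list: entries are
    (action, network, network-wildcard, mask, mask-wildcard). Both the network
    address and the subnet mask of the prefix must match; implicit deny."""
    net = str(prefix.network_address)
    mask = str(prefix.netmask)
    for action, network, net_wc, want_mask, mask_wc in entries:
        if wildcard_match(net, network, net_wc) and wildcard_match(mask, want_mask, mask_wc):
            return action == "permit"
    return False


def filter_outbound(acl_fn, entries, prefixes):
    """Apply an access list as an outbound distribute-list: return only the
    prefixes the list permits, in their original order."""
    return [p for p in prefixes if acl_fn(entries, IPv4Network(p))]


# access-list 1 from the first part of the page: deny the AS2 prefix, permit
# everything else ("permit any" is 0.0.0.0 with an all-ones wildcard).
ACL_1 = [
    ("deny", "192.68.10.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# The standard list the page says is too broad for the 172.16.0.0/16 case.
STANDARD_172 = [("permit", "172.16.0.0", "0.0.255.255")]

# access-list 101 from the page: network 172.16.x.x AND mask exactly 255.255.0.0.
ACL_101 = [("permit", "172.16.0.0", "0.0.255.255", "255.255.0.0", "0.0.0.0")]

# Constructed sample of what RTA might hold in its BGP table (not from the figure).
SAMPLE_PREFIXES = [
    "192.68.10.0/24",
    "10.1.0.0/16",
    "172.16.0.0/16",
    "172.16.0.0/17",
    "172.16.1.0/24",
]


if __name__ == "__main__":
    print("ACL 1 (deny 192.68.10.0/24, permit any):",
          filter_outbound(standard_acl, ACL_1, SAMPLE_PREFIXES))
    print("ACL 1 without 'permit any' (implicit deny):",
          filter_outbound(standard_acl, ACL_1[:1], SAMPLE_PREFIXES))
    print("standard permit 172.16.0.0 0.0.255.255:",
          filter_outbound(standard_acl, STANDARD_172, SAMPLE_PREFIXES))
    print("extended ACL 101 (mask must equal 255.255.0.0):",
          filter_outbound(extended_acl, ACL_101, SAMPLE_PREFIXES))
```

Running the block shows the three points the text makes: dropping "permit any" from ACL 1 leaves nothing advertised at all, the standard 172.16 list leaks the /17 and /24 components along with the summary, and ACL 101 lets only 172.16.0.0/16 through.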
Lab Activity

In this lab, you will learn how to filter routing
information using a distribute list in BGP.