[Contents] [Prev] [Next] [Index] [Report an Error]

Filtering Prefixes

To filter routes based on the prefix, you can do any of the following:

Define an access list with the access list command and apply the list to routes received from or passed to a neighbor with the neighbor distribute-list command.
Define a prefix list with the ip prefix-list command and apply the list to routes received from or passed to a neighbor with the neighbor prefix-list command.
Define a prefix tree with the ip prefix-tree command and apply the list to routes received from or passed to a neighbor with the neighbor prefix-tree command.

The router compares each route’s prefix against the conditions in the list or tree one by one. If the first match is for a permit condition, the route is accepted or passed. If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the address; that is, the last action of any list is an implicit deny condition for all routes. The implicit rule is displayed by show access-list and show configuration commands.

You cannot selectively place conditions in or remove conditions from an access list, prefix, list, or prefix tree. You can insert a new condition only at the end of a list or tree.

Consider the network structure in Figure 21.

Figure 21: Filtering with Access Lists

Image g013176.gif

The following commands configure router Boston to apply access list reject1 to routes inbound from router SanJose. Access list reject1 rejects routes matching 172.24.160.0/19.



host3(config)#router bgp 17 

host3(config-router)#neighbor 10.5.5.4 remote-as
873 

host3(config-router)#neighbor 10.5.5.4 distribute-list
reject1 in 

host3(config-router)#exit 

host3(config)#access-list reject1 permit 172.24.48.0
0.0.255 

host3(config)#access-list reject1 deny 172.24.160.0
0.0.255 

host3(config)#access-list reject1 permit 172.24.24.0
0.0.255

Consider the network shown in Figure 22. Router NY originates network 10.16.22.0/23 and advertises it to router LA. Suppose you do not want router LA to advertise that network to router Boston. You can apply an access list to updates from router LA to router Boston that prevents router LA from propagating updates for network 10.16.22.0/23.

Figure 22: Filtering Routes with an Access List

Image g013177.gif

The following commands configure router LA:



host2(config)#router bgp 400 

host2(config-router)#network 172.24.160.0
mask 255.255.224.0 

host2(config-router)#neighbor 10.72.4.2 remote-as
300 

host2(config-router)#neighbor 10.5.5.1 remote-as
100 

host2(config-router)#neighbor 10.5.5.1 distribute-list
1 out 

host2(config-router)#exit 

host2(config)#access-list 1 deny 10.16.22.0
0.254.255.255

access-list

Use to define an IP access list to permit or deny routes based on the prefix.
Each access list is a set of permit or deny conditions for routes based on matching a route’s prefix.
Use the neighbor distribute-list command to apply the access list to routes received from or forwarded to a neighbor.
Use the log keyword to log an Info event in the ipAccessList log whenever an access-list rule is matched.
Use the no version to delete an IP access list or the specified entry in the access list.
See access-list.

clear access-list

Use to clear IP access list counters.
Each access list has a counter for its entries.
Examplehost1#clear access-list reject1
There is no no version.
See clear access-list.

neighbor distribute-list

Use to filter routes to selected prefixes as specified in an access list.
Using distribute lists is one of three ways to filter BGP advertisements. The other ways are as follows:
- Use AS-path filters with the ip as-path access-list and the neighbor filter-list commands.
- If you specify a BGP peer group by using the peerGroupName argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer. However, you cannot configure a member of a peer group to override the inherited peer group characteristic for outbound policy.
- Use filters with route maps with the route-map and the neighbor route-map commands.
New policy values are applied to all routes that are sent (outbound policy) or received (inbound policy) after you issue the command.
To apply the new policy to routes that are already present in the BGP routing table, you must use the clear ip bgp command to perform a soft clear or hard clear of the current BGP session.

Behavior is different for outbound policies configured for peer groups for which you have enabled Adj-RIBs-Out. If you change the outbound policy for such a peer group and want to fill the Adj-RIBs-Out table for that peer group with the results of the new policy, you must use the clear ip bgp peer-group command to perform a hard clear or outbound soft clear of the peer group. You cannot merely perform a hard clear or outbound soft clear for individual peer group members because that causes BGP to resend only the contents of the Adj-RIBs-Out table.
Use the no version to disassociate the access list from a neighbor.
See neighbor distribute-list.

neighbor prefix-list

Use to assign an inbound or outbound prefix list.
If you specify a BGP peer group by using the peerGroupName argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer. However, you cannot configure a member of a peer group to override the inherited peer group characteristic for outbound policy.
Examplehost1(config-router)#neighbor 192.168.1.158 prefix-list seoul19 in
New policy values are applied to all routes that are sent (outbound policy) or received (inbound policy) after you issue the command.
To apply the new policy to routes that are already present in the BGP routing table, you must use the clear ip bgp command to perform a soft clear or hard clear of the current BGP session.

Behavior is different for outbound policies configured for peer groups for which you have enabled Adj-RIBs-Out. If you change the outbound policy for such a peer group and want to fill the Adj-RIBs-Out table for that peer group with the results of the new policy, you must use the clear ip bgp peer-group command to perform a hard clear or outbound soft clear of the peer group. You cannot merely perform a hard clear or outbound soft clear for individual peer group members because that causes BGP to resend only the contents of the Adj-RIBs-Out table.
Use the no version to remove the prefix list.
See neighbor prefix-list.

neighbor prefix-tree

Use to assign an inbound or outbound prefix tree.
If you specify a BGP peer group by using the peerGroupName argument, all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer. However, you cannot configure a member of a peer group to override the inherited peer group characteristic for outbound policy.
Examplehost1(config-router)#neighbor 192.168.1.158 prefix-tree newyork out
New policy values are applied to all routes that are sent (outbound policy) or received (inbound policy) after you issue the command.
To apply the new policy to routes that are already present in the BGP routing table, you must use the clear ip bgp command to perform a soft clear or hard clear of the current BGP session.

Behavior is different for outbound policies configured for peer groups for which you have enabled Adj-RIBs-Out. If you change the outbound policy for such a peer group and want to fill the Adj-RIBs-Out table for that peer group with the results of the new policy, you must use the clear ip bgp peer-group command to perform a hard clear or outbound soft clear of the peer group. You cannot merely perform a hard clear or outbound soft clear for individual peer group members because that causes BGP to resend only the contents of the Adj-RIBs-Out table.
IPv6 prefix trees are not supported, Therefore you can specify an IPv6 address with this command only within the IPv4 address family and when you want to advertise IPv4 routes to IPv6 peers.
Use the no version to remove the prefix tree.
See neighbor prefix-tree.

[Contents] [Prev] [Next] [Index] [Report an Error]