BGP Lab 9 BGP Route filtering (CCNP Level)


Download Lab: GNS3

Image requirements:
 Cisco IOSv        (vios-adventerprisek9-m.vmdk.SPA.156-2.T)


Introduction:
There are many ways to filter routes in BGP: prefix-lists, distribute-lists with an ACL, route-maps, and AS-path filtering (AS-path filtering is the topic of a future lab). Autonomous system 250 is a customer of its upstream ISPs, so it is not a transit AS; policies have to be in place to control which prefixes can enter or leave this AS. In this lab, you will implement BGP outbound route filtering on router ER1 using a prefix-list so that only AS250 prefixes are advertised. Router ER2 has to follow the same policy as ER1, but in its case you will implement it with a distribute-list that references an ACL defining the routes. It is not enough to simply trust your customer's route filtering, because mistakes happen and the consequences for the ISPs can be dire. For example, if the link between ISP1 and ER1 is a slow 100 Mbps link and other customers start routing their traffic through AS250 to reach AS102, that slow link will cause SLA violations for the ISP. That is why it is imperative to control what can be exchanged between autonomous systems. AS101 will apply inbound and outbound route filtering using route-maps to control what can be exchanged with AS250, and the same goes for AS102.


Lab tasks:

1. Before you start configuring route filtering, go to the "Clearing BGP neighbors" section of this lab and learn about the different commands to clear your BGP neighbors.

2. Verify which routes router ER1 advertises to its peers in AS101 and AS102 (show ip bgp neighbor 50.0.0.100 advertised-routes). You are probably going to see that all of the networks from multiple ISPs are being propagated.

3. On router ER1, configure a prefix-list permitting only the 20.0.0.0/20 subnet, then apply it to both neighbors, ISP1 and ISP2, in the outbound direction as shown in the configuration example.

4. On router ER2, configure an extended access-list permitting only the 20.0.0.0/20 subnet, then apply it to both neighbors, ISP1 and ISP2, in the outbound direction using a distribute-list.

5. Perform an outbound soft BGP neighbor reset on both routers ER1 and ER2, then verify that the policies you applied are working as intended. You can also verify that both ISP1 and ISP2 received only the AS250 prefix from routers ER1 and ER2.

6. Implement inbound route filtering on router ISP1 permitting only the AS250 prefix 20.0.0.0/20. Configure a prefix-list and a route-map, match the prefix-list inside the route-map, then apply the route-map to neighbors ER1 and ER2 in the inbound direction. Do a soft inbound BGP reset and verify that the policy has been implemented properly.

7. Configure router ISP2 the same way as router ISP1 for inbound route filtering.

8. The new policy at AS101 states that prefixes of AS104 will not be advertised to its customers. Configure ISP1's outbound filter so that routers in AS250 receive all routes except 80.0.0.0/20. Use a route-map and a prefix-list.
Verify that AS250 does not receive the AS104 prefix via AS101. For now, AS102 will not apply any outbound filtering towards AS250.

9. Save configuration on all affected routers.

10. Verify connectivity between R1's Loopback1 interface (use the public IP address as the source) and ISP4's IP address 80.0.1.1.


Configuration example:

Filter outbound routes with prefix-list:
!
R1(config)# ip prefix-list PERMIT_LOCAL_ROUTES permit 192.168.0.0/16 ge 24
!
R1(config)# router bgp 11
R1(config-router)# neighbor 10.10.10.10 prefix-list PERMIT_LOCAL_ROUTES out
!
R1# clear ip bgp 10.10.10.10 soft out
R1# show ip bgp neighbor 10.10.10.10 advertised-routes

Filter outbound routes with distribute-list:
!
! In a BGP distribute-list an extended ACL matches the network address in the
! source field and the subnet mask in the destination field (here: exactly 192.168.0.0/16)
R2(config)# access-list 120 permit ip host 192.168.0.0 host 255.255.0.0
!
R2(config)# router bgp 11
R2(config-router)# neighbor 10.10.10.10 distribute-list 120 out

Filter outbound routes with route-map:
!
ISP10(config)# ip prefix-list SOME_ROUTES permit 172.20.0.0/16 ge 24 le 25
!
ISP10(config)# route-map FILTER_OUT permit 10
ISP10(config-route-map)# match ip address prefix-list SOME_ROUTES
ISP10(config-route-map)# exit
!
ISP10(config)# router bgp 25
ISP10(config-router)# neighbor 11.11.11.11 route-map FILTER_OUT out

Filter inbound routes with route-map:
!
ISP10(config)# ip prefix-list SOME_ROUTES permit 172.30.0.0/16 ge 24 le 25
!
ISP10(config)# route-map FILTER_IN permit 10
ISP10(config-route-map)# match ip address prefix-list SOME_ROUTES
ISP10(config-route-map)# exit
!
ISP10(config)# router bgp 25
ISP10(config-router)# neighbor 11.11.11.11 route-map FILTER_IN in

Verifying BGP filtering:
!
ISP1# show ip bgp neighbor 11.11.11.11 advertised-routes
R1# show ip bgp neighbor 10.10.10.10 routes
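The matching rules behind the lab tasks and the configuration examples above (prefix-list ge/le semantics and the extended-ACL form of a distribute-list), worked through as an added Python example that is not part of the lab or of Cisco IOS. The ER2 ACL entry is my assumption of what task 4 asks for, following the page's host/host pattern, and the candidate prefixes are constructed.

```python
# Added example: predicts offline what an IOS outbound filter would still
# advertise, using prefix-list and extended-ACL distribute-list semantics.
import ipaddress

def prefix_list_permits(entries, prefix):
    """Evaluate an IOS prefix-list. entries: (action, network, ge, le), with
    ge/le None when absent. First match wins; the list ends in an implicit deny."""
    p = ipaddress.ip_network(prefix, strict=False)
    for action, net, ge, le in entries:
        n = ipaddress.ip_network(net, strict=False)
        low = n.prefixlen if ge is None else ge                  # no ge: exact length
        high = (p.max_prefixlen if ge is not None else n.prefixlen) if le is None else le
        if p.subnet_of(n) and low <= p.prefixlen <= high:
            return action == "permit"
    return False

def acl_permits(entries, prefix):
    """Extended ACL used as a BGP distribute-list: the 'source' field matches the
    network address, the 'destination' field matches the subnet mask.
    entries: (action, net, net_wildcard, mask, mask_wildcard); 'host X' = (X, 0.0.0.0)."""
    p = ipaddress.ip_network(prefix, strict=False)
    addr, mask = int(p.network_address), int(p.netmask)
    for action, net, net_wc, msk, msk_wc in entries:
        ni, nw, mi, mw = (int(ipaddress.ip_address(x)) for x in (net, net_wc, msk, msk_wc))
        # a wildcard bit set to 1 means "don't care" for that bit
        if (addr | nw) == (ni | nw) and (mask | mw) == (mi | mw):
            return action == "permit"
    return False

# Lab policy on ER1: ip prefix-list ... permit 20.0.0.0/20 (no ge/le: exact match)
ER1_PREFIX_LIST = [("permit", "20.0.0.0/20", None, None)]
# Assumed ER2 policy: access-list 120 permit ip host 20.0.0.0 host 255.255.240.0
ER2_ACL = [("permit", "20.0.0.0", "0.0.0.0", "255.255.240.0", "0.0.0.0")]
# The page's ISP10 example: permit 172.20.0.0/16 ge 24 le 25
ISP10_PREFIX_LIST = [("permit", "172.20.0.0/16", 24, 25)]

# Constructed sample of what a router might hold in its BGP table
SAMPLE_PREFIXES = ["20.0.0.0/20", "20.0.0.0/24", "80.0.0.0/20",
                   "172.20.1.0/24", "172.20.1.0/26", "172.20.0.0/16"]

def advertised(policy, entries, prefixes=SAMPLE_PREFIXES):
    """Return the subset of prefixes an outbound filter would still advertise."""
    return [p for p in prefixes if policy(entries, p)]

if __name__ == "__main__":
    print("ER1 prefix-list out :", advertised(prefix_list_permits, ER1_PREFIX_LIST))
    print("ER2 distribute-list :", advertised(acl_permits, ER2_ACL))
    print("ISP10 ge 24 le 25   :", advertised(prefix_list_permits, ISP10_PREFIX_LIST))
```

Note that 172.20.0.0/16 itself is rejected by the ge 24 le 25 entry, which is why a filter that is meant to pass an aggregate must list it without ge/le or with a range that includes its length.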


Clearing BGP Neighbors:
!
Command                                Neighbors   Direction   Hard/Soft
R1# clear ip bgp *                     all         both        hard
R1# clear ip bgp 10.1.1.1              one         both        hard
R1# clear ip bgp 10.1.1.1 out          one         out         soft
R1# clear ip bgp 10.1.1.1 soft out     one         out         soft
R1# clear ip bgp 10.1.1.1 in           one         in          soft
R1# clear ip bgp 10.1.1.1 soft in      one         in          soft
R1# clear ip bgp * soft                all         both        soft
R1# clear ip bgp 10.1.1.1 soft         one         both        soft


Verify routes before the inbound filter is applied:
You can see which prefixes your router received from a neighbor before your inbound filter was applied with the command:
!
R1# show ip bgp neighbor 50.0.0.100 received-routes
!
However, the router will tell you that soft-reconfiguration inbound must be enabled before it can display these routes. To fix that, configure:
!
R1(config)# router bgp 11
R1(config-router)# neighbor 50.0.0.100 soft-reconfiguration inbound


Topology:

