© 2005 Cisco Systems, Inc. All rights reserved. BGP v
Route Selection Using Policy Controls
Filtering with Prefix-Lists
Outline
Overview
Requirements for Prefix-Based Filters
Prefix-Lists vs. IP Access-Lists
Configuring Prefix-Lists
BGP Filters Implementation
Implementing Prefix-Lists in the BGP Process
Modifying Prefix-Lists
Monitoring Prefix-Lists
Summary
Requirements for Prefix-Based Filters
Service providers have to filter customer updates to ensure that customers announce only their assigned address space. Without such a filter, a misconfigured or malicious customer can announce prefixes that belong to someone else, or re-advertise routes learned from another provider, and the service provider would propagate those announcements to the rest of the Internet.
Prefix-Lists vs. IP Access-Lists
Traditional prefix filters were implemented with IP access-lists configured with the distribute-list command. IP access-lists used as route filters have several drawbacks:
–The subnet mask cannot be easily matched (a standard access-list sees only the network address).
–Access-lists are evaluated sequentially for every IP prefix in the routing update.
–Access-lists are hard to edit.
–Extended access-lists can be cumbersome to configure.

Prefix-Lists vs. IP Access-Lists (Cont.)
Prefix-lists are a newer route-filtering mechanism:
Significant performance improvement on long filters
–Inside Cisco IOS software, the prefix-list is a tree structure and is not scanned sequentially.
Support for incremental updates
–Individual entries in prefix-lists can be inserted or deleted.
More user-friendly CLI
–The CLI for using access-lists to filter BGP updates is difficult to understand and use, because it uses the packet-filtering format.
Greater flexibility: entries can match on prefix length (subnet mask) as well as on the network address.

Prefix-Lists vs. IP Access-Lists (Cont.)
Key access-list features are preserved:
–Filtering using permit or deny
–Order dependency (first match wins)
–Implicit deny: a prefix that matches no entry is denied
The matching mechanism has changed:
–An entry can match every route inside a block of address space whose prefix length is longer or shorter than a set number (the ge and le options).
Configuring Prefix-Lists
router(config)# ip prefix-list list-name [seq seq] {permit|deny} network/len [ge value] [le value]
Prefix-lists have names and sequence numbers (like route-maps); if seq is omitted, IOS assigns the next sequence number in steps of 5.
An entry with no le or ge parameter matches exactly the specified prefix: same network address and same prefix length.
An entry with an le or ge parameter matches any route within the address space of network/len whose prefix length is greater than or equal to the ge value and less than or equal to the le value. If only ge is given, le defaults to 32; if only le is given, ge defaults to len (so the network/len route itself is matched). IOS accepts an entry only when len < ge <= le <= 32.

Configuring Prefix-Lists (Cont.)
Prefix-list matching rules
Prefix-list entries with no ge or le option match only the specified route.
–Similar to IP access-lists with no wildcard bits
–Matching also considers the subnet mask (prefix length)
Which of the following routes will be matched by: ip prefix-list MyList permit /16?
Candidates: /  /  /24
Only the route whose network address and prefix length both equal the /16 in the entry matches; a candidate with a different prefix length, such as the /24, is not matched (marked X on the slide).

Configuring Prefix-Lists (Cont.)
A prefix-list entry with a ge or le option matches any prefix within the specified address space whose subnet mask (prefix length) falls within the specified limits.
Which of the following routes will be matched by:
ip prefix-list MyList permit /16 le 20?
Candidates: /  /  /24
Prefixes inside the /16 with a length from 16 to 20 match; the /24 is too long and is not matched.
ip prefix-list MyList permit /16 ge 18?
Candidates: /  /  /24
Prefixes inside the /16 with a length from 18 to 32 match, so the /24 is matched; the /16 itself is too short and is not matched.

Configuring Prefix-Lists (Cont.)
What will be matched by:
a) ip prefix-list A permit /0 ge 32: all host routes (/32 prefixes)
b) ip prefix-list B permit /2 ge 17: any subnet in class B address space (prefixes of length 17 to 32; the classful /16 networks themselves are not matched)
c) ip prefix-list C permit /0 le 32: all routes, including the default route
d) ip prefix-list D permit /0: just the default route
e) ip prefix-list E permit /1 le 24: any prefix in class A address space covering at least 256 addresses (length 1 to 24)
BGP Filters Implementation
Implementing Prefix-Lists in the BGP Process
router(config-router)# neighbor {ip-address|peer-group-name} prefix-list prefix-list-name {in|out}
Filters inbound or outbound BGP routing updates for the configured neighbor session. Only one prefix-list can be applied per neighbor per direction; entering the command again replaces the previously applied list.
router(config-router)# distribute-list prefix-list prefix-list-name out routing-process
Filters routes redistributed from the specified routing process into BGP. (On IOS the keyword is spelled prefix: distribute-list prefix prefix-list-name out routing-process.)

Prefix-List Example: Filtering Customer Prefixes
Requirement: The customer will announce prefixes only from its assigned address space ( /16), with subnet masks no longer than /24.
This needs a single entry: permit the assigned /16 with le 24, applied inbound (in) on the customer session. Anything outside the /16, or longer than /24, falls to the implicit deny.

Prefix-List Example: Filtering Peer Prefixes
Requirement: The ISP will not accept routes with subnet masks longer than /24; subnet masks from class B address space will be no longer than /20.
Because the first match wins, the more specific rule must come first: a deny for class B space with ge 21, followed by a permit for the whole address space with le 24. Reversing the order would let the general permit accept the class B /21 to /24 prefixes before the deny is reached.
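The matching rules from the Configuring Prefix-Lists slides, the seq-based editing from the Modifying Prefix-Lists slide, and the two filter requirements above, as an added example that is not Cisco's code: a small Python model of IOS prefix-list semantics (exact match without ge/le, length-range match inside network/len with ge/le, evaluation in sequence-number order, first match wins, implicit deny) that parses ip prefix-list lines and evaluates candidate routes against them. Everything in the configuration it loads is constructed for the example: the customer's assigned /16 is assumed to be 172.16.0.0/16 because the address is not preserved above, class B space is written as 128.0.0.0/2, the list names Customer and Peer are my own, and the prefixes used to exercise the lists are made up.

```python
"""Offline model of Cisco IOS 'ip prefix-list' matching (IPv4 only).

Added example, not Cisco IOS code: no ge/le -> exact prefix only; with ge/le ->
any prefix inside network/len whose length lies in [ge, le] (ge defaults to len,
le to 32); entries are tried in sequence order, first match wins, no match = deny.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge X] [le Y]
_LINE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<prefix>\S+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def __post_init__(self) -> None:
        # IOS rejects an entry unless len < ge <= le <= 32 (for the options given).
        n, ge, le = self.network.prefixlen, self.ge, self.le
        ok = (ge is None or n < ge <= 32) and (le is None or n < le <= 32) \
            and (ge is None or le is None or ge <= le)
        if not ok:
            raise ValueError(f"seq {self.seq}: need len < ge <= le <= 32")

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.ge is None and self.le is None:
            return route == self.network          # exact network and length only
        if not route.subnet_of(self.network):      # must lie inside network/len
            return False
        lo = self.ge if self.ge is not None else self.network.prefixlen
        hi = self.le if self.le is not None else 32
        return lo <= route.prefixlen <= hi


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, Entry] = {}

    def add(self, action, prefix, ge=None, le=None, seq=None) -> int:
        if seq is None:                           # IOS auto-numbers 5, 10, 15, ...
            seq = max(self.entries, default=0) + 5
        self.entries[seq] = Entry(seq, action, ipaddress.IPv4Network(prefix), ge, le)
        return seq

    def delete(self, seq: int) -> None:           # no ip prefix-list NAME seq N
        del self.entries[seq]

    def evaluate(self, prefix: str) -> Tuple[Optional[int], str]:
        """Return (matching seq, action); (None, 'deny') is the implicit deny."""
        route = ipaddress.IPv4Network(prefix)
        for seq in sorted(self.entries):          # sequence order, first match wins
            if self.entries[seq].matches(route):
                return seq, self.entries[seq].action
        return None, "deny"


def load(config: str) -> Dict[str, PrefixList]:
    """Parse IOS-style 'ip prefix-list' lines into PrefixList objects."""
    lists: Dict[str, PrefixList] = {}
    for line in (ln.strip() for ln in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unparsed line: {line}")
        opt = {k: int(m[k]) if m[k] else None for k in ("ge", "le", "seq")}
        lists.setdefault(m["name"], PrefixList(m["name"])).add(m["action"], m["prefix"], **opt)
    return lists


# Constructed configuration (assumed addresses). Customer: only the assigned /16,
# nothing longer than /24. Peer: nothing longer than /24, and in class B space
# (128.0.0.0/2) nothing longer than /20; the deny must come before the permit.
CONFIG = """
ip prefix-list Customer permit 172.16.0.0/16 le 24
!
ip prefix-list Peer seq 5 deny 128.0.0.0/2 ge 21
ip prefix-list Peer seq 10 permit 0.0.0.0/0 le 24
"""
LISTS = load(CONFIG)


def customer_result(prefix: str) -> str:
    return LISTS["Customer"].evaluate(prefix)[1]


def peer_result(prefix: str) -> str:
    return LISTS["Peer"].evaluate(prefix)[1]


if __name__ == "__main__":
    print({p: peer_result(p) for p in ("150.1.0.0/20", "150.1.0.0/22", "0.0.0.0/0")})
```

Two things the model makes visible that the slide wording does not: the peer list's final entry, permit 0.0.0.0/0 le 24, also accepts the default route itself (evaluate returns permit for 0.0.0.0/0), so an explicit deny 0.0.0.0/0 with a lower sequence number is needed if a peer must not be able to send you a default; and because entries are keyed by sequence number, inserting that deny as seq 1 or removing it again with delete changes the outcome without touching the other entries, which is the incremental editing the prefix-list CLI is built around.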
Modifying Prefix-Lists
router# show ip prefix-list list-name [detail|summary]
Displays the prefix-list and its sequence numbers.
router(config)# no ip prefix-list list-name seq seq [condition]
Erases the entry with the specified sequence number from the prefix-list.
router(config)# ip prefix-list list-name seq seq condition
Inserts the entry into the prefix-list at the specified point. Entries are always evaluated in ascending sequence order, so leaving gaps (the default step is 5) makes it possible to insert an entry before an existing one without re-entering the whole list.

Monitoring Prefix-Lists
router# show ip prefix-list [detail | summary] prefix-list-name [network/length] [seq sequence-number] [longer] [first-match]
Displays information about a prefix-list or its entries; with detail, the hit count of each entry is shown.
router# show ip bgp prefix-list prefix-list-name
Displays all routes in the BGP table matching the prefix-list, which makes it easy to monitor a group of prefixes of interest in the BGP table and to check what a filter would select before applying it to a neighbor.
Summary
Customers with multihomed networks are responsible for announcing their own networks using BGP; service providers with multihomed customers must take precautions not to accept, use, or forward any erroneous routing information received from those customers.
Prefix-lists have a number of advantages over access-lists, including faster permit or deny determinations, matching on prefix length, and easier CLI editing.
Prefix-lists are configured with the ip prefix-list global configuration command.
Filter-lists and prefix-lists can be applied to the incoming or outgoing updates of a neighbor in any combination.

Summary (Cont.)
Prefix-lists can filter BGP updates received from or sent to neighbors, and routes redistributed into the BGP process from other routing protocols.
Use the neighbor prefix-list router configuration command to apply a prefix-list to the updates exchanged with a BGP neighbor.
Configured prefix-lists are modified with the ip prefix-list seq and no ip prefix-list seq global configuration commands.
To display or monitor statistics about a prefix-list or its entries, use the show ip prefix-list EXEC command.