BGP Route Filtering: Prefix Lists

1
499

Summary

Next on the chopping block when it comes to filtering routes shared between BGP neighbors is a prefix list. There isn’t anything confusing to this one, the name is pretty accurate. You are simply creating an exact list of prefixes to be allowed. This is similar to a route-map for filtering shared routes but I think it is more accurate when pin-pointing the routes you want to filter.

For example, in a route-map, you may allow something like 192.168.0.0/16 with the ACL you created. You are not just allowing that specific route, you are allowing everything that falls under it, like if you had 192.168.0.0/16 subnetted into smaller subnets. All would be allowed.With a prefix list, the route being shared has to match exactly:

 

ip prefix-list ALLOW seq 5 permit 192.168.1.0/24
ip prefix-list ALLOW seq 10 permit 192.168.2.0/24
ip prefix-list ALLOW seq 15 permit 192.168.3.0/24
ip prefix-list ALLOW seq 20 permit 192.168.5.0/24

With that example, those routes must match exactly to be allowed. Say, for example, 192.168.5.0/24 was subnetted into two smaller subnets, because the routes are not exactly matching, they would not be shared.

That is very quick and easy, but there is always more! You can created broader scopes with a prefix list, like an ACL.

There are two ways to do this. Take the normal prefix-list and add “ge” or “le” for greater than or equal to and less than or equal to. Look at the first example:

ip prefix-list RANGE seq 5 permit 192.168.0.0/16 ge 24

What this is actually say is that 192.168.0.0/16 is being included. Also included are any routes that match 192.168.0.0 the first 16 bits and then have a subnet mask greater than or equal to 24. With this, you can create a single statement with a prefix list now to encompass more than just a single route.

The other way to do it is like this:

ip prefix-list RANGE seq 5 permit 192.168.0.0/16 le 32

This is saying we want to match the first 16 network bits and then the routes must have a mast less than or equal to 32. This could potentially include a large number of routes.

And lastly, if you really want to get crazy and have some fun, you can use both options, “ge” and “le”. You can have something like this:

ip prefix-list RANGE seq 5 permit 192.168.0.0/16 ge 24 le 32

Overall this is just a way to add more control to the routes that you want to include \ deny.

BGP Usage

Usage is very similar to a route-map in BGP. You add another neighbor statement and then determine if you want your prefix-list to apply inbound or outbound. This is useful depending on what direction you are looking to control routes in.

A configuration may look a bit like this:

!
ip prefix-list RANGE seq 5 permit 192.168.0.0/16 le 32
!
router bgp 65000
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 65000
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 prefix-list RANGE out

That would apply our prefix list to the BGP neighbor peering and only share those routes that are specified accordingly.

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.