This will be the first of a few posts. In preparations for my second attempt at my CCIE RS Lab exam, I am going back to the basics on route filtering for BGP. The first form that I am going to look at is using a route-map. A route-map is similar to an ACL in the sense that sequence numbers are used, but that’s about where the similarities stop. When thinking of a route-map, I think ask myself the following questions:
- Do I want to permit or deny a route or routes?
- What route(s) does this include?
- Have I created an ACL that encompasses these routes?
- If not, do it.
- Am I simply permitting or denying routes are am I modifying them in some way?
With these questions, we can look at a basic route-map:
route-map LOCAL-PREF permit 10 match ip address 1 set local-preference 110 ! route-map LOCAL-PREF permit 20
What we can see here is that we are creating a route-map called LOCAL-PREF. The first sequence number is a permit statement. On this sequence, we are matching the ip addresses outlined in access-list 1. Then, to all of those ip addresses (or routes in the case of what we are doing here), the local preference is set to 110. Make note of the next line though: “route-map LOCAL-PREF permit 20”. This line is needed because of how a route-map works. Say you had other routes being shared through this route-map. If they were not included in ACL 1 and there was not an empty permit sequence at the end of the route-map, then those routes would be denied altogether. Similar to an implicit deny with an ACL.
In terms of the “set” command that is used, there are many criteria that can be set. These include the following:
Router(config-route-map)#set ? as-path Prepend string for a BGP AS-path attribute automatic-tag Automatically compute TAG value clns OSI summary address comm-list set BGP community list (for deletion) community BGP community attribute dampening Set BGP route flap dampening parameters default Set default information extcomm-list Set BGP/VPN extended community list (for deletion) extcommunity BGP extended community attribute global Set to global routing table interface Output interface ip IP specific information ipv6 IPv6 specific information level Where to import route local-preference BGP local preference path attribute metric Metric value for destination routing protocol metric-type Type of metric for destination routing protocol mpls-label Set MPLS label for prefix origin BGP origin code tag Tag value for destination routing protocol traffic-index BGP traffic classification number for accounting vrf Define VRF name weight BGP weight for routing table
Depending on what your configuration is requiring, you can use one of these options. The most common use is to help influence the routing paths traffic may take by setting local preference or the metric.
That example was to modify routes being shared, but you can also block routes altogether:
route-map FILTER deny 10 match ip address 1 ! route-map FILTER permit 20
In this case, route-map filter is matching ACL 1 in its first sequence, but notice this is a deny statement. Any routes matched in this sequence will be denied, and not shared. The empty permit sequence would then allow all remaining routes not outlines in ACL 1.
So how is the route-map used then? It’s actually very easy. in BGP you have a neighbor statement to setup your peering to a remote device. You simply add another neighbor statement, specifying the route-map you want to use and the direction. For direction, you can either choose “out” or “in”. This allows you to filter routes on an outbound basis that you are sharing to your peered routers as well as on an inbound basis to control what you receive from other devices.
For an example, say we were working with the route-map FILTER that I used above. I wanted to deny specific routes to my BGP neighbor 22.214.171.124. My BGP configuration may look a bit like this:
route-map LOCAL-PREF permit 10 router bgp 65000 bgp router-id 126.96.36.199 bgp log-neighbor-changes neighbor 188.8.131.52 remote-as 65000 neighbor 184.108.40.206 update-source Loopback0 neighbor 220.127.116.11 route-map FILTER out
This would set my route-map to filter the routes that I am sharing over to router 18.104.22.168. By changing the word “out” to “in” in the config above, I could easily make this work in the other direction if needed.