{"id":811,"date":"2021-08-20T03:10:59","date_gmt":"2021-08-20T03:10:59","guid":{"rendered":"http:\/\/feralpacket.org\/?p=811"},"modified":"2021-08-20T03:10:59","modified_gmt":"2021-08-20T03:10:59","slug":"bgp-filtering-notes","status":"publish","type":"post","link":"https:\/\/feralpacket.org\/?p=811","title":{"rendered":"BGP Filtering Notes"},"content":{"rendered":"

BGP Filtering<\/b><\/p>\n

IP address based (numerical):<\/p>\n

 – neighbor <ip add> prefix-list <name> in | out<\/span><\/p>\n

 – neighbor <ip add> distribute-list <acl> in | out<\/span><\/p>\n

 – neighbor <ip add> route-map <name> in | out<\/span><\/p>\n

AS Path based (string):<\/p>\n

 – neighbor <ip add> filter-list <as-path acl number> in | out<\/span><\/p>\n

     -> e.g. – 100 200 300 i<\/p>\n

Regular Expressions are required to match and filter AS-PATH<\/p>\n

ACL filtering in BGP with distribute-list<\/p>\n

 – Use extended ACLs<\/p>\n

<\/p>\n

<\/p>\n

Source doesn’t need to be specified in the ACL because the ACL is referenced in the neighbor command.<\/p>\n

access-list <number> permit | deny <protocol> <network> <wildcard> <subnet> <wildcard><\/span><\/p>\n

Filter-> Any network starting with 10.x.x.x and subnet mask of 255.255.255.0.<\/p>\n

access-list 100 deny ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.0<\/span><\/p>\n

access-list 100 permit ip any any<\/span><\/p>\n

<\/p>\n

access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.0.0<\/span><\/p>\n

access-list 100 permit ip any any<\/span><\/p>\n

<\/p>\n

Prefix-list and distribute-list cannot be applied to the same neighbor in the same direstion.<\/p>\n

      -> A route-map with multiple statements can get around this.<\/p>\n

neighbor <ip add> filter-list <as-path acl> in | out<\/span><\/p>\n

 – as-path ACL can patch the as–path by using regular expressions<\/p>\n

ip as-path access-list <number> permit | deny REXEXP<\/span><\/p>\n

REGEXP works on character strings<\/p>\n

 – Every string has a start of the string and an end of the string<\/p>\n

     -> ^ – start<\/p>\n

     -> $ – end<\/p>\n

^100 200$ – 9 character string (including the space between 100 and 200)<\/p>\n

ip as-path access-list 1 deny 100<\/span><\/p>\n

 – Will match<\/p>\n

     -> 100<\/p>\n

     -> 1100<\/p>\n

     -> 1008<\/p>\n

REGEXP Operators \/ Delimiters<\/p>\n

     ? – 0 or 1 occurrence of the character<\/p>\n

     . – any character 0 – 9, but not a space<\/p>\n

     _ – start of string, end of string, or a space<\/p>\n

     ^ – start of string<\/p>\n

     $ – end of string<\/p>\n

     [] – specific single character range, [123], [1-5]<\/p>\n

     ^$ – locally originated<\/p>\n

     + – 1 or more occurrences<\/p>\n

     * – 0 or more occurrences<\/p>\n

     .* – any number<\/p>\n

ip  as-path access-list 1 denty ^100_<\/span><\/p>\n

 – Will match:<\/p>\n

     -> 100 200          – yes<\/p>\n

     -> 100                – yes<\/p>\n

     -> 100 800 900    – yes<\/p>\n

     -> 1008 500         – no<\/p>\n

^1[2-5]8$<\/p>\n

 – Will match:<\/p>\n

     -> 128<\/p>\n

     -> 138<\/p>\n

     -> 148<\/p>\n

     -> 158<\/p>\n

5?<\/p>\n

 – 5 will be there one time or will be missing<\/p>\n

Match -> 100 200 300 or 100 300<\/p>\n

     -> ^100_200_300$<\/p>\n

     -> ^100_300$<\/p>\n

          – or –<\/p>\n

     -> ^100(_200)?_300$<\/p>\n

Match -> ^100$, ^100_100$, and ^100_100_100$<\/p>\n

     -> ^(100_)+<\/p>\n

          – or –<\/p>\n

     -> (100_)+$<\/p>\n

sh ip bgp regexp _100_<\/span><\/p>\n

BGP Community<\/b><\/p>\n

 – Standard Community<\/p>\n

     -> 32-bit value<\/p>\n

 – Extended Community<\/p>\n

     -> 64-bit value<\/p>\n

 – Can be sent with updates and can be used to change path attributes<\/p>\n

 – Every router must have send-community set for all neighbors, otherwise the community values will be removed<\/p>\n

<\/p>\n

Match a community and take action<\/p>\n

     -> if 100:50, increase local preference to 500<\/p>\n

Set community<\/p>\n

 – In a route-map<\/p>\n

Match community<\/p>\n

 – Community list, called in a route-map<\/p>\n

ip community-list { 1-99 | 100-500 } permit | deny <community value><\/span><\/p>\n

 – 1 – 99<\/p>\n

     -> Standard ACL<\/p>\n

     -> Simple numeric value<\/p>\n

 – 100 – 500<\/p>\n

     -> Extended ACL<\/p>\n

     -> REGEXP can be used<\/p>\n

R3(config)# access-list 1 permit 5.5.5.5<\/span><\/p>\n

route-map COMMUNITY<\/span><\/p>\n

 match ip add 1<\/span><\/p>\n

 set community 100:50<\/span><\/p>\n

route-map COMMUNITY permit 20<\/span><\/p>\n

router bgp 200<\/span><\/p>\n

 neighbor 13.0.0.1 route-map COMMUNITY out<\/span><\/p>\n

 neighbor 13.0.0.1 send-community<\/span><\/p>\n

clear ip bgp 13.0.0.1 out<\/span><\/p>\n

clear ip bgp 13.0.0.1 in<\/span><\/p>\n

clear ip bgp 13.0.0.1<\/span><\/p>\n

R1(config)# ip community-list 1 permite 100:50<\/span><\/p>\n

 route-map MATCH_COMM<\/span><\/p>\n

  match community 1<\/span><\/p>\n

  set local-preference 500<\/span><\/p>\n

route-map MATCH_COM permit 20<\/span><\/p>\n

router bgp 100<\/span><\/p>\n

 neighbor 13.0.0.3 route-map MATCH_COMM<\/span><\/p>\n

sh ip bgp 5.5.5.5<\/span><\/p>\n

 – Community: ______<\/p>\n

     -> will display 32-bit number<\/p>\n

     -> old format<\/p>\n

ip bgp-community new-format<\/span><\/p>\n

sh ip bgp 5.5.5.5<\/span><\/p>\n

 – Community: 100:50<\/p>\n

     -> new format<\/p>\n

<\/p>\n

Well Known Community Values<\/b><\/p>\n

no-export<\/p>\n

 – Update will not be sent to any eBGP neighbor<\/p>\n

no-advertise<\/p>\n

 – Update will not be sent to any iBGP or eBGP neighbor<\/p>\n

LOCAL-AS<\/p>\n

 – Update will not be sent to another confederation<\/p>\n

additive<\/p>\n

 – Will add community to the existing list<\/p>\n

R1(config)# route-map COMMUNITY<\/span><\/p>\n

 set community no-export<\/span><\/p>\n

set community 100:50 additive<\/span><\/p>\n

<\/p>\n

Deleting Community Values<\/b><\/p>\n

R2(config)# ip community-list 1 permit 100:60<\/span><\/p>\n

route-map DELETE<\/span><\/p>\n

 set com-list 1 delete<\/span><\/p>\n

router bgp 200<\/span><\/p>\n

 neighbor 23.0.0.3 route-map DELETE<\/span><\/p>\n

 neighbor 23.0.0.3 send-community<\/span><\/p>\n

<\/p>\n

BGP Remove Private-AS<\/b><\/p>\n

 – AS<\/p>\n

     -> 2 bytes<\/p>\n

     -> 1 – 65535<\/p>\n

     -> 64512 – 65534<\/p>\n

          -> Private AS numbers<\/p>\n

 – Removes any AS in the private AS range before sending updates to a neighbor<\/p>\n

R3(config)# router bgp 100<\/p>\n

 neighbor 36.0.0.6 remove-private-as<\/p>\n

<\/p>\n

BGP Default Routing<\/b><\/p>\n

 1. network 0.0.0.0 mask 0.0.0.0<\/span><\/p>\n

     -> Injects a default route to all neighbors<\/p>\n

     -> Needs a default route to be present in the routing table<\/p>\n

 2. neighbor <ip add> default-originate [route-map <name>]<\/span><\/p>\n

     -> Per neighbor<\/p>\n

     -> Default route does not need to be present in the routing table<\/p>\n

BGP Dampening<\/b><\/p>\n

 – It is a procedure to suppress flapping routes<\/p>\n

 – It uses a penalty system where on every flap, a penalty value 1000 is associated with the route<\/p>\n

 – The moment the value is associated with the route, it starts decreasing on an exponential decay rate<\/p>\n

 – If the route gains a penalty value of 2000, the route is suppressed<\/p>\n

     -> Value called suppress limit<\/p>\n

     -> Can be changed<\/p>\n

 – Value has to decrease to 750 before the route is no longer suppressed<\/p>\n

     -> Value called the reuse limit<\/p>\n

suppress limit<\/p>\n

     -> {P(0)}<\/p>\n

reuse limit<\/p>\n

     -> {P(t)}<\/p>\n

          -> t in minutes<\/p>\n

half-life<\/p>\n

     -> The time in minutes the router will take to reduce the penalty to half of the suppress limit<\/p>\n

     -> default is 15 minutes<\/p>\n

<\/p>\n

Max suppress time<\/p>\n

     -> 4 * half-life<\/p>\n

          -> 60 minutes by default<\/p>\n

Scenario -> Configure BGP Dampening on R1 so that if a route flaps 6 times, it is suppressed;  the penalty should reach 3000 after 40 minutes;  the route should be reusable after the penalty reaches 2000.   <\/p>\n

     suppress limit -> 6000<\/p>\n

     half-life -> 40 minutes<\/p>\n

     reuse limit -> 2000<\/p>\n

     max suppress time -> 160 minutes<\/p>\n

router bgp 100<\/span><\/p>\n

 bgp dampening 40 2000 6000 160<\/span><\/p>\n

Scenario -> Dampen route 5.5.5.5 if it flaps 3 times, unsuppress it when the penalty reaches 1000, half-life is 20 minutes<\/p>\n

R1(config)# access-list 1 permit 5.5.5.5<\/span><\/p>\n

 route-map DAMPENING<\/span><\/p>\n

  match ip add 1<\/span><\/p>\n

  set dampening 20 1000 3000 80<\/span><\/p>\n

 route-map DAMPENING permit 20<\/span><\/p>\n

router bgp 100<\/span><\/p>\n

 bgp dampening route-map DAMPENING<\/span><\/p>\n

<\/p>\n

sh ip bgp dampening parameters<\/span><\/p>\n

sh ip bgp dampening dampened-paths<\/span><\/p>\n

sh ip bgp dampening flap-statistics<\/span><\/p>\n

sh ip bgp<\/span><\/p>\n

 d> 5.5.5.5          -> dampened, currently up<\/p>\n

 h> 5.5.5.5          -> history, another router suppressed, currently down<\/p>\n

BGP Timers<\/b><\/p>\n

 – Keepalive<\/p>\n

     -> 60 seconds<\/p>\n

 – Holddown<\/p>\n

     -> 180 seconds<\/p>\n

router bgp 100<\/span><\/p>\n

 bgp timer 30 90<\/span><\/p>\n

Batch Updates<\/b><\/p>\n

 – BGP holds the new updates to be sent to a neighbor according to the following timer<\/p>\n

     -> iBGP – 5 seconds<\/p>\n

     -> eBGP – 30 seconds<\/p>\n

 – Also called advertise-interval<\/p>\n

 – If set to 0, updates are sent immediately<\/p>\n

router bgp 100<\/span><\/p>\n

 neighbor <ip add> advertisement-interval <seconds><\/span><\/p>\n

BGP Scan Time<\/b><\/p>\n

 – By default, BGP scans the BGP table for changes every 60 seconds<\/p>\n

router bgp 100<\/span><\/p>\n

 bgp scan-time <seconds><\/span><\/p>\n

<\/p>\n

BGP AS-Override \/ AllowAS-In<\/b><\/p>\n

 – If the link between R4 <-> R5 is goes down, R6 will not be able to reach R7<\/p>\n

R1(config)# router bgp 100<\/span><\/p>\n

 neighbor 13.0.0.2 as-override<\/span><\/p>\n

 neighbor 13.0.0.3 as-override<\/span><\/p>\n

     -> update to R3<\/p>\n

          -> 6.6.6.6          100 100 i<\/p>\n

     – or –<\/p>\n

R2(config)# router bgp 200<\/span><\/p>\n

 neighbor 12.0.0.1 allowas-in<\/span><\/p>\n

R3(config)# router bgp 200<\/span><\/p>\n

 neighbor 13.0.0.1 allowas-in<\/span><\/p>\n

Allowas-in<\/p>\n

 – Accept updates that contain our own AS in the path<\/p>\n

 – Should be used as a temporary solution only while the link between R4 <-> R5 is down<\/p>\n","protected":false},"excerpt":{"rendered":"

BGP Filtering<\/p>\n","protected":false},"author":1,"featured_media":799,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[39,31,10,57],"class_list":["post-811","post","type-post","status-publish","format-standard","hentry","category-ccie","tag-bgp","tag-published","tag-service-provider","tag-share"],"_links":{"self":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/811","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=811"}],"version-history":[{"count":1,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/811\/revisions"}],"predecessor-version":[{"id":981,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/811\/revisions\/981"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/media\/799"}],"wp:attachment":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=811"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}