
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1

Route Selection Using Policy Controls

Filtering with Prefix-Lists


Outline

• Overview
• Requirements for Prefix-Based Filters
• Prefix-Lists vs. IP Access-Lists
• Configuring Prefix-Lists
• BGP Filters Implementation
• Implementing Prefix-Lists in the BGP Process
• Modifying Prefix-Lists
• Monitoring Prefix-Lists
• Summary


Requirements for Prefix-Based Filters

• Service providers have to filter customer updates to ensure that the customers announce only their assigned address space.


Prefix-Lists vs. IP Access-Lists

Traditional prefix filters

• Traditional IP prefix filters were implemented with IP access-lists configured with the distribute-list command.
• IP access-lists used as route filters have several drawbacks:
  – Subnet mask cannot be easily matched.
  – Access-lists are evaluated sequentially for every IP prefix in the routing update.
  – Access-lists are hard to edit.
  – Extended access-lists can be cumbersome to configure.
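The first drawback above, as an added example that is not from the slides or from Cisco: a small Python evaluator for standard and extended access-list entries used as route filters with distribute-list. A standard entry compares only the route's network address against "address wildcard", so a filter meant to admit just the 192.168.0.0/16 aggregate also admits every more-specific route inside it. The extended form can pin the mask, but only because IOS reads its source field as the network and its destination field as the subnet mask, which is the cumbersome configuration the slide refers to. The ACL numbers, the entries and the sample routes are constructed, and parse_acl and acl_route_match are this example's own names; it goes slightly beyond the slide by showing the extended form as well.

```python
"""Standard vs. extended ACLs as route filters (added example, not Cisco code).

Applied with distribute-list, a standard ACL compares only the route's network
address; an extended ACL also compares the route's subnet mask, because IOS
reads its source field as the network and its destination field as the mask.
All ACL lines and routes below are constructed for the example.
"""
import ipaddress


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(text):
    """Parse standard ('access-list N action addr wc') and extended
    ('access-list N action ip addr wc mask-addr mask-wc') entries."""
    rules = []
    for line in text.splitlines():
        p = line.split()
        if not p or p[0] != "access-list":
            continue
        if len(p) == 5:                      # standard: network address only
            rules.append((p[2], _ip(p[3]), _ip(p[4]), None, None))
        elif len(p) == 8 and p[3] == "ip":   # extended: network, then mask
            rules.append((p[2], _ip(p[4]), _ip(p[5]), _ip(p[6]), _ip(p[7])))
        else:
            raise ValueError(f"unrecognised ACL line: {line}")
    return rules


def acl_route_match(rules, route):
    """Action of the first rule matching the route's network address (and, for
    extended entries, its subnet mask); 'deny' if nothing matches."""
    r = ipaddress.ip_network(route, strict=False)
    net, mask = int(r.network_address), int(r.netmask)
    for action, addr, wc, maddr, mwc in rules:
        keep = 0xFFFFFFFF ^ wc               # wildcard 1-bits are "don't care"
        if net & keep != addr & keep:
            continue
        if maddr is not None:                # extended entry: the mask must match too
            mkeep = 0xFFFFFFFF ^ mwc
            if mask & mkeep != maddr & mkeep:
                continue
        return action
    return "deny"                            # implicit deny


# Intent: accept only the 192.168.0.0/16 aggregate from a neighbor.
STANDARD = parse_acl("access-list 1 permit 192.168.0.0 0.0.255.255")
# Extended form: source = network 192.168.0.0 exactly, destination = mask 255.255.0.0 exactly.
EXTENDED = parse_acl("access-list 101 permit ip 192.168.0.0 0.0.0.0 255.255.0.0 0.0.0.0")

ROUTES = ("192.168.0.0/16", "192.168.0.0/20", "192.168.2.0/24", "192.168.2.1/32")

if __name__ == "__main__":
    for route in ROUTES:
        print(f"{route}: standard={acl_route_match(STANDARD, route)} "
              f"extended={acl_route_match(EXTENDED, route)}")
```

The standard list permits all four routes, including the /32 host route, because the prefix length never enters the comparison; the extended list permits only the exact /16, at the price of an entry that no longer reads like a packet filter.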


Prefix-Lists vs. IP Access-Lists (Cont.)

Prefix-lists

• New route-filtering mechanism
• Significant performance improvement on long filters
  – Inside Cisco IOS software, the prefix-list is a tree structure and is not scanned sequentially.
• Support for incremental updates
  – Individual entries in prefix-lists can be inserted or deleted.
• More user-friendly CLI
  – The CLI for using access-lists to filter BGP updates is difficult to understand and use, because it uses the packet-filtering format.
• Greater flexibility; can match on subnet masks


Prefix-Lists vs. IP Access-Lists (Cont.)

• Key access-list features are preserved.
  – Filtering using “permit” or “deny”
  – Order dependency (first match wins)
  – Security-focused: no match means “deny”
• The matching mechanism has changed.
  – Matches routes in a part of address space with subnet mask longer or shorter than a set number


Configuring Prefix-Lists

ip prefix-list list-name [seq seq] {permit|deny} network/len [ge value] [le value]

router(config)#

• Prefix-lists have names and sequence numbers (like route-maps).

• An entry with no le or ge parameter matches exactly the specified prefix: both the network and the prefix length must be equal.

• An entry with an le or ge parameter matches any route within the address space of network/len whose prefix length is greater than or equal to the ge value and less than or equal to the le value. With ge alone the upper bound is 32; with le alone the lower bound is len itself. IOS requires len < ge-value <= le-value <= 32 and rejects an entry that violates this.


Configuring Prefix-Lists (Cont.)

Prefix-list matching rules

• Prefix-list entries with no ge or le option match only the specified route.
  – Similar to IP access-lists with no wildcard bits
  – Matching also considers subnet mask

Which of the following routes will be matched by:
ip prefix-list MyList permit 192.168.0.0/16?

192.168.0.0/16    matched
192.168.0.0/20    not matched (X)
192.168.2.0/24    not matched (X)


Configuring Prefix-Lists (Cont.)

• A prefix-list entry with ge or le option matches any prefix within specified address space where the subnet mask falls within specified limits.

Which of the following routes will be matched by:

ip prefix-list MyList permit 192.168.0.0/16 le 20?

192.168.0.0/16     matched
192.168.17.0/20    matched
192.168.2.0/24     not matched (X)

ip prefix-list MyList permit 192.168.0.0/16 ge 18?

192.168.0.0/16     not matched (X)
192.168.17.0/20    matched
192.168.2.0/24     matched


Configuring Prefix-Lists (Cont.)

What will be matched by:

a) ip prefix-list A permit 0.0.0.0/0 ge 32
b) ip prefix-list B permit 128.0.0.0/2 ge 17
c) ip prefix-list C permit 0.0.0.0/0 le 32
d) ip prefix-list D permit 0.0.0.0/0
e) ip prefix-list E permit 0.0.0.0/1 le 24

a) All host routes
b) Any subnet in class B address space (prefix lengths /17 to /32 within 128.0.0.0/2)
c) All routes
d) Just the default route
e) Any prefix in class A address space covering at least 256 addresses (prefix lengths /1 to /24 within 0.0.0.0/1)


BGP Filters Implementation


Implementing Prefix-Lists in the BGP Process

neighbor {ip-address|peer-group-name} prefix-list prefix-list-name {in|out}

router(config-router)#

• Filters inbound or outbound BGP routing updates for a configured neighbor session

distribute-list prefix prefix-list-name out routing-process

router(config-router)#

• Filters routes redistributed from the specified routing process into BGP (the IOS keyword that introduces the list name here is prefix, not prefix-list)


Prefix-List Example: Filtering Customer Prefixes

• Requirement: The customer will announce prefixes only from assigned address space (172.16.0.0/16), with subnet masks no longer than /24.


Prefix-List Example: Filtering Peer Prefixes

• Requirement: The ISP will not accept routes with subnet masks longer than /24; subnet masks from class B address space will be no longer than /20.
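The two requirements above, together with the matching rules and quizzes on the earlier slides, as one added example that is not from the slides or from Cisco: a Python evaluator that parses entries written in the same ip prefix-list syntax, applies the length range from ge/le, first match wins, the implicit deny and seq ordering, and checks the quiz answers plus a Customer and a Peer list written for the two requirements. The list names Customer and Peer, the entries written for them, the sample routes and the PrefixList/load names are all constructed for this example.

```python
"""Prefix-list evaluator in IOS syntax (added example, not Cisco code).

Implements the matching rules from the slides: exact match without ge/le, a
prefix-length range with ge/le, first match wins, no match means deny, and
entries kept in seq order. Every config line below is constructed.
"""
import ipaddress
import re

_ENTRY = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<net>\d+\.\d+\.\d+\.\d+)/(?P<len>\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


class PrefixList:
    def __init__(self, name):
        self.name = name
        self.entries = []  # (seq, action, network, min_len, max_len), sorted by seq

    def add(self, action, network, ge=None, le=None, seq=None):
        # strict=False masks host bits beyond len (192.168.17.0/20 -> 192.168.16.0/20).
        net = ipaddress.ip_network(network, strict=False)
        plen = net.prefixlen
        # IOS rejects ranges that do not satisfy len < ge <= le <= 32.
        if ge is not None and not plen < ge <= 32:
            raise ValueError(f"{network}: need len < ge <= 32")
        if le is not None and not plen < le <= 32:
            raise ValueError(f"{network}: need len < le <= 32")
        if ge is not None and le is not None and ge > le:
            raise ValueError(f"{network}: need ge <= le")
        lo = ge if ge is not None else plen                              # no ge: from len
        hi = le if le is not None else (32 if ge is not None else plen)  # no le: to 32 with ge, exact without
        if seq is None:  # IOS auto-numbers in steps of 5 above the highest existing seq
            seq = 5 if not self.entries else (max(e[0] for e in self.entries) // 5 + 1) * 5
        self.entries = [e for e in self.entries if e[0] != seq]  # re-entering a seq replaces it
        self.entries.append((seq, action, net, lo, hi))
        self.entries.sort(key=lambda e: e[0])

    def remove(self, seq):
        """'no ip prefix-list NAME seq N': drop one entry, the rest stay as they are."""
        self.entries = [e for e in self.entries if e[0] != seq]

    def sequence_numbers(self):
        return [e[0] for e in self.entries]

    def lookup(self, route):
        """(action, seq) of the first entry whose length range and address space cover
        the route; ('deny', None) when nothing matches, the implicit deny."""
        r = ipaddress.ip_network(route, strict=False)
        for seq, action, net, lo, hi in self.entries:
            if lo <= r.prefixlen <= hi and r.subnet_of(net):
                return action, seq
        return "deny", None


def load(text, lists=None):
    """Parse 'ip prefix-list ...' lines into {name: PrefixList}. Pass an existing dict
    to add to it, as typing one more line with a seq number does on the router."""
    lists = {} if lists is None else lists
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unrecognised entry: {line}")
        ge, le, seq = (int(m[k]) if m[k] else None for k in ("ge", "le", "seq"))
        lists.setdefault(m["name"], PrefixList(m["name"])).add(
            m["action"], f"{m['net']}/{m['len']}", ge, le, seq)
    return lists


CONFIG = """
! Entries from the slide quizzes
ip prefix-list MyList permit 192.168.0.0/16
ip prefix-list MyListLe permit 192.168.0.0/16 le 20
ip prefix-list MyListGe permit 192.168.0.0/16 ge 18
ip prefix-list A permit 0.0.0.0/0 ge 32
ip prefix-list B permit 128.0.0.0/2 ge 17
ip prefix-list C permit 0.0.0.0/0 le 32
ip prefix-list D permit 0.0.0.0/0
ip prefix-list E permit 0.0.0.0/1 le 24
! Customer: only 172.16.0.0/16 space, subnet masks no longer than /24 (implicit deny does the rest)
ip prefix-list Customer seq 5 permit 172.16.0.0/16 le 24
! Peer: class B space no longer than /20, everything else no longer than /24
ip prefix-list Peer seq 5 deny 128.0.0.0/2 ge 21
ip prefix-list Peer seq 10 permit 0.0.0.0/0 le 24
"""

LISTS = load(CONFIG)

if __name__ == "__main__":
    for name, route in [("Customer", "172.16.5.0/24"), ("Customer", "172.16.5.0/25"),
                        ("Peer", "150.1.0.0/20"), ("Peer", "150.1.0.0/24"),
                        ("Peer", "203.0.113.0/24"), ("Peer", "203.0.113.0/25")]:
        print(f"{name}: {route} -> {LISTS[name].lookup(route)}")
```

On the router the Customer list would be applied to the customer session with neighbor ip-address prefix-list Customer in, and the Peer list to the peering session in the same way. The Peer list relies on ordering: seq 5 discards class B prefixes longer than /20 before seq 10 admits everything up to /24, and anything longer than /24 falls through to the implicit deny. Note that the slide's 192.168.17.0/20 has host bits set; the evaluator masks them off and treats it as 192.168.16.0/20.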


Modifying Prefix-Lists

show ip prefix-list list-name [detail|summary]

router#

• Displays the prefix-list and the sequence numbers

no ip prefix-list list-name seq seq

router(config)#

• Erases the line with the specified sequence number from the prefix-list

ip prefix-list list-name seq seq {permit|deny} network/len [ge value] [le value]

router(config)#

• Inserts the line into the prefix-list at the specified point; entries are kept in ascending sequence order, and an entry typed without seq is given the next multiple of 5 above the highest existing number


Monitoring Prefix-Lists

show ip prefix-list [detail | summary] prefix-list-name [network/length] [seq sequence-number] [longer] [first-match]

router#

• To display information about a prefix-list or prefix-list entries

show ip bgp prefix-list prefix-list-name

router#

• Displays all routes in the BGP table matching the prefix-list
• Used for easier monitoring of a desired network prefix group in the BGP table


Summary

• Customers with multihomed networks are responsible for announcing their own networks using BGP, and service providers with multihomed customers must take precautions not to accept, use, or forward any erroneous routing information that is received from their customers.

• Prefix-lists have a number of advantages over access-lists, including faster “permit” or “deny” determinations and easier CLI editing.

• Prefix-lists are configured using the ip prefix-list global configuration command.

• Filter-lists and prefix-lists can be optionally applied on either incoming or outgoing neighbors in any combination.


Summary (Cont.)

• Prefix-lists can filter incoming or outgoing BGP updates to neighbors and filter routes that are being redistributed into the BGP process from other routing protocols. Use the neighbor prefix-list router configuration command to apply a prefix-list to the updates received from or sent to a BGP neighbor.

• Prefix-lists are modified in place: the ip prefix-list list-name seq command inserts an entry at a chosen sequence number and the no ip prefix-list list-name seq command removes one, without rewriting the rest of the list.

• To display or monitor statistics about a prefix-list or prefix-list entries, you can use the show ip prefix-list EXEC command.
