Filtering outbound BGP announcements in Cisco IOS

We previously looked at a sample BGP setup for a Cisco 6500 series router. What if you have multiple BGP peers and want to restrict which prefixes or IP blocks you announce to each peer? Simple: use the prefix-list command.

What you announce to each BGP peer will affect the traffic that comes in. So filtering what you announce can help shape your inbound traffic usage, or it can be used to limit one of your peers to very little traffic so you keep a lightly loaded fallback path during a high-load event or DDoS.

Let's look at a sample BGP config:

router bgp 17500
 bgp log-neighbor-changes
 neighbor 200.10.20.1 remote-as 1000
 neighbor 200.10.20.1 ebgp-multihop 5
 neighbor 200.10.20.1 update-source GigabitEthernet5/8
 neighbor 100.5.10.1 remote-as 2000
 neighbor 100.5.10.1 ebgp-multihop 5
 neighbor 100.5.10.1 update-source GigabitEthernet4/8
 !
 address-family ipv4
  neighbor 200.10.20.1 activate
  neighbor 200.10.20.1 next-hop-self
  neighbor 200.10.20.1 send-community
  neighbor 200.10.20.1 soft-reconfiguration inbound
  neighbor 200.10.20.1 prefix-list PeerA-out out
  neighbor 200.10.20.1 filter-list 1 in
  neighbor 200.10.20.1 filter-list 15 out
  neighbor 100.5.10.1 activate
  neighbor 100.5.10.1 next-hop-self
  neighbor 100.5.10.1 send-community
  neighbor 100.5.10.1 soft-reconfiguration inbound
  neighbor 100.5.10.1 prefix-list PeerB-out out
  neighbor 100.5.10.1 filter-list 1 in
  neighbor 100.5.10.1 filter-list 15 out

My ASN is 17500 and I have two BGP uplinks, one to AS 1000 (we’ll call this Peer A) and one to AS 2000 (we’ll call this Peer B). I am announcing the following prefixes:

190.45.60.0/24
209.88.40.0/24
20.10.180.0/24

As you can see, for each peer, I have included a statement with

    prefix-list “LIST-NAME” out

This statement restricts what my ASN will announce OUT to that peer. Let's say I want to announce all three prefixes to Peer A, but only 190.45.60.0/24 to Peer B. This is what the respective prefix-lists look like:

! PeerA-out: announce all three prefixes. An entry without ge/le is an exact
! match, so the length must equal the originated prefix length (/24 here).
ip prefix-list PeerA-out seq 1 permit 190.45.60.0/24
ip prefix-list PeerA-out seq 2 permit 209.88.40.0/24
ip prefix-list PeerA-out seq 3 permit 20.10.180.0/24
! Anything unmatched falls through to the implicit deny at the end of every
! prefix-list; this seq 100 entry itself only matches the default route.
! To deny everything explicitly you would write: deny 0.0.0.0/0 le 32
ip prefix-list PeerA-out seq 100 deny 0.0.0.0/0
! PeerB-out: only the first prefix is announced.
ip prefix-list PeerB-out seq 1 permit 190.45.60.0/24
ip prefix-list PeerB-out seq 100 deny 0.0.0.0/0
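As an added example that is not part of the original post, here is a small Python model of how IOS evaluates a prefix-list: entries are tried in sequence-number order, the first match wins, an entry without ge/le is an exact match on network and length, and anything unmatched hits the implicit deny at the end. The config string and the list of announced prefixes are constructed for the example; the PeerA-out seq 3 entry is deliberately typed as /22 to show why an exact-match entry has to carry the same length as the prefix you actually originate.

```python
"""Simulate Cisco IOS prefix-list evaluation for outbound BGP filtering."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PrefixListEntry:
    seq: int
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None          # minimum prefix length, inclusive
    le: Optional[int] = None          # maximum prefix length, inclusive

    def matches(self, candidate: ipaddress.IPv4Network) -> bool:
        # The candidate must lie inside the entry's prefix ...
        if not candidate.subnet_of(self.prefix):
            return False
        # ... and its length must fall in the allowed range. With neither
        # ge nor le the entry is an exact match: same network, same length.
        if self.ge is None and self.le is None:
            return candidate.prefixlen == self.prefix.prefixlen
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else 32
        return low <= candidate.prefixlen <= high


def parse_prefix_list(config: str) -> Dict[str, List[PrefixListEntry]]:
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/M [ge X] [le Y]' lines."""
    lists: Dict[str, List[PrefixListEntry]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["ip", "prefix-list"]:
            continue                  # blank lines, '!' comments, other config
        if len(tokens) < 7 or tokens[3] != "seq" or tokens[5] not in ("permit", "deny"):
            raise ValueError(f"unsupported prefix-list line: {raw!r}")
        name, seq, action = tokens[2], int(tokens[4]), tokens[5]
        prefix = ipaddress.IPv4Network(tokens[6])   # strict: host bits must be zero
        ge = le = None
        options = tokens[7:]
        if len(options) % 2:
            raise ValueError(f"dangling option in: {raw!r}")
        for key, value in zip(options[::2], options[1::2]):
            if key == "ge":
                ge = int(value)
            elif key == "le":
                le = int(value)
            else:
                raise ValueError(f"unknown option {key!r} in: {raw!r}")
        lists.setdefault(name, []).append(PrefixListEntry(seq, action, prefix, ge, le))
    # IOS evaluates by sequence number, whatever order the lines were typed in.
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries: List[PrefixListEntry], prefix: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry; unmatched -> implicit deny."""
    candidate = ipaddress.IPv4Network(prefix)
    for entry in entries:
        if entry.matches(candidate):
            return entry.action, entry.seq
    return "deny", None               # every IOS prefix-list ends with an implicit deny


def simulate(config: str, announced: List[str]) -> Dict[str, List[str]]:
    """For each prefix-list, which of the locally originated prefixes would get out."""
    return {
        name: [p for p in announced if evaluate(entries, p)[0] == "permit"]
        for name, entries in parse_prefix_list(config).items()
    }


# Constructed sample config (not taken from a live router). The PeerA-out
# seq 3 entry is deliberately typed as /22 to show that an entry without
# ge/le is an exact match and will not pass a /24 announcement.
PREFIX_LIST_CONFIG = """
ip prefix-list PeerA-out seq 1 permit 190.45.60.0/24
ip prefix-list PeerA-out seq 2 permit 209.88.40.0/24
ip prefix-list PeerA-out seq 3 permit 20.10.180.0/22
ip prefix-list PeerA-out seq 100 deny 0.0.0.0/0
ip prefix-list PeerB-out seq 1 permit 190.45.60.0/24
ip prefix-list PeerB-out seq 100 deny 0.0.0.0/0
"""
ANNOUNCED = ["190.45.60.0/24", "209.88.40.0/24", "20.10.180.0/24"]

if __name__ == "__main__":
    for name, out in simulate(PREFIX_LIST_CONFIG, ANNOUNCED).items():
        print(f"{name}: {out}")
    lists = parse_prefix_list(PREFIX_LIST_CONFIG)
    print("20.10.180.0/24 via PeerA-out ->", evaluate(lists["PeerA-out"], "20.10.180.0/24"))
    print("0.0.0.0/0 via PeerA-out ->", evaluate(lists["PeerA-out"], "0.0.0.0/0"))
```

Running it shows PeerA-out passing only two of the three prefixes, because the /22 entry never matches the /24 announcement and the prefix then falls through to the implicit deny (the seq 100 entry only catches 0.0.0.0/0 itself). Writing the entry as `20.10.180.0/22 le 24` would admit the /24 as well as the /22. On the router, the same check is `show ip prefix-list PeerA-out` for the list contents and `show ip bgp neighbors 100.5.10.1 advertised-routes` for what actually leaves towards the peer after the filter.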

That's all there is to it.
