2013/11/23

WB1 7.43 BGP Filtering with Prefix-Lists

• Configure a prefix-list on R2 so that it does not accept the prefix 222.22.2.0/24 from BB2; this prefix-list should be applied directly to the neighbor.
• Configure a prefix-list on R4 so that it does not accept any prefixes with a subnet mask greater than /22 from BB3; this prefix-list should be applied through a route-map to the neighbor.


---------------------------------

Prefix lists are the preferred way to filter subnets in BGP based on their IP addressing information. A prefix list is an ordered sequence of entries, where each entry specifies either a single IP prefix or a range of prefixes.

Prefix lists are stored in efficient data structures that allow very fast lookup and information retrieval. They have certain performance benefits over standard and extended IOS access-lists when used for prefix filtering.

Here is the syntax for a typical prefix-list entry:

ip prefix-list <NAME> seq <Num> {permit|deny} <Subnet>/<Prefix> [ge <Length1>] [le <Length2>]

Entries in a prefix list are processed sequentially until the first match. As soon as a match is found, processing stops and the associated action is performed. The <Subnet>/<Prefix> pair specifies the major subnet that all prefixes matching this entry must belong to.

For example, this could be 192.168.0.0/16 or 172.16.8.0/24 and so on – any valid classless prefix. The modifiers ge and le are optional and are used to specify a prefix range. Specifically, a prefix matches the entry if:

a) The prefix is a subnet of <Subnet>/<Prefix>, i.e. the prefix is a subset of <Subnet> and its prefix-length is greater than or equal to <Prefix>.

b) If the le modifier is used, the prefix length is less than or equal to <Length2>. That is, the prefix length must be within the [<Prefix>,<Length2>] range.

For example, with 192.168.0.0/16 le 24, valid prefixes include 192.168.2.0/24 and 192.168.0.0/22, as both are subnets of 192.168.0.0/16 and have a prefix-length less than or equal to 24. However, 192.168.2.128/25 will not match the above prefix-list entry.

c) If the ge modifier is used, the prefix length is greater than or equal to <Length1> and at most 32. That is, the prefix-length must be within the [<Length1>,32] range. Obviously, <Length1> must be greater than or equal to <Prefix>.

Take for example the prefix-list entry 172.16.3.0/24 ge 25. It would match 172.16.3.128/25, 172.16.3.0/30 and 172.16.3.1/32, but not 172.16.3.0/24.


If both the le and ge modifiers are in use, the resulting prefix-length range is between <Length1> and <Length2> inclusive.

For example, 172.16.0.0/16 ge 24 le 30 would match 172.16.0.0/24, 172.16.3.0/24, 172.16.3.252/30 and so on.

Two common questions with prefix-lists are how to match the default route and how to match all prefixes.

The entries are permit 0.0.0.0/0 and permit 0.0.0.0/0 le 32 respectively.

The first entry matches only the prefix with a prefix-length of zero and a network part of 0.0.0.0, i.e. the default route.

The second entry matches any subnet of 0.0.0.0/0, which encompasses the whole IPv4 address space, i.e. any address.

Prefix lists can be applied directly to a BGP peer using the command neighbor <IP> prefix-list <NAME> {in|out}, or through a route-map that matches the prefix-list.

The latter is the preferable way, as it allows for more flexible policy editing.
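As an added example (not code from the original post), here is a small Python model of the matching rules above: ordered entries, first match wins with an implicit deny at the end, and the ge/le length bounds exactly as described. It also loads the two prefix-lists from the task solution (BLOCK_222 and SHORTER_THAN_22) so their effect on a neighbor's advertised prefixes can be checked offline; the `accepted` helper and the sample prefixes are constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    """One prefix-list line: action, <Subnet>/<Prefix>, optional ge/le bounds."""
    permit: bool
    net: IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, prefix: IPv4Network) -> bool:
        # Rule a): the candidate must be a subnet of <Subnet>/<Prefix> ...
        if not prefix.subnet_of(self.net):
            return False
        # ... and its length must fall in the range the modifiers define:
        # ge alone -> [<Length1>, 32]; le alone -> [<Prefix>, <Length2>];
        # both -> [<Length1>, <Length2>]; neither -> exactly <Prefix>.
        lo = self.ge if self.ge is not None else self.net.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.net.prefixlen
        return lo <= prefix.prefixlen <= hi


def parse_entry(line: str) -> Entry:
    """Parse e.g. 'permit 172.16.0.0/16 ge 24 le 30' (seq numbers omitted)."""
    tok = line.split()
    opts = dict(zip(tok[2::2], map(int, tok[3::2])))
    return Entry(tok[0] == "permit", ip_network(tok[1], strict=False),
                 opts.get("ge"), opts.get("le"))


def evaluate(entries: List[Entry], prefix: str) -> bool:
    """Walk the entries in order; first match wins; implicit deny at the end."""
    p = ip_network(prefix, strict=False)
    for e in entries:
        if e.matches(p):
            return e.permit
    return False


def accepted(entries: List[Entry], prefixes: List[str]) -> List[str]:
    """Return the prefixes an inbound prefix-list would let through (helper)."""
    return [p for p in prefixes if evaluate(entries, p)]


# The two lists from the task solution, in IOS syntax (constructed input).
R2_BLOCK_222 = [parse_entry("deny 222.22.2.0/24"),
                parse_entry("permit 0.0.0.0/0 le 32")]
R4_SHORTER_THAN_22 = [parse_entry("permit 0.0.0.0/0 le 22")]
```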

--------------------------------------

R2 before the change

Rack1R2#show ip bgp regexp 254$
*> 205.90.31.0      192.10.1.254             0             0 254 ?
*> 220.20.3.0       192.10.1.254             0             0 254 ?
*> 222.22.2.0       192.10.1.254             0             0 254 ?
Rack1R2#

R2 after the change

Rack1R2#show ip bgp regexp 254$
*> 205.90.31.0      192.10.1.254             0             0 254 ?
*> 220.20.3.0       192.10.1.254             0             0 254 ?
Rack1R2#

R4 before the change

Rack1R4#show ip bgp | include 204.12.1.254
*> 112.0.0.0        204.12.1.254                           0 54 50 60 i
*> 113.0.0.0        204.12.1.254                           0 54 50 60 i
*> 114.0.0.0        204.12.1.254                           0 54 i
*> 115.0.0.0        204.12.1.254                           0 54 i
*> 116.0.0.0        204.12.1.254                           0 54 i
*> 117.0.0.0        204.12.1.254                           0 54 i
*> 118.0.0.0        204.12.1.254                           0 54 i
*> 119.0.0.0        204.12.1.254                           0 54 i

R4 after the change (no difference at all, since BB3 only advertises /8 prefixes)

Rack1R4#show ip bgp | include 204.12.1.254
*> 112.0.0.0        204.12.1.254                           0 54 50 60 i
*> 113.0.0.0        204.12.1.254                           0 54 50 60 i
*> 114.0.0.0        204.12.1.254                           0 54 i
*> 115.0.0.0        204.12.1.254                           0 54 i
*> 116.0.0.0        204.12.1.254                           0 54 i
*> 117.0.0.0        204.12.1.254                           0 54 i
*> 118.0.0.0        204.12.1.254                           0 54 i
*> 119.0.0.0        204.12.1.254                           0 54 i

----------------------------------------------

R2:
ip prefix-list BLOCK_222 deny 222.22.2.0/24
ip prefix-list BLOCK_222 permit 0.0.0.0/0 le 32
!
router bgp 200
 neighbor 192.10.1.254 prefix-list BLOCK_222 in

R4:
ip prefix-list SHORTER_THAN_22 permit 0.0.0.0/0 le 22
!
route-map FROM_BB3 permit 100
 match ip address prefix-list SHORTER_THAN_22
!
router bgp 100
 neighbor 204.12.1.254 route-map FROM_BB3 in

My alternative solution:
R4:
! ge 23 matches /23 through /32, i.e. masks greater than /22; ge 22 would also drop /22 itself
ip prefix-list GE_23 seq 5 permit 0.0.0.0/0 ge 23
!
route-map DENY_GE_23 deny 10
 match ip address prefix-list GE_23
!
route-map DENY_GE_23 permit 100
!
router bgp 100
 neighbor 204.12.1.254 route-map DENY_GE_23 in
