BGP Filtering / Authentication / BGP Peer group notes for exam day!

No topology for this particular post, just some quick notes on BGP filtering which probably won’t be a huge topic on ROUTE as it’s more a Service Provider

So here we go.

BGP Filtering can be done on any router, there are no limitations like in OSPF where filtering is done on specific router types or points in the network.

Filtering can be done for inbound and outbound updates.

After filtering is enabled via a filter-list / distribute-list / route-map, the neighbor relationship must be reset or cleared for it to take effect, which is done with “clear ip bgp * soft [in|out]” (a soft reset re-sends or re-requests updates without tearing the session down).

Now any type of filtering must be configured on a router per neighbor via the neighbor statement, whereas in IGPs you could often just use a single command or two within the protocol itself.

Peer groups are just a bit beyond the scope of CCNP, but in case they do come up on the exam: a peer group is a way to logically group together neighbors that need the exact same BGP policy, so that one list of commands (filtering included) is applied across all neighbors in the Peer Group.

To Filter in BGP, you have 4 options:

  • Distribute-list
  • Prefix-list
  • Filter-list
  • Route-map

To show what they require as a next step in the command, I ran them on R1:

R1(config-router)#neighbor 172.12.15.5 distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP access list number (expanded range)
  WORD         IP Access-list name

R1(config-router)#neighbor 172.12.15.5 prefix-list ?
  WORD  Name of a prefix list

R1(config-router)#neighbor 172.12.15.5 filter-list ?
  <1-500>  AS path access list

R1(config-router)#neighbor 172.12.15.5 route-map ?
  WORD  Name of route map

R1(config-router)#neighbor 172.12.15.5 route-map (Word)

Now with Route-Maps you can match on ACLs, Prefix-Lists and AS Path Access-Lists, so these give you the most flexibility.

With BGP, the filter-list does not work as it did with OSPF, where it requires a prefix-list to reference. Instead it wants something called an AS path access list.

The AS Path access-list is configured with the following:

R1(config)#ip as-path access-list ?
  <1-500>  AS path access list number

R1(config)#ip as-path access-list 1 ?
  deny    Specify packets to reject
  permit  Specify packets to forward

R1(config)#ip as-path access-list 1 permit ?
  LINE  A regular-expression to match BGP AS paths. Use "ctrl-v ?" to enter "?"

R1(config)#ip as-path access-list 1 permit 200 ?
LINE    <cr>

R1(config)#ip as-path access-list 1 permit 200 500 ?
LINE    <cr>

R1(config)#ip as-path access-list 1 permit 200 500 300 ?
LINE    <cr>

R1(config)#ip as-path access-list 1 permit 200 500 300

As you can see, this is meant to filter routes based on their AS_PATH, rather than any sort of network or prefix information.

I’m going to move on here, as the ROUTE exam I believe (hope) only really requires you to know of but not need to configure these different filtering types.

In my next post I have a great screen snip of the differences in Distribute-Lists between protocols, then I have a lot of note reviewing for BGP to get to 🙂