BGP Prefix Filter English version

Captions
Now, every routing protocol: in every routing protocol we need to know how to filter certain updates, updates for some particular network. If you don't really like to learn it, or if you don't want someone to learn the network that your RIP advertises or BGP advertises, you need to know how to filter them. Now there is a network called the 15 network coming from somewhere which I don't want to learn in my routing table, for which I don't want to run the BGP process. Now I need to know how to filter only the 15 network; the other networks that are coming from the other autonomous system I would like to have, but except that 15 network, the 5-0 network. So you need to know how to filter the particular network. Or you may have some policy like this one: this particular IP address needs to be the gateway, only then I'll accept the update. I'm repeating again: when routes are learnt in BGP you may have many autonomous systems giving you the route information, but you may wish to use one particular neighboring autonomous system as the gateway, not all the autonomous systems; you want to choose one over the other one. Now you need to know how to filter the other one so that you can use this one. We need to tell our BGP that if the next-hop address is this particular neighbor then you accept the update, otherwise you don't accept it, you filter it. That's what an inbound route map is. What is inbound? You allow the update to be learnt into your routing algorithm, into your BGP algorithm: inbound. What is outbound? You allow the update to be sent out to the external neighbor: that is outbound. So we need to know how to filter in and out; that's what this chapter is about.

Now you can do this filtration by changing the BGP timer, by changing the BGP path attributes like weight or local preference or MED. You can also limit by saying the number of prefixes that the router during the loading process can accept, like how many routes, a thousand routes only accepted, something like that; you can set some limit. And you can also configure prefix dampening; we'll talk about this later. So there are various ways in which you can do the filtration. To do the filtration you need to know distribute lists, we need to know the IP prefix list, or route map, or autonomous system path access list, or IP prefix list or filter list along with the route map. What is popular is that you always use the IP prefix list with the distribute list, and also sometimes the route map; it's more popular. It's up to you what to use; they all work in a similar fashion.

Now as we saw in the previous slide, we have various ways in which you can filter; you can say what is permitted and what is denied. You can use a route map, you can use a filter list, or you can use an IP prefix list, or you can use a distribute list. Now when we have these many options, what if I have all four options? If I have all four options set for the inbound policy, then when the update comes from outside it will try to match with the route map. If the route map is not getting matched, only then will it look into the filter list, and if the filter list is not matching, only then will it look into the prefix list and then the distribute list. This is the order in which the lookup happens for the inbound traffic. Say for example, if the IP prefix list is configured to do XYZ and if you have a route map with some attribute to do ABC, what will be taken first? ABC will be taken first. So always the route map will be read first, and then the filter list, and then the prefix list, and then the distribute list. This is the order in which the processing of policy happens in BGP filtering. For outbound traffic, traffic that is going out, the order is just the opposite: the route map comes last and the distribute list goes on the top, the prefix list goes second, and the filter list comes as the third. So for outbound this is the order in which the processing happens for the filter; this is inbound, and for the outbound this is the order. This order is very important in the real world, as far as the higher-level exams like CCIE. You might have written some access list along with the route map and we may think that is in effect, that is taking effect for the outbound traffic. No, no: for outbound traffic the distribute list will be prioritized. So if your distribute list is not allowing, even if your route map and access list allow, it is of no use, because the distribute list is what is read first for the outbound traffic, whereas for the inbound traffic the route map and access list and so on are read first. So if this is allowed then the traffic is allowed, if this blocks, the traffic is blocked. So this order is very important.

Now whenever you do some changes, like changing the filter and putting some filters and so on, you need to make sure the other routers get the update. To make the other routers get the update there are different types of reset available: one is the hard reset, the other one is a soft reset, and the third one is also there, dynamic soft reset. So there are three types of reset available in BGP. When you say clear ip bgp, what do you mean? You mean hard reset. When you say clear ip bgp soft, you mean soft reset. But you might have seen that whenever we do some changes, sometimes before you reset the change gets distributed to everyone; it is because of the dynamic soft reset support. So some routers support dynamic soft reset, meaning when an update is made, the update is sent to everyone. Whereas in hard reset, when you manually say clear ip bgp, you mean to say that I want to do a hard reset. What it will do is it will terminate, it will tear down the peering sessions with the neighbor, and it will reestablish the TCP connection and learn from the peer as a fresh update, and it learns the update from the beginning as a fresh update. So it terminates the neighbor, it tears down the neighbor, which means it removes all the updates which were in use and then it relearns everything from scratch. That is what hard reset is. Well, a soft reset is: you store the updates that you are having in a separate memory, and also you learn the new update from the neighbor and update your stored database, so you apply the new BGP policy that you learned to the existing policies. This is non-destructive. What is non-destructive? Your neighbors are not getting disconnected, whereas in the hard reset neighbors get disconnected and reestablish the neighbor. Hard reset is disruptive: neighbors will go down and come up. Whereas in soft reset the neighbors don't go down, only the new updates are getting added to the existing updates which were there in the additional storage memory. So soft reset, hard reset. Now the soft reset is for the inbound as well as for the outbound session. If I want to do reset only for the inbound, then I'll say clear ip bgp soft in; if it is only for the outbound, only for the neighbor, then I'll say clear ip bgp soft out. Any question on hard reset and soft reset? No, it is taken care of automatically: for the time being it will move all the updates to an additional memory location so that it can learn the new updates, and then it will try to append, it will try to add the new BGP policy to the existing update. That allocation is taken care of automatically by the algorithm. So dynamic inbound soft reset is there by default, you need not do anything. But you can check whether a particular router has dynamically learned from the neighbor. How? show ip bgp neighbors: you see a big page of information, and in that you will see one line saying "received route refresh capability from the peer". If you see this one, then this router is capable of dynamically learning the update whenever the change happens.

Now actually our aim was to talk about filtering, but whenever you do some changes you need to reset; that's why I added this reset in the middle. Now going back to the filtering stuff: prefix filtering. Now this is an example which shows how to influence the inbound path selection; that's also a kind of filtering. What is that? See, router D can take this path to reach A: router D can come to E and it can come to A. Router D can also come to C, B and then A. So what I can do is, if I want router D not to come via E to reach A, repeating, if router A does not want router D to come via E, what it can do is it can increment the AS. But what type of protocol is BGP? It's a path vector protocol, right? Now you tell me, according to what you see here, will router D take the path via router E to reach this 172.17.1.1, or will it take via C, B and A? Because it is only two jumps, right, it is only two jumps. But if you wish to filter this route, I do not want to allow D to take this path, I want to filter this route. What I can do is I can go to router A and when I advertise this 172.17 network, instead of simply saying 65536, I'll say 65536 two, three times more, repeatedly. So when the path goes out from router A, router E is receiving as if it is coming from three hops. Now for router E it is three hops, then for router D it will be four hops. So router D will compare and see one hop, and from E to A it looks like three hops, so four hops coming like this. So router D will go by this way: one, two and three hops, it is cheaper, less number of hops. So what we can do is we can append, we can add more AS values so that one path can be filtered and the other path can be preferred.

So similar to the example is what you are seeing here. What I am doing here is I am prepending. I am writing route-map PREPEND; PREPEND is not a keyword, it's a name, just this PREPEND in capital letters is the name for the route map. You can give any name: route-map INDIA, route-map WELCOME, whatever, route-map anything. A route map, give a name, and then say permit, which is the default actually, you need not even say this; ten is also not necessary, you can simply hit enter, sequence number ten is the default number. So route-map PREPEND, and then I say set as-path prepend; these are all keywords, and I am repeatedly writing 65536 65536. Where am I doing this? I am doing this on router A. So I am telling router A to prepend the 65536 two times. Where do I need to prepend? Whenever I send an update to this neighbor 192.168.1.2; I'm calling the route map here and I'm saying outbound. So whenever you send the update to this guy, prepend this value. Usually it will send only one 65536 to this guy, 192.168.1.2, and according to router B usually it will see it as one hop, but because you are prepending two times now it will look like three hops: already one hop, now you're adding two more duplications of the number, so already one is there, you are prepending two more. So to router B it will look like three hops to reach router A, and for router C it will look like four hops. So router C, instead of coming via B, will try to go via D, because via D is only three hops. So router A has filtered this path, or router A has made router C filter this path and choose the other path. Easy to understand, right? Okay, next. Yes, you can do it; I'm just showing one of the ways. You can do many things; there are many ways in which you can do this, this is one of the ways. What we are using here is a route map. We saw here that for the inbound the route map is what is checked first; for the outbound the route map is what is checked last. Here I am writing a route map for the outbound traffic, and we are just learning all the methods for filtering; route map is also one of the methods, right? We are learning that next. So a route map is not the only method; you also have the filter list, we also have the prefix list, the distribute list. So we need to learn all.

So route map is the one way we have seen. Just next you see the prefix list. I can write a prefix list saying, and it depends on in or out, if I say in, then if you are learning any default route from anyone, deny. ip prefix-list ABC: ABC is your name to identify this prefix list, you can give any name. ip prefix-list ABC deny the default route. Or if you say I want to permit only the ten network, then you can type ip prefix-list ABC permit 10.0.0.0/8. So this will not permit the ten network if it is /16 or /24; it will permit only the ten network with /8. Now let's see one example of how you will use this; that's the next example. See this example below. Similarly, like this prefix list, I'm using another prefix list, but this prefix list is something different. In the previous prefix list there is only one prefix length; what is the prefix length? Eight. Here, what is the prefix length? Any prefix length; zero means any. But here I am saying give the prefix length, and what is prefix length? Subnet mask. If the prefix length is somewhere between 8 and 24, if the subnet mask is 23, 24, 20, 16, anything between 8 and 24, any network. That's what I am writing here: ip prefix-list, this is any name, MAX24 is a name; the sequence number you can give optionally, otherwise it will give it automatically, 1 2 3 4. I'm saying permit any network whose prefix length is greater than or equal to 8 and similarly less than or equal to 24. So ge means greater than or equal to 8, so it should be 8 or above, and then also it should be less than or equal to 24. Now I am calling this MAX24 under the BGP distribute list and I'm saying in. Now you understand how I have to use this: distribute-list prefix is a keyword, call the prefix list name, and then you define in or out. I'm saying in. Did you understand?

Similarly you also have another prefix list. See, I can also use two prefix lists in one distribute list, two prefix lists in one distribute list. Say for example, I'm saying distribute-list prefix MAX24. See, MAX24 is what you wrote here, right? What is MAX24 doing? It will be permitting any subnet which is greater than 8 and less than 24, any network with subnet greater than or equal to 8 and less than or equal to 24. So that I am calling, and also I am saying the gateway should be ALLOWLIST, coming in. What is ALLOWLIST here? ALLOWLIST says this address; see, it is matching /32, it means this is the only address. So this only address I'm calling as gateway; gateway is a keyword. I'm saying whatever you have learned in this prefix list, whatever network you permitted, that network should be coming from this gateway, this next hop, only then you accept. You see the condition, how this distribute list puts it: it checks for any network whose subnet mask is above 8 and less than 24; not only that, the update also should be coming inside from this particular gateway address, from this particular IP address, the neighbor address. Easy to understand, right? No, this is more secure, I agree, but not only that, it is also filtering the other neighbors. You see, you need not do this job, this monkey job of adding unnecessary hop counts; these are all not necessary. I can say in router A, if this is the gateway, accept it. Meaning what? I'm going to router D and saying if this is the gateway... Sorry, you are asking why we can't do this in router D. I can do it in router D; I can go to router D and say if this 172.17.1.1 update is coming from router E then accept it. So I am filtering the other path going via C; C is filtered. So prefix list is one nice feature you can use with the distribute list to do filtering. Is it clear?

Alright, the next thing is about filtering using the AS number, using the autonomous system number, using the AS path. But for that you use something called regular expression. What is a regular expression? There are special symbols, like in a programming language, symbols to tell the router what to be considered and what not to consider. See this example, see this diagram: there are three autonomous systems; autonomous system 3 is connected to 1, and 1 is connected to 4, and 4 will be connected to some other autonomous system on top, like the internet. So don't think that we have only three autonomous systems; see here, this is also connected to some other autonomous system, this is also going to some other autonomous system, and it goes like that. So we have various autonomous systems. Now I want this router to learn the routes that are coming only from this autonomous system. So whatever was coming from X to Y and Y to router 4, and router 4 gives to router 1, router 1 should not learn it. You understand? I want autonomous system 1, router R1, to learn the update that is originating from autonomous system 4, if at all it is originating from autonomous system 4, which is from router 4. If the update that is coming from Y is given to 1, 1 should not accept it; 1 should accept only the update coming from router 4 itself. So how can I do this? That is what our first example is, right? So let's see the first example. I want to learn only the update coming from... okay, let's say I have a connection like this also here, anyhow, so that's the scenario. On this neighbor, from this neighbor router 4, I want to learn the update that is originating from autonomous system 4; I do not want anything from anywhere else to come in. What I can do is I can write like this: ip as-path access-list 1 permit ^4$. This one means the first number can be only 4 and the last number also; there should not be any other number. Dollar means anything that you write before the dollar is the last number; when you put the caret, it means this number should be the first number. This is what is called a regular expression. So what will happen? For any update coming from the X network, the last number will not be 4, the last number will be X. For any update that is coming from autonomous system 4, the last number will be 4, and because R1 is receiving it the first number also will be 4, because it is the directly connected autonomous system. So no other updates will be received in. That's what we are doing here: I have written the ip as-path command. I cannot call the AS path directly here in BGP. One mistake is there, okay, it should be "in". Secondly, I cannot call the AS path directly into the neighbor statement; there is no command to add it. So what I do is I go to the route map and call the AS path, match as-path 1, and then call this route map in the BGP neighbor statement, in. Alright, I think for this you need to go through the attribute class because it is not covered for you; you are struggling to understand, right?
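The three inbound filters the lecture walks through (a prefix list with ge/le, a gateway check attached to the distribute list, and an as-path access-list using a regular expression) can be modelled in a few lines so that you can see which sample updates each one drops. The code below is an added example written for this page, not the instructor's configuration or any router's implementation; the list names MAX24, ALLOWLIST and ONLY_TEN, the as-path list 1 with ^4$, and the sample updates are constructed to mirror the examples discussed, and the AS-path length tie-break at the end stands in for the prepend trick from the first example.

```python
"""Toy model of inbound BGP filtering as described in the lecture.
All list names, AS numbers and updates below are constructed examples."""
import ipaddress
import re


def prefix_list_entry_matches(entry, prefix):
    """One prefix-list line: (action, network, ge, le).
    Without ge/le the route must equal the listed network exactly (so
    'permit 10.0.0.0/8' does not match 10.1.0.0/16).  With ge/le the route
    must lie inside the listed network and its length must fall in [ge, le];
    a missing ge defaults to the listed length, a missing le to 32."""
    action, net, ge, le = entry
    net = ipaddress.ip_network(net)
    prefix = ipaddress.ip_network(prefix)
    if ge is None and le is None:
        return prefix == net
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else prefix.max_prefixlen
    if not (low <= prefix.prefixlen <= high):
        return False
    return prefix.subnet_of(net)


def prefix_list_permits(entries, prefix):
    """First matching line decides; every prefix list ends in an implicit deny."""
    for entry in entries:
        if prefix_list_entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False


def as_path_acl_permits(acl, as_path):
    """ip as-path access-list: the AS path is searched as a space-separated
    string, so ^4$ permits only the path '4' (originated by AS 4 and received
    directly from it); '4 7 9' fails because the last number is not 4."""
    path_str = " ".join(str(asn) for asn in as_path)
    for action, pattern in acl:
        if re.search(pattern, path_str):
            return action == "permit"
    return False


def inbound_accepts(update, route_list, gateway_list, as_path_acl):
    """distribute-list prefix ROUTES gateway GATEWAYS in, plus an as-path
    filter: the prefix must pass ROUTES, the next hop must pass GATEWAYS as
    a /32, and the received AS path must pass the regex list."""
    prefix, next_hop, as_path = update
    if not prefix_list_permits(route_list, prefix):
        return False
    if not prefix_list_permits(gateway_list, f"{next_hop}/32"):
        return False
    return as_path_acl_permits(as_path_acl, as_path)


# Constructed policy mirroring the lecture's examples.
MAX24 = [("permit", "0.0.0.0/0", 8, 24)]            # permit 0.0.0.0/0 ge 8 le 24
ALLOWLIST = [("permit", "192.168.1.2/32", None, None)]  # the only accepted gateway
ONLY_TEN = [("permit", "10.0.0.0/8", None, None)]     # exact /8 only
AS_ACL_1 = [("permit", r"^4$")]                       # ip as-path access-list 1

# Constructed sample updates: (prefix, next hop, AS path as received).
UPDATES = [
    ("10.1.0.0/16", "192.168.1.2", [4]),        # /16, right gateway, from AS 4
    ("10.1.0.0/16", "192.168.1.9", [4]),        # wrong gateway
    ("172.17.1.0/30", "192.168.1.2", [4]),      # /30 is longer than le 24
    ("10.1.0.0/16", "192.168.1.2", [4, 7, 9]),  # passed through AS 4, originated elsewhere
]


def evaluate_all(updates=UPDATES):
    """Returns one accept/filter verdict per sample update."""
    return [inbound_accepts(u, MAX24, ALLOWLIST, AS_ACL_1) for u in updates]


def best_by_as_path_length(paths):
    """Path-vector tie-break on AS path length: prepending the local AS makes
    one path look longer so the other wins.  paths: {name: [asn, ...]}."""
    return min(paths, key=lambda name: len(paths[name]))


if __name__ == "__main__":
    for update, verdict in zip(UPDATES, evaluate_all()):
        print(update, "accepted" if verdict else "filtered")
    # Router A prepended 65536 twice towards E, so the path via C and B is shorter.
    print(best_by_as_path_length({"via_E": [65500, 65536, 65536, 65536],
                                  "via_C_B": [65501, 65502, 65536]}))
```

Only the first sample update survives all three checks; the others fail on the gateway, on the prefix length, and on the AS path respectively. Note that the exact-match behaviour of a line without ge/le is what the lecture means when it says `permit 10.0.0.0/8` lets through the /8 but not a /16 or /24 under it.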
Info
Channel: Jayachandran
Views: 11,800
Keywords: jayachandran, sathiyan, BGP, filter, filter-list, distribution-list, route map, Path selection
Id: TrcsWtVbJ2w
Length: 31min 3sec (1863 seconds)
Published: Sat Feb 04 2017