Friday, February 21, 2020

BGP IPv6 Route Filtering on Cisco IOS

Filtering IPv6 routes in BGP is similar to IPv4 filtering.  There are 3 methods we can use:
  • Prefix-list
  • Filter-list
  • Route-map
Each of these can be applied in- or outbound. I’ll explain how you can use these for filtering, this is the topology I will use:
[Topology: R1 and R2 are directly connected and run eBGP over IPv6; R1 advertises 4 prefixes]
R1 and R2 are using IPv6 addresses and will use MP-BGP so that R1 can advertise some prefixes on its loopback interfaces. All prefixes on the loopback interfaces are /64 subnets while loopback3 has a /96 subnet.

Configuration

Let’s start with a basic MP-BGP configuration so that R1 and R2 become eBGP neighbors:
R1 & R2(config)#ipv6 unicast-routing
R1(config)#router bgp 1
R1(config-router)#bgp router-id 1.1.1.1
R1(config-router)#neighbor 2001:db8:0:12::2 remote-as 2
R1(config-router)#address-family ipv6
R1(config-router-af)#neighbor 2001:db8:0:12::2 activate
R1(config-router-af)#network 2001:db8:0:1::/64
R1(config-router-af)#network 2001:db8:0:11::/64
R1(config-router-af)#network 2001:db8:0:111::/64
R1(config-router-af)#network 2001:db8:0:1111::/96
R2(config)#router bgp 2
R2(config-router)#bgp router-id 2.2.2.2
R2(config-router)#neighbor 2001:db8:0:12::1 remote-as 1
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::1 activate
Let’s check if R2 has learned all prefixes:
R2#show ipv6 route bgp | begin 2001
B   2001:DB8:0:1::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:11::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:111::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:1111::/96 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
There we go, everything is in the routing table. Now we can play with some of the filtering options…

Prefix-List Filtering

Let’s start with the prefix-list. R1 is advertising one /96 subnet. Let’s see if we can configure R2 to filter this network:
R2(config)#ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64
This prefix-list checks the entire 2001::/16 range and permits any prefix with a length of /64 or shorter, in other words a /64 or a larger network. Anything more specific (like our /96) falls through to the implicit deny at the end of the prefix-list. Let’s activate it:
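To make the ge/le semantics concrete, here is an added Python model (not part of the original post, and not IOS code) of how a prefix-list entry is matched: the candidate must sit inside the configured network and its length must fall in the range the entry allows. It evaluates the post’s SMALL_NETWORKS list against the four prefixes R1 advertises, plus a constructed stricter list that denies anything longer than /64 before permitting the documentation range. Entry tuples, the NO_TOO_SPECIFIC list and the function names are assumptions of this example.

```python
from ipaddress import IPv6Network

# Added example (not from the original post): a model of how an IOS
# "ipv6 prefix-list" entry with optional ge/le qualifiers decides a match.
# Each entry is (action, "network/len", ge, le); ge and le are None when omitted.

def entry_matches(entry, prefix):
    """True if `prefix` is covered by this prefix-list entry."""
    _action, base, ge, le = entry
    base = IPv6Network(base)
    # The candidate must lie inside the configured network ...
    if not prefix.subnet_of(base):
        return False
    # ... and its length must fall in the range the entry allows:
    #   no ge/le   -> exactly the configured length
    #   le M       -> configured length .. M
    #   ge N       -> N .. 128
    #   ge N le M  -> N .. M
    low = base.prefixlen if ge is None else ge
    if le is not None:
        high = le
    else:
        high = 128 if ge is not None else base.prefixlen
    return low <= prefix.prefixlen <= high


def prefix_list_permits(entries, prefix):
    """Evaluate entries top-down; the first match decides, implicit deny at the end."""
    if isinstance(prefix, str):
        prefix = IPv6Network(prefix)
    for entry in entries:
        if entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False  # implicit deny, as on IOS


# The post's prefix-list: ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64
SMALL_NETWORKS = [("permit", "2001::/16", None, 64)]

# Constructed stricter variant: reject anything longer than /64 first,
# then permit only the documentation range.
NO_TOO_SPECIFIC = [
    ("deny", "::/0", 65, None),            # deny ::/0 ge 65
    ("permit", "2001:db8::/32", None, 64),  # permit 2001:db8::/32 le 64
]

# The four prefixes R1 advertises in the post.
ADVERTISED = [
    "2001:db8:0:1::/64", "2001:db8:0:11::/64",
    "2001:db8:0:111::/64", "2001:db8:0:1111::/96",
]


def apply_prefix_list(entries, prefixes=ADVERTISED):
    """Map each prefix to True (permitted) or False (denied)."""
    return {p: prefix_list_permits(entries, p) for p in prefixes}


if __name__ == "__main__":
    for name, plist in (("SMALL_NETWORKS", SMALL_NETWORKS),
                        ("NO_TOO_SPECIFIC", NO_TOO_SPECIFIC)):
        print(name)
        for prefix, ok in apply_prefix_list(plist).items():
            print(f"  {prefix:24} {'permit' if ok else 'deny'}")
```

Both lists let the three /64s through and drop the /96; the second one additionally rejects a prefix outside 2001:db8::/32 because nothing matches it and the implicit deny applies. Note that an entry without ge/le only matches the exact length, which is why a plain permit for 2001:db8:0:1::/64 would not let a /96 inside it through.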
R2(config)#router bgp 2
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::1 prefix-list SMALL_NETWORKS in
We activate the prefix-list inbound on R2 for everything that we receive from R1. Let’s reset BGP to speed things up:
R2#clear ip bgp *
Let’s check R2 to see if our prefix is gone:
R2#show ipv6 route bgp | begin 2001
B   2001:DB8:0:1::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:11::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:111::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
Great, it has been filtered successfully!

Filter-List Filtering

Let’s try the filter-list. We can use this to filter prefixes from certain autonomous systems. Everything that R1 is advertising only has AS 1 in the AS path, I’ll configure AS prepending so we have something to play with:
R1(config)#ipv6 prefix-list FIRST_LOOPBACK permit 2001:db8:0:1::/64

R1(config)#route-map PREPEND permit 10
R1(config-route-map)#match ipv6 address prefix-list FIRST_LOOPBACK
R1(config-route-map)#set as-path prepend 11
R1(config)#route-map PREPEND permit 20

R1(config)#router bgp 1
R1(config-router)#address-family ipv6
R1(config-router-af)#neighbor 2001:db8:0:12::2 route-map PREPEND out
The above configuration will make sure that whenever R1 advertises 2001:db8:0:1::/64 it will add AS 11 to the AS path. Let’s verify this:
R2#show ip bgp all
For address family: IPv4 Unicast


For address family: IPv6 Unicast

BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 2001:DB8:0:1::/64
                    2001:DB8:0:12::1
                                             0             0 1 11 i
*> 2001:DB8:0:11::/64
                    2001:DB8:0:12::1
                                             0             0 1 i
*> 2001:DB8:0:111::/64
                    2001:DB8:0:12::1
                                             0             0 1 i

For address family: IPv4 Multicast
Above you can see that 2001:DB8:0:1::/64 now has AS 11 in its AS path. Let’s configure a filter-list on R2 to get rid of this network:
R2(config)#ip as-path access-list 11 permit ^1$

R2(config)#router bgp 2
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::1 filter-list 11 in

R2#clear ip bgp *
The as-path access-list above only permits prefixes from AS1, nothing else. We attach it inbound to everything we receive from R1. This is the result:
R2#show ipv6 route bgp | begin 2001
B   2001:DB8:0:11::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:111::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
It’s gone from the routing table, mission accomplished.

Route-Map Filtering

Route-maps are really useful and can be used to match on many different things. I’ll use an IPv6 access-list in a route-map to filter 2001:DB8:0:11::/64:
R2(config)#ipv6 access-list THIRD_LOOPBACK
R2(config-ipv6-acl)#permit 2001:db8:0:11::/64 any

R2(config)#route-map MY_FILTER deny 10
R2(config-route-map)#match ipv6 address THIRD_LOOPBACK
R2(config-route-map)#exit
R2(config)#route-map MY_FILTER permit 20

R2(config)#router bgp 2
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::1 route-map MY_FILTER in

R2#clear ip bgp *
The configuration above has an access-list called “THIRD_LOOPBACK” that matches 2001:DB8:0:11::/64 and is denied in the route-map called “MY_FILTER”. Last but not least, we apply it inbound on R2. Here’s the result:
R2#show ipv6 access-list
IPv6 access list THIRD_LOOPBACK
    permit ipv6 2001:DB8:0:11::/64 any (1 match) sequence 10
R2#show ipv6 route bgp | begin 2001
B   2001:DB8:0:111::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
The access-list tells us that it has a match and you can see it’s gone from the routing table.

Order of Operation

You have now seen how you can use a prefix-list, filter-list and route-map to filter IPv6 prefixes. You can apply all of these at the same time if you want; I didn’t remove any of my previous configurations when I was writing this lesson. Take a look at R2:
R2#show run | sec address-family ipv6
 address-family ipv6
  neighbor 2001:DB8:0:12::1 activate
  neighbor 2001:DB8:0:12::1 prefix-list SMALL_NETWORKS in
  neighbor 2001:DB8:0:12::1 route-map MY_FILTER in
  neighbor 2001:DB8:0:12::1 filter-list 11 in
On a production network you probably won’t use all of these at the same time. The route-map is a popular choice since you can use it for pretty much anything, filtering and doing things like prepending the AS path.
If you do activate all of these at the same time then you might want to know in what order the router will process these filtering techniques. Here they are:
Inbound:
  • Route-map
  • Filter-List
  • Prefix-List
Outbound:
  • Prefix-List
  • Filter-List
  • Route-Map
Why do we care about this? Imagine you have an inbound route-map and prefix-list. If you permitted a prefix in the prefix-list but denied it in the route-map then you will never see the prefix in your BGP table since the route-map is processed before the prefix-list.
For outbound filtering it’s the other way around. If you permit something in the route-map but deny it in a filter-list then it will never be advertised…the filter-list is processed before the route-map for outbound updates.
Don’t make it too hard for yourself…it’s best to stick to using the route-map only since you can attach prefix-lists and as-path access-lists to it.
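The inbound and outbound orders above are easy to reason about with a small model. The following Python example is added here and is not part of the original post or IOS itself: it models R2’s three inbound filters (route-map MY_FILTER, filter-list 11 and prefix-list SMALL_NETWORKS), runs each received update through them in the inbound and in the outbound order, and reports which filter is the first to reject it. The AS-path regex is evaluated with Python’s re module, which I assume behaves the same as the IOS regex engine for the simple pattern ^1$; the extra /96 update with the prepended path is constructed for the example, and all function names are my own.

```python
import re
from ipaddress import IPv6Network

# Added example (not from the original post): R2's three inbound filters,
# modelled as functions, run in the inbound and outbound processing orders.

# route-map MY_FILTER: deny 10 matches ACL THIRD_LOOPBACK, permit 20 matches the rest
THIRD_LOOPBACK = {IPv6Network("2001:db8:0:11::/64")}

# ip as-path access-list 11 permit ^1$
# (Python re is assumed to agree with the IOS regex engine for this pattern)
AS_PATH_ACL_11 = re.compile(r"^1$")


def route_map_permits(prefix, as_path):
    return prefix not in THIRD_LOOPBACK


def filter_list_permits(prefix, as_path):
    return AS_PATH_ACL_11.search(as_path) is not None


def prefix_list_permits(prefix, as_path):
    # ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64
    return prefix.subnet_of(IPv6Network("2001::/16")) and prefix.prefixlen <= 64


# Order of operation from the post: inbound route-map -> filter-list -> prefix-list,
# outbound the reverse.
INBOUND = [
    ("route-map", route_map_permits),
    ("filter-list", filter_list_permits),
    ("prefix-list", prefix_list_permits),
]
OUTBOUND = list(reversed(INBOUND))


def first_rejecting_filter(chain, prefix, as_path):
    """Name of the first filter that drops the update, or None if all permit it."""
    for name, permits in chain:
        if not permits(prefix, as_path):
            return name
    return None


# Updates as R2 receives them in the post: (prefix, AS path after prepending),
# plus one constructed /96 carrying the prepended path so that it is denied by
# two filters and the order decides which one is credited with the drop.
UPDATES = [
    ("2001:db8:0:1::/64", "1 11"),
    ("2001:db8:0:11::/64", "1"),
    ("2001:db8:0:111::/64", "1"),
    ("2001:db8:0:1111::/96", "1"),
    ("2001:db8:0:1::/96", "1 11"),  # constructed for this example
]


def evaluate(chain, updates=UPDATES):
    """Map each prefix to the filter that rejected it (None = accepted)."""
    return {p: first_rejecting_filter(chain, IPv6Network(p), path) for p, path in updates}


def accepted(chain, updates=UPDATES):
    """Prefixes that survive every filter in the chain."""
    return sorted(p for p, why in evaluate(chain, updates).items() if why is None)


if __name__ == "__main__":
    for label, chain in (("inbound", INBOUND), ("outbound", OUTBOUND)):
        print(label)
        for prefix, why in evaluate(chain).items():
            print(f"  {prefix:24} {why or 'accepted'}")
```

Two things fall out of this. First, the set of accepted prefixes is the same in both orders (only 2001:db8:0:111::/64 survives), because an update has to pass every configured filter regardless of sequence. Second, the order decides which filter you will see the drop on: inbound, the constructed 2001:db8:0:1::/96 is dropped by the filter-list before the prefix-list ever sees it, while outbound the prefix-list drops it first. That is also why the THIRD_LOOPBACK access-list on R2 showed a match in the output above: the route-map runs first inbound, so the counter increments even though other filters are configured.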
Configurations

R1
hostname R1
!
ipv6 unicast-routing
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:0:12::1/64
!
interface Loopback0
 ipv6 address 2001:DB8:0:1::1/64
!
interface Loopback1
 ipv6 address 2001:DB8:0:11::1/64
!
interface Loopback2
 ipv6 address 2001:DB8:0:111::1/64
!
interface Loopback3
 ipv6 address 2001:DB8:0:1111::1/96
!
router bgp 1
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor 2001:DB8:0:12::2 remote-as 2
 !
 address-family ipv4
  neighbor 2001:DB8:0:12::2 activate
  neighbor 2001:DB8:0:12::2 route-map PREPEND out
 exit-address-family
 !
 address-family ipv6
  network 2001:DB8:0:1::/64
  network 2001:DB8:0:11::/64
  network 2001:DB8:0:111::/64
  network 2001:DB8:0:1111::/96
  neighbor 2001:DB8:0:12::2 activate
  neighbor 2001:DB8:0:12::2 route-map PREPEND out
 exit-address-family
!
ipv6 prefix-list FIRST_LOOPBACK permit 2001:db8:0:1::/64
route-map PREPEND permit 10
 match ipv6 address prefix-list FIRST_LOOPBACK
 set as-path prepend 11
route-map PREPEND permit 20
!
end

R2
hostname R2
!
ipv6 unicast-routing
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:0:12::2/64
!
router bgp 2
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 neighbor 2001:DB8:0:12::1 remote-as 1
 !
 address-family ipv4
  no neighbor 2001:DB8:0:12::1 activate
 exit-address-family
 !
 address-family ipv6
  neighbor 2001:DB8:0:12::1 activate
  neighbor 2001:DB8:0:12::1 prefix-list SMALL_NETWORKS in
  neighbor 2001:DB8:0:12::1 route-map MY_FILTER in
  neighbor 2001:DB8:0:12::1 filter-list 11 in
 exit-address-family
!
ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64
!
ip as-path access-list 11 permit ^1$
!
ipv6 access-list THIRD_LOOPBACK
 permit 2001:db8:0:11::/64 any
!
route-map MY_FILTER deny 10
 match ipv6 address THIRD_LOOPBACK
route-map MY_FILTER permit 20
!
end

That’s all I have for now, I hope this has been useful to understand BGP IPv6 filtering. If you have any questions, just leave a comment.
