Configuring BGP Filters
By using BGP filters, you can filter routes to be advertised.
Procedure
- Configure an ACL.
An ACL is a series of sequential rules composed of permit and deny clauses. These rules specify source addresses, destination addresses, or port numbers of packets. ACL rules are used to classify packets. After ACL rules are applied to a router, the router uses the ACL rules to permit or deny packets.
For details on ACL configurations, see the HUAWEI NetEngine 8000 F SeriesRouter Configuration Guide-IP Services.
An ACL can be used as a filtering condition of a route-policy or used in the filter-policy { acl-number | acl-name acl-name } export [ direct | isis process-id | ospf process-id | rip process-id | static ] or peer { group-name | ipv4-address } filter-policy { acl-number | acl-name acl-name } export command.
- Configure an IP prefix list.
An IP prefix list is a type of filter used to filter routes based on destination addresses. An IP prefix list is identified by its name. An IP prefix list can be used flexibly to implement accurate filtering. For example, it can be used to filter a route or routes to a network segment. If a large number of routes with different prefixes need to be filtered, configuring an IP prefix list to filter the routes is very complex.
An IP prefix list can be used as a matching rule of a route-policy or used in the filter-policy ip-prefix ip-prefix-name export [ direct | isis process-id | ospf process-id | rip process-id | static ] or peer { group-name | ipv4-address } ip-prefix ip-prefix-name export command.
- Run ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ipv4-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]
An IPv4 prefix list is configured.
The mask length range can be specified as mask-length <= greater-equal-value <= less-equal-value <= 32. If only greater-equal is specified, the prefix range is [greater-equal-value, 32]. If only less-equal is specified, the prefix range is [mask-length, less-equal-value].
An IPv4 prefix list is identified by its name, and each list contains one or multiple entries. Each entry is identified by an index, and can uniquely specify a matching range in the form of a network prefix. An IPv4 prefix list named abcd is used as an example.
# ip ip-prefix abcd index 10 permit 1.0.0.0 8 ip ip-prefix abcd index 20 permit 10.0.0.0 8
During route matching, the system checks the entries identified by indexes in ascending order. If a route matches an entry, it is no longer matched against the next entry.
The NetEngine 8000 F denies all unmatched routes by default. If all entries in an IP prefix list are set to deny mode, all routes will be denied. In this case, after multiple entries are specified in deny mode, define an entry permit 0.0.0.0 0 less-equal 32 to permit all the other IPv4 routes.
If more than one entry is defined in an IP prefix list, at least one entry must be set to permit mode.
- Run ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ipv4-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]
- Configure an AS_Path filter.
An AS_Path filter is used to filter BGP routes based on the AS_Path attributes contained in the BGP routes. If you do not want traffic to pass through an AS, configure an AS_Path filter to filter out the traffic carrying the AS number. If the BGP routing table of each device on a network is large, configuring an ACL or an IP prefix list to filter BGP routes is complex and complicates maintenance of new routes.
If the AS_Path information of a summarized route is lost, the AS_Path filter cannot be used to filter the summarized route, but can still be used to filter the specific routes from which the summarized route is derived.
An AS_Path filter can be used as a filtering condition of a route-policy or be used in the peer as-path-filter command.
- Run ip as-path-filter { as-path-filter-number | as-path-filter-name } [ index index-number ] { permit | deny } regular-expression
An AS_Path filter is configured.
An AS_Path filter defines matching rules with a regular expression. A regular expression is composed of the following parts:
Metacharacter: defines matching rules.
General character: defines matching objects.
Table 1 Description of metacharacters Special Character
Function
Example
.
Matches any single character.
.* matches any string in an AS_Path and is used to match any route.
^
Indicates the beginning of a matched string.
^65 matches strings beginning with 65:
- Examples of matched strings: 65, 651, 6501, and 65001
- Examples of unmatched strings: 165, 1650, 6650, and 60065
$
Indicates the end of a matched string.
65$ matches strings ending with 65:
- Examples of matched strings: 65, 165, 1065, 10065, and 60065
- Examples of unmatched strings: 651, 1650, 6650, 60650, and 65001
^65$ matches AS_Path 65 only.
NOTE:^$ matches an empty string (empty AS_Path) and is usually used to match routes in the local AS.
_
Matches a sign, such as a comma (,), left brace ({), right brace (}), left parenthesis ((), right parenthesis ()), and space. In addition, it can be used at the beginning of a regular expression with the same function as the caret sign (^) or at the end of a regular expression with the same function as the dollar sign ($).
- ^65001_ matches the AS_Paths that begin with 65001 followed by a symbol. Specifically, ^65001_ matches AS_Paths with 65001 as the leftmost AS number (the number of the last AS through which a route passes) and the routes sent by peers in AS 65001.
- _65001_ matches the strings (AS_Paths) that contain 65001, which is used to match the routes that pass through AS 65001.
- _65001$ matches the AS_Paths that end with a sign followed by 65001. Specifically, _65001$ matches AS_Paths with 65001 as the rightmost AS number (the number of the first AS through which a route passes), which is used to match the routes that originate in AS 65001.
\
Defines an escape character, which is used to mark the next character (common or special) as a common character.
An AS_Confed_Sequence contains parentheses (()). The parentheses (()) in regular expressions provide special functions. To match such special characters by removing their special meanings, you can use the backslash (\). For example:
- \(65002_ matches the AS_Confed_Sequences that begin with (65002 followed by a sign. Specifically, \(65002_ matches AS_Confed_Sequences with 65002 as the leftmost AS number (the number of the last AS through which a route passes) and the routes sent by peers in AS 65002.
- \(.*_65003_.*\) matches the AS_Confed_Sequence that contains AS number 65003 and the routes that pass through AS 65003 in a confederation.
- _65004\) matches a string that ends with 65004 and with a sign before 65004. That is, the most significant AS number (start AS) of AS_Confed_Sequence is 65004. This string can also be used to match the routes originating in AS 65004 in a confederation and the routes directly advertised by AS 65004 in the confederation. _65004\) provides the same function as 65004\).
Similarly, backslashes (\) can be used to remove the special meanings of the left bracket ([) and right bracket (]) used in an AS_Confed_Set and the left brace ({) and right brace (}) used in an AS_Set.
*
Matches the strings in which the preceding character occurs zero or more times.
65* matches the AS_Paths that begin with 6 and contain zero or multiple 5s.
- Examples of matched strings: 6, 65, 655, 6559, 65259, and 65529
- Examples of unmatched strings: 5, 56, 556, 5669, 55269, and 56259
+
Matches the strings in which the preceding character occurs one or more times.
65+ matches the AS_Paths that begin with 6 and contain one or multiple 5s.
- Examples of matched strings: 65, 655, 6559, 65259, and 65529
- Examples of unmatched strings: 56, 556, 5669, 55269, and 56259
?
Matches the strings in which the preceding character occurs zero or one time.
65? matches the AS_Paths that begin with 6 and contain zero or one 5.
- Examples of matched strings: 6 and 65
- Examples of unmatched strings: 655, 6559, and 65529
()
Defines a subexpression, which can be empty. The parentheses can be empty in between.
100(200)+ matches 100200, 100200200, and so on.
x|y
Matches x or y.
100|65002|65003 matches 100, 65002, or 65003.
[xyz]
Matches any character in the regular expression.
[896] matches 8, 9, or 6.
[^xyz]
Matches any character that is not contained in the regular expression.
[^896] matches any character, except 8, 9, and 6.
[a-z]
Matches any character within the specified range.
[2-4] matches any of 2, 3, and 4; [0-9] matches any digits from 0 to 9.
NOTE:The value in the square brackets ([]) must be a digit from 0 to 9. For example, to match a number ranging from 735 to 907, use the regular expression of (73[5-9]|7[4-9][0-9]|8[0-9][0-9]|90[0-7]).
[^a-z]
Matches any character beyond the specified range.
[^2-4] matches AS_Paths without 2, 3, and 4, and [^0-9] matches AS_Paths without digits from 0 to 9.
For example, ^10 matches only the AS_Path attribute beginning with 10. ^ indicates that the beginning of a string character is matched.
You can define multiple rules (permit or deny) for the same filter. During the matching, the relationship between these rules is OR. If a route meets one of the matching rules, it matches this AS_Path filter.
For details on a regular expression, see the HUAWEI NetEngine 8000 F SeriesRouter Configuration Guide - Basic Configurations.
- Run ip as-path-filter { as-path-filter-number | as-path-filter-name } [ index index-number ] { permit | deny } regular-expression
- Configure a community filter.
A BGP community attribute is used to identify a group of routes with the same properties. Routes can be classified through the community attribute, which facilitates route management.
Some AS internal routes may not need to be advertised to any other AS, whereas AS external routes need to be advertised to other ASs. These AS external routes have different prefixes (as a result, an IP prefix list is inapplicable) and may come from different ASs (as a result, an AS_Path filter is inapplicable). You can set a community attribute value for these AS internal routes and another community attribute value for these AS external routes on an ASBR to control and filter these routes.
- Configure a Large-Community filter.
The Large-Community attribute can completely represent a 2-byte or 4-byte Autonomous System Number (ASN), and has two 4-byte LocalData IDs. The administrator can therefore apply route-policies more flexibly. The Large-Community attribute extends and can be used together with a community attribute.
- Configure an extended community filter.
Similar to a BGP community filter, a BGP extcommunity filter is used to filter private network routes.
- Configure a route-policy.
A route-policy is used to match routes or route attributes, and to change route attributes when specific conditions are met. As the preceding filters can be used as matching conditions of a route-policy, the route-policy is powerful in functions and can be used flexibly.
- Run route-policy route-policy-name { permit | deny } node node
A route-policy with a node is configured, and the route-policy view is displayed.
A route-policy consists of multiple nodes. For example, the route-policy route-policy-example permit node 10 command specifies node 10 and the route-policy route-policy-example deny node 20 command specifies node 20. The two nodes belong to the route-policy specified by route-policy-example. The relationship between the nodes of a route-policy is "OR". The details are as follows:
- If a route matches one node, the route matches the route-policy and will not be matched against the next node. For example, there are two nodes defined using the route-policy route-policy-example permit node 10 and route-policy route-policy-example deny node 20 commands. If a route matches the node defined using the route-policy route-policy-example permit node 10 command, the route will not be matched against the node defined using the route-policy route-policy-example deny node 20 command.
- If a route does not match any node, the route fails to match the route-policy.
When a route-policy is used to filter a route, the route is first matched against the node with the smallest node value. For example, if two nodes are configured using the route-policy route-policy-example permit node 10 and route-policy route-policy-example deny node 20 commands, a route is first matched against the node configured using the route-policy route-policy-example permit node 10 command.
The NetEngine 8000 F considers that each unmatched route fails to match the route-policy by default. If more than one node is defined in a route-policy, at least one of them must be in permit mode.
- (Optional) Perform the following operations as needed to configure if-match clauses for current nodes of the route-policy.
if-match clauses are used to filter routes. If no if-match clause is specified, all routes will match the node in the route-policy.
To match an ACL, run the if-match acl { acl-number | acl-name } command.
To match an IP prefix list, run the if-match ip-prefix ip-prefix-name command.
The if-match acl and if-match ip-prefix commands cannot be used together in the same node of a route-policy, because the latest configuration will override the previous one.
To match the AS-Path attribute of BGP routes, run the if-match as-path-filter as-path-filter-number &<1-16> command.
To match the community attribute of BGP routes, run either of the following commands:
if-match community-filter { basic-comm-filter-num [ whole-match ] | adv-comm-filter-num } * &<1-16>
if-match community-filter comm-filter-name [ whole-match ]
if-match community-filter { adv-comm-filter-num sort-match } * &<1-16>
- if-match community-filter comm-filter-name sort-match
To match the Large-community attribute of BGP routes, run the if-match large-community-filter large-comm-filter-name [ whole-match ] command.
To match the VPN-Target extended community attribute of BGP routes, run the if-match extcommunity-filter { { basic-extcomm-filter-num | adv-extcomm-filter-num } &<1-16> | basic-extcomm-filter-name | advanced-extcomm-filter-name } command.
To match the SoO extended community attribute of BGP routes, run the if-match extcommunity-list soo extcomm-filter-name command.
The operations in Step 3 can be performed in any order. A node may have multiple if-match clauses or no if-match clause.
The relationship between the if-match clauses in a node of a route-policy is "AND". A route must match all the rules before the action defined by the apply clause is taken. For example, if two if-match clauses (if-match acl 2003 and if-match as-path-filter 100) are defined in the route-policy route-policy-example permit node 10 command, a route is considered to match node 10 only when it matches the two if-match clauses.
- (Optional) Perform the following operations as needed to configure apply clauses for current nodes of the route-policy.
apply clauses can be used to set attributes for routes matching if-match clauses. If this step is not performed, the attributes of routes matching if-match clauses keep unchanged.
To configure BGP to overwrite or add the specified AS number for the AS_Path attribute of matched routes, run the apply as-path { as-number-plain | as-number-dot } &<1-128>{ additive | overwrite | delete } or apply as-path asValues { additive | overwrite | delete } command.
To delete a specified BGP community attribute from a route, run the apply comm-filter { comm-filter-number | comm-filter-name } delete command.
The apply comm-filter delete command deletes the community attribute according to the specified value in the community filter. The referenced ip community-filter command can contain only one community attribute. To delete more than one community attribute, run the command multiple times. If multiple community attributes are specified in one community filter, none of them can be deleted. For more information, see the HUAWEI NetEngine 8000 F SeriesRouter Command Reference.
- To delete all community attributes from a BGP route, run the apply community none command.
- To set community attributes for a BGP route, run the apply community { { community-number | aa:nn } &<1-32> | internet | no-advertise | no-export | no-export-subconfed } * [ additive ], or apply community community-list community-list-name command.
A BGP community list must be configured using the ip community-list command and community attributes must be configured for the list using the community command before you run the apply community community-list community-list-name command.
- To delete the Large-community attribute of BGP routes, run the apply large-community none command.
- To set the Large-community attribute of BGP routes, run the apply large-community { aa:bb:cc } &<1-16> { additive | overwrite | delete } or apply large-community-list large-community-list-name { additive | overwrite | delete } command.
Before running the apply large-community-list large-community-list-name command to set the BGP Large-community attribute, run the ip large-community-list command to configure a BGP Large-community list and run the large-community command to configure values for the Large-community list.
- To set the BGP VPN target extended community attribute, run the apply extcommunity { rt extCmntyValue } &<1-16> [ additive ] command.
- To set a BGP SoO extended community attribute for a route, run the apply extcommunity soo { site-of-origin } &<1-16> additive command.
- To set the bandwidth extended community attribute, run the apply extcommunity bandwidth { extCmntyString | none } or apply extcommunity bandwidth aggregate [ limit bandwidth-value ] command.
- To set the local preference for a BGP route, run the apply local-preference [ + | - ] preference command.
- To set the Origin attribute for a BGP route, run the apply origin { egp { as-number-plain | as-number-dot } | igp | incomplete } command.
- To set a preferred value for a BGP route, run the apply preferred-value preferred-value command.
To set dampening parameters for an EBGP route, run the apply dampening half-life-reach reuse suppress ceiling command.
The operations in Step 4 can be performed in any order. A node may have multiple apply clauses or no apply clause.
- Run route-policy route-policy-name { permit | deny } node node
- Configure an IP address list.
Before configuring a conditional BGP route advertisement policy, you need to create an IP address list.