Configuring BGP Filters

By using BGP filters, you can flexibly filter routes to be received.

Procedure

  • Configure an ACL.

    An ACL is a series of sequential rules composed of permit and deny clauses. These rules are described based on source addresses, destination addresses, and port numbers of packets. ACL rules are used to classify packets. After ACL rules are applied to interfaces on the router, the router permits or denies packets based on the ACL rules.

    For details on ACL configurations, see HUAWEI NetEngine 8000 F Series Router Configuration Guide - IP Services.

    An ACL can be used as a filtering condition of a route-policy or used in the filter-policy { acl-number | acl-name acl-name } import or peer { group-name | ipv4-address } filter-policy { acl-number | acl-name acl-name } import command.

  • Configure an IP prefix list.

    An IP prefix list is a type of filter used to filter routes based on destination addresses. An IP prefix list is identified by its name. An IP prefix list can be used flexibly to implement accurate filtering. For example, it can be used to filter a single route or all routes to a network segment. If a large number of routes with different prefixes need to be filtered, however, configuring an IP prefix list to filter them becomes very complex.

    An IP prefix list can be used as a filtering condition of a route-policy or used in the filter-policy ip-prefix ip-prefix-name import or peer { group-name | ipv4-address } ip-prefix ip-prefix-name import command.

    1. Run system-view

      The system view is displayed.

    2. Run ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ip-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]

      An IPv4 prefix list is configured.

      The mask length range can be specified as mask-length <= greater-equal-value <= less-equal-value <= 32. If only greater-equal is specified, the prefix range is [greater-equal-value, 32]. If only less-equal is specified, the prefix range is [mask-length, less-equal-value].

      An IPv4 prefix list is identified by its name, and each IP prefix list can contain multiple entries. Each entry is identified by an index number and uniquely specifies a matching range in the form of a network prefix. An IPv4 prefix list named abcd is used as an example.

      #
      ip ip-prefix abcd index 10 permit 1.0.0.0 8
      ip ip-prefix abcd index 20 permit 10.0.0.0 8

      During route matching, the system checks the entries by index number in ascending order. If a route matches an entry, the route will not be matched with the next entry.

      The NetEngine 8000 F denies all unmatched routes by default. If all entries in an IPv4 prefix list are in deny mode, all routes will be denied by the IPv4 prefix list. In this case, define an entry permit 0.0.0.0 0 less-equal 32 after the entries in deny mode to allow all the other IPv4 routes to be permitted by the IPv4 prefix list.

      If more than one IP prefix entry is defined, at least one entry should be set in permit mode.

    3. Run commit

      The configuration is committed.
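      As an added illustration (not part of the Huawei guide), the following Python models how the router evaluates an IPv4 prefix list as described above: entries tried in ascending index order, the greater-equal/less-equal length range, and denial of every unmatched route. The list abcd is the page's own example; FILTER_PRIVATE is a constructed list showing the deny-then-permit-all pattern.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip ip-prefix NAME index N {permit|deny} ADDR LEN [greater-equal GE] [less-equal LE]' line."""
    index: int
    action: str                      # "permit" or "deny"
    address: str                     # network address, e.g. "10.0.0.0"
    mask_length: int
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def length_range(self):
        """Prefix-length range the entry accepts, following the rules on the page:
        neither keyword -> exactly mask-length; only greater-equal -> [GE, 32];
        only less-equal -> [mask-length, LE]; both -> [GE, LE]."""
        lo = self.mask_length if self.greater_equal is None else self.greater_equal
        if self.less_equal is not None:
            hi = self.less_equal
        elif self.greater_equal is not None:
            hi = 32
        else:
            hi = self.mask_length
        if not (self.mask_length <= lo <= hi <= 32):
            raise ValueError(f"index {self.index}: need mask-length <= GE <= LE <= 32")
        return lo, hi

    def matches(self, route: str) -> bool:
        net = ipaddress.IPv4Network(route, strict=False)
        base = ipaddress.IPv4Network(f"{self.address}/{self.mask_length}", strict=False)
        lo, hi = self.length_range()
        # The route must lie inside the entry's network AND have an allowed length.
        return lo <= net.prefixlen <= hi and net.subnet_of(base)


def prefix_list_action(entries: List[PrefixEntry], route: str) -> str:
    """Walk the entries by ascending index; the first matching entry decides.
    Unmatched routes are denied, the router's default on this page."""
    for entry in sorted(entries, key=lambda e: e.index):
        if entry.matches(route):
            return entry.action
    return "deny"


# The list named abcd from the page (exact /8 matches only).
ABCD = [
    PrefixEntry(10, "permit", "1.0.0.0", 8),
    PrefixEntry(20, "permit", "10.0.0.0", 8),
]

# Constructed list showing the deny-then-permit-all pattern from the page:
# drop anything under 192.168.0.0/16, let every other IPv4 route through.
FILTER_PRIVATE = [
    PrefixEntry(10, "deny", "192.168.0.0", 16, less_equal=32),
    PrefixEntry(20, "permit", "0.0.0.0", 0, less_equal=32),
]
```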

  • Configure an AS_Path filter.

    An AS_Path filter is used to filter BGP routes based on the AS_Path attributes contained in the BGP routes. If you do not want traffic to pass through an AS, configure an AS_Path filter to filter out the routes whose AS_Path carries that AS number. In addition, using an ACL or an IP prefix list to filter BGP routes may be complicated (multiple ACLs or IP prefix lists need to be defined) and hard to maintain as new routes appear. In this case, you can configure an AS_Path filter instead.

    If the AS_Path information of a summarized route is lost, the AS_Path filter cannot be used to filter the summarized route, but can still be used to filter the specific routes from which the summarized route is derived.

    An AS_Path filter can be used as a filtering condition of a route-policy or be used in the peer as-path-filter command.

    1. Run system-view

      The system view is displayed.

    2. Run ip as-path-filter { as-path-filter-number | as-path-filter-name } [ index index-number ] { permit | deny } regular-expression

      An AS_Path filter is configured.

      An AS_Path filter defines matching rules with a regular expression. A regular expression is composed of the following parts:

      • Metacharacter: defines matching rules.

      • General character: defines matching objects.

      Table 1 Description of metacharacters (columns: Special Character / Function / Example)

      .
        Function: Matches any single character.
        Example: .* matches any string in an AS_Path and is used to match any route.

      ^
        Function: Indicates the beginning of a matched string.
        Example: ^65 matches strings beginning with 65:
          • Examples of matched strings: 65, 651, 6501, and 65001
          • Examples of unmatched strings: 165, 1650, 6650, and 60065

      $
        Function: Indicates the end of a matched string.
        Example: 65$ matches strings ending with 65:
          • Examples of matched strings: 65, 165, 1065, 10065, and 60065
          • Examples of unmatched strings: 651, 1650, 6650, 60650, and 65001
        ^65$ matches AS_Path 65 only.
        NOTE: ^$ matches an empty string (empty AS_Path) and is usually used to match routes in the local AS.

      _
        Function: Matches a sign, such as a comma (,), left brace ({), right brace (}), left parenthesis ((), right parenthesis ()), or space. In addition, at the beginning of a regular expression it has the same function as the caret sign (^), and at the end of a regular expression it has the same function as the dollar sign ($).
        Examples:
          • ^65001_ matches the AS_Paths that begin with 65001 followed by a sign. Specifically, ^65001_ matches AS_Paths with 65001 as the leftmost AS number (the number of the last AS through which a route passes), that is, the routes sent by peers in AS 65001.
          • _65001_ matches the strings (AS_Paths) that contain 65001, which is used to match the routes that pass through AS 65001.
          • _65001$ matches the AS_Paths that end with a sign followed by 65001. Specifically, _65001$ matches AS_Paths with 65001 as the rightmost AS number (the number of the first AS through which a route passes), which is used to match the routes that originate in AS 65001.

      \
        Function: Defines an escape character, which marks the next character (common or special) as a common character.
        Example: An AS_Confed_Sequence contains parentheses (()). In regular expressions, parentheses have a special function. To match such special characters literally, remove their special meaning with the backslash (\). For example:
          • \(65002_ matches the AS_Confed_Sequences that begin with (65002 followed by a sign. Specifically, \(65002_ matches AS_Confed_Sequences with 65002 as the leftmost AS number (the number of the last AS through which a route passes), that is, the routes sent by peers in AS 65002.
          • \(.*_65003_.*\) matches the AS_Confed_Sequences that contain AS number 65003, that is, the routes that pass through AS 65003 in a confederation.
          • _65004\) matches a string that ends with 65004 and has a sign before 65004. That is, the most significant AS number (start AS) of the AS_Confed_Sequence is 65004. This string can also be used to match the routes originating in AS 65004 in a confederation and the routes directly advertised by AS 65004 in the confederation. _65004\) provides the same function as 65004\).
        Similarly, backslashes (\) can be used to remove the special meanings of the left bracket ([) and right bracket (]) used in an AS_Confed_Set and the left brace ({) and right brace (}) used in an AS_Set.

      *
        Function: Matches the strings in which the preceding character occurs zero or more times.
        Example: 65* matches the AS_Paths that begin with 6 and contain zero or multiple 5s.
          • Examples of matched strings: 6, 65, 655, 6559, 65259, and 65529
          • Examples of unmatched strings: 5, 56, 556, 5669, 55269, and 56259

      +
        Function: Matches the strings in which the preceding character occurs one or more times.
        Example: 65+ matches the AS_Paths that begin with 6 and contain one or multiple 5s.
          • Examples of matched strings: 65, 655, 6559, 65259, and 65529
          • Examples of unmatched strings: 56, 556, 5669, 55269, and 56259

      ?
        Function: Matches the strings in which the preceding character occurs zero or one time.
        Example: 65? matches the AS_Paths that begin with 6 and contain zero or one 5.
          • Examples of matched strings: 6 and 65
          • Examples of unmatched strings: 655, 6559, and 65529

      ()
        Function: Defines a subexpression, which can be empty.
        Example: 100(200)+ matches 100200, 100200200, and so on.

      x|y
        Function: Matches x or y.
        Example: 100|65002|65003 matches 100, 65002, or 65003.

      [xyz]
        Function: Matches any single character listed in the brackets.
        Example: [896] matches 8, 9, or 6.

      [^xyz]
        Function: Matches any single character not listed in the brackets.
        Example: [^896] matches any character except 8, 9, and 6.

      [a-z]
        Function: Matches any single character within the specified range.
        Example: [2-4] matches any of 2, 3, and 4; [0-9] matches any digit from 0 to 9.
        NOTE: The value in the square brackets ([]) must be a digit from 0 to 9. For example, to match a number ranging from 735 to 907, use the regular expression (73[5-9]|7[4-9][0-9]|8[0-9][0-9]|90[0-7]).

      [^a-z]
        Function: Matches any single character outside the specified range.
        Example: [^2-4] matches AS_Paths without 2, 3, and 4, and [^0-9] matches AS_Paths without digits from 0 to 9.

      For example, ^10 matches only AS_Path attributes beginning with 10, because ^ anchors the match to the beginning of the string.

      You can define multiple rules (permit or deny) for the same filter. During the matching, the relationship between these rules is OR. If a route meets one of the matching rules, it matches this AS_Path filter.

      For details on regular expressions, see the HUAWEI NetEngine 8000 F Series Router Configuration Guide - Basic Configurations.

    3. Run commit

      The configuration is committed.
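      To show how the anchor and separator metacharacters in Table 1 behave on actual AS_Path strings, here is an added Python example (not from the Huawei guide). It rewrites the router's _ metacharacter into an equivalent standard regular-expression group and applies the result to constructed AS_Path strings in the format the router displays (AS numbers separated by spaces, confederation sequences in parentheses). The first-match, deny-by-default order of filter entries in as_path_filter_action is an assumption carried over from the prefix-list rules on this page.

```python
import re
from typing import List, Tuple

# In the router's dialect "_" stands for a separator sign (space, comma, braces,
# parentheses) or for the start/end of the AS_Path. Python's re has no such
# class, so "_" is rewritten into an equivalent group before compiling.
_SIGN_CLASS = r"(?:^|$|[ ,{}()])"


def to_python_regex(vrp_regex: str) -> str:
    """Translate a filter regular expression into one Python's re accepts."""
    out = []
    i = 0
    while i < len(vrp_regex):
        ch = vrp_regex[i]
        if ch == "\\" and i + 1 < len(vrp_regex):
            out.append(vrp_regex[i:i + 2])     # keep escapes such as \( intact
            i += 2
            continue
        out.append(_SIGN_CLASS if ch == "_" else ch)
        i += 1
    return "".join(out)


def as_path_matches(vrp_regex: str, as_path: str) -> bool:
    """True if the AS_Path string (as the router shows it, e.g. '100 65001')
    satisfies the filter's regular expression (unanchored search)."""
    return re.search(to_python_regex(vrp_regex), as_path) is not None


def as_path_filter_action(rules: List[Tuple[int, str, str]], as_path: str) -> str:
    """rules: (index, action, regular-expression) entries of one as-path-filter.
    Entries are tried by ascending index and the first match decides; a route
    matching no entry is denied (assumed default, as for prefix lists)."""
    for _, action, regex in sorted(rules, key=lambda r: r[0]):
        if as_path_matches(regex, as_path):
            return action
    return "deny"


# Constructed filter: drop routes that transited AS 65003, permit the rest.
NO_TRANSIT_65003 = [
    (10, "deny", "_65003_"),
    (20, "permit", ".*"),
]
```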

  • Configure a community filter.

    A BGP community attribute is used to identify a group of routes with the same properties. Routes can be classified through the community attribute, which facilitates route management.

    Some AS internal routes may not need to be advertised to any other AS, whereas AS external routes need to be advertised to other ASs. These AS external routes have different prefixes (as a result, an IP prefix list is inapplicable) and may come from different ASs (as a result, an AS_Path filter is inapplicable). You can set a community attribute value for these AS internal routes and another community attribute value for these AS external routes on an ASBR to control and filter these routes.

    1. Run system-view

      The system view is displayed.

    2. Run ip community-filter

      A community filter is configured.

      • To configure the standard community filter, run the ip community-filter basic comm-filter-name [ index index-number ] { permit | deny } [ community-number | aa:nn | internet [ strict-match ] | no-export-subconfed | no-advertise | no-export ] &<1-20> command, or the ip community-filter basic-comm-filter-num [ index index-number ] { permit | deny } [ community-number | aa:nn | internet | no-export-subconfed | no-advertise | no-export ] &<1-20> command.

      • To configure the advanced community filter, run the ip community-filter { advanced comm-filter-name | adv-comm-filter-num } [ index index-number ] { permit | deny } regular-expression command.

    3. Run commit

      The configuration is committed.

  • Configure a Large-Community filter.

    The Large-Community attribute can completely represent a 2-byte or 4-byte Autonomous System Number (ASN), and has two 4-byte LocalData IDs. The administrator can therefore apply route-policies more flexibly. The Large-Community attribute extends and can be used together with a community attribute.

    1. Run system-view

      The system view is displayed.

    2. Run ip large-community-filter

      A Large-Community filter is configured.

      • To configure a basic Large-Community filter, run the ip large-community-filter basic large-comm-filter-name [ index index-number ] { permit | deny } { aa:bb:cc } &<1-16> command.

      • To configure an advanced Large-Community filter, run the ip large-community-filter advanced large-comm-filter-name [ index index-number ] { permit | deny } regular-expression command.

    3. Run commit

      The configuration is committed.

  • Configure an extended community filter.

    Similar to a BGP community filter, a BGP extcommunity filter is used to filter private network routes.

    1. Run system-view

      The system view is displayed.

    2. Perform either of the following operations as required to configure an extcommunity filter.

      To configure a VPN-Target extcommunity filter:

      • To configure a basic VPN-Target extcommunity filter, run the ip extcommunity-filter { basic-extcomm-filter-num | basic basic-extcomm-filter-name } [ index index-number ] { deny | permit } { rt { as-number:nn | 4as-number:nn | ipv4-address:nn } } &<1-16> command.

      • To configure an advanced VPN-Target extcommunity filter, run the ip extcommunity-filter { advanced-extcomm-filter-num | advanced advanced-extcomm-filter-name } [ index index-number ] { deny | permit } regular-expression command.

      To configure an SoO extcommunity filter:

      • To configure a basic SoO extcommunity filter, run the ip extcommunity-list soo basic basic-extcomm-filter-name [ index index-number ] { permit | deny } { site-of-origin } &<1-16> command.

      • To configure an advanced SoO extcommunity filter, run the ip extcommunity-list soo advanced advanced-extcomm-filter-name [ index index-number ] { permit | deny } regular-expression command.

      Multiple entries can be defined in an extcommunity filter. The relationship between the entries is "OR". This means that if a route matches one of the rules, the route matches the filter.

    3. Run commit

      The configuration is committed.

  • Configure a route-policy.

    A route-policy is used to match routes or route attributes, and to change route attributes when specific conditions are met. Because all of the preceding filters can be used as matching conditions of a route-policy, a route-policy is both powerful and flexible.

    1. Run system-view

      The system view is displayed.

    2. Run route-policy route-policy-name { permit | deny } node node

      A node is configured for a route-policy, and the view of the route-policy is displayed.

      A route-policy consists of multiple nodes. For example, the route-policy route-policy-example permit node 10 command specifies node 10 and the route-policy route-policy-example deny node 20 command specifies node 20. The two nodes belong to the route-policy specified by route-policy-example. The relationship between the nodes of a route-policy is "OR". The details are as follows:
      • If a route matches one node, the route matches the route-policy and will not be matched against the next node. For example, there are two nodes defined using the route-policy route-policy-example permit node 10 and route-policy route-policy-example deny node 20 commands. If a route matches the node defined using the route-policy route-policy-example permit node 10 command, the route will not be matched against the node defined using the route-policy route-policy-example deny node 20 command.
      • If a route does not match any node, the route fails to match the route-policy.

      When a route-policy is used to filter a route, the route is first matched against the node with the smallest node value. For example, if two nodes are configured using the route-policy route-policy-example permit node 10 and route-policy route-policy-example deny node 20 commands, a route is first matched against the node configured using the route-policy route-policy-example permit node 10 command.

      The NetEngine 8000 F considers that each unmatched route fails to match the route-policy by default. If more than one node is defined in a route-policy, at least one of them must be in permit mode.

    3. (Optional) Perform the following operations as needed to configure if-match clauses for current nodes of the route-policy.

      if-match clauses are used to filter routes. If no if-match clause is specified, all routes will match the node in the route-policy.

      • To configure an ACL as the if-match clause, run the if-match acl { acl-number | acl-name } command.

      • To configure an IP prefix list as the if-match clause, run the if-match ip-prefix ip-prefix-name command.

        The if-match acl and if-match ip-prefix commands cannot be used together in the same node of a route-policy, because the latest configuration will override the previous one.

      • To match the AS-Path attribute of BGP routes, run the if-match as-path-filter as-path-filter-number &<1-16> command.

      • To match the community attribute of BGP routes, run either of the following commands:

      • To match the Large-community attribute of BGP routes, run the if-match large-community-filter large-comm-filter-name [ whole-match ] command.

      • To match the VPN-Target extended community attribute of BGP routes, run the if-match extcommunity-filter { { basic-extcomm-filter-num | adv-extcomm-filter-num } &<1-16> | basic-extcomm-filter-name | advanced-extcomm-filter-name } command.

      • To match the SoO extended community attribute of BGP routes, run the if-match extcommunity-list soo extcomm-filter-name command.

      The operations in Step 3 can be performed in any order. A node may have multiple if-match clauses or no if-match clause.

      The relationship between the if-match clauses in a node of a route-policy is "AND". A route must match all the rules before the action defined by the apply clause is taken. For example, if two if-match clauses (if-match acl 2003 and if-match as-path-filter 100) are defined in the route-policy route-policy-example permit node 10 command, a route is considered to match node 10 only when it matches the two if-match clauses.

    4. (Optional) Perform the following operations as needed to configure apply clauses for current nodes of the route-policy.

      apply clauses set attributes for the routes that match the if-match clauses. If this step is not performed, the attributes of matching routes remain unchanged.

      • To configure BGP to overwrite or add the specified AS number for the AS_Path attribute of matched routes, run the apply as-path { as-number-plain | as-number-dot } &<1-128> { additive | overwrite | delete } or apply as-path asValues { additive | overwrite | delete } command.

      • To delete a specified BGP community attribute from a route, run the apply comm-filter { comm-filter-number | comm-filter-name } delete command.

        The apply comm-filter delete command deletes the community attribute according to the value specified in the community filter. The referenced ip community-filter command can specify only one community attribute. To delete more than one community attribute, run the command multiple times. If multiple community attributes are specified in one community filter, none of them can be deleted. For more information, see the HUAWEI NetEngine 8000 F Series Router Command Reference.

      • To delete all community attributes from a BGP route, run the apply community none command.
      • To set community attributes for a BGP route, run the apply community { { community-number | aa:nn } &<1-32> | internet | no-advertise | no-export | no-export-subconfed } * [ additive ], or apply community community-list community-list-name command.

        A BGP community list must be configured using the ip community-list command and community attributes must be configured for the list using the community command before you run the apply community community-list community-list-name command.

      • To delete the Large-community attribute of BGP routes, run the apply large-community none command.
      • To set the Large-community attribute of BGP routes, run the apply large-community { aa:bb:cc } &<1-16> { additive | overwrite | delete } or apply large-community-list large-community-list-name { additive | overwrite | delete } command.

        Before running the apply large-community-list large-community-list-name command to set the BGP Large-community attribute, run the ip large-community-list command to configure a BGP Large-community list and run the large-community command to configure values for the Large-community list.

      • To set a VPN-Target extended community attribute for a route, run the apply extcommunity { rt { as-number:nn | ipv4-address:nn } } &<1-16> [ additive ] command.
      • To set a BGP SoO extended community attribute for a route, run the apply extcommunity soo { site-of-origin } &<1-16> additive command.
      • To set the bandwidth extended community attribute, run the apply extcommunity bandwidth { extCmntyString | none } or apply extcommunity bandwidth aggregate [ limit bandwidth-value ] command.
      • To set the local preference for a BGP route, run the apply local-preference [ + | - ] preference command.
      • To set the Origin attribute for a BGP route, run the apply origin { egp { as-number-plain | as-number-dot } | igp | incomplete } command.
      • To set a preferred value for a BGP route, run the apply preferred-value preferred-value command.
      • To set dampening parameters for an EBGP route, run the apply dampening half-life-reach reuse suppress ceiling command.

      The operations in Step 4 can be performed in any order. A node may have multiple apply clauses or no apply clause.

    5. Run commit

      The configuration is committed.
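      The following Python, added here and not taken from the guide, models the node semantics described in Steps 2 to 4: nodes are tried by ascending number (OR between nodes, first match wins), if-match clauses are AND-ed within a node, a route matching no node is denied, and apply clauses run only when the matching node is a permit node (that last point is an assumption). The policy, the routes and the clause helpers are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Route = Dict[str, Any]        # e.g. {"prefix": "10.1.0.0/16", "as_path": "65001 65003",
                              #       "community": {"65001:100"}, "local_pref": 100}
IfMatch = Callable[[Route], bool]
Apply = Callable[[Route], None]


@dataclass
class Node:
    number: int
    action: str                                              # "permit" or "deny"
    if_match: List[IfMatch] = field(default_factory=list)    # AND-ed; empty = matches all routes
    apply: List[Apply] = field(default_factory=list)         # attribute changes on permit

    def matches(self, route: Route) -> bool:
        return all(clause(route) for clause in self.if_match)


def run_route_policy(nodes: List[Node], route: Route):
    """Try nodes by ascending number; the first matching node decides and later
    nodes are skipped. Returns (action, route copy); no match means deny."""
    result = dict(route)
    for node in sorted(nodes, key=lambda n: n.number):
        if node.matches(result):
            if node.action == "permit":          # assumption: apply clauses only on permit
                for clause in node.apply:
                    clause(result)
            return node.action, result
    return "deny", result


# Clause builders standing in for the page's commands (constructed helpers).
def if_match_community(*values: str) -> IfMatch:
    # community filter in permit mode: any listed value present on the route
    return lambda r: any(v in r.get("community", set()) for v in values)

def if_match_as_path(regex: str) -> IfMatch:
    return lambda r: re.search(regex, r.get("as_path", "")) is not None

def apply_local_preference(value: int, relative: bool = False) -> Apply:
    # apply local-preference [ + | - ] preference: relative=True adds value
    def clause(r: Route) -> None:
        r["local_pref"] = (r.get("local_pref", 100) + value) if relative else value
    return clause


# Constructed policy: node 10 raises local preference of routes tagged 65001:100,
# node 20 drops routes that transited AS 65003, node 30 permits everything else.
ROUTE_POLICY_EXAMPLE = [
    Node(10, "permit", [if_match_community("65001:100")], [apply_local_preference(50, relative=True)]),
    Node(20, "deny", [if_match_as_path(r"(^|\s)65003(\s|$)")]),
    Node(30, "permit"),
]
```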

Copyright © Huawei Technologies Co., Ltd.