Last updated: 14-06-2019 18:34
Policy is based on the AS path, community or prefix, for rejecting/accepting selected routes and/or setting attributes to influence path selection.
A per-neighbour prefix filter with incremental configuration can be applied either inbound or outbound. It is based upon network numbers (using the familiar IP address/mask format).
Note: Using access-lists in Cisco IOS for filtering prefixes was deprecated long ago and is strongly discouraged.
ip[v6] prefix-list list-name [seq value] permit|deny network/len [ge value] [le value]
Both “ge” and “le” are optional and are used to specify the range of the prefix length to be matched for prefixes that are more specific than network/len. Sequence number is also optional.
Deny default route
Router(config)# ip prefix-list EG deny 0.0.0.0/0
Permit the prefix 35.0.0.0/8
Router(config)# ip prefix-list EG permit 35.0.0.0/8
Deny the prefix 172.16.0.0/12
Router(config)# ip prefix-list EG deny 172.16.0.0/12
In 192/8 allow up to /24
Router(config)# ip prefix-list EG permit 192.0.0.0/8 le 24
This allows all prefix sizes in the 192.0.0.0/8 address block, apart from /25, /26, /27, /28, /29, /30, /31 and /32.
In 192/8 deny /25 and above. This denies all prefix sizes /25, /26, /27, /28, /29, /30, /31 and /32 in the address block 192.0.0.0/8. It has the same effect as the previous example.
Router(config)# ip prefix-list EG deny 192.0.0.0/8 ge 25
In 193/8 permit prefixes between /12 and /20. This denies all prefix sizes /8, /9, /10, /11, /21, /22, ... and higher in the address block 193.0.0.0/8.
Router(config)# ip prefix-list EG permit 193.0.0.0/8 ge 12 le 20
Permit all prefixes: 0.0.0.0/0 matches all possible addresses, and le 32 matches all possible prefix lengths.
Router(config)# ip prefix-list EG permit 0.0.0.0/0 le 32
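To make the ge/le rules above concrete, here is an added example (not code from the original notes or from Cisco IOS) that applies the same prefix-list semantics to sample prefixes: the first matching entry decides, there is an implicit deny at the end, and ge/le bound the prefix length. The EG list is the one built up above; the sample prefixes and the MATCH_ALL / DEFAULT_ONLY list names are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Added example, not from the original notes: an evaluator for the IOS
# prefix-list semantics described above. The first matching entry decides,
# there is an implicit deny at the end, and ge/le bound the prefix length.

class Entry(NamedTuple):
    action: str                        # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None           # minimum prefix length (inclusive)
    le: Optional[int] = None           # maximum prefix length (inclusive)

def parse_entry(line: str) -> Entry:
    """Parse 'permit|deny network/len [ge N] [le N]' (sequence numbers omitted)."""
    tokens = line.split()
    action, network = tokens[0], ipaddress.ip_network(tokens[1], strict=False)
    options = dict(zip(tokens[2::2], map(int, tokens[3::2])))   # e.g. {"ge": 12, "le": 20}
    return Entry(action, network, options.get("ge"), options.get("le"))

def entry_matches(entry: Entry, prefix: ipaddress.IPv4Network) -> bool:
    """The prefix must lie inside entry.network and its length must be in range."""
    if not prefix.subnet_of(entry.network):         # first len bits must equal the entry
        return False
    if entry.ge is None and entry.le is None:
        low = high = entry.network.prefixlen        # no ge/le: exact length only
    else:
        low = entry.ge if entry.ge is not None else entry.network.prefixlen
        high = entry.le if entry.le is not None else entry.network.max_prefixlen
    return low <= prefix.prefixlen <= high

def evaluate(prefix_list: List[Entry], prefix: str) -> str:
    """Return 'permit' or 'deny' for a prefix, as the router would."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for entry in prefix_list:
        if entry_matches(entry, candidate):
            return entry.action
    return "deny"                                   # implicit deny at the end

# The EG list built up in the examples above (the "ge 25" line is omitted,
# since it has the same effect as "le 24" followed by the implicit deny).
EG = [parse_entry(line) for line in (
    "deny 0.0.0.0/0",
    "permit 35.0.0.0/8",
    "deny 172.16.0.0/12",
    "permit 192.0.0.0/8 le 24",
    "permit 193.0.0.0/8 ge 12 le 20",
)]
# Two lists that are easy to confuse: "le 32" matches every prefix, while
# a bare 0.0.0.0/0 matches only the default route itself.
MATCH_ALL = [parse_entry("permit 0.0.0.0/0 le 32")]
DEFAULT_ONLY = [parse_entry("permit 0.0.0.0/0")]

if __name__ == "__main__":
    for p in ("0.0.0.0/0", "35.0.0.0/8", "35.1.0.0/16", "192.168.0.0/16",
              "192.168.1.0/25", "193.0.0.0/8", "193.4.0.0/16"):
        print(f"{p:16} EG={evaluate(EG, p):6} match-all={evaluate(MATCH_ALL, p):6} "
              f"default-only={evaluate(DEFAULT_ONLY, p)}")
```

Running it shows the difference that catches people out in practice: 35.1.0.0/16 is denied by EG because "permit 35.0.0.0/8" without ge/le matches only the /8 itself, and a list ending in "permit 0.0.0.0/0" (without le 32) still drops everything except the default route.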
Example configuration:
Router(config)# router bgp 100
Router(config-router)# network 105.7.0.0 mask 255.255.0.0
Router(config-router)# neighbor 102.10.1.1 remote-as 110
Router(config-router)# neighbor 102.10.1.1 prefix-list AS110-IN in
Router(config-router)# neighbor 102.10.1.1 prefix-list AS110-OUT out
Router(config-router)# exit
Router(config)# ip prefix-list AS110-IN deny 218.10.0.0/16
Router(config)# ip prefix-list AS110-IN permit 0.0.0.0/0 le 32
Router(config)# ip prefix-list AS110-OUT permit 105.7.0.0/16
Router(config)# ip prefix-list AS110-OUT deny 0.0.0.0/0 le 32
Filter routes based on the AS path, for both inbound and outbound updates. Example configuration:
Router(config)# router bgp 100
Router(config-router)# network 105.7.0.0 mask 255.255.0.0
Router(config-router)# neighbor 102.10.1.1 filter-list 5 out
Router(config-router)# neighbor 102.10.1.1 filter-list 6 in
Router(config-router)# exit
Router(config)# ip as-path access-list 5 permit ^200$
Router(config)# ip as-path access-list 6 permit ^150$
AS path filters use regular expressions, like Unix regular expressions:
.    Match one character
*    Match any number of the preceding expression
+    Match at least one of the preceding expression
^    Beginning of line
$    End of line
\    Escape a regular expression character
_    Beginning, end, white-space, brace
|    Or
()   Brackets to contain an expression
[]   Brackets to contain number ranges
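The one non-standard token in the table is "_". The following added example (not code from the original notes or from Cisco IOS) translates an IOS as-path regular expression into a Python one and applies it to constructed AS_PATH strings, including the ^200$ pattern used above and the _150$ and _210_ patterns used in the route-map example further down. The function names and the sample paths are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Added example, not from the original notes: evaluate IOS as-path regular
# expressions against sample AS_PATH strings. "_" is the only IOS-specific
# token; it matches the beginning or end of the path, a space, a comma, or a
# brace (AS-set delimiter). Everything else is ordinary regex syntax.

UNDERSCORE = r"(?:^|$|[\s,{}])"

def ios_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an IOS as-path regex; a backslash-escaped character is kept literal."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])      # escaped character, copied verbatim
            i += 2
            continue
        out.append(UNDERSCORE if pattern[i] == "_" else pattern[i])
        i += 1
    return re.compile("".join(out))

def as_path_matches(pattern: str, as_path: str) -> bool:
    """IOS searches for the pattern anywhere in the path: anchor it yourself."""
    return ios_regex(pattern).search(as_path) is not None

def filter_list(access_list: List[Tuple[str, str]], as_path: str) -> str:
    """Evaluate an ip as-path access-list: first matching line wins, implicit deny."""
    for action, pattern in access_list:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"

# Constructed sample paths as they appear in the table (empty = locally originated).
SAMPLE_PATHS = ["", "200", "200 150", "200 1150", "300 210 150", "3210 150", "200 {210,220}"]

if __name__ == "__main__":
    for pattern in ("^200$", "_150$", "_210_", "^$", "200"):
        hits = [p for p in SAMPLE_PATHS if as_path_matches(pattern, p)]
        print(f"{pattern:8} -> {hits}")
```

The last pattern in the demo, an unanchored "200", is there to show why anchoring matters: it also matches a path through AS1200, which is rarely what a filter intends.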
A route-map is like a “programme” for IOS. It has “line” numbers, like programmes, and each line is a separate condition/action. The concept is basically: if the conditions on a line match, the actions on that line are applied; otherwise evaluation moves on to the next line.
Route-map continue lets ISPs apply multiple conditions and actions in one route-map.
There is an implicit deny at the end of the route-map; however, it is good practice for readability to add a deny at the end of the permit statements.
Lines can have multiple set statements. All set statements are implemented.
Router(config)# route-map SAMPLE permit 10
Router(config-route-map)# set community 300:1
Router(config-route-map)# set local-preference 120
Lines can have multiple match statements; all conditions must match.
Router(config)# route-map SAMPLE permit 10
Router(config-route-map)# match community 1
Router(config-route-map)# match ip address prefix-list MY-LIST
Router(config-route-map)# set local-preference 300
A single match statement can list multiple arguments (for example several prefix-lists); at least one of them must match.
Router(config)# route-map SAMPLE permit 10
Router(config-route-map)# match ip address prefix-list MY-LIST OTHER-LIST
Router(config-route-map)# set community 300:10
With a route-map that has only a match statement, only the prefixes that match go through; the rest are dropped.
Router(config)# route-map SAMPLE permit 10
Router(config-route-map)# match ip address prefix-list MY-LIST
With a line that has only a set statement, all prefixes are matched and set, and any following lines are ignored.
Router(config)# route-map SAMPLE permit 10
Router(config-route-map)# set local-preference 120
Router(config-route-map)# route-map SAMPLE permit 20
Router(config-route-map)# remark This line is ignored
Router(config-route-map)# set community 300:5
With a line that has a match/set statement and no following lines, only the prefixes matching the condition are set; the rest are dropped.
Router(config)# route-map SAMPLE permit 10
Router(config-route-map)# match ip address prefix-list MY-LIST
Router(config-route-map)# set local-preference 120
Omitting the third line (permit 30) below means that prefixes matching neither LIST-ONE nor LIST-TWO are dropped.
Router(config)# route-map SAMPLE permit 10
Router(config-route-map)# match ip address prefix-list LIST-ONE
Router(config-route-map)# set local-preference 120
Router(config-route-map)# route-map SAMPLE permit 20
Router(config-route-map)# match ip address prefix-list LIST-TWO
Router(config-route-map)# set local-preference 80
Router(config-route-map)# route-map SAMPLE permit 30
Router(config-route-map)# remark Don’t forget this
Matching prefixes: if the address matches HIGH-PREF, set local-pref 120 and exit; otherwise, if the address matches LOW-PREF, set local-pref 80 and exit. There is no other condition, so all other prefixes are dropped.
Router(config)# router bgp 100
Router(config-router)# neighbor 1.1.1.1 route-map INFILTER in
Router(config-router)# exit
Router(config)# route-map INFILTER permit 10
Router(config-route-map)# match ip address prefix-list HIGH-PREF
Router(config-route-map)# set local-preference 120
Router(config-route-map)# route-map INFILTER permit 20
Router(config-route-map)# match ip address prefix-list LOW-PREF
Router(config-route-map)# set local-preference 80
Router(config-route-map)# exit
Router(config)# ip prefix-list HIGH-PREF permit 10.0.0.0/8
Router(config)# ip prefix-list LOW-PREF permit 20.0.0.0/8
If the prefix originated from AS150, set local-pref to 80 and exit; otherwise, if the prefix transited AS210 (i.e. AS210 appears in the path), set local-pref to 200 and exit. There is no other condition, so all other prefixes are dropped.
Router(config)# router bgp 100
Router(config-router)# neighbor 102.10.1.2 remote-as 200
Router(config-router)# neighbor 102.10.1.2 route-map FILTER-ON-ASPATH in
Router(config)# route-map FILTER-ON-ASPATH permit 10
Router(config-route-map)# match as-path 1
Router(config-route-map)# set local-preference 80
Router(config)# route-map FILTER-ON-ASPATH permit 20
Router(config-route-map)# match as-path 2
Router(config-route-map)# set local-preference 200
Router(config-route-map)# exit
Router(config)# ip as-path access-list 1 permit _150$
Router(config)# ip as-path access-list 2 permit _210_
Example configuration of AS-PATH prepend. Use your own AS number when prepending; otherwise BGP loop detection may cause disconnects. Deliberate insertion of other ASNs is called AS PATH poisoning.
Router(config)# router bgp 100
Router(config-router)# network 105.7.0.0 mask 255.255.0.0
Router(config-router)# neighbor 102.10.1.2 remote-as 300
Router(config-router)# neighbor 102.10.1.2 route-map SETPATH out
Router(config-router)# exit
Router(config)# route-map SETPATH permit 10
Router(config-route-map)# set as-path prepend 100 100
If the prefix belongs to communities 150:3 AND 200:5, set local-pref to 50 and exit. Otherwise, if the prefix belongs to ONLY community 88:6, set local-pref to 200 and exit. There is no other condition, so all other prefixes are dropped.
Router(config)# router bgp 100
Router(config-router)# neighbor 102.10.1.2 remote-as 200
Router(config-router)# neighbor 102.10.1.2 route-map FILTER-ON-COMMUNITY in
Router(config)# route-map FILTER-ON-COMMUNITY permit 10
Router(config-route-map)# match community 1
Router(config-route-map)# set local-preference 50
Router(config-route-map)# route-map FILTER-ON-COMMUNITY permit 20
Router(config-route-map)# match community 2 exact-match
Router(config-route-map)# set local-preference 200
Router(config-route-map)# exit
Router(config)# ip community-list 1 permit 150:3 200:5
Router(config)# ip community-list 2 permit 88:6
When multiple values are configured in the same community list statement, a logical AND condition is created. All community values must match to satisfy an AND condition.
Router(config)# ip community-list 1 permit 150:3 200:5
When multiple values are configured in separate community list statements, a logical OR condition is created. The first statement that matches is processed.
Router(config)# ip community-list 1 permit 150:3
Router(config)# ip community-list 1 permit 200:5
Setting Communities
Router(config)# router bgp 100
Router(config-router)# network 105.7.0.0 mask 255.255.0.0
Router(config-router)# neighbor 102.10.1.1 remote-as 200
Router(config-router)# neighbor 102.10.1.1 send-community
Router(config-router)# neighbor 102.10.1.1 route-map SET-COMMUNITY out
Router(config)# route-map SET-COMMUNITY permit 10
Router(config-route-map)# match ip address prefix-list NO-ANNOUNCE
Router(config-route-map)# set community no-export
Router(config-route-map)# route-map SET-COMMUNITY permit 20
Router(config-route-map)# match ip address prefix-list AGGREGATE
Router(config-route-map)# exit
Router(config)# ip prefix-list NO-ANNOUNCE permit 105.7.0.0/16 ge 17
Router(config)# ip prefix-list AGGREGATE permit 105.7.0.0/16
Handling multiple conditions and actions in one route-map (for BGP neighbour relationships only).
Router(config)# route-map PEER-FILTER permit 10
Router(config-route-map)# match ip address prefix-list GROUP-ONE
Router(config-route-map)# continue 30
Router(config-route-map)# set metric 2000
Router(config-route-map)# route-map PEER-FILTER permit 20
Router(config-route-map)# match ip address prefix-list GROUP-TWO
Router(config-route-map)# set community no-export
Router(config-route-map)# route-map PEER-FILTER permit 30
Router(config-route-map)# match ip address prefix-list GROUP-THREE
Router(config-route-map)# set as-path prepend 100 100
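The route-map rules explained earlier (all match statements must match, several lists in one match statement are OR'ed, a line with no match statement matches everything, implicit deny at the end), the community-list AND/OR/exact-match semantics, and the continue clause above can all be exercised in one small model. The following is an added example, not code from the original notes or from Cisco IOS; the list names, prefixes, community values and the Route/Line structures are constructed for it. Prefix-lists are modelled as exact networks here (ge/le is a separate matter), and how IOS treats a continued route that matches nothing further is not specified by the notes, so this model simply drops it like any other route that reaches the end of the map.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Added example, not from the original notes or from Cisco IOS: a model of
# route-map evaluation (match = AND, several lists in one match = OR, no
# match statement = match everything, implicit deny, 'continue N') and of
# community-list AND / OR / exact-match semantics. All names are constructed.

@dataclass
class Route:
    prefix: str
    communities: Set[str] = field(default_factory=set)
    local_pref: int = 100
    metric: int = 0
    as_path: List[int] = field(default_factory=list)

@dataclass
class Line:
    seq: int
    action: str = "permit"                                   # permit or deny
    prefix_lists: List[str] = field(default_factory=list)    # OR between the lists
    community_list: Optional[str] = None                     # AND with the prefix match
    exact: bool = False                                      # 'match community N exact-match'
    sets: Dict[str, object] = field(default_factory=dict)    # attribute -> value to set
    cont: Optional[int] = None                               # 'continue N'

PREFIX_LISTS: Dict[str, List[str]] = {              # modelled as exact networks only
    "LIST-ONE": ["10.0.0.0/8"], "LIST-TWO": ["20.0.0.0/8"],
    "GROUP-ONE": ["30.0.0.0/8"], "GROUP-TWO": ["35.0.0.0/8"],
    "GROUP-THREE": ["30.0.0.0/8", "40.0.0.0/8"],
}
COMMUNITY_LISTS: Dict[str, List[Set[str]]] = {      # one set per statement
    "1": [{"150:3", "200:5"}],        # one statement, two values: both required (AND)
    "2": [{"88:6"}],
    "3": [{"150:3"}, {"200:5"}],      # two statements: either value suffices (OR)
}

def prefix_list_permits(name: str, prefix: str) -> bool:
    candidate = ipaddress.ip_network(prefix)
    return any(candidate == ipaddress.ip_network(n) for n in PREFIX_LISTS[name])

def community_list_matches(name: str, route: Route, exact: bool = False) -> bool:
    for statement in COMMUNITY_LISTS[name]:
        hit = (statement == route.communities) if exact else (statement <= route.communities)
        if hit:
            return True                # first matching statement is processed
    return False

def line_matches(line: Line, route: Route) -> bool:
    conditions = []
    if line.prefix_lists:
        conditions.append(any(prefix_list_permits(n, route.prefix) for n in line.prefix_lists))
    if line.community_list:
        conditions.append(community_list_matches(line.community_list, route, line.exact))
    return all(conditions)             # all([]) is True: no match statement matches everything

def apply_route_map(route_map: List[Line], route: Route) -> Optional[Route]:
    """Return the (possibly modified) route if permitted, or None if dropped."""
    lines = sorted(route_map, key=lambda l: l.seq)
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line_matches(line, route):
            i += 1                                   # fall through to the next line
            continue
        if line.action == "deny":
            return None
        for attr, value in line.sets.items():        # every set statement is applied
            if attr == "community":
                route.communities.add(str(value))
            elif attr == "prepend":
                route.as_path = list(value) + route.as_path
            else:
                setattr(route, attr, value)
        if line.cont is None:
            return route                             # a terminating permit line matched
        # 'continue N': jump to line N (assumption: an unknown N ends the map).
        i = next((k for k, l in enumerate(lines) if l.seq == line.cont), len(lines))
    return None                                      # implicit deny at the end

# The LIST-ONE / LIST-TWO map from the notes; line 30 lets everything else through.
SAMPLE = [
    Line(10, prefix_lists=["LIST-ONE"], sets={"local_pref": 120}),
    Line(20, prefix_lists=["LIST-TWO"], sets={"local_pref": 80}),
    Line(30),
]
# The PEER-FILTER map with continue: GROUP-ONE prefixes get line 10's set, then line 30's.
PEER_FILTER = [
    Line(10, prefix_lists=["GROUP-ONE"], sets={"metric": 2000}, cont=30),
    Line(20, prefix_lists=["GROUP-TWO"], sets={"community": "no-export"}),
    Line(30, prefix_lists=["GROUP-THREE"], sets={"prepend": [100, 100]}),
]

if __name__ == "__main__":
    for p in ("10.0.0.0/8", "20.0.0.0/8", "50.0.0.0/8"):
        print("SAMPLE", p, apply_route_map(SAMPLE, Route(p)), apply_route_map(SAMPLE[:2], Route(p)))
    for p in ("30.0.0.0/8", "35.0.0.0/8", "40.0.0.0/8", "50.0.0.0/8"):
        print("PEER-FILTER", p, apply_route_map(PEER_FILTER, Route(p, as_path=[300])))
```

Dropping line 30 from SAMPLE (SAMPLE[:2] in the demo) is the "Don't forget this" case: a 50.0.0.0/8 route then falls off the end of the map and is discarded. In PEER_FILTER a GROUP-ONE prefix leaves with both metric 2000 and the prepended path, which is what continue buys you over plain first-match semantics.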
For policies applied to a specific BGP neighbour, the following sequence is applied:
For inbound updates, the order is:
For outbound updates, the order is:
New policies only apply to updates passing through the router AFTER the policy has been introduced or changed. To apply a policy change to the entire BGP table the router holds, the BGP peerings need to be refreshed. This is done by clearing the BGP session either in or out. Do NOT forget the in or out keyword: forgetting it results in a hard reset of the BGP session.
Router# clear ip bgp <neighbour-addr> in|out
It is also possible to clear the BGP sessions of groups of neighbours, selected according to several criteria.
The Internet is made up of ISPs of all shapes and sizes. Some have local coverage (access providers), others provide regional or per-country coverage, and others are global in scale.
These ISPs interconnect their businesses; they don’t interconnect with every other ISP (there are over 49500 distinct autonomous networks), as that won't scale. They interconnect according to practical and business needs. Some ISPs provide transit to others: they interconnect other ISP networks. Around 6300 autonomous networks provide transit.
Transit - Carrying traffic across a network, usually for a fee. Example: an access provider connects to a regional provider.
Peering - Exchanging routing information and traffic, usually for no fee. This is sometimes called settlement-free peering. Example: a regional provider connects to another regional provider.
Private Peering - Two ISPs connect their networks over a private link. This can be a peering arrangement with no charge for traffic, where the cost of the link is shared, or a transit arrangement where one ISP charges the other for traffic and one ISP (the customer) pays for the link.
Public Peering - Several ISPs meet in a common neutral location and interconnect their networks; this is usually a peering arrangement between their networks.
Bi-lateral Peering - Very similar to Private Peering, but may take place at a public peering point (IXP).
Multilateral Peering - Takes place at Internet Exchange Points, where operators all peer with each other via a Route Server.
Mandatory Multilateral Peering - Where operators are forced to peer with each other as a condition of IXP membership. Strongly discouraged: it has no record of success.
Open Peering
Selective Peering
Closed Peering
The Peering Database (PeeringDB, https://www.peeringdb.com) documents ISPs’ peering policies.
All operators of ASNs should register in PeeringDB. Participation in peering fora is encouraged too.
Minimise the cost of operating the business:
Transit
Peering
Access Providers - Don’t have to pay their regional provider transit fees for local traffic. It keeps latency and costs for local traffic low. There is unlimited bandwidth through the IXP (compared with costly and limited bandwidth through the transit provider).
Regional Providers - Don't have to pay their global provider transit fees for local and regional traffic. It keeps latency and costs for local and regional traffic low. There is unlimited bandwidth through the IXP (compared with costly and limited bandwidth through the global provider).
Content Providers & Content Distribution Services - Don't have to pay their regional provider transit fees for local traffic. It keeps latency and costs for local traffic low. There is unlimited bandwidth through the IXP (compared with costly and limited bandwidth through the transit provider).
Root, ccTLD and gTLD operators - Adds to the resiliency of the global DNS system. Keeps latency and response time for local resolver traffic very low.
Global providers can be located close to IXPs, attracted by the potential transit business available. This is advantageous for access and regional providers: they can peer with other similar providers at the IXP and, in the same facility, pay for transit to their regional or global provider (not across the IXP fabric, but over a separate connection).
A local IXP is defined as:
"a public peering point serving the local Internet industry"
Local means where it becomes cheaper to interconnect with other ISPs at a common location than it is to pay transit to another ISP to reach the same consumer base.
A Regional IXP is a local IXP that has attracted regional ISPs and ISPs from outside the locality. Regional ISPs peer with each other and show up at several of these Regional IXPs. Local ISPs peer with ISPs from outside the locality, but they don't compete in each other's markets. In this way neither the local ISPs nor the ISPs from outside the locality have to pay transit costs. Quite often ISPs of disparate sizes and influence will happily peer to defray transit costs.
Transit
Peering
Minimise the number of transit providers while maintaining redundancy. Aggregate capacity to transit providers to gain better value per Mb/s.
It comes down to the cost of going to an IXP: free peering, or paying for transit from an ISP co-located in the same facility or perhaps close by. The alternative is not going to an IXP and paying for the cost of transit directly to an upstream provider.