The concept of route filtering is straightforward. A BGP speaker can choose what routes to send and what routes to receive from any of its BGP peers. Route filtering is essential in defining routing policies. An autonomous system can identify the inbound traffic it is willing to accept from other neighbors by specifying the list of routes it advertises to its neighbors. Conversely, an AS can control what routes its outbound traffic uses by specifying the routes it accepts from its neighbors.
Troubleshooting:
Example: Ch. 10, pp. 306-312. Route Filtering and Attribute Manipulation
Filtering is also used on the protocol level to limit routing updates flowing from one protocol to another. Recall that earlier this chapter discussed the possibility of injecting BGP routes into the IGP, and IGP or static routes into BGP. Cisco's terminology for this process is redistributing between protocols. This chapter also discussed the dangers of mutual redistribution between protocols. Filtering is essential in specifying exactly what goes from BGP into the IGP and vice versa.
Routes permitted through a filter can have their attributes manipulated. Manipulating the attributes affects the BGP decision process of identifying best routes.
Inbound and Outbound Filtering
Both the inbound and outbound filtering concepts can be applied to the peer and to the protocol level; Figure 5-23 illustrates this behavior.
Figure 5-23 Inbound outbound filtering example.
At the peer level, inbound filtering indicates that the BGP speaker is filtering routing updates coming from other peers, whereas outbound filtering limits the routing updates advertised from the BGP speaker to other peers. Filtering behavior is the same whether the BGP peers are external (EBGP) or internal (IBGP).
At the protocol level, inbound filtering limits the routing updates being injected into a protocol. Outbound filtering limits the routing updates being injected from this protocol. With respect to BGP, for example, inbound filtering limits the updates being redistributed from other protocols such as IGP and static into BGP. Outbound filtering limits the updates being redistributed from BGP into IGP.
Route Filtering and Manipulation Process
Filtering and manipulating a route or a set of routes involves three actions:
Notes:
Cisco uses the concept of route maps to achieve filtering and attribute manipulation. Route maps are discussed in Chapter 10, "Configuring Basic BGP Function and Attributes."
Identifying Routes
Identifying routes is the process of setting criteria to differentiate routes from each other. Such criteria could be based on the IP prefix of the route, the autonomous system from which a route was originated, a list of ASs a route has passed through, a specific attribute value inside the route, and so on. A list of criteria instances is contained in the filtering rules, and a route is compared to the first instance in the list. If the route does not match the first instance, it is checked against the next instance in the list. After a route matches an instance, it is considered identified and will not be compared to any further instances.
If the route proceeds to be compared against the entire list of instances and there is still no match, then the route is discarded.
Identifying routes based on the Network Layer Reachability Information (NLRI) or the AS_path list or both is the most common way of identifying routes. Each of these methods is discussed in more detail in the following sections, "Identifying Routes Based on the NLRI" and "Identifying Routes Based on the AS_Path."
Permitting or Denying the Routes
After the route has been identified, action can be taken upon it. The route is permitted or denied, depending on what filtering rules have been established for that juncture. The criteria for permitting or denying routes depend on the policies an AS is setting. If the route is permitted, then it is either accepted "as is" or submitted for modification of attributes, again depending on what policies are to be set. If the route is denied, then that route is discarded.
Manipulating Attributes
If a route is permitted, its attributes can be changed to affect the decision process. In earlier sections, you saw how attributes such as local preference and MED can be added or made larger or smaller to prefer a route over another. As you will see later on, attribute manipulation is key to establishing route policies, load balancing, and route symmetry.
Figure 5-24 explains in detail how multiple instances can be applied on a set of routes to find a match. Note that each instance could have one or more criteria. A route could be checked based on its prefix and its AS_path information, for example.
Figure 5-24 Summary example of route filtering and manipulation process.
Also note that after a route matches, it is not compared to any more instances. Hence, the order in which the instances are checked is important. An instance that permits all routes, for example, will override all the other instances if it is put at the beginning of the list.
Identifying Routes Based on the NLRI
A BGP route could be identified by its Network Layer Reachability Information (NLRI), which is the prefix and the mask, as discussed in Chapter 4, "Interdomain Routing Basics." For filtering purposes, a prefix or a range of prefixes is defined. If the route falls within the range, it will be identified.
Troubleshooting:
Example: Ch. 10, pp. 308-310. Identifying and Filtering Routes Based on the NLRI
Figure 5-25 illustrates filtering criteria of 10.1.0.0 0.0.255.255, which represents a range of routes identified by a prefix 10.1.0.0 and an inverse mask 0.0.255.255. The 0s in the mask indicate a match, whereas the 1s indicate a don't-care bit. The 10.1.0.0 0.0.255.255 range will identify all routes of the form 10.1.X.X. Presented with the prefixes shown in Figure 5-25, this filter will identify 10.1.1.0/24, 10.1.2.0/24, and 10.1.2.2/30, and will exclude 11.2.0.0/16 and 12.1.1.0/24.
Figure 5-25 NLRI filtering criteria example.
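The first-match rule, the discard when nothing matches, and the inverse-mask criteria of Figure 5-25 can be modeled in a few lines of Python. This is an added example, not code from the book and not Cisco's implementation; the AS numbers, the policy tuples, and the function names are assumptions made for illustration, while the prefixes are those listed for Figure 5-25.

```python
import ipaddress

def wildcard_match(prefix, base, wildcard):
    """Compare a route's address to base on the bits where the inverse mask is 0."""
    addr = int(ipaddress.ip_interface(prefix).ip)
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # mask 1s = don't care
    return (addr & care) == (int(ipaddress.ip_address(base)) & care)

def apply_policy(instances, route):
    """Return the accepted (possibly modified) route, or None if discarded."""
    for action, base, wildcard, origin_as, set_attrs in instances:
        if not wildcard_match(route["prefix"], base, wildcard):
            continue
        # The originating AS is the last entry of the AS_path.
        if origin_as is not None and route["as_path"][-1] != origin_as:
            continue
        # First match decides; later instances are never consulted.
        return {**route, **set_attrs} if action == "permit" else None
    return None  # no instance matched: the route is discarded

def accepted(instances, routes):
    """Routes that survive the policy, with any attribute changes applied."""
    return [r for r in (apply_policy(instances, x) for x in routes) if r]

# Constructed sample routes: prefixes from Figure 5-25, AS paths invented.
ROUTES = [
    {"prefix": "10.1.1.0/24", "as_path": [64500, 64501], "local_pref": 100},
    {"prefix": "10.1.2.0/24", "as_path": [64500, 64502], "local_pref": 100},
    {"prefix": "10.1.2.2/30", "as_path": [64500, 64502], "local_pref": 100},
    {"prefix": "11.2.0.0/16", "as_path": [64500, 64503], "local_pref": 100},
    {"prefix": "12.1.1.0/24", "as_path": [64500, 64503], "local_pref": 100},
]

# Hypothetical policy: (action, prefix, inverse mask, origin AS or None, attributes to set)
POLICY = [
    ("deny",   "10.1.0.0", "0.0.255.255", 64502, {}),
    ("permit", "10.1.0.0", "0.0.255.255", None,  {"local_pref": 200}),
]
PERMIT_ALL = ("permit", "0.0.0.0", "255.255.255.255", None, {})

if __name__ == "__main__":
    for name, pol in (("ordered", POLICY), ("permit-all first", [PERMIT_ALL] + POLICY)):
        print(name, [(r["prefix"], r["local_pref"]) for r in accepted(pol, ROUTES)])
```

With the instances in the intended order only 10.1.1.0/24 is accepted, with its local preference raised; with the permit-all instance placed first, all five routes are accepted unmodified and the deny instance is never reached.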