BGP filter principle and experiment (Huawei equipment)

Overview:

Filters are tools that match routing entries. The following five filters are currently available for BGP:
• Access Control List (ACL)
• IP-Prefix List
• AS-Path-Filter
• Community-Filter
• Extcommunity-Filter

The routing control notes already cover the use of ACLs and prefix lists in BGP; this page covers the three remaining filters:
• AS path filter
• Community filter
• Extended community filter

AS path filter:

Overview:
The AS path filter filters routes by the AS_PATH attribute they carry. If you do not want traffic to pass through certain ASs, an AS path filter can drop the routes whose AS_PATH contains those AS numbers. Filtering BGP routes with an ACL or IP prefix list instead is cumbersome (several ACLs or prefix lists have to be defined) and hard to maintain as new routes appear; an AS path filter also covers that case.

The AS path filter uses regular expressions to define matching rules. The regular expression consists of two parts: metacharacters and numeric values:

  1. Metacharacters define the matching rules.
  2. The value defines the matched object.

The original post lists the special characters and their functions in a table (image not reproduced here).
Several rules (permit or deny) can be defined under the same filter number or name. The rules are evaluated in ascending index order and the first rule whose regular expression matches the AS_PATH decides the result; the rules are therefore in an "or" relationship, in that a route passes the filter as soon as it matches one permit rule. A route that matches none of the rules is denied by default. When reading the patterns, keep in mind that the AS_PATH is written with the most recently traversed AS on the left and the origin AS on the right, so ^ anchors to the neighbouring AS and $ anchors to the origin AS.

On Huawei devices, run ip as-path-filter {as-path-filter-number | as-path-filter-name} [index index-number] {permit | deny} regular-expression to configure an AS path filter.

Experiment:
(topology diagram not reproduced)
1. Purpose:
Use an AS-Path-Filter on R3 to match and filter out the routes originated by AS 10, that is, the routes whose AS_PATH ends in 10.

2. Steps:
Establish EBGP peerings between R1, R2 and R3 and have each router advertise its own loopback into BGP. R3 then learns the corresponding routes (screenshot not reproduced).
Then configure on R3:
[R3]ip as-path-filter gok deny 10$ //deny AS_PATHs ending in 10, i.e. routes originated by AS 10
[R3-bgp]peer 10.1.23.2 as-path-filter gok import
Checking on R3 afterwards shows that no routes are left (screenshot not reproduced): a route that matches none of the rules is denied, so a rule that lets the other routes through has to be added as well. Configure on R3:

[R3]ip as-path-filter gok permit ^20 //permit AS_PATHs beginning with 20, i.e. routes received from AS 20
Then check the routing table on R3 again: only the routes originated by AS 10 are missing (screenshot not reproduced).
Note that 10$ also matches an AS_PATH ending in 110 or 210, because the regular expression is applied to the AS_PATH as a string; _10$ matches AS 10 exactly.
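The R3 side of this experiment written out in full, as an added example rather than the original post's screenshots. It goes slightly beyond the post by anchoring the patterns with _ and by adding verification commands. Assumptions: R1 is AS 10, R2 is AS 20, R3 is AS 30 with router-id 3.3.3.3, R2's address toward R3 is 10.1.23.2 as in the post, and the // notes are annotations, not CLI input.

```text
# R3 (AS 30, assumed): AS_PATH filter "gok" applied inbound from R2 (AS 20).
# Routes from R1 arrive at R3 with AS_PATH "20 10" (nearest AS first, origin AS last);
# R2's own routes arrive with AS_PATH "20".
ip as-path-filter gok index 10 deny _10$          // origin AS is exactly 10: "20 10" matches, "20 110" does not
ip as-path-filter gok index 20 permit ^20(_|$)    // anything received via AS 20; needed because unmatched routes are denied
#
bgp 30
 router-id 3.3.3.3
 peer 10.1.23.2 as-number 20
 ipv4-family unicast
  peer 10.1.23.2 enable
  peer 10.1.23.2 as-path-filter gok import
#
# User view: re-run the import policy on already-learned routes without resetting the session, then verify
refresh bgp 10.1.23.2 import
display ip as-path-filter gok                      // lists the two rules with their index numbers
display bgp routing-table                          // routes with AS_PATH "20 10" are gone
display bgp routing-table as-path-filter gok       // routes that pass the filter
```

The explicit index numbers make the evaluation order visible; without them the device assigns indexes in configuration order, so adding a later "catch-all" permit is safe only if the deny rule already sits in front of it.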

Community filter:

Overview:
The BGP community attribute identifies a group of routes that share a property. It lets the administrator classify routes, which simplifies route management.

In practice some routes inside an AS should not be advertised to other ASs while others should. These routes have different prefixes (so an IP prefix list is inconvenient) and may come from different ASs (so an AS path filter is inconvenient as well). Instead, the AS border router sets one community value on the routes that stay inside the AS and another value on the routes that may leave it; the community value is then used to control and filter the routes.

Experiment:
(topology diagram not reproduced)
1. Background:
The requirement is that the Shaolin routes R3 sends to R4 carry a Local_Pref (LP) of 100 and the Wudang routes R3 sends to R4 carry a Local_Pref of 200. How can this be achieved with community attributes?

The general approach: R1 uses a route-policy to tag the Shaolin routes it sends to R3 with community 100:1 and the Wudang routes with community 200:1. R3 then matches on those communities, sets the Local_Pref accordingly and advertises the routes to R4 (Local_Pref is carried between IBGP peers).

2. Configuration (the original post shows each step as a screenshot; the screenshots are not reproduced here):

On R1:
Configure the prefix lists for the Shaolin and Wudang prefixes.
Configure the corresponding route-policy that sets community 100:1 and 200:1.
Configure BGP and apply the route-policy to the peer R3 in the export direction.
Note: advertise-community must be configured explicitly for the peer, otherwise the UPDATE messages do not carry the community attribute.

On R2:
Configure the prefix lists, the route-policy and BGP in the same way.

On R3:
Configure community filters that match community 100:1 and 200:1.
Configure a route-policy that sets a different Local_Pref for each matched community.
Configure BGP and apply the route-policy so that the Local_Pref is set before the routes are advertised to R4.

On R4:
Configure BGP (IBGP peering with R3).

On R4 you can then see that the Local_Pref of the received routes has been modified. On R3, display bgp routing-table community 100:1 and display bgp routing-table community 200:1 list the BGP routes carrying community 100:1 and 200:1: all routes from Shaolin are tagged 100:1 and all Wudang routes 200:1.

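The complete configuration of the four routers for this experiment, as an added example (the original post shows it only as screenshots). Everything not stated in the post is assumed: R1 is AS 1, R2 is AS 2, R3 and R4 are AS 3; the links are 10.1.13.0/24 (R1-R3), 10.1.23.0/24 (R2-R3) and 10.1.34.0/24 (R3-R4); Shaolin is 172.16.1.0/24 and 172.16.2.0/24, Wudang is 172.16.11.0/24 and 172.16.12.0/24; the // notes are annotations, not CLI input.

```text
# --- R1 (AS 1, assumed): tag Shaolin with 100:1 and Wudang with 200:1 on export to R3 ---
ip ip-prefix shaolin index 10 permit 172.16.1.0 24
ip ip-prefix shaolin index 20 permit 172.16.2.0 24
ip ip-prefix wudang index 10 permit 172.16.11.0 24
ip ip-prefix wudang index 20 permit 172.16.12.0 24
#
route-policy R1 permit node 5
 if-match ip-prefix shaolin
 apply community 100:1                       // replaces any community already on the route (no "additive")
route-policy R1 permit node 10
 if-match ip-prefix wudang
 apply community 200:1
route-policy R1 permit node 20               // pass everything else unchanged; a route-policy ends in an implicit deny
#
bgp 1
 router-id 1.1.1.1
 peer 10.1.13.3 as-number 3
 network 172.16.1.0 24
 network 172.16.2.0 24
 network 172.16.11.0 24
 network 172.16.12.0 24
 ipv4-family unicast
  peer 10.1.13.3 enable
  peer 10.1.13.3 route-policy R1 export
  peer 10.1.13.3 advertise-community         // without this the UPDATE does not carry the community at all
#
# --- R2 (AS 2, assumed): same prefix lists and route-policy as R1, exported to R3 at 10.1.23.3 ---
# (identical to R1 apart from AS number, router-id, peer address and its own prefixes; omitted)
#
# --- R3 (AS 3, assumed): translate the community into Local_Pref on import ---
ip community-filter 1 permit 100:1
ip community-filter 2 permit 200:1
#
route-policy R3 permit node 5
 if-match community-filter 1
 apply local-preference 100                  // 100 is also the default, so Shaolin is effectively unchanged
route-policy R3 permit node 10
 if-match community-filter 2
 apply local-preference 200
route-policy R3 permit node 20               // untagged routes pass with default attributes
#
bgp 3
 router-id 3.3.3.3
 peer 10.1.13.1 as-number 1
 peer 10.1.23.2 as-number 2
 peer 10.1.34.4 as-number 3
 ipv4-family unicast
  peer 10.1.13.1 enable
  peer 10.1.13.1 route-policy R3 import
  peer 10.1.23.2 enable
  peer 10.1.23.2 route-policy R3 import
  peer 10.1.34.4 enable
  peer 10.1.34.4 advertise-community         // optional: lets R4 see the 100:1 / 200:1 tags as well
#
# --- R4 (AS 3, assumed): plain IBGP peer of R3; Local_Pref is carried on the IBGP session ---
bgp 3
 router-id 4.4.4.4
 peer 10.1.34.3 as-number 3
 ipv4-family unicast
  peer 10.1.34.3 enable
#
# --- Verification (user view) ---
# R3: display bgp routing-table community 100:1    -> the Shaolin prefixes
#     display bgp routing-table community 200:1    -> the Wudang prefixes
# R4: display bgp routing-table                    -> LocPrf 200 on the Wudang prefixes, 100 on Shaolin
```

Two details matter for correctness here: the catch-all permit nodes at the end of each route-policy (otherwise every route that matches no node is dropped), and advertise-community on R1 and R2, since a community set by the export policy is silently stripped from the UPDATE when the peer is not configured to advertise it.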
Suppose that, in the example above, AS1 does not want AS2 to be able to reach the Shaolin and Wudang segments inside AS1. This can be done with the well-known community no-export. Before the change, R2 holds the routes to AS1. Modify the configuration on R1 as follows:

route-policy R1 permit node 5
if-match ip-prefix shaolin
apply community 100:1 no-export

route-policy R1 permit node 10
if-match ip-prefix wudang
apply community 200:1 no-export

Afterwards R2 no longer holds any routes learned from R1 (screenshot not reproduced).
BGP tables often hold tens of thousands of routes. If many routes carry different but similar community values that need the same policy (for example all routes carrying 100:1, 200:1, 300:1, 400:1, 500:1 ...), how can the configuration be simplified?

With the filters described so far, applying the same policy to routes carrying 100:1, 200:1, 300:1, 400:1, 500:1 ... needs one basic community filter per value:
ip community-filter 1 permit 100:1
ip community-filter 2 permit 200:1
ip community-filter 3 permit 300:1
ip community-filter 4 permit 400:1
ip community-filter 5 permit 500:1
This is tedious. Instead, an advanced community filter can be used. It serves the same purpose as the basic community filter, but its number range is 100 to 199 (basic filters use 1 to 99) and it matches the community with a regular expression, which is particularly useful for communities in AA:NN format.
For the example above, one command suffices:
ip community-filter 101 permit .*:1
Check the result with display bgp routing-table community-filter 101: the expression is not anchored, so :1 also matches communities such as 100:10 or 100:123; anchor the expression if only NN = 1 is intended.

Relevant configuration summary:
Run ip community-filter to configure a community filter and reference it from a route-policy. The Huawei commands are as follows:

Configure a basic community filter: run ip community-filter basic comm-filter-name [index index-number] {permit | deny} [community-number | aa:nn | internet [strict-match] | no-export-subconfed | no-advertise | no-export], or run ip community-filter basic-comm-filter-num [index index-number] {permit | deny} [community-number | aa:nn | internet | no-export-subconfed | no-advertise | no-export].

Configure an advanced community filter: run ip community-filter {advanced comm-filter-name | adv-comm-filter-num} [index index-number] {permit | deny} regular-expression.

Note the distinction:
apply community 100: sets the community attribute to 100, replacing any community the route already carries.
apply community 100 150: sets the community attribute to 100 and 150, so the route belongs to two communities.
apply community 100 150 additive: adds 100 and 150 to the existing community attribute; a route that carried one community before then belongs to three.
apply community none: removes the community attribute from the BGP route.

Extended community filter:

The BGP extended community filter works like the community filter. It is mainly used to filter VPN routes by their VPN-Target (route target) extended community and is referenced from a route-policy.

Configure VPN-Target extended community filters:

Configure a basic VPN-Target extended community filter: run ip extcommunity-filter {basic-extcomm-filter-num | basic basic-extcomm-filter-name} [index index-number] {deny | permit} {rt {as-number:nn | 4as-number:nn | ipv4-address:nn}} &<1-16>.

Configure an advanced VPN-Target extended community filter: run ip extcommunity-filter {advanced-extcomm-filter-num | advanced advanced-extcomm-filter-name} [index index-number] {deny | permit} regular-expression.

Example (the original post shows it as a screenshot, not reproduced here):
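An added example of a basic VPN-Target extended community filter in use, not the post's own screenshot: a PE accepts only the VPNv4 routes from a remote PE that carry RT 100:1 or 100:2. All names and addresses are assumed (AS 100, remote PE loopback 2.2.2.2, VPN instance vpnA); the // notes are annotations, not CLI input.

```text
# PE (AS 100, assumed): keep only VPNv4 routes carrying RT 100:1 or RT 100:2 from peer 2.2.2.2
ip extcommunity-filter 1 index 10 permit rt 100:1
ip extcommunity-filter 1 index 20 permit rt 100:2   // any other RT falls through to the filter's implicit deny
#
route-policy vpn-in permit node 10
 if-match extcommunity-filter 1
# no further node: routes that do not match node 10 are dropped by the route-policy's implicit deny
#
ip vpn-instance vpnA
 ipv4-family
  route-distinguisher 100:1
  vpn-target 100:1 export-extcommunity
  vpn-target 100:1 import-extcommunity
#
bgp 100
 router-id 1.1.1.1
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 ipv4-family vpnv4
  policy vpn-target                                 // default: VPNv4 routes whose RT matches no local vpn-instance are discarded
  peer 2.2.2.2 enable
  peer 2.2.2.2 route-policy vpn-in import           // the extcommunity filter is applied here, before RT import matching
#
# Verification (user view): display bgp vpnv4 all routing-table
# Only routes carrying RT 100:1 or RT 100:2 remain in the VPNv4 table.
```

The route-policy filter runs before the vpn-target import check, so it is the place to drop routes from a specific peer even when their RT would otherwise be imported into a local VPN instance.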

Reference materials: Huawei HedEx documentation; "Switch in the rivers and lakes".

Origin blog.csdn.net/tushanpeipei/article/details/112794595