BGP IPv6 Route Filtering on Cisco IOS

Filtering IPv6 routes in BGP is similar to IPv4 filtering.  There are 3 methods we can use:

  • Prefix-list
  • Filter-list
  • Route-map

Each of these can be applied inbound or outbound. I’ll explain how you can use them for filtering. This is the topology I will use:

[Figure: R1 and R2 topology, BGP IPv6 with 4 prefixes]

R1 and R2 are using IPv6 addresses and will use MP-BGP so that R1 can advertise some prefixes on its loopback interfaces. The prefixes on the loopback interfaces are /64 subnets, except for loopback3, which has a /96 subnet.

Configuration

Let’s start with a basic MP-BGP configuration so that R1 and R2 become eBGP neighbors:

R1 & R2
(config)#ipv6 unicast-routing
R1(config)#router bgp 1
R1(config-router)#bgp router-id 1.1.1.1
R1(config-router)#neighbor 2001:db8:0:12::2 remote-as 2
R1(config-router)#address-family ipv6
R1(config-router-af)#neighbor 2001:db8:0:12::2 activate
R1(config-router-af)#network 2001:db8:0:1::/64
R1(config-router-af)#network 2001:db8:0:11::/64
R1(config-router-af)#network 2001:db8:0:111::/64
R1(config-router-af)#network 2001:db8:0:1111::/96
R2(config)#router bgp 2
R2(config-router)#bgp router-id 2.2.2.2
R2(config-router)#neighbor 2001:db8:0:12::1 remote-as 1
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::1 activate

Let’s check if R2 has learned all prefixes:

R2#show ipv6 route bgp | begin 2001
B   2001:DB8:0:1::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:11::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:111::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:1111::/96 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

There we go, everything is in the routing table. Now we can play with some of the filtering options…

Prefix-List Filtering

Let’s start with the prefix-list. R1 is advertising one /96 subnet. Let’s see if we can configure R2 to filter this network:

R2(config)#ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64

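This prefix-list checks the entire 2001::/16 range and permits any prefix with a length of /64 or shorter (a /64 subnet or larger). Anything with a longer prefix length, such as the /96, matches no entry and is dropped by the implicit deny at the end of the prefix-list. Let’s activate it: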

R2(config)#router bgp 2
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::1 prefix-list SMALL_NETWORKS in

We activate the prefix-list inbound on R2 for everything that we receive from R1. Let’s reset BGP to speed things up:

R2#clear ip bgp *

Let’s check R2 to see if our prefix is gone:

R2#show ipv6 route bgp | begin 2001
B   2001:DB8:0:1::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:11::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:111::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

Great, it has been filtered successfully!

Filter-List Filtering

Let’s try the filter-list. We can use this to filter prefixes from certain autonomous systems. Everything that R1 is advertising only has AS 1 in the AS path, so I’ll configure AS prepending to give us something to play with:

R1(config)#ipv6 prefix-list FIRST_LOOPBACK permit 2001:db8:0:1::/64

R1(config)#route-map PREPEND permit 10
R1(config-route-map)#match ipv6 address prefix-list FIRST_LOOPBACK
R1(config-route-map)#set as-path prepend 11
R1(config)#route-map PREPEND permit 20

R1(config)#router bgp 1
R1(config-router)#address-family ipv6
R1(config-router-af)#neighbor 2001:db8:0:12::2 route-map PREPEND out

The above configuration will make sure that whenever R1 advertises 2001:db8:0:1::/64 it will add AS 11 to the AS path. Let’s verify this:

R2#show ip bgp all
For address family: IPv4 Unicast


For address family: IPv6 Unicast

BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 2001:DB8:0:1::/64
                    2001:DB8:0:12::1
                                             0             0 1 11 i
*> 2001:DB8:0:11::/64
                    2001:DB8:0:12::1
                                             0             0 1 i
*> 2001:DB8:0:111::/64
                    2001:DB8:0:12::1
                                             0             0 1 i

For address family: IPv4 Multicast

Above you can see that 2001:DB8:0:1::/64 now has AS 11 in its AS path. Let’s configure a filter-list on R2 to get rid of this network:

R2(config)#ip as-path access-list 11 permit ^1$

R2(config)#router bgp 2
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::1 filter-list 11 in

R2#clear ip bgp *

The as-path access-list above only permits prefixes whose AS path is exactly AS 1 (the regular expression ^1$), nothing else. We attach it inbound to everything we receive from R1. This is the result:

R2#show ipv6 route bgp | begin 2001
B   2001:DB8:0:11::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:111::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

It’s gone from the routing table, mission accomplished.
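
The two inbound filters on R2 (the SMALL_NETWORKS prefix-list and as-path access-list 11) can be modelled offline to check which of R1's advertisements survive. This Python sketch is an added example, not part of the original lesson or of IOS; the function names are hypothetical, the advertisement list is constructed from the outputs above, and the ge/le and underscore handling goes slightly beyond the single entries used on this page.

```python
import ipaddress
import re

# R2's inbound policy, transcribed from the configuration on this page.
SMALL_NETWORKS = [("permit", "2001::/16", None, 64)]   # (action, prefix, ge, le)
AS_PATH_ACL_11 = [("permit", "^1$")]                   # (action, regex)

# Constructed sample: R1's advertisements with the AS path R2 sees after prepending.
ADVERTISEMENTS = [
    ("2001:db8:0:1::/64", [1, 11]),
    ("2001:db8:0:11::/64", [1]),
    ("2001:db8:0:111::/64", [1]),
    ("2001:db8:0:1111::/96", [1]),
]

def prefix_list_permits(entries, route):
    """First matching entry wins; no match means the implicit deny applies."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = base.prefixlen            # no ge/le: exact length only
        else:
            lo = base.prefixlen if ge is None else ge
            hi = base.max_prefixlen if le is None else le
        if (net.version == base.version and lo <= net.prefixlen <= hi
                and net.subnet_of(base)):
            return action == "permit"
    return False

def as_path_permits(entries, as_path):
    """Match the AS path, written as space-separated ASNs, against each regex."""
    text = " ".join(str(asn) for asn in as_path)
    for action, regex in entries:
        # IOS '_' matches a delimiter or either end of the string.
        pattern = regex.replace("_", r"(?:^|$|[ ,{}()])")
        if re.search(pattern, text):
            return action == "permit"
    return False

def accepted_routes(adverts, prefix_list, as_path_acl):
    """A route is installed only if it passes both inbound filters."""
    return [route for route, path in adverts
            if prefix_list_permits(prefix_list, route)
            and as_path_permits(as_path_acl, path)]

if __name__ == "__main__":
    print(accepted_routes(ADVERTISEMENTS, SMALL_NETWORKS, AS_PATH_ACL_11))
```

Dropping the `le 64` from the prefix-list entry turns it into an exact match on 2001::/16, which none of R1's prefixes satisfy, so every route would then be denied.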

Route-Map Filtering

Route-maps are really useful and can be used to match on many different things. I’ll use an IPv6 access-list in a route-map to filter 2001:DB8:0:11::/64:


Forum Replies

  1. What about this method, Rene?

    access-list 1 permit 1.1.1.0 0.0.0.255
    
    route-map NO-EXPORT permit 10
      match ip address 1
    
    neighbor 192.168.12.2 route-map NO-EXPORT out
    neighbor 192.168.13.3 route-map NO-EXPORT out
    

    Ofc we can use “match ip address prefix-list” as well. And my deepest respect for all what you do for us all.

  2. Hello Rene,

    Great job as always. Is it possible for you to publish the router configurations? I would like to see how you did the configuration; this also helps me clear up the theory.

    It’s just a question.

    Thank you very much!!

  3. Jason,
    This is actually a very good question which required wireshark and some musing on my part to figure out.

    Here’s the short answer:
    If you included R1’s AS in the filter:
    R1(config)#ip as-path access-list 1 permit ^4444$
    It would indeed stop ISP1 and ISP2 from using R1 as a transit path. However, there is also a negative consequence. R1’s advertisements to ISP1 and ISP2 would also be filtered out.

    Here’s the long answer:
    The interesting question is why does it do this? To answer this question, the first point to understand is what the ip as-path command i


  4. Hello Rene, I am a bit confused. The No-Export community tells BGP neighbors to advertise a prefix only to iBGP neighbors, so why, if we use the “no-export” community, do we still need to use the command “send-community”? It should still export the prefixes to iBGP based on the no-export community… am I wrong?

  5. Oh, now I see, I confused the export of the community with the prefixes :) So no export will make sure we won’t export the prefix, but then we need send community to make sure the “no export” is propagated?
