BGP IPv6 Route Filtering on Cisco IOS

Filtering IPv6 routes in BGP is similar to IPv4 filtering.  There are 3 methods we can use:

  • Prefix-list
  • Filter-list
  • Route-map

Each of these can be applied inbound or outbound. I’ll explain how you can use these for filtering. This is the topology I will use:

[Topology diagram: R1 and R2, BGP IPv6, 4 prefixes]

R1 and R2 are using IPv6 addresses and will use MP-BGP so that R1 can advertise some prefixes on its loopback interfaces. All prefixes on the loopback interfaces are /64 subnets, except loopback3, which has a /96 subnet.

Configuration

Let’s start with a basic MP-BGP configuration so that R1 and R2 become eBGP neighbors:

R1 & R2
(config)#ipv6 unicast-routing
R1(config)#router bgp 1
R1(config-router)#bgp router-id 1.1.1.1
R1(config-router)#neighbor 2001:db8:0:12::2 remote-as 2
R1(config-router)#address-family ipv6
R1(config-router-af)#neighbor 2001:db8:0:12::2 activate
R1(config-router-af)#network 2001:db8:0:1::/64
R1(config-router-af)#network 2001:db8:0:11::/64
R1(config-router-af)#network 2001:db8:0:111::/64
R1(config-router-af)#network 2001:db8:0:1111::/96
R2(config)#router bgp 2
R2(config-router)#bgp router-id 2.2.2.2
R2(config-router)#neighbor 2001:db8:0:12::1 remote-as 1
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::1 activate

Let’s check if R2 has learned all prefixes:

R2#show ipv6 route bgp | begin 2001
B   2001:DB8:0:1::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:11::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:111::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:1111::/96 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

There we go, everything is in the routing table. Now we can play with some of the filtering options…

Prefix-List Filtering

Let’s start with the prefix-list. R1 is advertising one /96 subnet. Let’s see if we can configure R2 to filter this network:

R2(config)#ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64

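This prefix-list checks the entire 2001::/16 range and permits subnets with a /64 or larger, that is, a prefix length between /16 and /64. Anything smaller, such as our /96, will be denied by the implicit deny at the end of the prefix-list. Let’s activate it: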

R2(config)#router bgp 2
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::1 prefix-list SMALL_NETWORKS in

We activate the prefix-list inbound on R2 for everything that we receive from R1. Let’s reset BGP to speed things up:

R2#clear ip bgp *

Let’s check R2 to see if our prefix is gone:

R2#show ipv6 route bgp | begin 2001
B   2001:DB8:0:1::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:11::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:111::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

Great, it has been filtered successfully!
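The `le 64` matching rule above, modelled in Python as an added example (not code from the original lesson or from Cisco): a route is permitted only if it lies inside the entry's prefix and its length falls in the allowed range. The function names and the two extra routes are constructed for illustration.

```python
import ipaddress

# (action, prefix, ge, le), mirroring the lesson's
# "ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64"
SMALL_NETWORKS = [("permit", "2001::/16", None, 64)]

# R1's four advertisements from the lesson, plus two constructed routes
ROUTES = [
    "2001:db8:0:1::/64",
    "2001:db8:0:11::/64",
    "2001:db8:0:111::/64",
    "2001:db8:0:1111::/96",
    "2001:db8::/32",   # constructed: shorter than /64, still inside 2001::/16
    "2002::/16",       # constructed: outside 2001::/16
]


def prefix_list_action(entries, route):
    """Return 'permit' or 'deny' for one route; the first matching entry wins."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = base.prefixlen  # no ge/le: the length must match exactly
        else:
            lo = ge if ge is not None else base.prefixlen
            hi = le if le is not None else base.max_prefixlen
        # The route must lie inside the entry's prefix and its length must fall
        # in [lo, hi]; "le 64" on a /16 therefore means /16 through /64.
        in_range = net.version == base.version and net.subnet_of(base)
        if in_range and lo <= net.prefixlen <= hi:
            return action
    return "deny"  # implicit deny when no entry matches


def filter_routes(entries, routes):
    """Map each route to the action the prefix-list takes on it."""
    return {route: prefix_list_action(entries, route) for route in routes}


if __name__ == "__main__":
    for route, action in filter_routes(SMALL_NETWORKS, ROUTES).items():
        print(f"{route:24} {action}")
```

Note that the constructed /32 is permitted as well: `2001::/16 le 64` accepts any prefix in that range from /16 up to /64, not only the three /64 loopbacks.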

Filter-List Filtering

Let’s try the filter-list. We can use this to filter prefixes from certain autonomous systems. Everything that R1 is advertising only has AS 1 in the AS path, so I’ll configure AS prepending to give us something to play with:

R1(config)#ipv6 prefix-list FIRST_LOOPBACK permit 2001:db8:0:1::/64

R1(config)#route-map PREPEND permit 10
R1(config-route-map)#match ipv6 address prefix-list FIRST_LOOPBACK
R1(config-route-map)#set as-path prepend 11
R1(config)#route-map PREPEND permit 20

R1(config)#router bgp 1
R1(config-router)#address-family ipv6
R1(config-router-af)#neighbor 2001:db8:0:12::2 route-map PREPEND out

The above configuration will make sure that whenever R1 advertises 2001:db8:0:1::/64 it will add AS 11 to the AS path. Let’s verify this:

R2#show ip bgp all
For address family: IPv4 Unicast


For address family: IPv6 Unicast

BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 2001:DB8:0:1::/64
                    2001:DB8:0:12::1
                                             0             0 1 11 i
*> 2001:DB8:0:11::/64
                    2001:DB8:0:12::1
                                             0             0 1 i
*> 2001:DB8:0:111::/64
                    2001:DB8:0:12::1
                                             0             0 1 i

For address family: IPv4 Multicast

Above you can see that 2001:DB8:0:1::/64 now has AS 11 in its AS path. Let’s configure a filter-list on R2 to get rid of this network:

R2(config)#ip as-path access-list 11 permit ^1$

R2(config)#router bgp 2
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::1 filter-list 11 in

R2#clear ip bgp *

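The as-path access-list above only permits prefixes whose AS path is exactly AS 1 (^1$), nothing else. The prepended path "1 11" does not match, so it is dropped by the implicit deny. We attach it inbound to everything we receive from R1. This is the result: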

R2#show ipv6 route bgp | begin 2001
B   2001:DB8:0:11::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0
B   2001:DB8:0:111::/64 [20/0]
     via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

It’s gone from the routing table, mission accomplished.
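The filter-list decision above, sketched in Python as an added example (not code from the original lesson or from Cisco): it evaluates an as-path access-list against the AS paths from R2's BGP table and contrasts `^1$` with two looser patterns. The helper names, the IOS-to-Python translation of `_`, and the path "11 65001" are constructed for illustration.

```python
import re

# In IOS AS-path regexes "_" matches a delimiter: start or end of the string,
# a space, a comma, a brace or a parenthesis.
_DELIM = r"(?:^|$|[ ,{}()])"

# The lesson's "ip as-path access-list 11 permit ^1$"
ACL_11 = [("permit", "^1$")]

# Prefix -> AS path as shown in R2's BGP table (the /96 is already filtered)
RECEIVED = {
    "2001:DB8:0:1::/64": "1 11",
    "2001:DB8:0:11::/64": "1",
    "2001:DB8:0:111::/64": "1",
}


def ios_regex(pattern):
    """Translate the IOS '_' delimiter token into a Python regex."""
    return re.compile(pattern.replace("_", _DELIM))


def as_path_acl_action(entries, as_path):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, pattern in entries:
        if ios_regex(pattern).search(as_path):
            return action
    return "deny"


def apply_filter_list(entries, received):
    """Return only the prefixes whose AS path the access-list permits."""
    return {prefix: path for prefix, path in received.items()
            if as_path_acl_action(entries, path) == "permit"}


if __name__ == "__main__":
    print(sorted(apply_filter_list(ACL_11, RECEIVED)))
    # Anchoring matters: "^1" without "$" or "_" also matches paths that
    # merely start with the digit 1, such as the constructed path "11 65001".
    for pattern in ("^1$", "^1_", "^1"):
        acl = [("permit", pattern)]
        print(pattern, [as_path_acl_action(acl, p) for p in ("1", "1 11", "11 65001")])
```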

Route-Map Filtering

Route-maps are really useful and can be used to match on many different things. I’ll use an IPv6 access-list in a route-map to filter 2001:DB8:0:11::/64:

Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Rene,

    I think that it is an erratum:

    This prefix-list checks the entire 2001::/16 range and permits subnets with a /64 or larger.
    It should be:

    This prefix-list checks the entire 2001::/16 range and permits subnets with a /64 or smaller

    Thank you

  2. Hi Diego,

    Thanks for the message, this sentence is correct though. Take a look at the prefix-list:

    ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64

    The “le 64” part means that it will match /64, /63, /62, /61, /60, etc. All of these are “larger” subnets than /64.

    Rene

  3. Hi Rene
    Great lesson!
    You might want to fix the BGP configuration for R2

    R2(config)#router bgp 1
    R2(config-router)#bgp router-id 2.2.2.2
    R2(config-router)#neighbor 2001:db8:0:12::1 remote-as 2
    R2(config-router)#address-family ipv6
    R2(config-router-af)#neighbor 2001:db8:0:12::2 activate
    

    Thank you

  4. Hello Rene,

    I was doing a LAB and I discovered something interesting and I wanted to ask you why:

    What is the difference between having the following route-map here:

    router bgp 21
     no synchronization
     bgp router-id 15.15.15.15
     bgp log-neighbor-changes
     neighbor 2001:DB8:12::1 remote-as 20
     neighbor 2001:DB8:12::1 route-map BLOCK_MAP in <------------
     no auto-summary
     !
     address-family ipv6
      neighbor 2001:DB8:12::1 activate
      neighbor 2001:DB8:12::1 prefix-list NET64 in
     exit-address-family
    

    OR HERE

    router bgp 21
     no synchronization
     bgp router-id 15.15.15.15
     bgp log
    ...