BGP Lab Exercise 4
------------------

1. This exercise will investigate the use of prefix-lists for filtering BGP announcements from both BGP neighbours. Before you begin, remove the AS-path filter configuration you added in Lab Exercise 3.

2. Define the prefix-lists that you will need. This first one specifies which routes you will send out to any BGP neighbour.

   RouterA(config)# ip prefix-list my-routes description My routes outbound
   RouterA(config)# ip prefix-list my-routes permit 196.200.220.32/28
   RouterA(config)# ip prefix-list my-routes deny 0.0.0.0/0 le 32

   Double check that your "my-routes" outbound filter contains the networks you wish to announce.

3. Now define the prefix-list for the prefixes you expect to hear from your peer AS.

   RouterA(config)# ip prefix-list peer-AS2 description routes from AS2 inbound
   RouterA(config)# ip prefix-list peer-AS2 permit 196.200.220.48/28
   RouterA(config)# ip prefix-list peer-AS2 deny 0.0.0.0/0 le 32

4. Finally, define the sanity prefix-list for the prefixes you would expect to hear from your upstream ISP. In this example we assume we receive the full Internet routing table, or the default route, so we simply permit everything and discard the prefixes we should never hear on the Internet. See RFC 5735 and the Team Cymru website at http://www.cymru.com/Documents for more information on these special prefixes and the sanity filter.
   RouterA(config)# ip prefix-list sanity-filter description Sanity Inbound
   RouterA(config)# ip prefix-list sanity-filter deny 10.0.0.0/8 le 32
   RouterA(config)# ip prefix-list sanity-filter deny 127.0.0.0/8 le 32
   RouterA(config)# ip prefix-list sanity-filter deny 169.254.0.0/16 le 32
   RouterA(config)# ip prefix-list sanity-filter deny 172.16.0.0/12 le 32
   RouterA(config)# ip prefix-list sanity-filter deny 192.0.2.0/24 le 32
   RouterA(config)# ip prefix-list sanity-filter deny 192.168.0.0/16 le 32
   RouterA(config)# ip prefix-list sanity-filter permit 0.0.0.0/0 le 32

   In most classroom exercises, you trust your provider enough that you can use a simple sanity filter that denies a few things and then permits everything else.

5. Now apply the prefix filter to the BGP session you have with your peer.

   RouterA(config-router)# address-family ipv4
   RouterA(config-router-af)# neighbor 196.200.220.xxx prefix-list my-routes out
   RouterA(config-router-af)# neighbor 196.200.220.xxx prefix-list peer-AS2 in

6. And now apply the prefix filter to the BGP session you have with your upstream in AS100.

   RouterA(config-router)# address-family ipv4
   RouterA(config-router-af)# neigh 196.200.222.1 prefix-list my-routes out
   RouterA(config-router-af)# neigh 196.200.222.1 prefix-list sanity-filter in

7. To implement the new policy, don't forget to request a "route refresh" on the two BGP sessions. The following commands will do the needful: "in" asks the neighbour to re-send its routes so your new inbound policy is applied, and "out" re-sends your routes through the new outbound policy.

   clear ip bgp 100 in    ! apply new policy inbound from AS100
   clear ip bgp 100 out   ! apply new policy outbound to AS100
   clear ip bgp 2 in      ! apply new policy inbound from AS2
   clear ip bgp 2 out     ! apply new policy outbound to AS2

8. Check the BGP process using "sh ip bgp" to see what prefixes you are receiving from your neighbouring AS.

9. What routes do you see? What paths are available?

10. We now repeat the exercise using IPv6. Define the prefix-lists that you will need. This first one specifies which routes you will send out to any BGP neighbour.
   RouterA(config)# ipv6 prefix-list my-v6routes description My routes outbound
   RouterA(config)# ipv6 prefix-list my-v6routes permit 2001:4348:220:10::/60
   RouterA(config)# ipv6 prefix-list my-v6routes deny ::/0 le 128

   Double check that your "my-v6routes" outbound filter contains the networks you wish to announce.

11. Now define the prefix-list for the prefixes you expect to hear from your peer AS.

   RouterA(config)# ipv6 prefix-list v6peer-AS2 description routes from AS2 inbound
   RouterA(config)# ipv6 prefix-list v6peer-AS2 permit 2001:3238:220:20::/60
   RouterA(config)# ipv6 prefix-list v6peer-AS2 deny ::/0 le 128

12. Finally, define the sanity prefix-list for the prefixes you would expect to hear from your upstream ISP. In this example we assume we receive the full Internet routing table, or the default route, so we simply permit everything and discard the prefixes we should never hear on the Internet. See http://www.cymru.com/Bogons/ipv6.txt for more information on these special prefixes and the sanity filter.

   RouterA(config)# ipv6 prefix-list v6sanity-filter description Sanity Inbound
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny ::/0
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny ::1/128
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny fe80::/10 le 128
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny fec0::/10 le 128
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny fc00::/7 le 128
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny ff00::/8 le 128
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny 2001:db8::/32 le 128
   RouterA(config)# ipv6 prefix-list v6sanity-filter permit ::/0 le 128

   In most classroom exercises, you trust your provider enough that you can use a simple sanity filter that denies a few things and then permits everything else.

13. Now apply the prefix filter to the BGP session you have with your peer.
   RouterA(config-router)# address-family ipv6
   RouterA(config-router-af)# neigh 2001:4348:220:xx::x prefix-l my-v6routes out
   RouterA(config-router-af)# neigh 2001:4348:220:xx::x prefix-l v6peer-AS2 in

14. And now apply the prefix filter to the BGP session you have with your upstream in AS100.

   RouterA(config-router)# address-family ipv6
   RouterA(config-router-af)# neigh 2001:4348:220:xx::x prefix-l my-v6routes out
   RouterA(config-router-af)# neigh 2001:4348:220:xx::x prefix-l v6sanity-filter in

15. To implement the new policy, don't forget to request a "route refresh" on the two BGP sessions. The following commands will do the needful: "in" asks the neighbour to re-send its routes so your new inbound policy is applied, and "out" re-sends your routes through the new outbound policy.

   clear bgp ipv6 unicast 100 in    ! apply new policy inbound from AS100
   clear bgp ipv6 unicast 100 out   ! apply new policy outbound to AS100
   clear bgp ipv6 unicast 2 in      ! apply new policy inbound from AS2
   clear bgp ipv6 unicast 2 out     ! apply new policy outbound to AS2

16. Check the BGP process using "sh bgp ipv6 unicast" to see what prefixes you are receiving from your neighbouring AS.

17. What routes do you see? What paths are available?
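The following Python script is an added illustration and is not part of the lab exercise or any vendor code. It parses prefix-list lines in the form used above (the "RouterA(config)#" prompt and "description" lines are skipped), then evaluates candidate prefixes with the matching rules Cisco IOS applies to prefix-lists: the candidate must lie inside the entry's prefix, its length must fall in the range implied by "ge"/"le" (the exact configured length when neither keyword is given), the first matching entry wins, and a list with no matching entry denies. The copy of the lab's lists and the sample prefixes are constructed for this example; running it shows, for instance, that "permit 196.200.220.32/28" does not admit a more-specific /29, that "deny ::/0" without "le 128" blocks only the exact IPv6 default route, and that the short classroom IPv4 sanity list passes multicast space because no entry covers it.

```python
"""Offline evaluator for Cisco IOS style prefix-lists (added example, not lab code)."""
import ipaddress
import re

# Constructed copy of the exercise's prefix-list lines, prompts included.
CONFIG = """
RouterA(config)# ip prefix-list my-routes description My routes outbound
RouterA(config)# ip prefix-list my-routes permit 196.200.220.32/28
RouterA(config)# ip prefix-list my-routes deny 0.0.0.0/0 le 32
RouterA(config)# ip prefix-list sanity-filter description Sanity Inbound
RouterA(config)# ip prefix-list sanity-filter deny 10.0.0.0/8 le 32
RouterA(config)# ip prefix-list sanity-filter deny 127.0.0.0/8 le 32
RouterA(config)# ip prefix-list sanity-filter deny 169.254.0.0/16 le 32
RouterA(config)# ip prefix-list sanity-filter deny 172.16.0.0/12 le 32
RouterA(config)# ip prefix-list sanity-filter deny 192.0.2.0/24 le 32
RouterA(config)# ip prefix-list sanity-filter deny 192.168.0.0/16 le 32
RouterA(config)# ip prefix-list sanity-filter permit 0.0.0.0/0 le 32
RouterA(config)# ipv6 prefix-list v6sanity-filter deny ::/0
RouterA(config)# ipv6 prefix-list v6sanity-filter deny ::1/128
RouterA(config)# ipv6 prefix-list v6sanity-filter deny fe80::/10 le 128
RouterA(config)# ipv6 prefix-list v6sanity-filter deny fec0::/10 le 128
RouterA(config)# ipv6 prefix-list v6sanity-filter deny fc00::/7 le 128
RouterA(config)# ipv6 prefix-list v6sanity-filter deny ff00::/8 le 128
RouterA(config)# ipv6 prefix-list v6sanity-filter deny 2001:db8::/32 le 128
RouterA(config)# ipv6 prefix-list v6sanity-filter permit ::/0 le 128
"""

PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")
ENTRY_RE = re.compile(
    r"^(?:ip|ipv6) prefix-list (\S+) (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?$"
)


def parse_prefix_lists(text):
    """Return {list_name: [(action, network, ge, le), ...]} in configured order."""
    lists = {}
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = ENTRY_RE.match(line)
        if not m:  # blank lines, "description" lines and anything else are ignored
            continue
        name, action, prefix, ge, le = m.groups()
        entry = (action, ipaddress.ip_network(prefix, strict=False),
                 int(ge) if ge else None, int(le) if le else None)
        lists.setdefault(name, []).append(entry)
    return lists


def entry_matches(entry, net):
    """IOS rule: net must lie inside the entry's prefix and its length must be
    within the ge/le range; with neither keyword only the exact length matches."""
    _action, base, ge, le = entry
    if net.version != base.version or not net.subnet_of(base):
        return False
    low = ge if ge is not None else base.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = net.max_prefixlen
    else:
        high = base.prefixlen
    return low <= net.prefixlen <= high


def evaluate(entries, prefix):
    """First matching entry wins; no match means implicit deny.
    Returns (action, 1-based entry number or None)."""
    net = ipaddress.ip_network(prefix, strict=False)
    for seq, entry in enumerate(entries, start=1):
        if entry_matches(entry, net):
            return entry[0], seq
    return "deny", None


if __name__ == "__main__":
    lists = parse_prefix_lists(CONFIG)
    # Constructed sample prefixes chosen to exercise the exact-length and "le" rules.
    checks = [
        ("my-routes", "196.200.220.32/28"),            # the lab's own /28: permit
        ("my-routes", "196.200.220.32/29"),            # more-specific, no "le": deny
        ("sanity-filter", "10.1.2.0/24"),              # RFC 1918 space: deny
        ("sanity-filter", "0.0.0.0/0"),                # default route from upstream: permit
        ("sanity-filter", "224.0.0.0/4"),              # multicast, not in the short list: permit
        ("v6sanity-filter", "::/0"),                   # exact IPv6 default only: deny
        ("v6sanity-filter", "2001:db8:1::/48"),        # documentation prefix: deny
        ("v6sanity-filter", "2001:4348:220:10::/60"),  # lab prefix: permit
    ]
    for name, prefix in checks:
        print(f"{name:16} {prefix:26} -> {evaluate(lists[name], prefix)}")
```

To check a different list, paste its "ip prefix-list" or "ipv6 prefix-list" lines into CONFIG and add the prefixes you expect to see (or never want to see) to the checks; an unexpected "permit" from the sanity list is the cue to add a deny entry before the trailing permit.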