BGP Lab Exercise 4
------------------

1. This exercise will investigate the use of prefix-lists for filtering BGP announcements from both BGP neighbours. Before you begin, remove the AS-path filter configuration you added in Lab Exercise 3.

2. Define the prefix-lists that you will need. This first one specifies which routes you will send out to any BGP neighbour.

   RouterA(config)# ip prefix-list my-routes description My routes outbound
   RouterA(config)# ip prefix-list my-routes permit 196.200.220.32/28
   RouterA(config)# ip prefix-list my-routes deny 0.0.0.0/0 le 32

   Double check that your "my-routes" outbound filter contains exactly the networks you wish to announce. A prefix-list entry with no "le" or "ge" qualifier matches only that exact prefix length, so the permit line above announces 196.200.220.32/28 and nothing more specific. The final "deny 0.0.0.0/0 le 32" entry matches every prefix of every length and therefore drops anything not permitted above it (a prefix-list ends in an implicit deny anyway, but spelling it out makes the intent clear when you read the configuration later).

3. Next, define the sanity prefix-list for the prefixes you would expect to hear from your upstream ISP. In this example we assume we receive the full Internet Routing Table, or the default route, so we simply permit everything and discard the prefixes we should never hear on the Internet. See RFC5735 and the Team Cymru website at http://www.team-cymru.org/documents.html for more information on these special prefixes and the sanity filter.

   RouterA(config)# ip prefix-list sanity-filter description Sanity Inbound
   RouterA(config)# ip prefix-list sanity-filter deny 10.0.0.0/8 le 32
   RouterA(config)# ip prefix-list sanity-filter deny 127.0.0.0/8 le 32
   RouterA(config)# ip prefix-list sanity-filter deny 169.254.0.0/16 le 32
   RouterA(config)# ip prefix-list sanity-filter deny 172.16.0.0/12 le 32
   RouterA(config)# ip prefix-list sanity-filter deny 192.0.2.0/24 le 32
   RouterA(config)# ip prefix-list sanity-filter deny 192.168.0.0/16 le 32
   RouterA(config)# ip prefix-list sanity-filter permit 0.0.0.0/0 le 32

   In most classroom exercises you trust your provider enough that you can use a simple sanity filter that denies a few things and then permits everything else. Note the "le 32" on every deny entry: without it, "deny 10.0.0.0/8" would reject only the /8 itself and let 10.1.0.0/16 straight through. Outside the classroom, the inbound filter from an upstream should also reject your own address space (so that a leaked or hijacked copy of your prefix cannot be learned back from the provider) and the remaining special-use ranges listed in RFC5735, and it should be kept up to date from a maintained bogon list rather than typed once and forgotten.

4. Now apply the prefix filters to the BGP session you have with your upstream in AS100.

   RouterA(config-router)# address-family ipv4
   RouterA(config-router-af)# neighbor 196.200.220.1 prefix-list my-routes out
   RouterA(config-router-af)# neighbor 196.200.220.1 prefix-list sanity-filter in

5. Also apply the prefix filters to the BGP session you have with your upstream in AS200, on another router in the group.

   RouterD(config-router)# address-family ipv4
   RouterD(config-router-af)# neighbor 196.200.221.1 prefix-list my-routes out
   RouterD(config-router-af)# neighbor 196.200.221.1 prefix-list sanity-filter in

6. To implement the new policy, don't forget to request a "route refresh" on the two BGP sessions. The following commands will do the needful. These are soft resets: "in" asks the neighbour to re-send its routes so the new inbound filter can be applied to them, and "out" re-sends your own routes through the new outbound filter. Neither tears the session down.

   clear ip bgp 100 in    ! apply new inbound policy to routes received from AS100
   clear ip bgp 100 out   ! apply new outbound policy to routes sent to AS100
   clear ip bgp 200 in    ! apply new inbound policy to routes received from AS200
   clear ip bgp 200 out   ! apply new outbound policy to routes sent to AS200

7. Check the BGP process using "sh ip bgp" to see what prefixes you are receiving from your neighbouring AS. To confirm that the outbound filter is doing its job, "sh ip bgp neighbors 196.200.220.1 advertised-routes" lists what you are actually sending to AS100; it should contain only 196.200.220.32/28.

8. What routes do you see? What paths are available?

9. We now repeat the exercise using IPv6. Define the prefix-lists that you will need. This first one specifies which routes you will send out to any BGP neighbour.

   RouterA(config)# ipv6 prefix-list my-v6routes description My routes outbound
   RouterA(config)# ipv6 prefix-list my-v6routes permit 2001:4348:220:10::/60
   RouterA(config)# ipv6 prefix-list my-v6routes deny ::/0 le 128

   Double check that your "my-v6routes" outbound filter contains exactly the networks you wish to announce.

10. Next, define the sanity prefix-list for the prefixes you would expect to hear from your upstream ISP. As with IPv4, we assume we receive the full Internet Routing Table, or the default route, so we simply permit everything and discard the prefixes we should never hear on the Internet. See http://www.cymru.com/Bogons/ipv6.txt for more information on these special prefixes and the sanity filter.

   RouterA(config)# ipv6 prefix-list v6sanity-filter description Sanity Inbound
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny ::/0
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny ::1/128
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny fe80::/10 le 128
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny fec0::/10 le 128
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny fc00::/7 le 128
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny ff00::/8 le 128
   RouterA(config)# ipv6 prefix-list v6sanity-filter deny 2001:db8::/32 le 128
   RouterA(config)# ipv6 prefix-list v6sanity-filter permit ::/0 le 128

   In most classroom exercises you trust your provider enough that you can use a simple sanity filter that denies a few things and then permits everything else. Be aware that "deny ::/0" carries no "le" qualifier, so it matches only the default route itself; unlike the IPv4 sanity filter above, this list rejects a default route from the upstream. If your upstream sends you a default route over IPv6, remove that entry.

11. Now apply the prefix filters to the BGP session you have with your upstream in AS100 (substitute the IPv6 address of your upstream's router for 2001:4348:220:xx::x).

   RouterA(config-router)# address-family ipv6
   RouterA(config-router-af)# neighbor 2001:4348:220:xx::x prefix-list my-v6routes out
   RouterA(config-router-af)# neighbor 2001:4348:220:xx::x prefix-list v6sanity-filter in

   and to your upstream in AS200 on another router:

   RouterD(config-router)# address-family ipv6
   RouterD(config-router-af)# neighbor 2001:4348:220:xx::x prefix-list my-v6routes out
   RouterD(config-router-af)# neighbor 2001:4348:220:xx::x prefix-list v6sanity-filter in

12. To implement the new policy, don't forget to request a "route refresh" on the two BGP sessions. The following commands will do the needful; as in step 6, they are soft resets and do not drop the sessions.

   clear bgp ipv6 unicast 100 in    ! apply new inbound policy to routes received from AS100
   clear bgp ipv6 unicast 100 out   ! apply new outbound policy to routes sent to AS100
   clear bgp ipv6 unicast 200 in    ! apply new inbound policy to routes received from AS200
   clear bgp ipv6 unicast 200 out   ! apply new outbound policy to routes sent to AS200

13. Check the BGP process using "sh bgp ipv6 unicast" to see what prefixes you are receiving from your neighbouring AS. "sh bgp ipv6 unicast neighbors 2001:4348:220:xx::x advertised-routes" shows what you are sending; it should contain only 2001:4348:220:10::/60.

14. What routes do you see? What paths are available?
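The Python script below is an added example and is not part of the lab handout or of any router software. It models the first-match and "ge"/"le" length-window semantics of IOS prefix-lists and runs the four lists defined in steps 2, 3, 9 and 10 against constructed sample announcements, so you can predict what each filter will do before you apply it and request a route refresh. The sample prefixes (8.8.8.0/24, 2a00:1450::/32, 196.200.221.0/24 and the rest) are made up for the demonstration, the parser understands only the subset of prefix-list syntax used in this lab, and the sequence numbering imitates the IOS default of steps of 5.

```python
"""Offline evaluator for IOS-style prefix-lists. Added example for this lab,
not part of the handout and not IOS code: it models first-match semantics
with the ge/le length qualifiers and runs the lab's four lists over
constructed sample announcements."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Entry:
    seq: int
    action: str            # "permit" or "deny"
    prefix: Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: Network) -> bool:
        """Leading bits must equal the entry's prefix and the route length
        must fit the window: exactly len with no qualifier, len..le with
        `le`, ge..max with `ge` alone, ge..le with both."""
        if route.version != self.prefix.version or not route.subnet_of(self.prefix):
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else (
            self.prefix.max_prefixlen if self.ge is not None else self.prefix.prefixlen)
        return lo <= route.prefixlen <= hi


def parse_prefix_lists(config: str) -> Dict[str, List[Entry]]:
    """Parse `ip prefix-list` / `ipv6 prefix-list` lines into named lists.
    CLI prompts and `description` lines are skipped; sequence numbers are
    auto-assigned in steps of 5, as IOS does, unless `seq N` is given."""
    lists: Dict[str, List[Entry]] = {}
    for raw in config.splitlines():
        tokens = raw.split("# ", 1)[-1].split()    # drop "RouterA(config)# " if present
        if len(tokens) < 5 or tokens[0] not in ("ip", "ipv6") or tokens[1] != "prefix-list":
            continue
        name, rest = tokens[2], tokens[3:]
        entries = lists.setdefault(name, [])
        if rest[0] == "description":
            continue
        seq = entries[-1].seq + 5 if entries else 5
        if rest[0] == "seq":
            seq, rest = int(rest[1]), rest[2:]
        ge = le = None
        for key, val in zip(rest[2::2], rest[3::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        entries.append(Entry(seq, rest[0], ipaddress.ip_network(rest[1]), ge, le))
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries: List[Entry], cidr: str) -> str:
    """First matching entry wins; an unmatched route hits the implicit deny."""
    route = ipaddress.ip_network(cidr)
    for entry in entries:
        if entry.matches(route):
            return entry.action
    return "deny"


def apply_filter(entries: List[Entry], cidrs: List[str]) -> List[str]:
    """Prefixes the list lets through, in the order they were offered."""
    return [c for c in cidrs if evaluate(entries, c) == "permit"]


# The four lists from this lab exactly as configured in steps 2, 3, 9 and 10.
LAB_CONFIG = """
ip prefix-list my-routes permit 196.200.220.32/28
ip prefix-list my-routes deny 0.0.0.0/0 le 32
ip prefix-list sanity-filter description Sanity Inbound
ip prefix-list sanity-filter deny 10.0.0.0/8 le 32
ip prefix-list sanity-filter deny 127.0.0.0/8 le 32
ip prefix-list sanity-filter deny 169.254.0.0/16 le 32
ip prefix-list sanity-filter deny 172.16.0.0/12 le 32
ip prefix-list sanity-filter deny 192.0.2.0/24 le 32
ip prefix-list sanity-filter deny 192.168.0.0/16 le 32
ip prefix-list sanity-filter permit 0.0.0.0/0 le 32
ipv6 prefix-list my-v6routes permit 2001:4348:220:10::/60
ipv6 prefix-list my-v6routes deny ::/0 le 128
ipv6 prefix-list v6sanity-filter deny ::/0
ipv6 prefix-list v6sanity-filter deny ::1/128
ipv6 prefix-list v6sanity-filter deny fe80::/10 le 128
ipv6 prefix-list v6sanity-filter deny fec0::/10 le 128
ipv6 prefix-list v6sanity-filter deny fc00::/7 le 128
ipv6 prefix-list v6sanity-filter deny ff00::/8 le 128
ipv6 prefix-list v6sanity-filter deny 2001:db8::/32 le 128
ipv6 prefix-list v6sanity-filter permit ::/0 le 128
"""

# Constructed sample announcements (not from the lab): what an upstream might
# send us, and what our own BGP table might try to send out.
INBOUND_V4 = ["0.0.0.0/0", "8.8.8.0/24", "10.1.2.0/24", "172.20.0.0/16",
              "192.0.2.0/24", "192.168.1.0/24", "196.200.221.0/24"]
OUTBOUND_V4 = ["196.200.220.32/28", "196.200.220.32/29", "196.200.220.0/24", "10.0.0.0/8"]
INBOUND_V6 = ["::/0", "2001:db8:1::/48", "2001:4348::/32", "fe80::/64", "fd00::/8",
              "2a00:1450::/32"]
OUTBOUND_V6 = ["2001:4348:220:10::/60", "2001:4348:220:10::/64", "2001:db8::/32"]

if __name__ == "__main__":
    lab = parse_prefix_lists(LAB_CONFIG)
    for name, offered in (("sanity-filter", INBOUND_V4), ("my-routes", OUTBOUND_V4),
                          ("v6sanity-filter", INBOUND_V6), ("my-v6routes", OUTBOUND_V6)):
        print(f"{name:16} permits {apply_filter(lab[name], offered)}")
```

Two results are worth looking at. The IPv4 sanity-filter passes the default route 0.0.0.0/0 while v6sanity-filter rejects ::/0, because the IPv6 entry has no "le" qualifier and so matches the default route exactly. And my-routes lets 196.200.220.32/28 through but drops 196.200.220.32/29, since a permit without "le" matches only that one prefix length; if you ever need to announce more-specifics you must widen the window explicitly.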