2.0.0 BGP advanced features: AS_Path Filter, Community Filter, ORF, peer group

Peer Group

BGP peer group

When multiple devices in the network have similar configurations, using peer groups can greatly reduce the input of configuration commands.

Similar to a port group, by creating a group and then adding members to it, you can uniformly manage the members in the group.

Case configuration 1


Taking AR2 as an example, configure an IBGP peer group and add AR6 and AR5 to it so that they can be managed with one set of configuration:

# Create the IBGP group in the BGP process
[AR2]bgp 100
[AR2-bgp]router-id 2.2.2.2
[AR2-bgp]group IBGP internal 
# Add the IBGP members to the group
[AR2-bgp]peer 10.1.26.6 group IBGP
[AR2-bgp]peer 10.1.25.5 group IBGP

Check the BGP configuration at this time and you can see that some commands are automatically completed:

bgp 100
 router-id 2.2.2.2
 group IBGP internal
 peer 10.1.25.5 as-number 100 
 peer 10.1.25.5 group IBGP 
 peer 10.1.26.6 as-number 100 
 peer 10.1.26.6 group IBGP 
 #
 ipv4-family unicast
  undo synchronization
  peer IBGP enable
  peer 10.1.25.5 enable
  peer 10.1.25.5 group IBGP 
  peer 10.1.26.6 enable
  peer 10.1.26.6 group IBGP 

Taking AR2 as an example, configure an EBGP peer group and add AR1 to it so that it can be managed with one set of configuration:

# Create the EBGP group and specify which AS the group belongs to.
# The next time an EBGP neighbor from that AS needs to be connected, simply add it to the group.
# The EBGP group is created the same way as the IBGP group above.
[AR2]bgp 100
[AR2-bgp]router-id 2.2.2.2
[AR2-bgp]group EBGP_200 external 
[AR2-bgp]peer EBGP_200 as-number 200

# Add the EBGP member AR1 to the group
[AR2-bgp]peer 10.1.12.1 group EBGP_200

Community Filter

The community attribute is a BGP private attribute of the optional transitive type. It is propagated between BGP peers and is not restricted by AS boundaries.

The community attribute can be used to enable a group of BGP devices in multiple ASs to share the same policy, thereby simplifying the application of routing policies and reducing the difficulty of maintenance and management.

When a BGP device advertises a route, it can add or change the community attribute of that route.

Personal note: the community value is similar to a Tag, except that a Tag can only be used in IGP protocols. BGP has no Tag field, but it does have the community attribute.

Well-known community attributes

Every BGP route carries a community attribute by default. The well-known community attributes are listed below.

Community attribute name, value, description:

  • Internet, 0 (0x00000000): after receiving a route with this attribute, the device can send the route to any BGP peer. By default, all routes belong to the Internet community.
  • No_Advertise, 4294967042 (0xFFFFFF02): after receiving a route with this attribute, the device does not send the route to any BGP peer.
  • No_Export, 4294967041 (0xFFFFFF01): after receiving a route with this attribute, the device does not send the route outside the AS.
  • No_Export_Subconfed, 4294967043 (0xFFFFFF03): after receiving a route with this attribute, the device does not send the route outside the AS; if a confederation is used, the route is also not advertised to other sub-ASs in the confederation.

Personal note: by default every route belongs to Internet; No_Advertise is not advertised to any peer (the receiving device only uses the route itself); No_Export is not propagated outside the AS (it only travels within its own AS); No_Export_Subconfed is sent neither outside the AS nor to other sub-ASs inside the confederation.

Community attribute format

The length of a Community attribute value is 32 bits and can be presented in two forms:

1. Decimal integer format.

2. AA:NN format, where AA is the AS number and NN is a number chosen by the administrator.

When modifying the community attribute in a route-policy, the optional parameters can be seen:
[AR6-route-policy]apply community ?
  INTEGER<0-4294967295>  Specify community number
  STRING<3-11>           Specify aa<0-65535>:nn<0-65535>
  
  internet               Internet(well-known community attributes)
  no-advertise           Do not advertise to any peer (well-known community     
                         attributes)
  no-export              Do not export to external peers(well-known community   
                         attributes)
  no-export-subconfed    Do not send outside a sub-confederation(well-known     
                         community attributes)
  none                   No community attribute

Case configuration 2

The following is a simple case. Both AR5 and AR6 learn the Loop100 route of AR9 and import it into IBGP.

AR2 then learns two BGP routes to the loopback interface of AR9, one with a cost (MED) of 2 and one with a cost of 20. If AR2 needs to distinguish these routes further, it must use other means.

For convenience, configure route-policies on AR6 and AR5 that add a specified community attribute when the routes are imported into BGP, so that AR2 can tell them apart quickly.


View the route details before the community attribute is configured on the route:

  • The default Community attribute Internet is not displayed.
<AR2>dis bgp routing-table 192.168.100.0

 BGP local router ID : 2.2.2.2
 Local AS number : 100
 Paths:   2 available, 1 best, 1 select
 BGP routing table entry information of 192.168.100.0/24:
 From: 10.1.26.6 (6.6.6.6)
 Route Duration: 00h05m48s  
 Relay IP Nexthop: 0.0.0.0
 Relay IP Out-Interface: GigabitEthernet0/0/0
 Original nexthop: 10.1.26.6
 Qos information : 0x0
 AS-path Nil, origin incomplete, MED 2, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255
 Not advertised to any peer yet

 BGP routing table entry information of 192.168.100.0/24:
 From: 10.1.25.5 (5.5.5.5)
 Route Duration: 00h05m55s  
 Relay IP Nexthop: 0.0.0.0
 Relay IP Out-Interface: GigabitEthernet0/0/2
 Original nexthop: 10.1.25.5
 Qos information : 0x0
 AS-path Nil, origin incomplete, MED 20, localpref 100, pref-val 0, valid, internal, pre 255, not preferred for MED
 Not advertised to any peer yet

Configuration commands

  • (1) Create a routing policy and add community attributes.
[AR6]route-policy Community_ospf_100-1 permit node 10
[AR6-route-policy]apply community 100:1

[AR5]route-policy Community_isis_100-2 permit node 10
[AR5-route-policy]apply community 100:2
  • (2) Apply the policy to the OSPF/ISIS route import, and enable community advertisement for the specified neighbor.
[AR6]bgp 100
[AR6-bgp]import ospf 1 route-policy Community_ospf_100-1 
[AR6-bgp]peer 10.1.26.2 advertise-community

[AR5]bgp 100
[AR5-bgp]import isis 1 route-policy Community_isis_100-2
[AR5-bgp]peer 10.1.26.2 advertise-community
  • After completing the operation, check the route details again and you can see Community: <AA:NN>.
<AR2>dis bgp routing-table 192.168.100.0

 BGP local router ID : 2.2.2.2
 Local AS number : 100
 Paths:   2 available, 1 best, 1 select
 BGP routing table entry information of 192.168.100.0/24:
 From: 10.1.26.6 (6.6.6.6)
 Route Duration: 00h13m40s  
 Relay IP Nexthop: 0.0.0.0
 Relay IP Out-Interface: GigabitEthernet0/0/0
 Original nexthop: 10.1.26.6
 Qos information : 0x0
 Community:<100:1>
 AS-path Nil, origin incomplete, MED 2, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255
 Not advertised to any peer yet

 BGP routing table entry information of 192.168.100.0/24:
 From: 10.1.25.5 (5.5.5.5)
 Route Duration: 00h13m17s  
 Relay IP Nexthop: 0.0.0.0
 Relay IP Out-Interface: GigabitEthernet0/0/2
 Original nexthop: 10.1.25.5
 Qos information : 0x0
 Community:<100:2>
 AS-path Nil, origin incomplete, MED 20, localpref 100, pref-val 0, valid, internal, pre 255, not preferred for MED
 Not advertised to any peer yet

Community attribute filtering

The above describes how to set community attributes. A community filter (Community-Filter) is like an ACL: it is used to match community attributes.

Like an ACL, a Community-Filter can be basic (numbered 1 to 99) or advanced (numbered 100 to 199).

[AR1]ip community-filter ?
  INTEGER<1-99>     Community-filter number (basic)
  INTEGER<100-199>  Community-filter number (advanced)
  advanced          Advanced community-filter
  basic             Basic community-filter
  
# Can be created by number
ip community-filter 1 permit ......

# Can be created by name
ip community-filter basic XXXX permit ......

Case configuration 3

  • To highlight the role of community attributes, the requirement shown in the figure is to prohibit advertising the ISIS routes to AR1.
  • By default, all active and optimal BGP routes are advertised to EBGP neighbors, so an export route-policy with a Community-Filter can be configured for the AR1 neighbor to exclude the routes carrying the ISIS community.
  • Currently, I most often come into contact with the basic Community-Filter, so I configure it based on that.


  • Since I drew the topology myself and the result cannot be seen intuitively, I first disconnected the link between AR2 and AR6 so that only the ISIS routes remain in the network. At this point, you can see that AR1 receives the ISIS routes by default.


Start configuring the filtering of routes by the ISIS community attribute:

  • (1) Create the community filter on AR2
[AR2]ip community-filter basic Filter_ISIS_Community permit 100:2
  • (2) Create a routing policy, match group attributes and set corresponding actions.

First deny the routes that match the community attribute, and then permit other routes.

[AR2]route-policy Filter_ISIS_Community deny node 10
[AR2-route-policy]if-match community-filter Filter_ISIS_Community
[AR2-route-policy]quit

[AR2]route-policy Filter_ISIS_Community permit node 20
[AR2-route-policy]quit
  • (3) Bind the routing policy to EBGP neighbor AR1
[AR2]bgp 100
[AR2-bgp]peer 10.1.12.1 route-policy Filter_ISIS_Community export
  • Finally, check the BGP routing table and confirm that AR1 no longer learns the ISIS routes.

AS_Path Filter

As the network grows, the BGP network may be interconnected with multiple ASs, and service routes may be separated from the local AS by several intervening ASs.

AS_Path-Filter (AS path filtering) is a filter that uses the BGP AS_Path attribute as its matching condition: it filters routes by the AS_Path list they carry.

  • If a router in the network does not want to receive routes from certain ASs , it can use AS_PathFilter to filter the routes carrying these AS numbers to reject certain routes.
  • Unlike other filtering functions, AS path filtering uses regular expression matching. For this reason, the scope and flexibility of matching have been greatly improved.

Only a few simple regular expression basics are used here:

^1    # Match AS paths starting with 1, such as 100, 1111, 100 200, etc.

2$    # Match AS paths ending with 2, such as 12, 100 102, etc.

.*    # Match everything.

100   # A bare number matches every AS path in which 100 appears, such as 100, 100 200, 300 100 200.

[100] # A number in square brackets indicates that only the AS path 100 is matched.

Configuration commands

  • An AS path filter is created with a number or a name, similar to an ACL.
[AR2]ip as-path-filter ?
  INTEGER<1-256>  Specify an access-list number
  STRING<1-51>    Specify an as-path-filter name
  • Create a filter entry that matches AS paths containing 100 200
[AR2]ip as-path-filter 1 deny "100 200"
  • Multiple entries can be created in one filter. By default, they are matched from top to bottom.
# First permit 100 200, then permit 200 300, and finally deny everything else with .*
ip as-path-filter 1 permit "100 200"
ip as-path-filter 1 permit "200 300"
[AR2]ip as-path-filter 1 deny .*

Case configuration 4

  • As shown in the figure, AR1 and AR3 publish the loopback interfaces into BGP. By default, AR2 can learn the loopback interface routes of AR1 and AR3.
  • It is required to filter routes from AS200 (but not filter those from AS300).


  • By default, AR2's BGP routing table looks as follows.
  • The AS-Path of each route can be read from the Path/Ogn column.
[AR2]dis bgp routing-table 
 Total Number of Routes: 4
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   192.168.1.0        10.1.12.1       0                     0      200i
 *>   192.168.3.0        10.1.12.1                             0      200 300i
  • (1) Create an AS path filter that matches only routes originating from AS200 (matching only AS path 200, not 200 300).

^200$ means: match an AS path that starts with 200 and ends with 200, that is, match only the AS path 200.

[AR2]ip as-path-filter 1 permit ^200$
  • (2) Create routing policy
[AR2]route-policy Filter_AS200_AS-path deny node 10
[AR2-route-policy]if-match as-path-filter 1
[AR2-route-policy]quit

[AR2]route-policy Filter_AS200_AS-path permit node 20
[AR2-route-policy]quit
  • (3) Bind routing policy

Because the routes enter AR2 from AR1, the binding direction is import.

[AR2-bgp]peer 10.1.12.1 route-policy Filter_AS200_AS-path import 

Although an export policy was bound to this neighbor earlier, the two commands do not overwrite each other because their directions do not conflict.

peer 10.1.12.1 route-policy Filter_ISIS_Community export

peer 10.1.12.1 route-policy Filter_AS200_AS-path import

If the directions are the same, only one route-policy can be bound per direction, so you need to create a new route-policy that merges the two.

  • After the configuration is complete, check AR2's BGP routing table again.
[AR2]dis bgp routing-table 
 Total Number of Routes: 7
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   192.168.3.0        10.1.12.1                             0      200 300i
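Cases 3 and 4 above each build a route-policy whose node 10 denies the routes matched by a filter and whose node 20 permits everything else. The Python below is an added example, not code from the post or from Huawei: it models community values, a basic community-filter, an as-path-filter and route-policy node evaluation, and applies them to routes constructed to mirror the two cases. The filter semantics (a basic community-filter matches when the route carries every listed value; as-path-filter entries are tried top to bottom with an implicit deny) are assumptions simplified from the post's description, not the vendor's implementation.

```python
import re
# Added example, not the post's own code: a simplified model of the VRP constructs
# it configures (communities, community-filter, as-path-filter, route-policy).
WELL_KNOWN = {  # RFC 1997 values from the post's table; filter semantics below are assumptions
    "internet": 0x00000000, "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02, "no-export-subconfed": 0xFFFFFF03,
}

def parse_community(text):
    """Accept a well-known name, a decimal integer, or AA:NN; return the 32-bit value."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if ":" in text:
        aa, nn = (int(part) for part in text.split(":", 1))
        if not (0 <= aa <= 65535 and 0 <= nn <= 65535):
            raise ValueError(f"AA:NN out of range: {text}")
        return (aa << 16) | nn
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"community outside 32-bit range: {text}")
    return value

def format_community(value):
    """Render a 32-bit community as AA:NN, as 'display bgp routing-table' shows it."""
    return f"{value >> 16}:{value & 0xFFFF}"

def community_filter(*entries):
    """Basic community-filter (assumed): match when the route carries every listed value."""
    wanted = {parse_community(e) for e in entries}
    return lambda route: wanted <= set(route["communities"])

def as_path_filter(rules):
    """as-path-filter: (action, regex) entries tried top to bottom; first hit decides, no hit = no match."""
    def matches(route):
        path = " ".join(str(asn) for asn in route["as_path"])
        for action, pattern in rules:
            if re.search(pattern, path):
                return action == "permit"
        return False
    return matches

def route_policy(nodes):
    """route-policy: the first node whose if-match clauses all hold decides; no node hit means deny."""
    def evaluate(route):
        for action, conditions in nodes:
            if all(cond(route) for cond in conditions):
                return action == "permit"
        return False
    return evaluate

# Constructed routes mirroring cases 3 and 4 of the post.
ISIS_ROUTE = {"communities": [parse_community("100:2")], "as_path": []}
OSPF_ROUTE = {"communities": [parse_community("100:1")], "as_path": []}
AS200_ROUTE = {"communities": [], "as_path": [200]}       # 192.168.1.0, Path 200
AS300_ROUTE = {"communities": [], "as_path": [200, 300]}  # 192.168.3.0, Path 200 300
FILTER_ISIS = route_policy([("deny", [community_filter("100:2")]), ("permit", [])])
FILTER_AS200 = route_policy([("deny", [as_path_filter([("permit", r"^200$")])]), ("permit", [])])
```

FILTER_ISIS drops only the 100:2 route and FILTER_AS200 drops only the route whose whole AS_Path is 200, which is the behaviour the two displays above show.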

ORF

ORF (Outbound Route Filtering)

The route filtering policy configured on the local device can be sent to the BGP neighbor through route-refresh messages.

The BGP neighbor then applies that policy when it sends routes, and sends only the routes the local device needs. This prevents the local device from receiving a large number of useless routes and reduces its CPU usage, and it also reduces the configuration work on the BGP neighbor and the link bandwidth used.

Personal note: ORF makes the peer send only the specified routes, avoiding the transmission of many useless routes.

It is mainly used when the local device wants its BGP neighbor to send only the routes it needs, but the neighbor is unwilling to maintain different export policies for different devices. In that case the BGP ORF feature can be used (put simply: the neighbor applies a policy for that one device).

Case configuration 5

  • AR1 is required to use ORF so that it receives only the 192.168.31.0/24 route from AR3.


  • Check the current BGP routing status of AR1
<AR1>dis bgp routing-table 

 Total Number of Routes: 6
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   192.168.3.0        10.1.13.3       0                     0      300i
 *>   192.168.31.0       10.1.13.3       0                     0      300i
  • (1) ORF filters routes with a prefix list, so the first step is to create a prefix list.
# For example: match the route 192.168.31.0/24
[AR1]ip ip-prefix 1 permit 192.168.31.0 24
  • (2) Bind the prefix list (number 1) to the neighbor and allow ORF messages to be sent to it
[AR1]bgp 200
[AR1-bgp]peer 10.1.13.3 ip-prefix 1 import 
[AR1-bgp]peer 10.1.13.3 capability-advertise orf ip-prefix send 

peer <neighbor> capability-advertise orf ip-prefix <action>

There are three main actions: both, send, and receive.

After binding a prefix list to a neighbor, specify the neighbor's ORF action, for example send, which sends the local prefix-list policy to the peer.

The peer must be configured to receive for the ORF function to work.

  • Doubt: the prefix list is bound, so what happens if ORF is not configured?

After binding the policy, only the specified routes are accepted.

However, the peer still sends all of its routes and the local device merely filters out the ones it needs, which wastes a lot of link bandwidth.

  • At this time, AR1’s BGP routing table:
<AR1>dis bgp routing-table
 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   192.168.31.0       10.1.13.3       0                     0      300
  • But at this time, the routes advertised by AR3 to AR1 are:
<AR3>display bgp routing-table peer 10.1.13.1 advertised-routes 

 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn

 *>   192.168.3.0        10.1.13.3       0                     0      300i
 *>   192.168.31.0       10.1.13.3       0                     0      300i

To cut down the large number of useless routes advertised by AR3, the ORF function must be enabled on AR3 as well.

  • (3) Configure the neighbor router to receive ORF messages.
[AR3]bgp 300
[AR3-bgp]peer 10.1.13.1 capability-advertise orf ip-prefix receive 
  • At this time, check the routes advertised by AR3 to AR1 and find that only the routes required by AR1 are advertised.
<AR3>display bgp routing-table peer 10.1.13.1 advertised-routes 

 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   192.168.31.0       10.1.13.3       0                     0      300i

Expand

Since the ORF capability codes used by some vendors' devices differ from the capability codes specified in the RFC, you can configure the non-standard-compatible parameter to interoperate with those devices.

If the non-standard-compatible parameter is not added, ORF negotiation with such devices may fail.

Origin blog.csdn.net/qq_45443704/article/details/135409199