Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Inbound route filtering

A common requirement for BGP configurations is to filter inbound routing announcements from a BGP peer. On the Vyatta router this is accomplished using routing policies that are then applied to the BGP process as “import” policies. In this instance we use prefix lists in conjunction with route maps to accomplish this.

The procedure in the following table creates these inbound filtering policies:

  • R1 should only accept network 12.0.0.0/8 from its eBGP peer, and reject everything else.
  • R4 should allow all Internet routes, but reject all RFC 1918 networks from its eBGP peer.

This import policy is shown in the following figure.

Note: We assume that the routers in AS100 have been configured for iBGP and eBGP as shown and that the routers in AS200 and AS300 are configured appropriately as eBGP peers.

Figure 1. Filtering inbound routes

To create this inbound route filter, perform the following steps in configuration mode.

Table 1. Creating an import policy

Router

Step

Commands

R1

Create a list of prefixes to allow. In this case there is just one: 12.0.0.0/8.

vyatta@R1# set policy prefix-list ALLOW-PREFIXES rule 1 action permit
vyatta@R1# set policy prefix-list ALLOW-PREFIXES rule 1 prefix 12.0.0.0/8

R1

Create a route map rule to permit all prefixes in our list.

vyatta@R1# set policy route-map eBGP-IMPORT rule 10 action permit
vyatta@R1# set policy route-map eBGP-IMPORT rule 10 match ip address prefix-list ALLOW-PREFIXES

R1

Create a route map rule to deny all other prefixes.

vyatta@R1# set policy route-map eBGP-IMPORT rule 20 action deny

R1

Assign the route map policy created as the import route map policy for AS 200.

vyatta@R1# set protocols bgp 100 neighbor 88.88.88.2 address-family ipv4-unicast route-map import eBGP-IMPORT

R1

Commit the configuration.

vyatta@R1# commit

R1

Reset the BGP session to the peer so that the new policies are enabled.

vyatta@R1# run reset ip bgp 88.88.88.2

R1

Display the policy configuration.

vyatta@R1# show policy
 prefix-list ALLOW-PREFIXES {
     rule 1 {
         action permit
         prefix 12.0.0.0/8
     }
 }
 route-map eBGP-IMPORT {
     rule 10 {
         action permit
         match {
             ip {
                 address {
                     prefix-list ALLOW-PREFIXES
                 }
             }
         }
     }
     rule 20 {
         action deny
     }
 }
vyatta@R1#

R1

Display the BGP configuration for eBGP neighbor 88.88.88.2.

vyatta@R1# show protocols bgp 100 neighbor 88.88.88.2 {
         address-family {
             ipv4-unicast {
                 route-map {
                     import eBGP-IMPORT
                 }
             }
             ipv6-unicast {
             }
         }
         ebgp-multihop 1
         remote-as 200
     }
vyatta@R1#

R4

Create a prefix-list rule that matches 10.0.0.0/8 and any more-specific prefix within it, up to a prefix length of 32.

vyatta@R4# set policy prefix-list RFC1918PREFIXES rule 1 action permit
vyatta@R4# set policy prefix-list RFC1918PREFIXES rule 1 le 32
vyatta@R4# set policy prefix-list RFC1918PREFIXES rule 1 prefix 10.0.0.0/8

R4

Commit the configuration.

vyatta@R4# commit

R4

Create a route map rule to deny all prefixes in our list.

vyatta@R4# set policy route-map eBGP-IMPORT rule 10 action deny
vyatta@R4# set policy route-map eBGP-IMPORT rule 10 match ip address prefix-list RFC1918PREFIXES

R4

Create a route map rule to permit all other prefixes.

vyatta@R4# set policy route-map eBGP-IMPORT rule 20 action permit

R4

Commit the configuration.

vyatta@R4# commit

R4

Assign the route map policy created as the import route map policy for AS 300.

vyatta@R4# set protocols bgp 100 neighbor 99.99.99.2 address-family ipv4-unicast route-map import eBGP-IMPORT

R4

Commit the configuration.

vyatta@R4# commit

R4

Reset the BGP session to the peer so that the new policies are enabled.

vyatta@R4# run reset ip bgp 99.99.99.2

R4

Display the policy configuration.

vyatta@R4# show policy
 route {
     prefix-list RFC1918PREFIXES {
         rule 1 {
             action permit
             le 32
             prefix 10.0.0.0/8
         }
     }
     route-map eBGP-IMPORT {
         rule 10 {
             action deny
             match {
                 ip {
                     address {
                         prefix-list RFC1918PREFIXES
                     }
                 }
             }
         }
         rule 20 {
             action permit
         }
     }
 }
vyatta@R4#

R4

Display the BGP configuration for eBGP neighbor 99.99.99.2.

vyatta@R4# show protocols bgp 100 neighbor 99.99.99.2
         address-family {
             ipv4-unicast {
                 route-map {
                     import eBGP-IMPORT
                 }
             }
             ipv6-unicast {
             }
         }
         ebgp-multihop 1
         remote-as 300
     }
vyatta@R4#
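
An offline model of the two import policies in Table 1, added here as an example (not Vyatta code or output). It assumes the usual first-match prefix-list and route-map semantics and runs constructed sample announcements through both route maps; the dictionary layout and function names are hypothetical.

```python
import ipaddress

# Policies transcribed from the R1 and R4 steps above.
PREFIX_LISTS = {
    "ALLOW-PREFIXES": [{"action": "permit", "prefix": "12.0.0.0/8"}],
    "RFC1918PREFIXES": [{"action": "permit", "prefix": "10.0.0.0/8", "le": 32}],
}
R1_IMPORT = [{"action": "permit", "prefix_list": "ALLOW-PREFIXES"}, {"action": "deny"}]
R4_IMPORT = [{"action": "deny", "prefix_list": "RFC1918PREFIXES"}, {"action": "permit"}]

# Constructed sample announcements, not taken from a real peer.
SAMPLE_ROUTES = ["12.0.0.0/8", "12.1.0.0/16", "10.0.0.0/8", "10.20.30.0/24",
                 "172.16.0.0/12", "192.168.1.0/24", "8.8.8.0/24"]


def prefix_list_permits(rules, route):
    """First matching rule decides; a route that matches no rule is denied."""
    net = ipaddress.ip_network(route)
    for rule in rules:
        base = ipaddress.ip_network(rule["prefix"])
        ge, le = rule.get("ge"), rule.get("le")
        if ge is None and le is None:
            lo = hi = base.prefixlen          # no ge/le: exact length only
        else:
            lo = ge if ge is not None else base.prefixlen
            hi = le if le is not None else base.max_prefixlen
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return rule["action"] == "permit"
    return False


def route_map_action(route_map, route):
    """Return the action of the first route-map rule whose match succeeds."""
    for rule in route_map:
        name = rule.get("prefix_list")
        # A rule with no match clause matches every route.
        if name is None or prefix_list_permits(PREFIX_LISTS[name], route):
            return rule["action"]
    return "deny"  # implicit deny when no rule matches


def evaluate(route_map):
    return {r: route_map_action(route_map, r) for r in SAMPLE_ROUTES}


if __name__ == "__main__":
    for name, rm in (("R1", R1_IMPORT), ("R4", R4_IMPORT)):
        for route, action in evaluate(rm).items():
            print(f"{name} {route:<16} {action}")
```

The result shows two things the steps do not spell out: ALLOW-PREFIXES has no `le`, so R1 rejects more-specifics such as 12.1.0.0/16, and RFC1918PREFIXES as configured covers only 10.0.0.0/8, so R4 still accepts 172.16.0.0/12 and 192.168.1.0/24 until rules for those blocks are added.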