Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Outbound route filtering

Filtering outbound prefixes is another common BGP configuration requirement. On the Vyatta router this is accomplished using routing policies that are then applied to the BGP process as “export” policies.

The example in this section assumes that AS 100 does not want to be a transit AS for AS 200 or AS 300. This means that:

  • eBGP routes from R1's eBGP peer (AS 200) should not be sent to R4's eBGP peer.
  • Routes from R4's eBGP peer (AS 300) should not be sent to R1's eBGP peer.

If we did not implement this filtering, AS 300 might send traffic destined for AS 200 to router R4, and this traffic would then be carried across the AS 100 network.

There are several ways that this routing policy could be implemented; the two most common are basing the filter on the network prefix or basing it on the AS path. In this example, we update the existing BGP export policy to add some additional restrictions that will prevent AS 100 from acting as a transit network for AS 200 and AS 300.

This export policy is shown in the following figure.

Note: We assume that the routers in AS 100 have been configured for iBGP and eBGP as shown and that the routers in AS 200 and AS 300 are configured appropriately as eBGP peers.

Figure 1. Filtering outbound routes

To create this export policy, perform the following steps in configuration mode.

Table 1. Creating an export policy

Router | Step | Commands

R1

Create a list of AS paths to deny. In this case we just have one - AS300.

vyatta@R1# set policy route as-path-list AS300 rule 1 action permit
vyatta@R1# set policy route as-path-list AS300 rule 1 regex 300

R1

Create a route map rule to deny all AS paths in our list.

vyatta@R1# set policy route route-map eBGP-EXPORT rule 10 action deny
vyatta@R1# set policy route route-map eBGP-EXPORT rule 10 match as-path AS300

R1

Create a route map rule to permit all other prefixes.

vyatta@R1# set policy route route-map eBGP-EXPORT rule 20 action permit

R1

Assign the route map policy created as the export and import route map policy for AS 200.

vyatta@R1# set protocols bgp 100 neighbor 88.88.88.2 remote-as 200
vyatta@R1# set protocols bgp 100 neighbor 88.88.88.2 address-family ipv4-unicast route-map export eBGP-EXPORT
vyatta@R1# set protocols bgp 100 neighbor 88.88.88.2 address-family ipv4-unicast route-map import eBGP-IMPORT
vyatta@R1# set protocols bgp 100 neighbor 88.88.88.2 ebgp-multihop 1

R1

Commit the configuration.

vyatta@R1# commit

R1

Reset the BGP session to the peer so that the new policies are enabled.

vyatta@R1# run reset ip bgp 88.88.88.2

R1

Display the policy configurations.

vyatta@R1# show policy
 route {
     as-path-list AS300 {
         rule 1 {
             action permit
             regex 300
         }
     }
     route-map eBGP-EXPORT {
         rule 10 {
             action deny
             match {
                 as-path AS300
             }
         }
         rule 20 {
             action permit
         }
     }

R1

Display the BGP configuration for eBGP neighbor 88.88.88.2.

vyatta@R1# show protocols bgp 100 neighbor 88.88.88.2
 address-family {
     ipv4-unicast {
         route-map {
             export eBGP-EXPORT
             import eBGP-IMPORT
         }
     }
 }
 ebgp-multihop 1
 remote-as 200

R4

Create a list of AS paths to deny. In this case we just have one - AS200.

vyatta@R4# set policy route as-path-list AS200 rule 1 action permit
vyatta@R4# set policy route as-path-list AS200 rule 1 regex 200
vyatta@R4# commit

R4

Create a route map rule to deny all AS paths in our list.

vyatta@R4# set policy route route-map eBGP-EXPORT rule 10 action deny
vyatta@R4# set policy route route-map eBGP-EXPORT rule 10 match as-path AS200

R4

Create a route map rule to permit all other prefixes.

vyatta@R4# set policy route route-map eBGP-EXPORT rule 20 action permit
vyatta@R4# commit

R4

Assign the route map policy created as the export route map policy for AS 300.

vyatta@R4# set protocols bgp 100 neighbor 99.99.99.2 address-family ipv4-unicast route-map export eBGP-EXPORT

R4

Commit the configuration.

vyatta@R4# commit

R4

Reset the BGP session to the peer so that the new policies are enabled.

vyatta@R4# run reset ip bgp 99.99.99.2

R4

Display the policy configurations.

vyatta@R4# show policy
 route {
     as-path-list AS200 {
         rule 1 {
             action permit
             regex 200
         }
     }
     prefix-list RFC1918PREFIXES {
         rule 1 {
             action permit
             le 32
             prefix 10.0.0.0/8
         }
     }
     route-map eBGP-EXPORT {
         rule 10 {
             action deny
             match {
                 as-path AS200
             }
         }
         rule 20 {
             action permit
         }
     }
     route-map eBGP-IMPORT {
         rule 10 {
             action deny
             match {
                 ip {
                     address {
                         prefix-list RFC1918PREFIXES
                     }
                 }
             }
         }
         rule 20 {
             action permit
         }
     }
 }

R4

Display the BGP configuration for eBGP neighbor 99.99.99.2.

vyatta@R4# show protocols bgp 100 neighbor 99.99.99.2
 address-family {
     ipv4-unicast {
         route-map {
             import eBGP-IMPORT
         }
         soft-reconfiguration {
             inbound
         }
     }
     ipv6-unicast {
     }
 }
 ebgp-multihop 1
 remote-as 300
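
The as-path-list regexes used above (`300` and `200`) are unanchored, so how much they match depends on the regex semantics. The following Python model is an added example, not Vyatta code or router output: it evaluates the eBGP-EXPORT rule order over constructed AS paths and compares `300` with the delimiter-anchored `_300_`. It assumes that the regex is applied as an unanchored search over the AS path string and that the router accepts the Cisco/Quagga-style `_` token; the prefixes, AS paths and function names are made up for the illustration.

```python
import re

# Assumption: "_" is the Cisco/Quagga-style token that matches the start or
# end of the AS path string, or a delimiter between AS numbers.
DELIM = r"(?:^|$|[ ,{}()])"

# Constructed sample routes (documentation prefixes, made-up AS paths) as
# R1 in AS 100 might hold them before exporting to its peer in AS 200.
ROUTES = {
    "192.0.2.0/24": [300],            # originated by AS 300
    "198.51.100.0/24": [300, 64999],  # transits AS 300
    "203.0.113.0/24": [],             # originated locally in AS 100
    "198.18.0.0/24": [3000],          # unrelated AS 3000
    "198.19.0.0/24": [65300],         # unrelated AS 65300
}


def as_path_matches(regex, as_path):
    """Unanchored search of the regex over the space-separated AS path."""
    text = " ".join(str(asn) for asn in as_path)
    return re.search(regex.replace("_", DELIM), text) is not None


def export_action(regex, as_path):
    """Model of eBGP-EXPORT: rule 10 denies on as-path match, rule 20 permits."""
    if as_path_matches(regex, as_path):  # rule 10: action deny
        return "deny"
    return "permit"                      # rule 20: action permit


def evaluate(regex):
    """Return {prefix: action} for every constructed route."""
    return {prefix: export_action(regex, path) for prefix, path in ROUTES.items()}


if __name__ == "__main__":
    for regex in ("300", "_300_"):
        print(f"as-path-list regex {regex!r}")
        for prefix, action in evaluate(regex).items():
            print(f"  {prefix:<16} path={ROUTES[prefix]!s:<14} {action}")
```

In this model, `300` also denies the routes whose paths contain AS 3000 and AS 65300, while `_300_` denies only paths that contain AS 300 as a whole AS number.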