BGP IPv6 Route Filtering on Cisco IOS

ReneMolenaar · December 29, 2016, 5:39pm

This topic is to discuss the following lesson:

https://networklessons.com/bgp/bgp-ipv6-route-filtering-on-cisco-ios/

dmsanch1 · December 7, 2015, 6:25pm

Hi Rene,

I think that it is a errata:

This prefix-list checks the entire 2001::/16 range and permits subnets with a /64 or larger.

It should be:

This prefix-list checks the entire 2001::/16 range and permits subnets with a /64 o smaller

Thanks you

ReneMolenaar · December 7, 2015, 7:53pm

Hi Diego,

Thanks for the message, this sentence is correct though. Take a look at the prefix-list:

ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64

The “le 64” part means that it will match /64, /63, /62, /61, /60, etc. All of these are “larger” subnets than /64.

Rene

jorotz · March 20, 2016, 3:49am

Hi Rene
Great lesson!
you might want to fix the BGP configuration for R2

R2(config)#router bgp 1
R2(config-router)#bgp router-id 2.2.2.2
R2(config-router)#neighbor 2001:db8:0:12::1 remote-as 2
R2(config-router)#address-family ipv6
R2(config-router-af)#neighbor 2001:db8:0:12::2 activate

Thank you

ReneMolenaar · March 20, 2016, 12:11pm

Thanks Georgi! Just fixed it.

ethel_13mx · April 10, 2016, 10:19pm

Hello Rene,

I was doing a LAB and I discovered something interesting and I wanted to ask you why:

which is the difference to have the next route-map here:

router bgp 21
 no synchronization
 bgp router-id 15.15.15.15
 bgp log-neighbor-changes
 neighbor 2001:DB8:12::1 remote-as 20
 neighbor 2001:DB8:12::1 route-map BLOCK_MAP in &lt;------------
 no auto-summary
 !
 address-family ipv6
  neighbor 2001:DB8:12::1 activate
  neighbor 2001:DB8:12::1 prefix-list NET64 in
 exit-address-family

OR HERE

router bgp 21
 no synchronization
 bgp router-id 15.15.15.15
 bgp log-neighbor-changes
 neighbor 2001:DB8:12::1 remote-as 20
 no auto-summary
 !
 address-family ipv6
  neighbor 2001:DB8:12::1 activate
  neighbor 2001:DB8:12::1 prefix-list NET64 in
  neighbor 2001:DB8:12::1 route-map BLOCK_MAP in &lt;------

Both, the router accept the commands but only with the second one works perfectly.

ReneMolenaar · April 17, 2016, 10:10pm

Hi Diana,

I’d have to test this to confirm it but when you configure it under the main BGP process then it only applies to the IPv4 address family, even though you can establish a neighbor adjacency through IPv6.

The IPv6 address family is where you configure everything…including route-maps.

If you want to confirm this, you can advertise some IPv4 prefixes…see if the route-map matches your IPv4 routes. I think it will.

Rene

hengsovandara1345 · March 7, 2018, 8:38am

Hello Rene
Is this order of operation apply on with IP6 filtering only?

lagapidis · March 9, 2018, 8:07am

Hello Heng.

The order of operation is the same for IPv4 as well.

I hope this has been helpful.

Laz

mailofdaniell · May 20, 2018, 7:51pm

Cisco documentation from 2016 provides different order for outbound filtering:

For inbound updates the order of preference is:
route-map
filter-list
prefix-list, distribute-list

For outbound updates the order of preference is:

filter-list
route-map | unsuppress-map
advertise-map (conditional-advertisement)
prefix-list|distribute-list
ORF prefix-list (a prefix-list the neighbor sends us)

ReneMolenaar · May 22, 2018, 3:10pm

Thanks for sharing this Danil, These things sometimes change, depending on the platform and/or IOS version

mayorade2000 · April 15, 2019, 5:37pm

@ReneMolenaar @lagapidis have a question concerning the filter-list filtering. This may sound like a silly question. Why did you do the configurations to add AS 11 to the AS path out going 2001:db8:0:1::/64 traffic on R1. Why didn’t you do it on router R2?.

R1(config)#router bgp 1
R1(config-router)#address-family ipv6
R1(config-router-af)#**neighbor 2001:db8:0:12::2** route-map PREPEND out

Since we are using the neighbor command. Shouldn’t the command be affecting the neighbor router and not the local router. Please, i need clarification.

lagapidis · April 16, 2019, 5:13pm

Hello Mayowa

The PREPEND command will add AS 11 to the AS path when R1 advertises the specific route to R2. So if R1 tells R2 that the path to the destination is through AS1 and AS11, then these two ASs will be added to the BGP table of R2 which is what we want to do.

I hope this has been helpful!

Laz

mayorade2000 · April 17, 2019, 1:55pm

@lagapidis I understand. I am just a little bit confuse because when you use the neighbor command, it is most time used to configure things on neighbor router. But in this case, it is used to configure AS-PATH on the local Router (R1). What if instead of doing:

R1(config)#neighbor 2001:db8:0:12::2 route-map PREPEND out

i do the configurations from R2. I configure the ipv6 prefix-list and route-map on R2 and then use the command;

R2(config)#neighbor 2001:db8:0:12::1 route-map PREPEND out

Will this also work?.

lagapidis · April 18, 2019, 5:18pm

Hello Mayowa

I understand your confusion. When you implement the neighbor command, it is used to create the neighbor relationship. It is also used to configure parameters that pertain to the relationship. But it is never used to configure anything on the neighboring router. Whenever a route map is used in a network command, it always filters the advertisements on that relationship. The in or out keywords indicate which direction is filtered.

Now if you were to implement the command you state above, it would enable filtering for the advertisement of routes from R2 to R1. It does not affect the local BGP table, but it affects what information is sent to R1.

Now one option would be to use the same command but use the in keyword instead. This would work, but is not best practice, because it requires that the advertisement be sent, (which uses both CPU and bandwidth) and that it be filtered locally, (which uses CPU). It’s always better to filter closer to the source.

I hope this has been helpful!

Laz

mayorade2000 · April 19, 2019, 5:19pm

@lagapidis thank you for clearing that out. That helped me a lot. Now i have a better understanding.

Giovanni · August 19, 2019, 3:31am

Hi,

There is an error in your last configuration on R1.

hostname R1
!
ipv6 unicast-routing
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:0:12::1/64
!
interface Loopback0
 ipv6 address 2001:DB8:0:1::1/64
!
interface Loopback1
 ipv6 address 2001:DB8:0:11::1/64
!
interface Loopback2
 ipv6 address 2001:DB8:0:111::1/64
!
interface Loopback3
 ipv6 address 2001:DB8:0:1111::1/64
!
router bgp 1
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor 2001:DB8:0:12::2 remote-as 2
 !
 address-family ipv4
  neighbor 2001:DB8:0:12::2 activate
  neighbor 2001:DB8:0:12::2 route-map PREPEND out
 exit-address-family
 !
 address-family ipv6
  network 2001:DB8:0:1::/64
  network 2001:DB8:0:11::/64
  network 2001:DB8:0:111::/64
  network 2001:DB8:0:1111::/96

---

interface Loopback3
 ipv6 address 2001:DB8:0:1111::1/64

must be /96 to be advertised by MP-BGP.

ReneMolenaar · August 21, 2019, 1:35pm

Thank you Giovanni, I just fixed this.

Rene

bvesel · September 19, 2019, 5:59pm

Hello Rene.
There is a little typo in configuration example (lost “ipv6”).

ReneMolenaar · September 23, 2019, 10:08am

Hi Boris,

It’s not a requirement to type it. Here’s an example:

Router(config)#ipv6 access-list THIRD_LOOPBACK
Router(config-ipv6-acl)#permit 2001:db8:0:11::/64 any

The router adds ipv6 automatically:

Router#show access-lists THIRD_LOOPBACK
IPv6 access list THIRD_LOOPBACK
    permit ipv6 2001:DB8:0:11::/64 any sequence 10

Rene