BGP filter processing order
I've found many different results from various places regarding the BGP filter processing order; apparently the order changed at some point in IOS history, etc.
Anyway, the results I've seen tally up against what was seen in this thread: BGP incoming routes processing. - IEOC - INE's Online Community.
Lots of wrong info out there, even in "BGP Design and Implementation".
I was trying to think of a practical way to verify this order; all I could think of doing was using AS prepend vs an AS-path list, but that won't work, as the prepend isn't going to be matched against in any case due to the following rule.
The AS-path filters always match the actual AS-path received from the BGP neighbor (when applied in the inbound direction) or the AS-path of the entry in the BGP table (when applied in the outbound direction).
All I could do was look at the BGP update debug on ingress to work out which got processed first. The main thing to know here is that once any of the filters blocks a prefix, it gets blocked regardless of the other filters.
Inbound filter processing order:
1) Filter-list
2) Prefix-list/distribute-list
3) Route-map
Since there was no practical way of testing this, I can't see a reason to need to know the order, hence this info is useless, but still nice to know.
The kind of irrelevant info that you might need to know for the written exam, hoping that whoever wrote the exam actually knows the correct answer.
Below are the log results to prove the order using 12.4 code.
Cisco IOS Software, Solaris Software (UNIX-ADVENTERPRISEK9-M), Version 12.4(24)T4, DEVELOPMENT TEST SOFTWARE
Rack1R3#
Inbound Filtering
Rack1R3#sh ip bgp 15.15.1.0/24
BGP routing table entry for 15.15.1.0/24, version 108
Paths: (3 available, best #1, table Default-IP-Routing-Table)
Advertised to update-groups:
2 3 4
100
155.1.13.1 from 155.1.13.1 (150.1.1.1)
Origin IGP, localpref 100, valid, external, best
100
155.1.45.4 (metric 27309056) from 155.1.0.5 (150.1.5.5)
Origin IGP, metric 0, localpref 100, valid, internal
Community: 200:200 400:400 600:600
300 100
155.1.37.7 from 155.1.37.7 (150.1.7.7)
Origin IGP, localpref 100, valid, external
Rack1R3#
ip prefix-list Block_subnet_1 seq 5 deny 15.15.1.0/24
ip prefix-list Block_subnet_1 seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list Allow_subnet_1 seq 5 permit 15.15.1.0/24
!
route-map From_R1 deny 10
match ip address prefix-list Allow_subnet_1
route-map From_R1 permit 20
!
ip as-path access-list 1 deny ^100$
ip as-path access-list 1 permit .*
!
router bgp 200
neighbor 155.1.13.1 route-map From_R1 in
neighbor 155.1.13.1 filter-list 1 in
neighbor 155.1.13.1 prefix-list Block_subnet_1 in
!
Rack1R3#sh ip bgp neigh 155.1.13.1 | i coming
Incoming update prefix filter list is Block_subnet_1
Incoming update AS path filter list is 1
Route map for incoming advertisements is From_R1
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 1
Rack1R3#
Rack1R3#sh ip prefix-list Block_subnet_1
ip prefix-list Block_subnet_1: 2 entries
seq 5 deny 15.15.1.0/24
seq 10 permit 0.0.0.0/0 le 32
Rack1R3#sh ip as-path-access-list 1
AS path access list 1
deny ^100$
permit .*
Rack1R3#show route-map From_R1
route-map From_R1, deny, sequence 10
Match clauses:
ip address prefix-lists: Allow_subnet_1
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map From_R1, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Rack1R3#
Rack1R3(config)#access-list 1 permit host 15.15.1.0
Rack1R3(config)#exit
Rack1R3#debug ip bgp 155.1.13.1 updates 1
BGP updates debugging is on for access list 1 for neighbor 155.1.13.1 for address family: IPv4 Unicast
Rack1R3#
Rack1R3#clear ip bgp 155.1.13.1 in
Rack1R3#
*Aug 30 10:06:06.990: BGP(0): 155.1.13.1 rcvd UPDATE w/ attr: nexthop 155.1.13.1, origin i, merged path 100, AS_PATH
*Aug 30 10:06:06.990: BGP(0): 155.1.13.1 rcvd 15.15.1.0/24 -- DENIED due to: filter-list;
*Aug 30 10:06:07.002: BGP(0): 155.1.13.1 send UPDATE (prepend, chgflags: 0x9C0) 15.15.1.0/24, next 155.1.13.3, metric 0, AS_PATH 100, extended community
*Aug 30 10:06:07.014: BGP(0): updgrp 4 - 155.1.13.1 updates replicated for neighbors: 155.1.37.7
*Aug 30 10:06:07.018: BGP(0): updgrp 4 - 155.1.13.1 updates replicated for neighbors: 155.1.37.7
Rack1R3#
Rack1R3#sh runn | sec router bgp
router bgp 200
no synchronization
bgp log-neighbor-changes
network 16.16.1.0 mask 255.255.255.0
neighbor 155.1.0.5 remote-as 200
neighbor 155.1.13.1 remote-as 100
neighbor 155.1.13.1 prefix-list Block_subnet_1 in
neighbor 155.1.13.1 route-map From_R1 in
neighbor 155.1.13.1 filter-list 1 in
neighbor 155.1.23.2 remote-as 200
neighbor 155.1.23.2 route-reflector-client
neighbor 155.1.37.7 remote-as 300
neighbor 155.1.58.8 remote-as 200
neighbor 155.1.58.8 route-reflector-client
neighbor 155.1.108.10 remote-as 200
neighbor 155.1.108.10 route-reflector-client
no auto-summary
Rack1R3#
Rack1R3(config)#router bgp 200
Rack1R3(config-router)#no neighbor 155.1.13.1 filter-list 1 in
Rack1R3(config-router)#end
Rack1R3#cle
*Aug 30 10:07:00.562: %SYS-5-CONFIG_I: Configured from console by d365131 on console
Rack1R3#clear ip bgp 155.1.13.1 in
Rack1R3#
*Aug 30 10:07:22.074: BGP(0): 155.1.13.1 rcvd UPDATE w/ attr: nexthop 155.1.13.1, origin i, merged path 100, AS_PATH
*Aug 30 10:07:22.074: BGP(0): 155.1.13.1 rcvd 15.15.1.0/24 -- DENIED due to: distribute/prefix-list;
*Aug 30 10:07:22.086: BGP(0): updgrp 4 - 155.1.13.1 updates replicated for neighbors: 155.1.37.7
Rack1R3#
Rack1R3(config)#router bgp 200
Rack1R3(config-router)#no neighbor 155.1.13.1 prefix-list Block_subnet_1 in
Rack1R3(config-router)#end
Rack1R3#clear ip bgp 155.1.13.1 in
*Aug 30 10:08:12.518: %SYS-5-CONFIG_I: Configured from console by d365131 on console
Rack1R3#clear ip bgp 155.1.13.1 in
Rack1R3#
Rack1R3#
*Aug 30 10:08:22.134: BGP(0): 155.1.13.1 rcvd UPDATE w/ attr: nexthop 155.1.13.1, origin i, merged path 100, AS_PATH
*Aug 30 10:08:22.134: BGP(0): 155.1.13.1 rcvd 15.15.1.0/24 -- DENIED due to: route-map;
Rack1R3#
Rack1R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R3(config)#router bgp 200
Rack1R3(config-router)#neighbor 155.1.13.1 prefix-list Block_subnet_1 in
Rack1R3(config-router)#end
Rack1R3#clear ip bgp 155.1.13.1 in
*Aug 30 10:11:28.986: %SYS-5-CONFIG_I: Configured from console by d365131 on console
Rack1R3#clear ip bgp 155.1.13.1 in
Rack1R3#
*Aug 30 10:11:37.354: BGP(0): 155.1.13.1 rcvd UPDATE w/ attr: nexthop 155.1.13.1, origin i, merged path 100, AS_PATH
*Aug 30 10:11:37.354: BGP(0): 155.1.13.1 rcvd 15.15.1.0/24 -- DENIED due to: distribute/prefix-list;
Rack1R3#
Rack1R3(config)#router bgp 200
Rack1R3(config-router)#neighbor 155.1.13.1 filter-list 1 in
Rack1R3(config-router)#do clear ip bgp 155.1.13.1 in
Rack1R3(config-router)#
*Aug 30 10:13:22.474: BGP(0): 155.1.13.1 rcvd UPDATE w/ attr: nexthop 155.1.13.1, origin i, merged path 100, AS_PATH
*Aug 30 10:13:22.474: BGP(0): 155.1.13.1 rcvd 15.15.1.0/24 -- DENIED due to: filter-list;
*Aug 30 10:13:22.502: BGP(0): updgrp 4 - 155.1.13.1 updates replicated for neighbors: 155.1.37.7
*Aug 30 10:13:22.514: BGP(0): updgrp 4 - 155.1.13.1 updates replicated for neighbors: 155.1.37.7
Rack1R3(config-router)#
Rack1R3(config-router)#neighbor 155.1.13.1 route-map From_R1 in
Rack1R3(config-router)#do clear ip bgp 155.1.13.1 in
Rack1R3(config-router)#
*Aug 30 10:14:22.546: BGP(0): 155.1.13.1 rcvd UPDATE w/ attr: nexthop 155.1.13.1, origin i, merged path 100, AS_PATH
*Aug 30 10:14:22.546: BGP(0): 155.1.13.1 rcvd 15.15.1.0/24 -- DENIED due to: filter-list;
Rack1R3(config-router)#
Rack1R3(config-router)#do sh ip bgp neigh 155.1.13.1 | i coming
Incoming update prefix filter list is Block_subnet_1
Incoming update AS path filter list is 1
Route map for incoming advertisements is From_R1
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 1
Rack1R3(config-router)#
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
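The experiment above can be replayed without a router. The following is an added example (not the poster's code, and not Cisco's implementation): it transcribes the post's prefix-lists, AS-path access-list and route-map into Python, evaluates them in the inbound order the debug output showed (filter-list, then prefix-list/distribute-list, then route-map), and reports the first denying filter in the same wording as the "DENIED due to:" debug line. IOS regex and prefix-list semantics are approximated with the standard-library re and ipaddress modules, and the second prefix (15.15.2.0/24) and the AS path "100 500" are constructed inputs, not from the post.

```python
"""Model of the IOS inbound BGP filter order observed in the post (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass
class PrefixEntry:
    action: str            # "permit" or "deny"
    prefix: str            # e.g. "15.15.1.0/24"
    ge: Optional[int] = None
    le: Optional[int] = None


def prefix_list_eval(entries, net):
    """First matching entry wins; IOS appends an implicit deny."""
    for e in entries:
        base = ip_network(e.prefix)
        lo = e.ge if e.ge is not None else base.prefixlen
        if e.le is not None:
            hi = e.le
        elif e.ge is not None:
            hi = base.max_prefixlen
        else:
            hi = base.prefixlen          # no ge/le: exact length match
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return e.action
    return "deny"


def as_path_list_eval(entries, as_path):
    """entries: (action, regex) pairs tried in order against the received
    AS_PATH string (e.g. "100" or "100 500"); implicit deny at the end."""
    for action, pattern in entries:
        if re.search(pattern, as_path):
            return action
    return "deny"


def route_map_eval(sequences, prefix_lists, net):
    """sequences: (action, prefix-list name or None for 'match anything');
    implicit deny after the last sequence."""
    for action, pl_name in sequences:
        if pl_name is None or prefix_list_eval(prefix_lists[pl_name], net) == "permit":
            return action
    return "deny"


def inbound_filter(policy, prefix_lists, as_path_lists, route_maps, net, as_path):
    """Apply the neighbor's inbound filters in the observed order. Each policy
    key is optional, mirroring the post removing and re-adding them one by one.
    Returns (accepted, reason); reason uses the debug output's wording."""
    if "filter-list" in policy:
        if as_path_list_eval(as_path_lists[policy["filter-list"]], as_path) == "deny":
            return False, "filter-list"
    if "prefix-list" in policy:
        if prefix_list_eval(prefix_lists[policy["prefix-list"]], net) == "deny":
            return False, "distribute/prefix-list"
    if "route-map" in policy:
        if route_map_eval(route_maps[policy["route-map"]], prefix_lists, net) == "deny":
            return False, "route-map"
    return True, None            # a prefix must pass every applied filter


# The post's configuration, transcribed
PREFIX_LISTS = {
    "Block_subnet_1": [PrefixEntry("deny", "15.15.1.0/24"),
                       PrefixEntry("permit", "0.0.0.0/0", le=32)],
    "Allow_subnet_1": [PrefixEntry("permit", "15.15.1.0/24")],
}
AS_PATH_LISTS = {1: [("deny", r"^100$"), ("permit", r".*")]}
ROUTE_MAPS = {"From_R1": [("deny", "Allow_subnet_1"), ("permit", None)]}
ALL_THREE = {"filter-list": 1, "prefix-list": "Block_subnet_1", "route-map": "From_R1"}


def replay_post(policy, prefix="15.15.1.0/24", as_path="100"):
    """Default input is what R1 sent in the post: 15.15.1.0/24 with AS_PATH 100."""
    return inbound_filter(policy, PREFIX_LISTS, AS_PATH_LISTS, ROUTE_MAPS,
                          ip_network(prefix), as_path)


if __name__ == "__main__":
    for label, pol in [("all three", ALL_THREE),
                       ("no filter-list", {k: v for k, v in ALL_THREE.items() if k != "filter-list"}),
                       ("route-map only", {"route-map": "From_R1"})]:
        print(f"{label:15s} -> {replay_post(pol)}")
    print("constructed 15.15.2.0/24 via 100 500 ->", replay_post(ALL_THREE, "15.15.2.0/24", "100 500"))
```

Running it reproduces the three "DENIED due to:" reasons from the debug output as the filters are removed one at a time, and the constructed prefix with a longer AS path shows the other half of the rule: the first two stages permit it and the route-map's seq 20 accepts it, so it is only the combination of all applied filters that decides whether a prefix enters the table.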
Comments
powmia:
So to remember it, we could use "In here... Furry Plums Distribute Rabies"? Other way around going outbound.
The order of filters is exactly the type of trap that the lab exam would try to walk you into. I wouldn't write it off so easily.
And it's impressive to actually see someone lab it up properly, instead of just seeing conflicting information and saying "whatever".... props.
instant000:
Are you running IOU? (Yes, the most tangential thing to find in the entire post, I'm asking about.)
There is a difference between reading what the docs say and proving it for yourself.
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)