
Using Prefix Lists in BGP Route Filtering [4]

In the document Cisco ISP Essentials (Page 122-128)

Two or more iBGP paths are considered candidates for multipath if the following criteria are met:

• All attributes (weight, localpref, AS-PATH [entire attribute, not just length], Origin, MED, and IGP distance) are the same.

• The next hops are different.

The best-path calculation continues until the last step of the BGP path-selection process, so the best path that is advertised will remain the same with and without this feature turned on. Out of the candidate multipaths, the best path is always inserted into the RIB. Other candidate multipaths are inserted depending on the number of paths allowed into the RIB through the maximum-paths ibgp command.

Applying Policy with BGP

The main differentiator between BGP and an IGP is that BGP can be used to apply policies to the exchange of routing information between two neighboring routers.

This section considers the policy options available, from the introduction of prefix list filtering and the application of route maps, to the use of BGP policy accounting to characterize traffic flowing into and out of a network.

Using Prefix Lists in BGP Route Filtering [4]

The prefix list feature offers significant performance improvement (in terms of CPU consumed) over the access list in route filtering of routing protocols. It also provides for faster loading of large lists and support for incremental configuration. In addition, the command-line interface is much more intuitive. This feature is available in IOS Software versions from 11.1(17)CC, 11.3(3), and 12.0.

According to one ISP that has done some in-depth performance testing of prefix lists and access lists, a 7507/RSP4 running 11.1(20)CC took more than 15 minutes to boot using extended ACLs for filtering BGP routes. The same test with prefix lists had the router booting and fully operational in less than 5 minutes. The configuration involved around 95,000 lines of ACL (or prefix lists) total for all neighbors, a configuration around 6 MB in total size. Given this type of experience, it is easy to see why most ISPs now are using prefix lists rather than ACLs for prefix filtering on their BGP peering sessions.

The prefix list preserves several key features of the access list:

• Configuration of either permit or deny

• Order dependency—first match wins

• Filtering on prefix length, both exact match and range match

However, prefix lists, or prefix lists in route maps, do not support packet filtering.

This section presents the detailed configuration commands and several applications of the prefix list in route filtering.

Configuration Commands

Three configuration commands are related to the prefix list.

The following command can be used to delete a prefix list:

no ip prefix-list list-name

Here, list-name is the string identifier of a prefix list.

This next command can be used to add or delete a text description for a prefix list:

[no] ip prefix-list list-name description text

The following command can be used to configure or delete an entry of a prefix list:

[no] ip prefix-list list-name [seq seq-value] deny|permit network/len [ge ge-value] [le le-value]

Several command attributes exist, as can be seen in the three preceding examples.

These attributes have the following meanings:

list-name— Mandatory. This is the string identifier of a prefix list.

seq seq-value— Optional. This attribute can be used to specify the sequence number of an entry of a prefix list. By default, the entries of a prefix list are assigned sequence numbers of 5, 10, 15, and so on. If an entry is added without a specified sequence value, the entry is assigned a sequence number of (Current_Max + 5).

deny|permit — Mandatory. The action is taken once a match is found.

network/len— Mandatory. This is the prefix (that is, network and prefix length). Multiple policies (exact match or range match) with different sequence numbers can be configured for the same network/len.

ge ge-value— Optional.

le le-value— Optional.

Both ge and le are optional. They can be used to specify the range of the prefix length to be matched for prefixes that are more specific than network/len. An exact match is assumed when neither ge nor le is specified. The range is assumed to be from ge-value to 32 if only the ge attribute is specified. The range is assumed to be from len to le-value if only the le attribute is specified.

A specified ge-value or le-value must satisfy the following condition:

len < ge-value < le-value <= 32

Some configuration examples are given in Tables 3-1 and 3-2. They show how simple it is to set up a prefix list. It is left as an exercise to the reader to work out what the equivalent access list might be.

Table 3-1. Specification of Exact Prefixes

Desired Action                        IOS Software Command
Deny the default route 0.0.0.0/0      ip prefix-list abc deny 0.0.0.0/0
Permit the prefix 35.0.0.0/8          ip prefix-list abc permit 35.0.0.0/8

Table 3-2. Specification of Group of Prefixes

Desired Action                        IOS Software Command
In 192/8, accept up to /24            ip prefix-list abc permit 192.0.0.0/8 le 24
In 192/8, deny /25+                   ip prefix-list abc deny 192.0.0.0/8 ge 25
In all address space, permit /8 – /24 ip prefix-list abc permit 0.0.0.0/0 ge 8 le 24
In all address space, deny /25+       ip prefix-list abc deny 0.0.0.0/0 ge 25
In 10/8, deny all                     ip prefix-list abc deny 10.0.0.0/8 le 32
In 204.70.1/24, deny /25+             ip prefix-list abc deny 204.70.1.0/24 ge 25
Permit all                            ip prefix-list abc permit 0.0.0.0/0 le 32

Incremental Configuration

A prefix list can be reconfigured incrementally; that is, an entry can be deleted or added individually. For example, to change a prefix list from the initial configuration to a new configuration, only the difference between the two needs to be deployed, as follows.

The initial configuration:

ip prefix-list abc deny 0.0.0.0/0 le 7
ip prefix-list abc deny 0.0.0.0/0 ge 25
ip prefix-list abc permit 35.0.0.0/8
ip prefix-list abc permit 204.70.0.0/15

The new configuration:

ip prefix-list abc deny 0.0.0.0/0 le 7
ip prefix-list abc deny 0.0.0.0/0 ge 25
ip prefix-list abc permit 35.0.0.0/8
ip prefix-list abc permit 198.0.0.0/8

The difference between the two configurations:

no ip prefix-list abc permit 204.70.0.0/15
ip prefix-list abc permit 198.0.0.0/8

The sequence number is used internally to identify the real match (the one with the lowest sequence number) when multiple prefix-list entries match a given prefix. It also can be used to insert an entry in a specific relative position (for example, a sequence number of 7). However, in most cases a prefix list can be structured so that there is no need to specify sequence numbers, and such an approach would make it easier to automate prefix-list generation, configuration difference generation, and deployment. The sequence numbers can be switched off so that they do not appear in the configuration by using this command:

no ip prefix-list sequence-number
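The delta generation described above, as an added Python example that is not from the book or from IOS; prefix_list_delta, apply_delta and order_preserved are hypothetical helpers, and the two configurations are the ones from the text. It also checks the case the text glosses over: because an entry added without seq lands at Current_Max + 5, a delta reproduces the target ordering only when the additions belong at the end of the list.

```python
# Added example (hypothetical helpers, not Cisco ISP Essentials or IOS code).
def prefix_list_delta(old, new):
    """Return the commands that turn configuration old into new.

    Both arguments are lists of 'ip prefix-list NAME ...' lines without seq values.
    """
    old_set, new_set = set(old), set(new)
    delta = ["no " + line for line in old if line not in new_set]
    delta += [line for line in new if line not in old_set]
    return delta


def apply_delta(old, delta):
    """Simulate IOS: 'no' deletes the entry; a plain entry is appended at Current_Max + 5."""
    result = list(old)
    for cmd in delta:
        if cmd.startswith("no "):
            result.remove(cmd[3:])
        else:
            result.append(cmd)
    return result


def order_preserved(old, new):
    """True when the delta reproduces new in the same order. When False, the
    delta needs explicit seq values, because first match wins."""
    return apply_delta(old, prefix_list_delta(old, new)) == new


# Constructed input: the initial and new configurations from the text.
INITIAL = [
    "ip prefix-list abc deny 0.0.0.0/0 le 7",
    "ip prefix-list abc deny 0.0.0.0/0 ge 25",
    "ip prefix-list abc permit 35.0.0.0/8",
    "ip prefix-list abc permit 204.70.0.0/15",
]
NEW = [
    "ip prefix-list abc deny 0.0.0.0/0 le 7",
    "ip prefix-list abc deny 0.0.0.0/0 ge 25",
    "ip prefix-list abc permit 35.0.0.0/8",
    "ip prefix-list abc permit 198.0.0.0/8",
]

if __name__ == "__main__":
    for cmd in prefix_list_delta(INITIAL, NEW):
        print(cmd)
    print("order preserved:", order_preserved(INITIAL, NEW))
```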

How a Prefix List Match Works

The matching is similar to that of the access-list—more specifically:

• An empty prefix list permits all prefixes.

• An implicit deny is assumed if a given prefix does not match any entries of a prefix list.

• When multiple entries of a prefix list match a given prefix, the one with the smallest sequence is considered as the “real” match. In short, the first match wins!

Here is an example to illustrate the first-match rule. Suppose that a prefix list is configured as follows:

ip prefix-list abc deny 10.0.0.0/8 le 32
ip prefix-list abc permit 0.0.0.0/0 le 32

Then the given prefix 10.1.0.0/16 would match both entries. However, the prefix will be denied because the first entry is the real match.

Now consider the two entries in the reverse order:

ip prefix-list abc deny 0.0.0.0/0 le 32
ip prefix-list abc permit 10.0.0.0/8

The first line in the prefix list matches all prefixes, so all prefixes will be blocked in the prefix list’s application, even though there is a following line permitting 10.0.0.0/8. Prefix lists are order sensitive when there is more than one possible match—the first match wins.
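The ge/le range rules from the Configuration Commands section and the first-match rules above, worked as an added Python evaluator. This is not code from Cisco ISP Essentials or from IOS; the PrefixList class and its ENTRY_RE grammar are constructed for illustration and accept only the entry form shown on this page.

```python
import ipaddress
import re

# Entry form shown on this page: ip prefix-list NAME [seq N] permit|deny NET/LEN [ge G] [le L]
ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny)"
    r" (?P<net>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

class PrefixList:
    """Evaluator for one named prefix list (hypothetical helper, not IOS code)."""

    def __init__(self, name):
        self.name = name
        self.entries = {}  # seq -> (action, network, lo, hi)

    def add(self, line):
        m = ENTRY_RE.match(line.strip())
        if not m or m["name"] != self.name:
            raise ValueError("not an entry of prefix-list %s: %r" % (self.name, line))
        net = ipaddress.ip_network(m["net"], strict=False)
        plen = net.prefixlen
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        # Range rules from the text: exact match with neither attribute,
        # ge..32 with only ge, len..le with only le; IOS requires len < ge <= le <= 32.
        lo = ge if ge is not None else plen
        hi = le if le is not None else (32 if ge is not None else plen)
        if any(v is not None and v <= plen for v in (ge, le)) or lo > hi or hi > 32:
            raise ValueError("invalid ge/le range: %r" % line)
        # Without seq, IOS assigns Current_Max + 5 (so 5 for an empty list).
        seq = int(m["seq"]) if m["seq"] else max(self.entries, default=0) + 5
        self.entries[seq] = (m["action"], net, lo, hi)
        return seq

    def first_match(self, prefix):
        """Lowest-sequence matching entry, like 'show ip prefix-list NAME NET/LEN first-match'."""
        p = ipaddress.ip_network(prefix, strict=False)
        for seq in sorted(self.entries):
            action, net, lo, hi = self.entries[seq]
            if lo <= p.prefixlen <= hi and p.subnet_of(net):
                return seq, action
        return None

    def evaluate(self, prefix):
        """Permit or deny: an empty list permits all; no match is an implicit deny."""
        if not self.entries:
            return "permit"
        hit = self.first_match(prefix)
        return hit[1] if hit else "deny"
```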

show and clear Commands

Table 3-3 gives a list of show and clear commands that can be used to control prefix lists and that give the operator more information about what is happening.

Table 3-3. show and clear Commands

IOS Software Command                               Action
show ip prefix-list [detail | summary]             Displays information on all prefix lists
show ip prefix-list [detail | summary] [name]      Displays information for a prefix list
show ip prefix-list name [seq seq-num]             Displays the prefix list entry with the given sequence number
show ip prefix-list name network/len               Displays the policy associated with the node network/len
show ip prefix-list name network/len longer        Displays all entries of a prefix list that are more specific than the given network/len
show ip prefix-list name network/len first-match   Displays the entry of a prefix list that matches the given network/len
clear ip prefix-list [name] [network/len]          Resets the hit count of prefix list entries

Using Prefix Lists with BGP

The prefix list can be used as an alternative to the BGP neighbor x.x.x.x distribute-list command. The configuration of prefix lists and distribute lists for a BGP peer are mutually exclusive.

router bgp xxx

neighbor x.x.x.x prefix-list name in|out

Using Prefix Lists in a Route Map

The prefix list can be used as an alternative to the access list used in the command match ip address|next-hop|route-source access-list of a route map. The configurations of prefix lists and access lists are mutually exclusive within the same sequence of a route map.

route-map name permit|deny seq-num

match ip address|next-hop|route-source prefix-list name [name...]

Besides its application in BGP, route maps using prefix-lists can be used for route filtering, default origination, and redistribution in other routing protocols as well. For example, the following configuration can be used to conditionally originate a default route (0.0.0.0/0) when there exists a prefix 10.1.1.0/24 in the routing table:

ip prefix-list cond permit 10.1.1.0/24

!

route-map default-condition permit 10
match ip address prefix-list cond

!

router rip

default-information originate route-map default-condition

!

Using Prefix Lists in Other Routing Protocols

The prefix list can be used to filter inbound and outbound routing updates, as well as to control route redistribution between different routing protocols. Compared with using the access list, prefix list–based filtering offers the capability of prefix length filtering. As usual, access lists and prefix lists are mutually exclusive in one distribute-list command.

Inbound updates can be filtered on the prefix, the gateway, or both the prefix and the gateway:

router rip | igrp | eigrp
distribute-list {prefix name1} | {gateway name2} | {prefix name1 gateway name2} in [interface]

Here, name1 is the name of a prefix list to be applied to the prefix being updated, and name2 is the name of a prefix list to be applied to the gateway (that is, the next hop) of a prefix being updated. The filtering also can be specified with a specific interface.

router rip | igrp | eigrp...

distribute-list prefix name1 out [routing_process | interface]

For example, in the following configuration, the RIP process will accept only prefixes with prefix length of /8 to /24:

router rip
version 2
network x.x.x.x
distribute-list prefix max24 in
!
ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
!

Also, the following configuration will make RIP accept routing updates only from 192.1.1.1, besides filtering on prefix length:

router rip

distribute-list prefix max24 gateway allowlist in

!

ip prefix-list allowlist seq 5 permit 192.1.1.1/32

!
