http://www.cisco.com/cpress/cc/td/cpress/ccie/ndcs798/nd2003.htm (49 of 60) [9/16/2000 5:04:31 PM] Designing Large-Scale IP Internetworks

If you want to prevent Router C from propagating updates for network 160.10.0.0 to AS 100, you can apply an access list to filter those updates when Router C exchanges updates with Router A, as demonstrated by the following configuration for Router C:

    !Router C
    router bgp 300
     network 170.10.0.0
     neighbor 3.3.3.3 remote-as 200
     neighbor 2.2.2.2 remote-as 100
     neighbor 2.2.2.2 distribute-list 1 out
    !
    ! deny the 160.10.0.0/16 network, then permit everything else
    access-list 1 deny 160.10.0.0 0.0.255.255
    access-list 1 permit 0.0.0.0 255.255.255.255

In the preceding configuration, the combination of the neighbor distribute-list router configuration command and access list 1 prevents Router C from propagating routes for network 160.10.0.0 when it sends routing updates to neighbor 2.2.2.2 (Router A).

Using access lists to filter supernets is a bit trickier. Assume, for example, that Router B in Figure 3-32 has different subnets of 160.10.x.x, and you want to advertise 160.0.0.0/8 only. The following access list would permit 160.0.0.0/8, 160.0.0.0/9, and so on:

    access-list 1 permit 160.0.0.0 0.255.255.255

To restrict the update to 160.0.0.0/8 only, you have to use an extended access list, such as the following:

    access-list 101 permit ip 160.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255

AS_path Filtering

You can specify an access list on both incoming and outgoing updates based on the value of the AS_path attribute. The network shown in Figure 3-33 demonstrates the usefulness of AS_path filters.

Figure 3-33: AS_path filtering.

    !Router C
    neighbor 3.3.3.3 remote-as 200
    neighbor 2.2.2.2 remote-as 100
    neighbor 2.2.2.2 filter-list 1 out
    !
    ip as-path access-list 1 deny ^200$
    ip as-path access-list 1 permit .*

In this example, access list 1 denies any update whose AS_path attribute starts with 200 (as specified by ^) and ends with 200 (as specified by $). Because Router B sends updates about 160.10.0.0 whose AS_path attributes start with 200 and end with 200, such updates will match the access list and will be denied. By specifying that the update must also end with 200, the access list permits updates from AS 400 (whose AS_path attribute is 200, 400). If the access list specified ^200 as the regular expression, updates from AS 400 would be denied.

In the second access-list statement, the period (.) symbol means any character, and the asterisk (*) symbol means a repetition of that character. Together, .* matches any value of the AS_path attribute, which in effect permits any update that has not been denied by the previous access-list statement. If you want to verify that your regular expressions work as intended, use the following EXEC command:

    show ip bgp regexp regular-expression

The router displays all of the paths that match the specified regular expression.

Route Map Filtering

The neighbor route-map router configuration command can be used to apply a route map to incoming and outgoing routes. The network shown in Figure 3-34 demonstrates using route maps to filter BGP updates.

Figure 3-34: BGP route map filtering.

Assume that in Figure 3-34, you want Router C to learn about networks that are local to AS 200 only. (That is, you do not want Router C to learn about AS 100, AS 400, or AS 600 from AS 200.) Also, on those routes that Router C accepts from AS 200, you want the weight attribute to be set to 20. The following configuration for Router C accomplishes this goal:

    !Router C
    router bgp 300
     network 170.10.0.0
     neighbor 3.3.3.3 remote-as 200
     neighbor 3.3.3.3 route-map STAMP in
    !
    route-map STAMP permit 10
     match as-path 1
     set weight 20
    !
    ip as-path access-list 1 permit ^200$

In the preceding configuration, access list 1 permits any update whose AS_path attribute begins with 200 and ends with 200 (that is, access list 1 permits updates that originate in AS 200). The weight attribute of the permitted updates is set to 20. All other updates are denied and dropped.

Community Filtering

The network shown in Figure 3-35 demonstrates the usefulness of community filters.

Figure 3-35: Community filtering.

Assume that you do not want Router C to propagate routes learned from Router B to Router A. You can do this by setting the community attribute on updates that Router B sends to Router C, as in the following configuration for Router B:

    !Router B
    router bgp 200
     network 160.10.0.0
     neighbor 3.3.3.1 remote-as 300
     neighbor 3.3.3.1 send-community
     neighbor 3.3.3.1 route-map SETCOMMUNITY out
    !
    route-map SETCOMMUNITY permit 10
     match ip address 1
     set community no-export
    !
    route-map SETCOMMUNITY permit 20
    !
    access-list 1 permit 0.0.0.0 255.255.255.255

For routes that are sent to the neighbor at IP address 3.3.3.1 (Router C), Router B applies the route map named SETCOMMUNITY. The SETCOMMUNITY route map sets the community attribute of any update (by means of access list 1) destined for 3.3.3.1 to no-export. The neighbor send-community router configuration command is required to include the community attribute in updates sent to the neighbor at IP address 3.3.3.1. When Router C receives the updates from Router B, it does not propagate them to Router A because the value of the community attribute is no-export.

Another way to filter updates based on the value of the community attribute is to use the ip community-list global configuration command. Assume that Router B has been configured as follows:

    !Router B
    router bgp 200
     network 160.10.0.0
     neighbor 3.3.3.1 remote-as 300
     neighbor 3.3.3.1 send-community
     neighbor 3.3.3.1 route-map SETCOMMUNITY out
    !
    route-map SETCOMMUNITY permit 10
     match ip address 2
     set community 100 200 additive
    route-map SETCOMMUNITY permit 20
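As an added example (not code from the Cisco text), the following Python models how IOS compares prefixes against the standard and extended access lists used as distribute-lists in the first section above, including the supernet case: a standard list checks only the network address, and an extended list's second address/wildcard pair checks the network mask, so the mask wildcard 0.255.255.255 in access list 101 compares only the first octet of the mask. ACL_101_EXACT, with a mask wildcard of 0.0.0.0, is an assumed tightened variant that is not on the page.

```python
import ipaddress

# Added example, not from the Cisco text: models how IOS standard and
# extended access lists match prefixes when applied as a BGP distribute-list.
# A wildcard bit of 1 means "don't care"; a prefix matching no entry is denied.

def wildcard_match(value, pattern, wildcard):
    """True if value equals pattern on every bit the wildcard leaves at 0."""
    v, p, w = (int(ipaddress.IPv4Address(x)) for x in (value, pattern, wildcard))
    return (v & ~w) == (p & ~w)

def standard_acl_permits(acl, prefix):
    """Standard ACL entries are (action, address, wildcard). Only the network
    address is compared; the prefix length is never examined."""
    net = ipaddress.ip_network(prefix)
    for action, addr, wc in acl:
        if wildcard_match(str(net.network_address), addr, wc):
            return action == "permit"
    return False  # implicit deny at the end of every access list

def extended_acl_permits(acl, prefix):
    """Entries are (action, address, wildcard, mask, mask_wildcard). In a
    distribute-list the first pair tests the network address and the second
    pair tests the network mask."""
    net = ipaddress.ip_network(prefix)
    for action, addr, wc, mask, mask_wc in acl:
        if (wildcard_match(str(net.network_address), addr, wc)
                and wildcard_match(str(net.netmask), mask, mask_wc)):
            return action == "permit"
    return False

# Router C's distribute-list 1 out: drop 160.10.0.0/16, pass everything else.
ACL_1 = [("deny", "160.10.0.0", "0.0.255.255"),
         ("permit", "0.0.0.0", "255.255.255.255")]
# The standard list from the supernet discussion.
ACL_SUPERNET = [("permit", "160.0.0.0", "0.255.255.255")]
# Extended list 101 as given in the text; the mask wildcard 0.255.255.255
# constrains only the first octet of the mask, so any 255.x.x.x mask matches.
ACL_101 = [("permit", "160.0.0.0", "0.255.255.255", "255.0.0.0", "0.255.255.255")]
# Assumed tightened variant (not from the text): mask wildcard 0.0.0.0 pins
# the mask to exactly 255.0.0.0, i.e. 160.0.0.0/8 only.
ACL_101_EXACT = [("permit", "160.0.0.0", "0.255.255.255", "255.0.0.0", "0.0.0.0")]

def filtered_updates(acl_fn, acl, prefixes):
    """Prefixes that a distribute-list out using this list would still send."""
    return [p for p in prefixes if acl_fn(acl, p)]
```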
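Added example, not from the Cisco text: a small evaluator for the ip as-path access-list semantics and the STAMP route map described in the AS_path and route map sections above, showing why ^200$ drops only routes originated in AS 200 while ^200 also drops the AS 400 routes. The list numbering, the update contents and the show_ip_bgp_regexp helper are constructed for this example.

```python
import re

# Added example, not from the Cisco text: evaluates IOS-style ip as-path
# access-lists and the STAMP route map against AS_path strings. IOS applies the
# regular expression as a search anywhere in the path, so the "^" and "$"
# anchors are what decide whether "200 400" is caught by an entry for 200.

AS_PATH_LISTS = {
    # ip as-path access-list 1 (Router C filter-list 1 out): deny ^200$, permit .*
    1: [("deny", r"^200$"), ("permit", r".*")],
    # Variant the text warns about: ^200 also catches paths that merely start with 200.
    2: [("deny", r"^200"), ("permit", r".*")],
    # The list behind 'match as-path' in route-map STAMP: permit ^200$ only.
    3: [("permit", r"^200$")],
}

def as_path_permits(list_id, as_path):
    """First matching entry wins; a path matching no entry is denied."""
    for action, regex in AS_PATH_LISTS[list_id]:
        if re.search(regex, as_path):
            return action == "permit"
    return False

def filter_list_out(list_id, updates):
    """neighbor ... filter-list N out: keep only updates the list permits."""
    return [u for u in updates if as_path_permits(list_id, u["as_path"])]

def show_ip_bgp_regexp(regex, updates):
    """Mirrors 'show ip bgp regexp': the AS paths in the table that match."""
    return [u["as_path"] for u in updates if re.search(regex, u["as_path"])]

# route-map STAMP permit 10: match as-path (list 3), set weight 20.
# Clauses are tried in sequence order; a route matching no clause is dropped.
STAMP = [{"seq": 10, "match_as_path": 3, "set": {"weight": 20}}]

def apply_route_map(route_map, update):
    for clause in route_map:
        if not as_path_permits(clause["match_as_path"], update["as_path"]):
            continue
        return {**update, **clause["set"]}
    return None  # no clause matched: the update is dropped

# Constructed updates as Router C receives them from Router B (AS 200); the
# second one was originated in AS 400 and passed through AS 200.
UPDATES = [
    {"prefix": "160.10.0.0/16", "as_path": "200"},
    {"prefix": "190.10.0.0/16", "as_path": "200 400"},
]
```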
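Added example, not from the Cisco text: models Router B's SETCOMMUNITY route map, the effect of neighbor send-community, and Router C's handling of a no-export route, as described in the community filtering section above; the additive form from the second Router B configuration is included as well. Route contents and helper names are constructed for the example.

```python
# Added example, not from the Cisco text: models Router B's SETCOMMUNITY route
# map, the effect of 'neighbor ... send-community', and the way Router C treats
# a route carrying the no-export community. Route contents are constructed.

NO_EXPORT = "no-export"

def set_community(update, values, additive=False):
    """'set community <values> [additive]': replace the attribute, or append
    the new values to whatever the route already carries."""
    current = list(update.get("community", [])) if additive else []
    return {**update, "community": current + [v for v in values if v not in current]}

def send_to_neighbor(update, send_community):
    """Outbound update as Router B builds it. Without 'neighbor ... send-community'
    IOS drops the community attribute before the update leaves the router."""
    if send_community:
        return dict(update)
    return {k: v for k, v in update.items() if k != "community"}

def router_b_to_router_c(update, send_community=True):
    """SETCOMMUNITY sequence 10: access list 1 permits everything, so every update
    is tagged no-export and the empty sequence 20 is never reached."""
    return send_to_neighbor(set_community(update, [NO_EXPORT]), send_community)

def will_propagate(update, peer_remote_as, local_as):
    """Router C's decision: a route tagged no-export is not advertised to an
    eBGP peer (one in a different AS); iBGP peers inside AS 300 may still learn it."""
    to_ebgp = peer_remote_as != local_as
    return not (to_ebgp and NO_EXPORT in update.get("community", []))

# Constructed route Router B (AS 200) originates.
ROUTE = {"prefix": "160.10.0.0/16", "as_path": "200"}
```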