BGP Route Filtering, Manipulation and Path Selection

BGP Route Filtering and Manipulation
This chapter covers the following content:

BGP Route Filtering and Manipulation - This section expands on how conditional matching and route maps work by
applying real-world use cases to demonstrate the filtering or manipulation of BGP routes.

Understanding BGP Path Selection - This section describes the logic used by BGP to identify the best path when multiple
routes are installed in the BGP table.
BGP Route Filtering and Manipulation
BGP Route Filtering Concepts
Route filtering selectively controls which routes are advertised to or received from neighbor routers. Route filtering may be
used to manipulate traffic flows, reduce memory utilization, or improve security.

ISPs commonly deploy route filters on BGP peerings to customers. Accepting only the customer's own routes over the
peering link prevents the customer from accidentally becoming a transit AS on the Internet (a route leak).

IOS XE has four methods of filtering routes inbound or outbound for a specific BGP peer:
• Distribute list - This filters network prefixes based on a standard or extended ACL. There is an implicit deny for any
prefix not permitted.
• Prefix list - The prefix-matching specifications permit or deny network prefixes in a top-down fashion. There is an
implicit deny for any prefix not permitted.
• AS path ACL/filtering - A list of regex entries permits or denies a network prefix based on its current AS path
values. There is an implicit deny for any prefix not permitted.
• Route maps - These provide a method of conditional matching on a variety of prefix attributes and taking a variety of
actions. Actions could be a simple permit or deny, or could include the modification of BGP path attributes. There is
an implicit deny for any prefix that is not permitted.
BGP Route Filtering and Manipulation
BGP Route Filtering Concepts (begin routing table reference)
The following slides explain each of the route filtering techniques in more detail. Imagine a simple scenario with R1 (AS
65100) that has a single eBGP peering with R2 (AS 65200), which then may peer with other autonomous systems (such as
AS 65300). The relevant portion of the topology is that R1 peers with R2 and focuses on R1’s BGP table, as shown in
Example 12-8, with an emphasis on the network prefix and the AS path.
BGP Route Filtering and Manipulation
BGP Distribute List Filtering
Distribute lists allow the filtering of network prefixes on a neighbor-by-neighbor basis, using standard or extended ACLs.
Configuring a distribute list requires using the BGP address family configuration command neighbor ip-address
distribute-list {acl-number | acl-name} {in|out}.

Remember that extended ACLs for BGP use the source fields to match the network portion and the destination fields to
match against the network mask.
BGP Route Filtering and Manipulation
BGP Distribute List Filtering (routing table result)
Example 12-10 displays the routing table of R1 after BGP distribute list filtering.

Two local routes are injected into the BGP table by R1 (10.12.1.0/24 and 192.168.1.1/32). The two loopback networks from
R2 (AS 65200) and R3 (AS 65300) are allowed because they are within the first ACL-ALLOW entry, and two of the networks
in the 100.64.x.0 pattern (100.64.2.0/25 and 100.64.3.0/25) are accepted. The 100.64.2.192/26 network is rejected
because the prefix length does not match the second ACL-ALLOW entry.
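As an added example (not code from the book or these slides), the following Python models how IOS applies an extended ACL inside a distribute list: the source address/wildcard pair is matched against the route's network, the destination pair against its subnet mask, entries are evaluated top-down, and anything unmatched is implicitly denied. The two ACL-ALLOW entries are an assumption chosen to reproduce the outcome the text describes, and the list of prefixes received from R2 is constructed for the example.

```python
import ipaddress

# Cisco extended-ACL semantics when used by a BGP distribute list: the "source"
# address/wildcard pair is matched against the route's network and the
# "destination" pair against its subnet mask. Bits set in a wildcard mask are
# don't-care bits; a wildcard of 0.0.0.0 ("host") means "must match exactly".

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(value, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (base & care)

class ExtendedAclEntry:
    def __init__(self, action, network, network_wc, mask, mask_wc):
        self.action = action
        self.network, self.network_wc = _u32(network), _u32(network_wc)
        self.mask, self.mask_wc = _u32(mask), _u32(mask_wc)

    def matches(self, prefix):
        net = ipaddress.ip_network(prefix, strict=False)
        return (wildcard_match(int(net.network_address), self.network, self.network_wc)
                and wildcard_match(int(net.netmask), self.mask, self.mask_wc))

def acl_permits(acl, prefix):
    """Top-down evaluation: the first matching entry decides, otherwise implicit deny."""
    for entry in acl:
        if entry.matches(prefix):
            return entry.action == "permit"
    return False

# Assumed contents of ACL-ALLOW, written to reproduce the result described in the
# text (not the book's Example 12-9 verbatim):
#   permit ip 192.168.0.0 0.0.255.255 host 255.255.255.255  -> any /32 inside 192.168.0.0/16
#   permit ip 100.64.0.0  0.0.255.0   host 255.255.255.128  -> any 100.64.x.0/25
ACL_ALLOW = [
    ExtendedAclEntry("permit", "192.168.0.0", "0.0.255.255", "255.255.255.255", "0.0.0.0"),
    ExtendedAclEntry("permit", "100.64.0.0", "0.0.255.0", "255.255.255.128", "0.0.0.0"),
]

# Constructed sample: what R2 (AS 65200) advertises to R1 in this scenario.
RECEIVED_FROM_R2 = ["192.168.2.2/32", "192.168.3.3/32", "100.64.2.0/25",
                    "100.64.2.192/26", "100.64.3.0/25", "10.23.1.0/24"]

def apply_distribute_list(acl, prefixes):
    """Equivalent of 'neighbor <R2> distribute-list ACL-ALLOW in' on the received NLRI."""
    return [p for p in prefixes if acl_permits(acl, p)]

if __name__ == "__main__":
    for p in RECEIVED_FROM_R2:
        verdict = "accepted" if acl_permits(ACL_ALLOW, p) else "rejected (implicit deny)"
        print(f"{p:16} {verdict}")
```

Note that 100.64.2.192/26 fails both halves of the second entry: its network has a non-zero fourth octet and its mask is not 255.255.255.128, so the route is dropped exactly as the text reports.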
BGP Route Filtering and Manipulation
BGP Prefix List Filtering and Routing Table Result
Prefix lists allow the filtering of network prefixes on a neighbor-by-neighbor basis, using a prefix list. Configuring a prefix
list involves using the BGP address family configuration command neighbor ip-address prefix-list prefix-list-name {in | out}.

Example 12-11 demonstrates the use of a prefix list filter to allow only routes within the RFC 1918 space. The prefix list is
applied on R1's peering to R2 (AS 65200).

The BGP table can be examined on R1, as shown in Example 12-12. Notice that the 100.64.2.0/25, 100.64.2.192/26, and
100.64.3.0/25 networks were filtered because they did not fall within the prefix list matching criteria.
BGP Route Filtering and Manipulation
BGP AS Path ACL Filtering
Selecting routes from a BGP neighbor by using the AS path requires the definition of an AS path access control list (AS
path ACL).

Regular expressions, introduced earlier in this chapter, are a component of AS_Path filtering.

Example 12-13 shows the routes that R2 (AS 65200) is advertising toward R1 (AS 65100).

R2 is advertising the routes learned from R3 (AS 65300) to R1. In essence, R2 provides transit connectivity between the
autonomous systems. If this were an Internet connection and R2 were an enterprise, it would not want to advertise routes
learned from other autonomous systems: doing so is a route leak that can pull other networks' traffic through the enterprise.

Using an AS path access list to restrict advertisements to only routes that originated in AS 65200 is the recommended safeguard.
BGP Route Filtering and Manipulation
BGP AS Path ACL Filtering (Cont.)
IOS supports up to 500 AS path ACLs and uses the command ip as-path access-list acl-number {deny | permit} regex-query
for creating an AS path ACL. The ACL is then applied with the command neighbor ip-address filter-list acl-number {in|out}.

Example 12-14 shows the configuration on R2 using an AS path ACL to restrict outbound advertisements to locally originated
routes only, using the regex pattern ^$ (an empty AS path). To ensure completeness, the AS path ACL is applied outbound on
all of R2's eBGP neighborships.

Example 12-15 displays the routes being advertised to R1. Notice that none of the routes carries an AS path, confirming that
only locally originated routes are being advertised externally.
BGP Route Filtering and Manipulation
BGP Route Map Filtering
Route maps provide additional functionality over pure filtering. Route maps can manipulate BGP path attributes as well.
Route maps are applied on a BGP neighbor for routes that are advertised or received. A different route map can be used
for each direction. The route map is associated with the BGP neighbor under the specific address family, with the
command neighbor ip-address route-map route-map-name {in|out}.

Example 12-16 shows the BGP routing table of R1, which is used here to demonstrate the power of a route map.
BGP Route Filtering and Manipulation
BGP Route Map Filtering (Cont.)
This route map consists of four steps:

1. Deny any routes that are in the 192.168.0.0/16 network by using a prefix list.

2. Match any routes originating from AS 65200 that are within the 100.64.0.0/10 network range and set the BGP local
preference to 222.

3. Match any routes originating from AS 65200 that did not match step 2 and set the BGP weight to 65200.

4. Permit all other routes to process.

Route map sequences are evaluated top-down, and the first sequence whose match conditions all succeed decides the
route's fate; later sequences are not consulted. That is why step 3 only sees the AS 65200 routes that step 2 did not claim.

Example 12-17 demonstrates R1's configuration, where multiple prefix lists are referenced along with an AS path ACL.
BGP Route Filtering and Manipulation
BGP Route Map Filtering (routing table result)
Example 12-18 displays R1's BGP routing table. The following actions have occurred:
• The 192.168.2.2/32 and 192.168.3.3/32 routes were discarded. The 192.168.1.1/32 route is a locally generated route.
• The 100.64.2.0/25 and 100.64.2.192/26 networks had the local preference modified to 222 because they originated
from AS 65200 and are within the 100.64.0.0/10 network range.
• The 10.12.1.0/24 and 10.23.1.0/24 routes from R2 were assigned the locally significant BGP attribute weight 65200.
• All other routes were received and not modified.

It is considered a best practice to use a different route policy for inbound and outbound prefixes for each BGP neighbor.
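The prefix list, AS path ACL, and route map techniques described above share the same top-down, first-match, implicit-deny evaluation model, so one added example (my code, not the book's or Cisco's) implements all three in Python: prefix list matching with ge/le, the IOS AS path regex including its _ metacharacter, and a route map engine that runs the four-step policy from the text over R1's table. The prefix list and ACL names, the AS path carried by each route, and R2's own table are constructed assumptions chosen to be consistent with the results the text reports; the pattern _65200$ expresses "originated in AS 65200".

```python
import ipaddress
import re

# ---------- Prefix list: top-down, first match decides, implicit deny ----------
# An entry is (action, "net/len", ge, le); ge/le of None means "exact length only".
def prefix_entry_matches(entry, prefix):
    _, pattern, ge, le = entry
    pat, net = ipaddress.ip_network(pattern), ipaddress.ip_network(prefix)
    if not net.subnet_of(pat):
        return False
    lo = pat.prefixlen if ge is None else ge
    hi = (pat.prefixlen if ge is None else 32) if le is None else le
    return lo <= net.prefixlen <= hi

def prefix_list_permits(plist, prefix):
    for entry in plist:
        if prefix_entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False

# ---------- AS path ACL ----------
# IOS '_' matches the start or end of the path, a space, a comma, or a brace/paren.
def cisco_as_regex(pattern):
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

def as_path_acl_permits(acl, as_path):
    """acl = [(action, regex)]; as_path is space-separated, '' for a locally originated route."""
    for action, pattern in acl:
        if cisco_as_regex(pattern).search(as_path):
            return action == "permit"
    return False

# ---------- Route map ----------
# A sequence is (seq, action, [match predicates], [set functions]); every match
# predicate must succeed (an empty list matches everything) and the first hit decides.
def apply_route_map(route_map, route):
    for _, action, matches, sets in route_map:
        if all(m(route) for m in matches):
            if action == "deny":
                return None
            changed = dict(route)
            for s in sets:
                s(changed)
            return changed
    return None                        # nothing matched: implicit deny

# ---------- Constructed data (assumed AS paths, consistent with the text) ----------
DEFAULTS = {"local_pref": 100, "weight": 0}
FROM_R2 = [dict(DEFAULTS, prefix=p, as_path=a) for p, a in [      # what R1 hears from R2
    ("10.12.1.0/24", "65200"), ("10.23.1.0/24", "65200"),
    ("192.168.2.2/32", "65200"), ("192.168.3.3/32", "65200 65300"),
    ("100.64.2.0/25", "65200"), ("100.64.2.192/26", "65200"),
    ("100.64.3.0/25", "65200 65300")]]
R2_TABLE = [dict(DEFAULTS, prefix=p, as_path=a) for p, a in [     # R2's own BGP table
    ("10.23.1.0/24", ""), ("192.168.2.2/32", ""), ("100.64.2.0/25", ""),
    ("192.168.3.3/32", "65300"), ("100.64.3.0/25", "65300")]]

# Example 12-11 style inbound filter on R1: only RFC 1918 space is accepted from R2.
PL_RFC1918 = [("permit", "10.0.0.0/8", None, 32), ("permit", "172.16.0.0/12", None, 32),
              ("permit", "192.168.0.0/16", None, 32)]

def rfc1918_only(routes):
    return [r["prefix"] for r in routes if prefix_list_permits(PL_RFC1918, r["prefix"])]

# Example 12-14 style outbound filter on R2: '^$' permits only locally originated routes.
ASP_LOCAL_ONLY = [("permit", "^$")]

def locally_originated_only(routes):
    return [r["prefix"] for r in routes if as_path_acl_permits(ASP_LOCAL_ONLY, r["as_path"])]

# The four-step inbound route map from the text (list names are assumed, not the book's).
PL_192 = [("permit", "192.168.0.0/16", None, 32)]
PL_CGN = [("permit", "100.64.0.0/10", None, 32)]
ASP_ORIGIN_65200 = [("permit", "_65200$")]       # rightmost ASN 65200 = originated there

def from_65200(r):
    return as_path_acl_permits(ASP_ORIGIN_65200, r["as_path"])

RM_R2_IN = [
    (10, "deny",   [lambda r: prefix_list_permits(PL_192, r["prefix"])], []),
    (20, "permit", [lambda r: prefix_list_permits(PL_CGN, r["prefix"]), from_65200],
                   [lambda r: r.update(local_pref=222)]),
    (30, "permit", [from_65200], [lambda r: r.update(weight=65200)]),
    (40, "permit", [], []),
]

def r1_table_after_route_map(routes):
    """Returns {prefix: (local_pref, weight)} for the routes that survive RM_R2_IN."""
    out = {}
    for r in routes:
        kept = apply_route_map(RM_R2_IN, r)
        if kept is not None:
            out[kept["prefix"]] = (kept["local_pref"], kept["weight"])
    return out

if __name__ == "__main__":
    print("RFC1918 in  :", rfc1918_only(FROM_R2))
    print("R2 out ^$   :", locally_originated_only(R2_TABLE))
    for prefix, attrs in r1_table_after_route_map(FROM_R2).items():
        print(f"{prefix:16} local_pref={attrs[0]} weight={attrs[1]}")
```

The route map result reproduces Example 12-18: the two 192.168.x routes are dropped by sequence 10, the two AS 65200-originated 100.64.2.x prefixes get local preference 222 from sequence 20, the 10.x routes fall through to sequence 30 and get weight 65200, and 100.64.3.0/25 (which originated in AS 65300) reaches the catch-all sequence 40 unmodified.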
BGP Route Filtering and Manipulation
Clearing BGP Connections
Depending on the change to the BGP route manipulation technique, a BGP session may need to be refreshed for the change
to take effect.

BGP supports two methods of clearing a BGP session:

1. Hard reset tears down the BGP session, removes BGP routes from the peer, and is the most disruptive.

2. Soft reset invalidates the BGP cache and requests a full advertisement from its BGP peer.

Routers initiate a hard reset with the command clear ip bgp ip-address, and a soft reset by appending the optional soft
keyword: clear ip bgp ip-address soft. All of a router's BGP sessions can be cleared by using an asterisk (*) in lieu of the
peer's IP address.

Soft resets can be performed for a specific address family with the command clear bgp afi safi {ip-address | *} soft
[in | out].

Limiting a soft reset to one address family reduces the number of routes that must be exchanged when multiple address
families are configured with a single BGP peer.
Understanding BGP Path Selection
• The BGP best-path selection algorithm influences how traffic enters or leaves an AS.
• Some router configurations modify the BGP attributes to influence inbound traffic, outbound
traffic, or inbound and outbound traffic, depending on the network design requirements.
• This section explains the logic used by a router that uses BGP when forwarding packets.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
Understanding BGP Path Selection
Routing Path Selections Using Longest Match
Before any BGP attribute is considered, a router's forwarding lookup selects the routing table entry with the longest
matching prefix length; the most specific route is always preferred. The figure shows R1 advertising the 100.64.1.0/24
prefix, R2 advertising the 100.64.2.0/24 prefix, and both routers advertising the 100.64.0.0/16 summary prefix.

This logic can be used to influence path selection in BGP. Assume that an organization owns the 100.64.0.0/16 network
range but only needs to advertise two subnets (100.64.1.0/24 and 100.64.2.0/24). It could advertise both prefixes from all
its routers, but how can it distribute the load for each subnet if all traffic comes in on one router (such as R1)?

The organization could modify various BGP path attributes (PAs) that are advertised externally, but an SP could have a
BGP routing policy that ignores or overrides those attributes, resulting in an unpredictable receipt of network traffic.

A way that guarantees that paths are selected deterministically outside the organization is to advertise the summary
prefix (100.64.0.0/16) out both routers and then advertise the longer, more specific prefix only out the router that should
receive network traffic for that prefix.
Understanding BGP Path Selection
BGP Best-Path Algorithm
In BGP, route advertisements consist of Network Layer Reachability Information (NLRI) and path attributes (PAs). The NLRI
consists of the network prefix and prefix length, and the BGP attributes such as AS_Path, origin, and so on are stored in
the PAs.

A BGP route may contain multiple paths to the same destination network. Every path’s attributes impact the desirability of
the route. A BGP router advertises only the best path to the neighboring routers.

The best path is installed in the RIB. If the best path is no longer available, the router can use the existing paths to identify
a new best path. BGP recalculates the best path for a prefix upon four possible events:
• BGP next-hop reachability change
• Failure of an interface connected to an eBGP peer
• Redistribution change
• Reception of new or removed paths for a route

BGP automatically installs the first received path as the best path. When additional paths are received for the same
network prefix length, the newer paths are compared against the current best path. If there is a tie, processing continues
until a best-path winner is identified.
Understanding BGP Path Selection
BGP Best-Path Algorithm
The BGP best-path algorithm uses the following attributes, in the order shown, for best-path selection:

1. Weight – BGP weight is a Cisco-defined attribute. The path with the higher weight is preferred. Weight influences only
outbound traffic from a router or an AS and is not advertised to peers.

2. Local preference – (LOCAL_PREF) is a well-known path attribute included with path advertisements within the
AS. Not advertised between eBGP peers.

3. Local originated (network statement, redistribution, or aggregation) – determination as to whether the route
originated within the AS. Preference is given to routes advertised or aggregated locally.

4. Accumulated Interior Gateway Protocol (AIGP) – provides the ability for BGP to make routing decisions based
on IGP path metrics.

5. Shortest AS_Path – AS path length typically correlates to the AS hop count. A shorter AS path is preferred over
a longer AS path.

6. Origin type - The next best-path decision factor is the well-known mandatory BGP attribute named origin.
Routes with IGP origin are preferred over those with EGP or incomplete origin (least preferred).
Understanding BGP Path Selection
BGP Best-Path Algorithm (Cont.)
7. Lowest MED - The next BGP best-path decision factor is the non-transitive BGP attribute named multiple-exit
discriminator (MED). A lower MED is preferred over a higher MED.

8. eBGP over iBGP – The best-path selection route source preference order is: eBGP peers (most desirable),
confederation member AS peers, and iBGP peers (least desirable).

9. Lowest IGP next hop- The next decision step is to use the lowest IGP cost to the BGP next-hop address.

10. Oldest eBGP Path - BGP maintains stability in a network by preferring the path from the oldest (established) BGP
session. The downfall of this technique is that it does not lead to a deterministic method of identifying the BGP best
path from a design perspective.

11. Router ID - Prefer the route that comes from the BGP peer with the lower router ID (RID)

12. Minimum Cluster List Length - Prefer the route with the minimum cluster list length. In simplest terms, this step
locates the path that has traveled the lowest number of iBGP advertisement hops.

13. Lowest neighbor address - The last step is to use the path that comes from the lowest BGP neighbor address. This
step is limited to iBGP peerings because eBGP peerings use the oldest received path as the tie breaker.
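The following Python is an added example (mine, not the book's) that implements the 13-step comparison above as a pairwise comparator, including the two conditional steps: MED is compared only between paths received through the same neighboring AS (with a missing MED treated as 0, as described later in the chapter), and path age only between eBGP paths. It then shows the longest-match rule from the earlier section by running best-path selection per prefix and only afterwards a most-specific-prefix lookup. The sample paths mirror the attribute values of Examples 12-29 through 12-32; their next hops, receive order, and the upstream table for the 100.64.0.0/16 scenario are assumptions.

```python
import ipaddress

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}            # IGP best, EGP, incomplete worst
SOURCE_RANK = {"ebgp": 0, "confed": 1, "ibgp": 2}  # eBGP > confederation peer > iBGP

def _cmp(x, y):
    return (x > y) - (x < y)

def _as_len(p):
    return len(p.get("as_path", "").split())

def _leftmost_as(p):
    hops = p.get("as_path", "").split()
    return hops[0] if hops else None

def _step(keyfn, when=lambda a, b: True):
    """One algorithm step: lower key wins; 'when' gates steps that only apply conditionally."""
    return lambda a, b: _cmp(keyfn(a), keyfn(b)) if when(a, b) else 0

STEPS = [
    _step(lambda p: -p.get("weight", 0)),                            # 1 higher weight
    _step(lambda p: -p.get("local_pref", 100)),                      # 2 higher LOCAL_PREF
    _step(lambda p: 0 if p.get("local_origin") else 1),              # 3 locally originated
    _step(lambda p: (p.get("aigp") is None, p.get("aigp") or 0)),    # 4 AIGP present, then lower
    _step(_as_len),                                                  # 5 shortest AS_PATH
    _step(lambda p: ORIGIN_RANK[p.get("origin", "i")]),              # 6 origin
    _step(lambda p: p.get("med") or 0,                               # 7 lowest MED, missing = 0,
          when=lambda a, b: _leftmost_as(a) == _leftmost_as(b)),     #   same neighbor AS only
    _step(lambda p: SOURCE_RANK[p.get("source", "ebgp")]),           # 8 eBGP over iBGP
    _step(lambda p: p.get("igp_metric", 0)),                         # 9 lowest IGP metric to next hop
    _step(lambda p: p.get("age", 0),                                 # 10 oldest path (0 = oldest),
          when=lambda a, b: a.get("source", "ebgp") == b.get("source", "ebgp") == "ebgp"),
    _step(lambda p: int(ipaddress.IPv4Address(p.get("router_id", "0.0.0.0")))),  # 11 lowest RID
    _step(lambda p: p.get("cluster_list_len", 0)),                   # 12 shortest CLUSTER_LIST
    _step(lambda p: int(ipaddress.IPv4Address(p.get("neighbor", "0.0.0.0")))),   # 13 lowest neighbor
]

def compare_paths(a, b):
    """-1 if a is the better path, 1 if b is, 0 if every step ties."""
    for step in STEPS:
        c = step(a, b)
        if c:
            return c
    return 0

def select_best(paths):
    """The first received path starts as best; each newer path is compared against it."""
    best = paths[0]
    for p in paths[1:]:
        if compare_paths(p, best) < 0:
            best = p
    return best

def longest_match(rib, dst):
    """Forwarding lookup: the most specific prefix wins before any BGP attribute matters."""
    addr = ipaddress.ip_address(dst)
    hits = [n for n in rib if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda n: ipaddress.ip_network(n).prefixlen) if hits else None

# Constructed paths for 172.16.1.0/24 on R2, mirroring Examples 12-29 to 12-32
# (attribute values from the text; 'via' labels and 'age' = receive order are assumed).
EX_LOCAL_PREF = [dict(via="AS65100", as_path="65100", local_pref=100, age=0),
                 dict(via="AS65300", as_path="65300", local_pref=333, age=1)]
EX_AS_PATH = [dict(via="AS65300", as_path="65300 65300", age=0),
              dict(via="AS65100", as_path="65100", age=1)]
EX_ORIGIN = [dict(via="AS65300", as_path="65300", origin="?", age=0),
             dict(via="AS65100", as_path="65100", origin="i", age=1)]
EX_MED = [dict(via="R3-link1", as_path="65300", med=0, age=0),
          dict(via="R3-link2", as_path="65300", med=33, age=1)]

# Assumed view from an upstream router in the longest-match scenario: both R1 and R2
# announce 100.64.0.0/16, R1 alone announces 100.64.1.0/24, R2 alone 100.64.2.0/24.
UPSTREAM_TABLE = {
    "100.64.0.0/16": [dict(via="R1", as_path="65000", age=0), dict(via="R2", as_path="65000", age=1)],
    "100.64.1.0/24": [dict(via="R1", as_path="65000", age=0)],
    "100.64.2.0/24": [dict(via="R2", as_path="65000", age=0)],
}

def forward(table, dst):
    """Best path per prefix first, then longest match: returns the chosen exit ('via')."""
    rib = {prefix: select_best(paths) for prefix, paths in table.items()}
    prefix = longest_match(rib, dst)
    return rib[prefix]["via"] if prefix else None

if __name__ == "__main__":
    for name, paths in [("local_pref", EX_LOCAL_PREF), ("as_path", EX_AS_PATH),
                        ("origin", EX_ORIGIN), ("med", EX_MED)]:
        print(f"{name:10} -> best via {select_best(paths)['via']}")
    for dst in ["100.64.1.9", "100.64.2.7", "100.64.200.1"]:
        print(f"{dst:14} -> {forward(UPSTREAM_TABLE, dst)}")
```

Two behaviours worth noticing when you run it: traffic to 100.64.200.1 matches only the summary, where the older of the two equal paths wins (step 10), while traffic to 100.64.2.7 goes to R2 regardless of how the /16 tie was broken, because the /24 is more specific. Likewise, two paths with different leftmost ASNs never have their MEDs compared; the decision falls through to the later steps.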
Understanding BGP Path Selection
Weight Attribute (Cisco-defined)
Weight - BGP weight is a Cisco-defined attribute and the first step for selecting the BGP best path. Weight is a 16-bit value
(0 to 65,535) assigned locally on the router; it is not advertised to other routers.

The path with the higher weight is preferred. Weight can be set for specific routes with an inbound route map or for all
routes learned from a specific neighbor.

Weight is not advertised to peers and only influences outbound traffic from a router or an AS. Because it is the first step in
the best-path algorithm, it should be used when other attributes should not influence the best path for a specific
network.
Understanding BGP Path Selection
Local Preference Attribute
Local Preference - (LOCAL_PREF) is a well-known discretionary path attribute included with path advertisements throughout
an AS. The local preference attribute is a 32-bit value (0 to 4,294,967,295) that indicates the preference for exiting the AS
to the destination network.

The local preference is not advertised between eBGP peers and is typically used to influence the next-hop address for
outbound traffic leaving an autonomous system.

A higher value is preferred over a lower value. The default local preference value of 100 is used during best-path
calculation, and is included in advertisements to other iBGP peers.

Local preference can influence path selection on other iBGP peers without impacting eBGP peers because local
preference is not advertised outside the autonomous system.

Example 12-29 shows the BGP table for the 172.16.1.0/24 network
prefix on R2. On the third line of the output, the router indicates
that two paths exist, and the first path is the best path. The BGP
weight does not exist, so then the local preference is used. The
path learned through AS 65300 is the best path because it has a
local preference of 333.
Understanding BGP Path Selection
Locally Originated Attribute
The third decision point in the best-path algorithm is to determine whether the route originated locally.
Preference is given in the following order:
1. Routes that were advertised locally
2. Networks that have been aggregated locally
3. Routes received by BGP peers
Understanding BGP Path Selection
Accumulated Interior Gateway Protocol (AIGP) Attribute
Accumulated Interior Gateway Protocol (AIGP) - is an optional
nontransitive path attribute that is included with advertisements
throughout an AS.

BGP does not normally use a path metric, both for scalability reasons and because each AS may use a different routing
policy to calculate metrics. Making BGP routing decisions based on a path metric becomes viable when all the ASs are
under the control of a single administrative domain, with consistent routing policies for BGP and the IGPs, and the IGPs
are redistributed into BGP.

• A path with an AIGP metric is preferred to a path without an AIGP metric.


• If the next-hop address requires a recursive lookup, the AIGP path needs to calculate a derived metric to include the
distance to the next-hop address. The formula is: Derived AIGP metric = (Original AIGP metric + Next-hop AIGP metric)
• If multiple AIGP paths exist and one next-hop address contains an AIGP metric and the other does not, the non-AIGP
path is not used.
• The next-hop AIGP metric is recursively added if multiple lookups are performed.
Understanding BGP Path Selection
Shortest AS Path Attribute
The path length typically correlates to the AS hop count. A shorter AS path is preferred over a longer AS path.
Prepending ASNs to the AS path makes it longer, thereby making that path less desirable compared to other
paths. Typically, the AS path is prepended with the network owner’s ASN.
In general, a path that has had the AS path prepended is not selected as the BGP best path because the AS path
is longer than the non-prepended path advertisement.
Inbound traffic is influenced by prepending AS path length in advertisements to other ASs, and outbound traffic
is influenced by prepending advertisements received from other ASs.

Example 12-30 shows the BGP table for the 172.16.1.0/24 network prefix on R2. The second route, learned through AS
65100, is the best path. There is no weight set on either path, and the local preference is identical. The second path has
an AS path length of 1, while the first path has an AS path length of 2 (65300 65300).
Understanding BGP Path Selection
Origin Type Path Attribute
The next BGP best-path decision factor is the well-known mandatory BGP attribute named origin.

By default, networks that are advertised through the network statement are set with the IGP or i origin, and
redistributed networks are assigned the Incomplete or ? origin attribute.

The origin preference order is:

1. IGP origin (most preferred)

2. EGP origin

3. Incomplete origin (least preferred)

Example 12-31 shows the BGP table for the 172.16.1.0/24 network prefix on R2. The second path, learned through AS
65100, is the best path because it has an origin of IGP, while the first path has an origin of incomplete, which is the
least preferred.
Understanding BGP Path Selection
Multi-Exit Discriminator (MED) Path Attribute
Multiple-Exit discriminator (MED) - is a non-transitive BGP
attribute. MED uses a 32-bit value called a metric. BGP sets the
MED automatically to the IGP path metric during network
advertisement or redistribution.

If the MED is received from an eBGP session, it can be advertised to other iBGP peers, but it should not be sent to other
eBGP peers outside the AS that received it.

A lower MED is preferred over a higher MED. For MED to be an effective decision factor, the paths being decided upon
must come from the same neighboring ASN; by default a router does not compare MEDs between paths received from
different autonomous systems.

RFC 4451 guidelines state that a prefix without a MED value should be given priority and, in essence, should be compared
with a value of 0. If the MED is missing from a prefix learned from an eBGP peer, devices use a MED of 0 for the best-path
calculation. IOS routers advertise a MED of 0 to iBGP peers.

Example 12-32 shows the BGP table for the 172.16.1.0/24 network prefix on R2. Notice that R2 is peering only with AS
65300, so MED is eligible for the best-path selection process. The first path has a MED of 0, and the second path has a
MED of 33. The first path is preferred because its MED is lower.
Understanding BGP Path Selection
eBGP over iBGP
The next BGP best-path decision factor is whether the route comes from an iBGP, eBGP, or confederation member AS
(sub-AS) peering. The best-path selection order is:

1. eBGP peers (most desirable)

2. Confederation member AS peers

3. iBGP peers (least desirable)

Note: BGP confederations are beyond the scope of the CCNP and CCIE Enterprise Core
Understanding BGP Path Selection
Lowest IGP Metric
The next decision step is to use the lowest IGP cost to the
BGP next-hop address.

Figure 12-12 illustrates a topology where R2, R3, R4, and R5 are in AS 400.

AS 400 peers in a full mesh and establishes BGP sessions using Loopback 0 interfaces. R1 advertises the 172.16.0.0/24
network prefix to R2 and R4.

R3 prefers the path from R2 compared to the iBGP path from R4 because the metric to reach the next-hop address is lower.

R5 prefers the path from R4 compared to the iBGP path from R2 because the metric to reach the next-hop address is lower.
Understanding BGP Path Selection
Oldest eBGP Path, Router ID, and Minimum Cluster List Length
Oldest eBGP Path - BGP can maintain large routing tables, and unstable sessions result in the BGP best-path calculation
executing frequently. BGP maintains stability in a network by preferring the path from the oldest (established) BGP
session. The downfall of this technique is that it does not lead to a deterministic method of identifying the BGP best
path from a design perspective.

Router ID - The next step for the BGP best-path algorithm is to select the best path using the lowest router ID of the
advertising eBGP router. If the route was received by a route reflector, then the originator ID is substituted for the router
ID.

Minimum Cluster List Length - The next step in the BGP best-path algorithm is to select the best path using the lowest
cluster list length. The cluster list is a non-transitive BGP attribute that is appended (not overwritten) by a route reflector
with its cluster ID. Route reflectors use the cluster ID attribute as a loop-prevention mechanism. The cluster ID is not
advertised between ASs and is locally significant. In simplest terms, this step locates the path that has traveled the
lowest number of iBGP advertisement hops.
Understanding BGP Path Selection
Lowest Neighbor Address
The last step of the BGP best-path algorithm is to select the path that comes from the lowest BGP neighbor address.

This step is limited to iBGP peerings because eBGP peerings use the oldest received path as the tie breaker.

Figure 12-13 demonstrates the concept of choosing the router with the lowest neighbor address. R1 is advertising the
172.16.0.0/24 network prefix to R2. R1 and R2 have established two BGP sessions using the 10.12.1.0/24 and
10.12.2.0/24 networks. R2 selects the path advertised from 10.12.1.1 as it is the lower IP address.
