8-7 neighbor {ip-address | peer-group-name} distribute-list {ip-access-list-number-or-name | prefix-list-name} out

Syntax Description:

  • ip-address— Neighbor's IP address.

  • peer-group-name— Name of the peer group. See section 8-19.

  • ip-access-list-number-or-name— Number or name of a standard or extended IP access list.

  • prefix-list-name— Name of an IP prefix list (Release 12.0 and later).

Purpose: To filter outgoing route updates to a particular BGP neighbor. Only one distribute list can be used per neighbor. The operation of the output distribute list is identical for both IBGP and EBGP neighbors.

Cisco IOS Software Release: 10.0. Peer group support was added in Release 11.0, support for named access lists was added in Release 11.2, and prefix list support was added in Release 12.0.

Configuration Example 1: Block a Particular Route

In Figure 8-9, Router B is advertising four network prefixes to Router A. Router B filters the route update to Router A in order to reject the 172.16.2.0 network. Loopbacks are used on Router B to simulate the advertised networks, as shown in the following configuration.

Figure 8-9. Scenario for the Use of the neighbor distribute-list out Command

Router A

!
interface Serial0
 ip address 10.1.1.1 255.255.255.252
!
router bgp 1
 neighbor 10.1.1.2 remote-as 2

___________________________________________________________________________

Router B

ip subnet-zero
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback2
 ip address 172.16.2.1 255.255.255.0
!
interface Loopback3
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0
 ip address 10.1.1.2 255.255.255.252
 clockrate 64000
!
router bgp 2
 network 172.16.0.0 mask 255.255.255.0
 network 172.16.1.0 mask 255.255.255.0
 network 172.16.2.0 mask 255.255.255.0
 network 172.16.3.0 mask 255.255.255.0
 neighbor 10.1.1.1 remote-as 1

Before proceeding to the distribute list example, verify that Router A is receiving the routes from Router B:

rtrA#show ip bgp
BGP table version is 5, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i

Modify the BGP configuration on Router B to filter the 172.16.2.0 prefix that is being sent on Router A:

Router B

router bgp 2
 neighbor 10.1.1.1 remote-as 1
 neighbor 10.1.1.1 distribute-list 1 out
!
access-list 1 deny   172.16.2.0 0.0.0.255
access-list 1 permit any

In this example the distribute list references standard IP access list 1. The first statement in access list 1 rejects the 172.16.2.0/24 network. The second line is necessary because there is an implicit deny any at the end of every IP access list: without the permit any statement, Router B would withhold every route from Router A, not just 172.16.2.0/24.

Verification

Verify that Router B is using the access list:

rtrB#show ip bgp neighbors
BGP neighbor is 10.1.1.1,  remote AS 1, external link
 Index 1, Offset 0, Mask 0x2
  BGP version 4, remote router ID 172.17.1.1
  BGP state = Established, table version = 6, up for 00:00:25
  Last read 00:00:25, hold time is 180, keepalive interval is 60 seconds
  Minimum time between advertisement runs is 30 seconds
  Received 47 messages, 3 notifications, 0 in queue
  Sent 63 messages, 0 notifications, 0 in queue
  Prefix advertised 32, suppressed 0, withdrawn 1
  Outgoing update network filter list is 1
  Connections established 7; dropped 6
  Last reset 00:00:50, due to User reset
  0 accepted prefixes consume 0 bytes
  0 history paths consume 0 bytes
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 10.1.1.2, Local port: 11054
Foreign host: 10.1.1.1, Foreign port: 179

The line "Outgoing update network filter list is 1" confirms that access list 1 is attached in the outbound direction for this neighbor.

Check the BGP routing table on Router A to ensure that the 172.16.2.0/24 network has been filtered:

rtrA#show ip bgp
BGP table version is 4, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i

Configuration Example 2: Allow a Particular Route and Block All Others

For this example, we will allow network 172.16.2.0/24 and block all other route advertisements to Router A. The access list required on Router B is

access-list 1 permit 172.16.2.0 0.0.0.255

The BGP router configuration on Router B remains unchanged. Because there is an implicit deny any at the end of every access list, we will let this implicit statement block the remaining routes. Note that IOS appends new statements to an existing numbered access list rather than replacing it, so remove the list from Example 1 with no access-list 1 before entering the new statement; otherwise the new permit would land after the existing permit any and change nothing.

Verification

As in the previous example, check the BGP table on Router A to verify that only network 172.16.2.0/24 is in the BGP table:

rtrA#show ip bgp
BGP table version is 2, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i

Configuration Example 3: Allow an Aggregate Route and Block the More-Specific Routes

Assume that Router B is advertising an aggregate advertisement for 172.16.0.0/22 and the four more-specific routes 172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24. The BGP configuration for Router B would become

router bgp 2
 network 172.16.0.0 mask 255.255.255.0
 network 172.16.1.0 mask 255.255.255.0
 network 172.16.2.0 mask 255.255.255.0
 network 172.16.3.0 mask 255.255.255.0
 aggregate-address 172.16.0.0 255.255.252.0
 neighbor 10.1.1.1 remote-as 1

The BGP table on Router A would contain

rtrA#show ip bgp
BGP table version is 5, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i
*> 172.16.0.0/22    10.1.1.2                               0 2 i

If we want to allow only the aggregate route and block the more-specific routes, a standard IP access list won't work, because a standard list is compared against the network address only and never against the mask. To see why, we could try the following standard access list:

access-list 1 deny 172.16.0.0 0.0.0.255
access-list 1 deny 172.16.1.0 0.0.0.255
access-list 1 deny 172.16.2.0 0.0.0.255
access-list 1 deny 172.16.3.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.255.255

Unfortunately, the first statement also blocks the aggregate route. If we rearrange the statements, we could try this:

access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 deny 172.16.0.0 0.0.0.255
access-list 1 deny 172.16.1.0 0.0.0.255
access-list 1 deny 172.16.2.0 0.0.0.255
access-list 1 deny 172.16.3.0 0.0.0.255

Now the first statement matches all five routes, so all of them are permitted and the deny statements are never reached. Both orderings fail for the same reason: the network address of the aggregate, 172.16.0.0, is also the network address of 172.16.0.0/24, and a standard list has no way to tell a /22 from a /24. With access lists, the only way to permit the aggregate and reject the specific routes is an extended IP access list. Normally, the second address/mask pair in an extended IP access list signifies the destination address and mask. In a distribute list, the first pair is matched against the network address and the second pair against the subnet mask. (A prefix list, supported for this command from Release 12.0, expresses the same match with a single entry that names the prefix length.) Therefore, we can use this:

Router B

router bgp 2
 neighbor 10.1.1.1 distribute-list 100 out
!
access-list 100 permit ip 172.16.0.0 0.0.3.255 255.255.252.0 0.0.0.0

The first pair, 172.16.0.0 0.0.3.255, matches any network address from 172.16.0.0 through 172.16.3.255. The second pair, 255.255.252.0 0.0.0.0, requires the mask to be exactly 255.255.252.0, so only the /22 is permitted and the four /24s fall to the implicit deny. The protocol keyword ip is required by the extended access-list syntax even though no packets are being matched.
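To see why neither ordering of the standard list in Example 3 can work, and why the extended list does, the following Python model, added here and not part of the original page, evaluates each access list from Examples 1 through 3 against the prefixes Router B advertises. It assumes the IOS matching rules stated in the text (entries tried top to bottom, first match wins, implicit deny at the end; a standard entry tests only the network address; an extended entry tests the network address with its first pair and the subnet mask with its second); the Entry class and the function names are this example's own, and prefix lists are not modelled.

```python
"""Added example, not from the original page: a small model of how IOS evaluates
a numbered access list attached with `neighbor ... distribute-list ... out`.

Assumptions (this example's, stated in the lead-in):
  * entries are tried top to bottom, first match wins, implicit deny at the end;
  * a standard entry is compared against the route's network address only;
  * an extended entry compares its first address/wildcard pair against the
    network address and its second pair against the subnet mask;
  * wildcard bits set to 1 are "don't care", as in every IOS ACL compare.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _u32(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """IOS compare: only the bits that are 0 in the wildcard must be equal."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(value) & care) == (_u32(pattern) & care)


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    net: str                       # first pair: matched against the network address
    net_wildcard: str
    mask: Optional[str] = None     # second pair (extended list only): matched against the mask
    mask_wildcard: Optional[str] = None


def entry_matches(entry: Entry, prefix: str) -> bool:
    route = ipaddress.IPv4Network(prefix)
    if not wildcard_match(str(route.network_address), entry.net, entry.net_wildcard):
        return False
    if entry.mask is None:         # standard list: the mask is never examined
        return True
    return wildcard_match(str(route.netmask), entry.mask, entry.mask_wildcard)


def permitted(acl: List[Entry], prefix: str) -> bool:
    for entry in acl:
        if entry_matches(entry, prefix):
            return entry.action == "permit"
    return False                   # implicit "deny any" closes every IOS access list


def distribute_list_out(acl: List[Entry], advertised: List[str]) -> List[str]:
    """Prefixes that survive the outbound filter, in their original order."""
    return [p for p in advertised if permitted(acl, p)]


ANY = Entry("permit", "0.0.0.0", "255.255.255.255")
FOUR_SLASH_24 = [f"172.16.{i}.0/24" for i in range(4)]
WITH_AGGREGATE = FOUR_SLASH_24 + ["172.16.0.0/22"]

# Example 1: access-list 1 deny 172.16.2.0 0.0.0.255 / permit any
ACL_EXAMPLE_1 = [Entry("deny", "172.16.2.0", "0.0.0.255"), ANY]
# Example 2: access-list 1 permit 172.16.2.0 0.0.0.255 (implicit deny does the rest)
ACL_EXAMPLE_2 = [Entry("permit", "172.16.2.0", "0.0.0.255")]
# Example 3, first attempt: deny the four /24s, then permit 172.16.0.0 0.0.255.255
ACL_DENY_FIRST = [Entry("deny", f"172.16.{i}.0", "0.0.0.255") for i in range(4)] + \
                 [Entry("permit", "172.16.0.0", "0.0.255.255")]
# Example 3, second attempt: the same statements with the permit moved to the top
ACL_PERMIT_FIRST = [Entry("permit", "172.16.0.0", "0.0.255.255")] + \
                   [Entry("deny", f"172.16.{i}.0", "0.0.0.255") for i in range(4)]
# Example 3, extended list 100: network inside 172.16.0.0-172.16.3.255 AND mask exactly /22
ACL_100 = [Entry("permit", "172.16.0.0", "0.0.3.255", "255.255.252.0", "0.0.0.0")]

if __name__ == "__main__":
    for name, acl, routes in [("example 1", ACL_EXAMPLE_1, FOUR_SLASH_24),
                              ("example 2", ACL_EXAMPLE_2, FOUR_SLASH_24),
                              ("deny-first", ACL_DENY_FIRST, WITH_AGGREGATE),
                              ("permit-first", ACL_PERMIT_FIRST, WITH_AGGREGATE),
                              ("extended 100", ACL_100, WITH_AGGREGATE)]:
        print(f"{name:13s} -> {distribute_list_out(acl, routes)}")
```

Running the model shows the deny-first list sending nothing (the first deny swallows the /22 because its network address is 172.16.0.0), the permit-first list sending all five prefixes, and extended list 100 sending only 172.16.0.0/22.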

Verification

By examining the BGP table on Router A, we can verify that the extended access list has permitted only the aggregate address.

rtrA#show ip bgp
BGP table version is 2, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/22    10.1.1.2                               0 2 i

Troubleshooting

  1. Verify that the BGP neighbors are in the Established state using the show ip bgp neighbors command.

    If the neighbor relationship is not in the Established state, see section 8-23.

  2. Verify that the advertising router has the routes in the BGP table using the show ip bgp command. If the routes are not in the BGP table, see sections 9-1 and 9-2 for the proper use of the network command.

  3. Verify that the routes are in the receiving router’s BGP table. If they are not, check the syntax of the access list associated with the distribute list.

  4. If the routes are not in the BGP table on Router A, and you are sure that there are no errors in the configuration for Router B, clear and restart the BGP connection using clear ip bgp *. This command can be used on either Router A or B. This command clears all BGP connections; to clear a particular neighbor, use the neighbor's IP address in place of the *. Note that this is a hard reset: it tears down the TCP session and withdraws every prefix learned from that neighbor, which is why the show ip bgp neighbors display above reports "Connections established 7; dropped 6" and a last reset "due to User reset". On releases that support it, an outbound soft reset on Router B, clear ip bgp 10.1.1.1 soft out, re-sends the updates through the new distribute list without dropping the session. After clearing the connection, you can monitor the BGP route exchange using debug ip bgp updates, which should produce output similar to the following for the first configuration:

    6d15h: BGP: 10.1.1.1 computing updates, neighbor version 1, table version 5, starting at 0.0.0.0
    6d15h: BGP: 10.1.1.1 send UPDATE 172.16.0.0/24, next 10.1.1.2, metric 0, path 2
    6d15h: BGP: 10.1.1.1 send UPDATE 172.16.1.0/24 (chgflags: 0x8), next 10.1.1.2, path (before routemap/aspath update)
    6d15h: BGP: 10.1.1.1 send UPDATE 172.16.3.0/24 (chgflags: 0x8), next 10.1.1.2, path (before routemap/aspath update)

    For the second configuration, the debug output will be similar to this:

    6d15h: BGP: 10.1.1.1 computing updates, neighbor version 1, table version 5, starting at 0.0.0.0
    6d15h: BGP: 10.1.1.1 send UPDATE 172.16.2.0/24, next 10.1.1.2, metric 0, path 2
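The verification steps in the three examples and troubleshooting steps 1 through 3 compare the displays by eye. The following Python script, added here and not part of the original page, parses show ip bgp and show ip bgp neighbors output (the samples embedded below are constructed from the displays reproduced in this section) and checks that the outbound distribute list removed exactly the intended prefix and nothing else, which also catches the missing permit any case from Example 1. The function names are this example's own; it assumes the classic IOS column layout and uses the header row to find the Path column, because the Metric and LocPrf fields may be blank and cannot be split on whitespace.

```python
"""Added example, not from the original page: check the effect of a BGP
outbound distribute list from captured IOS show output.

The two show ip bgp captures and the neighbor capture are constructed samples
taken from this section's displays; the function names are this example's.
"""
import re
from typing import Dict, Set, Tuple

# show ip bgp on Router A before Router B applied the distribute list (constructed sample)
SHOW_IP_BGP_BEFORE = """\
BGP table version is 5, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.2.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i
"""

# show ip bgp on Router A after access list 1 (deny 172.16.2.0, permit any) was applied
SHOW_IP_BGP_AFTER = """\
BGP table version is 4, local router ID is 172.17.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    10.1.1.2                 0             0 2 i
*> 172.16.1.0/24    10.1.1.2                 0             0 2 i
*> 172.16.3.0/24    10.1.1.2                 0             0 2 i
"""

# Excerpt of show ip bgp neighbors on Router B (constructed sample)
SHOW_NEIGHBOR = """\
BGP neighbor is 10.1.1.1,  remote AS 1, external link
  BGP version 4, remote router ID 172.17.1.1
  BGP state = Established, table version = 6, up for 00:00:25
  Outgoing update network filter list is 1
  Connections established 7; dropped 6
"""


def parse_bgp_table(text: str) -> Dict[str, Dict[str, object]]:
    """Map each prefix in a show ip bgp display to its status, next hop, AS path and origin."""
    lines = text.splitlines()
    header = next((l for l in lines if l.lstrip().startswith("Network")), None)
    if header is None:
        raise ValueError("no 'Network ... Path' header found in show ip bgp output")
    path_col = header.index("Path")              # Path column position from the header row
    routes: Dict[str, Dict[str, object]] = {}
    for line in lines:
        if not line or line[0] not in "*sdhr":   # route lines start with a status code
            continue
        fields = line[3:path_col].split()        # prefix, next hop, then the numeric columns
        path_tokens = line[path_col:].split()    # AS path followed by the origin code
        routes[fields[0]] = {
            "status": line[:3].strip(),
            "next_hop": fields[1],
            "as_path": tuple(path_tokens[:-1]),
            "origin": path_tokens[-1],
        }
    return routes


def parse_neighbor(text: str) -> Dict[str, str]:
    """Pull the session state and the attached update filters out of show ip bgp neighbors."""
    info: Dict[str, str] = {}
    for key, pattern in (("state", r"BGP state = (\w+)"),
                         ("out_filter", r"Outgoing update network filter list is (\S+)"),
                         ("in_filter", r"Incoming update network filter list is (\S+)")):
        m = re.search(pattern, text)
        if m:
            info[key] = m.group(1)
    return info


def filter_in_effect(neighbor_text: str, acl: str) -> bool:
    """Troubleshooting steps 1 and 3: session Established and the expected list attached outbound."""
    info = parse_neighbor(neighbor_text)
    return info.get("state") == "Established" and info.get("out_filter") == acl


def check_outbound_filter(before: str, after: str,
                          expected_blocked: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (leaked, collateral): prefixes that should have been filtered but are still
    present, and prefixes that vanished although the filter was not meant to touch them
    (the symptom of a list with no permit any)."""
    present_before = set(parse_bgp_table(before))
    present_after = set(parse_bgp_table(after))
    leaked = expected_blocked & present_after
    collateral = (present_before - present_after) - expected_blocked
    return leaked, collateral


if __name__ == "__main__":
    print("filter attached:", filter_in_effect(SHOW_NEIGHBOR, "1"))
    print("leaked, collateral:", check_outbound_filter(SHOW_IP_BGP_BEFORE, SHOW_IP_BGP_AFTER,
                                                      {"172.16.2.0/24"}))
```

An empty leaked set means the filter did its job; a non-empty collateral set means the list is blocking routes it was not written to block, which is where to look first when the neighbor's table comes up empty after the reset.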


    copyright by nextccie.com