The goal of this tutorial is to practice BGP configuration and the filtering of incoming and outgoing updates on Cisco IOS XRv. To do this, we configure prefix-sets and route-policies that are applied to a particular BGP neighbor. The network topology is depicted in Picture 1. ISP1 (AS number 64500) has two customers: Customer 1 (AS64501) and Customer 2 (AS64502). Our goal is to configure inbound and outbound filters on the ISP1 Provider Edge router PE2, which provides a default route and a full routing table to AS64502. Similarly, the PE1 router will be configured to provide only a default route to AS64501.
Used Software:
- Host OS Debian GNU/Linux 10 (buster)
- GNS3 2.1.21
- Qemu/kvm 3.1.0
- PE2, PE1 - Cisco IOS XRv Software, Version 6.1.3
- CE2 - Cisco IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T
- CE1 - Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2
- PC1, Server 1 and 2 - Linux Core Pure 6.3
RAM Requirements for Qemu Guests (5888MB):
- Cisco IOS XRv Software - 2 x 2048MB
- Cisco vIOS L3 - 1 x 512MB
- Cisco vIOS L3 - 1 x 512MB
- Linux Core 6.3 - 3 x 256 MB
Picture 1 - Network Topology with 3 ASes
First, check the initial configuration that provides connectivity for customers.
1. Initial Configuration
1.1 CE2 Configuration
The router CE2 is running Cisco vIOS L3 image.
router bgp 64502
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 neighbor 11.0.0.2 remote-as 64500
 address-family ipv4
  network 150.160.0.0 mask 255.255.255.0
  neighbor 11.0.0.2 activate
 exit-address-family
1.2 CE1 Configuration
The router CE1 is running Cisco vIOS L2 image. The port Gi0/1 is configured as routed port while ports Gi0/0 and Gi0/2 are switchports connecting Server1 and 2 to our simulated network.
interface GigabitEthernet0/1
 no switchport
 ip address 12.0.0.1 255.255.255.252
interface Vlan1
 ip address 195.165.0.254 255.255.255.0
router bgp 64501
 bgp router-id 4.4.4.4
 bgp log-neighbor-changes
 neighbor 12.0.0.2 remote-as 64500
 address-family ipv4
  network 195.165.0.0
  neighbor 12.0.0.2 activate
 exit-address-family
1.3 PE1 Configuration
The router PE is running the Cisco IOS-XRv image. We need to create a route-policy that allows BGP updates to be sent to BGP neighbors and received from them. The route-policy PASS is attached to the eBGP neighbor (CE1). Below is the default configuration that will be modified later.
route-policy PASS
  pass
end-policy
router bgp 64500
 bgp router-id 2.2.2.2
 address-family ipv4 unicast
 neighbor 10.0.0.2
  remote-as 64500
  address-family ipv4 unicast
   next-hop-self
 neighbor 12.0.0.1
  remote-as 64501
  description Router CE1
  address-family ipv4 unicast
   route-policy PASS in
   route-policy PASS out
1.4 PE2 Configuration
The router PE is running Cisco IOS-XRv image.
route-policy PASS
  pass
end-policy
router bgp 64500
 bgp router-id 1.1.1.1
 address-family ipv4 unicast
 neighbor 10.0.0.1
  remote-as 64500
  address-family ipv4 unicast
   next-hop-self
 neighbor 11.0.0.1
  remote-as 64502
  description Router CE2
  address-family ipv4 unicast
   route-policy PASS in
   route-policy PASS out
Picture 2 and 3 depict BGP Table of CE1 and CE2, respectively.
Picture 2 - BGP Table of CE2
Picture 3 - BGP Table of CE1
2. Inbound and Outbound Filtering Configuration
As mentioned before, we are going to configure inbound and outbound filters on the ISP1 Provider Edge router PE2, which provides a default route and a full routing table to AS64502. Similarly, the router PE1 will be configured to provide only a default route to AS64501.
2.1 PE2 Configuration
Firstly, we are going to create a static default route pointing to null0.
router static
 address-family ipv4 unicast
  0.0.0.0/0 Null0
Define prefix-set ps-bogons matching prefixes that should not be routed. Those are special purpose prefixes and reserved prefixes [1].
prefix-set ps-bogons
  0.0.0.0/8 le 32,
  10.0.0.0/8 le 32,
  100.64.0.0/10 le 32,
  127.0.0.0/8 le 32,
  169.254.0.0/16 le 32,
  172.16.0.0/12 le 32,
  192.0.0.0/24 le 32,
  192.0.2.0/24 le 32,
  192.168.0.0/16 le 32,
  198.18.0.0/15 le 32,
  198.51.100.0/24 le 32,
  203.0.113.0/24 le 32,
  224.0.0.0/3 le 32
end-set
Define prefix-set matching the prefix 150.160.0.0/24 which is assigned to Customer 2.
prefix-set ps-as64502-in
  150.160.0.0/24
end-set
Define prefix-set ps-too-specific matching too specific prefixes. Those are the prefixes longer than /24. The statement matches prefixes that are greater than or equal to /25.
prefix-set ps-too-specific
  0.0.0.0/0 ge 25
end-set
Define prefix-set ps-default-route matching a default route 0.0.0.0/0.
prefix-set ps-default-route
  0.0.0.0/0
end-set
Routes matching prefix-set ps-default-route will be dropped, other routes will pass. The route-policy rpl-peer-out will be attached to iBGP peer 10.0.0.1 (PE1). The default route will not be propagated to iBGP peer.
route-policy rpl-peer-out
  if destination in ps-default-route then
    drop
  else
    pass
  endif
end-policy
The route-policy rpl-as64502-in, which uses the prefix-set ps-as64502-in, passes the route 150.160.0.0/24. This is a strict filtering policy that permits only the prefix assigned to Customer 2. If other routes not matching prefix-set ps-as64502-in are received from the CE2 router, they will be dropped.
route-policy rpl-as64502-in
  if destination in ps-as64502-in then
    pass
  else
    drop
  endif
end-policy
Customer 2 has an agreement with ISP1 that ISP1 provides a full Internet routing table and a default route as well. For this reason, we will only filter bogons (ps-bogons) and too specific routes that are longer than /24 (ps-too-specific). Other routes are sent from PE2 to the customer's CE2 router.
route-policy rpl-as64502-out
  if destination in ps-bogons or destination in ps-too-specific then
    drop
  else
    pass
  endif
end-policy
router bgp 64500
 bgp router-id 1.1.1.1
 address-family ipv4 unicast
  network 0.0.0.0/0
 neighbor 10.0.0.1
  remote-as 64500
  address-family ipv4 unicast
   route-policy rpl-peer-out out
   next-hop-self
 neighbor 11.0.0.1
  remote-as 64502
  description Router CE2
  address-family ipv4 unicast
   route-policy rpl-as64502-in in
   route-policy rpl-as64502-out out
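Before committing filters like these, it helps to check offline which prefixes each policy would accept. The following Python sketch is an added example, not part of the original lab: it models the ge/le matching of the prefix-sets above and mirrors rpl-as64502-out and rpl-as64502-in. The function names and the sample routes are constructed for illustration.

```python
import ipaddress

def parse_entry(text):
    """Parse one prefix-set entry, e.g. '10.0.0.0/8 le 32' or '0.0.0.0/0 ge 25'."""
    parts = text.split()
    net = ipaddress.ip_network(parts[0])
    opts = dict(zip(parts[1::2], map(int, parts[2::2])))
    lo = opts.get("ge", net.prefixlen)
    # 'ge' alone runs up to /32; with no modifier only the exact length matches.
    hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
    return net, lo, hi

def parse_set(body):
    """Parse the comma-separated body of a prefix-set."""
    return [parse_entry(e) for e in body.split(",")]

def in_set(route, entries):
    """True if the route lies under an entry and its length is within [lo, hi]."""
    r = ipaddress.ip_network(route)
    return any(lo <= r.prefixlen <= hi and r.subnet_of(net) for net, lo, hi in entries)

# Prefix-sets copied from the PE2 configuration above.
PS_BOGONS = parse_set("""
    0.0.0.0/8 le 32, 10.0.0.0/8 le 32, 100.64.0.0/10 le 32, 127.0.0.0/8 le 32,
    169.254.0.0/16 le 32, 172.16.0.0/12 le 32, 192.0.0.0/24 le 32,
    192.0.2.0/24 le 32, 192.168.0.0/16 le 32, 198.18.0.0/15 le 32,
    198.51.100.0/24 le 32, 203.0.113.0/24 le 32, 224.0.0.0/3 le 32""")
PS_TOO_SPECIFIC = parse_set("0.0.0.0/0 ge 25")
PS_AS64502_IN = parse_set("150.160.0.0/24")

def rpl_as64502_out(route):
    """Mirror of rpl-as64502-out: drop bogons and anything longer than /24."""
    bad = in_set(route, PS_BOGONS) or in_set(route, PS_TOO_SPECIFIC)
    return "drop" if bad else "pass"

def rpl_as64502_in(route):
    """Mirror of rpl-as64502-in: accept only the customer's assigned /24."""
    return "pass" if in_set(route, PS_AS64502_IN) else "drop"

if __name__ == "__main__":
    # Constructed sample routes, not taken from the lab's BGP tables.
    for route in ("0.0.0.0/0", "195.165.0.0/24", "10.1.0.0/16", "198.19.0.0/16",
                  "150.160.0.0/24", "150.160.0.0/25", "150.160.0.0/16"):
        print(f"{route:18} out={rpl_as64502_out(route):5} in={rpl_as64502_in(route)}")
```

The default route passes the outbound policy because 0.0.0.0/8 le 32 only matches prefix lengths from /8 to /32, and the inbound policy rejects both a more specific /25 and a covering /16 of the customer's prefix because an entry without ge or le matches the exact length only.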
2.2 PE1 Configuration
PE1 configuration is similar to PE2 configuration except that only a default route will be sent to Customer 1.
router static
 address-family ipv4 unicast
  0.0.0.0/0 Null0
Define prefix-set matching the prefix 195.165.0.0/24 which is assigned to Customer 1.
prefix-set ps-as64501-in
  195.165.0.0/24
end-set
prefix-set ps-default-route
  0.0.0.0/0
end-set
route-policy rpl-peer-out
  if destination in ps-default-route then
    drop
  else
    pass
  endif
end-policy
route-policy rpl-as64501-in
  if destination in ps-as64501-in then
    pass
  else
    drop
  endif
end-policy
route-policy rpl-as64502-out
  if destination in ps-default-route then
    pass
  else
    drop
  endif
end-policy
router bgp 64500
 bgp router-id 2.2.2.2
 address-family ipv4 unicast
  network 0.0.0.0/0
 neighbor 10.0.0.2
  remote-as 64500
  address-family ipv4 unicast
   route-policy rpl-peer-out out
   next-hop-self
 neighbor 12.0.0.1
  remote-as 64501
  description Router CE1
  address-family ipv4 unicast
   route-policy rpl-as64501-in in
   route-policy rpl-as64502-out out
Note: The routers CE1 and CE2 are left in their default configuration, therefore we are not going to show it again.
Note: Alternatively, we can redistribute a static default route into BGP so that we do not need to advertise the route with the network command. In this case, the configuration is as follows.
router bgp 64500
 bgp router-id 1.1.1.1
 default-information originate
 address-family ipv4 unicast
  redistribute static
We can also specify a route-policy matching only a default route; otherwise all static routes will be redistributed into BGP.
3. Configuration Testing
The default route received from 12.0.0.2 (PE1) and the route 195.165.0.0/24 originated on CE1 are installed in the BGP table of CE1 (Picture 4).
Picture 4 - BGP Table of CE1
The BGP table of PE1 contains a route 150.160.0.0/24 received from iBGP peer PE2 (10.0.0.2), the route 195.165.0.0/24 received from eBGP peer CE1 and a locally originated default route (Picture 5).
Picture 5 - BGP Table of PE1
Similarly, the BGP table of PE2 contains the route 150.160.0.0/24 learned from the eBGP peer (AS64502), the route 195.165.0.0/24 learned from iBGP peer 10.0.0.1 (PE1) and a locally originated default route (Picture 6).
Picture 6 - BGP Table of PE2
The BGP table of CE2 is depicted in Picture 7. It contains a full Internet routing table, represented by the route 195.165.0.0 learned from 11.0.0.2 (eBGP peer PE2), and a default route as well. The route 150.160.0.0/24 is a locally originated route.
Picture 7 - BGP Table of CE2
End.
Great job! I see that you are using version 6.1.3. I have iosxrv-k9-demo-6.1.3.qcow2; will it be the correct version, or must it be a fullk9 version? Do you know what "demo" means, is it a limited version?
Very good networking lab. Radovan, thanks for sharing it. It is easier to learn configuring routers if the goal is already named at the start. So while implementing the network, and configuring step by step, each change of the router configuration can be observed on the connected routers and their routing tables. Step by step. Thanks for this network lab.