BGP Route Filtering: Prefix Lists, Route Maps and AS-Path Filters
BGP Route Filtering is the heart of BGP operations: it controls which routes are advertised out and which routes are accepted in. Prefix Lists filter by network/prefix length, AS-Path Filters filter by AS path, and Route Maps express complex policy that combines several conditions and sets attributes.

BGP is the routing protocol of the internet. A wrong filter can send traffic where it should not go, or advertise routes that should not be advertised (a route leak), which can take part of the internet offline. A deep understanding of the filtering tools is therefore essential for every network engineer.
BGP Filtering Tools

| Tool | Filter By | Use Case |
| --- | --- | --- |
| Prefix List | Network address + prefix length | Filter specific prefixes or prefix length ranges |
| AS-Path ACL | AS path (regex) | Filter routes based on AS path origin/transit |
| Route Map | Multiple criteria + set actions | Complex policy: match + modify attributes |
| Community List | BGP communities | Filter/tag routes using community values |
| Distribute List (ACL) | Network address (legacy) | Legacy method (prefer prefix-list) |
Prefix List

| Feature | Details |
| --- | --- |
| Syntax (Cisco) | ip prefix-list NAME seq N permit/deny NETWORK/LEN [ge MIN] [le MAX] |
| Exact Match | ip prefix-list PL permit 10.0.0.0/8 (exactly /8) |
| Range Match | ip prefix-list PL permit 10.0.0.0/8 ge 16 le 24 (subnets /16 to /24 within 10.0.0.0/8) |
| Default Route | ip prefix-list PL permit 0.0.0.0/0 (match default route only) |
| Match All | ip prefix-list PL permit 0.0.0.0/0 le 32 (match everything) |
| Implicit Deny | A prefix that matches no entry is denied (as with an ACL) |
Prefix List Examples

| Purpose | Prefix List |
| --- | --- |
| Allow only default route | permit 0.0.0.0/0 |
| Deny default, allow all others | deny 0.0.0.0/0 → permit 0.0.0.0/0 le 32 |
| Allow 10.0.0.0/8 exact | permit 10.0.0.0/8 |
| Allow 10.x.x.x /16 to /24 | permit 10.0.0.0/8 ge 16 le 24 |
| Block RFC1918 + allow rest | deny 10.0.0.0/8 le 32 → deny 172.16.0.0/12 le 32 → deny 192.168.0.0/16 le 32 → permit 0.0.0.0/0 le 32 |
| Allow only /24 or shorter | permit 0.0.0.0/0 le 24 |
AS-Path Filters

| Feature | Details |
| --- | --- |
| Syntax (Cisco) | ip as-path access-list N permit/deny REGEX |
| Regex: ^$ | Match empty AS path (locally originated routes) |
| Regex: ^65001$ | Originated by AS 65001 (single AS in path) |
| Regex: _65001_ | Transit through AS 65001 (anywhere in path) |
| Regex: ^65001_ | Received from AS 65001 (first AS) |
| Regex: _65001$ | Originated by AS 65001 (last AS) |
| Regex: ^[0-9]+$ | Single AS in path (directly connected peer's routes) |
| Regex: .* | Match any AS path (permit all) |
AS-Path Regex Symbols

| Symbol | Meaning |
| --- | --- |
| ^ | Start of string |
| $ | End of string |
| _ | Any delimiter (space, start, end, comma) |
| . | Any single character |
| * | Zero or more of previous |
| + | One or more of previous |
| ? | Zero or one of previous |
| [0-9] | Character class (digit) |
| (65001\|65002) | Alternation (match either) |
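As an added example (not code from the original page), the following Python maps Cisco AS-path regex to ordinary regex, the one non-standard symbol being the underscore, and evaluates the regexes from the two tables above against constructed AS-path strings using as-path access-list first-match and implicit-deny semantics. The delimiter set, the sample paths and the NO_TRANSIT_65001 policy are assumptions.

```python
import re

# Cisco AS-path regex: "_" is any delimiter (space, comma, braces, parentheses,
# start or end of the path); the other symbols are ordinary regex.
def cisco_aspath_to_python(cisco_regex):
    return cisco_regex.replace("_", r"(?:^|$|[ ,{}()])")

def aspath_matches(cisco_regex, as_path):
    """as_path is the AS_PATH string as 'show ip bgp' prints it, e.g. '65010 65001'."""
    return re.search(cisco_aspath_to_python(cisco_regex), as_path) is not None

def aspath_acl_permits(entries, as_path):
    """ip as-path access-list semantics: the first matching entry wins and a
    path that matches no entry at all is implicitly denied."""
    for action, regex in entries:
        if aspath_matches(regex, as_path):
            return action == "permit"
    return False

# The regexes from the AS-Path Filters table, in the same order.
PAGE_REGEXES = ["^$", "^65001$", "_65001_", "^65001_", "_65001$", "^[0-9]+$", ".*"]

def matching_rows(as_path):
    """Which table rows match a given AS path (sample paths are constructed)."""
    return [r for r in PAGE_REGEXES if aspath_matches(r, as_path)]

# Constructed (assumed) policy: refuse anything that transits AS 65001, accept the rest.
NO_TRANSIT_65001 = [("deny", "_65001_"), ("permit", ".*")]
```

Note that "_65001_" does not match "650011" or "165001": the delimiter requirement is what keeps a regex for one ASN from matching a longer ASN that merely contains the same digits.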
Route Maps

| Feature | Details |
| --- | --- |
| Structure | route-map NAME permit/deny SEQ → match conditions → set actions |
| Match | match ip address prefix-list, match as-path, match community, match metric |
| Set | set local-preference, set weight, set as-path prepend, set community, set metric |
| Permit clause | If match → apply set actions → permit route |
| Deny clause | If match → deny route (no set actions) |
| No match | If no match in clause → check next sequence number |
| Implicit deny | If no clause matches → deny (implicit deny all) |
| Continue | continue N → jump to sequence N (for chaining) |
Route Map Examples

| Purpose | Match | Set Action |
| --- | --- | --- |
| Prefer routes from AS 65001 | match as-path (AS 65001) | set local-preference 200 |
| De-prefer backup link | no match condition (route map applied to the backup neighbor) | set local-preference 50 |
| Prepend AS outbound | match prefix-list (customer routes) | set as-path prepend 65000 65000 65000 |
| Set community for tagging | match prefix-list | set community 65000:100 |
| Set MED for inbound traffic | match prefix-list (primary) | set metric 100 (primary) / 200 (backup) |
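Added example, not code from the page: a Python model of the prefix-list length rules (exact match, ge/le ranges, implicit deny) from the Prefix List section and of the route-map clause walk (match, permit/deny, implicit deny) from this section, run over the page's RFC1918 and 10.0.0.0/8 examples. The tuple layouts, the OUTBOUND_RM policy and the 203.0.113.0/24 customer prefix are assumptions; the continue clause is not modelled.

```python
import ipaddress

# Constructed model of a Cisco "ip prefix-list" entry: (action, prefix, ge, le).
# Length rule: no ge/le -> exact length only; ge alone -> ge..32;
# le alone -> prefix length..le; both -> ge..le.
def prefix_entry_matches(entry, route):
    _action, net, ge, le = entry
    base, r = ipaddress.ip_network(net), ipaddress.ip_network(route)
    lo = base.prefixlen if ge is None else ge
    hi = le if le is not None else (r.max_prefixlen if ge is not None else lo)
    return r.subnet_of(base) and lo <= r.prefixlen <= hi

def prefix_list_permits(entries, route):
    """First matching entry wins; a route matching no entry is implicitly denied."""
    for entry in entries:
        if prefix_entry_matches(entry, route):
            return entry[0] == "permit"
    return False

# Route-map clause: (action, seq, prefix list used as the match or None, set dict).
# A clause without a match condition matches every route.
def apply_route_map(clauses, route, attrs):
    """Walk clauses in seq order and return (permitted, attrs). Only the first
    matching permit clause applies its set actions; a matching deny clause or
    no match at all (implicit deny) leaves the attributes untouched."""
    attrs = dict(attrs)
    for action, _seq, plist, sets in sorted(clauses, key=lambda c: c[1]):
        if plist is not None and not prefix_list_permits(plist, route):
            continue  # no match in this clause: try the next sequence number
        if action == "deny":
            return False, attrs
        attrs.update(sets)
        return True, attrs
    return False, attrs  # implicit deny: no clause matched

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Page example "Block RFC1918 + allow rest" as a prefix list.
BLOCK_RFC1918 = [("deny", p, None, 32) for p in RFC1918] + [("permit", "0.0.0.0/0", None, 32)]
# Same prefixes as a route-map match list: a clause matches when the prefix
# list *permits* the route, so here the entries are permits used by a deny clause.
MATCH_RFC1918 = [("permit", p, None, 32) for p in RFC1918]
# Constructed outbound policy: drop RFC1918, prepend and tag the customer /24
# (203.0.113.0/24 is a documentation prefix), advertise everything else unchanged.
OUTBOUND_RM = [
    ("deny", 10, MATCH_RFC1918, {}),
    ("permit", 20, [("permit", "203.0.113.0/24", None, None)],
     {"as-path-prepend": "65000 65000 65000", "community": "65000:100"}),
    ("permit", 30, None, {}),
]
```

Dropping the last clause of OUTBOUND_RM shows the implicit deny: a route that matches neither sequence 10 nor 20 is then silently refused, which is the usual reason a new prefix "disappears" after a route-map change.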
BGP Communities

| Community | Meaning |
| --- | --- |
| Standard | ASN:VALUE (e.g., 65000:100), 32-bit |
| Extended | Type:ASN:VALUE, 64-bit (used in MPLS VPN, EVPN) |
| Large | ASN:VALUE1:VALUE2, 96-bit (for 4-byte ASNs) |
| Well-known: no-export | Don't export to eBGP peers |
| Well-known: no-advertise | Don't advertise to any peer |
| Well-known: local-AS | Don't export outside local AS (confederation) |
Filtering Direction

| Direction | Applied To | Purpose |
| --- | --- | --- |
| Inbound (in) | neighbor X route-map IN in | Filter/modify routes received from peer |
| Outbound (out) | neighbor X route-map OUT out | Filter/modify routes advertised to peer |
| Redistribute | redistribute ospf route-map RM | Filter routes being redistributed into BGP |
Best Practices

| Practice | Details |
| --- | --- |
| Always filter inbound + outbound | Never accept or advertise everything (default deny) |
| Filter bogons inbound | Block RFC1918, RFC5737, the default route and too-specific prefixes (longer than /24) |
| Max-prefix limit | Set a maximum number of prefixes per neighbor (protection against route leaks) |
| Use prefix-list over ACL | Prefix lists are more efficient and readable |
| Document policies | Comment every filter rule with its purpose and ticket number |
| RPKI/ROA Validation | Use RPKI to validate route origins (prevent hijacking) |
| IRR Filtering | Build filters from IRR databases (RADB, RIPE) automatically |
Closing thoughts: BGP Filtering = Control Your Routing

BGP Route Filtering in summary:

- Prefix List = filter by network/prefix length (most common)
- AS-Path Filter = filter by AS path (regex-based)
- Route Map = complex policy (match + set attributes)
- Communities = tag routes for policy signaling
- Always filter inbound (bogons, max-prefix) + outbound (only your routes)
- RPKI + IRR = automated origin validation