Prefix-List
This scenario demonstrates how to configure prefix-list filtering for IPv6 BGP neighbors. The prefix-list command applies prefix-list filters to routes sent to or received from a neighbor. Options include import (filter incoming routes) and export (filter outgoing routes).
Test iBGP IPv6 - No prefix-list filter
Description
Baseline test showing that without prefix-list, all routes are received. DUT1 advertises two routes and DUT0 receives both.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address '2001:db8:1::100/64'
set protocols bgp 20 neighbor peer address-family ipv6-unicast activate
set protocols bgp 20 neighbor peer remote-address '2001:db8:1::200'
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 parameters router-id 1.1.1.100
set protocols ipv6 prefix-list IMPORT-FILTER rule 10 action permit
set protocols ipv6 prefix-list IMPORT-FILTER rule 10 prefix '2001:db8:10::/64'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address '2001:db8:10::1/64'
set interfaces dummy dum1 address '2001:db8:20::1/64'
set interfaces ethernet eth0 address '2001:db8:1::200/64'
set protocols bgp 20 address-family ipv6-unicast redistribute connected
set protocols bgp 20 neighbor peer address-family ipv6-unicast activate
set protocols bgp 20 neighbor peer remote-address '2001:db8:1::100'
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 parameters router-id 1.1.1.200
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify iBGP session establishes between DUT0 and DUT1.
Step 3: Run command protocols bgp show ipv6 summary at DUT0 and check if output matches the following regular expressions:
2001:db8:1::200.*Established
Show output
IPv6 Unicast Summary:
BGP router identifier 1.1.1.100, local AS number 20 VRF default vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor         LocalAddr  V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State        PfxRcd  PfxSnt  Desc
2001:db8:1::200  0.0.0.0    4  20  5        3        0       0    0     00:00:00  Established  0       0       FRRouting/10.4.1

Total number of neighbors 1
Attention
Verify that DUT0 receives both routes 2001:db8:10::/64 and 2001:db8:20::/64.
Step 4: Run command protocols bgp show ipv6 at DUT0 and check if output matches the following regular expressions:
2001:db8:10::/64 [\s\S]*2001:db8:20::/64
Show output
BGP table version is 3, local router ID is 1.1.1.100, vrf id 0
Default local pref 100, local AS 20 local address -
Status codes: s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath, i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

    Network           Next Hop                   Metric  LocPrf  Weight  Path
*>i 2001:db8:1::/64   fe80::dcad:beff:feef:6c10  0       100     0       ?
*>i 2001:db8:10::/64  fe80::dcad:beff:feef:6c10  0       100     0       ?
*>i 2001:db8:20::/64  fe80::dcad:beff:feef:6c10  0       100     0       ?

Displayed 3 routes and 3 total paths
Test iBGP IPv6 - Prefix-list import filter
Description
Test to verify that prefix-list import filters incoming routes. DUT0 has a prefix-list that only permits 2001:db8:10::/64. DUT1 advertises two routes but DUT0 should only receive 2001:db8:10::/64.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address '2001:db8:1::100/64'
set protocols bgp 20 neighbor peer address-family ipv6-unicast activate
set protocols bgp 20 neighbor peer address-family ipv6-unicast prefix-list import IMPORT-FILTER
set protocols bgp 20 neighbor peer remote-address '2001:db8:1::200'
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 parameters router-id 1.1.1.100
set protocols ipv6 prefix-list IMPORT-FILTER rule 10 action permit
set protocols ipv6 prefix-list IMPORT-FILTER rule 10 prefix '2001:db8:10::/64'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address '2001:db8:10::1/64'
set interfaces dummy dum1 address '2001:db8:20::1/64'
set interfaces ethernet eth0 address '2001:db8:1::200/64'
set protocols bgp 20 address-family ipv6-unicast redistribute connected
set protocols bgp 20 neighbor peer address-family ipv6-unicast activate
set protocols bgp 20 neighbor peer remote-address '2001:db8:1::100'
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 parameters router-id 1.1.1.200
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify iBGP session establishes between DUT0 and DUT1.
Step 3: Run command protocols bgp show ipv6 summary at DUT0 and check if output matches the following regular expressions:
2001:db8:1::200.*Established
Show output
IPv6 Unicast Summary:
BGP router identifier 1.1.1.100, local AS number 20 VRF default vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor         LocalAddr  V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State        PfxRcd  PfxSnt  Desc
2001:db8:1::200  0.0.0.0    4  20  3        5        0       0    0     00:00:00  Established  0       0       FRRouting/10.4.1

Total number of neighbors 1
Attention
Verify that DUT0 receives only 2001:db8:10::/64 (permitted by prefix-list).
Step 4: Run command protocols bgp show ipv6 at DUT0 and check if output matches the following regular expressions:
2001:db8:10::/64
Show output
BGP table version is 1, local router ID is 1.1.1.100, vrf id 0
Default local pref 100, local AS 20 local address -
Status codes: s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath, i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

    Network           Next Hop                   Metric  LocPrf  Weight  Path
*>i 2001:db8:10::/64  fe80::dcad:beff:feef:6c10  0       100     0       ?

Displayed 1 routes and 1 total paths
Note
DUT0 should NOT receive 2001:db8:20::/64 because it is filtered by the prefix-list.
Step 5: Run command protocols bgp show ipv6 at DUT0 and check if output does not match the following regular expressions:
2001:db8:20::/64
Show output
BGP table version is 1, local router ID is 1.1.1.100, vrf id 0
Default local pref 100, local AS 20 local address -
Status codes: s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath, i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

    Network           Next Hop                   Metric  LocPrf  Weight  Path
*>i 2001:db8:10::/64  fe80::dcad:beff:feef:6c10  0       100     0       ?

Displayed 1 routes and 1 total paths
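The filtered table above also lost 2001:db8:1::/64, which no rule mentions. The following added example (not part of the original test suite) models why, assuming the usual prefix-list semantics: rules evaluated in rule-number order, first match wins, exact prefix and length match, implicit deny at the end. The function names and the /72 test route are constructed for illustration.

```python
import ipaddress

# Constructed model of IMPORT-FILTER from the DUT0 configuration above.
IMPORT_FILTER = [
    {"rule": 10, "action": "permit", "prefix": "2001:db8:10::/64"},
]

# Prefixes DUT1 advertises, as seen in the unfiltered baseline table.
ADVERTISED = ["2001:db8:1::/64", "2001:db8:10::/64", "2001:db8:20::/64"]


def evaluate(prefix_list, route):
    """Return (action, rule_number) for a route; rule_number is None when
    no rule matched and the implicit deny applied."""
    net = ipaddress.ip_network(route, strict=True)
    for rule in sorted(prefix_list, key=lambda r: r["rule"]):
        entry = ipaddress.ip_network(rule["prefix"], strict=True)
        # Assumption: with no length range, only the identical prefix
        # and prefix length match; more-specifics do not.
        if net == entry:
            return rule["action"], rule["rule"]
    return "deny", None


def filter_routes(prefix_list, routes):
    """Routes that survive the filter, in the order they were offered."""
    return [r for r in routes if evaluate(prefix_list, r)[0] == "permit"]


if __name__ == "__main__":
    # 2001:db8:10::/72 is a constructed more-specific of the permitted prefix.
    for route in ADVERTISED + ["2001:db8:10::/72"]:
        action, rule = evaluate(IMPORT_FILTER, route)
        reason = f"rule {rule}" if rule is not None else "implicit deny"
        print(f"{route:20} {action:6} ({reason})")
```
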
Test iBGP IPv6 - Prefix-list export filter
Description
Test to verify that prefix-list export filters outgoing routes. DUT1 has a prefix-list that only permits 2001:db8:10::/64 for export. DUT1 has two routes but only exports 2001:db8:10::/64 to DUT0.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address '2001:db8:1::100/64'
set protocols bgp 20 neighbor peer address-family ipv6-unicast activate
set protocols bgp 20 neighbor peer remote-address '2001:db8:1::200'
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 parameters router-id 1.1.1.100
set protocols ipv6 prefix-list IMPORT-FILTER rule 10 action permit
set protocols ipv6 prefix-list IMPORT-FILTER rule 10 prefix '2001:db8:10::/64'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces dummy dum0 address '2001:db8:10::1/64'
set interfaces dummy dum1 address '2001:db8:20::1/64'
set interfaces ethernet eth0 address '2001:db8:1::200/64'
set protocols bgp 20 address-family ipv6-unicast redistribute connected
set protocols bgp 20 neighbor peer address-family ipv6-unicast activate
set protocols bgp 20 neighbor peer address-family ipv6-unicast prefix-list export EXPORT-FILTER
set protocols bgp 20 neighbor peer remote-address '2001:db8:1::100'
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 parameters router-id 1.1.1.200
set protocols ipv6 prefix-list EXPORT-FILTER rule 10 action permit
set protocols ipv6 prefix-list EXPORT-FILTER rule 10 prefix '2001:db8:10::/64'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify iBGP session establishes between DUT0 and DUT1.
Step 3: Run command protocols bgp show ipv6 summary at DUT0 and check if output matches the following regular expressions:
2001:db8:1::200.*Established
Show output
IPv6 Unicast Summary:
BGP router identifier 1.1.1.100, local AS number 20 VRF default vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor         LocalAddr  V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State        PfxRcd  PfxSnt  Desc
2001:db8:1::200  0.0.0.0    4  20  3        5        0       0    0     00:00:00  Established  0       0       FRRouting/10.4.1

Total number of neighbors 1
Attention
Verify that DUT0 receives only 2001:db8:10::/64 (permitted by export prefix-list).
Step 4: Run command protocols bgp show ipv6 at DUT0 and check if output matches the following regular expressions:
2001:db8:10::/64
Show output
BGP table version is 1, local router ID is 1.1.1.100, vrf id 0
Default local pref 100, local AS 20 local address -
Status codes: s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath, i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

    Network           Next Hop                   Metric  LocPrf  Weight  Path
*>i 2001:db8:10::/64  fe80::dcad:beff:feef:6c10  0       100     0       ?

Displayed 1 routes and 1 total paths
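The checks in these tests are regular-expression matches on the table text, and a "does not match" check on its own also passes when the table is empty. The following added example (not part of the original test suite) parses the Network column and compares the received set with the expected allowlist exactly. The function names and the embedded sample rows are constructed from the outputs on this page.

```python
import ipaddress

# Status-code characters listed in the table legend.
STATUS_CHARS = set("sdhu*>=irSR")

# Constructed samples: route rows as they appear in the outputs on this page.
FILTERED = """\
    Network           Next Hop                   Metric  LocPrf  Weight  Path
*>i 2001:db8:10::/64  fe80::dcad:beff:feef:6c10  0       100     0       ?
Displayed 1 routes and 1 total paths
"""
BASELINE = """\
*>i 2001:db8:1::/64   fe80::dcad:beff:feef:6c10  0       100     0       ?
*>i 2001:db8:10::/64  fe80::dcad:beff:feef:6c10  0       100     0       ?
*>i 2001:db8:20::/64  fe80::dcad:beff:feef:6c10  0       100     0       ?
"""


def received_prefixes(output):
    """Extract the Network column from route rows of the BGP table."""
    found = set()
    for line in output.splitlines():
        tokens = line.split()
        # A route row starts with status codes followed by prefix/length.
        if len(tokens) < 2 or not set(tokens[0]) <= STATUS_CHARS:
            continue
        if "/" not in tokens[1]:
            continue  # e.g. a bare next-hop address, not a prefix
        try:
            found.add(ipaddress.ip_network(tokens[1], strict=True))
        except ValueError:
            continue  # legend or header text, not a route row
    return found


def check_table(output, expected):
    """Compare the received set with the allowlist exactly."""
    want = {ipaddress.ip_network(p) for p in expected}
    got = received_prefixes(output)
    return {
        "ok": got == want,
        "missing": sorted(str(p) for p in want - got),
        "unexpected": sorted(str(p) for p in got - want),
    }
```

An empty or truncated output is reported under "missing" rather than passing silently.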