
Configuring BGP Filters

BGP filters filter routes to be advertised.

Context

BGP uses the following types of filters to filter routes:
  • Access Control List
  • IP-Prefix List
  • AS_Path filter
  • Community filter
  • Extcommunity filter
  • Route-Policy

Procedure

  • Configure an AS_Path filter.

    An AS_Path filter is used to filter BGP routes based on the AS_Path attributes contained in the BGP routes. If you do not want traffic to pass through an AS, configure an AS_Path filter to filter out the routes carrying the number of that AS. If the BGP routing table of each device on a network is large, configuring an ACL or an IP prefix list to filter BGP routes may be complicated and make new routes difficult to maintain; an AS_Path filter avoids listing individual prefixes.

    If the AS_Path information of a summarized route is lost, the AS_Path filter cannot be used to filter the summarized route, but can still be used to filter the specific routes from which the summarized route is derived.

    An AS_Path filter can be used as a matching condition of a route-policy or be used in the peer as-path-filter command.

    1. Access the system view.

      system-view

    2. Configure an AS_Path filter.

      ip as-path-filter { as-path-filter-number | as-path-filter-name } { permit | deny } regular-expression

  • Configure a community filter.

    A BGP community attribute is used to identify a group of routes with the same properties. Routes can be classified by community attribute. This facilitates route management.

    Some AS internal routes may not need to be advertised to any other AS, whereas AS external routes need to be advertised to other ASs. These AS external routes have different prefixes (as a result, an IP prefix list is inapplicable) and may come from different ASs (as a result, an AS_Path filter is inapplicable). You can set a community attribute value for these AS internal routes and another community attribute value for these AS external routes on an ASBR to control and filter these routes.

    1. Access the system view.

      system-view

    2. Configure a community filter.

      ip community-filter
      • To configure a standard community filter, run the ip community-filter { basic comm-filter-name { permit | deny } [ community-number | aa:nn ] * &<1-16> | basic-comm-filter-num { permit | deny } [ community-number | aa:nn ] * &<1-16> } [ internet | no-export-subconfed | no-advertise | no-export ] * command.

      • To configure an advanced community filter, run the ip community-filter { advanced comm-filter-name | adv-comm-filter-num } { permit | deny } regular-expression command.

  • Configure an extcommunity filter.

    Similar to a BGP community filter, a BGP extcommunity filter is used to filter private network routes.

    1. Access the system view.

      system-view

    2. Perform either of the following operations as required to configure an extcommunity filter:

      • To configure a basic extcommunity filter, run the ip extcommunity-filter { basic-extcomm-filter-num | basic basic-extcomm-filter-name } { deny | permit } { rt { { as-number-plain | as-number-dot }:nn | ipv4-address:nn } } &<1-16> command.

      • To configure an advanced extcommunity filter, run the ip extcommunity-filter { adv-extcomm-filter-num | advanced adv-extcomm-filter-name } { deny | permit } regular-expression command.

      Multiple entries can be defined in an extcommunity filter. The relationship between the entries is "OR". This means that if a route matches one of the rules, the route matches the filter.

  • Configure a route-policy.

    A route-policy is used to match routes or route attributes, and to change route attributes when specific conditions are met. Because the preceding filters can be used as matching conditions of a route-policy, a route-policy is a powerful and flexible filtering tool.

    1. Access the system view.

      system-view

    2. Configure a node for a route-policy and access the view of the route-policy.

      route-policy route-policy-name { permit | deny } node node
      A route-policy consists of multiple nodes. For example, the route-policy route-policy-example permit node 10 command specifies node 10 and the route-policy route-policy-example deny node 20 command specifies node 20. The two nodes belong to the route-policy specified by route-policy-example. The relationship between the nodes of a route-policy is "OR". The details are as follows:
      • If a route matches one node, the route matches the route-policy and will not be matched with the next node. For example, there are two nodes defined using the route-policy route-policy-example permit node 10 and route-policy route-policy-example deny node 20 commands. If a route matches the node defined using the route-policy route-policy-example permit node 10 command, the route will not be matched with the node defined using the route-policy route-policy-example deny node 20 command.
      • If a route does not match any node, the route fails to match the route-policy.

      When a route-policy is used to filter a route, the route is first matched with the node with the smallest node value. For example, if two nodes are configured using the route-policy route-policy-example permit node 10 and route-policy route-policy-example deny node 20 commands, a route is first matched with the node configured using the route-policy route-policy-example permit node 10 command.

      The FW considers that each unmatched route fails to match the route-policy by default. If more than one node is defined in a route-policy, at least one of them must be in permit mode.

    3. (Optional) Perform the following operations as needed to configure if-match clauses for current nodes of the route-policy:

      if-match clauses are used to filter routes. If no if-match clause is specified, all routes will match the node in the route-policy.

      • To match an ACL, run the if-match acl acl-number command.

      • To match an IP prefix list, run the if-match ip-prefix ip-prefix-name command.

        The if-match acl and if-match ip-prefix commands cannot be used together in the same node of a route-policy, because the latest configuration will override the previous one.

      • To match the AS_Path attribute of BGP routes, run the if-match as-path-filter { as-path-filter-number | as-path-filter-name } &<1-16> command.

      • To match the community attribute of BGP routes, run either of the following commands:

      • To match the extended community attribute of BGP routes, run the if-match extcommunity-filter { { basic-extcomm-filter-num | adv-extcomm-filter-num } &<1-16> | basic-extcomm-filter-name | advanced-extcomm-filter-name } command.

      The operations in Step 3 can be performed in any order. A node may have multiple if-match clauses or no if-match clause.

      The relationship between the if-match clauses in a node of a route-policy is "AND". A route must match all the rules before the action defined by the apply clause is taken. For example, if two if-match clauses (if-match acl 2003 and if-match as-path-filter 100) are defined in the route-policy route-policy-example permit node 10 command, a route is considered to match node 10 only when it matches the two if-match clauses.

    4. (Optional) Perform the following operations as needed to configure apply clauses for current nodes of the route-policy:

      apply clauses can be used to set attributes for routes matching if-match clauses. If this step is not performed, the attributes of routes matching if-match clauses remain unchanged.

      • To replace or add a specified AS number in the AS_Path attribute of a BGP route, run the apply as-path { { as-number-plain | as-number-dot } &<1-10> { additive | overwrite } | none overwrite } command.

      • To delete a specified BGP community attribute from a route, run the apply comm-filter comm-filter-number delete command.

        The apply comm-filter delete command deletes a specified community attribute from a route. An instance of the ip community-filter command can specify only one community attribute each time. To delete more than one community attribute, run the ip community-filter command multiple times.

      • To delete all community attributes from a BGP route, run the apply community none command.
      • To set community attributes for a BGP route, run the apply community { community-number | aa:nn | internet | no-advertise | no-export | no-export-subconfed } &<1-32> [ additive ] command.
      • To set an extended community attribute (route-target) for a route, run the apply extcommunity { rt { as-number:nn | 4as-number:nn | ipv4-address:nn } } &<1-16> [ additive ] command.
      • To set the local preference for a BGP route, run the apply local-preference preference command.
      • To set the Origin attribute for a BGP route, run the apply origin { igp | egp { as-number-plain | as-number-dot } | incomplete } command.
      • To set a preferred value for a BGP route, run the apply preferred-value preferred-value command.
      • To set dampening parameters for an EBGP route, run the apply dampening half-life-reach reuse suppress ceiling command.

      The operations in Step 4 can be performed in any order. A node may have multiple apply clauses or no apply clause.
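
The matching rules described above (an AS_Path filter used as an if-match condition, nodes tried from the smallest node value, if-match clauses ANDed, unmatched routes rejected), modeled in Python as an added example that is not Huawei code. The policy, AS numbers, community value and routes are constructed, and the first-match and no-match behavior inside the AS_Path filter is an assumption of this model.

```python
import re

def as_path_regex(expr):
    # "_" in an AS_Path regular expression matches a delimiter (space, comma,
    # braces, parentheses) or the start/end of the AS_Path string.
    return re.compile(expr.replace("_", r"(?:^|$|[ ,{}()])"))

def as_path_filter(entries):
    """entries: ordered (action, regex) pairs, one per ip as-path-filter line."""
    compiled = [(action, as_path_regex(rx)) for action, rx in entries]
    def match(route):
        for action, rx in compiled:
            if rx.search(route["as_path"]):
                return action == "permit"  # assumption: first matching entry decides
        return False                       # assumption: no entry matched -> no match
    return match

def community(value):
    return lambda route: value in route["communities"]

def evaluate(policy, route):
    """policy: {node: (mode, [if-match predicates], {attributes set by apply})}."""
    for node in sorted(policy):                # smallest node value first
        mode, if_matches, applies = policy[node]
        if all(m(route) for m in if_matches):  # clauses are ANDed; none = match all
            if mode == "deny":
                return None                    # matched a deny node: filtered out
            return {**route, **applies}        # permit node: apply clauses take effect
    return None                                # matched no node: fails the policy

# Constructed policy (hypothetical AS numbers and community value): reject routes
# that crossed AS 65010, raise local preference on tagged routes, permit the rest.
POLICY = {
    10: ("deny", [as_path_filter([("permit", "_65010_")])], {}),
    20: ("permit", [community("65001:100")], {"local_pref": 200}),
    30: ("permit", [], {}),
}
ROUTES = [  # constructed sample routes
    {"prefix": "198.51.100.0/24", "as_path": "65020 65010 65030", "communities": []},
    {"prefix": "203.0.113.0/24", "as_path": "65020 650100", "communities": ["65001:100"]},
    {"prefix": "192.0.2.0/24", "as_path": "65040", "communities": []},
]

def run():
    return [(r["prefix"], evaluate(POLICY, r)) for r in ROUTES]

if __name__ == "__main__":
    for prefix, result in run():
        print(prefix, "->", result)
```

The second route shows why the underscores matter: without them, the expression 65010 would also match AS 650100 and the route would be rejected at node 10.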

Copyright © Huawei Technologies Co., Ltd.