BGP Conditional Advertisement and Filtering
Introduction
BGP is the backbone protocol of the internet and enterprise WAN, and controlling which routes are advertised to which neighbors is a critical operational skill. Without proper filtering and conditional advertisement, a network can leak routes unintentionally, attract traffic it cannot handle, or create suboptimal forwarding paths. This lesson focuses on how BGP uses route maps, prefix filtering, and conditional logic to control route advertisement behavior.
By the end of this lesson, you will understand how route maps are applied to BGP neighbors to filter and modify route advertisements, how redistribution into BGP interacts with route type keywords to control which prefixes enter the BGP table, and how next-hop manipulation through outbound route maps gives you precise control over forwarding behavior. These skills are essential for the CCNP ENARSI exam and for day-to-day enterprise routing operations.
Key Concepts
Route Maps in BGP
A route map is a powerful policy tool that allows you to match specific traffic or routes and then apply actions to them. In the context of BGP, route maps serve two primary purposes: filtering which routes are advertised to or accepted from a neighbor, and modifying route attributes such as the next-hop address before advertisement.
Route maps use a permit/deny logic with sequence numbers. When a route map is applied outbound on a BGP neighbor, only routes that match a permit statement are advertised. Routes matching a deny statement, or routes that do not match any statement at all, are suppressed.
Redistribution Filtering into BGP
When redistributing routes from another protocol such as OSPF into BGP, the type of OSPF route matters. OSPF intra-area and inter-area routes (internal routes) are redistributed by default if no additional keyword is specified with the redistribute ospf command. However, OSPF external routes must be explicitly defined in the redistribute command using the appropriate keyword. This distinction acts as a built-in filter that prevents unintended external route leaking into BGP unless the administrator consciously enables it.
Next-Hop Manipulation
One of the most common uses of outbound route maps in BGP is next-hop manipulation. When BGP advertises routes, the next-hop attribute tells the receiving router where to forward traffic. In environments where IPv6 routes are advertised over IPv4-based peerings, the next hop can become unreachable if not properly set. Route maps provide the mechanism to override the default next-hop behavior and set a reachable address.
| Concept | Purpose | Mechanism |
|---|---|---|
| Route map filtering | Control which routes are advertised | Match/permit or match/deny on BGP neighbor |
| Redistribution keywords | Control which OSPF route types enter BGP | Keywords in the redistribute command |
| Next-hop manipulation | Ensure advertised routes have reachable next hops | set commands within outbound route maps |
| Policy-Based Routing | Forward specific traffic through non-default paths | Route map applied on ingress interface |
How It Works
Route Map Application to BGP Neighbors
When you apply a route map to a BGP neighbor using the route-map keyword in the outbound direction, every route update sent to that neighbor passes through the route map logic. The router evaluates each prefix against the route map's match conditions. If a prefix matches a permit clause, the route is advertised (with any attribute modifications defined by set commands). If a prefix matches a deny clause, it is filtered out and not sent to the neighbor.
This process happens at the time of route advertisement. The local BGP table is not affected; only the updates sent to the specific neighbor are modified. This means you can apply different route maps to different neighbors, giving you granular control over what each peer sees.
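The outbound evaluation described above, modeled in Python as an added example (not part of the original lesson and not a vendor implementation): the first matching clause wins, an unmatched prefix hits the implicit deny, and each neighbor gets its own view of an unchanged local table. The route-map names, prefixes, neighbor addresses and the simplified prefix-length match are assumptions made for illustration.

```python
import ipaddress

# Constructed policy: route-map names, prefixes and neighbor addresses are
# illustrative. A clause is (sequence, action, covering network, max length);
# a covering network of None matches every prefix.
ROUTE_MAPS = {
    "TO-ISP": [
        (10, "deny", "10.0.0.0/8", 32),         # never announce private space
        (20, "permit", "203.0.113.0/24", 24),   # the aggregate, no more-specifics
    ],
    "TO-CORE": [(10, "permit", None, None)],    # internal peer sees everything
}
NEIGHBOR_OUT = {"198.51.100.1": "TO-ISP", "192.0.2.2": "TO-CORE"}
BGP_TABLE = ["203.0.113.0/24", "203.0.113.128/25", "10.20.0.0/16", "172.16.5.0/24"]

def evaluate(route_map, prefix):
    """Return (action, sequence) of the first matching clause.

    A prefix that matches no clause gets ("deny", None): the implicit deny.
    """
    net = ipaddress.ip_network(prefix)
    for seq, action, cover, max_len in sorted(ROUTE_MAPS[route_map], key=lambda c: c[0]):
        if cover is None or (net.subnet_of(ipaddress.ip_network(cover))
                             and net.prefixlen <= max_len):
            return action, seq
    return "deny", None

def advertised_to(neighbor, table=BGP_TABLE):
    """Prefixes sent to one neighbor; the local table itself is never modified."""
    route_map = NEIGHBOR_OUT[neighbor]
    return [p for p in table if evaluate(route_map, p)[0] == "permit"]

if __name__ == "__main__":
    for peer in NEIGHBOR_OUT:
        print(peer, advertised_to(peer))
```

The more-specific 203.0.113.128/25 and the unlisted 172.16.5.0/24 are both suppressed toward the ISP without any explicit deny clause, which is the behavior that keeps an incomplete policy from leaking routes.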
Conditional Advertisement with Redistribute Filtering
When OSPF routes are redistributed into BGP, the router conditionally includes routes based on their OSPF route type. By default, only OSPF intra-area and inter-area routes are redistributed. This means that if a router learns an OSPF external route (Type 5 or Type 7 LSA), that route will not appear in the BGP table unless the redistribute command explicitly includes the external keyword. This conditional behavior protects the BGP domain from inheriting potentially unstable or redundant external routes from the OSPF domain.
Next-Hop Resolution in Dual-Stack Environments
A specific and important application of conditional route advertisement involves IPv6 routes advertised over IPv4-based BGP peerings. When two BGP peers communicate over IPv4, but the IPv6 address family is activated between them, IPv6 routes are exchanged. However, the next hop for those IPv6 routes is set to an IPv4-mapped IPv6 address (for example, ::ffff:192.0.2.1), which is unreachable in a native IPv6 forwarding plane.
According to RFC 2545, the BGP next hop for IPv6 routes can carry either a global IPv6 address only, or both a global and link-local IPv6 address if the peers share a common subnet. The next-hop address installed in the routing table depends on the peering method used.
| BGP Peer Configuration | Advertised Next Hop | Next Hop Installed in RIB |
|---|---|---|
| IPv6 global address on-link (eBGP) | Global + Link Local | Link Local |
| IPv6 global address off-link (eBGP) | Global | Global |
| IPv6 global address (iBGP) | Global | Global |
| IPv6 link-local address | Link Local | Link Local |
There are three main approaches to solve this next-hop problem for IPv6 routes advertised over IPv4 peerings:
- Configure an outbound route map to explicitly set the IPv6 next hop to a reachable global IPv6 address
- Enable automatic IPv6 next-hop address selection for IPv4 peers, which uses the global IPv6 address of the update-source interface
- Use multiple sessions with an IPv6-based session for the IPv6 address family and an IPv4-based session for IPv4
Each approach has trade-offs. Sharing a single session conserves system resources but creates a single point of failure. Manually setting next hops on each peering is tedious and error-prone. Multiple sessions consume somewhat more resources but provide clean separation.
Configuration Example
Applying a Route Map to Set IPv6 Next Hop
Consider two routers, R1 and R2, peered over IPv4 addresses 192.0.2.1 and 192.0.2.2 respectively. Each router also has IPv6 global addresses 2001:db8::1 (R1) and 2001:db8::2 (R2). To ensure IPv6 routes have a reachable next hop, an outbound route map is applied on each side.
R1 Configuration:
route-map NH permit 10
 set ipv6 next-hop 2001:db8::1
!
router bgp 64512
 no bgp default ipv4-unicast
 neighbor 192.0.2.2 remote-as 64513
 !
 address-family ipv6 unicast
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 route-map NH out
R2 Configuration:
route-map NH permit 10
 set ipv6 next-hop 2001:db8::2
!
router bgp 64513
 no bgp default ipv4-unicast
 neighbor 192.0.2.1 remote-as 64512
 !
 address-family ipv6 unicast
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 route-map NH out
In this configuration, the route-map NH out command applies the route map in the outbound direction on each neighbor. Every IPv6 route advertised from R1 to R2 will have its next hop set to 2001:db8::1, and every IPv6 route from R2 to R1 will have its next hop set to 2001:db8::2. Without this route map, the next hop would default to an IPv4-mapped address like ::ffff:192.0.2.1, which would be unreachable.
The no bgp default ipv4-unicast command disables automatic activation of the IPv4 address family for all neighbors, which is a best practice in dual-stack environments where you want explicit control over which address families are active per neighbor.
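A configuration audit for the next-hop problem above, added here as an example and not taken from the lesson or from any vendor tool: it lists each IPv4 peer activated under the IPv6 address family and reports whether its outbound route map sets an IPv6 next hop, and whether that next hop is IPv4-mapped. The two extra neighbors and the route map BAD are constructed input, and the parser assumes the indentation of a saved IOS-style configuration.

```python
import ipaddress
import re

# R1's configuration from the lesson ("!" separators omitted), plus two constructed
# neighbors (192.0.2.6, 192.0.2.10) and a constructed route map BAD to audit.
CONFIG = """\
route-map NH permit 10
 set ipv6 next-hop 2001:db8::1
route-map BAD permit 10
 set ipv6 next-hop ::ffff:192.0.2.1
router bgp 64512
 no bgp default ipv4-unicast
 neighbor 192.0.2.2 remote-as 64513
 neighbor 192.0.2.6 remote-as 64514
 neighbor 192.0.2.10 remote-as 64515
 address-family ipv6 unicast
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 route-map NH out
  neighbor 192.0.2.6 activate
  neighbor 192.0.2.10 activate
  neighbor 192.0.2.10 route-map BAD out
"""

def audit_ipv6_next_hops(config):
    """Map each IPv4 peer activated under address-family ipv6 to a finding."""
    next_hops, activated, out_maps = {}, [], {}
    current_map, in_v6_af = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # top-level line opens a new section
            m = re.match(r"route-map (\S+) (?:permit|deny) \d+", line)
            current_map, in_v6_af = (m.group(1) if m else None), False
        elif line.startswith("address-family"):
            in_v6_af = line.startswith("address-family ipv6")
        elif current_map and (m := re.match(r"set ipv6 next-hop (\S+)", line)):
            next_hops[current_map] = m.group(1)
        elif in_v6_af and (m := re.match(r"neighbor (\d[\d.]+) activate", line)):
            activated.append(m.group(1))
        elif in_v6_af and (m := re.match(r"neighbor (\d[\d.]+) route-map (\S+) out", line)):
            out_maps[m.group(1)] = m.group(2)
    findings = {}
    for peer in activated:
        nh = next_hops.get(out_maps.get(peer))
        if nh is None:
            findings[peer] = "no outbound route map sets an IPv6 next hop"
        else:
            state = "IPv4-mapped" if ipaddress.IPv6Address(nh).ipv4_mapped else "ok"
            findings[peer] = f"{state}: next hop {nh}"
    return findings
```

A peer reported as having no route map may still be covered by automatic next-hop selection, so that finding is a prompt to check the update-source interface rather than proof of a broken session.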
Automatic IPv6 Next-Hop Selection
As an alternative to manual route maps, automatic IPv6 next-hop address selection works when two BGP peers communicate over IPv4 but their update-source interfaces also have global IPv6 addresses. The selection follows this order:
- Use the next hop set by the outbound route map, if configured
- Use the global IPv6 address of the neighbor update-source interface, if available
- Use the global and link-local IPv6 address of the local interface directly connected to the peer
This automatic method reduces configuration overhead but requires that the update-source interfaces have globally reachable IPv6 addresses assigned.
Policy-Based Routing for Traffic Steering
While not a BGP-specific feature, Policy-Based Routing (PBR) complements BGP filtering by allowing traffic to be routed based on criteria other than the destination address. PBR identifies specific traffic and forwards it through a path different from the default CEF exit.
ip policy route-map map-tag
This command is applied on the ingress interface. Within the route map, the next hop is set using one of two commands:
- set ip next-hop ip-address causes the system to first use policy routing and then fall back to the routing table
- set ip default next-hop ip-address causes the system to first use the routing table and then fall back to the policy-specified next hop
Important: The difference between set ip next-hop and set ip default next-hop is the order of operation. With set ip next-hop, policy routing takes priority. With set ip default next-hop, the routing table takes priority and the policy next hop is used only when no routing table entry exists for the destination.
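The order of operation for the two set commands, as an added Python sketch that is not part of the original lesson: a longest-prefix-match lookup stands in for the routing table, and the function shows which source wins for each command. The routing table entries, addresses and the policy_nh_usable flag are assumptions made for the example.

```python
import ipaddress

# Constructed routing table of (prefix, next hop) pairs, documentation addresses.
# It has no default route, so "no routing table entry" is unambiguous here.
RIB = [("198.51.100.0/24", "192.0.2.10"), ("198.51.100.128/25", "192.0.2.20")]

def rib_lookup(dst):
    """Longest-prefix match over RIB; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in RIB
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def pbr_next_hop(dst, command, policy_nh, policy_nh_usable=True):
    """Next hop for a packet that matched the policy route map on ingress.

    command is "set ip next-hop" or "set ip default next-hop"; policy_nh_usable
    models whether the policy next hop can currently be used (an assumption of
    this sketch). Returns None when neither source yields a next hop.
    """
    policy = policy_nh if policy_nh_usable else None
    table = rib_lookup(dst)
    if command == "set ip next-hop":
        return policy or table        # policy first, routing table as fallback
    if command == "set ip default next-hop":
        return table or policy        # routing table first, policy as fallback
    raise ValueError(f"unsupported set command: {command}")

if __name__ == "__main__":
    for cmd in ("set ip next-hop", "set ip default next-hop"):
        for dst in ("198.51.100.200", "203.0.113.7"):
            print(f"{cmd:26} {dst:15} -> {pbr_next_hop(dst, cmd, '192.0.2.99')}")
```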
Real-World Application
Service Provider Peering
In service provider networks, route maps on BGP neighbors are essential for controlling which prefixes are announced to upstream providers and peers. Advertising too many specific routes can violate peering agreements, while advertising too few can cause traffic blackholes. Outbound route maps with prefix-list matching give operators surgical control over advertisement.
Enterprise Multi-Homing
Enterprises connected to multiple ISPs use BGP conditional advertisement to influence inbound traffic. By selectively advertising prefixes to different providers and manipulating attributes through route maps, an enterprise can steer traffic toward a preferred link while maintaining the backup path.
Dual-Stack Transition Networks
The IPv6 next-hop problem is a real-world challenge during IPv4-to-IPv6 transitions. Many networks run dual-stack but maintain IPv4-based BGP peerings for operational simplicity. Using outbound route maps to set correct IPv6 next hops ensures that IPv6 reachability is maintained without requiring a separate IPv6 BGP session.
Redistribution Boundaries
When redistributing OSPF into BGP at the network edge, filtering OSPF external routes by default prevents route feedback loops and keeps the BGP table clean. Administrators must consciously decide to include external routes, which is a sound security and stability practice.
Best Practice: Always apply route maps on BGP neighbors in production environments, even if the initial policy is to permit everything. Having the route map structure in place makes future filtering changes non-disruptive.
Summary
- Route maps applied to BGP neighbors in the outbound direction control which prefixes are advertised and allow attribute modification before advertisement.
- OSPF redistribution into BGP conditionally includes only intra-area and inter-area routes by default; external routes require explicit keywords.
- IPv6 next-hop manipulation through outbound route maps solves the unreachable next-hop problem when IPv6 routes are advertised over IPv4-based BGP peerings.
- The difference between set ip next-hop and set ip default next-hop in PBR determines whether policy routing or the routing table is consulted first.
- Automatic IPv6 next-hop selection provides a lower-maintenance alternative to manual route maps when update-source interfaces have global IPv6 addresses.
In the next lesson, we will explore BGP path selection and advanced attribute tuning, building on the filtering and advertisement control techniques covered here.