BGP Peer with multiple out filters

operat0r · July 5, 2017, 1:12pm

Hello,

I have 1 BGP peer that i want to announce two prefixes lets say 10.10.10.0/24 and 10.10.11.0/24 and discard the rest. How will i do that since i can only put only one filter in the OUT Filter.

mrz · July 5, 2017, 1:19pm

You can put multiple filter rules in one chain.

operat0r · July 6, 2017, 5:43am

Where can i do that? In the GUI i only see one option for 1 entry for out filter. Is it different if i do it in the CLI ?

mrz · July 6, 2017, 5:49am

/routing filter
add chain=isp2-out prefix=10.10.10.0/24 action=accept
add chain=isp2-out prefix=10.10.11.0/24 action=accept
add chain=isp2-out action=discard

operat0r · July 6, 2017, 5:50am

Thank you very much

ZeroByte · July 6, 2017, 3:45pm

If you want to do it in one rule, you could allow:
prefix=10.10.10.0/23 prefix-length=24

That’s a one-rule solution that does what you want as well. (just offering this as a food-for-thought item to help you increase your knowledge of how things work)

The reason this works is as follows:
prefix=10.10.10.0/23 means that any prefix falling completely within the range 10.10.10.0 through 10.10.11.255 will be matched by this criteria. Thus 10.10.10.192/29 would match…
But you only want the /24 sub-prefixes of the master range to be allowed, which is what the prefix-length=24 does. BOTH conditions must be true, and since only 10.10.10.0/24 and 10.10.11.0/24 meet both criteria, only those two prefixes will be allowed.

One other thing to note about the prefix=x.x.x.x/n matching behavior:
Suppose you specified 10.10.8.0/23 as the prefix to match. Any prefix which fits completely within it will be matched. So 10.10.8.64/26 would match, 10.10.9.64/26 would match, etc. 10.10.8.0/23 obviously matches… but 10.10.8.0/22 does NOT match because it covers addresses outside of the specified prefix - e.g. 10.10.10.0/24 would be INSIDE the /22 range, but OUTSIDE the /23 range, thus 10.10.8.0/22 would not match a rule with prefix=10.10.8.0/23, even though it starts at the same spot in IP space… This would be the case even if you stated prefix-length=22-24 on the same rule because while the prefix length of 22 is acceptable, the prefix itself doesn’t fit inside the designated 10.10.8.0/23

Hope that didn’t muddy things up too much for you.