One small misstep in BGP advertisement can lead to a network disaster — and yes, it has happened to many top companies (some even made the news!). That’s why today, we’re talking about a life-saving skill: BGP Prefix Filtering.
I still remember an incident where a misconfigured route map leaked the entire internet routing table into an internal environment. The BGP session didn’t flap — the network did. After that, prefix filtering became not just a best practice, but a rule I live by when designing or auditing any BGP configuration. So, let’s deep dive into it with real-world examples, CLI tricks, and a hands-on EVE-NG lab.
Theory in Brief: What is BGP Prefix Filtering?
The Concept
BGP Prefix Filtering is all about controlling the flow of routes between BGP neighbors. You can choose which prefixes to advertise, accept, or deny using tools like prefix-lists, route-maps, and distribute-lists.
Why is this important?
Because BGP operates on trust, and by default, it will accept and advertise anything — unless told otherwise.
Why Use BGP Prefix Filtering?
- Prevent unwanted route leaks
- Block bogus routes (like 0.0.0.0/0 from being advertised to upstream ISPs)
- Improve security and stability
- Save memory and CPU by filtering unnecessary routes
In essence, prefix filtering gives you fine-grained control over what BGP is allowed to process and forward.
How Prefix Filtering Works
Prefix filtering is typically implemented using:
- Prefix-lists: Match specific IP prefixes or ranges.
- Route-maps: Combine multiple conditions and actions.
- Distribute-lists: Older method, based on access-lists.
Most enterprise networks use prefix-lists + route-maps for scalable control.
Comparison – Prefix Filtering Techniques, Pros & Cons
Filtering Method | Description | Common Use Case | Pros | Cons |
---|---|---|---|---|
Prefix-list | Matches prefixes with exact/mask length | Filter exact routes during IN/OUT | Lightweight, simple syntax | Limited matching logic |
Route-map | Applies logic to accept/deny prefixes using lists | More complex policy-based control | Flexible, can set metrics/tags | Slightly complex configuration |
Distribute-list | Legacy method using ACLs | Simple filtering in older IOS versions | Easy to understand | Not as scalable |
Essential CLI Commands (Cisco IOS)
Purpose | Command Example | Description |
---|---|---|
Create a Prefix-List | ip prefix-list BLOCK-BAD seq 5 deny 0.0.0.0/0 | Deny default route |
Permit Specific Prefix | ip prefix-list ALLOW-SUBNET seq 10 permit 192.168.10.0/24 | Allow one subnet |
Apply Inbound Filter to Neighbor | neighbor X.X.X.X prefix-list ALLOW-SUBNET in | Filters incoming prefixes |
Apply Outbound Filter | neighbor X.X.X.X prefix-list BLOCK-BAD out | Filters outgoing prefixes |
Route-Map Using Prefix-List | route-map RM-FILTER permit 10 match ip address prefix-list ALLOW-SUBNET | Match routes via prefix-list |
Apply Route-Map | neighbor X.X.X.X route-map RM-FILTER in | Apply route-map to neighbor |
Show Prefix-List | show ip prefix-list | Displays all configured prefix-lists |
Show BGP Advertised Routes | show ip bgp neighbors X.X.X.X advertised-routes | Verifies outbound filtering |
Show BGP Received Routes | show ip bgp neighbors X.X.X.X received-routes | Verifies inbound filtering |
Debug BGP Filtering | debug ip bgp updates | See real-time update activity |
Real-World Use Cases – Prefix Filtering in Practice
Scenario | Filtering Type | Description |
---|---|---|
ISP Preventing Default Route Export | Outbound Prefix-List | Prevents sending 0.0.0.0/0 to customers |
Enterprise Receiving Only Specific CIDRs | Inbound Prefix-List | Accepts only 10.0.0.0/8 and 172.16.0.0/12 from the ISP |
BGP Route Reflector Filtering Clients | Route-Map | Controls which prefixes are reflected to which clients |
MPLS VPN Route Import Control | Prefix-List + Route-Map | Matches and filters VPNv4 prefixes before importing into routing table |
Cloud Network Gateway Filtering | Inbound Filtering | Accepts only defined public IPs from the cloud peer |
EVE-NG LAB – BGP Prefix Filtering Hands-On
Topology:

- R1 peers with R2
- R2 peers with R3
- R2 is the central router applying prefix filtering
CONFIGURATION STEPS
Router R1
```
interface lo0
 ip address 10.1.1.1 255.255.255.255
!
router bgp 65001
 network 10.1.1.1 mask 255.255.255.255
 neighbor 192.168.12.2 remote-as 65002
```
Router R3
```
interface lo0
 ip address 30.1.1.1 255.255.255.255
!
router bgp 65003
 network 30.1.1.1 mask 255.255.255.255
 neighbor 192.168.23.2 remote-as 65002
```
Router R2 – Prefix Filtering
```
! An entry with no ge/le matches only the exact prefix length, so a bare
! "permit 10.0.0.0/8" would not match R1's 10.1.1.1/32; "le 32" covers all
! lengths inside 10.0.0.0/8.
ip prefix-list BLOCK-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list BLOCK-DEFAULT seq 10 permit 10.0.0.0/8 le 32
ip prefix-list BLOCK-DEFAULT seq 20 permit 30.1.1.1/32
!
router bgp 65002
 neighbor 192.168.12.1 remote-as 65001
 neighbor 192.168.23.3 remote-as 65003
 neighbor 192.168.12.1 prefix-list BLOCK-DEFAULT in
 neighbor 192.168.23.3 prefix-list BLOCK-DEFAULT out
```
Troubleshooting Tips
Symptom | Cause | Troubleshooting Steps |
---|---|---|
Route not appearing in BGP table | Prefix-list blocking the route | Check `show ip prefix-list` and review each seq entry's permit/deny |
Advertised route missing at peer | Outbound filter applied | Verify with show ip bgp neighbors advertised-routes |
Prefix-list not matching as expected | Mask length mismatch | Check le or ge options in prefix-list |
Full internet table received unexpectedly | No inbound filter | Apply prefix-list inbound on neighbor |
Filtering not working | Prefix-list not applied properly | Check the running configuration to confirm the prefix-list is applied to the neighbor in the right direction |
FAQ – BGP Prefix Filtering
1. What is BGP prefix filtering and why is it important?
Answer:
BGP prefix filtering is the process of controlling which prefixes (routes) a BGP router advertises or accepts using filtering tools like prefix-lists, route-maps, or distribute-lists. It is important for:
- Preventing route leaks
- Improving network security
- Controlling routing policy
- Ensuring compliance with peering agreements
Prefix filtering gives you full control over route exchange.
2. What tools are used for prefix filtering in BGP on Cisco IOS?
Answer:
The most commonly used tools are:
- Prefix-lists – Filter based on network prefix and mask.
- Route-maps – Provide more granular control (can match prefix-list, AS-path, communities, etc.).
- Distribute-lists – Apply filtering using ACLs, prefix-lists, or route-maps (less flexible).
Typically, prefix-list + route-map combination is used for clean, scalable configurations.
3. What is the syntax for creating a basic prefix-list to filter a subnet?
Answer:
Here’s an example that permits only 192.168.10.0/24:
```
ip prefix-list FILTER-OUT seq 5 permit 192.168.10.0/24
```
To deny everything else:
```
ip prefix-list FILTER-OUT seq 10 deny 0.0.0.0/0 le 32
```
Always end the list with an explicit catch-all deny so the policy reads as intended instead of relying on implicit behaviour.
4. How do I apply a prefix-list to a BGP neighbor?
Answer:
You apply it under the `neighbor` command with an `in` or `out` direction:
```
router bgp 65001
 neighbor 10.1.1.2 prefix-list FILTER-OUT out
```
- in – Filters incoming routes
- out – Filters routes you advertise
Best Practice: Filter both incoming and outgoing based on your routing policy.
5. How can I filter multiple subnet sizes with a single prefix-list?
Answer:
Use `ge` (greater than or equal to) and `le` (less than or equal to):
```
ip prefix-list FILTER-IN seq 5 permit 10.0.0.0/8 ge 16 le 24
```
This allows subnets from /16 to /24 within the 10.0.0.0/8 space — very useful in large-scale networks.
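The matching rules behind both this answer and the R2 lab list are easier to reason about when written out. The following Python block is an added illustration for this article, not Cisco code: it parses `ip prefix-list` lines in the syntax used above, applies first-match-by-sequence with the implicit deny at the end, treats an entry without `ge`/`le` as an exact-length match, and evaluates two constructed variants of the lab's BLOCK-DEFAULT list (a bare `permit 10.0.0.0/8` and the same entry with `le 32`) plus the FILTER-IN list from this answer against sample prefixes. The sample prefixes are constructed for the demonstration.

```python
"""Model of Cisco IOS ip prefix-list matching (added illustration, not Cisco code).

Rules modelled:
  * entries are evaluated in ascending seq order and the first match decides;
  * a prefix matching no entry is denied (the implicit deny at the end of every list);
  * an entry with neither ge nor le matches only the exact prefix length;
  * ge/le widen the accepted length range: ge <= length <= le, where a missing ge
    defaults to the entry's own mask length and a missing le defaults to 32.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, candidate: ipaddress.IPv4Network) -> bool:
        # The candidate must sit inside the entry's network ...
        if not candidate.subnet_of(self.network):
            return False
        # ... and its prefix length must fall in the entry's accepted range.
        if self.ge is None and self.le is None:
            return candidate.prefixlen == self.network.prefixlen
        low = self.ge if self.ge is not None else self.network.prefixlen
        high = self.le if self.le is not None else 32
        return low <= candidate.prefixlen <= high


def parse_prefix_list(config: str, name: str) -> List[PrefixListEntry]:
    """Collect 'ip prefix-list NAME seq N permit|deny A.B.C.D/M [ge X] [le Y]' lines for NAME."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[:2] != ["ip", "prefix-list"] or tokens[2] != name:
            continue
        if tokens[3] != "seq" or tokens[5] not in ("permit", "deny"):
            raise ValueError(f"unsupported prefix-list line: {line!r}")
        ge = le = None
        options = tokens[7:]
        for keyword, value in zip(options[::2], options[1::2]):
            if keyword == "ge":
                ge = int(value)
            elif keyword == "le":
                le = int(value)
            else:
                raise ValueError(f"unknown option {keyword!r} in {line!r}")
        entries.append(PrefixListEntry(int(tokens[4]), tokens[5],
                                       ipaddress.IPv4Network(tokens[6]), ge, le))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[PrefixListEntry], prefix: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); ("deny", None) means the implicit deny fired."""
    candidate = ipaddress.IPv4Network(prefix)
    for entry in entries:
        if entry.matches(candidate):
            return entry.action, entry.seq
    return "deny", None


# Constructed samples: the lab's BLOCK-DEFAULT list with an exact-match /8 entry, the same
# list with "le 32", and the FILTER-IN list from the ge/le answer.
LAB_EXACT = """
ip prefix-list BLOCK-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list BLOCK-DEFAULT seq 10 permit 10.0.0.0/8
ip prefix-list BLOCK-DEFAULT seq 20 permit 30.1.1.1/32
"""
LAB_RANGE = LAB_EXACT.replace("permit 10.0.0.0/8", "permit 10.0.0.0/8 le 32")
FILTER_IN = "ip prefix-list FILTER-IN seq 5 permit 10.0.0.0/8 ge 16 le 24"


def lab_results() -> dict:
    """R1's loopback 10.1.1.1/32 against both variants of BLOCK-DEFAULT, plus the default route."""
    exact = parse_prefix_list(LAB_EXACT, "BLOCK-DEFAULT")
    ranged = parse_prefix_list(LAB_RANGE, "BLOCK-DEFAULT")
    return {
        "exact /8 vs 10.1.1.1/32": evaluate(exact, "10.1.1.1/32"),
        "/8 le 32 vs 10.1.1.1/32": evaluate(ranged, "10.1.1.1/32"),
        "/8 le 32 vs 0.0.0.0/0": evaluate(ranged, "0.0.0.0/0"),
    }


def filter_in_results() -> dict:
    """Which prefix lengths inside 10.0.0.0/8 the 'ge 16 le 24' entry accepts."""
    entries = parse_prefix_list(FILTER_IN, "FILTER-IN")
    return {p: evaluate(entries, p)[0] for p in
            ("10.0.0.0/8", "10.0.0.0/15", "10.1.0.0/16", "10.1.1.0/24", "10.1.1.1/32", "172.16.0.0/16")}


if __name__ == "__main__":
    for label, result in {**lab_results(), **filter_in_results()}.items():
        print(f"{label:28} -> {result}")
```

Running it shows the lab gotcha directly: the bare `/8` entry never matches R1's `/32`, so that route falls through to the implicit deny, while the `le 32` variant permits it at seq 10 and still drops the default route at seq 5. The FILTER-IN results show that `ge 16 le 24` rejects the /8 itself and anything longer than /24.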
6. What’s the difference between a prefix-list and a route-map?
Answer:
Feature | Prefix-list | Route-map |
---|---|---|
Purpose | Match prefixes and masks | Policy control using various match conditions |
Granularity | Limited (prefix + mask) | High (can match AS-path, communities, etc.) |
Use With | neighbor x.x.x.x prefix-list | neighbor x.x.x.x route-map |
Common Use Case | Prefix filtering | Conditional routing and advanced policies |
Prefix-lists are often used within route-maps to match networks.
7. How can I filter routes based on AS-path instead of prefix?
Answer:
Use an AS-path access-list referenced from a route-map:
```
ip as-path access-list 10 permit ^65002$
!
route-map FILTER-AS-PATH deny 10
 match as-path 10
! Without a final permit clause the route-map's implicit deny would drop every route
route-map FILTER-AS-PATH permit 20
```
Then apply the route-map to a neighbor:
```
router bgp 65001
 neighbor 192.0.2.2 route-map FILTER-AS-PATH in
```
This drops routes whose AS-path is exactly 65002, that is, routes originated by the directly connected AS 65002, and accepts everything else. To match routes originated by AS 65002 wherever it appears as the last AS in the path, use `_65002$` instead.
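The decision logic of that route-map is easier to see when modelled in code. The following Python block is an added illustration for this article, not Cisco software: it expands the IOS `_` regex token into a standard regex, evaluates an as-path access-list and a route-map with their first-match and implicit-deny semantics, and compares a route-map that holds only the `deny 10` clause with one that also has a `permit 20` clause, over constructed sample AS paths. It also contrasts `^65002$` with `_65002$` on the same paths.

```python
"""Model of a Cisco IOS as-path access-list and route-map decision (added illustration, not Cisco code).

IOS AS-path regex is ordinary regex with one extra token: `_` matches any delimiter,
meaning the start or end of the path, a space, a comma, or the braces/parentheses around
AS-sets and confederation segments. Both the access-list and the route-map are first-match,
and both end in an implicit deny.
"""
import re
from typing import List, Optional, Tuple

_DELIMITER = r"(?:^|$|[\s,{}()])"

AsPathAcl = List[Tuple[str, str]]                 # [(action, ios_regex), ...] in configured order
RouteMapClause = Tuple[str, Optional[AsPathAcl]]  # (action, as-path ACL, or None for match-all)


def ios_regex_to_python(pattern: str) -> re.Pattern:
    """Expand the IOS `_` token; every other construct is passed through unchanged."""
    return re.compile(pattern.replace("_", _DELIMITER))


def as_path_matches(pattern: str, as_path: str) -> bool:
    return ios_regex_to_python(pattern).search(as_path) is not None


def acl_action(acl: AsPathAcl, as_path: str) -> str:
    """First matching entry wins; an AS path that no entry matches is denied."""
    for action, pattern in acl:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


def route_map_action(clauses: List[RouteMapClause], as_path: str) -> str:
    """A clause fires when it has no match condition or its as-path ACL permits the path.
    Falling off the end of the route-map is an implicit deny."""
    for action, acl in clauses:
        if acl is None or acl_action(acl, as_path) == "permit":
            return action
    return "deny"


# Constructed policy objects mirroring the answer above.
ACL_10: AsPathAcl = [("permit", "^65002$")]
DENY_ONLY: List[RouteMapClause] = [("deny", ACL_10)]                      # deny 10 with no permit clause
WITH_PERMIT: List[RouteMapClause] = [("deny", ACL_10), ("permit", None)]  # deny 10 followed by permit 20

# Constructed sample AS paths as they would appear in "show ip bgp".
SAMPLE_PATHS = ("65002", "65003", "65001 65002", "65002 65004")


def compare_route_maps() -> dict:
    """(deny-only result, deny+permit result) for each sample path."""
    return {path: (route_map_action(DENY_ONLY, path), route_map_action(WITH_PERMIT, path))
            for path in SAMPLE_PATHS}


def compare_regexes() -> dict:
    """(^65002$ match, _65002$ match): exact single-AS path versus 65002 as the origin AS."""
    return {path: (as_path_matches("^65002$", path), as_path_matches("_65002$", path))
            for path in SAMPLE_PATHS}


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:14} route-map: {compare_route_maps()[path]}  regex: {compare_regexes()[path]}")
```

The deny-only route-map returns `deny` for every path, including `65003`, which is why the permit clause matters. With the permit clause in place only the path `65002` is dropped; `65001 65002` passes `^65002$` untouched even though AS 65002 originated it, whereas `_65002$` catches it.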
8. How do I verify if prefix filtering is working correctly?
Answer:
Use the following commands:
```
show ip prefix-list
show ip bgp neighbors x.x.x.x advertised-routes
show ip bgp neighbors x.x.x.x received-routes
```
- Check whether desired routes are allowed or blocked.
- Confirm whether filters are applied correctly in the config.
Always test in a lab before deploying in production.
9. What are the risks of incorrect prefix filtering?
Answer:
Misconfigured prefix filters can cause:
- Route leakage (advertising internal routes to external peers)
- Loss of connectivity (blocking legitimate routes)
- Sub-optimal routing
- Routing table pollution
Always include a deny-all fallback, review filters regularly, and apply prefix filtering best practices.
10. Can you give a real-world use case for outbound prefix filtering?
Answer:
Scenario:
You’re a small ISP peering with an upstream Tier-1 provider. You want to advertise only your assigned public blocks (e.g., 203.0.113.0/24 and 198.51.100.0/24).
Solution:
```
ip prefix-list MY-ROUTES seq 5 permit 203.0.113.0/24
ip prefix-list MY-ROUTES seq 10 permit 198.51.100.0/24
ip prefix-list MY-ROUTES seq 15 deny 0.0.0.0/0 le 32
!
router bgp 65010
 neighbor 192.0.2.1 prefix-list MY-ROUTES out
```
Final Note
Understanding how to differentiate and implement BGP Prefix Filtering – Control What You Advertise and Accept! [ CCNP ENTERPRISE ] is critical for anyone pursuing CCNP Enterprise (ENCOR) certification or working in enterprise network roles. Use this guide in your practice labs, real-world projects, and interviews to show a solid grasp of architectural planning and CLI-level configuration skills.
If you found this article helpful and want to take your skills to the next level, I invite you to join my Instructor-Led Weekend Batch for:
CCNP Enterprise to CCIE Enterprise – Covering ENCOR, ENARSI, SD-WAN, and more!
Get hands-on labs, real-world projects, and industry-grade training that strengthens your Routing & Switching foundations while preparing you for advanced certifications and job roles.
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088
Upskill now and future-proof your networking career!