How to Filter BGP Routes in Cisco — A Deep, Interactive Guide
Welcome! In this post you’ll learn why route filtering is essential in BGP, how the main techniques work, and how to use them effectively in live Cisco environments. For foundational context, see the Border Gateway Protocol article on Wikipedia, which describes BGP as the protocol that exchanges routing and reachability information between autonomous systems.
Why BGP Route Filtering Matters
In BGP, every route a peer advertises can become part of your Internet routing table. Without control, unwanted prefixes can pollute the routing table, causing traffic blackholes, routing loops, or policy violations. Proper filtering ensures *only the prefixes you intend* are accepted or advertised.
BGP Route Filtering Methods Overview
There are three primary mechanisms used in Cisco IOS to control which BGP routes are accepted from or advertised to neighbors:
- Route‑maps – Flexible but verbose, can match on prefix plus other attributes.
- Distribute‑lists – Simple filters referencing traditional ACLs.
- Prefix lists – Designed specifically for matching networks and prefix lengths; the most scalable and readable option.
Key takeaway: Prefix lists are almost always cleaner and less error‑prone than ACL‑based distribute lists when filtering BGP network prefixes.
How Route Filtering Works — Interactive Examples
Route‑maps allow granular control using ACLs or prefix lists. Inbound (in) or outbound (out) updates are compared against your match conditions, sequence by sequence, and the first matching sequence decides.
access-list 105 deny ip host 172.25.0.0 host 255.255.0.0
access-list 105 permit ip any any
route-map ACL-RT-FILTER permit 10
 match ip address 105
route-map ACL-RT-FILTER deny 20
router bgp 65500
 neighbor 192.168.1.5 remote-as 65510
 neighbor 192.168.1.5 route-map ACL-RT-FILTER in
This blocks exactly 172.25.0.0/16 from the peer and allows all other prefixes. When an extended ACL is used for route filtering, the source part matches the route's network and the destination part matches its subnet mask, so host 172.25.0.0 host 255.255.0.0 matches only the /16 itself, not its subnets. Any route that ACL 105 does not permit fails sequence 10 and is dropped by sequence 20 (the route-map's implicit deny would drop it anyway; the explicit deny documents the intent).
Distribute‑lists reference ACLs to accept or deny BGP updates. The principle is similar to route‑maps, but simpler.
access-list 106 deny ip host 172.25.0.0 host 255.255.0.0
access-list 106 permit ip any any
router bgp 65500
 neighbor 192.168.1.5 remote-as 65510
 neighbor 192.168.1.5 distribute-list 106 in
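To make the ACL semantics used by both the route-map and the distribute-list above concrete, here is an added example (not code from the original post) that evaluates an extended ACL the way BGP route filtering applies it: the source address/wildcard is compared against the route's network, the destination address/wildcard against its mask, the first matching entry wins, and no match means deny. ACL 106 is the one from the post; ACLs 107 and 108 and the list of received prefixes are constructed for the demo and show how a wildcard on the network, or on the mask, changes what gets dropped.

```python
"""Added example (not from the original post): evaluate a Cisco IOS extended
ACL the way BGP route filtering applies it.

When a distribute-list (or a route-map "match ip address") references an
extended ACL, the SOURCE address/wildcard is compared with the route's network
and the DESTINATION address/wildcard with the route's subnet mask. Entries are
tried top to bottom, the first match decides, and a route that matches nothing
is denied (implicit deny). ACLs 107/108 and the received prefixes are
constructed for this demo; ACL 106 is the one shown in the post.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _operand(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, tokens[2:]
    return _addr(tokens[0]), _addr(tokens[1]), tokens[2:]


def parse_acl(text: str):
    """Parse 'access-list N permit|deny ip <src> <dst>' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action = tok[2]
        if tok[3] != "ip":
            raise ValueError(f"only 'ip' entries make sense for route filtering: {line}")
        net, net_wc, rest = _operand(tok[4:])
        mask, mask_wc, rest = _operand(rest)
        if rest:
            raise ValueError(f"unexpected trailing tokens: {line}")
        entries.append((action, net, net_wc, mask, mask_wc))
    return entries


def acl_permits(entries, prefix: str) -> bool:
    """True if the ACL permits the route given as 'network/len'."""
    route = ipaddress.IPv4Network(prefix)
    r_net, r_mask = int(route.network_address), int(route.netmask)
    for action, net, net_wc, mask, mask_wc in entries:
        # a wildcard bit set to 1 means "don't care": clear it on both sides
        net_care = ~net_wc & ALL_ONES
        mask_care = ~mask_wc & ALL_ONES
        if (r_net & net_care) == (net & net_care) and (r_mask & mask_care) == (mask & mask_care):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def filter_routes(acl_text: str, prefixes):
    """Map each received prefix to whether the ACL lets it through."""
    entries = parse_acl(acl_text)
    return {p: acl_permits(entries, p) for p in prefixes}


# ACL 106 from the post: denies exactly 172.25.0.0/16 and nothing else.
ACL_EXACT = """
access-list 106 deny ip host 172.25.0.0 host 255.255.0.0
access-list 106 permit ip any any
"""

# Easy mistake (constructed): a wildcard on the network and 'any' for the mask
# denies everything inside 172.25.0.0/16, the summary included.
ACL_WHOLE_BLOCK = """
access-list 107 deny ip 172.25.0.0 0.0.255.255 any
access-list 107 permit ip any any
"""

# Deny only the more-specifics (constructed): mask 255.255.128.0 with wildcard
# 0.0.127.255 matches every contiguous mask from /17 to /32, so the /16 passes.
ACL_MORE_SPECIFICS = """
access-list 108 deny ip 172.25.0.0 0.0.255.255 255.255.128.0 0.0.127.255
access-list 108 permit ip any any
"""

# constructed sample of prefixes received from the peer
RECEIVED = ["172.25.0.0/16", "172.25.1.0/24", "172.25.200.128/25", "10.0.0.0/8"]

if __name__ == "__main__":
    for name, acl in (("106", ACL_EXACT), ("107", ACL_WHOLE_BLOCK), ("108", ACL_MORE_SPECIFICS)):
        print(f"ACL {name}:", filter_routes(acl, RECEIVED))
```

Running it shows why the post calls ACL-based filtering error-prone: ACL 106 drops only the /16, ACL 107 drops the /16 and everything under it, and ACL 108 keeps the /16 but drops its more-specifics, with the difference hidden in the wildcard masks rather than stated as a prefix length.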
Prefix lists were designed for matching prefixes and masks. They are easier to read and manage when you have many prefixes to handle.
ip prefix-list PREFIX-FILTER seq 10 deny 172.25.0.0/16
ip prefix-list PREFIX-FILTER seq 20 permit 0.0.0.0/0 le 32
router bgp 65500
 neighbor 192.168.1.5 remote-as 65510
 neighbor 192.168.1.5 prefix-list PREFIX-FILTER in
Best practice: end a list of denies with a broad permit such as permit 0.0.0.0/0 le 32 so the routes you want still pass; without it the implicit deny at the end of the prefix list drops everything else. An entry without ge or le matches only the exact prefix length written, so 0.0.0.0/0 on its own would match just the default route; le 32 extends it to every prefix length.
Understanding Prefix List Matching
Prefix lists support operators like ge (greater or equal) and le (less or equal) to match specific subnet lengths. For example:
ip prefix-list EXAMPLE seq 10 permit 0.0.0.0/0 ge 24 le 32
This will allow only prefixes between /24 and /32 and deny everything else.
ip prefix-list SUMMARY seq 10 deny 172.25.0.0/16 ge 17
ip prefix-list SUMMARY seq 20 permit 172.25.0.0/16
ip prefix-list SUMMARY seq 30 permit 0.0.0.0/0 le 32
This blocks subnets of 172.25.0.0/16 but permits the summary route itself and all other prefixes.
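The ge/le rules are easy to get wrong, so here is an added example (not code from the original post) that evaluates prefix-list entries with IOS semantics: sequences are tried in ascending order, the route's leading bits must match the entry's network for the entry's own length, ge/le bound the route's prefix length, and a route matching no entry is denied. It also applies the validity rule IOS enforces on entry (length < ge <= le). The EXAMPLE and SUMMARY lists are the ones above; the received prefixes are constructed for the demo.

```python
"""Added example (not from the original post): evaluate Cisco IOS ip prefix-list
entries, including ge/le, against a set of received prefixes.

Rules implemented (matching IOS behaviour):
  - entries are tried in ascending seq order and the first match decides
  - the route's first L bits must equal the entry's A/L network bits
  - 'A/L'            matches only routes of length exactly L
  - 'A/L ge G'       matches lengths G..32
  - 'A/L le E'       matches lengths L..E
  - 'A/L ge G le E'  matches lengths G..E
  - IOS rejects an entry unless L < ge <= le (le defaults to 32)
  - a route matching no entry is denied (implicit deny)
The lists are the EXAMPLE and SUMMARY lists from the post; RECEIVED is constructed.
"""
import ipaddress
import re

_ENTRY = re.compile(
    r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)


def parse_prefix_list(text: str):
    """Return {name: [(seq, action, network, min_len, max_len), ...]} sorted by seq."""
    lists = {}
    for line in text.strip().splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        name, seq, action, pfx, ge, le = m.groups()
        net = ipaddress.IPv4Network(pfx)
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (32 if ge else net.prefixlen)
        # IOS: "Invalid prefix range ... make sure: len < ge-value <= le-value"
        if ge and not (net.prefixlen < lo <= hi <= 32):
            raise ValueError(f"invalid prefix range: {line}")
        if le and not ge and not (net.prefixlen < hi <= 32):
            raise ValueError(f"invalid prefix range: {line}")
        lists.setdefault(name, []).append((int(seq), action, net, lo, hi))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def entry_matches(entry, route: ipaddress.IPv4Network) -> bool:
    _, _, net, lo, hi = entry
    if not (lo <= route.prefixlen <= hi):
        return False
    # compare only the entry's own prefix length worth of leading bits
    return (int(route.network_address) & int(net.netmask)) == int(net.network_address)


def evaluate(entries, prefix: str):
    """Return (action, seq) of the first matching entry, or ('deny', None)."""
    route = ipaddress.IPv4Network(prefix)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1], entry[0]
    return "deny", None  # implicit deny at the end of every prefix-list


def apply_prefix_list(text: str, name: str, prefixes):
    """Map each received prefix to 'permit' or 'deny' under list `name`."""
    entries = parse_prefix_list(text)[name]
    return {p: evaluate(entries, p)[0] for p in prefixes}


def is_valid_entry(line: str) -> bool:
    """True if IOS would accept the entry's ge/le range."""
    try:
        return bool(parse_prefix_list(line))
    except ValueError:
        return False


PREFIX_LISTS = """
ip prefix-list EXAMPLE seq 10 permit 0.0.0.0/0 ge 24 le 32
ip prefix-list SUMMARY seq 10 deny 172.25.0.0/16 ge 17
ip prefix-list SUMMARY seq 20 permit 172.25.0.0/16
ip prefix-list SUMMARY seq 30 permit 0.0.0.0/0 le 32
"""

# constructed sample of prefixes received from the peer
RECEIVED = ["0.0.0.0/0", "10.0.0.0/8", "172.25.0.0/16", "172.25.1.0/24",
            "172.25.200.128/25", "198.51.100.0/24"]

if __name__ == "__main__":
    for name in ("EXAMPLE", "SUMMARY"):
        print(name, apply_prefix_list(PREFIX_LISTS, name, RECEIVED))
```

Note that `evaluate` also returns the sequence number that decided the outcome; on a real router the same information comes from the hit counts in `show ip prefix-list detail NAME`, which is the quickest way to confirm a list is doing what you intended.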
⚙️ BGP Filtering Behavior — Notes You Must Know
- Combining filters: a route-map, an AS-path filter-list, and either a prefix-list or a distribute-list can all be applied to the same neighbor in the same direction, and a route must pass every one of them to be accepted or advertised. A prefix-list and a distribute-list cannot both be configured for the same neighbor and direction; IOS rejects the second one.
- Implicit deny: prefix lists and ACLs deny anything not explicitly permitted, and a route-map drops any route that matches none of its permit sequences. A final explicit deny changes nothing functionally but documents the intent.
- Clarity and scalability: Prefix lists are human‑readable and scale better than complex extended ACLs for routing prefixes.
Best practice: Prefer prefix lists for network prefix filtering, use route‑maps when you need match‑and‑set actions (e.g., community, MED, next‑hop modification).
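As an added example of that match-and-set pattern (configuration written for this page, not taken from the original post), the route-map below uses a prefix-list for the allow/deny decision and, for the routes it accepts, raises local preference and tags them with a community. The prefix, neighbor address, AS numbers and names are assumptions chosen for illustration.

```cisco
! Added example (not from the original post). Names, addresses and AS
! numbers are assumptions for illustration.
ip bgp-community new-format
!
! What this customer is allowed to announce: its /24 and subnets down to /26
ip prefix-list CUST-A-ROUTES seq 10 permit 203.0.113.0/24 le 26
!
! Accept only those prefixes, and for each of them set attributes
route-map FROM-CUST-A permit 10
 match ip address prefix-list CUST-A-ROUTES
 set local-preference 200
 set community 65500:100 additive
!
! Everything else is dropped by the route-map's implicit deny; the explicit
! sequence only documents the intent
route-map FROM-CUST-A deny 20
!
router bgp 65500
 neighbor 192.0.2.1 remote-as 65510
 neighbor 192.0.2.1 route-map FROM-CUST-A in
```

After applying it, clear ip bgp 192.0.2.1 soft in reapplies the inbound policy without dropping the session, and show ip bgp neighbors 192.0.2.1 routes lists what was accepted; the local preference and community should appear on exactly the prefixes the list permits.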
Key Takeaways
- Filtering inbound or outbound BGP routes is vital for policy and stability.
- Prefix lists are generally easier to manage and less error‑prone than distribute‑lists with ACLs.
- Always pair specific denies with general permits so you don’t unintentionally block legitimate prefixes.
- Use route maps when you need granular control beyond simple allow/deny logic.
- Test in a lab before applying changes in production. When you change a neighbor's policy, apply it with a soft reset (clear ip bgp <neighbor> soft in or soft out) rather than a hard reset so the session stays up, then verify with show ip bgp neighbors <neighbor> routes (what was accepted) and show ip bgp neighbors <neighbor> advertised-routes (what is being sent).