This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Albin_Petersson
Contributor
a week ago
Jump to solution

BGP Route imports, Route filter vs Route maps?

Helloes.

 

Could I get som enlightenment on the differences between these two?

We set up peering with one AS about 2 years ago, and then we used route filtering to handle route imports. I don't really remember why we chose filtering and I don't have that much knowledge about BGP.

This week we set up peering with a different AS, but I felt that it was easier to use route maps.

 

That led me to 3 questions.

It says in the documentation that you cannot use both at the same, time because route maps will "win".

1. Can you add a route map for an AS that have route filtering and then remove the filtering, keeping the imported routes? (converting filtering to routemap)

2. Will that restat the routed daemon, or reset the BGP session?

3. They both do the same thing from what I can tell? Which is the better one to use?

0 Kudos
3 Solutions

Accepted Solutions
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
a week ago
Jump to solution

If your routemaps accomplish the same as the filters, then you can apply the routemap and then remove the filters and it shouldn't break anything. I don't believe it would break the peering, but restarting the BGP session would be good to do in your maintenance window to make sure the routemap config is applied and is working properly.

As for which one is better to use, it's mostly around what will work for what you want to do and what you're comfortable with. Routemaps offer more options and granularity so it's not unusual for them to be the only choice available, which often leads to them being peoples' default way of going about things. It's also generally a good idea to keep things consistent rather than doing filtering/redist for some peers and routemaps for others. That way lies confusion.. hence another good reason to just always do routemaps.

View solution in original post

the_rock
MVP Gold
MVP Gold
Friday
Jump to solution

hey @Albin_Petersson 

Just remember that routemaps would ALWAYS take precedence, something to keep in mind.

Best,

Andy

View solution in original post

0 Kudos
the_rock
MVP Gold
MVP Gold
Friday
Jump to solution

Here are answers to your Qs.

Andy

***************************************

1. Can you add a route-map for an AS that has route filtering, then remove filtering, keeping the imported routes?
Yes.
You can attach a route-map to the neighbor, then remove the old filter (prefix-list, distribute-list, etc.). The route-map can replicate the filtering logic by just having match ip prefix-list <name> and permit.
→ This is effectively “converting” filtering to route-maps. Nothing bad happens, as long as your route-map enforces the same policy.

2. Will that restart the routed daemon, or reset the BGP session?
It depends on your platform (Cisco, Juniper, Fortigate, Check Point, etc.), but generally:

  • Changing a route-map or prefix-list does not reset the BGP session.

  • The routes will just be re-evaluated against the new policy (soft reconfiguration).

  • If your platform doesn’t support automatic re-eval, you might need a manual clear ip bgp <neighbor> soft in/out. But still, this is not a hard reset — the TCP session stays up, only routes are reprocessed.

So no daemon restart, and not usually a full BGP session flap.

3. They both do the same thing? Which is better?

  • Filtering (prefix-lists/distribute-lists) = simple, binary, quick. Use it if all you need is “import/export only these prefixes.”

  • Route-maps = flexible, industry standard, future-proof. Use them if you need to filter and/or manipulate attributes (local-pref, prepend, communities, etc.).

In practice, most operators standardize on routemaps, even for simple filters, because:

  • They consolidate filtering + attribute control in one place.

  • They’re more readable if your policy gets complex later.

  • They give you consistency across neighbors.

The only “advantage” of plain filters is simplicity — one line instead of a route-map stanza.

View solution in original post

0 Kudos
3 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
a week ago
Jump to solution

If your routemaps accomplish the same as the filters, then you can apply the routemap and then remove the filters and it shouldn't break anything. I don't believe it would break the peering, but restarting the BGP session would be good to do in your maintenance window to make sure the routemap config is applied and is working properly.

As for which one is better to use, it's mostly around what will work for what you want to do and what you're comfortable with. Routemaps offer more options and granularity so it's not unusual for them to be the only choice available, which often leads to them being peoples' default way of going about things. It's also generally a good idea to keep things consistent rather than doing filtering/redist for some peers and routemaps for others. That way lies confusion.. hence another good reason to just always do routemaps.

the_rock
MVP Gold
MVP Gold
Friday
Jump to solution

hey @Albin_Petersson 

Just remember that routemaps would ALWAYS take precedence, something to keep in mind.

Best,

Andy

0 Kudos
the_rock
MVP Gold
MVP Gold
Friday
Jump to solution

Here are answers to your Qs.

Andy

***************************************

1. Can you add a route-map for an AS that has route filtering, then remove filtering, keeping the imported routes?
Yes.
You can attach a route-map to the neighbor, then remove the old filter (prefix-list, distribute-list, etc.). The route-map can replicate the filtering logic by just having match ip prefix-list <name> and permit.
→ This is effectively “converting” filtering to route-maps. Nothing bad happens, as long as your route-map enforces the same policy.

2. Will that restart the routed daemon, or reset the BGP session?
It depends on your platform (Cisco, Juniper, Fortigate, Check Point, etc.), but generally:

  • Changing a route-map or prefix-list does not reset the BGP session.

  • The routes will just be re-evaluated against the new policy (soft reconfiguration).

  • If your platform doesn’t support automatic re-eval, you might need a manual clear ip bgp <neighbor> soft in/out. But still, this is not a hard reset — the TCP session stays up, only routes are reprocessed.

So no daemon restart, and not usually a full BGP session flap.

3. They both do the same thing? Which is better?

  • Filtering (prefix-lists/distribute-lists) = simple, binary, quick. Use it if all you need is “import/export only these prefixes.”

  • Route-maps = flexible, industry standard, future-proof. Use them if you need to filter and/or manipulate attributes (local-pref, prepend, communities, etc.).

In practice, most operators standardize on routemaps, even for simple filters, because:

  • They consolidate filtering + attribute control in one place.

  • They’re more readable if your policy gets complex later.

  • They give you consistency across neighbors.

The only “advantage” of plain filters is simplicity — one line instead of a route-map stanza.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events