BGP prefix list question

jrhofman
Level 1

Do BGP prefix-lists get executed in sequence, and is there an explicit deny after a permit statement? I saw an example that led me to believe this. We have one on our router with the last statement being a deny, yet the routes we want to see are coming in. Below is an example:

ip prefix-list blockSTP seq 75 deny 192.1.2.0/24

ip prefix-list blockSTP seq 80 deny 192.1.3.0/24

ip prefix-list blockSTP seq 85 deny 192.168.6.0/24

ip prefix-list blockSTP seq 90 deny 192.168.240.0/24

ip prefix-list blockSTP seq 95 deny 192.168.4.0/24

ip prefix-list blockSTP seq 99 permit 0.0.0.0/0 le 32

neighbor 136.237.0.2 prefix-list blockSTP in

The specified networks are getting blocked, but many of our other remote sites are coming through.

8 Replies

vijayendran
Level 1

Hi

Why don't you try removing prefix-list with sequence number 99 ?

This might permit any route to be advertised or received. Route updates might not match the statements with seq no 75-99, but still 99 would permit such an update.

Thanks and regards

S. Vijayendran

I was thinking that the last statement was only allowing a default route to come in (0.0.0.0/0 le 32). But it now makes sense that this statement is saying "allow any routes with a mask of 32 bits or less to come in", and that's why I see our other routes.

Am I thinking correctly?

This is correct. The right filter would just be:

ip prefix-list blockSTP seq 99 permit 0.0.0.0/0

without the ge or le at all, if you want to permit the specific route.

Russ

Hi

ip prefix-list blockSTP seq 99 permit 0.0.0.0/0 le 32

In the command above, what you have effectively done is instruct the router to consider bit 0 to bit 32 as don't-mind bits. That is how prefix-lists behave. Hence you have allowed all routing updates to enter your router.

Change the command to -

ip prefix-list blockSTP seq 99 permit 0.0.0.0/0

Now, the router would look for a perfect match, which would be none other than the default route you want to permit.

I trust this should work.

Thanks and regards

S. Vijayendran

vijayendran
Level 1

Hi

Pardon me, I missed responding to your first query.

Yes, BGP prefix lists get executed as per the sequence.

:)

Thanks and regards

S. Vijayendran

I've been trying to find the docs that explain the notation used at the end of these prefix list statements. I came across it in the Halabi Internet routing book but cannot understand them from the examples he gave. Anyone have a link that explains these?

ip prefix-list blockSTP seq 95 deny 192.168.4.0/24

ip prefix-list blockSTP seq 99 permit 0.0.0.0/0 le 32

Hi

the logic behind Prefix-lists is as follows:

Prefix-lists are executed in sequence.

ip prefix-list blockSTP seq 95 deny 192.168.4.0/24

The value 24 at the end of the command is called "len", short for prefix-length.

If there is no ge or le mentioned, then a perfect match is looked for.

ip prefix-list blockSTP seq 95 deny 192.168.4.0/24 le 32

In this case, le is mentioned. So bits from len to le will not be checked (they are don't-care bits); only the other bits will be tried for a match.

ip prefix-list blockSTP seq 95 deny 192.168.4.0/0 le 32

To have further clarity: in this case you would ask the router to consider bit 0 to bit 32 as don't-care bits, and hence any route update would match this prefix-list.

ip prefix-list blockSTP seq 95 deny 192.168.4.0/16 ge 24

In this case, bits from 24 to 32 would become don't-care bits, and only bits from 0 to 24 would be looked at for a match. The presence of the len value of 16 is ignored.

ip prefix-list blockSTP seq 95 deny 192.168.4.0/16 ge 16 le 24

In this case, bits from 16 to 24 would be considered don't-care bits. The rest of the bits should match. Again, the len value is ignored here. It has no role to play.

And also remember that prefix-lists are matched against the contents (route updates) of an update packet, and not the destination/source address of the update packet, which is the case with an Access Control List.

The other point to be noted is that prefix-lists can be used to control route updates from distance-vector routing protocols, but not link-state routing protocol updates, because link-state routing protocols exchange link states and not ready-to-use route updates. That is a different ball game altogether.

You should try and read Building Scalable Cisco Networks authored by Catherine Paquet and Diane Teare.

Thanks and regards

S. Vijayendran
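The matching rules described in Russ's reply and in the len/ge/le explanation above can be checked with a small model. The following Python is an added example, not IOS code and not something posted in the thread: it parses `ip prefix-list` lines, evaluates them in sequence order with first-match-wins and an implicit deny at the end, and applies the length window the way IOS does (no ge/le means exact length; `le N` means len..N; `ge N` means N..32; both means ge..le). The blockSTP entries are the ones from the original post; the route 10.20.30.0/24 is a constructed stand-in for one of the "other remote sites", and the third list (the /24 deny widened with `le 32`) is my own variation to show that an exact-match deny does not catch a more specific /25.

```python
"""Model of Cisco-style ip prefix-list matching (added example, not IOS code).

Entries are tried in ascending sequence number, the first matching entry
decides permit/deny, and a route that matches no entry is implicitly denied.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One "ip prefix-list NAME seq N permit|deny A.B.C.D/len [ge G] [le L]" line.
ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+)/(?P<plen>\d+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass
class Entry:
    seq: int
    action: str
    network: ipaddress.IPv4Network  # the leading `plen` bits that must agree
    plen: int                        # the "len" value typed on the entry
    ge: Optional[int]
    le: Optional[int]

    def length_window(self) -> Tuple[int, int]:
        """Route prefix lengths this entry accepts.
        No ge/le: exactly len.  'le N' alone: len..N.  'ge N' alone: N..32.
        Both: ge..le."""
        lo = self.ge if self.ge is not None else self.plen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.plen
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The leading `plen` bits always have to agree; ge/le only widen which
        # prefix *lengths* are accepted, they never relax the prefix bits.
        if route.network_address not in self.network:
            return False
        lo, hi = self.length_window()
        return lo <= route.prefixlen <= hi


def parse_prefix_list(text: str) -> List[Entry]:
    """Parse the lines of one prefix-list, returned sorted by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a prefix-list entry: {line!r}")
        # strict=False masks the host bits, so 192.168.4.0/0 becomes 0.0.0.0/0:
        # with len 0 there are no prefix bits left to compare at all.
        net = ipaddress.IPv4Network(f"{m['prefix']}/{m['plen']}", strict=False)
        entries.append(Entry(int(m["seq"]), m["action"], net, int(m["plen"]),
                             int(m["ge"]) if m["ge"] else None,
                             int(m["le"]) if m["le"] else None))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins. seq None marks the implicit deny at the end."""
    r = ipaddress.IPv4Network(route)
    for e in entries:
        if e.matches(r):
            return e.action, e.seq
    return "deny", None


# The list exactly as posted: seq 99 matches every prefix 0..32 bits long.
ORIGINAL_TEXT = """
ip prefix-list blockSTP seq 75 deny 192.1.2.0/24
ip prefix-list blockSTP seq 80 deny 192.1.3.0/24
ip prefix-list blockSTP seq 85 deny 192.168.6.0/24
ip prefix-list blockSTP seq 90 deny 192.168.240.0/24
ip prefix-list blockSTP seq 95 deny 192.168.4.0/24
ip prefix-list blockSTP seq 99 permit 0.0.0.0/0 le 32
"""
ORIGINAL_LIST = parse_prefix_list(ORIGINAL_TEXT)
# The fix from the replies: seq 99 now matches only the default route.
CORRECTED_LIST = parse_prefix_list(
    ORIGINAL_TEXT.replace("permit 0.0.0.0/0 le 32", "permit 0.0.0.0/0"))
# My variation: widen the 192.168.4.0/24 deny so more-specific routes are caught too.
STRICT_LIST = parse_prefix_list(
    ORIGINAL_TEXT.replace("deny 192.168.4.0/24", "deny 192.168.4.0/24 le 32"))

if __name__ == "__main__":
    # 10.20.30.0/24 stands in for one of the "other remote sites" (constructed).
    for name, lst in (("original", ORIGINAL_LIST), ("corrected", CORRECTED_LIST),
                      ("le32-deny", STRICT_LIST)):
        for route in ("0.0.0.0/0", "192.168.4.0/24", "192.168.4.0/25", "10.20.30.0/24"):
            print(f"{name:>10} {route:<16} -> {evaluate(lst, route)}")
```

Run as a script it prints one verdict per list and route; the interesting rows are 10.20.30.0/24 (permitted by seq 99 in the original list, implicitly denied once `le 32` is dropped) and 192.168.4.0/25 (slips past the exact-match /24 deny and is permitted by the original seq 99, but is caught once the deny carries `le 32`).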

I just found your response. It is very helpful.

Thank you

Richard
