Access-list problem in BGP

bapatsubodh
Level 1

Hi,

The following access list is used for BGP route filtering with the "distribute-list Name_Of_Access_List out" command:

ip access-list ex filter

deny ip host 10.10.1.0 host 255.255.255.240 (/28 subnet)

deny ip host 10.10.2.0 host 255.255.255.0 (/24 subnet)

permit ip any any

I didn't understand exactly how these lists are filtering the routes (if they are), or whether there is a configuration error.

In my opinion the source subnet can be matched by the following access-list:

ip access-list ex filter

deny ip 10.10.1.0 0.0.0.15 any (/28 subnet)

deny ip 10.10.2.0 0.0.0.255 any (/24 subnet)

permit ip any any

Please share the experience.

Thanks

Subodh

17 Replies

Hi,

Thanks guys for so much interest shown in solving my difficulty.

I did configure similar routers in GNS3, and it worked.

Here is how I am trying to remember the logic, particularly for BGP route filtering.

On router 1:

show ip bgp

10.10.1.0/30 (10.10.1.0 255.255.255.252)

10.10.1.0/29 (10.10.1.0 255.255.255.248)

If I want to block ONLY 10.10.1.0/30 from appearing in the BGP routes:

Here is my logic; it may be terribly wrong!!

The exact prefix is 10.10.1.0. How do we match this exactly?

In binary it is

00001010.00001010.00000001.00000000; to match exactly this bit pattern we need a mask of all zeros: 00000000.00000000.00000000.00000000.

Similarly, if we need to match the /30 mask we need the following pattern:

255.255.255.252 in binary is

11111111.11111111.11111111.11111100; to match this we need all zeros: 00000000.00000000.00000000.00000000

(The syntax logic for source address and destination address is still not clear to me: how does it apply to this BGP filtering case?)

So, to match exactly, we had:

access-list 101 permit ip 10.10.1.0 0.0.0.0 255.255.255.252 0.0.0.0, or in other words

access-list 101 permit ip host 10.10.1.0 host 255.255.255.252

Prefix list: 10.10.1.0/30

10.10.1.0 --> is the source subnet which you need to match exactly (10.10.1.0 0.0.0.0)

/30 --> target or destination subnet: match exactly (255.255.255.252 0.0.0.0)

For the time being it is clear to me, but quite possibly I will forget it and may even trigger another good thread.

I need to read about prefix-lists for a while till I digest all the replies in this thread!!

Thanks, all you friends, for all your help.

Subodh

Hi Subodh,

To the syntax logic:

Simply forget source address and destination address in the case of a distribute list.

The extended ACL is using a prefix part and a length (mask) part in this case.

It's just a different usage of extended ACLs.

And believe us, the prefix-list syntax is much more friendly once you start using it :-)

BR,

Milan
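Milan's point (in a distribute list the ACL's "source" field is tested against the route's prefix and the "destination" field against its mask) and the two ACLs Subodh posted, worked through as an added Python example that is not from this thread. It emulates the IOS match with standard wildcard semantics (a 1 bit in the wildcard means "don't care") and only parses the "permit|deny ip <src> <dst>" entry shape used here.

```python
import ipaddress

def wildcard_match(value, pattern, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(value)) & care) == (int(ipaddress.IPv4Address(pattern)) & care)

def _field(tokens):
    """Consume one IOS address field: 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries into tuples; other lines are skipped."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        src, src_wc, rest = _field(tok[2:])
        dst, dst_wc, _ = _field(rest)
        acl.append((tok[0], src, src_wc, dst, dst_wc))
    return acl

def distribute_list_action(acl, prefix):
    """Evaluate an extended ACL as 'distribute-list <acl> out' does for BGP:
    the source field is tested against the route's network address, the
    destination field against its subnet mask; first match wins, implicit deny."""
    net = ipaddress.IPv4Network(prefix)
    for action, src, src_wc, dst, dst_wc in acl:
        if (wildcard_match(str(net.network_address), src, src_wc)
                and wildcard_match(str(net.netmask), dst, dst_wc)):
            return action
    return "deny"

# The two ACLs from the thread, as posted (bracketed comments removed).
ACL_EXACT = parse_acl("""deny ip host 10.10.1.0 host 255.255.255.240
deny ip host 10.10.2.0 host 255.255.255.0
permit ip any any""")
ACL_RANGE = parse_acl("""deny ip 10.10.1.0 0.0.0.15 any
deny ip 10.10.2.0 0.0.0.255 any
permit ip any any""")

if __name__ == "__main__":
    for p in ("10.10.1.0/28", "10.10.1.0/30", "10.10.1.4/30", "10.10.1.16/28"):
        print(p, distribute_list_action(ACL_EXACT, p), distribute_list_action(ACL_RANGE, p))
```

The first ACL denies only the exact prefix 10.10.1.0/28 (10.10.1.0/30 still passes), while the "any"-mask version denies every route whose network falls in 10.10.1.0-10.10.1.15, whatever its length.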

Hi

Yep!

Thanks

Subodh