BGP route filtering using Extended Access-List

Steph1963
Level 1

Hi to All,

I am presently looking at BGP route filtering and I have some difficulty understanding the syntax when using extended access-lists.

A) I have found this definition with the following example regarding extended access-list:

To filter classless routing updates, you can use extended ACLs. The source address, together with wildcard bits, specifies the prefix number. The field of destination address in an extended ACL is used to represent the actual netmask, and the field of destination wildcard bits is used to denote how the netmask should be interpreted. In other words, the fields of destination address and wildcard masks indicate the range's prefix lengths.

This denies the prefix 172.16.0.0/24 only (not a range):

access-list 100 deny ip host 172.16.0.0 host 255.255.0.0

Question 1) I have some difficulty understanding what the “host 255.255.0.0” means as destination/wildcard address. If host means a netmask, why shouldn't 0.0.255.255 be used as a wildcard to indicate the prefix range? I also find it strange that 172.16.0.0/24 does not correspond to “ip host 172.16.0.0 host 255.255.0.0”.

Question 2) Can I interpret “access-list 100 deny ip 172.16.0.0 0.0.255.255” as deny any routes starting with 172.16?

B) I found in one manual the following extended access list example, which will permit the sending of route 147.19.1.0/24 but deny 147.19.0.0/16:

router bgp 65010
network 147.19.0.0
neighbor 100.100.100.1 distribute-list 110 out
!
access-list 110 permit ip 147.19.0.0 0.0.0.255 any
access-list 110 deny ip 147.19.0.0 0.0.255.255 any

Question: What does the any at the end of the access-list mean?

Thanks for your help

Stephane


3 Replies

Roman Rodichev
Level 7

Stephane,

access-list 100 deny ip host 172.16.0.0 host 255.255.0.0

can also be written as

access-list 100 deny ip 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0

This filter says that the prefix must be 172.16.0.0, and the mask must be 255.255.0.0, and this applies to prefix 172.16.0.0/16, not 172.16.0.0/24, so that must be a mistake.

For example, let's say I want to deny all 172.16.0.0 prefixes with a mask from /16 through /24; the ACE would be:

access-list 100 deny ip 172.16.0.0 0.0.255.0 255.255.0.0 0.0.255.0

in other words, the prefix can be 172.16.*.0 and the mask can be 255.255.*.0

Roman

You're confusing Steph1963 more... In BGP filtering, the extended access list is a bit different than the normal one.

And specifically the difference is here: we are now matching the network address and the subnet mask. I know it sounds confusing, but bear with me, you'll get it.

Let's say we have an interface on our router with the IP address 10.10.10.10/32; yes, it's a Loopback interface. We are currently sitting on R1 (1.1.1.1) and we have eBGP with R2 (2.2.2.2), which is in another AS. We want to filter all the routes and advertise to R2 only the 10.10.10.10/32 address.

This is how our configuration should look:

conf t
access-list 101 permit ip 10.10.10.10 0.0.0.0 255.255.255.255 0.0.0.0

OR

access-list 101 permit ip host 10.10.10.10 host 255.255.255.255
!
router bgp 1
neighbor 2.2.2.2 distribute-list 101 out
end

And that's it, we are now advertising to R2 (2.2.2.2) the exact 10.10.10.10/32 address and nothing else.

Just remember that we have to define the network address (Ex: 10.0.0.0/8) and the subnet mask address (Ex: 255.0.0.0), and that would be:

access-list 100 permit ip 10.0.0.0 0.255.255.255 host 255.255.255.0

We are now advertising any network that starts with "10." and has a subnet mask of /24.

Kind regards, 

Stefan 

milan.kulik
Level 10

Hi,

I think Roman answered your first question.

ad Question 2) Can I interpret “access-list 100 deny ip 172.16.0.0 0.0.255.255” as deny any routes starting with 172.16?

YES!

ad B) I found in one manual the following extended access list example, which will permit the sending of route 147.19.1.0/24 but deny 147.19.0.0/16:

router bgp 65010
network 147.19.0.0
neighbor 100.100.100.1 distribute-list 110 out
!
access-list 110 permit ip 147.19.0.0 0.0.0.255 any
access-list 110 deny ip 147.19.0.0 0.0.255.255 any

Question: What does the any at the end of the access-list mean?

any is the same as 255.255.255.255 255.255.255.255.

Again, in your example

access-list 110 permit ip 147.19.0.0 0.0.0.255 any

means: permit any prefix starting with 147.19.0., i.e., 147.19.0.0/24 and any longer prefixes.

access-list 110 deny ip 147.19.0.0 0.0.255.255 any

means: deny any prefix starting with 147.19., i.e., 147.19.0.0/16 and any longer prefixes.

Generally, why don't you use ip prefix-lists, which are much more user friendly, instead of extended ACLs, whose syntax is totally confusing here?

The prefix-list replacing ACL 110 in your example would look like:

ip prefix-list test permit 147.19.1.0/24 le 32
ip prefix-list test permit 147.19.0.0/16 le 32

and if you would like to permit 147.19.1.0/24 only and deny any other subnet of 147.19.0.0/16, you would just use

ip prefix-list test permit 147.19.1.0/24
ip prefix-list test deny 147.19.0.0/16 le 32

Easy, isn't it?

HTH,

Milan
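To make the two matching rules in this thread concrete (the source half of an extended ACE is tested against the route's network, the destination half against its subnet mask, and a prefix-list entry matches by containment plus a ge/le length range), here is an added Python model of both; it is written for this thread, not taken from any of the posts or from IOS, and it evaluates the ACEs quoted above (the host/host entry, Roman's /16-to-/24 range, ACL 110 with `any`, Stefan's "10." with /24) plus a prefix-list with its implicit deny.

```python
import ipaddress

def _wild_match(value: int, pattern: int, wildcard: int) -> bool:
    # Cisco wildcard semantics: a 1 bit means "don't care", a 0 bit means "must match"
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)

def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC WC DST WC', accepting the host/any shorthands."""
    tok = line.split()
    action, fields, i = tok[2], [], 4
    while i < len(tok):
        if tok[i] == "host":                 # host A  ==  A 0.0.0.0
            fields += [tok[i + 1], "0.0.0.0"]; i += 2
        elif tok[i] == "any":                # any  ==  0.0.0.0 255.255.255.255
            fields += ["0.0.0.0", "255.255.255.255"]; i += 1
        else:
            fields += [tok[i], tok[i + 1]]; i += 2
    return action, tuple(int(ipaddress.IPv4Address(f)) for f in fields)

def ace_matches(ace, route: str) -> bool:
    """Distribute-list use: source half tests the route's network, destination half its mask."""
    net = ipaddress.IPv4Network(route, strict=False)
    _, (pfx, pfx_wc, mask, mask_wc) = ace
    return (_wild_match(int(net.network_address), pfx, pfx_wc)
            and _wild_match(int(net.netmask), mask, mask_wc))

def acl_action(lines, route: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in lines:
        ace = parse_ace(line)
        if ace_matches(ace, route):
            return ace[0]
    return "deny"

def prefix_list_action(entries, route: str) -> str:
    """'ip prefix-list NAME permit|deny P/L [ge N] [le M]': the route must lie inside P/L
    and its length must fall within [ge, le]; without ge/le only the exact length matches."""
    net = ipaddress.IPv4Network(route, strict=False)
    for entry in entries:
        tok = entry.split()
        action, base = tok[3], ipaddress.IPv4Network(tok[4])
        ge = int(tok[tok.index("ge") + 1]) if "ge" in tok else None
        le = int(tok[tok.index("le") + 1]) if "le" in tok else None
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else (32 if ge is not None else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action
    return "deny"  # implicit deny at the end of a prefix-list
```

Feeding `acl_action` the candidate routes before committing a distribute-list is a cheap way to check that a filter denies only what you meant it to, since a mistaken wildcard here silently changes what gets advertised to the neighbor.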
