07-16-2020 10:27 PM - edited 07-20-2020 10:13 AM
Hello everyone. I am a beginner in BGP configuration. I have the following BGP router file. I need to block network IP 1.0.0.0/8 to directly access that. All other IPs are permitted to access. I tried to create an access list, but it is not working, probably because of my poor knowledge of the syntax. If you can help me with this issue with the correct syntax, it would be a great help. Thank you.
07-17-2020 12:00 AM
Hello,
there are numerous ways to accomplish this, below is one of them:
router bgp 5
distribute-list prefix ALLOW_IN in
!
ip prefix-list ALLOW_IN seq 5 deny 1.0.0.0/8
ip prefix-list ALLOW_IN seq 10 permit 2.0.0.0/8
ip prefix-list ALLOW_IN seq 15 permit 3.0.0.0/8
ip prefix-list ALLOW_IN seq 20 permit 4.0.0.0/8
07-17-2020 04:49 PM - edited 07-17-2020 09:18 PM
Thank you for your quick response. I really appreciate that. I tried to insert the lines of code in my bgpd files. I receive the following error now in my stdout log files:
There is no such command.
Error occured during reading below line.
distribute-list prefix ALLOW_IN in
Seems like distribute-list is an unknown command. Please help.
Please note that I believe it has something to do with the version of Quagga. I am using version 0.99.22.4. Thanks
07-17-2020 11:43 PM
Hello,
what BGP commands do you have available under the BGP process, and under the neighbor?
07-18-2020 12:20 AM
07-18-2020 12:38 AM
Hello,
typically, if you just type the '?' question mark at the prompt, it will list the available options:
router bgp 5
?
neighbor x.x.x.x ?
07-18-2020 02:45 AM
Hello,
I think Quagga's BGP implementation supports route maps, so you could use the below. You need to apply the route map to all neighbors from which you want to filter routes:
ip prefix-list ALLOW_IN seq 5 deny 1.0.0.0/8
ip prefix-list ALLOW_IN seq 10 permit 2.0.0.0/8
ip prefix-list ALLOW_IN seq 15 permit 3.0.0.0/8
ip prefix-list ALLOW_IN seq 20 permit 4.0.0.0/8
!
route-map INBOUND_RM permit 10
match ip address prefix-list ALLOW_IN
!
neighbor 9.0.3.1 route-map INBOUND_RM in
07-18-2020 11:43 AM - edited 07-20-2020 10:14 AM
Thank you so much. I see that just putting the lines:
ip prefix-list ALLOW_IN seq 5 deny 1.0.0.0/8
ip prefix-list ALLOW_IN seq 10 permit 2.0.0.0/8
ip prefix-list ALLOW_IN seq 15 permit 3.0.0.0/8
ip prefix-list ALLOW_IN seq 20 permit 4.0.0.0/8
In the show ip bgp not showing 1.0.0.0/8 in the map. That is, I want 1.0.0.0/8 (AS1) to access (AS5) through this channel, not from any other AS. For example, I don't want AS 6 to access AS 5 with the same prefix, i.e. 1.0.0.0/8, and show ip bgp shows the best path as AS6->AS5 instead of AS1->AS6 (there are a few ASes in between).
I noticed that by putting in the commands above, it does not show 1.0.0.0/8 in the show ip bgp. It completely removed that from the map. Thank you so much. (Sorry if my explanation is poorly worded.)
07-19-2020 01:28 PM
Hello,
in that case, you need to match on AS path. I cannot really tell how your ASs are connected, can you provide something like a schematic drawing?
07-19-2020 01:32 PM
Yes, I will get back to you with a drawing. I will hand draw and send you a picture.
Thank you so much.
07-19-2020 01:54 PM
Sorry about that, you already sent a drawing by mail. That's all I need for now....
07-19-2020 01:56 PM - edited 07-19-2020 09:07 PM
I thought you were asking me to fill in the IP address. I just used random IP addresses. Thank you
07-20-2020 01:21 AM
Hello,
I set this up in a lab, and I think you need the below. You apply a route map on R5 to neighbor R6 that matches on the AS PATH and the specific prefix you want to block. Everything else is allowed; you can tweak this as you wish. I hope Quagga supports all these BGP commands...
neighbor 9.0.18.1 route-map ANTI_HIJACK_RM in
!
! Lists referenced by a route-map deny clause need permit entries to select the routes to drop
ip as-path access-list 1 permit ^6$
!
ip prefix-list ANTI_HIJACK_PL seq 5 permit 1.0.0.0/8
!
route-map ANTI_HIJACK_RM deny 10
match ip address prefix-list ANTI_HIJACK_PL
match as-path 1
!
route-map ANTI_HIJACK_RM permit 20
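Added example (not part of the thread and not Quagga code): a small Python model of how a route-map clause treats the prefix-list and as-path list it references, evaluated for the ANTI_HIJACK_RM route map from the post above, once with both lists written as deny entries and once as permit entries. The routes and helper names are constructed for illustration; prefix matching is exact (no ge/le) and AS paths are modelled as space-separated strings.

```python
import ipaddress
import re

def prefix_list_hit(plist, prefix):
    """First matching entry wins; falling off the end is an implicit deny."""
    net = ipaddress.ip_network(prefix)
    for action, entry in plist:
        if net == ipaddress.ip_network(entry):
            return action
    return "deny"

def as_path_hit(aslist, as_path):
    """First matching regex wins; falling off the end is an implicit deny."""
    for action, regex in aslist:
        if re.search(regex, as_path):
            return action
    return "deny"

def route_map(clauses, prefix, as_path):
    """A clause applies only if every list it references *permits* the route.
    A deny hit in a list means 'this clause does not match', not 'drop'."""
    for action, plist, aslist in clauses:
        if plist is not None and prefix_list_hit(plist, prefix) != "permit":
            continue
        if aslist is not None and as_path_hit(aslist, as_path) != "permit":
            continue
        return action
    return "deny"  # implicit deny at the end of every route-map

def anti_hijack_rm(list_action):
    """ANTI_HIJACK_RM: deny 10 (prefix-list + as-path), then permit 20."""
    pl = [(list_action, "1.0.0.0/8")]
    acl = [(list_action, r"^6$")]
    return [("deny", pl, acl), ("permit", None, None)]

# Constructed routes as received from the AS 6 neighbor: (prefix, AS path)
ROUTES = [
    ("1.0.0.0/8", "6"),    # AS 6 originates 1.0.0.0/8 itself
    ("1.0.0.0/8", "6 1"),  # AS 6 forwards the route originated by AS 1
    ("2.0.0.0/8", "6 2"),  # unrelated prefix
]

def evaluate(list_action):
    rm = anti_hijack_rm(list_action)
    return [route_map(rm, prefix, path) for prefix, path in ROUTES]

if __name__ == "__main__":
    for list_action in ("deny", "permit"):
        print(f"lists written as {list_action}: {evaluate(list_action)}")
```

With deny entries in the lists, clause 10 never matches and every route falls through to permit 20; with permit entries, only 1.0.0.0/8 originated by AS 6 is dropped.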