show bgp command output

johnlloyd_13
Level 9

hi all,

sorry my BGP is now a bit rusty. I would like to know if the network 203.A.B.0 in the show ip bgp neighbor command output is a /24.

Also, could someone enlighten me on the /21 le 24 in the show ip prefix-list command and whether we can write it directly as 203.A.B.0/24. Thanks in advance!

#sh ip bgp nei 58.145.C.D received-r | i 203.A.B.0
*  203.A.B.0    58.145.C.D            0             0 183xx i
*  203.A.B.0/21 58.145.C.D           0             0 183xx i

#sh ip prefix-list PREFIX | i 203.A.B.0
   seq 60 permit 203.A.B.0/21 le 24



Peter Paluch
Cisco Employee

Hello John,

If the netmask is not explicitly written out in show ip bgp output then the network indeed has a classful mask. In your case, the 203.A.B.0 indeed uses the netmask of /24.

You can confirm that using show ip bgp 203.A.B.0 - the output here should indicate your netmask.

also, could someone enlighten me on the /21 le 24 for the show ip prefix-list command and if we can write directly as 203.A.B.0/24. thanks in advance!

The 203.A.B.0/21 le 24 means "all subnetworks of the 203.A.B.0/21 whose netmask is at most /24". In other words, these networks must be placed somewhere between 203.A.B.0 and 203.A.(B+7).255 (assuming that B is a multiple of 8) and the netmask of these networks must be either /21, /22, /23, or /24.

I am not sure if I was clear here... please feel welcome to ask further!

Best regards,

Peter

hi peter,

thanks for your feedback! It was indeed a /24 network.

#sh ip bgp 203.A.B.0
BGP routing table entry for 203.A.B.0/24, version 808312122
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1          2

sorry, but I don't get you on the second part. Probably my mind is still floating coz I'm still currently doing some troubleshooting.

could you give me a link instead? I've tried to Google search earlier but I'm getting poor results. I'll just read it later on after I'm done.

Hi John,

Regarding the IP prefix list, to be honest, I have never found any good explanation out there... I'll try to make it more clear here.

Basically, IP prefix list is a mechanism to match network addresses and netmasks in routing protocols. Whenever matching a network, it is always necessary to match both network address and its netmask (or, in other words, the prefix length), not just the network address itself. For example, 10.0.0.0/24 and 10.0.0.0/23 are different networks even though their addresses are identical, because the netmasks (the prefix lengths) differ. ACLs have proven to be cumbersome and impractical for network address matching - on one hand, they are too general (allowing to match various L4 protocols, ports and other packet attributes which is useless for network address matching), on the other hand, they allow matching the netmask only if an extended ACL is used (the "source" part of an ACL entry then comprises the match for the network address, the "destination" part comprises the match for the network mask). For example, to match networks 10.0.1.0/24, 172.16.0.0/12 and all possible subnets of 192.0.2.64/27, an ACL would look like

access-list 100 permit ip host 10.0.1.0 host 255.255.255.0
access-list 100 permit ip host 172.16.0.0 host 255.240.0.0
access-list 100 permit ip 192.0.2.64 0.0.0.31 255.255.255.224 0.0.0.31

Confusing? Yeah, it sure is. And I am not even talking about the fact that the ACL is used differently in distribute-lists and differently in route-maps... you don't even want to know.

That is why IP prefix lists were introduced. They allow for very straightforward specification of what networks are to be matched. In the easiest form, without the ge and le operators, they simply match exactly the network that is specified. So for example, a prefix list of the form

ip prefix-list PL permit 10.0.1.0/24
ip prefix-list PL permit 172.16.0.0/12

matches exactly these two networks: 10.0.1.0/24 and 172.16.0.0/12.

Sometimes a more complex scenario is necessary. Suppose that you are providing internet connectivity to a customer which has been assigned the IP prefix 192.0.2.64/27. The customer is allowed to subnet this prefix in any way he wants to and he is allowed to advertise the subnets back to you without summarization. There are obviously lots of ways how this range can be split into subnets of various sizes and counts. Still, you want to perform route filtering so that the only networks you accept in routing updates from this customer are the subnets of the network 192.0.2.64/27.

What is typical for such subnets? Well, obviously, they must be located inside the former prefix 192.0.2.64/27 (i.e. somewhere between 192.0.2.64 and 192.0.2.95), otherwise the customer would be using an address range he was not assigned. And how do we know that the networks are indeed subnets? Their mask must be either /27 (the mask of the original prefix, i.e. no subnetting was done by the customer) or more, i.e. /28, /29, /30, /31, or /32.

In other words, if the customer advertises a network W.X.Y.Z/M, then it is a valid subnet of 192.0.2.64/27 if and only if:

  1. W.X.Y.Z _BITWISE-AND_ /27 = 192.0.2.64 (the address of the network must fall into the range of 192.0.2.64/27)
  2. /M is at least /27 and obviously less or equal to /32

This can be easily written in a prefix-list as

ip prefix-list PL permit 192.0.2.64/27 le 32

This prefix-list entry matches all subnets of 192.0.2.64/27 whose mask is less or equal to /32 (the prefix-list here automatically makes sure that their mask is at least /27). Truly, these are all possible subnets of the 192.0.2.64/27 prefix.

You may also have a different requirement... you have given the customer a prefix of, say, 192.0.2.0/24. The customer is again free to subnet it as he pleases. However, in order not to clutter your routing tables with a number of tiny subnets, you require that the customer advertises the networks summarized to at least /26 - in other words, you are not willing to accept subnetworks of this space with the netmask of /27 and more.

In other words, if the customer advertises a network W.X.Y.Z/M, then it meets your requirements if and only if:

  1. W.X.Y.Z _BITWISE-AND_ /24 = 192.0.2.0 (the address of the network must fall into the range of 192.0.2.0/24)
  2. /M is at least /24 but less or equal to /26

The prefix-list would then contain the following line:

ip prefix-list PL permit 192.0.2.0/24 le 26

Finally, let us assume that for whatever reason, you want to match subnetworks of the 192.0.2.0/24 whose netmask is at least /29 - perhaps you are interested in loopback addresses, addresses on point-to-point links and on smaller networks - doesn't really matter right now.

Again, this requirement is met by a network W.X.Y.Z/M if and only if

  1. W.X.Y.Z _BITWISE-AND_ /24 = 192.0.2.0 (the address of the network must fall into the range of 192.0.2.0/24)
  2. /M is at least /29 and obviously less or equal to /32

The prefix-list would be specified as follows:

ip prefix-list PL permit 192.0.2.0/24 ge 29

This entry would match all possible subnetworks of 192.0.2.0/24 whose netmask is at least /29 or more. The upper limit of /32 on the netmask does not need to be specified - if not specified, it is again automatically enforced by the prefix-list.

So to sum it up: a prefix-list of the form

ip prefix-list PL permit A.B.C.D/P

matches only the exact network A.B.C.D/P.

A prefix-list of the form

ip prefix-list PL permit A.B.C.D/P le L

matches networks W.X.Y.Z/M for which W.X.Y.Z & /P = A.B.C.D and P <= M <= L

A prefix-list of the form

ip prefix-list PL permit A.B.C.D/P ge G

matches networks W.X.Y.Z/M for which W.X.Y.Z & /P = A.B.C.D and G <= M <= /32

A prefix-list of the form

ip prefix-list PL permit A.B.C.D/P ge G le L

matches networks W.X.Y.Z/M for which W.X.Y.Z & /P = A.B.C.D and G <= M <= L. Here, in addition, it is required that P < G (if you wanted P <= G then the ge operator was not necessary at all and should be omitted).

A hard reading, I admit! Please feel welcome to ask further!

Best regards,

Peter
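As an added example (not code from this thread), the matching rule Peter summarizes above, evaluated the way a router walks a prefix list: first matching entry decides, no match is an implicit deny. The list contains a constructed stand-in for the question's "203.A.B.0/21 le 24" entry (203.0.112.0/21, an RFC 5737 documentation range) plus the entries from the explanation.

```python
# Evaluator for IOS-style prefix-list entries following the rule in the thread:
# W.X.Y.Z & /P == A.B.C.D and G <= M <= L, with G defaulting to P and L
# defaulting to 32 when ge is present (to P otherwise). Constructed example.
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

Entry = Tuple[str, IPv4Network, int, int]  # (action, prefix, low, high)

def parse_entry(line: str) -> Entry:
    """Parse '[seq N] permit|deny A.B.C.D/P [ge G] [le L]' into an Entry."""
    tokens = line.split()
    if tokens[0] == "seq":            # seq numbers are ignored; list order is used
        tokens = tokens[2:]
    if len(tokens) % 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"malformed entry {line!r}")
    action, prefix = tokens[0], ip_network(tokens[1], strict=True)
    ops = dict(zip(tokens[2::2], map(int, tokens[3::2])))
    ge, le = ops.pop("ge", None), ops.pop("le", None)
    if ops:
        raise ValueError(f"unknown operator(s) {sorted(ops)} in {line!r}")
    p = prefix.prefixlen
    if ge is not None and ge <= p:    # P < G is required, as the thread notes
        raise ValueError(f"ge must exceed prefix length in {line!r}")
    low = ge if ge is not None else p
    high = le if le is not None else (32 if ge is not None else p)
    if not low <= high <= 32:
        raise ValueError(f"invalid ge/le range in {line!r}")
    return action, prefix, low, high

def entry_matches(entry: Entry, net: IPv4Network) -> bool:
    """True when net's first P bits equal the entry prefix and low <= M <= high."""
    _, prefix, low, high = entry
    same_block = (int(net.network_address) & int(prefix.netmask)) == int(prefix.network_address)
    return same_block and low <= net.prefixlen <= high

def evaluate(prefix_list: List[Entry], candidate: str) -> bool:
    """First matching entry decides; no match is an implicit deny, as on IOS."""
    net = ip_network(candidate, strict=True)
    for entry in prefix_list:
        if entry_matches(entry, net):
            return entry[0] == "permit"
    return False

# Constructed list: 203.0.112.0/21 stands in for the thread's 203.A.B.0/21.
PREFIX_LIST = [parse_entry(line) for line in (
    "seq 60 permit 203.0.112.0/21 le 24",
    "seq 70 permit 192.0.2.64/27 le 32",
    "seq 80 permit 192.0.2.0/24 ge 29",
)]
```

With this list, 203.0.113.0/24 (the analogue of the question's route) is permitted by the first entry, while 203.0.113.0/25 is denied because /25 exceeds le 24.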

Peter,

Thanks again for a detailed explanation! I'll admit I do get some parts of it but will definitely read your post again tomorrow to fully understand your post.

It's been a looong BGP day for me and actually I've got 1 more topic I'm considering to discuss here regarding route reflectors.

Sent from Cisco Technical Support iPhone App

Hello John,

You are welcome. The prefix lists are easy - don't try to "block" yourself by expecting some intricate things behind them. I understand very well that after fixing a BGP issue for the whole day, a rest is more than deserved - and I sincerely hope you'll have it.

Regarding the route reflectors, I am sure that there are many people around on CSC eager to discuss it with you, including me. Please create a new thread for that when you'll get to it.

Thank you!

Best regards,

Peter
