When filtering routes with BGP it's very likely that you've used prefix lists. Again, this is
simply something that we've been taught to do and consider best practice. On the flip side,
there's the option within BGP to filter prefixes using both standard and extended ACLs. Let's
review all three options to make sure we have a good handle on how each of them works.
We'll start with this simple lab.
http://www.networksbaseline.in/2014/06/bgproutefilteringaccesslistsvs.html 1/20
10/24/2016 BGP route filtering – Access lists vs Prefix lists ~ << Networks Baseline Cisco Engineers Live >>
Fig 1.1 BGP route filtering – Access lists vs. Prefix lists
Let us assume that router1 and router2 are eBGP peered. In addition, router1 has the above listed
networks available in its BGP table to advertise to router2.
Assuming all is working in default manner, we should see these routes on router2 as well…
Now let's take a look at filtering the advertisements to router2 using all three methods. We'll start
with the most common method.
Prefix Lists
Let's assume that we only want to advertise the 192 networks to router2. This could be
accomplished in several ways using prefix lists. Naturally, we could define a prefix list that has 4
entries, one that matches each exact prefix. However, that's not a lot of fun. Let's start off with this
prefix list to make sure we're all on the same page.
Let's quickly review prefix list syntax. The prefix list is broken into three sections: the prefix (or
network), the mask (often referred to as LEN), and the optional mask range (GE and LE).
When GE (greater than or equal to) and/or LE (less than or equal to) are added to a prefix list entry
they cause the behavior of the prefix list to change. Without a GE or LE, the mask is used to determine
the exact mask length for the prefix to match. Take for instance the following prefixes.
172.64.32.0 /24
172.64.0.0 /16
Given the above two prefixes, the prefix list entry of…
ip prefix-list test permit 172.64.0.0/16
will ONLY match the exact prefix of 172.64.0.0 /16. However, when you add a GE, LE, or both, the
mask now turns into how much of the prefix you want to examine. For instance, the prefix list entry
of…
would now match both of those prefixes. The prefix and mask tell you that you are only interested in
the first 15 bits of any prefix matching your defined network. The GE tells you that the prefix also has
to have a subnet mask greater than or equal to 16.
In our lab example, we told the prefix list to match the first 9 bits of the prefix. In other words, the ‘/9’
tells the router to look at all of the prefixes, and find the ones whose first 9 bits match the prefix
specified. Looking at just the 192 prefixes, we can see that only the 192.129 and 192.128 prefixes are
a match on the first 9 bits.
Since we specified the prefix was 192.128.0.0 that implies that the first bit of the second octet needs
to be a 1. Only two prefixes match that so we only advertise two prefixes. Let’s modify the prefix list
slightly to see how it changes…
Fig 1.7 BGP route filtering – Access lists vs. Prefix lists
Here we've modified the prefix list to only care about the first eight bits of the
prefix. This will match all of the 192 prefixes. However, we've also told it that the subnet mask has to
be less than or equal to 24 bits in length. That means that the following prefixes get
advertised to router2.
Let’s make one more change to the prefix list to show one final point…
The first thing we do is add three more routes. Then we delete the prefix list and recreate it using the
following statements…
DENY 192.0.0.0 /8
PERMIT 172.64.1.0 /24 GE 25
PERMIT 192.0.0.0 /8 GE 30
Looking at router2, we see the following prefixes arriving…
Let’s walk through all of the prefixes and see how this happened…
After the first entry is processed the results table looks like what is shown above. If you are
wondering why the table is blank, it's because the first entry in the prefix list does nothing. Recall that
when you don't specify GE or LE the mask (or LEN) field applies directly to the subnet mask of the
original prefix. In this case, we don't have a route for 192.0.0.0 /8 so nothing happens.
After the second entry is parsed we see that we now have three matches. Since the 2nd entry
specifies GE we know that the LEN of the prefix list entry should be used to determine how much of
the prefix we want to match. In this case, the LEN was 24 which is saying that the first 3 octets of
the prefix (172.64.1) need to match. In our case, there were 4 prefixes that meet that requirement.
However, only 3 of them have a subnet mask that was greater than or equal to 25.
The third entry again uses GE and the LEN tells us to examine only the first octet (or first 8 bits) of the
prefix to see if it’s a match. There are 5 prefixes that match that requirement but only 2 of them
match the GE requirement of having a mask longer than or equal to 30.
What isn't shown in the prefix list is the implicit deny that happens after the last permit sequence.
Note that no other prefixes showed up in router2's BGP table.
So that was a sort of long review of prefix lists, but it's crucial that you understand how
they work.
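To make the matching rules above concrete, here is a small Python model of prefix-list evaluation: sequential entries, first match wins, implicit deny at the end, exact-length match without GE/LE, and leading-bits match plus a mask-length range with GE/LE. This is an added example, not code from the post or from Cisco. The route table is constructed so that it mirrors the counts the post reports (four prefixes under 172.64.1, three of them /25 or longer; five prefixes under 192, two of them /30), since the lab's actual table was only shown as a screenshot.

```python
# Added example (not the blog's own code): a model of Cisco-style prefix-list
# matching as the post describes it. The route table is constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class PrefixListEntry:
    action: str               # "permit" or "deny"
    network: IPv4Network      # prefix plus LEN, e.g. 172.64.1.0/24
    ge: Optional[int] = None  # minimum mask length of the route
    le: Optional[int] = None  # maximum mask length of the route


def parse_entry(text: str) -> PrefixListEntry:
    """Parse 'permit 172.64.1.0/24 ge 25' style entries (IOS-like syntax)."""
    tokens = text.split()
    action, network = tokens[0].lower(), IPv4Network(tokens[1])
    ge = le = None
    for key, value in zip(tokens[2::2], tokens[3::2]):
        if key.lower() == "ge":
            ge = int(value)
        elif key.lower() == "le":
            le = int(value)
    return PrefixListEntry(action, network, ge, le)


def entry_matches(entry: PrefixListEntry, route: IPv4Network) -> bool:
    length = entry.network.prefixlen
    # LEN says how many leading bits of the route must equal the entry's prefix.
    shift = 32 - length
    if (int(route.network_address) >> shift) != (int(entry.network.network_address) >> shift):
        return False
    if entry.ge is None and entry.le is None:
        # No GE/LE: LEN also pins the route's own mask length exactly.
        return route.prefixlen == length
    # With GE/LE the route's mask length must fall inside [ge, le];
    # a missing GE defaults to LEN, a missing LE to 32.
    low = entry.ge if entry.ge is not None else length
    high = entry.le if entry.le is not None else 32
    return low <= route.prefixlen <= high


def evaluate(prefix_list: List[PrefixListEntry], route: str) -> bool:
    """Return True if the route would be permitted (advertised)."""
    net = IPv4Network(route)
    for entry in prefix_list:
        if entry_matches(entry, net):
            return entry.action == "permit"
    return False  # implicit deny after the last entry


def advertised(prefix_list: List[PrefixListEntry], routes: List[str]) -> List[str]:
    return [r for r in routes if evaluate(prefix_list, r)]


# Constructed route table standing in for router1's BGP table in the lab.
ROUTES = [
    "172.64.1.0/24", "172.64.1.0/25", "172.64.1.128/26", "172.64.1.192/27",
    "192.128.0.0/16", "192.129.0.0/16", "192.1.1.0/24",
    "192.1.3.0/30", "192.1.5.4/30",
]

# The three-entry prefix list from the post.
LAB_PREFIX_LIST = [
    parse_entry("deny 192.0.0.0/8"),           # exact /8 only: matches nothing here
    parse_entry("permit 172.64.1.0/24 ge 25"),
    parse_entry("permit 192.0.0.0/8 ge 30"),
]

if __name__ == "__main__":
    for r in ROUTES:
        print(f"{r:18} {'permit' if evaluate(LAB_PREFIX_LIST, r) else 'deny'}")
```

Running it shows the first entry matching nothing (there is no 192.0.0.0/8 route, and without GE/LE the length must match exactly), the second entry passing the three 172.64.1 routes of /25 or longer, and the third passing only the two /30s under 192, exactly as the post walks through.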
Standard Access Lists
Standard ACLs are a more generic way to replicate the LEN feature when it is used with GE or LE.
That is, using a standard ACL to filter routes simply tells the router how many of the prefix bits to
examine. Let's take a look at a quick example.
Here I configure a standard ACL that's looking for 172.64.1.X. I then apply it as a distribute list to the BGP
neighbor and do a soft clear on the BGP peering. The result on router2 is shown below.
As stated, it looked at all of the prefixes and sent the ones whose first three octets match 172.64.1.
In that case, that was all four of these.
You can see that in this case, we weren’t at all interested in the subnet mask length. Only the first
three octets of the prefix. Let’s do another quick example to prove the point.
Let’s break down the ACL. The first chunk was 128.0.0.0. Let’s focus on the first octet. In binary,
that would be
10000000
The second part of the ACL is the mask which is 127.255.255.255. As I recall from my early days of
networking, the wild card mask is sometimes called the ”don’t care bits”. In this case the 2nd through
4th octet are all 1s so we don't care at all about any of those octets. The first octet though is a
decimal 127 which in binary would be…
01111111
So what we're showing here is that because of this standard ACL we ONLY care whether or not the
first bit of the first octet is a 1, which would include any number from 128 to 255. Put together you see
that the only bit we care about is the '128' bit in the first octet…
10000000.00000000.00000000.00000000
01111111.11111111.11111111.11111111
Since the prefix has a 1 in the only ‘I care spot’ any prefix that is going to match this ACL also has to
have a binary 1 in the 128 spot.
This sort of matching can be sort of interesting. Take for instance this example.
Here I add another route and then change the standard ACL to permit 192.1.1.0 0.0.254.255.
Comparing the prefix and mask we can tell that the prefix needs to start with 192.1. The fourth octet
can be anything and the third octet tells us that we don’t care about anything except for the last bit of
the third octet which happens to be the spot for ‘1’.
This ACL will give us all of the prefixes that start with 192.1 and have an odd number in the third
octet.
Fig 1.23 BGP route filtering – Access lists vs Prefix lists
Can you work out what this will give us? Any prefix that has an odd number in the third octet
regardless of what’s in the 1st, 2nd, or 4th octet.
To make it more clear, let’s change it to an even number in the 2nd octet.
Pretty cool huh? Not sure where you’d ever need to redistribute odd or even prefixes but it is certainly
another way to filter prefixes.
Extended Access Lists
… specify the mask you are looking for. In fact, you can specify a range of masks as well. Let's do
something similar to what we did above with the standard ACLs by specifying we only want routes
with an odd third octet. I'm going to add some more static routes to give us more to play with.
I started by adding three more static routes to use later on. Then I removed the distribute list for ACL
1 and replaced it with the extended ACL 100. Lastly, I created the extended ACL 100 and used the
following syntax.
Let’s break this down. Much like we did on the standard ACL, the first chunk of the extended ACL
tells us to look for the ‘1’ bit being marked in the third octet. This would imply that the third octet is
odd. The second part of the extended ACL tells us what kind of mask to look for. In this case, we
only want ones that have a mask of /24. Looking at our chart, I would then expect to see the
following routes on router2.
Note: I hope you’ve caught on but each time I use this table I highlight the pieces of the table that
were used to make the permit decision in red. It may be confusing to you as to why the first two
octets above are all red but then the third octet has the far right bit red with the rest black. Keep in
mind that we are using wildcard masks here. Wildcards are essentially the inverse of the actual
mask, specifying which bits should not be taken into account. In this case, we don't want to account
for anything except the '1' bit, so we specify 254, which equates to 11111110 in binary.
Taking a look at router2, we can see that our assumptions are correct.
At this point, the extended ACL has given us the same ability as the standard ACL but also allowed
us to check the subnet mask of the prefix. Let’s change things up a bit to see what else we can do.
Did you catch what happened? Let’s walk through it once again to make sure. The extended access
list entry looked like this.
The first half of the ACL functions just like the standard ACL allowing us to find prefixes that have an
odd third octet. The second half of the ACL (255.255.255.0 0.0.0.243) requires a little more
explaining.
As we saw in the first extended ACL example, you can simply specify the mask you want the
matching prefixes to have. In this case, that would be /24 or 255.255.255.0. So far so good. Now
what's going on with the 0.0.0.243 piece of this? Much like how you can wildcard the prefix, you can
also wildcard the subnet mask. In this case, we specify that the first three octets of the mask need
to match by using 0.0.0, i.e. 255.255.255 will be the first three mask octets. For the fourth octet, we
say that we want the decimal 243. In binary, that gives us…
243 = 11110011
So let's look at the fourth octet for some of the other prefixes.
0 = 00000000
243 = 11110011
248 = 11111000
240 = 11110000
Recall that with wild cards masks the ‘1’s are the “don’t care” bits. As you can see, the 0’s are the
“care” bits. The mask itself has a decimal 0 for the fourth octet which would be ‘00000000’ in binary.
This wildcard mask is saying that this extended ACL needs the fourth octet to have binary 0s in the 4
and 8 bit positions. Since the mask for a /29 is 255.255.255.248, the 8 bit position in the fourth octet is
a 1. So as you can see, the /28 networks pass just fine since their 4 and 8 bits are already '0'. The
/29 networks have an issue since their '8' bit is a '1'.
If we change the ACL to say…
PERMIT IP 172.64.1.0 0.0.54.255 255.255.255.0 0.0.0.251
we would start seeing the /29 prefixes on router2.
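The standard and extended ACL behaviour described above (wildcard "don't care" bits on the prefix, and for an extended ACL a second wildcard applied to the route's subnet mask) can be reproduced with a few lines of Python. This is an added example, not code from the post or from any vendor. The route table is constructed for illustration, and because the post's exact ACL entries were only shown as screenshots, the "odd third octet anywhere" form `0.0.1.0 255.255.254.255` used for the extended-ACL cases is my assumption; the `128.0.0.0 127.255.255.255`, `192.1.1.0 0.0.254.255`, `0.0.0.243` and `0.0.0.251` values are the post's own.

```python
# Added example (not the blog's own code): wildcard-mask matching as a BGP
# distribute list applies it. A standard ACL checks only the prefix bits the
# wildcard leaves as 0 ("care" bits) and ignores the mask length; an extended
# ACL additionally wildcard-matches the route's subnet mask. Routes are constructed.
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, List


def wildcard_match(value: str, acl_value: str, wildcard: str) -> bool:
    """True when value equals acl_value on every bit the wildcard leaves as 0."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))  # invert: 1 = bit we check
    return (int(IPv4Address(value)) & care) == (int(IPv4Address(acl_value)) & care)


def standard_acl_permits(route: str, acl_addr: str, wildcard: str) -> bool:
    """Standard ACL as distribute list: match only the prefix, never the mask."""
    net = IPv4Network(route)
    return wildcard_match(str(net.network_address), acl_addr, wildcard)


def extended_acl_permits(route: str, acl_addr: str, addr_wc: str,
                         acl_mask: str, mask_wc: str) -> bool:
    """Extended ACL: first half matches the prefix, second half matches the mask."""
    net = IPv4Network(route)
    return (wildcard_match(str(net.network_address), acl_addr, addr_wc)
            and wildcard_match(str(net.netmask), acl_mask, mask_wc))


def filter_routes(routes: List[str], permits: Callable[[str], bool]) -> List[str]:
    return [r for r in routes if permits(r)]


# Constructed route table: 172.64.1.x with assorted masks, 192.1.x with odd and
# even third octets, plus two prefixes outside those ranges.
ROUTES = [
    "172.64.1.0/24", "172.64.1.0/25", "172.64.1.128/26", "172.64.1.192/27",
    "192.1.1.0/24", "192.1.2.0/24", "192.1.3.0/28", "192.1.5.0/29", "192.1.7.0/30",
    "10.0.0.0/8", "200.5.9.0/24",
]


# Standard ACL cases from the post.
def high_bit_set(route: str) -> bool:            # permit 128.0.0.0 127.255.255.255
    return standard_acl_permits(route, "128.0.0.0", "127.255.255.255")


def odd_third_octet_192_1(route: str) -> bool:   # permit 192.1.1.0 0.0.254.255
    return standard_acl_permits(route, "192.1.1.0", "0.0.254.255")


# Extended ACL cases: odd third octet anywhere (assumed prefix half), with the
# mask half either exact /24 or wildcarded on the fourth octet.
def odd_third_octet_exact_24(route: str) -> bool:
    return extended_acl_permits(route, "0.0.1.0", "255.255.254.255",
                                "255.255.255.0", "0.0.0.0")


def odd_third_octet_mask_wc(route: str, mask_wc: str) -> bool:
    return extended_acl_permits(route, "0.0.1.0", "255.255.254.255",
                                "255.255.255.0", mask_wc)


if __name__ == "__main__":
    print("first bit set:       ", filter_routes(ROUTES, high_bit_set))
    print("192.1 odd third:     ", filter_routes(ROUTES, odd_third_octet_192_1))
    print("odd third, /24 only: ", filter_routes(ROUTES, odd_third_octet_exact_24))
    print("mask wildcard 243:   ", filter_routes(ROUTES, lambda r: odd_third_octet_mask_wc(r, "0.0.0.243")))
    print("mask wildcard 251:   ", filter_routes(ROUTES, lambda r: odd_third_octet_mask_wc(r, "0.0.0.251")))
```

The two mask wildcards behave as the post explains: 0.0.0.243 (11110011) checks only the 4 and 8 bit positions of the mask's fourth octet, so /28 (240) passes while /29 (248) and /30 (252) fail; 0.0.0.251 (11111011) checks only the 4 bit position, so /29 now passes but /30 still does not.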
Copyright © 2016 << Networks Baseline - Cisco Engineers Live >> | Powered by Blogger