
10/24/2016 BGP route filtering – Access lists vs Prefix lists ~ << Networks Baseline - Cisco Engineers Live >>


BGP route filtering – Access lists vs Prefix lists


categories: access Lists, BGP


When filtering routes with BGP it’s very likely that you’ve used prefix lists.  Again, this is
simply something that we’ve been taught to do and consider best practice.  On the flip side,
there’s the option within BGP to filter prefixes using both standard and extended ACLs.  Let’s
review all three options to make sure we have a good handle on how each of them works.
We’ll start with this simple lab.

http://www.networksbaseline.in/2014/06/bgp-route-filtering-access-lists-vs.html

Fig 1.1 BGP route filtering – Access lists vs. Prefix lists

Let us assume that router1 and router2 are eBGP peered.  In addition, router1 has the above listed
networks available in its BGP table to advertise to router2.

Fig 1.2 BGP route filtering – Access lists vs Prefix lists

Assuming all is working in default manner, we should see these routes on router2 as well…


Fig 1.3 BGP route filtering – Access lists vs Prefix lists

Looks like things are working as expected. 


Side Note: Do you notice that the prefixes for 192.1.1.0, 192.1.2.0, and 192.2.3.0 do not list a subnet
mask in either BGP table?  Care to wager why that is?  If you recall from our classful network post
earlier, the mask of /24 is the natural or classful mask for all three of those networks.  Since this is
implied, there’s no need to display it. 

Now let’s take a look at filtering the advertisements to router2 using all three methods.  We’ll start
with the most common method.

Prefix Lists

Let’s assume that we only want to advertise the 192 networks to router2.  This could be
accomplished in several ways using prefix lists.  Naturally, we could define a prefix list that has 4
entries, one that matches each exact prefix.  However, that’s not a lot of fun.  Let’s start off with this
prefix list to make sure we’re all on the same page.

Fig 1.4 BGP route filtering – Access lists vs Prefix lists

The prefix list in this case is permitting prefixes that match…


192.128.0.0 /9 GE 24
The resulting BGP prefixes that get sent to router2 are…


Fig 1.5 BGP route filtering – Access lists vs Prefix lists

Let’s quickly review prefix list syntax.  The prefix list is broken into 3 sections: the prefix (or
network), the mask (often called LEN), and the optional mask range (GE and LE).
When GE (greater than or equal to) and/or LE (less than or equal to) are added to a prefix list entry
they cause the behavior of the prefix list to change.  Without a GE or LE, the mask is used to determine
the exact mask length for the prefix to match.  Take for instance the following prefixes.

172.64.32.0 /24
172.64.0.0 /16

Given the above two prefixes, the prefix list entry of…
ip prefix-list test permit 172.64.0.0/16
will ONLY match the exact prefix of 172.64.0.0 /16.  However, when you add a GE, LE, or both, the
mask now turns into how much of the prefix you want to examine.  For instance, the prefix list entry
of.

ip prefix-list test permit 172.64.0.0/15 ge 16

would now match both of those prefixes.  The prefix and mask tell you that you are only interested in
the first 15 bits of any prefix matching your defined network.  The GE tells you that the prefix also has
to have a subnet mask greater than or equal to 16.
In our lab example, we told the prefix list to match the first 9 bits of the prefix.  In other words, the ‘/9’
tells the router to look at all of the prefixes, and find the ones whose first 9 bits match the prefix
specified.  Looking at just the 192 prefixes, we can see that only the 192.129 and 192.128 prefixes are
a match on the first 9 bits.

Fig 1.6 BGP route filtering – Access lists vs Prefix lists

Since we specified the prefix was 192.128.0.0 that implies that the first bit of the second octet needs
to be a 1.  Only two prefixes match that so we only advertise two prefixes.  Let’s modify the prefix list
slightly to see how it changes…


Fig 1.7 BGP route filtering – Access lists vs. Prefix lists

Here we’ve modified the prefix list to only care about the first 8 bits of the
prefix.  This will match all of the 192 prefixes.  However, we’ve also told it that the subnet mask has to
be less than or equal to 24 bits in length.  That means that the following prefixes get
advertised to router2.

Fig 1.8 BGP route filtering – Access lists vs Prefix lists

Let’s make one more change to the prefix list to show one final point…

Fig 1.9 BGP route filtering – Access lists vs Prefix lists

The first thing we do is add three more routes.  Then we delete the prefix list and recreate it using the
following statements…
DENY 192.0.0.0 /8
PERMIT 172.64.1.0 /24 GE 25
PERMIT 192.0.0.0 /8 GE 30
Looking at router2, we see the following prefixes arriving…

Fig 1.10 BGP route filtering – Access lists vs Prefix lists

Let’s walk through all of the prefixes and see how this happened…


Fig 1.11 BGP route filtering – Access lists vs Prefix lists

After the first entry is processed the results table looks like what is shown above.  If you are
wondering why the table is blank it’s because the first entry in the prefix list does nothing.  Recall that
when you don’t specify GE or LE the mask (or LEN) field applies directly to the subnet mask of the
actual prefix.  In this case, we don’t have a route for 192.0.0.0 /8 so nothing happens.

Fig 1.12 BGP route filtering – Access lists vs Prefix lists

After the second entry is parsed we see that we now have three matches.  Since the 2nd entry
specifies GE we know that the LEN of the prefix list entry should be used to determine how much of
the prefix we want to match.  In this case, the LEN was 24 which is saying that the first 3 octets of
the prefix (172.64.1) need to match.  In our case, there were 4 prefixes that meet that requirement. 
However, only 3 of them have a subnet mask that was greater than or equal to 25.


Fig 1.13 BGP route filtering – Access lists vs Prefix lists

The third entry again uses GE and the LEN tells us to examine only the first octet (or first 8 bits) of the
prefix to see if it’s a match.  There are 5 prefixes that match that requirement but only 2 of them
match the GE requirement of having a mask longer than or equal to 30. 

Fig 1.14 BGP route filtering – Access lists vs Prefix lists

What isn’t shown in the prefix list is the implicit deny that happens after the last permit sequence.
Note that no other prefixes showed up in router2’s BGP table.
So that was a rather long review of prefix lists, but it’s important that you understand how
they work.

Standard Access Lists

Standard ACLs are a more generic way to replicate the LEN
function when it is used with GE or LE.  That is, using a standard ACL to filter routes simply tells the
router how many of the prefix bits to look at.  Let’s look at a quick example.
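As an added illustration of the LEN/GE/LE rules described above and of the three-entry walkthrough (deny 192.0.0.0/8, permit 172.64.1.0/24 ge 25, permit 192.0.0.0/8 ge 30), here is a small Python model of Cisco prefix-list evaluation. It is my own code, not the post's, and the route table is constructed because the post's tables are images.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PrefixListEntry:
    """One 'ip prefix-list NAME permit|deny NET/LEN [ge N] [le N]' line."""
    action: str
    network: str
    length: int                 # the LEN field
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: IPv4Net) -> bool:
        # Step 1: only the first LEN bits of the route are compared with NET.
        entry_net = IPv4Net((self.network, self.length), strict=False)
        route_head = IPv4Net((route.network_address, self.length), strict=False)
        if route_head != entry_net:
            return False
        # Step 2: without ge/le the route's mask must equal LEN exactly.
        if self.ge is None and self.le is None:
            return route.prefixlen == self.length
        # With ge and/or le, LEN only says how many bits to compare; the
        # allowed mask range is ge..le (defaults: LEN at the low end, 32 high).
        low = self.ge if self.ge is not None else self.length
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


def parse_entry(text: str) -> PrefixListEntry:
    """Parse e.g. 'permit 172.64.0.0/15 ge 16' (the part after the list name)."""
    words = text.lower().split()
    action, (network, length) = words[0], words[1].split("/")
    ge = le = None
    rest = words[2:]
    while rest:
        key, val, rest = rest[0], int(rest[1]), rest[2:]
        if key == "ge":
            ge = val
        elif key == "le":
            le = val
        else:
            raise ValueError(f"unexpected keyword {key!r}")
    return PrefixListEntry(action, network, int(length), ge, le)


def permitted(entries: List[PrefixListEntry], routes: List[str]) -> List[str]:
    """Routes the prefix list lets through, in order. Entries are evaluated
    top-down and the first match wins; a route that matches nothing hits the
    implicit deny at the end of the list."""
    allowed = []
    for text in routes:
        route = IPv4Net(text)
        for entry in entries:
            if entry.matches(route):
                if entry.action == "permit":
                    allowed.append(str(route))
                break
    return allowed


# Constructed sample BGP table (the post's tables are images, so this is mine).
SAMPLE_ROUTES = [
    "172.64.1.0/24", "172.64.1.0/25", "172.64.1.128/26", "172.64.1.192/27",
    "192.1.1.0/24", "192.1.2.0/24", "192.2.3.0/24", "192.128.1.0/24",
    "192.129.1.0/24", "192.1.1.0/30", "192.2.3.4/30",
]
```

Running `permitted(lab_entries, SAMPLE_ROUTES)` with the three-entry list above yields only the three 172.64.1 routes with masks of /25 or longer plus the two /30s, which is the behaviour the walkthrough describes.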


Fig 1.15 BGP route filtering – Access lists vs Prefix lists

Here I configure a standard ACL that’s looking for 172.64.1.X.  I then apply it as a distribute list to the BGP
neighbor and do a soft clear on the BGP peering.  The result on router2 is shown below.

Fig 1.16 BGP route filtering – Access lists vs Prefix lists

As stated, it looked at all of the prefixes and sent the ones whose first three octets match 172.64.1. 
In that case, that was all four of these.

Fig 1.17 BGP route filtering – Access lists vs Prefix lists

You can see that in this case, we weren’t at all interested in the subnet mask length.  Only the first
three octets of the prefix.  Let’s do another quick example to prove the point.


Fig 1.18 BGP route filtering – Access lists vs Prefix lists

Now if we look at router2, we see these prefixes in the BGP table.

Fig 1.19 BGP route filtering – Access lists vs Prefix lists

Confused?  Let’s walk through it on the graph so you can see.

Fig 1.20 BGP route filtering – Access lists vs Prefix lists

Let’s break down the ACL.  The first chunk was 128.0.0.0.  Let’s focus on the first octet.  In binary,
that would be

10000000
The second part of the ACL is the mask which is 127.255.255.255.  As I recall from my early days of
networking, the wild card mask is sometimes called the ”don’t care bits”.  In this case the 2nd through
4th octet is all 1’s so we don’t care at all about any of those octets.  The first octet though is a
decimal 127 which in binary would be…

01111111

So what we’re showing here is that because of this standard ACL we ONLY care whether or not the
first bit of the first octet is a 1 which would include any number from 128 to 255.  Put together you see
that the only bit we care about is the ‘128’ bit in the first octet…

10000000.00000000.00000000.00000000
01111111.11111111.11111111.11111111

Since the prefix has a 1 in the only ‘I care spot’ any prefix that is going to match this ACL also has to
have a binary 1 in the 128 spot.
This sort of matching can be sort of interesting.  Take for instance this example.
 

Fig 1.21 BGP route filtering – Access lists vs Prefix lists

 
Here I add another route and then change the standard ACL to permit 192.1.1.0 0.0.254.255. 
Comparing the prefix and mask we can tell that the prefix needs to start with 192.1.  The fourth octet
can be anything and the third octet tells us that we don’t care about anything except for the last bit of
the third octet which happens to be the spot for ‘1’. 
This ACL will give us all of the prefixes that start with 192.1 and have an odd number in the third
octet.
 

Fig 1.22 BGP route filtering – Access lists vs Prefix lists

Taken a step further, we could say something like this.

Fig 1.23 BGP route filtering – Access lists vs Prefix lists

Can you work out what this will give us?  Any prefix that has an odd number in the third octet
regardless of what’s in the 1st, 2nd, or 4th octet.

Fig 1.24 BGP route filtering – Access lists vs Prefix lists

To make it more clear, let’s change it to an even number in the 2nd octet.

Fig 1.25 BGP route filtering – Access lists vs Prefix lists

And router2 sees.

Fig 1.26 BGP route filtering – Access lists vs Prefix lists

Pretty cool huh?  Not sure where you’d ever need to redistribute odd or even prefixes but it is certainly
another way to filter prefixes. 

Extended Access Lists


Extended ACLs allow you a little more granularity over standard ACLs since you can once again
specify the mask you are looking for.  In fact, you can specify a range of masks as well.  Let’s do
something similar to what we did above with the standard ACLs by specifying we only want routes
with an odd third octet.  I’m going to add some more static routes to give us more to play with.

Fig 1.27 BGP route filtering – Access lists vs Prefix lists

I started by adding three more static routes to use later on.  Then I removed the distribute list for ACL
1 and replaced it with the extended ACL 100.  Lastly, I created the extended ACL 100 and used the
following syntax.

PERMIT IP 172.64.1.0 0.0.254.255 HOST 255.255.255.0

Let’s break this down.  Much like we did on the standard ACL, the first chunk of the extended ACL
tells us to look for the ‘1’ bit being marked in the third octet.  This would imply that the third octet is
odd.  The second part of the extended ACL tells us what kind of mask to look for.  In this case, we
only want ones that have a mask of /24.  Looking at our chart, I would then expect to see the
following routes on router2.

Fig 1.28 BGP route filtering – Access lists vs Prefix lists

Note: I hope you’ve caught on but each time I use this table I highlight the pieces of the table that
were used to make the permit decision in red.  It may be confusing to you as to why the first two
octets above are all red but then the third octet has the far right bit red with the rest black.  Keep in
mind that we are using wild card masks here.  Wildcards are essentially the inverse of the actual
mask, specifying which bits should not be taken into account.  In this case, we don’t want to account
for anything except the ‘1’ bit so we specify 254 which equates to 11111110 in binary.

Taking a look at router2, we can see that our assumptions are correct.

Fig 1.29 BGP route filtering – Access lists vs Prefix lists

At this point, the extended ACL has given us the same ability as the standard ACL but also allowed
us to check the subnet mask of the prefix.  Let’s change things up a bit to see what else we can do.

Fig 1.30 BGP route filtering – Access lists vs Prefix lists

The result on router2 is.

Fig 1.31 BGP route filtering – Access lists vs Prefix lists

Our table now looks like this.


Fig 1.32 BGP route filtering – Access lists vs Prefix lists

Did you catch what happened?  Let’s walk through it once again to make sure.  The extended access
list entry looked like this.

PERMIT IP 172.64.1.0 0.0.54.255 255.255.255.0 0.0.0.243

The first half of the ACL functions just like the standard ACL allowing us to find prefixes that have an
odd third octet.  The second half of the ACL (255.255.255.0 0.0.0.243) requires a little more
explaining. 

As we saw in the first extended ACL example, you can simply specify the mask you want the
matching prefixes to have.  In this case, that would be /24 or 255.255.255.0.  So far so good. Now
what’s going on with the 0.0.0.243 piece of this?  Much like how you can wild card the prefix, you can
also wild card the subnet mask.  In this case, we specify that the first three octets of the mask need
to match by using 0.0.0.  AKA, 255.255.255 will be the first three mask octets.  The fourth octet, we
say that we want the decimal of 243.  In binary, that gives us.

243 = 11110011

So let’s look at the fourth octet for some of the other prefixes.

0   = 00000000
243 = 11110011
248 = 11111000
240 = 11110000
 
Recall that with wild cards masks the ‘1’s are the “don’t care” bits.  As you can see, the 0’s are the
“care” bits.  The mask itself has a decimal 0 for the fourth octet which would be ‘00000000’ in binary. 


This wild card mask is saying that this extended ACL needs the fourth octet to have binary 0s in the 4
and 8 bit positions.  Since the mask for a /29 is 255.255.255.248, the 8 bit position in the fourth octet is
a 1.  So as you can see, the /28 networks pass just fine since their 4 and 8 bits are already ‘0’.  The
/29 networks have an issue since their ‘8’ bit is a ‘1’.
If we change the ACL to say.
 
PERMIT IP 172.64.1.0 0.0.54.255 255.255.255.0 0.0.0.251
 
we would start seeing the /29 prefixes on router2.

Fig 1.33 BGP route filtering – Access lists vs Prefix lists

Fig 1.34 BGP route filtering – Access lists vs Prefix lists
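To tie together the standard-ACL wildcard matching (odd/even octets, the 128 bit) and the extended-ACL matching of both prefix and subnet mask, here is an added Python model of how a distribute list applies each ACL type. It is my own code, not the post's; the sample routes are constructed, and the `host` keyword is modelled as an all-zero wildcard.

```python
import ipaddress
from typing import List

IPv4Net = ipaddress.IPv4Network
HOST = "0.0.0.0"   # the 'host' keyword is shorthand for an all-zero wildcard


def _bits(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard compare. A 1 bit in the wildcard is a 'don't care' bit;
    a 0 bit means that bit of value must equal the same bit of pattern."""
    care = ~_bits(wildcard) & 0xFFFFFFFF
    return (_bits(value) ^ _bits(pattern)) & care == 0


def standard_permits(route: IPv4Net, pattern: str, wildcard: str) -> bool:
    # As a BGP distribute list, a standard ACL only looks at the prefix bits;
    # the subnet mask length plays no part in the decision.
    return wildcard_match(str(route.network_address), pattern, wildcard)


def extended_permits(route: IPv4Net, src: str, src_wc: str,
                     mask: str, mask_wc: str) -> bool:
    # The 'source' half is compared with the prefix and the 'destination'
    # half with the prefix's subnet mask, each with its own wildcard.
    return (wildcard_match(str(route.network_address), src, src_wc)
            and wildcard_match(str(route.netmask), mask, mask_wc))


def filter_standard(routes: List[str], pattern: str, wildcard: str) -> List[str]:
    return [r for r in routes if standard_permits(IPv4Net(r), pattern, wildcard)]


def filter_extended(routes: List[str], src: str, src_wc: str,
                    mask: str, mask_wc: str) -> List[str]:
    return [r for r in routes
            if extended_permits(IPv4Net(r), src, src_wc, mask, mask_wc)]


def care_bits(wildcard: str) -> str:
    """Show which bits an entry actually inspects, e.g. for 0.0.254.255 only
    the low bit of the third octet: 11111111.11111111.00000001.00000000."""
    return ".".join(f"{(~o) & 0xFF:08b}" for o in map(int, wildcard.split(".")))


# Constructed sample routes (the post's tables are images, so these are mine).
SAMPLE_ROUTES = [
    "172.64.1.0/24", "172.64.3.0/28", "172.64.5.0/29", "172.64.2.0/24",
    "192.1.1.0/24", "192.1.2.0/24", "192.1.3.0/24", "192.2.3.0/24", "10.0.0.0/8",
]
```

With the post's last two entries, `0.0.0.243` as the mask wildcard lets the /24 and /28 through but not the /29, and changing it to `0.0.0.251` admits the /29 as well.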

Copyright@ 2006-2015 Networks-Baseline. Powered by Blogger.
