Order of preference (when more than one filter is configured on the same neighbor, they are applied in this order):
For inbound updates:
1. route-map
2. filter-list
3. prefix-list OR distribute-list
For outbound updates:
1. prefix-list OR distribute-list
2. filter-list
3. route-map
Prefix-List:
ip prefix-list <NAME> [seq <Num>] {permit|deny} <Subnet>/<Prefix> [ge <Length1>] [le <Length2>]
A prefix-list can be applied in two ways: directly to the neighbor, or through a route-map.
Way 1 (directly on the neighbor):
ip prefix-list BLOCK_222 deny 222.22.2.0/24
ip prefix-list BLOCK_222 permit 0.0.0.0/0 le 32
!
router bgp 200
neighbor 192.10.1.254 prefix-list BLOCK_222 in
Way 2 (through a route-map):
ip prefix-list SHORTER_THAN_22 permit 0.0.0.0/0 le 22
!
route-map FROM_R9 permit 100
match ip address prefix-list SHORTER_THAN_22
!
router bgp 300
neighbor 155.1.79.9 route-map FROM_R9 in
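The following Python script is an added example, not IOS code and not part of the original notes: it emulates how a prefix-list evaluates a route (first P bits of the route must equal the entry's network, the route length must fall in the ge/le range, first match wins, implicit deny at the end) so that BLOCK_222 and SHORTER_THAN_22 above can be checked against sample routes before they are applied. The parser and the auto-numbering of seq in steps of 5 are assumptions about the config format shown on this page.

```python
"""Emulate IOS 'ip prefix-list' matching so a filter can be checked before it is applied.

Added example; not IOS code. Rules implemented: an entry NET/P [ge G] [le E] matches a
route R/L when the first P bits of R equal those of NET and L lies in the length range
(exactly P with no ge/le, G..32 with only ge, P..E with only le, G..E with both).
Entries are tried in sequence order, first match wins, and the list ends in an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PrefixListEntry:
    seq: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> tuple:
        p = self.network.prefixlen
        if self.ge is None and self.le is None:
            return p, p
        return (self.ge if self.ge is not None else p,
                self.le if self.le is not None else 32)

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # "first P bits equal" is the same as the route's network address lying inside NET/P
        if route.network_address not in self.network:
            return False
        low, high = self.length_range()
        return low <= route.prefixlen <= high


def parse_prefix_lists(config: str) -> dict:
    """Parse 'ip prefix-list NAME [seq N] {permit|deny} A.B.C.D/P [ge G] [le E]' lines."""
    lists: dict = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue                                  # skip anything that is not a prefix-list line
        name, rest = tok[2], tok[3:]
        entries = lists.setdefault(name, [])
        if rest[0] == "seq":
            seq, rest = int(rest[1]), rest[2:]
        else:
            seq = entries[-1].seq + 5 if entries else 5   # IOS auto-numbers in steps of 5
        action, net = rest[0], ipaddress.IPv4Network(rest[1], strict=False)
        opts = dict(zip(rest[2::2], map(int, rest[3::2])))   # e.g. {"le": 32} or {"ge": 16, "le": 24}
        entries.append(PrefixListEntry(seq, action, net, opts.get("ge"), opts.get("le")))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries, route: str) -> str:
    """Return 'permit' or 'deny' for a route, as the prefix-list would."""
    r = ipaddress.IPv4Network(route, strict=False)
    for e in entries:
        if e.matches(r):
            return e.action
    return "deny"   # implicit deny at the end of every prefix-list


# The two prefix-lists from the notes above, as constructed input
CONFIG = """
ip prefix-list BLOCK_222 deny 222.22.2.0/24
ip prefix-list BLOCK_222 permit 0.0.0.0/0 le 32
ip prefix-list SHORTER_THAN_22 permit 0.0.0.0/0 le 22
"""
LISTS = parse_prefix_lists(CONFIG)

if __name__ == "__main__":
    samples = {"BLOCK_222": ["222.22.2.0/24", "222.22.2.128/25", "10.0.0.0/8"],
               "SHORTER_THAN_22": ["10.0.0.0/8", "10.1.0.0/22", "10.1.1.0/24"]}
    for name, routes in samples.items():
        for route in routes:
            print(f"{name:16} {route:18} -> {evaluate(LISTS[name], route)}")
```

Running it shows the caveat a reviewer of BLOCK_222 would want to see: `deny 222.22.2.0/24` without ge/le matches only the exact /24, so a more specific 222.22.2.128/25 from the same neighbor is still permitted by the second line; blocking the whole range would need `le 32` on the deny entry.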
Standard Access-List:
Way 1 (distribute-list directly on the neighbor):
Configure a standard access-list on R2 so that it does not accept any prefix with the address 222.22.2.0 from R10:
ip access-list standard BLOCK_222
deny 222.22.2.0
permit any
!
router bgp 200
neighbor 192.10.1.254 distribute-list BLOCK_222 in
Way 2 (through a route-map):
Configure a standard access-list on R7 so that it does not accept any prefixes with an even number in the first octet from R9.
R7:
ip access-list standard ODD_FIRST_OCTET
permit 1.0.0.0 254.255.255.255
!
route-map FROM_R9 permit 100
match ip address ODD_FIRST_OCTET
!
router bgp 300
neighbor 155.1.79.9 route-map FROM_R9 in
Extended Access-Lists:
Extended access-lists add more functionality to BGP prefix filtering. In addition to matching the subnet number, they also allow the subnet mask to be matched. A typical extended access-list entry in the format
permit {proto} <src-subnet> <src-mask> <dst-subnet> <dst-mask> [options]
is treated as follows. First, the protocol field and the other options are ignored. Next, the <src-subnet> <src-mask> pair is used to build an expression that matches the prefix's subnet number. The <dst-subnet> <dst-mask> pair is used as an expression that matches the prefix's subnet mask.
permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0 - matches 10.0.0.0/16 only
permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0 - matches 10.0.0.0/24 only
permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0 - matches 10.1.1.0/24 only
permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0 - matches 10.0.X.0/24 - any number in the third octet
permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255 - matches 10.X.X.X/24 to 10.X.X.X/32 - any number in the second, third, and fourth octet of the network with a /24 to /32 subnet mask
permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127 - matches 10.X.X.X/25 to 10.X.X.X/32 - any number in the second, third, and fourth octet of the network with a /25 to /32 subnet mask
Ex:
Configure an extended access-list on R7 so that it does not accept from R9 any prefix with an even third octet and a subnet mask greater than or equal to /22. The list is applied directly to the neighbor (distribute-list).
R7:
ip access-list extended EVEN_3RD_MASK_GT_22
deny ip 0.0.0.0 255.255.254.255 255.255.252.0 0.0.3.255
permit ip any any
!
router bgp 300
neighbor 155.1.79.9 distribute-list EVEN_3RD_MASK_GT_22 in
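As an added example (not IOS code and not part of the original notes), the script below applies the matching rules stated in the standard and extended access-list sections above to sample routes: a standard entry matches the prefix's network address against ADDR/WILDCARD, an extended entry ignores the protocol, matches the network address against the source pair and the subnet mask against the destination pair, first match wins, and the list ends in an implicit deny. It is useful for confirming that BLOCK_222, ODD_FIRST_OCTET and EVEN_3RD_MASK_GT_22 do what the task asks before they are applied. The parser is an assumption about the config lines shown on this page and handles only entries without port qualifiers.

```python
"""Emulate how IOS applies an access-list to BGP prefixes (distribute-list, or a route-map
'match ip address'). Added example, not IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: int, base: int, wildcard: int) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit must match exactly."""
    care = ~wildcard & 0xFFFFFFFF
    return value & care == base & care


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    net: int                         # source pair: matched against the prefix's network address
    net_wc: int
    mask: Optional[int] = None       # destination pair: matched against the subnet mask;
    mask_wc: Optional[int] = None    # None for a standard ACL, where the mask is not checked

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if not wildcard_match(int(route.network_address), self.net, self.net_wc):
            return False
        if self.mask is None:
            return True
        return wildcard_match(int(route.netmask), self.mask, self.mask_wc)


def _is_dotted(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _address_spec(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' at tok[i]; return (base, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return to_int(tok[i + 1]), 0, i + 2
    base = to_int(tok[i])
    if i + 1 < len(tok) and _is_dotted(tok[i + 1]):
        return base, to_int(tok[i + 1]), i + 2
    return base, 0, i + 1                            # bare address = exact match (wildcard 0.0.0.0)


def parse_acls(config: str) -> dict:
    """Parse 'ip access-list {standard|extended} NAME' blocks and their permit/deny lines."""
    acls: dict = {}
    kind = name = None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "access-list"]:
            kind, name = tok[2], tok[3]
            acls[name] = []
        elif tok and tok[0] in ("permit", "deny") and name is not None:
            if kind == "standard":
                net, wc, _ = _address_spec(tok, 1)
                acls[name].append(AclEntry(tok[0], net, wc))
            else:                                    # extended: tok[1] is the protocol, ignored
                net, wc, i = _address_spec(tok, 2)
                mask, mask_wc, _ = _address_spec(tok, i)
                acls[name].append(AclEntry(tok[0], net, wc, mask, mask_wc))
    return acls


def evaluate(acl, route: str) -> str:
    """Return 'permit' or 'deny' for a route, as the access-list would."""
    r = ipaddress.IPv4Network(route, strict=False)
    for e in acl:
        if e.matches(r):
            return e.action
    return "deny"                                    # implicit deny at the end of every ACL


# The lists from the notes above plus one generic extended entry, as constructed input
CONFIG = """
ip access-list standard BLOCK_222
 deny 222.22.2.0
 permit any
ip access-list standard ODD_FIRST_OCTET
 permit 1.0.0.0 254.255.255.255
ip access-list extended EVEN_3RD_MASK_GT_22
 deny ip 0.0.0.0 255.255.254.255 255.255.252.0 0.0.3.255
 permit ip any any
ip access-list extended TEN_ZERO_ANY_24
 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
"""
ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    for name, route in [("BLOCK_222", "222.22.2.0/25"), ("ODD_FIRST_OCTET", "192.168.1.0/24"),
                        ("EVEN_3RD_MASK_GT_22", "10.1.2.0/24"), ("EVEN_3RD_MASK_GT_22", "10.1.0.0/16"),
                        ("TEN_ZERO_ANY_24", "10.0.5.0/24")]:
        print(f"{name:20} {route:16} -> {evaluate(ACLS[name], route)}")
```

Note the difference from the prefix-list version of BLOCK_222: the standard ACL checks only the subnet number, so 222.22.2.0/25 is denied as well as 222.22.2.0/24, while 222.22.2.128/25 still passes.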