2013/11/23

WB1 7.44 BGP Filtering with Standard Access-Lists


• Remove the filters applied in the previous task.
• Configure a standard access-list on R2 so that it does not accept any prefix with the address 222.22.2.0 from BB2; this access-list should be applied directly to the neighbor.
• Configure a standard access-list on R4 so that it does not accept any prefixes with an even number in the first octet; this access-list should be applied through a route-map to the neighbor.

 
-----------------------------------------------
 
R2 must not accept the learned prefix 222.22.2.0; apply the access-list directly on the neighbor.
R4 must not accept learned prefixes whose first octet is even; use a route-map.
 
-----------------------------------------------
 
Using a standard access-list for BGP filtering is less efficient than using a prefix-list.
 
Since the wildcard mask does not have to represent the prefix's subnet mask, you may make it discontiguous. This allows for some "oddball" filtering, such as permitting only odd or only even prefixes.
 
For example, the combination "23.0.1.0 14.0.0.255" would match 8x256 subnets (3 bits set to one in the first octet and 8 bits set to one in the last octet), such as 23.0.1.64, 21.0.1.128, 17.0.1.32 and so on.
 
17.0.1.X ~ 23.0.1.X
 
In this scenario we create an access-list that matches all prefixes with an odd first octet. This means the least-significant bit of the first octet must always be set to one, so the corresponding wildcard bit is always 0. All other bits don't matter, so the remaining wildcard bits can be set to one. The resulting combination is "1.0.0.0 254.255.255.255".


1.0.0.0 254.255.255.255 permits odd first octets
0.0.0.0 254.255.255.255 permits even first octets

In order to associate the access-list with a BGP peer, use the command neighbor <IP> distribute-list <ACL> {in|out}. Notice that you cannot use prefix-list based and access-list based filtering at the same time, i.e. you cannot apply the distribute-list and prefix-list commands to the same peer in the same direction. However, you may freely mix both kinds of match in a route-map.

-----------------------------------------------
 
R2:
ip access-list standard BLOCK_222
 deny 222.22.2.0
 permit any
!
router bgp 200
 no neighbor 192.10.1.254 prefix-list BLOCK_222 in
 neighbor 192.10.1.254 distribute-list BLOCK_222 in


R4:
ip access-list standard ODD_FIRST_OCTET
 permit 1.0.0.0 254.255.255.255
!
no route-map FROM_BB3
!
route-map FROM_BB3 permit 100
 match ip address ODD_FIRST_OCTET
!
router bgp 100
 neighbor 204.12.1.254 route-map FROM_BB3 in

 
My alternative solution for R4:
ip access-list standard EVEN
 deny   0.0.0.0 254.255.255.255
 permit any
!
route-map NOT_EVEN_MAP permit 10
 match ip address EVEN
!
router bgp 100
 neighbor 204.12.1.254 route-map NOT_EVEN_MAP in
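To make the wildcard-mask reasoning above and the three access-lists in the configs concrete, here is an added Python example (not part of the original post, and not IOS code) that implements standard-ACL wildcard matching the way IOS evaluates it: a wildcard bit of 1 is "don't care", entries are tested in order, and an unmatched network hits the implicit deny. It expands the "23.0.1.0 14.0.0.255" first-octet example, then runs BLOCK_222, ODD_FIRST_OCTET and EVEN over the networks that appear in the show ip bgp output. The network lists and the function names are my own constructions for the example.

```python
import ipaddress
from typing import List, Tuple

# A standard ACL as a list of (action, address, wildcard) entries in the order entered.
Acl = List[Tuple[str, str, str]]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: only bits whose wildcard bit is 0 must be equal."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def expand_octet(base_octet: int, wild_octet: int) -> List[int]:
    """All values of one octet that match base/wildcard (for checking the odd/even trick)."""
    care = ~wild_octet & 0xFF
    return [o for o in range(256) if (o & care) == (base_octet & care)]


def acl_permits(acl: Acl, network: str) -> bool:
    """First matching entry decides; no match means the implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False


def filter_networks(acl: Acl, networks: List[str]) -> List[str]:
    """Networks that survive an inbound distribute-list / route-map using this ACL."""
    return [n for n in networks if acl_permits(acl, n)]


# The three access-lists from the post. A bare host entry is wildcard 0.0.0.0,
# and "permit any" is 0.0.0.0 255.255.255.255.
BLOCK_222: Acl = [("deny", "222.22.2.0", "0.0.0.0"),
                  ("permit", "0.0.0.0", "255.255.255.255")]
ODD_FIRST_OCTET: Acl = [("permit", "1.0.0.0", "254.255.255.255")]
EVEN: Acl = [("deny", "0.0.0.0", "254.255.255.255"),
             ("permit", "0.0.0.0", "255.255.255.255")]

# Constructed from the "before" show ip bgp output: what BB2 sends R2 and what BB3 sends R4.
BB2_NETWORKS = ["205.90.31.0", "220.20.3.0", "222.22.2.0"]
BB3_NETWORKS = ["28.119.16.0", "28.119.17.0", "112.0.0.0", "113.0.0.0",
                "114.0.0.0", "115.0.0.0", "116.0.0.0", "117.0.0.0",
                "118.0.0.0", "119.0.0.0"]


def r2_accepted() -> List[str]:
    return filter_networks(BLOCK_222, BB2_NETWORKS)


def r4_accepted_odd() -> List[str]:
    return filter_networks(ODD_FIRST_OCTET, BB3_NETWORKS)


def r4_accepted_not_even() -> List[str]:
    return filter_networks(EVEN, BB3_NETWORKS)


if __name__ == "__main__":
    print("first octets matched by 23.0.1.0 14.0.0.255:", expand_octet(23, 14))
    print("R2 accepts from BB2:", r2_accepted())
    print("R4 accepts from BB3 (ODD_FIRST_OCTET):", r4_accepted_odd())
    print("R4 accepts from BB3 (EVEN, deny-then-permit):", r4_accepted_not_even())
```

Running it shows that the two R4 solutions are equivalent (both keep only 113, 115, 117 and 119 from BB3, matching the "after" output), and that "23.0.1.0 14.0.0.255" matches first octets 17, 19, 21, 23, 25, 27, 29 and 31. One caveat worth keeping in mind: a standard ACL sees only the network address, never the prefix length, so "deny 222.22.2.0" drops 222.22.2.0 at any mask length, whereas a prefix-list can pin the length with ge/le.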


-------------------------------
 
R2 before the change

Rack1R2#show ip bgp regexp 254$
*> 205.90.31.0      192.10.1.254             0             0 254 ?
*> 220.20.3.0       192.10.1.254             0             0 254 ?
*> 222.22.2.0       192.10.1.254             0             0 254 ?
Rack1R2#

R2 after the change

Rack1R2#show ip bgp regexp 254$
*> 205.90.31.0      192.10.1.254             0             0 254 ?
*> 220.20.3.0       192.10.1.254             0             0 254 ?
Rack1R2#

R4 before the change

 
Rack1R4#show ip bgp
BGP table version is 79, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* i10.0.0.0/22      155.1.13.3               0    100      0 200 i
*>                  155.1.45.5                             0 200 i
*> 10.0.1.0/24      155.1.45.5                             0 i
* i                 155.1.13.3                             0 i
*> 28.119.16.0/24   204.12.1.254             0             0 54 i
*> 28.119.17.0/24   204.12.1.254             0             0 54 i
*> 112.0.0.0        204.12.1.254                           0 54 50 60 i
*> 113.0.0.0        204.12.1.254                           0 54 50 60 i
*> 114.0.0.0        204.12.1.254                           0 54 i
*> 115.0.0.0        204.12.1.254                           0 54 i
*> 116.0.0.0        204.12.1.254                           0 54 i
*> 117.0.0.0        204.12.1.254                           0 54 i
*> 118.0.0.0        204.12.1.254                           0 54 i
*> 119.0.0.0        204.12.1.254                           0 54 i

 
R4 after the change
 
Rack1R4#show ip bgp
BGP table version is 103, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* i10.0.0.0/22      155.1.13.3               0    100      0 200 i
*>                  155.1.45.5                             0 200 i
*> 10.0.1.0/24      155.1.45.5                             0 i
* i                 155.1.13.3                             0 i
*>i28.119.16.0/24   54.1.1.254               0    100      0 54 i
*>i28.119.17.0/24   54.1.1.254               0    100      0 54 i
*>i112.0.0.0        54.1.1.254               0    100      0 54 50 60 i
*> 113.0.0.0        204.12.1.254                           0 54 50 60 i
*>i114.0.0.0        54.1.1.254               0    100      0 54 i
*> 115.0.0.0        204.12.1.254                           0 54 i
*>i116.0.0.0        54.1.1.254               0    100      0 54 i
*> 117.0.0.0        204.12.1.254                           0 54 i
*>i118.0.0.0        54.1.1.254               0    100      0 54 i
*> 119.0.0.0        204.12.1.254                           0 54 i
