7.45 BGP Filtering with Extended Access-Lists
• Modify the filtering configuration in R4 as follows.
• Configure an extended access-list on R4 so that it does not accept any prefixes with even 3rd octet and with a subnet mask greater than /22 from BB3.
• This list should apply directly to the neighbor.
---------------------------------------------------------
Configure R4 with an extended access-list so that none of the prefixes R4 learns from BB3 has an even third octet together with a subnet mask greater than /22:
permit ip 0.0.0.0 255.255.254.255 255.255.252.0 0.0.3.255
---------------------------------------------------------
Extended access-lists add more functionality to BGP prefix filtering. In addition to matching the subnet number, they allow the subnet mask to be matched as well. A typical extended access-list entry in the format
permit {proto} <src-subnet> <src-mask> <dst-subnet> <dst-mask> [options]
is treated as follows.
First, the protocol field and any other options are ignored.
Next, the <src-subnet> <src-mask> pair is used to build an expression that matches the prefix's subnet number.
The <dst-subnet> <dst-mask> pair is used as an expression that matches the prefix's subnet mask.
For example the statement
permit ip 192.168.0.0 0.0.0.255 255.255.255.0 0.0.0.255
would match any prefix with the subnet number in the range 192.168.0.0-192.168.0.255 AND having a prefix length of /24 or greater.
It is possible to use more sophisticated constructs based on the wildcard bits logic, but this usually makes the configuration hard to read and interpret.
permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0 - matches 10.0.0.0/16 - Only
permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0 - matches 10.0.0.0/24 - Only
permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0 - matches 10.1.1.0/24 - Only
permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0 - matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a /24 subnet mask.
permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0 - matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network with a /24 subnet mask.
permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0 - matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the network with a /28 subnet mask.
permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255 - matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octet of the network with a /24 to /32 subnet mask.
permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127 - matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octet of the network with a /25 to /32 subnet mask.
In this scenario, we create a special entry that matches only the prefixes that have an even 3rd octet AND a mask length greater than or equal to 22. The first requirement is met by the source wildcard 255.255.254.255: every bit of the network number is a don't-care except the least significant bit of the 3rd octet, which must be 0 for that octet to be even. The second requirement is accomplished by translating the prefix length of 22 into binary and then into dotted-decimal form: 255.255.252.0. We then construct the wildcard mask that permits the remaining bits to take any value and end up with 255.255.252.0 0.0.3.255, which matches any mask from /22 through /32.
---------------------------------------------------------
no ip access-list extended EVEN_3RD_MASK_GT_22
ip access-list extended EVEN_3RD_MASK_GT_22
deny ip 0.0.0.0 255.255.254.255 255.255.252.0 0.0.3.255
permit ip any any
!
no route-map FROM_BB3
!
router bgp 100
no neighbor 204.12.1.254 route-map FROM_BB3 in
neighbor 204.12.1.254 distribute-list EVEN_3RD_MASK_GT_22 in
---------------------------------------------------------
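To check an entry like the one above before applying it to a neighbor, the following added example (not part of the original post or of IOS) reproduces the matching rules described in this section: the source address/wildcard pair is compared against the prefix's network number, the destination pair against its subnet mask, the protocol is ignored, and the first matching entry wins with an implicit deny at the end. It is then run against the EVEN_3RD_MASK_GT_22 list and prefixes taken from R4's BGP table.

```python
import ipaddress


def _addr_pair(tokens):
    """Consume one address/wildcard pair; 'any' is shorthand for 0.0.0.0 255.255.255.255."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wc = int(ipaddress.IPv4Address(tokens[1]))
    return addr, wc, tokens[2:]


def parse_entry(line):
    """Parse 'permit|deny ip SRC SRC-WC DST DST-WC'; the protocol field is ignored."""
    action, _proto, *rest = line.split()
    src, src_wc, rest = _addr_pair(rest)
    dst, dst_wc, _ = _addr_pair(rest)
    return action, src, src_wc, dst, dst_wc


def wildcard_match(value, pattern, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return (value & ~wildcard) == (pattern & ~wildcard)


def entry_matches(entry, prefix):
    """src/src-wc is checked against the network number, dst/dst-wc against the subnet mask."""
    net = ipaddress.ip_network(prefix, strict=False)
    _, src, src_wc, dst, dst_wc = entry
    return (wildcard_match(int(net.network_address), src, src_wc)
            and wildcard_match(int(net.netmask), dst, dst_wc))


def acl_action(acl_lines, prefix):
    """First matching entry wins; no match means deny, like the IOS implicit deny."""
    for line in acl_lines:
        entry = parse_entry(line)
        if entry_matches(entry, prefix):
            return entry[0]
    return "deny"


# The access-list from this task; the prefixes below are taken from R4's BGP table.
EVEN_3RD_MASK_GT_22 = [
    "deny ip 0.0.0.0 255.255.254.255 255.255.252.0 0.0.3.255",
    "permit ip any any",
]

if __name__ == "__main__":
    for p in ("28.119.16.0/24", "28.119.17.0/24", "112.0.0.0/8", "10.0.0.0/22"):
        print(p, "->", acl_action(EVEN_3RD_MASK_GT_22, p))
```

28.119.16.0/24 (even 3rd octet, /24) is denied while 28.119.17.0/24 and the classful 112.0.0.0/8 pass, which matches the change in R4's table below.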
R4 before the change
Rack1R4#show ip bgp
BGP table version is 127, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i10.0.0.0/22 155.1.13.3 0 100 0 200 i
*> 155.1.45.5 0 200 i
*> 10.0.1.0/24 155.1.45.5 0 i
* i 155.1.13.3 0 i
*> 28.119.16.0/24 204.12.1.254 0 0 54 i
*> 28.119.17.0/24 204.12.1.254 0 0 54 i
*> 112.0.0.0 204.12.1.254 0 54 50 60 i
*> 113.0.0.0 204.12.1.254 0 54 50 60 i
*> 114.0.0.0 204.12.1.254 0 54 i
*> 115.0.0.0 204.12.1.254 0 54 i
*> 116.0.0.0 204.12.1.254 0 54 i
*> 117.0.0.0 204.12.1.254 0 54 i
*> 118.0.0.0 204.12.1.254 0 54 i
*> 119.0.0.0 204.12.1.254 0 54 i
R4 after the change
Rack1R4#show ip bgp
BGP table version is 129, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i10.0.0.0/22 155.1.13.3 0 100 0 200 i
*> 155.1.45.5 0 200 i
*> 10.0.1.0/24 155.1.45.5 0 i
* i 155.1.13.3 0 i
*>i28.119.16.0/24 54.1.1.254 0 100 0 54 i
*> 28.119.17.0/24 204.12.1.254 0 0 54 i
*> 112.0.0.0 204.12.1.254 0 54 50 60 i
*> 113.0.0.0 204.12.1.254 0 54 50 60 i
*> 114.0.0.0 204.12.1.254 0 54 i
*> 115.0.0.0 204.12.1.254 0 54 i
*> 116.0.0.0 204.12.1.254 0 54 i
*> 117.0.0.0 204.12.1.254 0 54 i
*> 118.0.0.0 204.12.1.254 0 54 i
*> 119.0.0.0 204.12.1.254 0 54 i