From: Michael Snyder (msnyder@xxxxxxx)
Date: Fri Aug 10 2001 - 15:06:29 GMT-3
My question begins two pages down, below the transcript of an old thread.
(Darren)
Hi All,
I've been asked a damn good question by a co-worker and I must admit I'm not
exactly sure how to solve it.
Q: Filter BGP advertisements to a neighbour so that only routes that are
/19 or better are advertised WITHOUT using a prefix-list.
A: I know it will be a BGP extended IP access-list using the network/mask
pair but can't figure out the mask section properly.
access-list 100 permit ip 0.0.0.0 255.255.224.0 255.255.224.0 225.255.224.0
Now, I _think_ this means match ANY network where the last 13 bits are all
zero AND the last 13 bits of the netmask are all zeros, but allow more zeros
than the base 13 bits (greater than /19).
Is this correct?
(Bob)
Not sure what you mean by better, but if you want to filter /19 or longer
prefixes from a neighbor
then
access-list 101 deny ip 0.0.0.0 255.255.255.255 255.255.224.0 0.0.31.255
access-list 101 permit ip any any
router bgp xx
neighbor y.y.y.y remote-as zz
neighbor y.y.y.y distribute-list 101 in
(Bob)
Actually, that's right; it depends on what you mean, Darren. Is "better"
longer or shorter? "Better" could be a more specific route. But "better"
could be a larger summary. It's just that I can't find a reason why you would want
to get /19 routes. ISPs usually want larger summaries. That's why this
should be correct:
access-list 100 permit ip 0.0.0.0 255.255.224.0 255.255.224.0 225.255.224.0
You basically want the least significant 13 bits (last 13 bits) of the mask
to be 0's. So these masks would match:
255.255.224.0
255.255.192.0
255.255.128.0 and so on...
But this one wouldn't: 255.255.240.0
my 2 cents
(Roman)
Just so I can develop a clearer understanding of these types of
access-lists, wouldn't
access-list 101 deny ip 0.0.0.0 255.255.224.0 0.0.0.0 255.255.224.0
do the same thing as
access-list 100 permit ip 0.0.0.0 255.255.224.0 255.255.224.0 225.255.224.0
(nobody)
you are correct, that's the same thing. If you show run that's how it will
show up:
access-list 101 deny ip 0.0.0.0 255.255.224.0 0.0.0.0 255.255.224.0
-----------------------------------------------------------------------------------
Part #1
Let's take a step back here. More importantly, let's stop using numbers.
In a normal extended access, we have two pieces of data (discounting port
numbers) from the ip packet header.
Source IP; let's call it SA.SB.SC.SD
Destination IP; let's call it DA.DB.DC.DD
Let me point out this is flat data, Source IP and Destination IP have no
effect on each other from the view point of the access list. Also that
these are just numbers, you can convert any a.b.c.d address to a large
decimal number.
Ok, now for the extended access list.
access-list permit ip A1.B1.C1.D1 W1.I1.L1.D1 A2.B2.C2.D2 W2.I2.L2.D2
Without going into binary and logical operands too much, let's say any
a.b.c.d w.i.l.d will convert to either a range of numbers or a set of ranges
of numbers.
Where
a.b.c.d=first number of range
and
a.b.c.d XOR w.i.l.d = last number of range
So when a router is checking a source ip and a destination ip against an
extended access list, it basically is doing two operations:
Operation one: Is SA.SB.SC.SD within the range or set of ranges represented
by A1.B1.C1.D1 W1.I1.L1.D1
If true, then
Operation two: Is DA.DB.DC.DD within the range or set of ranges represented
by A2.B2.C2.D2 W2.I2.L2.D2
If both are true then the packet is permitted.
-----------------------------------------------------------------------------------
Part #2
Now, BGP extended IP access-lists look like normal extended lists. I'm
assuming that because we are comparing routes against the access list, the
two things that must be being used are the network of the route and the
subnet mask of the route.
access-list permit ip A1.B1.C1.D1 W1.I1.L1.D1 A2.B2.C2.D2 W2.I2.L2.D2
So instead of
Source IP;
Destination IP;
We have
Network IP; let's call it A.B.C.D
Route Mask; let's call it M.A.S.K
Note, that the route a.b.c.d, m.a.s.k is no longer a flat linear number.
Together they are a range of numbers
I would guess that the first of the two operations remains the same.
Operation one: Is route network ip A.B.C.D within the range or set of
ranges represented by A1.B1.C1.D1 W1.I1.L1.D1
If true, then
Operation two: Is M.A.S.K of the A.B.C.D route ????????????????????? by
A2.B2.C2.D2 W2.I2.L2.D2
I am sorry for using groupstudy bandwidth for asking something everyone
seems to understand, but I have three questions.
Q1. Is the second piece of data being processed against the access list in
fact the mask of the route? I think it's safe to assume it is.
Q2. What is the nature of operation two? Less than, greater than, AND,
OR, XOR, within, match, inclusive, exclusive all come to mind. Because a
mask has little meaning by itself (it's mainly an offset, used to find the
upper limit of a range of numbers), I'm having trouble wrapping my mind
around how a result of operation two could be true or false.
Q3. Do Operation One and Operation Two affect each other, other than that
Operation One has to be true before Operation Two is checked?
Thanks for your time in reading this. Thanks in advance to anyone who can
shed some light on Question 2.
Testing an offset against another offset really puzzles me.
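An added example, not part of the thread, that models how IOS applies an extended access-list to a BGP route when it is used as a distribute-list: operation one is the usual wildcard comparison against the route's network, and operation two is that same wildcard comparison applied to the route's subnet mask (which answers Q1 and Q2 above). The ACL lines are Bob's and Darren's from the thread, the routes 10.1.0.0/16, 10.1.32.0/19 and 10.1.16.0/20 are constructed test inputs, and Darren's 225.255.224.0 is taken here as a typo for 255.255.224.0.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF
def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def masked_equal(value, base, wildcard):
    """Cisco wildcard test: a set bit in the wildcard means 'don't care'."""
    care = ALL_ONES & ~wildcard
    return (value & care) == (base & care)

def canonical(base, wildcard):
    """What 'show run' prints: address bits under don't-care wildcard bits are zeroed."""
    return str(ipaddress.IPv4Address(base & ALL_ONES & ~wildcard))

def _pair(tokens):
    """Consume one address/wildcard pair; 'any' is 0.0.0.0 255.255.255.255."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    return _to_int(tokens[0]), _to_int(tokens[1]), tokens[2:]

def parse_ace(line):
    """'access-list N permit|deny ip SRC WC DST WC' -> (action, src, wc1, dst, wc2)."""
    tokens = line.split()
    src, wc1, rest = _pair(tokens[4:])
    dst, wc2, _ = _pair(rest)
    return tokens[2], src, wc1, dst, wc2

def route_action(acl, prefix):
    """First matching entry wins: 'source' pair vs the network, 'destination' pair vs the mask."""
    net = ipaddress.IPv4Network(prefix)
    network, mask = int(net.network_address), int(net.netmask)
    for action, src, wc1, dst, wc2 in acl:
        if masked_equal(network, src, wc1) and masked_equal(mask, dst, wc2):
            return action
    return "deny"  # implicit deny at the end of every ACL

# Bob's list: deny /19 and longer, let larger summaries through
ACL_BOB = [parse_ace(l) for l in (
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 255.255.224.0 0.0.31.255",
    "access-list 101 permit ip any any")]
# Darren's entry, with the thread's 225.255.224.0 taken as a typo for 255.255.224.0:
# permit only routes aligned to a /19 boundary whose mask is /19 or shorter
ACL_DARREN = [parse_ace(
    "access-list 100 permit ip 0.0.0.0 255.255.224.0 255.255.224.0 255.255.224.0")]

if __name__ == "__main__":
    for p in ("10.1.0.0/16", "10.1.32.0/19", "10.1.16.0/20"):
        print(p, route_action(ACL_BOB, p), route_action(ACL_DARREN, p))
```

canonical() also shows why "nobody" is right that the router stores Darren's `255.255.224.0 255.255.224.0` pair as `0.0.0.0 255.255.224.0`: the wildcard's don't-care bits are cleared from the address before it is saved.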
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:48 GMT-3