From: tan (tan@dia.janis.or.jp)
Date: Thu Feb 20 2003 - 09:31:54 GMT-3
The filter was an extended ACL, but with "any" in the second part, so the
route's mask is ignored. So, if you received the route in A below, and the
permit statement is B, /23 would match just as /24 or /25, /26...

A 172.12.00001010.0 (mask doesn't matter, including /23, because ignored by acl)
B 172.12.00001010.0 0.0.0.255

172.12.10.0/23 is a valid route and the permit 172.12.10.0 0.0.0.255 matches
it.

The only reason shorter masks than /23 don't count is because the advertising
router would never send such a route out, not because of the access list.
Such a route would have bits on in the host portion, and this is not allowed
with a route table entry.

> -----Original Message-----
> From: Herve Bruyere [mailto:hbruyere@cisco.com]
> Sent: Thursday, February 20, 2003 5:44 PM
> To: tan
> Cc: 'balaji.balakrishnan'; ccielab@groupstudy.com
> Subject: Re: BGP route filter
>
> tan wrote:
> >>>deny ip 172.12.10.0 0.0.0.255 any
> >>
> >>
> >>matches 172.12.10.0/24 /25 /26 /27 ....
> >
> >
> > I think this would also match the /23 of same prefix as well.
>
>
> Why /23? We say 172.12.10.x with all the masks that can cover "x"...
>
> >>-----Original Message-----
> >>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Herve Bruyere
> >>Sent: Wednesday, February 19, 2003 7:16 PM
> >>To: balaji.balakrishnan
> >>Cc: ccielab@groupstudy.com
> >>Subject: Re: BGP route filter
> >>
> >>
> >>balaji.balakrishnan wrote:
> >>
> >>>Hi Group,
> >>>
> >>>This is about using extended access-list to filter bgp routes instead of
> >>>prefix-list. For example, if you want to permit only 10.132.0.0/16 and
> >>>filter more specific routes, I believe the access-list should be
> >>>
> >>>permit ip 10.132.0.0 0.0.255.255 host 255.255.0.0
> >>>
> >>>But, can anyone explain to me how to interpret the following
> >>>access-list entries,
> >>
> >>
> >>In my opinion:
> >>
> >>
> >>>permit ip 10.0.0.0 0.255.255.255 host 255.255.255.255
> >>
> >>matches all 10.x.x.x routes having /32 mask
> >>
> >>
> >>
> >>>permit ip host 172.12.10.208 host 255.255.255.252
> >>
> >>matches 172.12.10.208/30
> >>
> >>
> >>>deny ip 172.12.10.0 0.0.0.255 any
> >>
> >>
> >>matches 172.12.10.0/24 /25 /26 /27 ....
> >>
> >>
> >>
> >>
> >>>Rgds,
> >>>Bala.
> >>>
> >>
> >>-
> >
> >
>
> --
> Herve Bruyere
> Customer Support Engineering
> Cisco Systems
> Phone : +32(0)2 704 5765
> e-mail: hbruyere@cisco.com
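
An added example, not part of the original thread: a small Python model of the interpretation discussed above, in which the first address/wildcard pair of the extended ACL entry is compared with the route's network address and the second pair with its netmask. The function names are hypothetical and the routes fed to it are constructed from the prefixes quoted in the thread.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_operand(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF          # every bit is "don't care"
    if head == "host":
        return _ip(tokens.pop(0)), 0  # every bit must match
    return _ip(head), _ip(tokens.pop(0))

def parse_ace(line):
    """Parse '<permit|deny> ip <source operand> <destination operand>'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if proto != "ip":
        raise ValueError("only 'ip' entries are modelled")
    return action, parse_operand(tokens), parse_operand(tokens)

def wild_match(value, operand):
    address, wildcard = operand
    care = ~wildcard & 0xFFFFFFFF     # bits where the wildcard is 0
    return (value & care) == (address & care)

def ace_matches(line, route):
    """True if the entry matches the route: source pair against the network
    address, destination pair against the netmask."""
    net = ipaddress.IPv4Network(route)  # strict: host bits set -> ValueError
    _, src, dst = parse_ace(line)
    return (wild_match(int(net.network_address), src)
            and wild_match(int(net.netmask), dst))

def is_valid_route(route):
    """A route table entry may not have bits on in the host portion."""
    try:
        ipaddress.IPv4Network(route)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    ace = "deny ip 172.12.10.0 0.0.0.255 any"
    for route in ("172.12.10.0/23", "172.12.10.0/24", "172.12.10.128/25"):
        print(route, ace_matches(ace, route))
    print("172.12.10.0/22 valid route?", is_valid_route("172.12.10.0/22"))
```
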
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:31 GMT-3