400-101 CCIE Routing and Switching 108 IPExpert BGP Filtering Using ACL and Prefix Lists

Captions
[Music] Let's modify this outbound filter here. So this filter here that we have on R4, I want it to be configured so that in the outbound direction it advertises loopback 0 of R9 and loopback 0 of R1 and R4 (that uses a prefix list), and advertises loopback 103, this network 103 that we have configured here, and uses an access list for that feature. Makes sense? So what I want to do is modify this outbound filter on R4 to advertise only the loopbacks of R1 and R9, and for that purpose I want to use the prefix list. You can use multiple prefixes or one prefix, it doesn't matter, but for loopback 103 you need to use the access list.

Now let's write that filter. So we already have a filter in place. Now I cannot have more than one route map added here, but I can add distribute lists, I can add prefix lists, I can add other stuff, but then I have to worry what the order of preference is, what the order is in which they are processed. So now I'm going to use the route map, so let's say here that the restriction was "use the outbound route map". Now let's create that prefix list that we need, so it is going to be ip prefix-list, then let's call it R4-R9, permit, and it's going to be 192.168.0.1/32 and it's going to be 192.168.0.9/32. So this prefix list will cover that. Then I'm going to have another route map entry, so this was here, let's say permit 10, and then I'm going to have permit 20 and I'm going to say match ip prefix list, match ip address for this prefix list R4-R9. Okay, so let's see what happens when I apply this on R4. So if I go to my R4 now and I say clear ip bgp * soft out, if I go to R1, show ip bgp, this is the list of routes that I'm receiving. Okay, I'm receiving this, which is what I wanted to receive, and I'm receiving this, which is what I wanted to receive, and I'm receiving this, but why am I getting these routes? Oh, they might be stale routes. You know what, let me just clear the BGP, so I'm now hard clearing the BGP, and if I do show ip bgp they are back in.

Why are these routes back in? That is interesting. Why is this routing... well, these are the routes that I don't want. Well, the problem lies in my route map, because take a look at what my route map does. It says: route map, basically match everything, set community additive. Now, if you have a match in a route map, the processing of the route map ends at that point. That means that this entry here will never actually be touched, it will never be hit. So I do have an option here to take this and copy-paste it multiple times in my route map, every time I need it, or I can actually use an interesting feature of the route map, which is continue. Now, with the continue keyword, what I'm telling my IOS is: if you match this entry, instead of exiting the processing, you know what, carry on. And in this case I'm going to have a match for these two. I'm going to add an access list later on, but for now I just want to show you this behavior. But now what's going to happen at the end, there is going to be that implicit deny. So let's see if this changes the behavior in any way. So if I go to R4 here and if I simply add this continue keyword, let's clear the session again on R1... okay, maybe that was a bit too much. Let me see, 192.168... oh, it's actually 4 and 1, not... I used the wrong one, so let me correct that. But that shouldn't be the problem. Let me just quickly correct that, so it's 4 here, and let me see, there we go. So... well, we still have the same problem. What did I do wrong? Let me take a look. Now the troubleshooting master needs to troubleshoot his own mess. show run | section, let's see what I did wrong. So I'm saying match everything, continue, and here I'm matching this address prefix. So what I need here now is actually... I need... let's see if this will help, maybe this is not doable the way I wanted. This is the first time I'm actually doing this example. So let's do it like this: clear ip bgp soft in, that should work, maybe. clear ip bgp * out... ah, much better, yes, that was it. I needed to clear it. I was pretty sure this was going to work, so I just needed to clear it from R4.

So now this is what happened. So let me explain what is going on right now. So going to my Notepad here, what is happening is, hopefully you can see my mouse, what is happening is we have this first route map entry and here we are matching everything. So this route map entry will match everything; we are going to set community internet additive on all routes, as required by the previous task. Then we are going to say, instead of just exiting the processing because we had a successful match, let's just continue with the processing, and here we are now hitting this match, this prefix list. So if I have these two routes (actually we changed this one, so it will fix it), so if we have these two routes present, allow them, but then we are simply going to exit processing at the next route map entry. So all other routes that were actually permitted by this entry are now being explicitly denied. So in a sense, with this solution here we are only allowing these two routes to be advertised, and if we take a look, these are the only two routes that we are actually receiving. This route here, this is our local one, there is nothing we can do about this route, but these are the only two that are being allowed. So this takes care of the first part of the task. It takes care of this part here, advertise the loopback of... sorry, there was a tiny little error here, so this is not R1, it should be R4: loopback of R9 and R4 to R1, use the prefix list. Check.

Now loopback 103, we have to use an access list there. So going back to our Notepad here, what we need to do is add a route map entry here, so R1-OUT, let's say permit 20... 30, and I'm going to say match ip address, so this needs to be an access list. So let's add that one access list. So I'm going to say access-list, let's say 1, permit, what I need here is 10.0.103.0, and let's say, because it's a /24, I want to use this wildcard mask. Okay, so here I'm going to match ip address 1. So let me add this to our configuration. So if I add this to R4 and again I do clear ip bgp * soft out, what I'm getting now is... oops, okay, maybe I need to clear it again. Why did these routes suddenly leak in? This is just pretty annoying, I have to admit. This is not expected, this is not exactly what I'm expecting to see. So... oh, did I forget to add the access list? Oh yes, oh yes, I forgot to add the access list, that's right. I just copied the route map, so, oh yeah, so I'm basically matching everything. Yeah, my bad. Okay, see, it can happen to anyone. So let's add... nope, not here, let's add the access list. Ah, very good. I was just about to declare a bug, and you see how easy it is to declare your own mistake a bug in IOS. A simple oversight: I had it here in Notepad, I typed it, and I was thinking okay, I typed out the access list, of course it's there, but when I copied into the terminal this was the only thing that I copied, so it basically matches everything. So let's take a look at this now. Oh, much better. But now, so basically what I'm having is this network here and I'm having this.

Now let me go to R9 and do something that I have not been asked to do, but I'm going to need it now just to show you a problem, why this solution that I just implemented is actually an incorrect solution. So I'm going to go to R9. I have not been asked to do this, but this is just a test. So I'm going to go here and I'm going to go to router bgp 900, address-family ipv4, and I'm going to say redistribute static. Now there are no static routes yet, but I'm just going to add one, so I'm going to say ip route 10.0.103.128... so I'm going to create a null route for 10.0.103.128/25. Now if I do show ip bgp, this route is now being injected into our BGP. If I go to R4, if I do show ip bgp, I am now seeing this route in my BGP table. If I go to R1, show ip bgp, take a look at this: this route now made it through.

Now my task here was very explicit: advertise loopback of R9, loopback of R4 and loopback 103, use the prefix list here and use the access list here. Now, does this route, the highlighted route, match any of those routes that I'm supposed to match? No, it doesn't. This is the route that was installed there just for testing purposes, and it actually breaks the requirements. The problem is here in this access list. So with this access list, what I'm telling my router is: advertise this network that matches this matching pattern, that matches this wildcard mask, and here I'm telling it, because all the bits in the first three octets are zero, that means that the first three octets must match exactly, but the fourth octet I don't care about. Why? Because all the bits in the fourth octet are set to one, so whatever is here in the fourth octet, I don't care about. Okay, so I know how to fix this. Instead of using this access list I'm going to use this access list, so now this network here must match exactly. Let's give this a try. So I'm going to go to R4, going to add this access list, and instead of using access list 1 I'm going to use access list 2 in this route map. So let's clear the BGP process and let's go to R1. If I do show ip bgp: success, that /25 route is now gone.

Okay, let me try one more thing. So on R4 now, or actually let's do it on R1, I'm going to add one more static route. Let's say... well, this is going to be a tricky one, because 103 here, hmm, how can I show you this? This is a completely wrong network for this. I needed something that is even-numbered, because now what I'm trying to do is, I need a supernet of this, I need something that is larger than /24, but with 103 I cannot do it. So for this particular case it works. Let's add another task: I want to add another loopback here, loopback 104 on R9, and I want this to be 10.0.104.0/24, and I want this to be allowed as well. There are no restrictions on this loopback, simply just advertise it. So for 103 this access list here worked; so for loopback 104, use an ACL as well.

Okay, so let me add that. So on R9, interface loopback 104, ip address 10.0.104.0... actually I need to give it an IP address, sorry about that. It's good that I made this mistake, because I can actually use this in a second. So router bgp 900, address-family ipv4, network... I can use this now. There we go. So if I go to R4, show ip bgp, I should be getting this /24, but right now it is not being advertised because we don't have the route map entry for it. So let's fix that. Let's add entry 40, and here let's say match ip address 10. So I'm going to add access-list 10 permit 10.0.104.0. We learned from the previous mistake, so I'm just going to add it like this. So this access list goes on R4 and this route map entry 40 goes in here. clear ip bgp * soft out. If I go to R1, there is our network 104. Success.

Let me go back to R9, and now what I'm going to do is I'm going to say ip route... actually, let me be even more creative. So router bgp 900, address-family ipv4, I'm going to say aggregate-address /16... actually not /16, can't do that, let's do /22. So now if I do show ip bgp I will see that here I have two 104 networks: one is 10.0.104.0/24 and the other one is 10.0.104.0/22. So these parts of the network (and this is why I needed an even-numbered one) are exactly the same. So if I go to R4, if I do show ip bgp, here are my two networks, one is /24, the other one is /22. If I go to R1, here are my two networks: /24, which I'm supposed to have in my table, and 104/22, which I'm not supposed to have. So how do I fix this problem? Mind you, I have to use an access list. Now, if this was a requirement to use a prefix list here, this would have been just fine, I would have used the prefix /24 and I'm done. But with an access list, what's the problem here? Well, the problem is that with an access list, with the standard access list, you cannot match the netmask. As we have seen here, this is not an inverted netmask; this basically tells me which bits from the actual network part I care about, but it doesn't talk about the prefix length. I can match the prefix, or the range of prefixes, or even odd prefixes, those that have bit number 6 set or not set; this is what the wildcard mask does. But what I cannot do, I cannot match the prefix length. I cannot say that this is a /24, not with the standard access list.

But when used in the context of BGP filters, and there is only one other case, so let me emphasize this: what's coming up next is available only when you are using an extended access list for BGP filtering and for IS-IS level 2 to level 1 route leaking. In no other cases can you use access lists in this fashion. So this feature that I'm going to show you now works only, as far as you are concerned, for BGP filtering. So, that said... oh, did I mention that this works only in BGP? This thing that is coming up, that works only in BGP, is a special feature of extended access lists where you can use the destination part. So what is coming up now: what we usually have here is the source address and source mask; what is coming up next is usually the destination address and destination wildcard mask. So you can use the destination part to actually match the netmask. So when you do BGP filtering, whatever is the source part of the IP address is going to match against the prefix, whatever is the destination part will be matched against the netmask. Now, I'm using all zeros here because my netmask must be /24, but I can do something like this, in which case I'm telling my router that it should match 10.0.104.0 exactly and then the netmask should be a subnet of that /24. Why? Because these bits here need to match exactly, but I don't care what is in the last part. So if I use this, I'm going to have a very unusual effect. Let me show you that. So instead of access list 10 here I'm going to use access list 100, and let me paste this access list 100 on R4, and let me paste this in and then clear ip bgp * soft out.

So if I go to R1, what I'm having now is my /24 network, which is exactly what I wanted. But take a look at this. I want to go to R9 and I'm going to say ip route 10.0.104.128... okay, let's see if it was already... it might take a little bit. There it is, 104.128. Oh, sorry, sorry, of course this won't work. So this route now, even though... okay, case in point. So this route now, 104.128/25, we can see that it is now on R4, but if I take a look at R1 it's not actually making it into the routing table. Why? And this is expected, I just wasn't thinking straight, because this part here needs to match exactly, so I need to have this 0 here, this 0 must match exactly. But if I go to R9 and I create, for example, this route, so show ip bgp, so this route now is /25 but it has 0 here. When I go to R1, this route has made it through. Why did it make it through? Because I'm telling this router that this part here must match exactly, but I don't care what is in the last octet of the mask, so it could be 10.0.104.0/24, /25, /26, /27, up to /32, that's fine, but if I have 128 here, that won't make it through. So if I want this to be truly all subnets of that /24, I can do something like this. So let's try this access list here. So if I paste this in and use access-list 101, now what I will have in my R1, you will see that I have all the subnets of the 104 network. But this doesn't solve my task; my task says that one network exactly. So to make that work, let's use the access list 104: this needs to match exactly and this needs to match exactly. So this will be what goes in R4 here, and the route map needs to be 104. So now if I clear the route, what I will have in my R1 is just 104/24.

So if you are asked to use access lists for BGP filtering, this is something that you should know how to do, and I know that this may look very, very complex and very, very unusual. Trust me when I tell you, once you get the logic of how this works, once you have actually watched this explanation maybe one or two more times, you will realize that using access lists for BGP filtering is actually more powerful than using prefix lists, because you can actually do more stuff with access lists than you can with prefix lists.

The question I have is: if in the lab we come up with a situation in which there is a problem in the order in which the route map is being processed, is it better to use the continue statement or to actually reorder the route map? My recommendation is to reorder the route map. The continue statement is really just a gimmick that has very limited use. I've shown it to you just so you can see how you can, you know, if you carefully plan the use of it, you can use it. But my recommendation is, unless you are restricted from reordering the route map and you think that's the problem, just reorder the route map. You are going to be far more in control with that than you would be using the continue statement.
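What the video walks through on the routers, written up as an added Python model (this is not code from the video or from IPExpert): how a prefix list, a standard ACL and an extended ACL each decide whether a BGP prefix matches, and how a route map with the continue keyword runs through its entries and falls to the implicit deny. The exact ACL lines, the route-map name R1-OUT, the loopback addresses 192.168.0.4/32 and 192.168.0.9/32 and the BGP table are my reconstruction from the speaker's description or constructed input, not taken from the video's screen. The model also goes a little beyond the video by running the same filters over a few extra prefixes (a /25 under 10.0.104.0 and a stray 172.16.0.0/16) so that each filter's leak is visible in one run.

```python
# Added example, not code from the video or from IPExpert: a plain-Python model of
# how IOS evaluates the three filter types the video uses (prefix list, standard
# ACL, extended ACL) and how a route map with 'continue' walks its entries.
# ACL entries, loopback addresses and the BGP table are assumed/constructed.
import ipaddress
from functools import partial

def _a(dotted):
    return int(ipaddress.IPv4Address(dotted))  # dotted quad to integer

def _wc_match(value, pattern, wildcard):
    """Cisco wildcard comparison: a 1 bit in the wildcard means 'don't care'."""
    return (value ^ pattern) & ~wildcard & 0xFFFFFFFF == 0

def std_acl_permits(entries, route):
    """Standard ACL as a BGP filter: only the network address is compared with
    (address, wildcard); the prefix length is never examined, which is why
    10.0.104.0/22 slips through 'permit 10.0.104.0 0.0.0.0'."""
    net = int(route.network_address)
    return any(_wc_match(net, _a(p), _a(w)) for p, w in entries)  # else implicit deny

def ext_acl_permits(entries, route):
    """Extended ACL as a BGP filter: the 'source' address/wildcard is tested against
    the prefix, the 'destination' address/wildcard against the netmask."""
    net, mask = int(route.network_address), int(route.netmask)
    return any(_wc_match(net, _a(s), _a(sw)) and _wc_match(mask, _a(d), _a(dw))
               for s, sw, d, dw in entries)

def prefix_list_permits(entries, route):
    """ip prefix-list: the route must lie inside the entry and its length must be
    within [ge, le]; with neither keyword only the exact length matches."""
    for prefix, ge, le in entries:
        p = ipaddress.ip_network(prefix)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else lo
        if route.subnet_of(p) and lo <= route.prefixlen <= hi:
            return True
    return False

def run_route_map(clauses, route):
    """clauses: (seq, action, match_fn, set_fn, continue_flag). Without 'continue'
    the first matching clause decides; with it the later clauses still run, and a
    route none of them matches falls to the implicit deny (as seen in the video)."""
    attrs = {"community": []}
    for _seq, action, match, apply_set, cont in sorted(clauses, key=lambda c: c[0]):
        if not match(route):
            continue
        if action == "deny":
            return False, attrs
        if apply_set:
            apply_set(attrs)
        if not cont:
            return True, attrs
    return False, attrs

# Filters from the video (entry text assumed from the speaker's description).
PREFIX_LIST_R4_R9 = [("192.168.0.4/32", None, None), ("192.168.0.9/32", None, None)]
ACL_1 = [("10.0.103.0", "0.0.0.255")]  # standard: any 10.0.103.x address
ACL_2 = [("10.0.103.0", "0.0.0.0")]    # standard: exact address, mask still ignored
ACL_10 = [("10.0.104.0", "0.0.0.0")]   # standard: also lets 10.0.104.0/22 through
ACL_100 = [("10.0.104.0", "0.0.0.0", "255.255.255.0", "0.0.0.255")]    # exact prefix, /24../32
ACL_101 = [("10.0.104.0", "0.0.0.255", "255.255.255.0", "0.0.0.255")]  # every subnet of the /24
ACL_104 = [("10.0.104.0", "0.0.0.0", "255.255.255.0", "0.0.0.0")]      # exactly 10.0.104.0/24

def r1_out(use_continue, match_103, match_104):
    """Route map R1-OUT as built in the video: seq 10 matches everything and sets
    the community, 20 permits the R4/R9 loopbacks via the prefix list, 30 and 40
    permit loopback 103 / 104 through whichever ACL matcher the caller supplies."""
    def set_internet(attrs):
        attrs["community"].append("internet")  # 'set community internet additive'
    return [
        (10, "permit", lambda r: True, set_internet, use_continue),
        (20, "permit", partial(prefix_list_permits, PREFIX_LIST_R4_R9), None, False),
        (30, "permit", match_103, None, False),
        (40, "permit", match_104, None, False),
    ]

def advertised(clauses, routes):
    """Routes (as strings) that R4 would send to R1 under the given route map."""
    return [str(r) for r in routes if run_route_map(clauses, r)[0]]

# Constructed R4 BGP table: loopbacks, the test routes R9 injects, one stray route.
ROUTES = [ipaddress.ip_network(s) for s in (
    "192.168.0.4/32", "192.168.0.9/32", "172.16.0.0/16",
    "10.0.103.0/24", "10.0.103.128/25",
    "10.0.104.0/24", "10.0.104.0/22", "10.0.104.0/25", "10.0.104.128/25")]

def demo():
    """The three stages the video walks through, as the route lists R1 receives."""
    std = partial(std_acl_permits, ACL_1), partial(std_acl_permits, ACL_10)
    return {
        "no_continue": advertised(r1_out(False, *std), ROUTES),
        "std_acls": advertised(r1_out(True, *std), ROUTES),
        "final": advertised(r1_out(True, partial(std_acl_permits, ACL_2),
                                   partial(ext_acl_permits, ACL_104)), ROUTES),
    }

if __name__ == "__main__":
    for stage, routes in demo().items():
        print(f"{stage:12s} {routes}")
```

Running the block prints the three stages: with no continue on entry 10, every route is permitted by the first clause; with continue and the standard ACLs, 10.0.103.128/25, 10.0.104.0/22 and 10.0.104.0/25 leak through because a standard ACL never inspects the mask; with access list 2 and the extended access list 104 only the four intended prefixes remain. The extended entries 100 and 101 reproduce the speaker's detour: 100 admits 10.0.104.0/25 but not 10.0.104.128/25, and 101 admits every subnet of the /24 while still rejecting the /22 aggregate.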
Info
Channel: Networking Lessons
Views: 727
Keywords: configrouter.com, Cisco, Cisco Networking Videos, Cisco Networking
Id: 0JNc5AGynko
Length: 27min 9sec (1629 seconds)
Published: Thu Oct 12 2017