bgp and extended access-list

Answered Question
Apr 5th, 2007

hi

i am having difficulty understanding the following:

please consider the configuration as under:

routerA(config) access-list 1 deny 198.198.198.0 0.0.0.255

access-list 1 permit any

routerA(config-router) neighbor 1.1.1.1 remote-as 20

neighbor 1.1.1.1 distribute-list 1 out

------------------------------------------------


the above configuration will cause router A not to send any update about 198.198.198.0 to neighbor 1.1.1.1

so the network number specified in access-list 1 will be checked against the network being advertised in the update. in case of a match, the specified action (deny or permit) will be carried out.

correct me please if i am wrong

second scenario:

routerA(config)access-list 102 deny ip 198.198.198.0 0.0.0.255 168.168.168.0 0.0.0.255

router A(config-router)neighbor 1.1.1.1 distribute-list 102 out

now which network number is being checked against the network number in the update? is it 198.198.198.0 or 168.168.168.0?

thanks


brispin Wed, 04/11/2007 - 10:19

Your first part of understanding is right. In the second part, if the source is 198.198.198.0 and the destination is the 168.168.168.0 network, it will not be sent out.

Correct Answer
mheusinger Tue, 04/24/2007 - 08:56

Hi,


Afaik the behaviour is different. Remember this ACL describes routing updates and not IP packets crossing an interface. As such, a routing update consists of a network and a mask. The first section in the ACL describes the network and the second section the mask portion of a routing update. ACL 102 thus describes networks within 198.198.198.0 0.0.0.255 with a mask in the range from 168.168.168.0 to 168.168.168.255, which obviously does not make any sense in a normal routing environment.


So a working example would be:

routerA(config)access-list 102 deny ip 198.198.198.0 0.0.0.255 host 255.255.255.255

routerA(config)access-list 102 permit ip any any

This would not announce any host route (/32) in the range from 198.198.198.0 to 198.198.198.255 but everything else.


Hope this helps! Please rate all posts.


Regards, Martin
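To make the matching rule from Martin's answer concrete, here is an added Python example (written for this edit; it is not code from the thread or from Cisco) that models how IOS applies a distribute-list ACL to a route: a standard ACL is compared with the network address only, while in an extended ACL the first address/wildcard pair is compared with the network address and the second pair with the subnet mask. The first matching entry wins and every ACL ends with an implicit deny. The ACL lines are the ones from the thread; the prefixes fed through them and the function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": every bit is a don't-care bit


@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    net: str       # compared with the route's network address
    net_wc: str    # wildcard for the network comparison
    mask: str      # compared with the route's subnet mask (extended ACL only)
    mask_wc: str   # wildcard for the mask comparison


def _wildcard_match(value: int, base: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must match exactly."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (base & care)


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _take_address(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address clause: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare 'A.B.C.D'."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) >= 2 and _is_ipv4(tokens[1]):
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]  # a lone address means wildcard 0.0.0.0


def parse_ace(line: str) -> AclEntry:
    """Parse one 'access-list N {permit|deny} ...' line (standard or extended 'ip' form)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    action = tokens[2]
    if tokens[3] == "ip":  # extended ACL: network clause first, then mask clause
        net, net_wc, rest = _take_address(tokens[4:])
        mask, mask_wc, _ = _take_address(rest)
    else:                  # standard ACL: network clause only, any mask
        net, net_wc, _ = _take_address(tokens[3:])
        mask, mask_wc = ANY
    return AclEntry(action, net, net_wc, mask, mask_wc)


def route_permitted(acl: Iterable[AclEntry], prefix: str) -> bool:
    """Decide whether a prefix passes the distribute-list; first match wins, implicit deny at the end."""
    route = ipaddress.IPv4Network(prefix, strict=True)
    net_int, mask_int = int(route.network_address), int(route.netmask)
    for e in acl:
        net_hit = _wildcard_match(net_int, int(ipaddress.IPv4Address(e.net)),
                                  int(ipaddress.IPv4Address(e.net_wc)))
        mask_hit = _wildcard_match(mask_int, int(ipaddress.IPv4Address(e.mask)),
                                   int(ipaddress.IPv4Address(e.mask_wc)))
        if net_hit and mask_hit:
            return e.action == "permit"
    return False  # implicit deny: nothing matched, so the update is suppressed


def filter_updates(acl_lines: Iterable[str], prefixes: Iterable[str]) -> Dict[str, bool]:
    """Return {prefix: advertised?} for a list of ACL lines and candidate routes."""
    acl = [parse_ace(line) for line in acl_lines]
    return {p: route_permitted(acl, p) for p in prefixes}


# ACLs from the thread (the second ACL 102 is the poster's single deny line; the third is Martin's fix)
ACL_1 = ["access-list 1 deny 198.198.198.0 0.0.0.255", "access-list 1 permit any"]
ACL_102_AS_POSTED = ["access-list 102 deny ip 198.198.198.0 0.0.0.255 168.168.168.0 0.0.0.255"]
ACL_102_FIXED = ["access-list 102 deny ip 198.198.198.0 0.0.0.255 host 255.255.255.255",
                 "access-list 102 permit ip any any"]
# Constructed candidate routes, not from the thread
ROUTES = ["198.198.198.0/24", "198.198.198.128/25", "198.198.198.9/32", "10.0.0.0/8"]

if __name__ == "__main__":
    for name, acl in (("ACL 1", ACL_1), ("ACL 102 as posted", ACL_102_AS_POSTED), ("ACL 102 fixed", ACL_102_FIXED)):
        print(name, filter_updates(acl, ROUTES))
```

Running it shows the three behaviours side by side: ACL 1 suppresses every prefix inside 198.198.198.0/24 regardless of length; the posted ACL 102 suppresses everything, because its deny entry can never match a real subnet mask and the implicit deny then catches every update; Martin's version suppresses only the /32 host routes from that range and lets the /24 and /25 through.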
