- Configure an extended access-list on R4 so that it does not accept any prefixes with even 3rd octet and with a subnet mask greater than /22 from BB3.
- This list should apply directly to the neighbor.
Extended access-lists add more functionality to BGP prefix filtering. In addition to matching the subnet number, they allow matching on the subnet mask as well. A typical extended access-list entry in the format
permit {proto} <src-subnet> <src-mask> <dst-subnet> <dst-mask> [options]
is treated as follows when it is applied to a BGP neighbor with a distribute-list. First, the protocol field and any other options are ignored. Next, the <src-subnet> <src-mask> pair is used as an expression to match the prefix's network address. The <dst-subnet> <dst-mask> pair is used as an expression to match the prefix's subnet mask. Both "masks" are ordinary access-list wildcard masks: a 1 bit means "don't care", a 0 bit means the corresponding bit of the prefix (or of its mask) must equal the bit in the subnet field.
For example, the statement
permit ip 192.168.0.0 0.0.0.255 255.255.255.0 0.0.0.255
would match any prefix with the network address in the range 192.168.0.0-192.168.0.255 AND having a prefix length of /24 or longer: the first 24 bits of the mask must be set and the last 8 are ignored, so masks 255.255.255.0 through 255.255.255.255 all match.
It is possible to use more sophisticated constructs based on the wildcard bit logic (for instance matching only even or odd values of one octet, as the task above requires), but this usually makes the configuration hard to read and interpret.
Here are more examples:
permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0 - matches 10.0.0.0/16 only.
permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0 - matches 10.0.0.0/24 only.
permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0 - matches 10.1.1.0/24 only.
permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0 - matches 10.0.X.0/24 - any number in the 3rd octet of the network, with a /24 subnet mask.
permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0 - matches 10.X.X.0/24 - any number in the 2nd and 3rd octets of the network, with a /24 subnet mask.
permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0 - matches 10.X.X.X/28 - any number in the 2nd, 3rd and 4th octets of the network, with a /28 subnet mask.
permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255 - matches 10.X.X.X/24 to 10.X.X.X/32 - any number in the 2nd, 3rd and 4th octets of the network, with a /24 to /32 subnet mask.
permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127 - matches 10.X.X.X/25 to 10.X.X.X/32 - any number in the 2nd, 3rd and 4th octets of the network, with a /25 to /32 subnet mask.
Configuration:
R4:
ip access-list extended EVEN_3RD_MASK_GT_22
 deny ip 0.0.0.0 255.255.254.255 255.255.252.0 0.0.3.255
 permit ip any any
!
router bgp 100
 neighbor 204.12.1.254 distribute-list EVEN_3RD_MASK_GT_22 in
How the deny entry works: the source wildcard 255.255.254.255 marks every bit as "don't care" except the low-order bit of the 3rd octet, and that bit is 0 in 0.0.0.0, so only prefixes with an even 3rd octet match. The destination pair 255.255.252.0 0.0.3.255 requires the first 22 bits of the subnet mask to be set and ignores the remaining 10, so it matches masks /22 through /32. Note that this includes /22 itself; if the task is read as strictly longer than /22, use 255.255.254.0 0.0.1.255 instead, which matches /23 through /32 only. Applying the list with neighbor ... distribute-list ... in (rather than through a route-map) satisfies the requirement that the list be applied directly to the neighbor.
Verification: an inbound policy change is not applied to prefixes already received until the session is refreshed, so issue clear ip bgp 204.12.1.254 soft in after adding the distribute-list, then confirm with show ip bgp that no prefix learned from BB3 has both an even 3rd octet and a mask of /22 or longer.
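To check the wildcard arithmetic offline before touching a router, here is a small Python evaluator. It is added to this page and is not part of the original workbook or of IOS; it implements the matching rule described above (the <src-subnet> <src-mask> pair against the network address, the <dst-subnet> <dst-mask> pair against the subnet mask, first match wins, implicit deny at the end) and applies it to the R4 access-list and to the entries in the example table. The function names (acl_decision, mask_range), the stricter R4_ACL_STRICT variant and the sample prefixes are my own constructions; BB3's actual advertisements are not on the page.

```python
import ipaddress

# Added example, not IOS code: a tiny evaluator for how an extended ACL is
# interpreted when applied to BGP prefixes with "distribute-list ... in".
# Assumed semantics (taken from the text above): protocol and options are
# ignored, <src-subnet> <src-mask> is tested against the prefix's network
# address, <dst-subnet> <dst-mask> against its subnet mask, the first
# matching entry wins, and an unmatched prefix is denied.


def _ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value, pattern, wildcard):
    """Cisco wildcard logic: a 1 bit in the wildcard is don't-care; a 0 bit
    means the corresponding bit of value must equal the bit in pattern."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <src-wc> <dst> <dst-wc>'.
    'any' expands to 0.0.0.0 255.255.255.255 and 'host A' to A 0.0.0.0."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol: ignored

    def take(toks):
        if toks[0] == "any":
            return 0, 0xFFFFFFFF, toks[1:]
        if toks[0] == "host":
            return _ip2int(toks[1]), 0, toks[2:]
        return _ip2int(toks[0]), _ip2int(toks[1]), toks[2:]

    src, src_wc, rest = take(rest)
    dst, dst_wc, _ = take(rest)
    return {"action": action, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc}


def ace_matches(ace, prefix):
    """True if the entry matches a prefix written as 'a.b.c.d/len'."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return (wildcard_match(int(net.network_address), ace["src"], ace["src_wc"])
            and wildcard_match(int(net.netmask), ace["dst"], ace["dst_wc"]))


def acl_decision(acl_lines, prefix):
    """Walk the list top-down; first match wins; implicit deny if none match."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, prefix):
            return ace["action"]
    return "deny"


def mask_range(dst_subnet, dst_wildcard):
    """Prefix lengths whose (contiguous) mask satisfies a <dst> <dst-wc> pair."""
    dst, wc = _ip2int(dst_subnet), _ip2int(dst_wildcard)
    return [length for length in range(33)
            if wildcard_match(int(ipaddress.IPv4Network(f"0.0.0.0/{length}").netmask),
                              dst, wc)]


# The R4 access-list from the page, applied inbound from BB3 (204.12.1.254).
R4_ACL = [
    "deny ip 0.0.0.0 255.255.254.255 255.255.252.0 0.0.3.255",
    "permit ip any any",
]

# Assumed variant (not from the page) for a strict reading of "greater than /22":
# first 23 mask bits must be set, so /22 itself is no longer denied.
R4_ACL_STRICT = [
    "deny ip 0.0.0.0 255.255.254.255 255.255.254.0 0.0.1.255",
    "permit ip any any",
]

# Constructed sample prefixes (even/odd 3rd octet, masks around the /22 boundary).
SAMPLE_PREFIXES = ["112.0.0.0/24", "10.1.1.0/24", "10.2.4.0/22", "10.2.4.0/21"]

if __name__ == "__main__":
    for name, acl in (("R4_ACL", R4_ACL), ("R4_ACL_STRICT", R4_ACL_STRICT)):
        fields = acl[0].split()
        print(name, "denies even 3rd octet with mask lengths", mask_range(fields[4], fields[5]))
        for p in SAMPLE_PREFIXES:
            print("   ", p, "->", acl_decision(acl, p))
```

Running the script shows the /22 boundary directly: 10.2.4.0/22 is denied by the page's list but permitted by the strict variant, while 10.2.4.0/21 (mask too short) and 10.1.1.0/24 (odd 3rd octet) pass both. The same evaluator reproduces every row of the example table above, so it is a cheap way to sanity-check a wildcard-based filter before committing it to a production neighbor.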