BGP Extended Access-List Filtering

This topic is to discuss the following lesson:

Awesome lessons! Didn't know you can use extended access-list like this!

Correct me if I'm wrong, the difference I see here is that it's working like a prefix-list but you can only use “greater than or equal to”?

On your examples, it only shows like:

- /24 to /32

- /25 to /32

- /26 to /32

Is it possible to have /24 to /30 only? /26 to /29? What will be your subnet and subnet wild card?

Thanks!

Hi John,

Good question, it can’t be done…let’s look at an example:

00000000 /24
10000000 /25
11000000 /26
11100000 /27
11110000 /28
11111000 /29
11111100 /30
11111110 /31
11111111 /32

Let’s say you want to match /26 up to /29, the problem is that they don’t have a lot of bits in common…only the first two bits are the same:

11000000 /26
11100000 /27
11110000 /28
11111000 /29

Now if you would use wildcard 00111111 (63 in decimal) then it matches /26, /27, /28, /29 but also /30, /31 and /32.

It can’t be done in one statement but of course you can use multiple statements…just create one for /26, /27, /28 and /29 and you are done.

Rene
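The wildcard behaviour Rene describes, as an added example that is not part of the original thread: a small first-match evaluator that compares the ACL's "source" pair with the network address and the "destination" pair with the subnet mask, then lists which prefix lengths get through. The 10.0.0.0 network, the function names and both ACLs are constructed for illustration.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def mask(length):
    """Dotted subnet mask for a prefix length, e.g. 26 -> 255.255.255.192."""
    return str(ipaddress.ip_network(f"0.0.0.0/{length}").netmask)

def wildcard_match(value, base, wildcard):
    """Wildcard bit 0 = must equal base, wildcard bit 1 = don't care."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return ((value ^ to_int(base)) & care) == 0

def acl_permits(acl, prefix):
    """First-match evaluation of an extended ACL used as a BGP route filter.

    The "source" pair is checked against the network address and the
    "destination" pair against the subnet mask. No match = implicit deny.
    """
    net = ipaddress.ip_network(prefix)
    for action, src, src_wc, dst, dst_wc in acl:
        if (wildcard_match(int(net.network_address), src, src_wc)
                and wildcard_match(int(net.netmask), dst, dst_wc)):
            return action == "permit"
    return False

def permitted_lengths(acl, base="10.0.0.0", low=24):
    """Prefix lengths /low../32 (each starting at `base`) that the ACL permits."""
    return [n for n in range(low, 33) if acl_permits(acl, f"{base}/{n}")]

# Constructed ACLs; 10.0.0.0 is a hypothetical network, not taken from the thread.
# One statement: mask 255.255.255.192 with wildcard 0.0.0.63 (00111111).
ONE_STATEMENT = [("permit", "10.0.0.0", "0.0.0.255", mask(26), "0.0.0.63")]

# One exact-mask statement (wildcard 0.0.0.0) per length, /26 through /29.
PER_LENGTH = [("permit", "10.0.0.0", "0.0.0.255", mask(n), "0.0.0.0")
              for n in range(26, 30)]

if __name__ == "__main__":
    print("wildcard 0.0.0.63:", permitted_lengths(ONE_STATEMENT))
    print("one per length   :", permitted_lengths(PER_LENGTH))
```
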

Thanks Rene for the detailed explanation.

— “We want to match all subnet masks from /27 to /32 so we use a wildcard of 0.0.0.31. This means the first three octets have to match and the last four bits of the 4th octet. This will allow subnet mask 255.255.255.192, 255.255.255.224, 255.255.255.240, 255.255.255.248, 255.255.255.252, 255.255.255.254 and 255.255.255.255.”

In the above, 255.255.255.192 should be included? Thanks

Hi Zhenggang,

Yes it should.

Rene

Hi Rene/All,

I have a problem with the attached topology. R4 contains two networks, 44 and 55. R2 in AS2 gets to network 44 through R3 in AS1, and goes to network 55 through R1 in AS1, using AS prepending on R1 and R3, the border AS routers in AS1. But the problem is that all traffic from R4 to network 2.2.2.2 at R2 in AS2, using source addresses 55 and 44, goes out of AS1 to AS2 through R1, the lowest router ID. My request is that traffic going to 2.2.2.2/32 at R1 AS1 with source address 44 goes through R3, and traffic going to 2.2.2.2/32 with source address 55 goes through R1. The topology is attached.

Thx


Hi Shady,

If you want to enforce one path for outgoing traffic from AS 1 to AS 2 then it’s best to influence the attributes. Don’t let the router ID decide it. If you want to do this for the entire AS, it’s best to configure local preference inbound on R1 and/or R3.

Rene

Hi, Rene.

I’m replicating this same scenario in GNS3 and even applying the filters to some specific routes, I lose all routes from the routing table and in the BGP table. Why is this so?

Hi @stlourenco,

It is difficult to tell without seeing your prefix-list or the configuration. There might be an error in your prefix-list or you refer to the wrong one in your BGP configuration (which will deny everything).

Hi Rene,

Can you explain the reason that the result of “show ip bgp” on R1 is giving the symbol ‘r’ beside the received prefixes from R2?

R1#show ip bgp 
BGP table version is 4, local router ID is 192.168.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
r> 20.0.0.0         192.168.12.2             0             0 2 i
r> 172.16.0.0/24    192.168.12.2             0             0 2 i
r> 192.168.1.0      192.168.12.2             0             0 2 i

I have tried it in a lab and it gave me the same result, and these subnets were not reachable from R1.

Thanks
Walid

Hello Walid

The r indicates a RIB failure, that is, a failure of the Routing Information Base. In other words, this route was not added to the routing table. The reason that network has not been installed can be determined using the show ip bgp rib-failure command on the router. It should give you an idea of why the specific route was not installed in the routing table.

Its failure to be installed in the routing table does not stop the BGP process from advertising the route to other BGP peers. It could be that an IGP routing protocol provided a route to the destination, and since all IGP protocols have an administrative distance smaller than that of BGP, these routes failed to be inserted.

I hope this has been helpful!

Laz

Hi Laz,

Thanks for the clarification, but the matched prefixes in the access-list were already installed in the routing table before applying the access-list, which means that it was preferred from BGP and no other IGP was competing with BGP. So my question is: why does the RIB failure occur although it was not appearing before?

I tried to find the reason behind the RIB failure by using the command show ip bgp rib-failure, and the reason was the input filter, as below:

R1#sh ip bgp rib-failure 
  Network            Next Hop                      RIB-failure   RIB-NH Matches
20.20.20.0/24      2.2.2.2                      Input filter              n/a

Why does the input filter prevent the route from being installed in the routing table?

Thanks,
Walid

Hi Walid,

I just labbed this up again and I’m getting the same RIB failures. If you enable a debug, you can see the reason:

R1#debug ip routing 
IP routing debugging is on

This shows up when you clear the routing table or clear the BGP neighbor adjacency:

RT: rib validate nexthop return code: 3
RT: rib validate nexthop return code: 3
RT: rib validate nexthop return code: 3

Return code 3 means the prefix is filtered because of an access-list. This one got me scratching my head for a bit…

The weird thing is, the access-list seems to be correct. They use the exact same example here:

After some tests, it seems that R1 denies the next hop IP address. If you add a statement like this:

R1(config)#access-list 100 permit ip host 192.168.12.2 any

Then it works:

R1#show ip bgp
BGP table version is 4, local router ID is 192.168.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
              t secondary path, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   20.0.0.0         192.168.12.2             0             0 2 i
 *>   172.16.0.0/24    192.168.12.2             0             0 2 i
 *>   192.168.1.0      192.168.12.2             0             0 2 i

You can see it in the debug too:

R1#clear ip route *

RT: updating bgp 20.0.0.0/8 (0x0)  :
    via 192.168.12.2   0 1048577

RT: add 20.0.0.0/8 via 192.168.12.2, bgp metric [20/0]

RT: updating bgp 172.16.0.0/24 (0x0)  :
    via 192.168.12.2   0 1048577

RT: add 172.16.0.0/24 via 192.168.12.2, bgp metric [20/0]

RT: updating bgp 192.168.1.0/24 (0x0)  :
    via 192.168.12.2   0 1048577

RT: add 192.168.1.0/24 via 192.168.12.2, bgp metric [20/0]

And a match on the access-list:

R1#show access-lists 
Extended IP access list 100
    10 permit ip host 20.0.0.0 host 255.0.0.0 (3 matches)
    20 permit ip host 172.16.0.0 host 255.255.255.0 (3 matches)
    30 permit ip host 192.168.1.0 host 255.255.255.0 (3 matches)
    40 permit ip host 192.168.12.2 any (9 matches)

It’s strange and this doesn’t seem to be documented. Anyway, after adding it, it works.

Rene

Hi Rene,

Thanks for your effort and explanation. It seems to be a software version error, as I tried it again on an IOS XE router and it worked fine with your configuration.

Thanks,
Walid

Hi Walid,

Thanks for sharing that. I was wondering if it was related to platform/IOS version. I originally wrote this article using IOS 12.4T and yesterday I tried it on IOS 15.x. Funny that it’s different on IOS XE.

Rene

Seems there is a typo:

R1(config)#access-list 100 permit ip 172.16.0.0 0.0.0.0 255.255.255.0 0.0.0.0

In the text you mention /16 so in the config example the subnet mask is incorrect.

Hello Elias

Here’s a screenshot of the text in question:

[image: screenshot of the lesson text]

It seems the text indicates a /24 subnet mask which is what is found in the access list. Unless I’m missing something… Please clarify when you get a chance.

Thanks!

Laz

Hi Laz,

It’s the text right below that screenshot:

“In the second entry we want an exact match for “172.16.0.0” so we use network 172.16.0.0 with wildcard 0.0.0.0. The prefix-length has to be exactly /16 so we use subnet mask 255.255.0.0 with wildcard 0.0.0.0.”

But indeed it would make sense to change that part to /24 and 255.255.255.0 instead so it all matches up.