This topic is to discuss the following lesson:
Awesome lessons! I didn't know you could use an extended access-list like this!
Correct me if I'm wrong, but the difference I see here is that it works like a prefix-list, only you can just use "greater than or equal to"?
on your examples, it only shows like:
- /24 to /32
- /25 to /32
- /26 to /32
Is it possible to have /24 to /30 only? /26 to /29? What would the subnet and subnet wildcard be?
Thanks!
Hi John,
Good question, it can't be done… let's look at an example:
00000000 /24
10000000 /25
11000000 /26
11100000 /27
11110000 /28
11111000 /29
11111100 /30
11111110 /31
11111111 /32
Let's say you want to match /26 up to /29, the problem is that they don't have a lot of bits in common… only the first two bits are the same:
11000000 /26
11100000 /27
11110000 /28
11111000 /29
Now if you would use wildcard 00111111 (63 in decimal) then it matches /26, /27, /28, /29 but also /30, /31 and /32.
It can't be done in one statement but of course you can use multiple statements… just create one for /26, /27, /28 and /29 and you are done.
Rene
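As an added example (not part of the thread and not Rene's material), the Python script below works through the bit comparison above mechanically: it takes the subnet masks for a range of prefix lengths, keeps every bit on which all of those masks agree (ones and trailing zeros alike), turns the remaining bits into the wildcard, and then lists which valid subnet masks that single statement really admits. Function names are my own. For /24 to /32 it derives 255.255.255.0 with wildcard 0.0.0.255; lengths_matched(mask_int(26), 63) reproduces the 0.0.0.63 wildcard discussed above and shows it also admitting /30, /31 and /32, while tightest_statement reports what the trailing zero bits buy you when they are fixed instead of wildcarded.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_int(plen: int) -> int:
    """Subnet mask for a prefix length as a 32-bit integer (/24 -> 255.255.255.0)."""
    if not 0 <= plen <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - plen)) & ALL_ONES


def dotted(value: int) -> str:
    """Render a 32-bit integer in dotted-decimal form."""
    return str(ipaddress.IPv4Address(value))


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~wildcard & ALL_ONES
    return (value & care) == (pattern & care)


def lengths_matched(pattern: int, wildcard: int) -> list:
    """Prefix lengths whose (contiguous) subnet mask passes a given mask/wildcard pair."""
    return [p for p in range(33) if wildcard_match(mask_int(p), pattern, wildcard)]


def tightest_statement(lo: int, hi: int) -> dict:
    """Fix every bit on which the masks /lo../hi agree; the other bits become the wildcard.

    Returns the mask/wildcard pair to put in the access-list and the prefix lengths
    that pair admits, so the caller can see whether the range came out exact.
    """
    masks = [mask_int(p) for p in range(lo, hi + 1)]
    and_all, or_all = ALL_ONES, 0
    for m in masks:
        and_all &= m
        or_all |= m
    # a bit is fixed when it is 1 in every mask or 0 in every mask
    fixed = and_all | (~or_all & ALL_ONES)
    wildcard = ~fixed & ALL_ONES
    matched = lengths_matched(masks[0], wildcard)
    return {
        "mask": dotted(masks[0]),
        "wildcard": dotted(wildcard),
        "matched": matched,
        "exact": matched == list(range(lo, hi + 1)),
    }


if __name__ == "__main__":
    print(tightest_statement(24, 32))
    print(tightest_statement(26, 29))
    # the 0.0.0.63 wildcard from the discussion: /26 pattern, low six bits do not care
    print(lengths_matched(mask_int(26), 63))
```

The "exact" flag is the check to look at before committing a single statement: because subnet masks are always a run of ones followed by zeros, whether one entry can cover a range depends on the trailing bits as much as on the leading ones, and the script checks that rather than assuming it.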
Thanks Rene for the detailed explanation.
"We want to match all subnet masks from /27 to /32 so we use a wildcard of 0.0.0.31. This means the first three octets have to match and the last four bits of the 4th octet. This will allow subnet mask 255.255.255.192, 255.255.255.224, 255.255.255.240, 255.255.255.248, 255.255.255.252, 255.255.255.254 and 255.255.255.255."
In the above, 255.255.255.192 should be included? Thanks
Hi Zhenggang,
Yes it should.
Rene
Hi Rene/All,
I have a problem with the attached topology. R4 contains two networks, 44 and 55. R2 in AS2 gets to network 44 through R3 in AS1, and gets to network 55 through R1 in AS1, using AS prepending on R1 and R3, the border routers in AS1. But the problem is that all traffic from R4 to network 2.2.2.2 at R2 in AS2, using source addresses 55 and 44, goes out of AS1 to AS2 through R1, the lowest router ID. My request: when going to 2.2.2.2/32 at R1 in AS1 with source address 44, go through R3, and when going to 2.2.2.2/32 with source address 55, go through R1. The topology is attached.
Thx
Topology attached
Hi Shady,
If you want to enforce one path for outgoing traffic from AS 1 to AS 2 then it's best to influence the attributes. Don't let the router ID decide it. If you want to do this for the entire AS, it's best to configure local preference inbound on R1 and/or R3.
Rene
Hi, Rene.
I'm replicating this same scenario in GNS3 and even applying the filters to some specific routes, I lose all routes from the routing table and in the BGP table. Why is this so?
Hi @stlourenco,
It is difficult to tell without seeing your prefix-list or the configuration. There might be an error in your prefix-list or you refer to the wrong one in your BGP configuration (which will deny everything).
Hi Rene,
Can you explain why the output of "show ip bgp" on R1 shows the symbol "r" beside the prefixes received from R2?
R1#show ip bgp
BGP table version is 4, local router ID is 192.168.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
r> 20.0.0.0 192.168.12.2 0 0 2 i
r> 172.16.0.0/24 192.168.12.2 0 0 2 i
r> 192.168.1.0 192.168.12.2 0 0 2 i
I have tried it in a lab and it gave me the same result, and these subnets were not reachable from R1.
Thanks
Walid
Hello Walid
The r indicates a RIB failure, that is, a failure of the Routing Information Base. In other words, this route was not added to the routing table. The reason why that network has not been installed can be determined using the show ip bgp rib-failure command on the router. It should give you an idea of why the specific route was not installed in the routing table.
Even though it failed to be installed in the routing table, this does not stop the BGP process from advertising the route to other BGP peers. It could be that an IGP routing protocol provided a route to the destination, and since all IGP protocols have an administrative distance smaller than that of BGP, these routes failed to be inserted.
I hope this has been helpful!
Laz
Hi Laz,
Thanks for the clarification, but the prefixes matched in the access-list were already installed in the routing table before applying the access-list, which means they were preferred from BGP and no other IGP was competing with BGP. So my question is: why does the RIB failure occur although it was not appearing before?
I have tried to find the reason behind the RIB failure by using the command show ip bgp rib-failure, and the reason was the input filter, as below:
R1#sh ip bgp rib-failure
Network Next Hop RIB-failure RIB-NH Matches
20.20.20.0/24 2.2.2.2 Input filter n/a
Why does the input filter prevent the route from being installed in the routing table?
Thanks,
Walid
Hi Walid,
I just labbed this up again and I'm getting the same RIB failures. If you enable a debug, you can see the reason:
R1#debug ip routing
IP routing debugging is on
This shows up when you clear the routing table or clear the BGP neighbor adjacency:
RT: rib validate nexthop return code: 3
RT: rib validate nexthop return code: 3
RT: rib validate nexthop return code: 3
Return code 3 means the prefix is filtered because of an access-list. This one got me scratching my head for a bit…
The weird thing is, the access-list seems to be correct. They use the exact same example here:
After some tests, it seems that R1 denies the next hop IP address. If you add a statement like this:
R1(config)#access-list 100 permit ip host 192.168.12.2 any
Then it works:
R1#show ip bgp
BGP table version is 4, local router ID is 192.168.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 20.0.0.0 192.168.12.2 0 0 2 i
*> 172.16.0.0/24 192.168.12.2 0 0 2 i
*> 192.168.1.0 192.168.12.2 0 0 2 i
You can see it in the debug too:
R1#clear ip route *
RT: updating bgp 20.0.0.0/8 (0x0) :
via 192.168.12.2 0 1048577
RT: add 20.0.0.0/8 via 192.168.12.2, bgp metric [20/0]
RT: updating bgp 172.16.0.0/24 (0x0) :
via 192.168.12.2 0 1048577
RT: add 172.16.0.0/24 via 192.168.12.2, bgp metric [20/0]
RT: updating bgp 192.168.1.0/24 (0x0) :
via 192.168.12.2 0 1048577
RT: add 192.168.1.0/24 via 192.168.12.2, bgp metric [20/0]
And a match on the access-list:
R1#show access-lists
Extended IP access list 100
10 permit ip host 20.0.0.0 host 255.0.0.0 (3 matches)
20 permit ip host 172.16.0.0 host 255.255.255.0 (3 matches)
30 permit ip host 192.168.1.0 host 255.255.255.0 (3 matches)
40 permit ip host 192.168.12.2 any (9 matches)
It's strange and this doesn't seem to be documented. Anyway, after adding it, it works.
Rene
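As an added example that models the behaviour Rene describes (this is not Cisco's code, and the exact way IOS evaluates the filter is an assumption on my part), the Python script below applies an extended access-list to a BGP update twice: once against the (network, subnet mask) pair, which is what the distribute-list is meant to check, and once against the next hop on its own, which is what the "rib validate nexthop" failure and the fix with entry 40 suggest the affected release does. The four entries are the ones from the show access-lists output above with the match counters dropped; the function names, the check_next_hop switch, and the value 0 used as the second operand of the next-hop lookup are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~wildcard & ALL_ONES
    return (value & care) == (pattern & care)


def _take_operand(tokens: list):
    """Consume one ACL operand: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]


def parse_entry(line: str) -> tuple:
    """Parse '[seq] permit|deny ip <source> <destination>' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0].isdigit():  # optional sequence number, as shown by 'show access-lists'
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, rest = _take_operand(tokens[2:])
    dst, rest = _take_operand(rest)
    if rest:
        raise ValueError(f"trailing tokens in entry: {line}")
    return action, src, dst


def acl_lookup(acl: list, first: int, second: int) -> str:
    """Top-down, first match wins; the implicit deny closes every Cisco ACL."""
    for action, (s, swc), (d, dwc) in acl:
        if wildcard_match(first, s, swc) and wildcard_match(second, d, dwc):
            return action
    return "deny"


def filter_update(acl: list, prefix: str, next_hop: str, check_next_hop: bool) -> str:
    """Decide what happens to a received prefix under the distribute-list.

    The source field of the ACL is matched against the network and the destination
    field against its subnet mask. With check_next_hop set, the next hop is then run
    through the same ACL (assumed model of the observed RIB failure); nothing meaningful
    is available for the destination field there, so only an entry with destination
    'any' (or a 0.0.0.0 pattern) will let the next hop through.
    """
    net = ipaddress.IPv4Network(prefix)
    network, mask = int(net.network_address), int(net.netmask)
    if acl_lookup(acl, network, mask) != "permit":
        return "denied: prefix filtered"
    if check_next_hop and acl_lookup(acl, to_int(next_hop), 0) != "permit":
        return "rib-failure: next hop filtered"
    return "installed"


# Entries copied from the 'show access-lists' output in the thread (counters dropped)
ACL_BEFORE = [parse_entry(line) for line in (
    "10 permit ip host 20.0.0.0 host 255.0.0.0",
    "20 permit ip host 172.16.0.0 host 255.255.255.0",
    "30 permit ip host 192.168.1.0 host 255.255.255.0",
)]
ACL_AFTER = ACL_BEFORE + [parse_entry("40 permit ip host 192.168.12.2 any")]

if __name__ == "__main__":
    for acl, label in ((ACL_BEFORE, "entries 10-30"), (ACL_AFTER, "entries 10-40")):
        for prefix in ("20.0.0.0/8", "172.16.0.0/24", "192.168.1.0/24", "10.0.0.0/8"):
            print(label, prefix, filter_update(acl, prefix, "192.168.12.2", True))
```

Running it with check_next_hop=True reproduces the thread: the three prefixes come back as RIB failures with entries 10 to 30 alone and as installed once entry 40 exists, while a prefix not listed, or listed with a different mask (172.16.0.0/16 against entry 20), is simply filtered. With check_next_hop=False, as Walid saw on IOS XE, entries 10 to 30 are enough.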
Hi Rene,
Thanks for your effort and explanation. It seems to be a software version error, as I tried it again on an IOS XE router and it worked fine with your configuration.
Thanks,
Walid
Hi Walid,
Thanks for sharing that. I was wondering if it was related to platform/IOS version. I originally wrote this article using IOS 12.4T and yesterday I tried it on IOS 15.x. Funny that it's different on IOS XE.
Rene
Seems there is a typo:
R1(config)#access-list 100 permit ip 172.16.0.0 0.0.0.0 255.255.255.0 0.0.0.0
In the text you mention /16 so in the config example the subnet mask is incorrect.
Hello Elias
Here's a screenshot of the text in question:
It seems the text indicates a /24 subnet mask which is what is found in the access list. Unless I'm missing something… Please clarify when you get a chance.
Thanks!
Laz
Hi Laz,
It's the text right below that screenshot:
"In the second entry we want an exact match for '172.16.0.0' so we use network 172.16.0.0 with wildcard 0.0.0.0. The prefix-length has to be exactly /16 so we use subnet mask 255.255.0.0 with wildcard 0.0.0.0."
But indeed it would make sense to change that part to /24 and 255.255.255.0 instead so it all matches up.