This topic is to discuss the following lesson:
awesome lessons! didnt know you can use extended access-list like this!
correct me if im wrong, the difference i see here is that, its working like a prefix-list but you can only use “greater than or equal to”?
on your examples, it only shows like:
-/24 to /32
-/25 to /32
-/26 to /32
is it possible to have /24 to /30 only? /26 to /29? what will be your subnet and subnet wild card?
Good question, it can’t be done…let’s look at an example:
Let’s say you want to match /26 up to /29, the problem is that they don’t have a lot of bits in common…only the first two bits are the same:
Now if you would use wildcard 00111111 (63 in decimal) then it matches /26, /27, /28, /29 but also /30, /31 and /32.
It can’t be done in one statement but of course you can use multiple statements…just create one for /26, /27, /28 and /29 and you are done.
thanks Rene for the detailed explanation.
— “We want to match all subnet masks from /27 to /32 so we use a wildcard of 0.0.0.31. This means the first three octets have to match and the last four bits of the 4th octet. This will allow subnet mask 255.255.255.192, 255.255.255.224, 255.255.255.240, 255.255.255.248, 255.255.255.252, 255.255.255.254 and 255.255.255.255.”
In the above, 255.255.255.192 should be included? Thanks
Yes it should.
I got Problem for the attached toplogy ,R4 contains Two network 44 and 55 ,R2 at AS2 got to network 44 through R3 in AS1 ,and go to net 55 through R1 in AS1 using AS prepending in R1 and R3 the border AS Router in AS1 ,but the problem all traffic from R4 to network 220.127.116.11 at r2 AS2 ,unsing source address 55 and 44 go out AS1 to AS2 through R1 the lowest Router id , my request when go to 18.104.22.168/32 at r1 As1 with source address 44 go through r3 and to go to 22.214.171.124/32 with sources address 55 go through R1 .,the toplogy attached.
If you want to enforce one path for outgoing traffic from AS 1 to AS 2 then it’s best to influence the attributes. Don’t let the router ID decide it. If you want to do this for the entire AS, it’s best to configure local preference inbound on R1 and/or R3.
I’m replicating this same scenario in GNS3 and even applying the filters to some specific routes, I lose all routes from the routing table and in the BGP table. Why is this so?
It is difficult to tell without seeing your prefix-list or the configuration. There might be an error in your prefix-list or you refer to the wrong one in your BGP configuration (which will deny everything).
can you explain the reason that the result of “show ip bgp” on R1 is giving the symbol ‘r’ beside the received prefixes from R2?
R1#show ip bgp BGP table version is 4, local router ID is 192.168.12.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path r> 126.96.36.199 192.168.12.2 0 0 2 i r> 172.16.0.0/24 192.168.12.2 0 0 2 i r> 192.168.1.0 192.168.12.2 0 0 2 i
I have tried it in a LAB and gave me the same result and these subnets were not reachable from R1.
The r indicates an RIB failure, that is a failure of the Routing Information Base. IN other words, this route was not added to the routing table. The reason for which that network has not been installed can be determined using the
show ip bgp rib-failure on the router. It should give you an idea of why the specific route was not installed in the routing table.
Because it failed to be installed in the routing table it does not stop the BGP process from advertising the route to other BGP peers. It could be that an IGP routing protocol provided a route to the destination, and since all IGP protocols have an administrative distance smaller than that of BGP, these routes failed to be inserted.
I hope this has been helpful!
thanks for clarification, but the matched prefixes in the access-list were already installed in the routing table before applying the access-list which means that it was preferred from the BGP and no other IGP was competing with BGP so my question is why the RIB Failure occurs although it was not appearing before?
I have tried to know the reason behind the RIB Failure by using the command show ip bgp rib-failure and the reason was the input filter as below:
R1#sh ip bgp rib-failure Network Next Hop RIB-failure RIB-NH Matches 188.8.131.52/24 184.108.40.206 Input filter n/a
why the input filter prevents the route from installing it in the routing table?
I just labbed this up again and I’m getting the same RIB failures. If you enable a debug, you can see the reason:
R1#debug ip routing IP routing debugging is on
This shows up when you clear the routing table or clear the BGP neighbor adjacency:
RT: rib validate nexthop return code: 3 RT: rib validate nexthop return code: 3 RT: rib validate nexthop return code: 3
Return code 3 means the prefix is filtered because of an access-list. This one got me scratching my head for a bit…
The weird thing is, the access-list seems to be correct. They use the exact same example here:
After some tests, it seems that R1 denies the next hop IP address. If you add a statement like this:
R1(config)#access-list 100 permit ip host 192.168.12.2 any
Then it works:
R1#show ip bgp BGP table version is 4, local router ID is 192.168.12.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, t secondary path, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 220.127.116.11 192.168.12.2 0 0 2 i *> 172.16.0.0/24 192.168.12.2 0 0 2 i *> 192.168.1.0 192.168.12.2 0 0 2 i
You can see it in the debug too:
R1#clear ip route * RT: updating bgp 18.104.22.168/8 (0x0) : via 192.168.12.2 0 1048577 RT: add 22.214.171.124/8 via 192.168.12.2, bgp metric [20/0] RT: updating bgp 172.16.0.0/24 (0x0) : via 192.168.12.2 0 1048577 RT: add 172.16.0.0/24 via 192.168.12.2, bgp metric [20/0] RT: updating bgp 192.168.1.0/24 (0x0) : via 192.168.12.2 0 1048577 RT: add 192.168.1.0/24 via 192.168.12.2, bgp metric [20/0]
And a match on the access-list:
R1#show access-lists Extended IP access list 100 10 permit ip host 126.96.36.199 host 255.0.0.0 (3 matches) 20 permit ip host 172.16.0.0 host 255.255.255.0 (3 matches) 30 permit ip host 192.168.1.0 host 255.255.255.0 (3 matches) 40 permit ip host 192.168.12.2 any (9 matches)
It’s strange and this doesn’t seem to be documented. Anyway, after adding it, it works.
thanks for your effort and explanation, it seems to be a software version error as I tried it again on an IOS XE router and it worked fine with your configuration.
Thanks for sharing that. I was wondering if it was related to platform/ IOS version. I originally wrote this article using IOS 12.4T and yesterday I tried it on IOS 15.x. Funny that it’s different on IOS XE.
Seems there is a typo:
R1(config)#access-list 100 permit ip 172.16.0.0 0.0.0.0 255.255.255.0 0.0.0.0
In the text you mention /16 so in the config example the subnet mask is incorrect.
Here’s a screenshot of the text in question:
It seems the text indicates a /24 subnet mask which is what is found in the access list. Unless I’m missing something… Please clarify when you get a chance.
It’s the text right below that screenshot:
“In the second entry we want an exact match for “172.16.0.0” so we use network 172.16.0.0 with wildcard 0.0.0.0. The prefix-length has to be exactly /16 so we use subnet mask 255.255.0.0 with wildcard 0.0.0.0.”
But indeed it would make sense to change that part to /24 and 255.255.255.0 instead so it all matches up.