BGP Extended Access-List Filtering

Hello Germain

Thanks so much for your kind words! It is a pleasure to help out. I wish you success in your exam and in your career, and as always, we’ll be here to help along the way.

Laz

Is it just me or are prefix lists much clearer than this? access-list 105 permit ip 0.0.0.0 255.255.255.255 255.255.255.0 0.0.0.255. I suppose we are trying to match a range of IPs, but man, this statement makes my eyes hurt. Also, can someone explain what exactly this means?

I get what is going on. I wish this way didn’t exist. Prefix lists have to be more clear. Is there a conceivable reason this would be used in real life? I mean I am grateful you show it here because knowing it exists is valuable in itself, but yikes!

Hello Justin

Take a look at this post for more details:

This particular behavior exists only when ACLs are called by distribution lists.

It can be difficult to get your head around, however once you get proficient in its use, it becomes clearer and easier to apply.

Note the following comment from Rene’s lesson:

Nowadays we use prefix-lists to filter BGP prefixes. Prefix-lists are very convenient since they allow you to specify a network address with a specific prefix length or a range of prefix lengths. Back in the days, before prefix-lists existed on Cisco IOS you had to use extended access-lists for this.

You really don’t want to use these anymore since the prefix-list does the same thing and the configuration is much easier. However, when you face a CCIE lab it might be possible that a task requires you to filter certain prefixes but you are not allowed to use the prefix-list. The extended access-list will be your only option then…

So don’t use them in a production network, but keep in mind that they exist, and be prepared to use them in a CCIE lab.

I hope this has been helpful!

Laz

This method won’t work, I assume ?

R1(config)#ip access-list  extended ACL-LIMIT-R2-NETWORKS
R1(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 255.255.255.0 0.0.0.0
R1(config-ext-nacl)#router bgp 1
R1(config-router)#distribute-list ACL-LIMIT-R2-NETWORKS IN
% The ACL cannot be created or an ACL with the same name but incompatible type already exists.
R1(config-router)#

Hello Mathew

It seems that distribute-lists do not support named extended ACLs in some IOS versions. I have found that I get the same error as you in my lab as well. My version is:

Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.9(3)M4, RELEASE SOFTWARE (fc3)

I find that I am able to successfully create the distribute-list with a numbered ACL, and also with a standard named ACL, but not an extended named ACL. The same is true for distribute lists for EIGRP and OSPF as well.

This seems to be the case for some versions of IOS while not for others.

I hope this has been helpful!

Laz

Rene Absolutely amazing explanation !


It was a great explanation. Thank you!

Could you please explain Outbound Route Filtering (ORF)?

Hello Sai

Thanks for the question, this is a great one. I have created a NetworkLessons Note on the topic here.

I hope this has been helpful!

Laz

Is there a way to allow an ASA to learn 0.0.0.0/0 using BGP to route all internet traffic down a VPN VTI for a single device or all devices on the Lan?

Hello Brian

BGP can be used to inform the ASA of a default route regardless of whether it is via a VPN VTI or via a normal physical interface.

To find out more about how you can advertise a default route using BGP, take a look at this NetworkLessons note titled “BGP advertising a default route”.

I hope this has been helpful!

Laz

Hi Lazaros,

That is very helpful. Thank you very much. I appreciate it!


Hi the lecture is informative, but the explanation of /26 to /32 prefix length and /27 to /32 prefix length are very confusing to me. For /26 to /32 prefix length example, shouldn’t be the 4th octet’s last six bits don’t care, the first two bits have to match? Because the difference between /26 to /32 is the last six bits.
For /27 to /32 prefix length example, wildcard of 0.0.0.31 4th octet has 5 ones and 3 zeros, so I don’t know why we only checked the last four bits (“and the last four bits of the 4th octet”). And why 255.255.255.192 should be included in this example? I thought 255.255.255.192 is mask of /26.

Hello Tracy

When you filter “anything between two different prefix lengths” you have to indicate:

  1. The initial prefix length
  2. The wildcard bits that can change

When we say we want to filter anything with a /24 to /32 prefix length, we must first indicate:

  1. The /24 prefix length. This is indicated using the following subnet mask in binary:

11111111.11111111.11111111.00000000 which is 255.255.255.0

  2. The wildcard bits that will indicate that we can have any value. In this case, we want to indicate that the last 8 bits of the subnet mask can have any value, so we would use a wildcard mask of:

00000000.00000000.00000000.11111111 which is 0.0.0.255

This means that when we match that up with the subnet mask, the bold digits can be anything.

11111111.11111111.11111111.00000000
00000000.00000000.00000000.11111111

This means that we can have any of the following possibilities:

11111111.11111111.11111111.00000000
11111111.11111111.11111111.10000000
11111111.11111111.11111111.11000000
11111111.11111111.11111111.11100000
11111111.11111111.11111111.11110000
11111111.11111111.11111111.11111000
11111111.11111111.11111111.11111100
11111111.11111111.11111111.11111110
11111111.11111111.11111111.11111111

That is a range between /24 and /32.

Similarly, for ranges between /26 and /32 we have the following subnet mask and subnet mask wildcard:

11111111.11111111.11111111.11000000
00000000.00000000.00000000.00111111

In this case we have the following ranges of allowed subnet masks:

11111111.11111111.11111111.11000000
11111111.11111111.11111111.11100000
11111111.11111111.11111111.11110000
11111111.11111111.11111111.11111000
11111111.11111111.11111111.11111100
11111111.11111111.11111111.11111110
11111111.11111111.11111111.11111111

Now for the case where we are filtering to match 172.16.x.x networks with a /27 to /32 prefix length, we do the same thing, where we use a subnet mask of 255.255.255.224, which is /27, and we use a wildcard mask of 0.0.0.31 to indicate a range of /27 to /32. In binary this looks like this:

11111111.11111111.11111111.11100000
00000000.00000000.00000000.00011111

So the actual extended access list will filter the following:

Any network of 172.16.0.0 with a subnet mask that ranges between /27 to /32.

You are correct. That should state, “the first three octets as well as the last five bits of the 4th octet must match.” Also, 255.255.255.192 should not be included. I will let Rene know to make the changes.

I hope this has been helpful!

Laz
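The matching rule Laz walks through above (and the access-list 105 entry Justin asked about earlier in the thread) can be checked mechanically. The following Python model is an added example, not code from the lesson or from any of the posters. It assumes the semantics described in the thread: in a BGP distribute-list, the ACL's source address/wildcard pair is compared against the network address and the destination address/wildcard pair against the subnet mask, with the usual Cisco wildcard rule that a 1 bit means "don't care" and an implicit deny at the end of the list. The prefixes fed into it are constructed sample values.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Convert a dotted-quad string (address, mask or wildcard) to a 32-bit int."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: only the bits where the wildcard is 0 must match."""
    fixed_bits = ~wildcard & ALL_ONES
    return (value & fixed_bits) == (pattern & fixed_bits)


def parse_extended_ace(line: str) -> dict:
    """Parse one extended ACE of the form:
       permit|deny ip <net> <net-wildcard> <mask> <mask-wildcard>
    Only dotted-quad operands are handled (no 'any'/'host' keywords); that is an
    assumption of this model, kept simple on purpose."""
    action, proto, net, net_wc, mask, mask_wc = line.split()[:6]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    return {
        "action": action,
        "net": _to_int(net),
        "net_wc": _to_int(net_wc),
        "mask": _to_int(mask),
        "mask_wc": _to_int(mask_wc),
    }


def prefix_matches_ace(prefix: str, ace: dict) -> bool:
    """A prefix matches when BOTH its network address and its subnet mask
    satisfy the respective address/wildcard pair of the ACE."""
    network = ipaddress.IPv4Network(prefix, strict=False)
    net_ok = wildcard_match(int(network.network_address), ace["net"], ace["net_wc"])
    mask_ok = wildcard_match(int(network.netmask), ace["mask"], ace["mask_wc"])
    return net_ok and mask_ok


def distribute_list_permits(prefix: str, acl_lines: list) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    for line in acl_lines:
        ace = parse_extended_ace(line)
        if prefix_matches_ace(prefix, ace):
            return ace["action"] == "permit"
    return False


def allowed_prefix_lengths(mask: str, mask_wc: str) -> list:
    """Enumerate every prefix length whose subnet mask satisfies mask/wildcard.
    This reproduces the binary tables in the explanation above."""
    mask_int, wc_int = _to_int(mask), _to_int(mask_wc)
    lengths = []
    for plen in range(33):
        candidate = int(ipaddress.IPv4Network(f"0.0.0.0/{plen}").netmask)
        if wildcard_match(candidate, mask_int, wc_int):
            lengths.append(plen)
    return lengths


if __name__ == "__main__":
    # /27 to /32 inside 172.16.0.0/16, as in the explanation above.
    acl = ["permit ip 172.16.0.0 0.0.255.255 255.255.255.224 0.0.0.31"]
    for p in ("172.16.1.0/27", "172.16.1.0/26", "172.16.9.64/28", "10.1.1.0/27"):
        print(p, "permitted" if distribute_list_permits(p, acl) else "denied")
    print("/27-/32 ->", allowed_prefix_lengths("255.255.255.224", "0.0.0.31"))
    print("/26-/32 ->", allowed_prefix_lengths("255.255.255.192", "0.0.0.63"))
```

`allowed_prefix_lengths` makes the wildcard reasoning visible: a mask/wildcard pair admits a contiguous run of prefix lengths because each longer mask only adds 1 bits in the "don't care" region, which is why `255.255.255.224 0.0.0.31` yields exactly /27 through /32 and Justin's `0.0.0.0 255.255.255.255 255.255.255.0 0.0.0.255` entry yields any network with /24 through /32.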

Hello

If I remember correctly the OSPF lesson, the distribute-list was preventing the router from adding certain routes from the LSDB into the RIB.
In this lesson, it seems the distribute-list is preventing some routes from being added into the BGP table.
Is it correct to say distribute-lists behave differently when applied to OSPF compared to BGP?

The matches that we see in show access-lists 100 in the context of route filtering increase when an advertisement for the prefix is received?

Thanks for your help !

Hello David

Distribute lists differ in the way they affect OSPF and BGP. This is because OSPF and BGP themselves operate very differently. BGP uses updates containing prefixes, while OSPF contains LSAs.

For OSPF, there is no way to filter LSA advertisements between routers found in the same area. Only ABRs and ASBRs can do that and only for LSAs transmitted between areas. So the alternative solution is to prevent prefixes contained within the LSDB from entering the routing table. That’s what distribute lists do when applied to OSPF.

Conversely, distribute lists, when applied to BGP are used to filter the actual prefixes from entering the BGP table.

So yes, you are correct in the different way that distribute lists affect BGP and OSPF. The particular OSPF lesson you are referring to is the following:

Yes that is correct.

I hope this has been helpful!

Laz

Hello, everyone!

I have a quick question about ORF. How often is ORF really used in the real world?

Because I personally find this method a little unscalable, considering that it only works with a prefix list.

Assuming that we only want a subset of the internet routes (our ISP’s customer routes), doesn’t this mean that we would have to write several commands to match all the networks that ISP owns?

And not to mention that the prefix-list would have to be constantly updated as the ISP gains customers or withdraws networks.

Thank you in advance for your help.

Hello David

Outbound route filtering or ORF is a feature of BGP that helps streamline the advertisement and processing of routes. It’s essentially a mechanism that allows a BGP router to send to its BGP peers a set of conditions (in the form of a filter) for routes that it is interested in receiving, or conversely, not interested in receiving. Take a look at this NetworkLessons note on BGP ORF for more info.

Concerning its use in the real world, it is true that its usage is not as widespread as other routing methods primarily due to the reasons you’ve mentioned: scalability and maintenance.

ORF is typically used in smaller networks or specialized scenarios where the network manager wants to have granular control over the routes that are being advertised. This could be useful for example, in a scenario where you want to limit the routes advertised to a specific customer or peer.

However, in larger networks or with ISPs, the task of maintaining the prefix-list can become quite cumbersome. The constant updating of the list as customers are added or removed can be a significant administrative overhead.

In such scenarios, other methods such as route-maps or BGP communities are often preferred as they can provide a similar level of control but are easier to manage at scale.

The choice of routing method will largely depend on the specific requirements of your network and the administrative resources you have available.

I hope this has been helpful!

Laz

Hi everyone,
I have a question in an exam where they need to stop advertising some subnets remotely by using an ACL in BGP.
PS: I don’t have a route reflector, and the condition in the question is to use only one router to stop it.
Could you help me with some tips?

Hello Muhanned

There are several ways to do this. One way is to use access lists with a distribute-list to specify which prefixes you want to filter out. You can find out more about how to do that at this lesson:

Another option is to use a route map. This lesson below shows an example of how a route has been filtered using a route-map:

Take a look at these lessons and if you have any further questions, let us know!

I hope this has been helpful!

Laz
