From: Mohamed M Moustafa (mmma@gawab.com)
Date: Mon Oct 22 2007 - 17:41:12 ART
Hi Benedict,
Nice explanation, but I only have one comment: prefix-list and
distribute-list are mutually exclusive, and only one command (neighbor
prefix-list or neighbor distribute-list) can be applied to each inbound or
outbound direction for a particular neighbor:
Rack1SW2(config-router)#neighbor 1.1.1.1 remote-as 1
Rack1SW2(config-router)#neighbor 1.1.1.1 distribute-list 1 in
Rack1SW2(config-router)#neighbor 1.1.1.1 prefix-list 1 in
Prefix/distribute list can not co-exist
BR,
Mohammed Mahmoud.
Benedict Munyao <bmunyao@gmail.com> wrote on 22 Oct 2007, 09:07 PM:
Subject: Re: BGP Filter Question
>Rich,
>
>My understanding of the BGP processing order for outbound policies is as
>follows.
>
>1. All bgp prefixes in the bgp table will get to be processed by
>"distribute-list" policy.
>2. Only those allowed by "distribute-list" will be processed by
>"prefix-list" policy.
>3. Only those making it past the "prefix-list" will then be checked against
>"filter-list".
>4. Finally, those which survive the first three filtering policies get to be
>processed through the "route-map".
>
>Below is the output from labbing this up:
>
>
>AS1                       AS3                              AS2
>R1------------------------R3-------------------------------R2
>       155.1.13.0/24                 155.1.23.0/24
>
>
>
>R1
>---------------------------------------------------------------------
>Rack1R1(config-router)#do sh ip int bri | e unass
>Interface      IP-Address      OK? Method Status    Protocol
>Serial1/1      155.1.13.1      YES manual up        up
>Loopback0      10.1.1.1        YES manual up        up
>
>Rack1R1(config-router)#do sh run | s eigrp
>router eigrp 10
> network 10.1.1.1 0.0.0.0
> network 155.1.13.1 0.0.0.0
> no auto-summary
>
>Rack1R1(config-router)#do sh run | s bgp
>router bgp 1
> no synchronization
> bgp log-neighbor-changes
> neighbor 30.3.3.3 remote-as 3
> neighbor 30.3.3.3 ttl-security hops 2
> neighbor 30.3.3.3 update-source Loopback0
> no auto-summary
>
>R3
>-------------------------------------------------------------------------------
>
>Rack1R3(config)#do sh ip int bri | e unass
>Interface      IP-Address      OK? Method Status    Protocol
>Serial1/2      155.1.13.3      YES manual up        up
>Serial1/3      155.1.23.3      YES manual up        up
>Loopback0      30.3.3.3        YES manual up        up
>Loopback1      31.3.3.3        YES manual up        up
>Loopback2      32.3.3.3        YES manual up        up
>
>Rack1R3(config)#do sh run | s eigrp
>router eigrp 10
> network 30.3.3.3 0.0.0.0
> network 155.1.13.3 0.0.0.0
> network 155.1.23.3 0.0.0.0
> no auto-summary
>
>Rack1R3(config)#do sh run | s bgp
>router bgp 3
> no synchronization
> bgp log-neighbor-changes
> network 30.3.3.0 mask 255.255.255.0
> network 31.3.3.0 mask 255.255.255.0
> network 32.3.3.0 mask 255.255.255.0
> neighbor 10.1.1.1 remote-as 1
> neighbor 10.1.1.1 ttl-security hops 3
> neighbor 10.1.1.1 update-source Loopback0
> neighbor 155.1.23.2 remote-as 2
> no auto-summary
>
>R2
>------------------------------------------------------------------------
>Rack1R2(config-router)#do sh ip int bri | e unass
>Interface      IP-Address      OK? Method Status    Protocol
>Serial1/1      155.1.23.2      YES manual up        up
>Loopback0      20.2.2.2        YES manual up        up
>
>Rack1R2(config-router)#do sh run | s eigrp
>router eigrp 10
> network 20.2.2.2 0.0.0.0
> network 155.1.23.2 0.0.0.0
> no auto-summary
>
>Rack1R2(config-router)#do sh run | s bgp
>router bgp 2
> no synchronization
> bgp log-neighbor-changes
> network 20.2.2.0 mask 255.255.255.0
> neighbor 155.1.23.3 remote-as 3
> no auto-summary
>
>
>Before adding policies on R3:
>-----------------------------------------------------------------------------------------------------------
>
>Rack1R1(config-router)#do sh ip bgp
>BGP table version is 7, local router ID is 10.1.1.1
>Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>              r RIB-failure, S Stale
>Origin codes: i - IGP, e - EGP, ? - incomplete
>
> Network Next Hop Metric LocPrf Weight Path
>* 20.2.2.0/24 30.3.3.3 0 3 2 i
>* 30.3.3.0/24 30.3.3.3 0 0 3 i
>* 31.3.3.0/24 30.3.3.3 0 0 3 i
>* 32.3.3.0/24 30.3.3.3 0 0 3 i
>Rack1R1(config-router)#
>
>
>With outbound policies on R3
>---------------------------------------------------------------------------------------------------
>
>Rack1R3(config-router)#do sh run | s route-map
>route-map PREPEND permit 10
> set as-path prepend 3 3
>route-map PREPEND permit 20
>
>Rack1R3(config-router)#do sh run | i access-list
>ip as-path access-list 1 permit ^2$
>
>Rack1R3(config)#router bgp 3
>Rack1R3(config-router)#neighbor 10.1.1.1 route-map PREPEND out
>Rack1R3(config-router)#neighbor 10.1.1.1 filter-list 1 out
>Rack1R3(config-router)#do clear ip bgp * soft
>
>
>Rack1R1(config-router)#do sh ip bgp
>BGP table version is 7, local router ID is 10.1.1.1
>Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>              r RIB-failure, S Stale
>Origin codes: i - IGP, e - EGP, ? - incomplete
>
> Network Next Hop Metric LocPrf Weight Path
>* 20.2.2.0/24 30.3.3.3 0 3 3 3 2 i
>Rack1R1(config-router)#
>
>
>Note that after R3 picked only the prefix from AS2, it then went on to
>process the route-map.
>
>Sincerely
>Benedict Munyao
>
>
>
>
>On 10/17/07, Rich Collins <nilsi2002@gmail.com> wrote:
>>
>> The filter list will never see the prepend since it comes before the
>> route-map.
>>
>> For outbound updates the order of preference is:
>>
>> 1. prefix-list, distribute-list
>> 2. filter-list
>> 3. route-map
>>
>>
>> Let's say you were filtering on the inbound. You could use the below
>> statement for filtering one or more prepends of 123. This version _123$ is
>> not tight enough.
>>
>> ip as-path access-list 1 permit ^(123_)+$
>>
>>
>> -Rich
>>
>>
>> On 10/17/07, Joe Gagznos <kemphall@yahoo.com> wrote:
>> >
>> > Just want to check this. I have the following bgp
>> > configuration:
>> >
>> > router bgp 123
>> > network 1.2.3.0 mask 255.255.255.0
>> > neighbor 221.122.10.1 remote-as 2131
>> > neighbor 221.122.10.1 route-map pathprepend out
>> > neighbor 221.122.10.1 filter-list 1 out
>> >
>> > route-map pathprepend permit 10
>> > set as-path prepend 123 123
>> > route-map pathprepend permit 20
>> >
>> > ip as-path access-list 1 permit ^$
>> > ip as-path access-list 1 permit ^123$
>> > ip as-path access-list 1 deny .*
>> >
>> > Is the as path access list going to fail this route
>> > advertisement? If I changed the access list to the
>> > following would I still only be allowing routes
>> > originating from 123 and allow as much prepending as I
>> > want?
>> >
>> > ip as-path access-list 1 permit ^$
>> > ip as-path access-list 1 permit _123$
>> > ip as-path access-list 1 deny .*
>> >
>> > Thanks for your help!
>> >
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>
>
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:17 ART
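
The following is an added example, not part of any poster's message. It models the outbound order described in the thread (filter-list evaluated before the route-map prepend) and compares the as-path expressions discussed for inbound filtering. The function names, the translation of the IOS `_` metacharacter into Python regex syntax, and the transit AS 65000 are assumptions constructed for illustration.

```python
import re

# IOS "_" matches a delimiter (space, comma, braces, parentheses)
# or the start/end of the AS-path string.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"

def ios_to_py(pattern):
    """Translate an IOS as-path regex to Python by expanding '_'."""
    return re.compile(pattern.replace("_", _UNDERSCORE))

def acl_permits(entries, as_path):
    """First-match evaluation of an as-path access-list, implicit deny at end."""
    for action, pattern in entries:
        if ios_to_py(pattern).search(as_path):
            return action == "permit"
    return False

def advertise(as_path, filter_list, prepend, local_as):
    """Outbound order from the thread: filter-list first, then route-map.
    Returns the AS path the eBGP neighbor receives, or None if filtered."""
    if not acl_permits(filter_list, as_path):
        return None          # dropped before the route-map ever runs
    # The prepend and the local AS are added only after the filter decision.
    return " ".join([local_as] + prepend + as_path.split())

# The as-path access-list from the original question (AS 123).
JOE_ACL = [("permit", "^$"), ("permit", "^123$"), ("deny", ".*")]

# Inbound candidates discussed in the reply.
TIGHT = [("permit", "^(123_)+$")]
LOOSE = [("permit", "_123$")]

if __name__ == "__main__":
    # Locally originated route: empty AS path at filter time.
    print(advertise("", JOE_ACL, ["123", "123"], "123"))
    # Constructed transit route learned from AS 65000: filtered.
    print(advertise("65000", JOE_ACL, ["123", "123"], "123"))
    # What a receiving router would accept inbound (paths are constructed).
    for path in ("123", "123 123 123", "65000 123"):
        print(path, acl_permits(TIGHT, path), acl_permits(LOOSE, path))
```

The last path shows the difference between the two inbound expressions: `_123$` accepts any route originated by AS 123 regardless of which ASes it crossed, while `^(123_)+$` accepts only paths made up of AS 123 alone, with or without prepends.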