Posts Tagged ‘extended’
The leading question:
“Is it possible (and if so, how) to redistribute or originate a default route based on time of day?”
The short answer is “Sure, why not?”… But the longer answer has to do with how do we warp the forces of the universe to make that happen???
Well, start with what we know. We know we can do time-ranges in access-lists, right? Can we do them in standard access-lists (what we see used for redistribution all the time)?
Rack1R1(config-if)#exit Rack1R1(config)#access-list 1 permit 172.16.0.0 0.15.255.255 ? log Log matches against this entry <cr> Rack1R1(config)#
Nope. There’s a bummer. So we will need to use EXTENDED ACL’s in order to make this work. So now we are reaching the point of “Yes, it can be done, but it will make my head hurt.” as the answer.
First, as a little review, check out a blog we did last year providing some information on that sort of thing in conjunction with a distribute-list in different routing protocols.
Prior to the support of prefix-lists in the IOS advanced filtering for BGP needed to be done using extended ACLs. The syntax for using extended ACLs is shown below:
access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
The source portion of the extended ACL is used to match the network portion of the BGP route and the destination portion of the ACL is used to match the subnet mask of the BGP route. Here are some examples:
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
Matches 10.0.0.0/16 – Only
access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
Matches 10.0.0.0/24 – Only
access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
Matches 10.1.1.0/24 – Only
access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
Matches 10.0.X.0/24 – Any number in the 3rd octet of the network with a /24 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
Matches 10.X.X.0/24 – Any number in the 2nd & 3rd octet of the network with a /24 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
Matches 10.X.X.X/28 – Any number in the 2nd, 3rd & 4th octet of the network with a /28 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
Matches 10.X.X.X/24 to 10.X.X.X/32 – Any number in the 2nd, 3rd & 4th octet of the network with a /24 to /32 subnet mask.
access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
Matches 10.X.X.X/25 to 10.X.X.X/32 – Any number in the 2nd, 3rd & 4th octet of the network with a /25 to /32 subnet mask
I’m trying to create a distribute-list in RIP to allow only even routes to be received. I can do it successfully with a standard ACL, however if I use an extended ACL I can’t get any routes at all. I’ve heard that extended ACLs are better because they also check the netmask. What am I doing wrong?
Using an extended access-list with a distribute-list is supported, however the syntax can be a little confusing because it means different things for different applications. When using an extended ACL for a distribute-list in BGP it acts like a prefix-list. This means that you can match on both the address of the prefix and the subnet mask. In other words if you have prefixes 10.0.0.0/8 and 10.0.0.0/16 you can distinguish between them by saying not only must the address be 10.0.0.0 but the subnet mask must be /8. In prefix-list syntax this is very straightforward, as to match this prefix we would use the following:
ip prefix-list PREFIX1 permit 10.0.0.0/8
When using an extended access-list in BGP the syntax of the list changes in that we are not matching source and destination pairs, but instead are matching the address and netmask. In extended ACL syntax the above prefix-list would read:
access-list 100 permit ip host 10.0.0.0 host 255.0.0.0
This means that the address must be exactly 10.0.0.0 and the subnet mask must be exactly 255.0.0.0. By changing the “host” keyword to a wildcard mask we can do fuzzy binary matches. For example the following syntax means check any address that starts with “192.168” and has a subnet mask of /24:
access-list 101 permit ip 192.168.0.0 0.0.255.255 host 255.255.255.0
In other words this list matches 192.168.0.0/24, 192.168.100.0/24, 192.168.200.0/24, etc.
This extended access-list syntax can also be used in a route-map for redistribution filtering in both IGP and BGP. For example if we took the previous access-list 101 and matched it in a route-map as follows:
route-map OSPF_TO_RIP permit 10 match ip address 100 ! router rip redistribute ospf 1 metric 1 route-map OSPF_TO_RIP
This syntax would say that we want to redistribute OSPF routes into RIP, but only those which are 192.168.X.X/24.
The confusion for this extended access-list implementation is that when it is called as a distribute-list in IGP the syntax changes. In the previous examples the normal “source” field in the ACL represents the network address, where the “destination” field represents the subnet mask. In IGP distribute-list application the “source” field in the ACL matches the update source of the route, and the “destination” field represents the network address. This implementation allows us to control which networks we are receiving, but more importantly who we are receiving them from. Take the following topology:
R1, R2, and R3 share an Ethernet network 188.8.131.52/8 that is running RIP. Both R1 and R2 are advertising the identical prefixes 10.0.0.0/8 and 184.108.40.206/8 to R3. Their configurations are as follows:
R1#show ip int brief | exclude unassigned Interface IP-Address OK? Method Status Protocol FastEthernet0/0 220.127.116.11 YES manual up up Loopback0 10.0.0.1 YES manual up up Loopback1 18.104.22.168 YES manual up up R1#show run | begin router rip router rip version 2 network 10.0.0.0 network 22.214.171.124 network 126.96.36.199 R2# show ip int brief | exclude unassigned Interface IP-Address OK? Method Status Protocol FastEthernet0/0 188.8.131.52 YES manual up up Loopback0 10.0.0.1 YES manual up up Loopback1 184.108.40.206 YES manual up up R2#sh run | begin router rip router rip version 2 network 10.0.0.0 network 220.127.116.11 network 18.104.22.168 R3#show ip route rip R 22.214.171.124/8 [120/1] via 126.96.36.199, 00:00:00, Ethernet0/0 [120/1] via 188.8.131.52, 00:00:00, Ethernet0/0 R 10.0.0.0/8 [120/1] via 184.108.40.206, 00:00:00, Ethernet0/0 [120/1] via 220.127.116.11, 00:00:00, Ethernet0/0
From this output we can see that R3 has the two prefixes installed twice, once from R1 and once from R2. Now let’s suppose that prefix 10.0.0.0/8 we only want to receive from R1, while prefix 18.104.22.168/8 we only want to receive from R2. We can accomplish this with an extended access-list as follows:
R3#conf t Enter configuration commands, one per line. End with CNTL/Z. R3(config)#access-list 100 permit ip host 22.214.171.124 host 10.0.0.0 R3(config)#access-list 100 permit ip host 126.96.36.199 host 188.8.131.52 R3(config)#router rip R3(config-router)#distribute-list 100 in Ethernet0/0 R3(config-router)#end R3#clear ip route * R3#show ip route rip R 184.108.40.206/8 [120/1] via 220.127.116.11, 00:00:00, Ethernet0/0 R 10.0.0.0/8 [120/1] via 18.104.22.168, 00:00:00, Ethernet0/0
We can see now R3 only has one entry for each prefix, with the 10.0.0.0/8 coming only from R1 and the 22.214.171.124/8 coming only from R2. The disadvantage of this application however is that we cannot distinguish prefixes based on their netmask. For example we could not say that we want to receive prefix 172.16.0.0/16 from only R1 and prefix 172.16.0.0/24 only from R2. For this implementation in IGP we would use a prefix-list that is called from a distribute-list with the “distribute-list prefix” syntax under the routing process.