Prefix List filtering and Local Pref at bottom:
- A route-matching system that is better than ACLs: improved processor utilization and better subnet-mask matching.
- A TWO-stage match: match the network first, then match the mask.
example:
ip prefix-list NEWLIST permit 172.30.0.0/16 le 20
                               (Network)     (mask)
ip prefix-list NEWLIST permit 172.30.0.0/16 ge 24 le 24 === exactly /24.
ip prefix-list NEWLIST permit 172.30.0.0/16 ge 24 le 30 === subnet mask between /24 and /30.
ip prefix-list NEWLIST permit 0.0.0.0/0 === This does NOT match everything. It matches ONLY that exact route: the default route.
ip prefix-list NEWLIST permit 0.0.0.0/0 le 32 === This matches everything. Permit any.
ip prefix-list NEWLIST permit 0.0.0.0/0 ge 32 === This matches only host routes, i.e. all /32s.
ip prefix-list NEWLIST permit 0.0.0.0/1 ge 24 le 24 === Any class A address with a /24 subnet mask. The /1 only checks the first bit of the first octet, which is 0 (0-------) for class A.
class A: 0-127 (first bit 0----)
class B: 128-192 (first bits 10---)
class C: 192-223 (first bits 110--)
ip prefix-list NEWLIST-PF permit 128.0.0.0/2 ge 16 === Any class B network with a mask of /16.
128 = 10000000 = class B (first bits 10).
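As an added illustration (not part of the original notes), here is a small Python model of the two-stage match a prefix-list entry performs, so the `0.0.0.0/0` versus `0.0.0.0/0 le 32` and the `ge`/`le` cases above can be checked by hand. The helper names `entry_matches` and `prefix_list_action` are hypothetical, and the sample list at the bottom is constructed, not the page's exact config.

```python
import ipaddress
from typing import Optional, Sequence, Tuple


def entry_matches(entry: str, route: str) -> bool:
    """True if a route such as '172.30.16.0/20' matches one prefix-list
    entry written like '172.30.0.0/16 ge 24 le 30' (hypothetical helper)."""
    parts = entry.split()
    base = ipaddress.ip_network(parts[0], strict=False)
    ge: Optional[int] = None
    le: Optional[int] = None
    for key, val in zip(parts[1::2], parts[2::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
        else:
            raise ValueError(f"unknown keyword {key!r} in {entry!r}")
    # Stage 2 bounds: no ge/le means the mask must equal the entry's own
    # length exactly; ge alone runs up to /32; le alone starts at the entry's length.
    lo = ge if ge is not None else base.prefixlen
    hi = le if le is not None else (32 if ge is not None else base.prefixlen)
    if not base.prefixlen <= lo <= hi <= 32:
        raise ValueError(f"nonsense ge/le range in {entry!r}")
    net = ipaddress.ip_network(route, strict=False)
    # Stage 1: only the first base.prefixlen bits of the route are compared.
    if net.network_address not in base:
        return False
    # Stage 2: the route's own mask length must fall inside [lo, hi].
    return lo <= net.prefixlen <= hi


def prefix_list_action(entries: Sequence[Tuple[str, str]], route: str) -> str:
    """Walk a whole prefix-list top to bottom, first match wins; a route that
    matches no entry hits the implicit deny at the end."""
    for action, entry in entries:
        if entry_matches(entry, route):
            return action
    return "deny"


# Constructed sample list modelled on the notes' NEWLIST.
NEWLIST = [("permit", "172.30.0.0/16 le 20")]

if __name__ == "__main__":
    for e, r in [("0.0.0.0/0", "10.0.0.0/8"), ("0.0.0.0/0 le 32", "10.0.0.0/8"),
                 ("0.0.0.0/1 ge 24 le 24", "172.16.1.0/24")]:
        print(f"{e:28} {r:16} -> {entry_matches(e, r)}")
    print(prefix_list_action(NEWLIST, "172.30.16.0/20"))  # permit
    print(prefix_list_action(NEWLIST, "172.30.16.0/24"))  # deny (implicit)
```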
Example:
conf t
router bgp 500
neighbor 1.1.1.1 prefix-list NEWLIST in === routes coming in are filtered.
show ip prefix-list
clear ip bgp 1.1.1.1
example 2:
route-map SET-LP permit 10
 match ip address prefix-list NEWLIST-PF
 set local-preference 9000
route-map SET-LP permit 20 ==== THIS NEEDS TO BE IN to permit everything else at the end; otherwise routes not matched by this route-map are filtered.
neighbor 1.1.1.1 route-map SET-LP in == as routes come in from the neighbor, change their Local Pref.
9/24/2015
BGP AS Path Access-list / filtering
permit ...
deny ...
permit ...
permit .* === permit all at the end.
Example 1:
conf t
ip as-path access-list 1 deny ^300_ -- matches everything whose most recent AS is 300; or use _300_ to deny anywhere 300 appears in the path.
ip as-path access-list 1 permit .* === need this, else there's an implicit deny all.
route-map FILTER_300 permit 10
match as-path 1 === to match list 1 OR 2 OR 3 OR 4, put them on one line: match as-path 1 2 3 4.
router bgp 500
neighbor 1.1.1.1 route-map FILTER_300 out
Example 2:
Match AS 500 in the path and set weight 1000, so routes from that neighbor are preferred.
ip as-path access-list 10 permit _500_
route-map INFLUENCE permit 10
match as-path 10
set weight 1000
router bgp 200
neighbor 199.9.9.2 route-map INFLUENCE in == routes from that neighbor pass through the route map and get weight 1000, so outbound traffic prefers the path via that neighbor.
BGP Regular Expression hints
RegEX:
^ matches the beginning of input.
$ matches the end of input.
| (pipe) a logical "or".
. (period) matches a SINGLE character.
+ matches the character to the left 1 or more times.
* matches the character to the left 0 or more times.
? matches the character to the left 0 or 1 times.
\ removes special meaning from the next character.
( ) affects order of operations (grouping).
[ ] creates a group (set) of characters.
_ white space, used as the delimiter between AS numbers.
Examples:
150.1.1.0/24
AS Path: 6733 982 43 239 852 4439 10295 6010 10
1. only match 43: _43_
2. only match 43 or 10: _43_|_10_
3. only match paths whose most recent AS is 6733: ^6733 --- begins with 6733; the path reads left to right, most recent AS first.
4. only match routes originated by AS 10: _10$ -- matches the end of the string, which is the originating AS.
(_33_|_44_)_982_ === match EITHER 33 OR 44 FOLLOWED BY 982.
^6733_. ==== matches paths whose most recent AS is 6733 with something after it, i.e. not originated by 6733. The period is 1 character, and because nothing anchors the end, it matches any number of ASes after 6733.
^[0-9]+$ ==== the + repeats the digit class to its left one or more times, anchored at both ends: matches a path of exactly one AS.
[300]+ === match 300 one or more times.
AS 300 300 300 300
to match 300 again and again:
^(300)+$
^([0-9]+)(_\1)*$ === one or more digits (AS 1234, 555, etc.) captured as \1, then the same AS repeated zero or more times: matches ANY path that is a single AS prepended.
5. Match routes originated in my own AS (internal routes only). Inside our AS the path is empty; the AS is only added when the route leaves our AS.
^$
6. ^\(64512\) == the backslash removes the special meaning of the parentheses.
If the AS path is: (6733 982) 43 239 852 4439
the ASes inside the parentheses are the Confederation sub-ASes.
7. Match everything: .*