BGP redistribute route-map question.
in [Cisco]
|
From: John Agosta on 27 Apr 2010 15:22 "bod43" <Bod43(a)hotmail.co.uk> wrote in message news:28211d45-e146-4f66-b26f-7b4dcf87c7bf(a)u31g2000yqb.googlegroups.com... On 27 Apr, 08:40, Rob <nom...(a)example.com> wrote: > crzzy1 <cozz...(a)hotmail.com> wrote: > > On Apr 23, 11:27 am, crzzy1 <cozz...(a)hotmail.com> wrote: > >> ------- > >> I have a customer that has the config below. > >> I would never write it like this, and use a standard ACL or distribute > >> list instead. > >> but to my surprise, this is allowing every static route to go be > >> advertised.. > >> I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no > >> matches and that the explicit deny would deny everything. > >> But NOOO... the acl is matching everything. > > >> Can someone explain this? > > >> Cisco# > >> router bgp 65001 > >> redistribute static route-map redist-stat > > >> route-map redist-stat permit 10 > >> match ip address ALLOW-Default > > >> ip access-list extended ALLOW-Default > >> permit ip host 0.0.0.0 host 0.0.0.0 > > >> Thorofare#sh ip route 167.219.88.146 > >> Routing entry for 167.219.88.146/32 > >> Known via "static", distance 1, metric 0 > >> Redistributing via bgp 65001 > >> Advertised by bgp 65001 route-map redist-stat > >> snip > > >> Thorofare#sh access-l ALLOW-Default > >> Extended IP access list ALLOW-Default > >> 10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches) > > >> Thanks,Crzzy1 > >> ------- > > > Would anyone like to take a stab at how I am getting so many matches > > on my ACL? > > It could be that "host 0.0.0.0" actually is the internal coding for "any" > in an access list. > Although I would expect that it would come back as "permit ip any any" > on show running-config. Ah wait a minute!!! Surely these should be standard ACLs? What does ANY extended ACL mean in the context of route filtering? What is the source, what is the dest.? I'm stumped as to why you are seeing so many matches. But as to your other question..... Extended ACLs have always ben a tool used in route filtering. For instance, if I wanted to look for any route at all which had an exact msk of /19: access-list 199 permit ip 0.0.0.0 255.255.0.0 255.255.224.0 0.0.0.0 This is saying look for a route which looks like this x.x.0.0 (0.0.0.0 255.255.0.0) AND has an exact mask of 255.255.224.0 (255.255.224.0 0.0.0.0) Using extended ACLs for purposes such as this has been around for a while, before prefix lists, I beleive. An extended ACL is not always looking for source and destination addresses, you see...... -ja
From: crzzy1 on 28 Apr 2010 14:41 On Apr 27, 3:22 pm, "John Agosta" <jago...(a)wideopenwest.com> wrote: > "bod43" <Bo...(a)hotmail.co.uk> wrote in message > > news:28211d45-e146-4f66-b26f-7b4dcf87c7bf(a)u31g2000yqb.googlegroups.com... > On 27 Apr, 08:40, Rob <nom...(a)example.com> wrote: > > > > >crzzy1<cozz...(a)hotmail.com> wrote: > > > On Apr 23, 11:27 am,crzzy1<cozz...(a)hotmail.com> wrote: > > >> ------- > > >> I have a customer that has the config below. > > >> I would never write it like this, and use a standard ACL or distribute > > >> list instead. > > >> but to my surprise, this is allowing every static route to go be > > >> advertised.. > > >> I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no > > >> matches and that the explicit deny would deny everything. > > >> But NOOO... the acl is matching everything. > > > >> Can someone explain this? > > > >> Cisco# > > >> router bgp 65001 > > >> redistribute static route-map redist-stat > > > >> route-map redist-stat permit 10 > > >> match ip address ALLOW-Default > > > >> ip access-list extended ALLOW-Default > > >> permit ip host 0.0.0.0 host 0.0.0.0 > > > >> Thorofare#sh ip route 167.219.88.146 > > >> Routing entry for 167.219.88.146/32 > > >> Known via "static", distance 1, metric 0 > > >> Redistributing via bgp 65001 > > >> Advertised by bgp 65001 route-map redist-stat > > >> snip > > > >> Thorofare#sh access-l ALLOW-Default > > >> Extended IP access list ALLOW-Default > > >> 10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches) > > > >> Thanks,Crzzy1 > > >> ------- > > > > Would anyone like to take a stab at how I am getting so many matches > > > on my ACL? > > > It could be that "host 0.0.0.0" actually is the internal coding for "any" > > in an access list. > > Although I would expect that it would come back as "permit ip any any" > > on show running-config. > > Ah wait a minute!!! Surely these should be standard ACLs? > What does ANY extended ACL mean in the context of > route filtering? What is the source, what is the dest.? > > I'm stumped as to why you are seeing so many matches. > But as to your other question..... > Extended ACLs have always ben a tool used in route filtering. > > For instance, if I wanted to look for any route at all which had an exact > msk of /19: > > access-list 199 permit ip 0.0.0.0 255.255.0.0 255.255.224.0 0.0.0.0 > > This is saying look for a route which looks like this x.x.0.0 (0.0..0.0 > 255.255.0.0) > > AND has an exact mask of 255.255.224.0 (255.255.224.0 0.0.0.0) > > Using extended ACLs for purposes such as this has been around for a while, > before prefix lists, I beleive. > An extended ACL is not always looking for source and destination addresses, > you see...... > > -ja I see no reason to use an extended ACL for redistribution. Just a standard ACL or a distribute list will do. I agree with Rob (also BOD43), that this is probably a bug, Rob is right in asking who would ever use it for this purpose, and therefore test it for this, or even care? Crzzy1
From: John Agosta on 30 Apr 2010 00:13 "crzzy1" <cozzmo1(a)hotmail.com> wrote in message news:c9667162-1595-4c6f-ab7e-d1fd8ad342a4(a)i9g2000yqi.googlegroups.com... On Apr 27, 3:22 pm, "John Agosta" <jago...(a)wideopenwest.com> wrote: > "bod43" <Bo...(a)hotmail.co.uk> wrote in message > > news:28211d45-e146-4f66-b26f-7b4dcf87c7bf(a)u31g2000yqb.googlegroups.com... > On 27 Apr, 08:40, Rob <nom...(a)example.com> wrote: > > > > >crzzy1<cozz...(a)hotmail.com> wrote: > > > On Apr 23, 11:27 am,crzzy1<cozz...(a)hotmail.com> wrote: > > >> ------- > > >> I have a customer that has the config below. > > >> I would never write it like this, and use a standard ACL or > > >> distribute > > >> list instead. > > >> but to my surprise, this is allowing every static route to go be > > >> advertised.. > > >> I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no > > >> matches and that the explicit deny would deny everything. > > >> But NOOO... the acl is matching everything. > > > >> Can someone explain this? > > > >> Cisco# > > >> router bgp 65001 > > >> redistribute static route-map redist-stat > > > >> route-map redist-stat permit 10 > > >> match ip address ALLOW-Default > > > >> ip access-list extended ALLOW-Default > > >> permit ip host 0.0.0.0 host 0.0.0.0 > > > >> Thorofare#sh ip route 167.219.88.146 > > >> Routing entry for 167.219.88.146/32 > > >> Known via "static", distance 1, metric 0 > > >> Redistributing via bgp 65001 > > >> Advertised by bgp 65001 route-map redist-stat > > >> snip > > > >> Thorofare#sh access-l ALLOW-Default > > >> Extended IP access list ALLOW-Default > > >> 10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches) > > > >> Thanks,Crzzy1 > > >> ------- > > > > Would anyone like to take a stab at how I am getting so many matches > > > on my ACL? > > > It could be that "host 0.0.0.0" actually is the internal coding for > > "any" > > in an access list. > > Although I would expect that it would come back as "permit ip any any" > > on show running-config. > > Ah wait a minute!!! Surely these should be standard ACLs? > What does ANY extended ACL mean in the context of > route filtering? What is the source, what is the dest.? > > I'm stumped as to why you are seeing so many matches. > But as to your other question..... > Extended ACLs have always ben a tool used in route filtering. > > For instance, if I wanted to look for any route at all which had an exact > msk of /19: > > access-list 199 permit ip 0.0.0.0 255.255.0.0 255.255.224.0 0.0.0.0 > > This is saying look for a route which looks like this x.x.0.0 (0.0.0.0 > 255.255.0.0) > > AND has an exact mask of 255.255.224.0 (255.255.224.0 0.0.0.0) > > Using extended ACLs for purposes such as this has been around for a while, > before prefix lists, I beleive. > An extended ACL is not always looking for source and destination > addresses, > you see...... > > -ja > I see no reason to use an extended ACL for redistribution. Just a >standard ACL or a distribute list will do. >I agree with Rob (also BOD43), that this is probably a bug, Rob is >right in asking who would ever use it for this purpose, and therefore >test it for this, or even care? >Crzzy1 Again, I don't know why all the matches, either. I was simply pointing out that using an extended ACL for the purpose of route filtering is an available tool, and when doing so the commonly understood idea of "Source_Add +wcm" / "Dest_Add + wcm" doesn't apply... -ja
First
|
Prev
|
Pages: 1 2 Prev: How can you get an incomplete ARP? Next: Vista Smart Security virus (fake program) |