Tuesday, April 12, 2011

Lab 105 - BGP Filtering using Extended ACL

Prerequisites: CCNP level skills.

Topology

Personal Note!
I'm physically exhausted today. If you can't run, try to walk. One post must do today.

Pic. 1 - Topology Diagram.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task 1
On R5 add the following loopbacks and advertise them into BGP.
  • Loopback 1 = 10.55.55.1 255.255.255.240
  • Loopback 2 = 10.55.55.17 255.255.255.240
  • Loopback 3 = 10.55.20.1 255.255.255.240
  • Loopback 4 = 10.55.20.17 255.255.255.240
Task 2
On R4 use an extended ACL to filter out all prefixes with an odd third octet using /28 or longer network mask.

Solution

Task 1
On R5 add the following loopbacks and advertise them into BGP.
  • Loopback 1 = 10.55.55.1 255.255.255.240
  • Loopback 2 = 10.55.55.17 255.255.255.240
  • Loopback 3 = 10.55.20.1 255.255.255.240
  • Loopback 4 = 10.55.20.17 255.255.255.240
R5 Configuration:
!
interface Loopback1
 ip address 10.55.55.1 255.255.255.240
!
interface Loopback2
 ip address 10.55.55.17 255.255.255.240
!
interface Loopback3
 ip address 10.55.20.1 255.255.255.240
!
interface Loopback4
 ip address 10.55.20.17 255.255.255.240
!

router bgp 50
 no synchronization
 bgp router-id 172.16.105.5
 bgp log-neighbor-changes
 network 10.55.20.0 mask 255.255.255.240
 network 10.55.20.16 mask 255.255.255.240
 network 10.55.55.0 mask 255.255.255.240
 network 10.55.55.16 mask 255.255.255.240
 network 172.16.105.0 mask 255.255.255.0
 neighbor 10.1.35.3 remote-as 30
 no auto-summary
!

Verification:
Pic. 2 - R4 Receives New Subnets.

Task 2
On R4 use an extended ACL to filter out all prefixes with an odd third octet using /28 or longer network mask.

R4 Configuration:
!
access-list 100 deny ip 0.0.1.0 255.255.254.255 255.255.255.240 0.0.0.15
access-list 100 permit ip any any
!
router bgp 124
 no synchronization
 bgp router-id 172.16.104.4
 bgp log-neighbor-changes
 network 172.16.104.0 mask 255.255.255.0
 network 172.16.144.0 mask 255.255.255.0
 neighbor 10.1.14.1 remote-as 124
 neighbor 10.1.14.1 route-reflector-client
 neighbor 10.1.14.1 distribute-list 100 in
 neighbor 10.1.24.2 remote-as 124
 neighbor 10.1.24.2 route-reflector-client
 neighbor 10.1.24.2 distribute-list 100 in
 no auto-summary
!

Notice!
Even though extended ACLs are not a convenient tool for complex matches, they can be used this way. When an extended ACL is applied as a BGP distribute-list, the source address/wildcard pair (0.0.1.0 255.255.254.255) is compared with the network portion of the prefix, so only prefixes whose third octet has its lowest bit set (an odd number) match. The destination address/wildcard pair (255.255.255.240 0.0.0.15) is compared with the subnet mask and matches 255.255.255.240 through 255.255.255.255, i.e. a prefix length of /28 or longer.

Verification:
Pic. 3 - BGP Table on R4.

Notice!
10.55.55.0/28 and 10.55.55.16/28 have been filtered out because their third octet (55) is an odd number AND their network mask length is /28. The 10.55.20.0/28 and 10.55.20.16/28 prefixes have an even third octet, so they are still accepted.
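As an added example (not part of the original post and not a Cisco tool), the Python below models how IOS evaluates this extended ACL when it is applied as a BGP distribute-list: the source address/wildcard pair is tested against the network and the destination pair against the subnet mask, with the implicit deny at the end. The prefixes from Task 1 are embedded as constructed input, together with two constructed prefixes (10.1.3.0/24 and 10.1.3.0/30) that show the /28-or-longer boundary the lab does not exercise.

```python
import ipaddress

# Constructed for this example: access-list 100 from the R4 configuration,
# written as (action, source, source-wildcard, destination, destination-wildcard).
ACL_100 = [
    ("deny", "0.0.1.0", "255.255.254.255", "255.255.255.240", "0.0.0.15"),
    # "permit ip any any": every bit of both fields is don't-care.
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def _ip_int(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value, address, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard is don't-care; every
    other bit of `value` must equal the corresponding bit of `address`."""
    care_bits = ~_ip_int(wildcard) & 0xFFFFFFFF
    return ((_ip_int(value) ^ _ip_int(address)) & care_bits) == 0


def acl_action(acl, prefix):
    """Return 'permit' or 'deny' for a prefix, the way a BGP distribute-list
    evaluates an extended ACL: the source pair is matched against the network
    address, the destination pair against the subnet mask. First match wins;
    no match means the implicit deny."""
    net = ipaddress.IPv4Network(prefix)
    network = str(net.network_address)
    mask = str(net.netmask)
    for action, src, src_wc, dst, dst_wc in acl:
        if wildcard_match(network, src, src_wc) and wildcard_match(mask, dst, dst_wc):
            return action
    return "deny"


def filter_prefixes(acl, prefixes):
    """Map each prefix to the ACL verdict R4 would apply on the inbound update."""
    return {p: acl_action(acl, p) for p in prefixes}


# Constructed input: the four Task 1 loopbacks, R5's own 172.16.105.0/24, and
# two extra prefixes with an odd third octet on either side of the /28 boundary.
R5_PREFIXES = [
    "10.55.55.0/28", "10.55.55.16/28", "10.55.20.0/28", "10.55.20.16/28",
    "172.16.105.0/24", "10.1.3.0/24", "10.1.3.0/30",
]

if __name__ == "__main__":
    for prefix, verdict in filter_prefixes(ACL_100, R5_PREFIXES).items():
        print(f"{prefix:18} {verdict}")
```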