BGP redistribute route-map question.

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View



-------
I have a customer that has the config below.
I would never write it like this, and use a standard ACL or distribute
list instead.
but to my surprise, this is allowing every static route to go be
advertised..
I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
matches and that the explicit deny would deny everything.
But NOOO... the acl is matching everything.

Can someone explain this?


Cisco#
router bgp 65001
redistribute static route-map redist-stat

route-map redist-stat permit 10
 match ip address ALLOW-Default

ip access-list extended ALLOW-Default
 permit ip host 0.0.0.0 host 0.0.0.0

Thorofare#sh ip route 167.219.88.146
Routing entry for 167.219.88.146/32
  Known via "static", distance 1, metric 0
  Redistributing via bgp 65001
  Advertised by bgp 65001 route-map redist-stat
snip


Thorofare#sh access-l ALLOW-Default
Extended IP access list ALLOW-Default
    10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)

Thanks,
Crzzy1
-------

Re: BGP redistribute route-map question.


Quoted text here. Click to load it

Would anyone like to take a stab at how I am getting so many matches
on my ACL?

Thanks,
Crzzy1


Re: BGP redistribute route-map question.



Quoted text here. Click to load it

Would anyone like to take a stab at how I am getting so many matches
on my ACL?

Thanks,
Crzzy1


Beats me. Almost seems that the matches really coincide
with the implicit deny all at the end.
Don't understand why these host matches get a match, either.

I'd like to see what happens with a "deny" on line 10 instead of a permit,
and a "permit any any" at line 20.......





Re: BGP redistribute route-map question.


Quoted text here. Click to load it

It could be that "host 0.0.0.0" actually is the internal coding for "any"
in an access list.
Although I would expect that it would come back as "permit ip any any"
on show running-config.

Re: BGP redistribute route-map question.


Quoted text here. Click to load it

Ah wait a minute!!!  Surely these should be standard ACLs?
What does ANY extended ACL mean in the context of
route filtering? What is the source, what is the dest.?


I have written the stuff below now so I will leave it in
but I can't see that it is relevant given the above.

Might just be a bug, after all who is going to test
such an ACL?

10 permit ip host 0.0.0.0 host 0.0.0.0
  is synonymous with
10 permit ip  0.0.0.0  0.0.0.0    0.0.0.0  0.0.0.0

ie all zeros IP address with no wildcard bits.

I suppose that the BGP process might interpret that
as a default route or something but that would be a bug.

Surely the answer is to get rid of that line in the ACL and
put in what is required?

Usually all routes would be of course
perm ip 0.0.0.0 255.255.255.255  0.0.0.0 255.255.255.255

zeros IP address with all bits wildcarded.



Re: BGP redistribute route-map question.



Quoted text here. Click to load it

Ah wait a minute!!!  Surely these should be standard ACLs?
What does ANY extended ACL mean in the context of
route filtering? What is the source, what is the dest.?


I'm stumped as to why you are seeing so many matches.
But as to your other question.....
Extended ACLs have always ben a tool used in route filtering.

For instance, if I wanted to look for any route at all which had an exact
msk of /19:

access-list 199 permit ip 0.0.0.0 255.255.0.0 255.255.224.0 0.0.0.0

This is saying look for a route which looks like this x.x.0.0    (0.0.0.0
255.255.0.0)

AND has an exact mask of 255.255.224.0   (255.255.224.0  0.0.0.0)

Using extended ACLs for purposes such as this has been around for a while,
before prefix lists, I beleive.
An extended ACL is not always looking for source and destination addresses,
you see......

-ja



Re: BGP redistribute route-map question.


Quoted text here. Click to load it


 I see no reason to use an extended ACL for redistribution. Just a
standard ACL or a distribute list will do.
I agree with Rob (also BOD43), that this is probably a bug, Rob is
right in asking who would ever use it for this purpose, and therefore
test it for this, or even care?

Crzzy1

Re: BGP redistribute route-map question.



Quoted text here. Click to load it






Again, I don't know why all the matches, either.
I was simply pointing out that using an extended ACL for the purpose of
route
filtering is an available tool, and when doing so the commonly understood
idea of
"Source_Add +wcm" / "Dest_Add + wcm" doesn't apply...

-ja



Site Timeline