Problem: Standard Access List Fails to Capture Subnets


In IP networks, IP prefixes are sliced into different subnets, and the subnet mask carried in the routing table is what identifies each subnet. The current Internet BGP table has many IP prefixes with identical network numbers but different masks. Example 15-98 shows such a case, in which R4 has three prefixes of 13.13.0.0 with three different masks. To illustrate this point, static routes are created in R4, as shown by the output in Example 15-98. Furthermore, these static routes are advertised in BGP by the redistribute static command.

Example 15-98 Three Different Masked Static Routes of Same Network and Their Advertisement in BGP
 R4# show ip route static
      13.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
 S       13.13.0.0/20 is directly connected, Serial 0
 S       13.13.0.0/16 is directly connected, Serial 1
 S       13.13.1.0/24 is directly connected, Serial 2
 R4#
 router bgp 2
  redistribute static
  neighbor 131.108.1.1 remote-as 1
  no auto-summary

R1 is an EBGP neighbor of R4. R1's goal is to receive only 13.13.0.0/16 and to filter any more-specific routes of 13.13.0.0. Typically, R1 would use some sort of filtering to block these unwanted, more-specific routes. Distribute lists are commonly used to block or allow paths in BGP. A BGP operator might use a standard or extended access list in concert with a distribute list. Standard access lists do not allow filtering based on the subnet mask of the route, and this is the most common mistake that BGP operators make when applying standard access lists in distribute lists. Chapter 14 describes in some detail the difference between standard and extended access lists when used with distribute lists or in route maps.

Figure 15-53 shows the flowchart to follow to resolve this problem.

Figure 15-53. Problem-Resolution Flowchart

Debugs and Verification

Example 15-99 shows the BGP configuration of R1, with neighbor relationships and the distribute-list command using access list 1.

Example 15-99 BGP Configuration in R1 Using Standard Access List in distribute-list Command
 R1#
 router bgp 1
  neighbor 131.108.1.2 remote-as 2
  neighbor 131.108.1.2 distribute-list 1 in
 access-list 1 permit 13.13.0.0 0.0.255.255

The distribute-list 1 in command means that any BGP update that comes from 131.108.1.2 will be examined by access list 1.

Access list 1 has a permit statement for 13.13.0.0 with an exact match of the first two octets (13.13); it doesn't care about the last two octets (0.0).

Standard access list 1 makes no mention of the mask of 13.13.0.0, so all masks are accepted. The output in Example 15-100 shows that the BGP table in R1 is receiving all three masks of 13.13.0.0.

Example 15-100 Mask of BGP Update Is Ignored When a Distribute List Uses a Standard Access List
 R1# show ip bgp
 BGP table version is 5, local router ID is 141.108.13.1
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
 Origin codes: i - IGP, e - EGP, ? - incomplete

    Network          Next Hop          Metric LocPrf Weight Path
 *> 13.13.0.0/20     131.108.1.2            0             0 2 ?
 *> 13.13.0.0/16     131.108.1.2            0             0 2 ?
 *> 13.13.1.0/24     131.108.1.2            0             0 2 ?

Solution

Use extended access lists or prefix lists, which support a proper mask check of routes received in BGP. Example 15-101 shows the use of extended access list 101, which checks not only the network number (13.13.0.0) but also the mask of the update.

Example 15-101 Extended Access List Checks the Subnet Mask of the Prefix
 R1#
 router bgp 1
  neighbor 131.108.1.2 remote-as 2
  neighbor 131.108.1.2 distribute-list 101 in
 access-list 101 permit ip 13.13.0.0 0.0.255.255 255.255.0.0 0.0.0.0

The extended access list has two parts:

  • The network part, 13.13.0.0 0.0.255.255, which allows 13.13.x.x, where x can be any number between 0 and 255.

  • The mask part, 255.255.0.0 0.0.0.0. With all 0s in the wildcard, the mask can only be 255.255.0.0, meaning /16.

The output in Example 15-102 shows that R1 is receiving only 13.13.0.0/16 after applying this change.

Example 15-102 Confirming Extended Access List Filters Routes Successfully
 R1# show ip bgp
 BGP table version is 5, local router ID is 141.108.13.1
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
 Origin codes: i - IGP, e - EGP, ? - incomplete

    Network          Next Hop          Metric LocPrf Weight Path
 *> 13.13.0.0/16     131.108.1.2            0             0 2 ?
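The following Python model is an added illustration, not code from the book or from Cisco IOS, of why access list 1 lets all three prefixes through while access list 101 admits only the /16. It implements the IOS wildcard-bit rule (a 0 bit in the wildcard means "must match", a 1 bit means "don't care") and applies it the way a distribute list does: a standard ACE tests only the network number, an extended ACE tests the network number and then the subnet mask as a second address/wildcard pair. The class and function names are the example's own, and the third access list (mask wildcard 0.0.255.255) is an assumed variation that goes beyond the page to show how the mask wildcard widens the accepted range of masks; it is included to explain the mechanism, not taken from the text.

```python
import ipaddress
from dataclasses import dataclass


def ip_to_int(dotted: str) -> int:
    """Convert dotted-quad text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits where the wildcard is 0 must be equal,
    bits where the wildcard is 1 are ignored."""
    differing = ip_to_int(value) ^ ip_to_int(pattern)
    must_match = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (differing & must_match) == 0


@dataclass(frozen=True)
class StandardAce:
    """access-list <1-99> permit <network> <wildcard>: only the network number is tested."""
    network: str
    wildcard: str

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        # The prefix length / subnet mask is never looked at.
        return wildcard_match(str(prefix.network_address), self.network, self.wildcard)


@dataclass(frozen=True)
class ExtendedAce:
    """access-list <100-199> permit ip <network> <wildcard> <mask> <mask-wildcard>:
    in a distribute list the second pair is compared against the route's subnet mask."""
    network: str
    net_wildcard: str
    mask: str
    mask_wildcard: str

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        return (wildcard_match(str(prefix.network_address), self.network, self.net_wildcard)
                and wildcard_match(str(prefix.netmask), self.mask, self.mask_wildcard))


def filter_updates(aces, prefixes):
    """Apply the access list as an inbound distribute list: the first matching
    permit ACE admits the route; a route matching nothing hits the implicit deny."""
    accepted = []
    for text in prefixes:
        route = ipaddress.IPv4Network(text)
        if any(ace.matches(route) for ace in aces):
            accepted.append(text)
    return accepted


# The three routes R4 redistributes into BGP in Example 15-98.
R4_UPDATES = ["13.13.0.0/20", "13.13.0.0/16", "13.13.1.0/24"]

# access-list 1 permit 13.13.0.0 0.0.255.255            (Example 15-99)
ACL_1 = [StandardAce("13.13.0.0", "0.0.255.255")]

# access-list 101 permit ip 13.13.0.0 0.0.255.255 255.255.0.0 0.0.0.0   (Example 15-101)
ACL_101 = [ExtendedAce("13.13.0.0", "0.0.255.255", "255.255.0.0", "0.0.0.0")]

# Assumed variation, not from the page: mask wildcard 0.0.255.255 pins only the
# first 16 mask bits, so /16 and every longer contiguous mask are accepted.
ACL_102 = [ExtendedAce("13.13.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255")]


def standard_result():
    """What R1 keeps with distribute-list 1 in (Example 15-100)."""
    return filter_updates(ACL_1, R4_UPDATES)


def extended_result():
    """What R1 keeps with distribute-list 101 in (Example 15-102)."""
    return filter_updates(ACL_101, R4_UPDATES)


def mask_range_result():
    """What the assumed access-list 102 would keep (/16 and longer)."""
    return filter_updates(ACL_102, R4_UPDATES)


if __name__ == "__main__":
    print("access-list 1  :", standard_result())    # all three masks
    print("access-list 101:", extended_result())    # only 13.13.0.0/16
    print("access-list 102:", mask_range_result())  # all three again
```

The two ACEs differ only in whether the subnet mask is compared at all, which is the whole point of the problem: a standard access list has no field for it. Note that the mask part compares bit-for-bit against the route's mask, so 255.255.0.0 0.0.0.0 accepts exactly /16, while loosening the mask wildcard accepts a range of prefix lengths, which is the same effect a prefix list expresses with a length range.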
Troubleshooting IP Routing Protocols (CCIE Professional Development Series)
ISBN: 1587050196
Year: 2002
Pages: 260
