Thursday, June 16, 2011

Prefix List Quiz

Ok, so, think you are a prefix list wiz?

1. ip prefix-list MatchList permit 192.168.0.0/16
192.168.0.0/8 NOT A MATCH
192.168.0.0/24 NOT A MATCH
192.168.0.0/16 MATCH (MUST MATCH SUBNET LENGTH EXACTLY)

2. ip prefix-list MatchListGreater permit 10.0.0.0/8 ge 24
10.0.0.0/8 NOT A MATCH
10.9.9.0/24 MATCH (matches the first 8 bits, matches the subnet length)
10.0.0.0/22 NOT A MATCH
10.0.0.0/28 MATCH
10.0.0.0/24 MATCH

3. ip prefix-list MatchListBetween permit 172.18.0.0/16 ge 20 le 24
172.18.0.0/16 NOT A MATCH
172.18.0.0/30 NOT A MATCH
172.18.1.0/24 MATCH
172.18.1.0/23 MATCH
172.18.0.0/20 MATCH



Remember -
1. If there is no ge or le, the / notation MUST MATCH the subnet mask. (basically must match your route exactly)

2. If there is a ge or le, the / notation only tells you which bits of the address to match; the le and/or ge tell you which mask lengths to look for.


Need to read the explanation again? Click Here

Wednesday, June 15, 2011

Prefix List in BGP

Ok, so yesterday we took a quick look at prefix lists. Let's try a real-world example in BGP. Say your ISP is pushing you hundreds of routes but all you want to receive is a default route.

#router bgp 65001
#neighbor 1.1.1.1 remote-as 65002
#neighbor 1.1.1.1 route-map RouteFilter in

#route-map RouteFilter permit 10
#match ip address prefix-list defaultOnly

#ip prefix-list defaultOnly seq 10 permit 0.0.0.0/0

So what have I done here?
First we neighbored with AS 65002 and applied the route-map RouteFilter inbound (filtering the routes we receive from our neighbor).
Then we created a route-map that requires a match against the prefix list defaultOnly.

Last we created a prefix-list that requires the route to match 0.0.0.0/0 exactly (i.e. only the default route). Any route that matches no permit entry hits the implicit deny at the end of the route-map and is dropped, which is what gets rid of the hundreds of other routes.

If we had two or more ISPs, we could add

match as-path ##
set weight 120

then make another route-map entry like the one above and set the weight to 110 for the other ISP's default route. Then we have successfully filtered out all incoming routes except default routes, and weighted our preferred path by giving that AS the higher weight.
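To see the route-map logic end to end, here is a small Python model of the inbound filter described in this post, extended with the two-ISP weight scheme. It is an added example, not the post's own configuration or anything from Cisco IOS. The second ISP's AS number 65003, the received routes (documentation prefixes) and the "first AS in the path" check standing in for `match as-path ##` are assumptions made for the example.

```python
# Added example (not from the post): a model of the inbound route-map
# RouteFilter with the prefix-list defaultOnly, extended to the two-ISP
# weight scheme described above. The second ISP's AS 65003, the received
# routes and the "first AS in the path" stand-in for `match as-path ##`
# are constructed for this example.
from ipaddress import ip_network

DEFAULT_ROUTE = ip_network("0.0.0.0/0")


def prefix_list_default_only(prefix):
    """ip prefix-list defaultOnly seq 10 permit 0.0.0.0/0
    No ge/le keyword, so only the exact prefix 0.0.0.0/0 matches."""
    return ip_network(prefix, strict=False) == DEFAULT_ROUTE


def as_path_from(asn):
    """Stand-in for `match as-path ##` (an as-path access-list): true when the
    route's AS_PATH starts with the neighbouring ISP's AS number."""
    return lambda route: route["as_path"][:1] == [asn]


# route-map RouteFilter, evaluated top-down; each entry = (match clauses, set actions).
ROUTE_FILTER = [
    # permit 10: match ip address prefix-list defaultOnly / match as-path (ISP A, 65002) / set weight 120
    ([lambda r: prefix_list_default_only(r["prefix"]), as_path_from(65002)], {"weight": 120}),
    # permit 20: same prefix-list, ISP B (65003, constructed) / set weight 110
    ([lambda r: prefix_list_default_only(r["prefix"]), as_path_from(65003)], {"weight": 110}),
]


def apply_route_map(route_map, received):
    """Evaluate each received route against the route-map entries in order.
    The first entry whose match clauses all succeed permits the route and
    applies its set actions; a route that matches no entry hits the implicit
    deny at the end of the route-map and is dropped."""
    accepted = []
    for route in received:
        for matches, sets in route_map:
            if all(m(route) for m in matches):
                accepted.append({**route, **sets})
                break
    return accepted


# Constructed sample of what two ISPs might advertise (documentation prefixes).
RECEIVED = [
    {"prefix": "0.0.0.0/0",       "as_path": [65002]},
    {"prefix": "203.0.113.0/24",  "as_path": [65002, 64496]},
    {"prefix": "198.51.100.0/24", "as_path": [65002, 64497]},
    {"prefix": "0.0.0.0/0",       "as_path": [65003]},
    {"prefix": "192.0.2.0/24",    "as_path": [65003, 64498]},
]


def filtered_table(received=RECEIVED):
    """Apply RouteFilter and return {first AS in path: weight} for the
    routes that survived, so the outcome is easy to inspect."""
    return {r["as_path"][0]: r["weight"] for r in apply_route_map(ROUTE_FILTER, received)}


if __name__ == "__main__":
    for route in apply_route_map(ROUTE_FILTER, RECEIVED):
        print(route)
```

Only the two default routes survive, with weight 120 from 65002 and 110 from 65003; everything else falls through both entries and is dropped by the implicit deny.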

Tuesday, June 14, 2011

Prefix List explanation

A quick touch on prefix lists.

They are for matching, similar to an access list, but they can match on exact subnet mask lengths.

In the simplest form you just have an IP with slash notation, and you are matching that EXACT prefix. For instance:

#ip prefix-list ListName permit 10.1.0.0/16

matches 10.1.0.0 with a /16 mask and nothing else. It will not match 10.1.0.0/18: with no ge or le, the subnet length must match EXACTLY.



But say we are looking to match a bit more than that.

#ip prefix-list ListName permit 10.1.0.0/16 ge 24 le 24

So we need to match the prefix 10.1.0.0 exactly, but we only want to match /24 masks (remember, this is for matching routes, not hosts). So any /24 route that starts with 10.1. will be matched.



So you want a real-life example. Say all my loopback addresses start with 10.99.x.x and I want to match them with a filter. Well, I know all my loopbacks have a /32 mask, so I can put

#ip prefix-list LoopBackMatch permit 10.99.0.0/16 ge 32 le 32

I matched the 10.99 prefix, then looked through those routes and only matched the ones with a /32 mask.

Last example

Since ge means greater than or equal to and le means less than or equal to, we can match a range of masks.

Say all my client routes are 10.x.x.x with /22 masks, and all my switch management, wireless APs, security, and other networks are /24 and /25 masks, and my router links are /30.

#ip prefix-list ClientMatchList permit 10.0.0.0/8 ge 22 le 22
#ip prefix-list ManageNetworksList permit 10.0.0.0/8 ge 24 le 25
#ip prefix-list RouterLinksList permit 10.0.0.0/8 ge 30 le 30

Here I matched the /22 in the first line for client networks.

Then I matched greater than or equal to /24 and less than or equal to /25 to match the other networks.

Lastly I matched /30 subnets for the router links.
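To check these rules against real routes, here is a Python model of IOS prefix-list matching that covers the three cases on this page (no ge/le, ge only, ge and le) and re-grades the Prefix List Quiz above with the answers given there. It is an added example, not the post's own code or anything from Cisco IOS. It assumes IPv4 and permit entries only; the defaults it relies on (ge falls back to the entry's own length, le to 32) are standard IOS behaviour.

```python
# Added example (not from the post): a Python model of Cisco IOS prefix-list
# matching for IPv4. One entry = (network/len, ge, le); ge/le are None when
# the keyword is absent. Used below to re-check the quiz and the post's own
# examples. Deny entries and IPv6 are not modelled.
from ipaddress import ip_network


def prefix_list_matches(entry, route):
    """Return True if `route` (e.g. "10.9.9.0/24") matches a single permit entry.

    Semantics used:
      * no ge and no le -> network bits AND mask length must both match exactly.
      * ge and/or le    -> the entry's /len says how many leading bits of the
                           route must equal the entry; the route's own mask
                           length must lie in [ge, le], where ge defaults to
                           the entry length and le defaults to 32 (IOS behaviour).
    """
    net_str, ge, le = entry
    net = ip_network(net_str, strict=False)
    rt = ip_network(route, strict=False)

    if ge is None and le is None:
        return rt == net  # same network address and same prefix length

    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else 32
    if not (lo <= rt.prefixlen <= hi):
        return False
    # Compare only the first `net.prefixlen` bits of the two network addresses.
    shift = 32 - net.prefixlen
    return (int(rt.network_address) >> shift) == (int(net.network_address) >> shift)


def parse_entry(line):
    """Parse 'ip prefix-list NAME [seq N] permit A.B.C.D/L [ge X] [le Y]'
    (with or without the leading '#' used on this page) into (network, ge, le)."""
    tokens = line.replace("#", "").split()
    net_str = tokens[tokens.index("permit") + 1]
    ge = le = None
    rest = tokens[tokens.index("permit") + 2:]
    for kw, val in zip(rest[::2], rest[1::2]):
        if kw == "ge":
            ge = int(val)
        elif kw == "le":
            le = int(val)
    return (net_str, ge, le)


# The three quiz questions from the page, with the page's stated answers.
QUIZ = [
    ("ip prefix-list MatchList permit 192.168.0.0/16", "192.168.0.0/8", False),
    ("ip prefix-list MatchList permit 192.168.0.0/16", "192.168.0.0/24", False),
    ("ip prefix-list MatchList permit 192.168.0.0/16", "192.168.0.0/16", True),
    ("ip prefix-list MatchListGreater permit 10.0.0.0/8 ge 24", "10.0.0.0/8", False),
    ("ip prefix-list MatchListGreater permit 10.0.0.0/8 ge 24", "10.9.9.0/24", True),
    ("ip prefix-list MatchListGreater permit 10.0.0.0/8 ge 24", "10.0.0.0/22", False),
    ("ip prefix-list MatchListGreater permit 10.0.0.0/8 ge 24", "10.0.0.0/28", True),
    ("ip prefix-list MatchListGreater permit 10.0.0.0/8 ge 24", "10.0.0.0/24", True),
    ("ip prefix-list MatchListBetween permit 172.18.0.0/16 ge 20 le 24", "172.18.0.0/16", False),
    ("ip prefix-list MatchListBetween permit 172.18.0.0/16 ge 20 le 24", "172.18.0.0/30", False),
    ("ip prefix-list MatchListBetween permit 172.18.0.0/16 ge 20 le 24", "172.18.1.0/24", True),
    ("ip prefix-list MatchListBetween permit 172.18.0.0/16 ge 20 le 24", "172.18.1.0/23", True),
    ("ip prefix-list MatchListBetween permit 172.18.0.0/16 ge 20 le 24", "172.18.0.0/20", True),
]


def grade_quiz(quiz=QUIZ):
    """Return the quiz rows where the model disagrees with the stated answer;
    an empty list means every answer on the page checks out."""
    return [row for row in quiz
            if prefix_list_matches(parse_entry(row[0]), row[1]) != row[2]]


if __name__ == "__main__":
    for line, route, expected in QUIZ:
        got = prefix_list_matches(parse_entry(line), route)
        print(f"{line:65} {route:18} {'MATCH' if got else 'NOT A MATCH'}"
              f"{'' if got == expected else '  <-- disagrees with page'}")
```

The same function handles the examples from this post: `10.1.0.0/16` with no keywords rejects `10.1.0.0/18`, `10.99.0.0/16 ge 32 le 32` accepts a /32 loopback under 10.99, and `10.0.0.0/8 ge 24 le 25` accepts a /25 but not a /22.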

As always, let me know if I got something wrong, I am learning!

Try a few examples!

Simple BGP prepending

So, having a baby seems to suck up a lot of time... Anyway,

Getting back to my CCNP studies, let's look at some simple BGP path selection: prepending.

First let's glance at the BGP route selection process.
1. Highest weight (local/Cisco proprietary)
2. Highest Local Preference (propagated in IBGP, stripped from EBGP)
3. Originated by Local Router
4. Prefer shortest AS path
5. Lowest Origin Code
6. Prefer lowest MED
7. EBGP over IBGP
8. Closest IGP neighbor
9. Oldest EBGP
10. Lowest BGP neighbor ID
11. Lowest Neighbor IP address


So, down at step four we are looking at how to manipulate traffic coming into our AS.

Path selection is by AS hops, so if we have two paths into our AS, we make one of them appear to have extra AS hops.

We can use a trusty route map to prepend these extra AS numbers.

We'll use BGP AS 65000 as us, 65010 (10.1.1.1) as the desired path, and 65020 (10.2.2.2) as the less desirable path.

#router bgp 65000
#neighbor 10.2.2.2 route-map PrependASMapSample out
#
#route-map PrependASMapSample permit 10
#set as-path prepend 65000 65000 65000

Now, first notice that you prepend your own AS number; don't use someone else's. I applied the neighbor command to the LESS DESIRABLE AS and attached a route-map that adds three extra AS hops. Now when the adjacent AS 65020 wants to send you traffic, you appear to be 4 hops away instead of just 1. If the path through 65010 is only three hops away, you have just directed traffic through the more desirable ISP. Keep in mind this is only a hint to the other side: AS path length is step four, so a remote AS that sets a higher local preference (step two) on the other path will ignore your prepending.
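To see the decision list above in action, here is a Python model of its first five steps, used to show what the outbound prepend does to the path 65020 selects. It is an added example, not the post's configuration or any vendor's code. The path table, the transit AS 65030 sitting between 65020 and 65010, and the neutral attribute values are constructed for the example.

```python
# Added example (not from the post): a model of the first five steps of the
# best-path list above, used to show how outbound prepending changes what the
# less-desirable neighbour (65020) chooses. The paths, the transit AS 65030
# and the attribute values are constructed for the example.

OUR_AS = 65000


def best_path(paths):
    """Return the best of several paths to one prefix, in the order the post
    lists: highest weight, highest local preference, shortest AS path,
    lowest origin code (IGP=0 < EGP=1 < incomplete=2), lowest MED.
    Steps 7-11 are not modelled; a full tie falls to the first path listed."""
    return min(paths, key=lambda p: (-p["weight"], -p["local_pref"],
                                     len(p["as_path"]), p["origin"], p["med"]))


def prepend_outbound(path, asn, count):
    """Model of `set as-path prepend` on an outbound route-map: the receiving
    neighbour sees `asn` repeated `count` extra times in front of the path."""
    return {**path, "as_path": [asn] * count + path["as_path"]}


def neutral_path(as_path, via):
    """A path with neutral attributes so that only AS-path length decides."""
    return {"via": via, "as_path": as_path, "weight": 0, "local_pref": 100,
            "origin": 0, "med": 0}


def paths_seen_by_65020(prepend_count):
    """What AS 65020 holds for our prefix: the direct eBGP path from us (one
    AS hop, plus whatever we prepended) and a constructed three-hop path that
    reaches us through transit AS 65030 and the preferred ISP 65010."""
    direct = neutral_path([OUR_AS], via="direct from 65000")
    direct = prepend_outbound(direct, OUR_AS, prepend_count)
    via_65010 = neutral_path([65030, 65010, OUR_AS], via="via 65030 -> 65010")
    return [direct, via_65010]


def chosen_by_65020(prepend_count):
    """Return which path 65020 selects for a given prepend count."""
    return best_path(paths_seen_by_65020(prepend_count))["via"]


if __name__ == "__main__":
    for n in (0, 3):
        print(f"prepend x{n}: 65020 sends traffic {chosen_by_65020(n)}")
```

With no prepend the direct one-hop path wins; with `set as-path prepend 65000 65000 65000` the direct path becomes four hops and the three-hop path through 65010 wins at step four. Raising `local_pref` on the direct path inside 65020 (step two) would override that, which is the limit of what prepending can do from our side.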