[c-nsp] bgp route-map or prefix-list

Elmar K. Bins elmi at 4ever.de
Thu Feb 21 10:49:50 EST 2008 

Re Wayne,

linkconnect at googlemail.com (Wayne Lee) wrote:

> I've got a mini lab setup using dynamips so I can practice all
> configs, I'm having a little trouble with my ACL's on BGP.
> If I use a route-map I still get the routes I don't want (bogons) but
> if I use the prefix-list the route-map calls it works as expected.

You have a small thinking error in there. Double negatives are sometimes
easily overlooked.

Your prefix-list matches everything you _permit_ in the prefix-list statements.

> ip prefix-list transit-in seq 1 deny 8x.xxx.x.0/19
> ip prefix-list transit-in seq 2 deny 8x.xxx.0.0/19
> ip prefix-list transit-in seq 3 deny 2xx.xxx.0.0/20
> ip prefix-list transit-in seq 50 deny 0.0.0.0/8 le 32
> ip prefix-list transit-in seq 51 deny 10.0.0.0/8
> ip prefix-list transit-in seq 52 deny 127.0.0.0/8
> ip prefix-list transit-in seq 53 deny 172.16.0.0/16
> ip prefix-list transit-in seq 54 deny 192.168.0.0/16
> ip prefix-list transit-in seq 100 permit 0.0.0.0/0 le 24

This means, it does _not_ match, e.g., 10.0.0.0/8.

> route-map announce permit 10
>  match ip address prefix-list announce

> route-map transit-in deny 5
>  match ip address prefix-list transit-in

Here you deny everything that is being matched by the above
prefix list, which means, that you e.g. permit 10.0.0.0/8
(because it is matched by prefix-list transit-in seq 100).

> The current working/live config is using standard access-lists but I
> would like to migrate over to a route-map/prefix-list based setup

Those are the solutions for your problem, given your kind of setup:

Either (a) invert every statement in the prefix list
Or     (b) change to "route-map transit-in permit 5"
           (and have the last statement deny everything else)

I would go with inverting the prefix-list to have it match
those prefixes I do not want to see and then deny those via
your above route-map statement.

Yours,
	Elmi.

-- 

"Hinken ist kein Mangel eines Vergleichs, sondern sollte als wesentliche
 Eigenschaft von Vergleichen angesehen werden."       (Marius Fränzel in desd)

--------------------------------------------------------------[ ELMI-RIPE ]---

More information about the cisco-nsp mailing list