BGP redistribute route-map question.

Discussion in 'Cisco' started by crzzy1, Apr 23, 2010.

  1. crzzy1

    crzzy1 Guest

    -------
    I have a customer that has the config below.
    I would never write it like this, and use a standard ACL or distribute
    list instead.
    But to my surprise, this is allowing every static route to be
    advertised.
    I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
    matches and that the implicit deny would deny everything.
    But NOOO... the ACL is matching everything.

    Can someone explain this?


    Cisco#
    router bgp 65001
    redistribute static route-map redist-stat

    route-map redist-stat permit 10
    match ip address ALLOW-Default

    ip access-list extended ALLOW-Default
    permit ip host 0.0.0.0 host 0.0.0.0

    Thorofare#sh ip route 167.219.88.146
    Routing entry for 167.219.88.146/32
    Known via "static", distance 1, metric 0
    Redistributing via bgp 65001
    Advertised by bgp 65001 route-map redist-stat
    snip


    Thorofare#sh access-l ALLOW-Default
    Extended IP access list ALLOW-Default
    10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)

    Thanks,
    Crzzy1
    -------
     
    crzzy1, Apr 23, 2010
    #1

  2. crzzy1

    crzzy1 Guest

    On Apr 23, 11:27 am, crzzy1 <> wrote:
    > -------
    > I have a customer that has the config below.
    > I would never write it like this, and use a standard ACL or distribute
    > list instead.
    > but to my surprise, this is allowing every static route to go be
    > advertised..
    > I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
    > matches and that the explicit deny would deny everything.
    > But NOOO... the acl is matching everything.
    >
    > Can someone explain this?
    >
    > Cisco#
    > router bgp 65001
    > redistribute static route-map redist-stat
    >
    > route-map redist-stat permit 10
    >  match ip address ALLOW-Default
    >
    > ip access-list extended ALLOW-Default
    >  permit ip host 0.0.0.0 host 0.0.0.0
    >
    > Thorofare#sh ip route 167.219.88.146
    > Routing entry for 167.219.88.146/32
    >   Known via "static", distance 1, metric 0
    >   Redistributing via bgp 65001
    >   Advertised by bgp 65001 route-map redist-stat
    > snip
    >
    > Thorofare#sh access-l ALLOW-Default
    > Extended IP access list ALLOW-Default
    >     10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)
    >
    > Thanks,Crzzy1
    > -------


    Would anyone like to take a stab at how I am getting so many matches
    on my ACL?

    Thanks,
    Crzzy1
     
    crzzy1, Apr 26, 2010
    #2

  3. crzzy1

    Rob Guest

    crzzy1 <> wrote:
    > On Apr 23, 11:27 am, crzzy1 <> wrote:
    >> -------
    >> I have a customer that has the config below.
    >> I would never write it like this, and use a standard ACL or distribute
    >> list instead.
    >> but to my surprise, this is allowing every static route to go be
    >> advertised..
    >> I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
    >> matches and that the explicit deny would deny everything.
    >> But NOOO... the acl is matching everything.
    >>
    >> Can someone explain this?
    >>
    >> Cisco#
    >> router bgp 65001
    >> redistribute static route-map redist-stat
    >>
    >> route-map redist-stat permit 10
    >>  match ip address ALLOW-Default
    >>
    >> ip access-list extended ALLOW-Default
    >>  permit ip host 0.0.0.0 host 0.0.0.0
    >>
    >> Thorofare#sh ip route 167.219.88.146
    >> Routing entry for 167.219.88.146/32
    >>   Known via "static", distance 1, metric 0
    >>   Redistributing via bgp 65001
    >>   Advertised by bgp 65001 route-map redist-stat
    >> snip
    >>
    >> Thorofare#sh access-l ALLOW-Default
    >> Extended IP access list ALLOW-Default
    >>     10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)
    >>
    >> Thanks,Crzzy1
    >> -------

    >
    > Would anyone like to take a stab at how I am getting so many matches
    > on my ACL?


    It could be that "host 0.0.0.0" actually is the internal coding for "any"
    in an access list.
    Although I would expect that it would come back as "permit ip any any"
    on show running-config.
     
    Rob, Apr 27, 2010
    #3
  4. crzzy1

    bod43 Guest

    On 27 Apr, 08:40, Rob <> wrote:
    > crzzy1 <> wrote:
    > > On Apr 23, 11:27 am, crzzy1 <> wrote:
    > >> -------
    > >> I have a customer that has the config below.
    > >> I would never write it like this, and use a standard ACL or distribute
    > >> list instead.
    > >> but to my surprise, this is allowing every static route to go be
    > >> advertised..
    > >> I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
    > >> matches and that the explicit deny would deny everything.
    > >> But NOOO... the acl is matching everything.

    >
    > >> Can someone explain this?

    >
    > >> Cisco#
    > >> router bgp 65001
    > >> redistribute static route-map redist-stat

    >
    > >> route-map redist-stat permit 10
    > >>  match ip address ALLOW-Default

    >
    > >> ip access-list extended ALLOW-Default
    > >>  permit ip host 0.0.0.0 host 0.0.0.0

    >
    > >> Thorofare#sh ip route 167.219.88.146
    > >> Routing entry for 167.219.88.146/32
    > >>   Known via "static", distance 1, metric 0
    > >>   Redistributing via bgp 65001
    > >>   Advertised by bgp 65001 route-map redist-stat
    > >> snip

    >
    > >> Thorofare#sh access-l ALLOW-Default
    > >> Extended IP access list ALLOW-Default
    > >>     10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)

    >
    > >> Thanks,Crzzy1
    > >> -------

    >
    > > Would anyone like to take a stab at how I am getting so many matches
    > > on my ACL?

    >
    > It could be that "host 0.0.0.0" actually is the internal coding for "any"
    > in an access list.
    > Although I would expect that it would come back as "permit ip any any"
    > on show running-config.


    Ah wait a minute!!! Surely these should be standard ACLs?
    What does ANY extended ACL mean in the context of
    route filtering? What is the source, what is the dest.?


    I have written the stuff below now so I will leave it in
    but I can't see that it is relevant given the above.

    Might just be a bug, after all who is going to test
    such an ACL?

    10 permit ip host 0.0.0.0 host 0.0.0.0
    is synonymous with
    10 permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

    ie all zeros IP address with no wildcard bits.

    I suppose that the BGP process might interpret that
    as a default route or something but that would be a bug.

    Surely the answer is to get rid of that line in the ACL and
    put in what is required?

    Usually all routes would be of course
    perm ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    zeros IP address with all bits wildcarded.
     
    bod43, Apr 27, 2010
    #4
  5. crzzy1

    crzzy1 Guest

    On Apr 27, 3:22 pm, "John Agosta" <> wrote:
    > "bod43" <> wrote in message
    >
    > news:...
    > On 27 Apr, 08:40, Rob <> wrote:
    >
    >
    >
    > >crzzy1<> wrote:
    > > > On Apr 23, 11:27 am,crzzy1<> wrote:
    > > >> -------
    > > >> I have a customer that has the config below.
    > > >> I would never write it like this, and use a standard ACL or distribute
    > > >> list instead.
    > > >> but to my surprise, this is allowing every static route to go be
    > > >> advertised..
    > > >> I would think that "permit ip host 0.0.0.0 host 0.0.0.0" would get no
    > > >> matches and that the explicit deny would deny everything.
    > > >> But NOOO... the acl is matching everything.

    >
    > > >> Can someone explain this?

    >
    > > >> Cisco#
    > > >> router bgp 65001
    > > >> redistribute static route-map redist-stat

    >
    > > >> route-map redist-stat permit 10
    > > >> match ip address ALLOW-Default

    >
    > > >> ip access-list extended ALLOW-Default
    > > >> permit ip host 0.0.0.0 host 0.0.0.0

    >
    > > >> Thorofare#sh ip route 167.219.88.146
    > > >> Routing entry for 167.219.88.146/32
    > > >> Known via "static", distance 1, metric 0
    > > >> Redistributing via bgp 65001
    > > >> Advertised by bgp 65001 route-map redist-stat
    > > >> snip

    >
    > > >> Thorofare#sh access-l ALLOW-Default
    > > >> Extended IP access list ALLOW-Default
    > > >> 10 permit ip host 0.0.0.0 host 0.0.0.0 (1492680 matches)

    >
    > > >> Thanks,Crzzy1
    > > >> -------

    >
    > > > Would anyone like to take a stab at how I am getting so many matches
    > > > on my ACL?

    >
    > > It could be that "host 0.0.0.0" actually is the internal coding for "any"
    > > in an access list.
    > > Although I would expect that it would come back as "permit ip any any"
    > > on show running-config.

    >
    > Ah wait a minute!!!  Surely these should be standard ACLs?
    > What does ANY extended ACL mean in the context of
    > route filtering? What is the source, what is the dest.?
    >
    > I'm stumped as to why you are seeing so many matches.
    > But as to your other question.....
    > Extended ACLs have always been a tool used in route filtering.
    >
    > For instance, if I wanted to look for any route at all which had an exact
    > mask of /19:
    >
    > access-list 199 permit ip 0.0.0.0 255.255.0.0 255.255.224.0 0.0.0.0
    >
    > This is saying look for a route which looks like this x.x.0.0    (0.0.0.0
    > 255.255.0.0)
    >
    > AND has an exact mask of 255.255.224.0   (255.255.224.0  0.0.0.0)
    >
    > Using extended ACLs for purposes such as this has been around for a while,
    > before prefix lists, I believe.
    > An extended ACL is not always looking for source and destination addresses,
    > you see......
    >
    > -ja



    I see no reason to use an extended ACL for redistribution. Just a
    standard ACL or a distribute list will do.
    I agree with Rob (also BOD43), that this is probably a bug, Rob is
    right in asking who would ever use it for this purpose, and therefore
    test it for this, or even care?

    Crzzy1
     
    crzzy1, Apr 28, 2010
    #5
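    To make the two explanations in this thread concrete (bod43's reading of "host 0.0.0.0" as an all-zeros address with no wildcard bits, and John Agosta's description of how an extended ACL is read as a route filter: the source field is compared against the route's network, the destination field against its mask), here is a small Python evaluator that applies exactly those semantics. It is an added example written for this page, not anything from the thread or from IOS; the ACL lines it parses are the ones quoted in the thread, and the sample prefixes are constructed. It is an idealised model and does not reproduce whatever the customer's router is actually doing, so it shows what the poster expected (no match for 167.219.88.146/32), which is the point of the question.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_term(tokens):
    """Consume one address term of an extended ACE: 'any', 'host A.B.C.D',
    or 'A.B.C.D W.X.Y.Z' (address plus Cisco wildcard). Returns
    (value, wildcard, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    value = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return value, wildcard, tokens[2:]


def wildcard_match(value, wildcard, candidate):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means 'must equal'."""
    return (value & ~wildcard) == (candidate & ~wildcard)


def parse_ace(line):
    """Parse one 'ip' entry of an extended ACL, with or without a leading
    sequence number, into (action, net, net_wc, mask, mask_wc)."""
    tokens = line.split()
    if tokens[0].isdigit():          # strip a sequence number such as '10'
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported ACE: %s" % line)
    net, net_wc, rest = parse_term(tokens[2:])    # 'source' = route network
    mask, mask_wc, rest = parse_term(rest)        # 'destination' = route mask
    if rest:
        raise ValueError("trailing tokens in ACE: %s" % line)
    return action, net, net_wc, mask, mask_wc


def route_filter_action(acl_lines, prefix):
    """Evaluate an extended ACL as a route filter against one prefix.
    Returns the action of the first matching entry, or 'deny' for the
    implicit deny when nothing matches."""
    net = ipaddress.ip_network(prefix, strict=False)
    route_net = int(net.network_address)
    route_mask = int(net.netmask)
    for line in acl_lines:
        action, n, n_wc, m, m_wc = parse_ace(line)
        if wildcard_match(n, n_wc, route_net) and wildcard_match(m, m_wc, route_mask):
            return action
    return "deny"


# The ACL from the original post: an all-zeros network with no wildcard bits,
# and an all-zeros mask with no wildcard bits, i.e. only 0.0.0.0/0 should match.
ALLOW_DEFAULT = ["10 permit ip host 0.0.0.0 host 0.0.0.0"]

# John Agosta's example: any x.x.0.0 network whose mask is exactly /19.
EXACT_19 = ["permit ip 0.0.0.0 255.255.0.0 255.255.224.0 0.0.0.0"]

# bod43's 'all routes' form: every bit of network and mask wildcarded.
ALL_ROUTES = ["permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255"]


if __name__ == "__main__":
    # Constructed sample prefixes; the /32 is the one shown in the thread.
    for name, acl in (("ALLOW-Default", ALLOW_DEFAULT), ("exact-19", EXACT_19), ("all", ALL_ROUTES)):
        for prefix in ("167.219.88.146/32", "0.0.0.0/0", "10.1.0.0/19", "10.1.32.0/19"):
            print("%-13s %-18s -> %s" % (name, prefix, route_filter_action(acl, prefix)))
```

Note that, read this way, the ACL in the thread permits only 0.0.0.0/0 and the quoted /32 falls through to the implicit deny, which is what the original poster expected and not what the match counter shows; the thread offers no confirmed explanation for the discrepancy. Also, the /19 example as quoted matches only networks whose third and fourth octets are zero (10.1.0.0/19 but not 10.1.32.0/19); to match every /19 the network term would need wildcard 255.255.255.255.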
