Route Maps, ACLs, Prefix Lists Flashcards
ACLs
Packet classification starts at the top (lowest sequence) and proceeds down (higher sequence) until a matching pattern is identified. Once a match is found, the appropriate action (permit or deny) is taken, and processing stops. At the end of every ACL is an implicit deny ACE, which denies all packets that did not match earlier in the ACL.
ACLs are classified into two categories:
- Standard ACLs: Define packets based solely on the source network.
- Extended ACLs: Define packets based on the source, destination, protocol, port, or a combination of other packet attributes.
Standard ACLs use a number in the range 1–99 or 1300–1999, or a name. Extended ACLs use a number in the range 100–199 or 2000–2699, or a name. Named ACLs make the purpose of an ACL evident from its name, can be either *standard* or *extended*, and are generally preferred.
Standard ACLs
- permit any : Permits all networks.
- permit 172.16.0.0 0.0.255.255 : Permits all networks in the 172.16.0.0 range (that is, 172.16.0.0 to 172.16.255.255)
- permit host 192.168.1.1 : Permits only the 192.168.1.1/32 network.
IGP Network Selection
When extended ACLs are used for IGP network selection, the source fields of the ACL identify the network, and the destination fields identify the smallest prefix length allowed in the network range (the mask is written as a host entry in the destination fields).
- permit ip any any : Permits all networks.
- permit ip host 172.16.0.0 host 255.240.0.0 : Permits all networks in the 172.16.0.0 /12 range.
- permit ip host 172.16.0.0 host 255.255.0.0 : Permits all networks in the 172.16.0.0/16 range.
- permit ip host 192.168.1.1 host 255.255.255.255 : Permits only the 192.168.1.1/32 network.
BGP Network Selection
Extended ACLs react differently when matching BGP routes than when matching IGP routes. The source fields match against the network portion of the route, and the destination fields match against the network mask. Until the introduction of prefix lists, extended ACLs were the only match criteria used with BGP.
- permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0 : Permits only the 10.0.0.0/16 network
- permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0 : Permits any 10.0.x.0 network with a /24 prefix length
- permit ip 172.16.0.0 0.0.255.255 255.255.255.0 0.0.0.255 : Permits any 172.16.x.x network with a /24 through /32 prefix length
- permit ip 172.16.0.0 0.0.255.255 255.255.255.128 0.0.0.127 : Permits any 172.16.x.x network with a /25 through /32 prefix length
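The four BGP entries above are easy to misread, so it is worth checking a filter offline before it is applied to a neighbor. The Python model below is an added example written for this page; it is not Cisco code and does not come from the page's source. It encodes the four ACEs as constructed data and applies the semantics the text describes: IOS wildcard matching, with the source fields tested against the route's network address and the destination fields against its subnet mask. Function names are my own.

```python
import ipaddress

# The page's four BGP-selection ACEs as constructed data:
# (action, network, network-wildcard, mask, mask-wildcard).
BGP_ACES = [
    ("permit", "10.0.0.0",   "0.0.0.0",     "255.255.0.0",     "0.0.0.0"),
    ("permit", "10.0.0.0",   "0.0.255.0",   "255.255.255.0",   "0.0.0.0"),
    ("permit", "172.16.0.0", "0.0.255.255", "255.255.255.0",   "0.0.0.255"),
    ("permit", "172.16.0.0", "0.0.255.255", "255.255.255.128", "0.0.0.127"),
]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(value, pattern, wildcard):
    """IOS wildcard test: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ wildcard
    return (value & care) == (pattern & care)

def ace_matches_bgp_route(ace, prefix):
    """BGP semantics: the source fields test the route's network address and
    the destination fields test its subnet mask (not a destination host)."""
    route = ipaddress.ip_network(prefix, strict=False)
    _, net, net_wc, mask, mask_wc = ace
    return (wildcard_match(int(route.network_address), _ip(net), _ip(net_wc))
            and wildcard_match(int(route.netmask), _ip(mask), _ip(mask_wc)))

def matching_aces(prefix, aces=BGP_ACES):
    """1-based indexes of every ACE the route satisfies (shows overlap)."""
    return [i for i, ace in enumerate(aces, 1) if ace_matches_bgp_route(ace, prefix)]

def bgp_acl_decision(prefix, aces=BGP_ACES):
    """First-match, top-down evaluation with the implicit deny at the end.
    Returns (action, 1-based index), or ('deny', None) for the implicit deny."""
    for i, ace in enumerate(aces, 1):
        if ace_matches_bgp_route(ace, prefix):
            return ace[0], i
    return "deny", None

if __name__ == "__main__":
    for p in ("10.0.0.0/16", "10.0.5.0/24", "172.16.1.0/24", "172.16.1.0/26", "10.0.0.0/8"):
        print(p, matching_aces(p), bgp_acl_decision(p))
```

Running it shows two things the table alone does not: 10.0.0.0/8 matches none of the entries (its mask 255.0.0.0 fails every destination test), and 172.16.1.0/26 matches both the third and fourth ACEs, so the /25 through /32 entry is shadowed by the /24 through /32 entry that precedes it.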
Prefix List
A prefix match specification contains two parts: a high-order bit pattern and a high-order bit count, which determines how many high-order bits of the pattern must match. Some documentation refers to the high-order bit pattern as the address or network and the high-order bit count as the length or mask length. On its own, a specification such as 10.0.0.0/8 matches only that exact prefix; the optional ge (greater than or equal to) and le (less than or equal to) keywords widen it to a range of prefix lengths that share the bit pattern.
Consider the specification 10.0.0.0/8 ge 22 le 26. The 10.0.0.0/8 prefix does not match because its prefix length is too short. The 10.0.0.0/24 prefix matches because the bit pattern matches and the prefix length is between 22 and 26. The 10.0.0.0/30 prefix does not match because its prefix length is too long. Any prefix that starts with 10 in the first octet and has a prefix length between 22 and 26 matches.
Prefix List Sequencing
A prefix list can contain multiple prefix matching specification entries that contain permit or deny actions. Prefix lists process in sequential order in a top-down fashion.
If a sequence is not provided, the sequence number auto-increments by 5, based on the highest sequence number. The first entry is 5.
ip prefix-list RFC1918 seq 5 permit 192.168.0.0/13 ge 32
ip prefix-list RFC1918 seq 10 deny 0.0.0.0/0 ge 32
ip prefix-list RFC1918 seq 15 permit 10.0.0.0/8 le 32
ip prefix-list RFC1918 seq 20 permit 172.16.0.0/12 le 32
ip prefix-list RFC1918 seq 25 permit 192.168.0.0/16 le 32
Notice that sequence 5 permits all /32 prefixes within the 192.168.0.0/13 bit pattern, sequence 10 denies all /32 prefixes regardless of bit pattern, and sequences 15, 20, and 25 permit routes in the appropriate network ranges. The order of the first two entries matters: it ensures that the only /32 prefixes the list permits are those in the 192.168.0.0 range. Anything that reaches the end of the list without matching is denied.
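To see how ge/le and sequence order interact, here is a small prefix-list evaluator. It is an added example written for this page, not IOS code and not taken from the page's source. It models the IOS rules as I understand them (no ge/le: exact length; ge alone: ge through 32; le alone: the bit count through le; both: ge through le) and carries the RFC1918 list above as constructed data; the function names are my own.

```python
import ipaddress

def prefix_spec_matches(prefix, pattern, ge=None, le=None):
    """IOS-style prefix match. `pattern` is the high-order bit pattern with
    its bit count (e.g. "10.0.0.0/8"). With neither ge nor le the route must
    have exactly that length; ge alone means ge..32, le alone means count..le,
    both mean ge..le. The route's first `count` bits must equal the pattern's."""
    route = ipaddress.ip_network(prefix, strict=False)
    pat = ipaddress.ip_network(pattern, strict=False)
    count = pat.prefixlen
    low = ge if ge is not None else count
    high = le if le is not None else (32 if ge is not None else count)
    if not low <= route.prefixlen <= high:
        return False
    shift = 32 - count          # compare only the high-order `count` bits
    return (int(route.network_address) >> shift) == (int(pat.network_address) >> shift)

# The page's RFC1918 prefix list as constructed data: (seq, action, pattern, ge, le).
RFC1918 = [
    (5,  "permit", "192.168.0.0/13", 32, None),
    (10, "deny",   "0.0.0.0/0",      32, None),
    (15, "permit", "10.0.0.0/8",     None, 32),
    (20, "permit", "172.16.0.0/12",  None, 32),
    (25, "permit", "192.168.0.0/16", None, 32),
]

def evaluate_prefix_list(prefix, entries=RFC1918):
    """Sequential top-down evaluation: the first entry that matches decides;
    nothing matching means the implicit deny. Returns (action, seq) with
    seq None for the implicit deny."""
    for seq, action, pattern, ge, le in sorted(entries, key=lambda e: e[0]):
        if prefix_spec_matches(prefix, pattern, ge, le):
            return action, seq
    return "deny", None

if __name__ == "__main__":
    for p in ("10.0.0.0/8", "10.0.0.0/24", "10.0.0.0/30"):
        print(p, "vs 10.0.0.0/8 ge 22 le 26:", prefix_spec_matches(p, "10.0.0.0/8", 22, 26))
    for p in ("192.168.1.1/32", "192.170.4.4/32", "10.1.1.1/32", "10.1.0.0/16", "8.8.8.0/24"):
        print(p, evaluate_prefix_list(p))
```

One check worth running before trusting the list: 192.170.4.4/32 is also permitted by sequence 5, because a /13 bit pattern covers 192.168.0.0 through 192.175.255.255, not just the RFC 1918 192.168.0.0/16 block. If the intent is strictly "host routes inside 192.168.0.0/16", the first entry needs a /16 pattern.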
Route Maps
Route maps provide many different features to a variety of routing protocols. At the simplest level, route maps can filter networks much the same way as ACLs, but they also provide additional capability through the addition or modification of network attributes. To influence a routing protocol, a route map must be referenced from the routing protocol. Route maps are critical to BGP because they are the main component in modifying a unique routing policy on a neighbor-by-neighbor basis.
route-map route-map-name [permit | deny] [sequence-number]
- If a processing action is not provided, the default value of permit is used.
- If a sequence number is not provided, the sequence number increments by 10 automatically.
- If a match statement is not included, the sequence implicitly matches all prefixes.
- Processing stops at the first sequence whose match criteria are met, after its processing action and any optional (set) actions have been applied.
Route Maps Examples
route-map EXAMPLE permit 10
match ip address ACL-ONE
! Prefixes that match ACL-ONE are permitted. Route-map completes processing upon a match
route-map EXAMPLE deny 20
match ip address ACL-TWO
! Prefixes that match ACL-TWO are denied. Route-map completes processing upon a match
route-map EXAMPLE permit 30
match ip address ACL-THREE
set metric 20
! Prefixes that match ACL-THREE are permitted and modify the metric. Route-map completes processing upon a match
route-map EXAMPLE permit 40
! Because no match criteria were specified, all other prefixes are permitted.
! If this sequence were not configured, all other prefixes would be dropped because of the
! implicit deny at the end of every route map.
Conditional Matching
match as-path acl-number
Selects prefixes based on a regex query to isolate the ASN in the BGP path attribute (PA) AS_Path. (Allows for multiple match variables.)
match community community-list
Selects prefixes based on the BGP community attribute.
match ip address {acl-number | acl-name}
Selects prefixes based on network selection criteria defined in the ACL. (Allows for multiple match variables.)
match local-preference value
Selects prefixes based on the BGP attribute Local Preference. (Allows for multiple match variables.)
match tag tag-value
Selects prefixes based on a numeric tag (0 to 4294967295) that was set by another router. (Allows for multiple match variables.)
Multiple Conditional Match Conditions
If multiple variables (ACLs, prefix lists, tags, and so on) are listed in a single match statement of a route map sequence, only one of them needs to match for the prefix to qualify. The Boolean logic between the listed variables is or.
Sequence 10 requires that a prefix pass ACL-ONE or ACL-TWO. Notice that sequence 20 does not have a match statement, so all prefixes that are not passed in sequence 10 qualify and are denied. Sequence 20 is redundant because of the implicit deny for any prefixes that are not matched in sequence 10.
route-map EXAMPLE permit 10
match ip address ACL-ONE ACL-TWO
route-map EXAMPLE deny 20
If multiple match statements of different types are configured in a specific route map sequence, all of them must be met for the prefix to qualify for that sequence. The Boolean logic between match statements is and.
Sequence 10 requires that the prefix match ACL ACL-ONE and that the metric be a value between 500 and 600.
route-map EXAMPLE permit 10
match ip address ACL-ONE
match metric 550 +- 50
Complex Matching
Matching a deny statement in the conditional match criteria excludes the route from that sequence in the route map.
When a route map references an ACL (standard or extended; the same holds for a prefix list), the ACL's permit and deny entries do not decide whether a route is accepted. They only decide whether the route is considered matched by the route map sequence that references the ACL: a permit entry matches the route into that sequence, while a deny entry (or the ACL's implicit deny) excludes it from that sequence and processing moves on to the next one. Whether a route is ultimately accepted or discarded is always determined by the action (permit or deny) of the route map sequence that matches it.
ip access-list extended INJECTOR
deny ip 10.0.0.0 0.255.255.255 any
permit ip 0.0.0.0 31.255.255.255 any
!
route-map TEST permit 10
match ip address INJECTOR
- deny (in the ACL) : the 10.0.0.0/8 routes are not matched by sequence 10 and fall through to the next sequence.
- permit (in the ACL) : routes in 0.0.0.0–31.255.255.255 outside 10.0.0.0/8 match sequence 10; the action of that sequence is permit, so they are accepted.
- route-map TEST deny 20 : no match criteria are defined, so every route that reaches this sequence matches it. The 10.0.0.0/8 routes land here and are discarded because the route map action is deny. In other words, it is the route map's own deny sequence (or, if sequence 20 were absent, the implicit deny at the end of the route map) that discards 10.0.0.0/8, not the deny entry in the ACL.
Route Map Process
Route maps process in this order: Evaluate the sequence, the conditional match criteria, the processing action, and the optional action. Any deny statements in the match component are isolated from the route map sequence action.
Default route map behavior is to process the route map sequences in order, and upon the first match, execute the processing action, perform any optional action (if feasible), and stop processing. This prevents multiple route map sequences from processing.
Adding the keyword continue to a route map sequence allows processing to carry on with later sequences after that sequence has matched, so that more than one sequence can act on the same route.
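The route map rules above (OR within one match statement, AND across match types, an ACL deny that only excludes a route from a sequence, the implicit deny, and continue) are easiest to internalise by running them. The evaluator below is an added example written for this page; it is not IOS code and not from the page's source. It carries the page's INJECTOR ACL and TEST route map, plus a constructed EXAMPLE route map, as data. Assumptions of the model: ACLs are applied standard-ACL style to the route's network address; continue is honoured only on permit sequences and always goes to the next sequence; a deny sequence ends processing. Function and attribute names are my own.

```python
import ipaddress

# Constructed data modelled on the page's examples (not device output).
ACLS = {
    # The INJECTOR ACL: its deny only keeps 10.0.0.0/8 out of sequence 10.
    "INJECTOR": [("deny", "10.0.0.0", "0.255.255.255"),
                 ("permit", "0.0.0.0", "31.255.255.255")],
    "ACL-ONE": [("permit", "172.16.0.0", "0.0.255.255")],
    "ACL-TWO": [("permit", "192.168.0.0", "0.0.255.255")],
}

# route-map TEST from the page: an ACL deny falls through to the deny sequence.
TEST = [
    {"seq": 10, "action": "permit", "match": {"ip address": ["INJECTOR"]}},
    {"seq": 20, "action": "deny"},
]

# OR inside one match statement, AND across match types, and continue.
EXAMPLE = [
    {"seq": 10, "action": "permit",
     "match": {"ip address": ["ACL-ONE", "ACL-TWO"], "metric": (550, 50)},
     "set": {"metric": 20}, "continue": True},
    {"seq": 20, "action": "permit", "match": {"ip address": ["ACL-TWO"]},
     "set": {"local_preference": 200}},
]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def acl_result(acl, prefix):
    """Standard-ACL lookup on the route's network address: entries are
    tested top-down, the first match wins, and the end is an implicit deny."""
    net = int(ipaddress.ip_network(prefix, strict=False).network_address)
    for action, pattern, wildcard in acl:
        care = 0xFFFFFFFF ^ _ip(wildcard)          # wildcard 1-bits are don't-care
        if (net & care) == (_ip(pattern) & care):
            return action
    return "deny"

def sequence_matches(seq, route, acls):
    """AND across the match types in a sequence; OR across the values listed
    in a single match statement. A sequence with no match statement matches all."""
    for kind, values in seq.get("match", {}).items():
        if kind == "ip address":
            # An ACL that permits the route qualifies it for this sequence; an ACL
            # deny (explicit or implicit) merely excludes it from this sequence.
            if not any(acl_result(acls[name], route["prefix"]) == "permit"
                       for name in values):
                return False
        elif kind == "metric":                     # "match metric value +- deviation"
            value, deviation = values
            if abs(route["metric"] - value) > deviation:
                return False
        else:
            raise ValueError(f"unsupported match type {kind!r}")
    return True

def run_route_map(route_map, route, acls):
    """Walk sequences in order. The first matching sequence decides: deny stops
    immediately; permit applies the set clauses and stops unless the sequence
    carries continue, in which case the modified route is handed to later
    sequences. No matching sequence at all is the implicit deny.
    Returns (decision, route_after_set_clauses)."""
    route = dict(route)
    decision = None
    for seq in sorted(route_map, key=lambda s: s["seq"]):
        if not sequence_matches(seq, route, acls):
            continue
        decision = seq["action"]
        if decision == "deny":
            break
        route.update(seq.get("set", {}))
        if not seq.get("continue", False):
            break
    return (decision or "deny"), route

if __name__ == "__main__":
    for name, rm, r in [("TEST", TEST, {"prefix": "10.1.0.0/16", "metric": 0}),
                        ("TEST", TEST, {"prefix": "20.1.0.0/16", "metric": 0}),
                        ("EXAMPLE", EXAMPLE, {"prefix": "192.168.1.0/24", "metric": 500})]:
        print(name, r["prefix"], run_route_map(rm, r, ACLS))
```

The TEST cases reproduce the page's point: 10.1.0.0/16 is denied by the INJECTOR ACL inside sequence 10, which only means it falls through to sequence 20, and sequence 20's deny action is what discards it. In EXAMPLE, a 192.168.1.0/24 route with metric 500 satisfies both match types in sequence 10, gets its metric set to 20, and because of continue is then also handled by sequence 20, which adds the local preference; the same route with metric 700 fails the metric test, skips sequence 10, and is permitted by sequence 20 alone.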