How you can get top grades, to get a best job.

How you can get top grades, to get a best job.

Sometimes you need advice, Ask a teacher to solve your problems.

Sometimes you need advice, Ask a teacher to solve your problems.

Make a Difference with education, and be the best.

Make a Difference with education, and be the best.

Putting Children First. Preparing Children For Success In Life

Putting Children First. Preparing Children For Success In Life

Latest Posts

Sunday, November 11, 2018

Introduction to IP access lists

ılılılı RouteXP ılılılı ılılılı
Today I am going to talk about the Access lists. An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects or you can say for each rule we have two conditions and that is Permit or Deny.

Types of Access Lists
There are two categories of access lists: numbered and named.

Fig 1.1- IP access Lists
Numbered Access Lists:-
Numbered access lists are broken down into several ranges, each dedicated
to a specific protocol:

1–99 IP standard access list
100-199 IP extended access list
200-299 Protocol type-code access list
300-399 DECnet access list
400-499 XNS standard access list
500-599 XNS extended access list
600-699 Appletalk access list
700-799 48-bit MAC address access list
800-899 IPX standard access list
900-999 IPX extended access list
1000-1099 IPX SAP access list
1100-1199 Extended 48-bit MAC address access list
1200-1299 IPX summary address access list
1300-1999 IP standard access list (expanded range)
2000-2699 IP extended access list

Named Access Lists:-
Named access lists provide a bit more flexibility. Descriptive names can be
used to identify your access-lists. Additionally, individual lines can be
removed from a named access-list. However, like numbered lists, all new
entries are still added to the bottom of the access list.

There are two common types of named access lists:
IP standard named access lists
IP extended named access lists
Standard IP Access List

Standard IP access-lists are based upon the source host or network IP address, and should be placed closest to the destination network.

Router(config)# access-list 10 deny 172.18.0.0 0.0.255.255 ( Just for an Example)
Router(config)# access-list 10 permit any

To apply Access Lists we have to configure the Access-Group on the Interface. Likewise we are taking the interface serial 0 as a reference.

Router(config)# int s0
Router(config-if)# ip access-group 10 in

To view all IP access lists configured on the router:
Router# show ip access-list

To view what interface an access-list is configured on:

Router# show ip interface
Router# show running-config
Extended IP Access List
access-list [100-199] [permit | deny] [protocol] [source address] [wildcard mask] [destination address] [wildcard mask] [operator [port]] [log]
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80
Router(config)# access-list 101 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 101 permit ip any any

The above ip address is just taken for the example and don’t have real environment existence.

The first line allows the 172.18.x.x network access only to port 80 on the web server. The second line blocks 172.18.x.x from accessing anything else on the 172.16.x.x network. The third line allows 172.18.x.x access to anything else.
To apply this access list, we would configure the following

Router(config)# int e0
Router(config-if)# ip access-group 101 in

Extended IP Access List Port Operators
In the preceding example, we identified TCP port 80 on a specific host use the following syntax:

Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.16.10.10 eq 80

We accomplished this using an operator of eq, which is short for equals. Thus, we are identifying host 172.16.10.10 with a port that equals 80. We can use several other operators for port numbers:
eq        Matches a specific port
gt         Matches all ports greater than the port specified
lt          Matches all ports less than the port specified
neq      Matches all ports except for the port specified
range   Match a specific inclusive range of ports

ICMP Access List
The specific ICMP port that a “ping” uses is echo. To block specific ICMP  parameters, use an extended IP access list. On Router B, we would configure:

Router(config)# access-list 102 deny icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 echo
Router(config)# access-list 102 permit icmp 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)# access-list 102 permit ip any any

The first line blocks only ICMP echo requests (pings). The second line allows all other ICMP traffic. The third line allows all other IP traffic.

To apply the access lists on other router, you need to configure the follwing as:-

Router(config)# int e0

Router(config-if)# ip access-group 102 in

Introduction to BGP override and BGP allow-as-in

ılılılı RouteXP ılılılı ılılılı
Introduction to BGP override and BGP allow-as-in

Today I am going to talk about the difference between BGP override and BGP allow-as-in. many of you already knew that BGP override is generally used in the ISP side while BGP allow-as-in at the client side with the same feature sets.

As i said earlier, both have the same feature under the different subtitle names. They can be used in an environment where a customer is using one AS number for many sites that are connected to an ISP. This is shown in the example below.

In the above mentioned diagram, we have two different AS numbers. The diagram shows that  AS 65001 connects to the ISP at two different locations. So when R2 accepts the prefix 33.33.33.33/32, You can see that the AS path is via 1, 65001. Because of the loop prevention mechanism, NB_R2 will have to reject this prefix because it can see its own AS in the AS_PATH attribute.

Fig 1.1- BGP override and BGP allow-as-in

Configurations on NB_PE1 router

NB_PE1#
ip vrf cisco
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding Cisco
 ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 15.15.15.1 255.255.255.0
 mpls ip
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 15.15.15.0 0.0.0.255 area 0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 next-hop-self
 no auto-summary
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf cisco
  neighbor 10.10.10.11 remote-as 65001
  neighbor 10.10.10.11 activate
  no synchronization
 exit-address-family
!

Configurations on NB_PE2 router

NB_PE2#
ip vrf cisco
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding cisco
 ip address 20.20.20.20 255.255.255.0
!
interface FastEthernet0/1
 ip address 25.25.25.2 255.255.255.0
 mpls ip
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 25.25.25.0 0.0.0.255 area 0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 1.1.1.1 next-hop-self
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf cisco
  neighbor 20.20.20.21 remote-as 65001
  neighbor 20.20.20.21 activate
  no synchronization
 exit-address-family
!

Now configuring routers ate client Side
Configuration on NB_R1 router

NB_R1#
interface Loopback0
 ip address 33.33.33.33 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.10.11 255.255.255.0
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 10.10.10.0 mask 255.255.255.0
 network 33.33.33.33 mask 255.255.255.255
 neighbor 10.10.10.10 remote-as 1
 no auto-summary

Configuration on NB_R2 router
NB_R2#
interface FastEthernet0/0
 ip address 20.20.20.21 255.255.255.0
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 20.20.20.0 mask 255.255.255.0
 neighbor 20.20.20.20 remote-as 1
 no auto-summary
!
NB_P1#
interface FastEthernet0/0
 ip address 15.15.15.2 255.255.255.0
 mpls ip
!
interface FastEthernet0/1
 ip address 25.25.25.1 255.255.255.0
 mpls ip
!
router ospf 1
 network 15.15.15.0 0.0.0.255 area 0
 network 25.25.25.0 0.0.0.255 area 0
 network 35.35.35.0 0.0.0.255 area 0

So currently, on NB_R2, he is not accepting any prefixes from NB_R1 in the other site; as shown below (we would expect the 10.10.10.0/24 and 33.33.33.33/32 networks to be in the BGP table).

NB_R2#sh ip bgp | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 20.20.20.0/24    0.0.0.0                  0         32768 i
The debug below shows why he’s not accepting these prefixes.
*Mar  1 02:28:03.515: %BGP-5-ADJCHANGE: neighbor 20.20.20.20 Up
*Mar  1 02:28:03.559: BGP(0): 20.20.20.20 rcv UPDATE w/ attr: nexthop 20.20.20.20, origin i, originator 0.0.0.0, path 1 65001, community , extended community
*Mar  1 02:28:03.559: BGP(0): 20.20.20.20 rcv UPDATE about 10.10.10.0/24 -- DENIED due to: AS-PATH contains our own AS;
*Mar  1 02:28:03.559: BGP(0): 20.20.20.20 rcv UPDATE about 33.33.33.33/32 -- DENIED due to: AS-PATH contains our own AS

One way to fix this is to use the allow-as-in command. This allows NB_R2 to override the loop prevention mechanism by allowing an instance of AS 65001 to be in the AS_PATH. Let’s do that now.

NB_R2(config-router)#neighbor 20.20.20.20 allowas-in 1
NB_R2(config-router)#
*Mar  1 02:34:34.927: BGP: 20.20.20.20 sending REFRESH_REQ(5) for afi/safi: 1/1
*Mar  1 02:34:34.927: BGP: 20.20.20.20 send message type 5, length (incl. header) 23
*Mar  1 02:34:35.015: BGP(0): 20.20.20.20 rcvd UPDATE w/ attr: nexthop 20.20.20.20, origin i, path 1 65001
*Mar  1 02:34:35.015: BGP(0): 20.20.20.20 rcvd 10.10.10.0/24
*Mar  1 02:34:35.015: BGP(0): 20.20.20.20 rcvd 33.33.33.33/32
*Mar  1 02:34:35.019: BGP(0): Revise route installing 1 of 1 routes for 10.10.10.0/24 -> 20.20.20.20(main) to main IP table
*Mar  1 02:34:35.019: BGP(0): Revise route installing 1 of 1 routes for 33.33.33.33/32 -> 20.20.20.20(main) to main IP table

NB_R2(config-router)#do sh ip bgp
BGP table version is 4, local router ID is 20.20.20.21
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    20.20.20.20                            0 1 65001 i
*> 20.20.20.0/24    0.0.0.0                  0         32768 i
*> 33.33.33.33/32   20.20.20.20                            0 1 65001 i

So you can see (on NB_R2) that the AS_PATH is 1, 65001 for these prefixes. It keeps all the AS_PATH information and simply just allows 1 occurrence of 65001 to be in the AS_PATH; thus overriding the loop prevention mechanism. We would obviously need to do this on NB_R1 in order for R1 to have reachability to the 20.20.20.0/24 prefix (sitting between NB_PE2 and NB_R2) so that he can have a route back to NB_R2.

NB_R1(config)#router bgp 65001
NB_R1(config-router)#neighbor 10.10.10.10 allowas-in 1
NB_R2#ping 33.33.33.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/83/116 ms

The other way you can complete this task is by getting NB_PE1 & NB_PE2 to just strip AS 65001 from the BGP UPDATE before sending it to the customer edge routers. Let’s do that now.

NB_R1(config-router)#no neighbor 10.10.10.10 allowas-in 1
NB_R2(config-router)#no neighbor 20.20.20.20 allowas-in 1
NB_PE2(config)#router bgp 1
NB_PE2(config-router)#address-family ipv4 unicast vrf google
NB_PE2(config-router-af)#neighbor 20.20.20.21 as-override

NB_PE1(config)#router bgp 1
NB_PE1(config-router)#address-family ipv4 unicast vrf google
NB_PE1(config-router-af)#neighbor 10.10.10.11 as-override

By configuring this command it actually resets the peer, so there’s no need to clear any neighbors. The result of this is shown on NB_R2 below.

NB_R2#sh ip bgp | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    20.20.20.20                            0 1 1 i
*> 20.20.20.0/24    0.0.0.0                  0         32768 i
*> 33.33.33.33/32   20.20.20.20                            0 1 1 i

So the AS_PATH has been overridden by the PE routers to their AS number instead. This is the key difference between the two commands. Allow-as-in allowed the loop prevention to be ignored for the configured amount of instances, and the as-override caused the PE routers to modify the AS_PATH.


Popular Posts