Key Issues
1) How does an ACL match route entries with the same subnet and different masks? How do I match entries with the same mask and different subnets?
2) Why does a summary route cause a tumble of BGP peers?
3) Why does the ACL fail to match the route entry when attribute-map is used?
4) How are advertise-map, suppress-map, unsuppress-map, attribute-map, and route-map used? With examples.
5) What are the two route filtering solutions?
6) Two methods for generating a default route in BGP.
Question 1: Use a standard ACL to match entries with the same mask and different subnets; use an extended ACL to match route entries with the same subnet and different masks.
This is because a standard ACL compares only the network address and does not check the network mask length, whereas an extended ACL compares the network address and also checks the network mask length. The extended ACL here is a special form of extended ACL. Its basic format is:
access-list access-list-number {deny | permit} ip source source-wildcard mask mask-wildcard
Example:
After the basic configuration is complete, R2 shows a total of six OSPF routes.
Next, we use a distribution list (distribute-list) on R2 to control the routes. (Tip: only one distribution list can be configured under a routing process; otherwise, the new configuration overwrites the previous one.)
1) a. Use a standard ACL to match entries with the same mask and different subnets:
distribute-list 1 in
access-list 1 deny 172.16.1.0 0.0.2.255   ! removes the 1.0 and 3.0 routes
access-list 1 permit any
Conclusion: The standard ACL can match all entries with the same mask and different subnets.
b. A standard ACL cannot match route entries with the same subnet and different masks:
distribute-list 1 in
access-list 1 deny 1.0.0.0
access-list 1 permit any
Conclusion: the ACL is meant to match 1.0.0.0/8, but the actual effect is that both the 1.0.0.0/24 and 1.0.0.0/8 routes are rejected, so a standard ACL is not applicable here!
2) a. Use an extended ACL to match route entries with the same subnet and different masks: unmatched
b. Use an extended ACL to match entries with the same mask and different subnets: unmatched (This is limited by the author's technical level; currently no matching solution can be provided under multiple protocols. Please forgive me!)
Note: the experiment failed! The extended ACL cannot be used to match routes in multiple routing protocols, such as OSPF and RIP! Currently, it is only used in BGP targeted filtering.
So, try the experiment again!
Change the basic network configuration and use BGP. Try again!
On R2:
router bgp 100
neighbor 192.168.12.1 remote-as 100
neighbor 192.168.12.1 distribute-list 100 in
! permit only the route whose address is exactly 1.0.0.0 and whose mask is exactly 255.0.0.0
access-list 100 permit ip 1.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0
Summary: currently, only neighbor x.x.x.x distribute-list x in is used, in advanced configurations with BGP; other protocols are not explored.
The following two extended ACL entries permit the route 192.108.0.0/16 and deny any more specific routes, including 192.108.0.0/24.
! Every bit of the source address and source mask is compared exactly; the entry matches only when both are completely the same.
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
! Only the first 16 bits of the source address and of the source mask are compared exactly; the last 16 bits of each are ignored. Routes whose first 16 bits match are compared against this entry after the rule above.
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
The following two extended ACL entries permit the route 131.108.0.0/24 but deny all other subnet routes in 131.108.0.0/16, as well as the route 131.108.0.0.
! Every bit of the source address and source mask is compared exactly; the entry matches only when both are completely the same.
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
! Only the first 16 bits of the source address and of the source mask are compared exactly; the last 16 bits of each are ignored. Routes whose first 16 bits match are compared against this entry after the rule above.
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
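The matching rules from Question 1, modelled in Python as an added example (not code from the original article or from Cisco): a standard entry compares only the network address, while an extended entry used as a route filter also compares the mask. The tuple layout and function names are assumptions made for illustration, and the sample routes are constructed.

```python
import ipaddress

def ip(s):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def wild_match(value, pattern, wildcard):
    """IOS wildcard compare: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (value & care) == (ip(pattern) & care)

def acl_action(acl, route):
    """Return the action of the first ACL entry that matches `route` (CIDR).

    3-field entry (standard ACL): action, address, address-wildcard.
    5-field entry (extended ACL used as a route filter): adds mask, mask-wildcard.
    """
    net = ipaddress.IPv4Network(route)
    network, mask = int(net.network_address), int(net.netmask)
    for entry in acl:
        action, addr, addr_wc = entry[:3]
        if not wild_match(network, addr, addr_wc):
            continue
        # A standard entry stops here: the route's mask is never examined.
        if len(entry) == 5 and not wild_match(mask, entry[3], entry[4]):
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255")
# The page's ACLs, transcribed as tuples.
STD_1A = [("deny", "172.16.1.0", "0.0.2.255"), PERMIT_ANY]
STD_1B = [("deny", "1.0.0.0", "0.0.0.0"), PERMIT_ANY]  # no wildcard = 0.0.0.0
EXT_100 = [("permit", "1.0.0.0", "0.0.0.0", "255.0.0.0", "0.0.0.0")]
EXT_101 = [
    ("permit", "131.108.0.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
    ("deny", "131.108.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255"),
]

if __name__ == "__main__":
    # Constructed sample routes, not output from the page's lab.
    for name, acl, routes in [
        ("std 1a", STD_1A, ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]),
        ("std 1b", STD_1B, ["1.0.0.0/8", "1.0.0.0/24"]),
        ("ext 100", EXT_100, ["1.0.0.0/8", "1.0.0.0/24"]),
        ("ext 101", EXT_101, ["131.108.0.0/24", "131.108.1.0/24", "131.108.0.0/16"]),
    ]:
        for r in routes:
            print(f"{name:8} {r:18} {acl_action(acl, r)}")
```

The standard ACL 1b denies both 1.0.0.0/8 and 1.0.0.0/24 because the mask is never compared, while extended ACL 100 permits only the /8.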
Question 2: Why does a summary route cause a tumble of BGP peers?
If route entries in BGP are carried within a confederation, brackets are added to the AS-PATH of the summarized route to distinguish them.
Take 172.16.0.0/24 as an example. After aggregation with aggregate-address 172.16.0.0 255.255.252.0 as-set on R2, the PATH attribute of the summarized route may be
65530), but this command is not supported in the program! Therefore, we need to summarize the different confederation ASes on R2! Remember!
Question 3: Why does the ACL fail to match the route entry when attribute-map is used to modify the attributes of the summary route?
Note: When we need to change the attributes of the summary route, we do not need to match the summary route again; we directly modify or set its values.
Example:
aggregate-address 172.16.0.0 255.255.254.0 as-set attribute-map attr1
route-map attr1 permit 10
match ip address 100   ! error: attribute-map applies only to the summary route and does not need an ACL match
set local-preference 99
Question 4:
1) The use of attribute-map is explained above. route-map is used in the same way as attribute-map, but the two cannot coexist.
2) suppress-map needs to match the corresponding subnets in its route-map, without setting attribute values for the route entries. unsuppress-map is similar, but its effect is different!
3) advertise-map needs to select, in its route-map, the route entries to be learned, instead of the router-id.
Question 5:
1) Filter routes based on AS-PATH
ip as-path access-list 5 permit _200$   ! match route entries originating from AS 200
router bgp 65532
neighbor 192.168.57.7 filter-list 5 in
2) Filter with distribute-list based on the destination route entry
a. Global filtering
router bgp 100
distribute-list 1 in
b. Filter a single neighbor
router bgp 100
neighbor 1.1.1.1 distribute-list 1 in
Question 6:
1) ip route 0.0.0.0 0.0.0.0 null 0
router bgp 100
network 0.0.0.0
2) ip route 0.0.0.0 0.0.0.0 null 0
router bgp 100
redistribute static
default-information originate
This article is from the "Man Yu Tian" blog, please be sure to keep this source http://nanjingzhonglei.blog.51cto.com/5890022/1302342