
List:       zebra
Subject:    [zebra 11017] Re: Translate commands from Cisco to Zebra
From:       John Fraizer <zebra () EnterZone ! Net>
Date:       2001-10-31 7:53:31




On Tue, 30 Oct 2001, John Narron wrote:

> Try using something like this:
> 
>    access-list 1 permit 0.0.0.0/1
>    access-list 2 permit 0.0.0.0/1



Shouldn't that be 0.0.0.0/1 and 128.0.0.0/1?

And BTW: Zebra did allow me to specify those two as access lists.  I
personally use prefix-lists generally vs. access-lists but, I suppose, it's
a matter of preference.

Here is one that IMHO, everyone should apply to their peers:

ip prefix-list PEERS seq 5 deny 0.0.0.0/0
ip prefix-list PEERS seq 10 deny 0.0.0.0/0 ge 25
ip prefix-list PEERS seq 15 deny 10.0.0.0/8 le 32
ip prefix-list PEERS seq 20 deny 127.0.0.0/8 le 32
ip prefix-list PEERS seq 25 deny 128.0.0.0/16 le 32
ip prefix-list PEERS seq 30 deny 172.16.0.0/12 le 32
ip prefix-list PEERS seq 35 deny 191.255.0.0/16 le 32
ip prefix-list PEERS seq 40 deny 192.0.2.0/24 le 32
ip prefix-list PEERS seq 45 deny 192.168.0.0/16 le 32
ip prefix-list PEERS seq 50 deny 223.255.255.0/24 le 32
ip prefix-list PEERS seq 55 deny 224.0.0.0/3 le 32
ip prefix-list PEERS seq 60 permit any

Additionally, I have my own PI space included in the prefix list.  There
should be no case where my best route (or ANY route) to myself would be
via a peer, so we don't accept announcements from our peers for our own
address space.

> (Don't need to do 127.0.0.0/8 - localhost after all, and
>  you can probably skip 0.0.0.0/8 and 10.0.0.0/8)
> 

How about this:

router bgp [yourasn]
network [your network(s)]
neighbor a.a.a.a remote-as AAAA
neighbor a.a.a.a description PEER A
neighbor a.a.a.a prefix-list PEERS in
neighbor a.a.a.a route-map PREF-BOTTOM-HALF in
neighbor b.b.b.b remote-as BBBB
neighbor b.b.b.b description PEER B
neighbor b.b.b.b prefix-list PEERS in
neighbor b.b.b.b route-map PREF-TOP-HALF in
!
! prefix-list PEERS is a sanity-check.  You shouldn't see these from
! any peer if you run in the default-free zone.  First match wins, and
! anything not matched falls through to seq 60.
!
ip prefix-list PEERS seq 5 deny 0.0.0.0/0
ip prefix-list PEERS seq 10 deny 0.0.0.0/0 ge 25
ip prefix-list PEERS seq 15 deny 10.0.0.0/8 le 32
ip prefix-list PEERS seq 20 deny 127.0.0.0/8 le 32
ip prefix-list PEERS seq 25 deny 128.0.0.0/16 le 32
ip prefix-list PEERS seq 30 deny 172.16.0.0/12 le 32
ip prefix-list PEERS seq 35 deny 191.255.0.0/16 le 32
ip prefix-list PEERS seq 40 deny 192.0.2.0/24 le 32
ip prefix-list PEERS seq 45 deny 192.168.0.0/16 le 32
ip prefix-list PEERS seq 50 deny 223.255.255.0/24 le 32
ip prefix-list PEERS seq 55 deny 224.0.0.0/3 le 32
ip prefix-list PEERS seq 60 permit any
!
! prefix-list PREF-BOTTOM-HALF allows the bottom half of 0/0 in, provided
! the announcements are for /24's or larger.
!
ip prefix-list PREF-BOTTOM-HALF seq 5 permit 0.0.0.0/1 le 24
ip prefix-list PREF-BOTTOM-HALF seq 10 deny any
!
! prefix-list PREF-TOP-HALF allows the top half of 0/0 in, provided the
! announcements are for /24's or larger.
!
ip prefix-list PREF-TOP-HALF seq 5 permit 128.0.0.0/1 le 24
ip prefix-list PREF-TOP-HALF seq 10 deny any
!
! as-path access-lists: the trailing "_" anchors the regexp on an AS
! boundary so that ^AAAA_ matches paths from AS AAAA only, not AS AAAA1.
! The route-maps below reference these lists by name.
!
ip as-path access-list PEER-A permit ^AAAA_
ip as-path access-list PEER-B permit ^BBBB_
!
route-map PREF-BOTTOM-HALF permit 5
 match as-path PEER-A
 match ip address prefix-list PREF-BOTTOM-HALF
 set local-preference 200
!
route-map PREF-BOTTOM-HALF permit 10
 match as-path PEER-A
 set local-preference 150
!
route-map PREF-TOP-HALF permit 5
 match as-path PEER-B
 match ip address prefix-list PREF-TOP-HALF
 set local-preference 200
!
route-map PREF-TOP-HALF permit 10
 match as-path PEER-B
 set local-preference 150
!


OK.  The above config is "functional" but has NO filtering on your
announcements to the world.  (That is an exercise for the reader -- or I
do consulting as well [shameless plug].)

It does pretty much the same thing as the Cisco config you specified in
your original post, with the exception that it also filters bogons and
anything more specific than /24 from the announcements you accept from
your peers.  It also uses prefix-lists (which, as I stated earlier, I like
better than access-lists) for the route-map filters vs. access-lists.
Something else different is that we're doing as-path checking on the
route-maps as well.  This just keeps your peers honest and, IMHO, it's a
good idea to apply this type of filter to all of your peers.


Note: This (0.0.0.0/1 and 128.0.0.0/1), IMHO, is the worst way to attempt
load balancing of circuits.  It rarely results in anything more than
wasted time entering configs.


---
John Fraizer
EnterZone, Inc
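
The inbound policy in the config above (prefix-list PEERS as the sanity
check, then the PREF-* route-maps assigning local-preference) evaluated
offline, as an added example that is not code from the post or from Zebra.
It implements Cisco/Zebra prefix-list semantics (first match wins, ge/le
length bounds, implicit deny) and the "_" AS-path regexp anchor, and then
runs a handful of constructed announcements through it.  The concrete AS
numbers 64496 and 64497 standing in for the post's AAAA/BBBB placeholders,
and all sample prefixes and paths, are assumptions made for this example.

```python
import ipaddress
import re

# Prefix-lists transcribed from the post: (seq, action, prefix, ge, le).
# "any" is Zebra's shorthand for 0.0.0.0/0 le 32.
PREFIX_LISTS = {
    "PEERS": [
        (5, "deny", "0.0.0.0/0", None, None),
        (10, "deny", "0.0.0.0/0", 25, None),
        (15, "deny", "10.0.0.0/8", None, 32),
        (20, "deny", "127.0.0.0/8", None, 32),
        (25, "deny", "128.0.0.0/16", None, 32),
        (30, "deny", "172.16.0.0/12", None, 32),
        (35, "deny", "191.255.0.0/16", None, 32),
        (40, "deny", "192.0.2.0/24", None, 32),
        (45, "deny", "192.168.0.0/16", None, 32),
        (50, "deny", "223.255.255.0/24", None, 32),
        (55, "deny", "224.0.0.0/3", None, 32),
        (60, "permit", "any", None, None),
    ],
    "PREF-BOTTOM-HALF": [(5, "permit", "0.0.0.0/1", None, 24), (10, "deny", "any", None, None)],
    "PREF-TOP-HALF": [(5, "permit", "128.0.0.0/1", None, 24), (10, "deny", "any", None, None)],
}

# Assumed concrete ASNs for the post's AAAA/BBBB placeholders (RFC 5398 documentation range).
AS_PATH_LISTS = {"PEER-A": "^64496_", "PEER-B": "^64497_"}

# Route-maps from the post: (seq, match clauses, local-preference to set).
ROUTE_MAPS = {
    "PREF-BOTTOM-HALF": [
        (5, {"as-path": "PEER-A", "prefix-list": "PREF-BOTTOM-HALF"}, 200),
        (10, {"as-path": "PEER-A"}, 150),
    ],
    "PREF-TOP-HALF": [
        (5, {"as-path": "PEER-B", "prefix-list": "PREF-TOP-HALF"}, 200),
        (10, {"as-path": "PEER-B"}, 150),
    ],
}

# neighbor -> (inbound prefix-list, inbound route-map), as in the post.
NEIGHBORS = {"a.a.a.a": ("PEERS", "PREF-BOTTOM-HALF"), "b.b.b.b": ("PEERS", "PREF-TOP-HALF")}


def entry_matches(candidate, net, ge, le):
    """Cisco/Zebra prefix-list entry semantics: the candidate must lie inside
    the entry's network, and its length must fall in [ge or entry length,
    le or 32]; with neither ge nor le the length must equal the entry's."""
    if net == "any":
        net, le = "0.0.0.0/0", 32
    entry = ipaddress.ip_network(net)
    if not candidate.subnet_of(entry):
        return False
    lo = ge if ge is not None else entry.prefixlen
    if le is not None:
        hi = le
    elif ge is not None:
        hi = 32
    else:
        hi = entry.prefixlen
    return lo <= candidate.prefixlen <= hi


def prefix_list_permits(name, prefix):
    """First matching entry wins; an unmatched prefix hits the implicit deny."""
    candidate = ipaddress.ip_network(prefix)
    for _seq, action, net, ge, le in sorted(PREFIX_LISTS[name], key=lambda e: e[0]):
        if entry_matches(candidate, net, ge, le):
            return action == "permit"
    return False


def as_path_matches(list_name, as_path):
    """Cisco-style AS-path regexp: "_" stands for start, end or a separator,
    so ^64496_ matches a path beginning with AS 64496 but not AS 644961."""
    pattern = AS_PATH_LISTS[list_name].replace("_", r"(?:^|$|\s)")
    return re.search(pattern, as_path) is not None


def route_map_local_pref(name, prefix, as_path):
    """Return the local-preference set by the first clause whose match
    conditions all hold, or None when no clause matches (route dropped)."""
    for _seq, clauses, local_pref in sorted(ROUTE_MAPS[name], key=lambda e: e[0]):
        if "as-path" in clauses and not as_path_matches(clauses["as-path"], as_path):
            continue
        if "prefix-list" in clauses and not prefix_list_permits(clauses["prefix-list"], prefix):
            continue
        return local_pref
    return None


def accept_route(neighbor, prefix, as_path):
    """Inbound policy for one announcement: the neighbor's prefix-list runs
    first (bogon / too-specific sanity check), then the route-map assigns
    local-preference.  None means the announcement is rejected."""
    prefix_list, route_map = NEIGHBORS[neighbor]
    if not prefix_list_permits(prefix_list, prefix):
        return None
    return route_map_local_pref(route_map, prefix, as_path)


if __name__ == "__main__":
    # Constructed sample announcements (neighbor, prefix, AS path).
    samples = [
        ("a.a.a.a", "8.8.8.0/24", "64496 15169"),       # bottom half via A -> 200
        ("a.a.a.a", "198.51.100.0/24", "64496 64500"),  # top half via A    -> 150
        ("a.a.a.a", "8.8.8.0/25", "64496 15169"),       # longer than /24   -> dropped
        ("a.a.a.a", "10.1.0.0/16", "64496 64500"),      # RFC 1918 bogon    -> dropped
        ("a.a.a.a", "8.8.8.0/24", "644961 15169"),      # wrong first AS    -> dropped
        ("b.b.b.b", "198.51.100.0/24", "64497 64500"),  # top half via B    -> 200
        ("b.b.b.b", "8.8.8.0/24", "64497 15169"),       # bottom half via B -> 150
    ]
    for neighbor, prefix, path in samples:
        print(f"{neighbor} {prefix:18} path {path:14} -> {accept_route(neighbor, prefix, path)}")
```

The "wrong first AS" sample is the case the trailing "_" in the as-path
regexp exists for: without it, ^64496 would also accept a path that begins
with AS 644961.  Note that the second clause of each route-map still
requires the peer's own AS at the head of the path, so a route whose path
does not start there is dropped rather than given local-preference 150.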
