BGP Filtering Extended Access-List


Scenario:

Ever since Diablo was defeated Deckard Cain decided to become a network engineer. Two decades have passed and the village of Tristram has upgraded their network for inter-AS connectivity. Recently some security issues have been reported and Deckard asked you to help him to filter some of the prefixes through BGP. Unfortunately the router does not support prefix-lists so you’ll have to use access-lists to accomplish this.

Goal:

  • All IP addresses have been preconfigured for you.
  • Configure EBGP between router Tristram and Sanctuary.
  • Advertise the loopback interfaces on both routers in BGP.
  • Configure a summary that advertises 10.0.0.0/8 towards router Sanctuary.
  • Configure an extended access-list on router Sanctuary that will block the 10.0.0.0/8 prefix but allows all other prefixes.
  • Configure an extended access-list on router Tristram that blocks network 10.2.2.0/24.

It took me 1000s of hours reading books and doing labs, making mistakes over and over again until I mastered all the routing protocols for CCNP.

Would you like to be a master of routing too? In a short time without having to read 900 page books or google the answers to your questions and browsing through forums?

I collected all my knowledge and created a single ebook for you that has everything you need to know to become a master of routing.

You will learn all the secrets about BGP, access-lists, filtering and more.

Does this sound interesting to you? Take a look here and let me show you how to Master CCNP ROUTE

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

BGP Filtering Access List

Opt In Image
Do you want your CCNA or CCNP Certificate?

The How to Master series helps you to understand complex topics like spanning-tree, VLANs, trunks, OSPF, EIGRP, BGP and more.

Written by Renรฉ Molenaar - CCIE #41726

You May Also Like

About the Author: Rene Molenaar

Renรฉ - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com

19 Comments

  1. You’re the man. I have never saw a man that uses (in networking) things from transformers, Diablo etc. ๐Ÿ˜€

  2. Love the naming and all but I’m not seeing the topology file attached. I guessing it’s a work in process. But I’m really looking forward to it.

  3. I just discovered the labs on this site…. This is awesome…Thank you!!! really great for refreshing before the test. I used loopbacks 1.1.1.1 for tristram & 2.2.2.2 for sanctuary; for the ebgp neighborships. and Loopbacks 10.0.0.1/8 & 10.2.2.1/24 for the ACL part.

  4. I have my doubts, I need the video an the final configurations, please Rene put them. I want to tell you that I have learned very much with your laboratories, thak so much.

  5. Please check and explain me where i have gone wrong…

    Tristram#sh run
    Building configuration…

    Current configuration : 1019 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Tristram
    !
    !
    ip subnet-zero
    !
    !
    no ip domain-lookup
    !
    ip audit notify log
    ip audit po max-events 100
    !
    call rsvp-sync
    !
    !
    !
    !
    !
    fax interface-type fax-mail
    mta receive maximum-recipients 0
    !
    !
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.255
    !
    interface Loopback1
    ip address 10.0.0.1 255.0.0.0
    !
    interface FastEthernet0/0
    ip address 192.168.12.1 255.255.255.0
    ip access-group 100 in
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    router bgp 1
    bgp log-neighbor-changes
    network 1.1.1.1 mask 255.255.255.255
    network 10.0.0.0
    aggregate-address 10.0.0.0 255.0.0.0
    neighbor 192.168.12.2 remote-as 2
    !
    ip classless
    no ip http server
    !
    access-list 100 deny ip any 10.2.2.0 0.0.0.255
    access-list 100 permit ip any any
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 0 0
    logging synchronous
    line aux 0
    line vty 0 4
    !
    end

    Tristram#
    ———————————————————————————————————————————————————————————————————————————————————-

    Sanctuary#term len 0
    Sanctuary#sh run
    Building configuration…

    Current configuration : 1009 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Sanctuary
    !
    !
    ip subnet-zero
    !
    !
    no ip domain-lookup
    !
    ip audit notify log
    ip audit po max-events 100
    !
    call rsvp-sync
    !
    !
    !
    !
    !
    fax interface-type fax-mail
    mta receive maximum-recipients 0
    !
    !
    !
    interface Loopback0
    ip address 2.2.2.2 255.255.255.255
    !
    interface Loopback1
    ip address 10.2.2.1 255.255.255.0
    !
    interface FastEthernet0/0
    ip address 192.168.12.2 255.255.255.0
    ip access-group 100 in
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    router bgp 2
    bgp log-neighbor-changes
    network 2.2.2.2 mask 255.255.255.255
    network 10.2.2.0 mask 255.255.255.0
    neighbor 192.168.12.1 remote-as 1
    !
    ip classless
    no ip http server
    !
    access-list 100 deny ip any 10.0.0.0 0.255.255.255
    access-list 100 permit ip any any
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 0 0
    logging synchronous
    line aux 0
    line vty 0 4
    !
    end

    Sanctuary#

  6. I got the answer…

    Trinstram,

    router bgp 1
    bgp log-neighbor-changes
    network 1.1.1.1 mask 255.255.255.255
    network 10.0.0.0
    aggregate-address 10.0.0.0 255.0.0.0
    neighbor 192.168.12.2 remote-as 2
    neighbor 192.168.12.2 distribute-list 100 in
    !
    ip classless
    no ip http server
    !
    access-list 100 deny ip 10.2.2.0 0.0.0.255 any
    access-list 100 permit ip any any
    !
    Sanctuary,,,

    router bgp 2
    bgp log-neighbor-changes
    network 2.2.2.2 mask 255.255.255.255
    network 10.2.2.0 mask 255.255.255.0
    neighbor 192.168.12.1 remote-as 1
    neighbor 192.168.12.1 distribute-list 100 in
    !
    ip classless
    no ip http server
    !
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    !
    Thanks Rene!!!

    1. Karan, no, you are wrong. Your access-list check only network part of route. The right answer is, for example if 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
      Extended IP access list 101
      10 deny ip host 10.0.0.0 host 255.0.0.0
      20 permit ip any any

  7. This was a great little exercise. Really enjoying the site, learning alot about BGP and refreshing things I had forgotten. I have put my other colleges on to this too. thanks alot.

  8. hi there ….
    can u please upload the video solution for this lab. cause i really need it for my exam to learn more and to have better degre in my certificate…
    best regards
    mr.o

Comments are closed.