North American Network Operators Group


revised ACL 112 ?

  • From: Philippe Strauss
  • Date: Wed Jun 16 17:39:15 1999

Hi nanogers,

Recently (today :) I've been playing with configuring Sean's
ACL 112 on our transit BGP router.
I'm surprised by the number of routes which have been dropped,
especially in the 206.0.0.0/7 range.

The exact access list is the one Sean described on this
list in 1995, available at http://www.ianai.net/filters/Sprint-ACL112

Here are the results:

Before:
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
144.85.0.5      4  6893      42      30   687201    0    0 00:22:52       13
194.38.74.206   4  6776      28      37   687201    0    0 00:24:54       21
194.38.74.214   4 65501      26      27   687202    0    0 00:22:15        2
194.38.74.218   4 65402       0       0        0    0    0 never    Idle (Admin)
194.148.254.253 4  3334      28      30   687162    0    0 00:23:04        2
195.89.0.85     4  5378   22567      26   687202    0    0 00:20:38    59045
195.141.225.1   4  6730   22398      15   687202    0    0 00:09:00    62345
195.202.192.33  4  8493    1040    1042   687202    0    0 17:17:48        0
195.202.192.41  4  8493    1040    1042   687202    0    0 17:17:53        0
195.202.192.77  4  8493    1040    1042   687202    0    0 17:17:48        0
195.202.192.117 4  8493      89      91   687202    0    0 01:26:17        0

Right after (clear ip bgp (5378|6730) soft in):
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
144.85.0.5      4  6893      45      33   749634    0    0 00:25:43       13
194.38.74.206   4  6776      31      40   749634    0    0 00:27:45       21
194.38.74.214   4 65501      28      30   749634    1    0 00:25:06        2
194.38.74.218   4 65402       0       0        0    0    0 never    Idle (Admin)
194.148.254.253 4  3334      30      32   687372    0    0 00:25:56        2
195.89.0.85     4  5378   22669      29   687372    1    0 00:23:30    41236
195.141.225.1   4  6730   22452      17   687372   14    0 00:11:52    42188
195.202.192.33  4  8493    1043    1045   749634    0    0 17:20:40        0
195.202.192.41  4  8493    1043    1045   749634    0    0 17:20:44        0
195.202.192.77  4  8493    1043    1045   749634    0    0 17:20:40        0
195.202.192.117 4  8493      92      94   749634    0    0 01:29:09        0

lsne-br1#sh access-lists 199
Extended IP access list 199
    permit ip 192.0.0.0 13.255.255.255 0.0.0.0 255.255.255.0 (35236 matches)
    permit ip 194.0.0.0 9.255.255.255 0.0.0.0 255.255.255.0 (20987 matches)
    permit ip 198.0.0.0 1.255.255.255 0.0.0.0 255.255.255.0 (15285 matches)
    permit ip 206.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0 (894 matches)
    permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0 (611 matches)
    permit ip 224.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0
    permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0 (10520 matches)
    permit ip 1.0.0.0 126.0.0.0 0.0.0.0 255.0.0.0 (20 matches)
    permit ip 2.0.0.0 125.0.0.0 0.0.0.0 255.0.0.0 (6 matches)
    permit ip 4.0.0.0 123.0.0.0 0.0.0.0 255.0.0.0 (10 matches)
    permit ip 8.0.0.0 119.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
    permit ip 16.0.0.0 111.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
    permit ip 32.0.0.0 95.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
    permit ip 64.0.0.0 63.0.0.0 0.0.0.0 255.0.0.0
    permit ip 9.2.0.0 0.0.255.255 host 255.255.0.0 (2 matches)
    permit ip 9.20.0.0 0.0.255.255 host 255.255.192.0
    permit ip 39.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0
    deny ip 0.0.0.0 127.255.255.255 0.128.0.0 255.127.255.255 (1458 matches)
    deny ip 0.0.0.0 127.255.255.255 0.64.0.0 255.191.255.255
    deny ip 0.0.0.0 127.255.255.255 0.32.0.0 255.223.255.255
    deny ip 0.0.0.0 127.255.255.255 0.16.0.0 255.239.255.255
    deny ip 0.0.0.0 127.255.255.255 0.8.0.0 255.247.255.255
    deny ip 0.0.0.0 127.255.255.255 0.4.0.0 255.251.255.255
    deny ip 0.0.0.0 127.255.255.255 0.2.0.0 255.253.255.255
    deny ip 0.0.0.0 127.255.255.255 0.1.0.0 255.254.255.255
    deny ip 0.0.0.0 127.255.255.255 0.0.0.0 255.255.0.0
    deny ip 0.0.0.0 191.255.255.255 0.0.128.0 255.255.127.255 (4635 matches)
    deny ip 0.0.0.0 191.255.255.255 0.0.64.0 255.255.191.255
    deny ip 0.0.0.0 191.255.255.255 0.0.32.0 255.255.223.255
    deny ip 0.0.0.0 191.255.255.255 0.0.16.0 255.255.239.255
    deny ip 0.0.0.0 191.255.255.255 0.0.8.0 255.255.247.255
    deny ip 0.0.0.0 191.255.255.255 0.0.4.0 255.255.251.255
    deny ip 0.0.0.0 191.255.255.255 0.0.2.0 255.255.253.255
    deny ip 0.0.0.0 191.255.255.255 0.0.1.0 255.255.254.255
    deny ip 206.0.0.0 1.255.255.255 0.0.32.0 255.255.223.255 (12062 matches)
    deny ip 206.0.0.0 1.255.255.255 0.0.16.0 255.255.239.255
    deny ip 206.0.0.0 1.255.255.255 0.0.8.0 255.255.247.255
    deny ip 206.0.0.0 1.255.255.255 0.0.4.0 255.255.251.255
    deny ip 206.0.0.0 1.255.255.255 0.0.2.0 255.255.253.255
    deny ip 206.0.0.0 1.255.255.255 0.0.1.0 255.255.254.255
    deny ip 224.0.0.0 15.255.255.255 0.0.32.0 255.255.223.255
    deny ip 224.0.0.0 15.255.255.255 0.0.16.0 255.255.239.255
    deny ip 224.0.0.0 15.255.255.255 0.0.8.0 255.255.247.255
    deny ip 224.0.0.0 15.255.255.255 0.0.4.0 255.255.251.255
    deny ip 224.0.0.0 15.255.255.255 0.0.2.0 255.255.253.255
    deny ip 224.0.0.0 15.255.255.255 0.0.1.0 255.255.254.255
    deny ip any host 255.255.255.0 (9567 matches)
    deny ip any 0.0.0.128 255.255.255.127 (335 matches)
    deny ip any 0.0.0.64 255.255.255.191
    deny ip any 0.0.0.32 255.255.255.223
    deny ip any 0.0.0.16 255.255.255.239
    deny ip any 0.0.0.8 255.255.255.247
    deny ip any 0.0.0.4 255.255.255.251
    deny ip any 0.0.0.2 255.255.255.253
    deny ip any 0.0.0.1 255.255.255.252
    deny ip 240.0.0.0 15.255.255.255 any
    deny ip 0.0.0.0 0.255.255.255 any

After reversing the order of the specific bit masking:
Right after (clear ip bgp (5378|6730) soft in):
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
144.85.0.5      4  6893     378     366   808741    0    0 05:56:23       88
194.38.74.206   4  6776     364     383   808741    0    0 05:58:25       21
194.38.74.214   4 65501     359     360   808741    0    0 05:55:46        2
194.38.74.218   4 65402       0       0        0    0    0 never    Idle (Admin)
194.148.254.253 4  3334     361     377   808741    0    0 05:56:36        2
195.89.0.85     4  5378   81719     362   808741    0    0 05:54:09    40707
195.141.225.1   4  6730   31911     350   808741    0    0 05:42:32    42273
195.202.192.33  4  8493    1374    1376   809317    0    0 22:51:19        0
195.202.192.41  4  8493    1374    1376   809317    0    0 22:51:24        0
195.202.192.77  4  8493    1374    1376   809317    0    0 22:51:19        0
195.202.192.117 4  8493     422     424   809317    0    0 06:59:48        0

lsne-br1#sh access-lists 199
Extended IP access list 199
    permit ip 192.0.0.0 13.255.255.255 0.0.0.0 255.255.255.0 (35360 matches)
    permit ip 194.0.0.0 9.255.255.255 0.0.0.0 255.255.255.0 (23838 matches)
    permit ip 198.0.0.0 1.255.255.255 0.0.0.0 255.255.255.0 (15257 matches)
    permit ip 206.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0 (894 matches)
    permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0 (612 matches)
    permit ip 224.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0
    permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0 (10540 matches)
    permit ip 1.0.0.0 126.0.0.0 0.0.0.0 255.0.0.0 (20 matches)
    permit ip 2.0.0.0 125.0.0.0 0.0.0.0 255.0.0.0 (6 matches)
    permit ip 4.0.0.0 123.0.0.0 0.0.0.0 255.0.0.0 (10 matches)
    permit ip 8.0.0.0 119.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
    permit ip 16.0.0.0 111.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
    permit ip 32.0.0.0 95.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
    permit ip 64.0.0.0 63.0.0.0 0.0.0.0 255.0.0.0
    permit ip 9.2.0.0 0.0.255.255 host 255.255.0.0 (2 matches)
    permit ip 9.20.0.0 0.0.255.255 host 255.255.192.0
    permit ip 39.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0
    deny ip 0.0.0.0 127.255.255.255 0.1.0.0 255.254.255.255 (1434 matches)

means that ~700 networks in the old A class are announced as /15

    deny ip 0.0.0.0 127.255.255.255 0.2.0.0 255.253.255.255 (12 matches)
    deny ip 0.0.0.0 127.255.255.255 0.4.0.0 255.251.255.255 (6 matches)
    deny ip 0.0.0.0 127.255.255.255 0.8.0.0 255.247.255.255 (6 matches)
    deny ip 0.0.0.0 127.255.255.255 0.16.0.0 255.239.255.255
    deny ip 0.0.0.0 127.255.255.255 0.32.0.0 255.223.255.255
    deny ip 0.0.0.0 127.255.255.255 0.64.0.0 255.191.255.255
    deny ip 0.0.0.0 127.255.255.255 0.128.0.0 255.127.255.255 (4 matches)
    deny ip 0.0.0.0 127.255.255.255 0.0.0.0 255.255.0.0
    deny ip 0.0.0.0 191.255.255.255 0.0.1.0 255.255.254.255 (2946 matches)

~1500 networks in the old B class are announced as /23

    deny ip 0.0.0.0 191.255.255.255 0.0.2.0 255.255.253.255 (656 matches)
    deny ip 0.0.0.0 191.255.255.255 0.0.4.0 255.255.251.255 (281 matches)
    deny ip 0.0.0.0 191.255.255.255 0.0.8.0 255.255.247.255 (156 matches)
    deny ip 0.0.0.0 191.255.255.255 0.0.16.0 255.255.239.255 (170 matches)
    deny ip 0.0.0.0 191.255.255.255 0.0.32.0 255.255.223.255 (205 matches)
    deny ip 0.0.0.0 191.255.255.255 0.0.64.0 255.255.191.255 (123 matches)
    deny ip 0.0.0.0 191.255.255.255 0.0.128.0 255.255.127.255 (147 matches)
    deny ip 206.0.0.0 1.255.255.255 0.0.1.0 255.255.254.255 (7752 matches)

~3800 nets announced as /23 in the supposedly /18-allocated old C space

    deny ip 206.0.0.0 1.255.255.255 0.0.2.0 255.255.253.255 (1379 matches)
    deny ip 206.0.0.0 1.255.255.255 0.0.4.0 255.255.251.255 (1047 matches)
    deny ip 206.0.0.0 1.255.255.255 0.0.8.0 255.255.247.255 (770 matches)
    deny ip 206.0.0.0 1.255.255.255 0.0.16.0 255.255.239.255 (676 matches)
    deny ip 206.0.0.0 1.255.255.255 0.0.32.0 255.255.223.255 (422 matches)
    deny ip 224.0.0.0 15.255.255.255 0.0.1.0 255.255.254.255
    deny ip 224.0.0.0 15.255.255.255 0.0.2.0 255.255.253.255
    deny ip 224.0.0.0 15.255.255.255 0.0.4.0 255.255.251.255
    deny ip 224.0.0.0 15.255.255.255 0.0.8.0 255.255.247.255
    deny ip 224.0.0.0 15.255.255.255 0.0.16.0 255.255.239.255
    deny ip 224.0.0.0 15.255.255.255 0.0.32.0 255.255.223.255
    deny ip any host 255.255.255.0 (9611 matches)
    deny ip any 0.0.0.1 255.255.255.252
    deny ip any 0.0.0.2 255.255.255.253 (18 matches)
    deny ip any 0.0.0.4 255.255.255.251 (28 matches)
    deny ip any 0.0.0.8 255.255.255.247 (22 matches)
    deny ip any 0.0.0.16 255.255.255.239 (53 matches)
    deny ip any 0.0.0.32 255.255.255.223 (102 matches)
    deny ip any 0.0.0.64 255.255.255.191 (92 matches)
    deny ip any 0.0.0.128 255.255.255.127 (45 matches)
    deny ip 240.0.0.0 15.255.255.255 any
    deny ip 0.0.0.0 0.255.255.255 any

I know that some old unused class A blocks were being reallocated
CIDR. I don't know much about anything else.
Also, the old 1995 ACL112 doesn't consider the European allocation
policy (194/8 at /24, 195/8 at /20 for example), while
today's Sprint filtering policy takes this into consideration.

Anyone clueful on this topic? Is the old 1995 ACL112 way too
restrictive? Or is ISP behavior really really bad (RAM is cheap
nowadays.. except Cisco RAM :-)

TIA, cheers.

-- 
Philippe Strauss, network/systems engineer, Urbanet SA

[email protected]
tel +41 21 623 30 20
--
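When an extended ACL is used as a BGP distribute-list, IOS matches the "source" half against the prefix's network address and the "destination" half against its netmask, with first match winning, which is why a single "deny ... 0.0.32.0 255.255.223.255" line placed first swallows every mask from /19 down and the counters only become readable per prefix length once the lines are reversed. The evaluator below is an added example (not from the post, Sprint, or Cisco) that reproduces this matching over a constructed excerpt of the quoted ACL so a reader can check which line a given prefix hits; the distribute-list semantics and the chosen excerpt are assumptions.

```python
import ipaddress
# Constructed excerpt of the ACL quoted in the post, applied as a BGP
# distribute-list is (assumption): the "source" half is matched against the
# prefix's network address, the "destination" half against its netmask.
ACL_EXCERPT = """
permit ip 192.0.0.0 13.255.255.255 0.0.0.0 255.255.255.0
permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0
permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0
permit ip 1.0.0.0 126.0.0.0 0.0.0.0 255.0.0.0
deny ip 0.0.0.0 191.255.255.255 0.0.1.0 255.255.254.255
deny ip 206.0.0.0 1.255.255.255 0.0.1.0 255.255.254.255
deny ip 206.0.0.0 1.255.255.255 0.0.2.0 255.255.253.255
"""

def _addr_wild(tokens):
    """Consume 'any' / 'host X' / 'X WILDCARD'; return (value, wildcard, rest)."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return ip(tokens[1]), 0, tokens[2:]
    return ip(tokens[0]), ip(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines; first match wins, unmatched is denied."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()                      # tok[1] is the protocol ('ip')
        src, src_wc, rest = _addr_wild(tok[2:])
        dst, dst_wc, _ = _addr_wild(rest)
        entries.append((tok[0], src, src_wc, dst, dst_wc, line.strip()))
    return entries

def _wild_match(value, ref, wildcard):
    # Cisco wildcard semantics: a set bit in the wildcard means "don't care".
    return ((value ^ ref) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, prefix):
    """Return (action, matching line) for a prefix such as '206.1.2.0/23'."""
    net = ipaddress.IPv4Network(prefix)
    addr, mask = int(net.network_address), int(net.netmask)
    for action, src, src_wc, dst, dst_wc, text in entries:
        if _wild_match(addr, src, src_wc) and _wild_match(mask, dst, dst_wc):
            return action, text
    return "deny", "implicit deny"

def match_counts(entries, prefixes):  # per-line hits, like the '(N matches)' counters
    counts = dict.fromkeys([e[5] for e in entries] + ["implicit deny"], 0)
    for p in prefixes:
        counts[evaluate(entries, p)[1]] += 1
    return counts
```

Feeding it a received prefix list (for example the output of "sh ip bgp" parsed into network/length pairs) and comparing match_counts against the router's own counters is a quick way to confirm which line is doing the dropping before and after a reorder.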