revised ACL 112 ?
Philippe Strauss
philippe.strauss at urbanet.ch
Wed Jun 16 21:37:36 UTC 1999
Hi nanogers,
Recently (today :) I've been playing with configuring Sean's
ACL 112 on our transit BGP router.
I'm surprised by the number of routes which have been dropped,
especially in the 206.0.0.0/7 range.
The exact access list is the one Sean described on this
list in 1995, available at http://www.ianai.net/filters/Sprint-ACL112
Here are the results:
Before:
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
144.85.0.5 4 6893 42 30 687201 0 0 00:22:52 13
194.38.74.206 4 6776 28 37 687201 0 0 00:24:54 21
194.38.74.214 4 65501 26 27 687202 0 0 00:22:15 2
194.38.74.218 4 65402 0 0 0 0 0 never Idle (Admin)
194.148.254.253 4 3334 28 30 687162 0 0 00:23:04 2
195.89.0.85 4 5378 22567 26 687202 0 0 00:20:38 59045
195.141.225.1 4 6730 22398 15 687202 0 0 00:09:00 62345
195.202.192.33 4 8493 1040 1042 687202 0 0 17:17:48 0
195.202.192.41 4 8493 1040 1042 687202 0 0 17:17:53 0
195.202.192.77 4 8493 1040 1042 687202 0 0 17:17:48 0
195.202.192.117 4 8493 89 91 687202 0 0 01:26:17 0
Right after (clear ip bgp (5378|6730) soft in):
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
144.85.0.5 4 6893 45 33 749634 0 0 00:25:43 13
194.38.74.206 4 6776 31 40 749634 0 0 00:27:45 21
194.38.74.214 4 65501 28 30 749634 1 0 00:25:06 2
194.38.74.218 4 65402 0 0 0 0 0 never Idle (Admin)
194.148.254.253 4 3334 30 32 687372 0 0 00:25:56 2
195.89.0.85 4 5378 22669 29 687372 1 0 00:23:30 41236
195.141.225.1 4 6730 22452 17 687372 14 0 00:11:52 42188
195.202.192.33 4 8493 1043 1045 749634 0 0 17:20:40 0
195.202.192.41 4 8493 1043 1045 749634 0 0 17:20:44 0
195.202.192.77 4 8493 1043 1045 749634 0 0 17:20:40 0
195.202.192.117 4 8493 92 94 749634 0 0 01:29:09 0
lsne-br1#sh access-lists 199
Extended IP access list 199
permit ip 192.0.0.0 13.255.255.255 0.0.0.0 255.255.255.0 (35236 matches)
permit ip 194.0.0.0 9.255.255.255 0.0.0.0 255.255.255.0 (20987 matches)
permit ip 198.0.0.0 1.255.255.255 0.0.0.0 255.255.255.0 (15285 matches)
permit ip 206.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0 (894 matches)
permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0 (611 matches)
permit ip 224.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0
permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0 (10520 matches)
permit ip 1.0.0.0 126.0.0.0 0.0.0.0 255.0.0.0 (20 matches)
permit ip 2.0.0.0 125.0.0.0 0.0.0.0 255.0.0.0 (6 matches)
permit ip 4.0.0.0 123.0.0.0 0.0.0.0 255.0.0.0 (10 matches)
permit ip 8.0.0.0 119.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
permit ip 16.0.0.0 111.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
permit ip 32.0.0.0 95.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
permit ip 64.0.0.0 63.0.0.0 0.0.0.0 255.0.0.0
permit ip 9.2.0.0 0.0.255.255 host 255.255.0.0 (2 matches)
permit ip 9.20.0.0 0.0.255.255 host 255.255.192.0
permit ip 39.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0
deny ip 0.0.0.0 127.255.255.255 0.128.0.0 255.127.255.255 (1458 matches)
deny ip 0.0.0.0 127.255.255.255 0.64.0.0 255.191.255.255
deny ip 0.0.0.0 127.255.255.255 0.32.0.0 255.223.255.255
deny ip 0.0.0.0 127.255.255.255 0.16.0.0 255.239.255.255
deny ip 0.0.0.0 127.255.255.255 0.8.0.0 255.247.255.255
deny ip 0.0.0.0 127.255.255.255 0.4.0.0 255.251.255.255
deny ip 0.0.0.0 127.255.255.255 0.2.0.0 255.253.255.255
deny ip 0.0.0.0 127.255.255.255 0.1.0.0 255.254.255.255
deny ip 0.0.0.0 127.255.255.255 0.0.0.0 255.255.0.0
deny ip 0.0.0.0 191.255.255.255 0.0.128.0 255.255.127.255 (4635 matches)
deny ip 0.0.0.0 191.255.255.255 0.0.64.0 255.255.191.255
deny ip 0.0.0.0 191.255.255.255 0.0.32.0 255.255.223.255
deny ip 0.0.0.0 191.255.255.255 0.0.16.0 255.255.239.255
deny ip 0.0.0.0 191.255.255.255 0.0.8.0 255.255.247.255
deny ip 0.0.0.0 191.255.255.255 0.0.4.0 255.255.251.255
deny ip 0.0.0.0 191.255.255.255 0.0.2.0 255.255.253.255
deny ip 0.0.0.0 191.255.255.255 0.0.1.0 255.255.254.255
deny ip 206.0.0.0 1.255.255.255 0.0.32.0 255.255.223.255 (12062 matches)
deny ip 206.0.0.0 1.255.255.255 0.0.16.0 255.255.239.255
deny ip 206.0.0.0 1.255.255.255 0.0.8.0 255.255.247.255
deny ip 206.0.0.0 1.255.255.255 0.0.4.0 255.255.251.255
deny ip 206.0.0.0 1.255.255.255 0.0.2.0 255.255.253.255
deny ip 206.0.0.0 1.255.255.255 0.0.1.0 255.255.254.255
deny ip 224.0.0.0 15.255.255.255 0.0.32.0 255.255.223.255
deny ip 224.0.0.0 15.255.255.255 0.0.16.0 255.255.239.255
deny ip 224.0.0.0 15.255.255.255 0.0.8.0 255.255.247.255
deny ip 224.0.0.0 15.255.255.255 0.0.4.0 255.255.251.255
deny ip 224.0.0.0 15.255.255.255 0.0.2.0 255.255.253.255
deny ip 224.0.0.0 15.255.255.255 0.0.1.0 255.255.254.255
deny ip any host 255.255.255.0 (9567 matches)
deny ip any 0.0.0.128 255.255.255.127 (335 matches)
deny ip any 0.0.0.64 255.255.255.191
deny ip any 0.0.0.32 255.255.255.223
deny ip any 0.0.0.16 255.255.255.239
deny ip any 0.0.0.8 255.255.255.247
deny ip any 0.0.0.4 255.255.255.251
deny ip any 0.0.0.2 255.255.255.253
deny ip any 0.0.0.1 255.255.255.252
deny ip 240.0.0.0 15.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
After reversing the order of the specific bit masking:
Right after (clear ip bgp (5378|6730) soft in):
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
144.85.0.5 4 6893 378 366 808741 0 0 05:56:23 88
194.38.74.206 4 6776 364 383 808741 0 0 05:58:25 21
194.38.74.214 4 65501 359 360 808741 0 0 05:55:46 2
194.38.74.218 4 65402 0 0 0 0 0 never Idle (Admin)
194.148.254.253 4 3334 361 377 808741 0 0 05:56:36 2
195.89.0.85 4 5378 81719 362 808741 0 0 05:54:09 40707
195.141.225.1 4 6730 31911 350 808741 0 0 05:42:32 42273
195.202.192.33 4 8493 1374 1376 809317 0 0 22:51:19 0
195.202.192.41 4 8493 1374 1376 809317 0 0 22:51:24 0
195.202.192.77 4 8493 1374 1376 809317 0 0 22:51:19 0
195.202.192.117 4 8493 422 424 809317 0 0 06:59:48 0
lsne-br1#sh access-lists 199
Extended IP access list 199
permit ip 192.0.0.0 13.255.255.255 0.0.0.0 255.255.255.0 (35360 matches)
permit ip 194.0.0.0 9.255.255.255 0.0.0.0 255.255.255.0 (23838 matches)
permit ip 198.0.0.0 1.255.255.255 0.0.0.0 255.255.255.0 (15257 matches)
permit ip 206.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0 (894 matches)
permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0 (612 matches)
permit ip 224.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0
permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0 (10540 matches)
permit ip 1.0.0.0 126.0.0.0 0.0.0.0 255.0.0.0 (20 matches)
permit ip 2.0.0.0 125.0.0.0 0.0.0.0 255.0.0.0 (6 matches)
permit ip 4.0.0.0 123.0.0.0 0.0.0.0 255.0.0.0 (10 matches)
permit ip 8.0.0.0 119.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
permit ip 16.0.0.0 111.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
permit ip 32.0.0.0 95.0.0.0 0.0.0.0 255.0.0.0 (2 matches)
permit ip 64.0.0.0 63.0.0.0 0.0.0.0 255.0.0.0
permit ip 9.2.0.0 0.0.255.255 host 255.255.0.0 (2 matches)
permit ip 9.20.0.0 0.0.255.255 host 255.255.192.0
permit ip 39.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0
deny ip 0.0.0.0 127.255.255.255 0.1.0.0 255.254.255.255 (1434 matches)
means that ~700 networks in the old A class are announced /15
deny ip 0.0.0.0 127.255.255.255 0.2.0.0 255.253.255.255 (12 matches)
deny ip 0.0.0.0 127.255.255.255 0.4.0.0 255.251.255.255 (6 matches)
deny ip 0.0.0.0 127.255.255.255 0.8.0.0 255.247.255.255 (6 matches)
deny ip 0.0.0.0 127.255.255.255 0.16.0.0 255.239.255.255
deny ip 0.0.0.0 127.255.255.255 0.32.0.0 255.223.255.255
deny ip 0.0.0.0 127.255.255.255 0.64.0.0 255.191.255.255
deny ip 0.0.0.0 127.255.255.255 0.128.0.0 255.127.255.255 (4 matches)
deny ip 0.0.0.0 127.255.255.255 0.0.0.0 255.255.0.0
deny ip 0.0.0.0 191.255.255.255 0.0.1.0 255.255.254.255 (2946 matches)
~1500 networks in the old B class are announced /23
deny ip 0.0.0.0 191.255.255.255 0.0.2.0 255.255.253.255 (656 matches)
deny ip 0.0.0.0 191.255.255.255 0.0.4.0 255.255.251.255 (281 matches)
deny ip 0.0.0.0 191.255.255.255 0.0.8.0 255.255.247.255 (156 matches)
deny ip 0.0.0.0 191.255.255.255 0.0.16.0 255.255.239.255 (170 matches)
deny ip 0.0.0.0 191.255.255.255 0.0.32.0 255.255.223.255 (205 matches)
deny ip 0.0.0.0 191.255.255.255 0.0.64.0 255.255.191.255 (123 matches)
deny ip 0.0.0.0 191.255.255.255 0.0.128.0 255.255.127.255 (147 matches)
deny ip 206.0.0.0 1.255.255.255 0.0.1.0 255.255.254.255 (7752 matches)
~3800 nets announced /23 in the supposedly /18-allocated old C space
deny ip 206.0.0.0 1.255.255.255 0.0.2.0 255.255.253.255 (1379 matches)
deny ip 206.0.0.0 1.255.255.255 0.0.4.0 255.255.251.255 (1047 matches)
deny ip 206.0.0.0 1.255.255.255 0.0.8.0 255.255.247.255 (770 matches)
deny ip 206.0.0.0 1.255.255.255 0.0.16.0 255.255.239.255 (676 matches)
deny ip 206.0.0.0 1.255.255.255 0.0.32.0 255.255.223.255 (422 matches)
deny ip 224.0.0.0 15.255.255.255 0.0.1.0 255.255.254.255
deny ip 224.0.0.0 15.255.255.255 0.0.2.0 255.255.253.255
deny ip 224.0.0.0 15.255.255.255 0.0.4.0 255.255.251.255
deny ip 224.0.0.0 15.255.255.255 0.0.8.0 255.255.247.255
deny ip 224.0.0.0 15.255.255.255 0.0.16.0 255.255.239.255
deny ip 224.0.0.0 15.255.255.255 0.0.32.0 255.255.223.255
deny ip any host 255.255.255.0 (9611 matches)
deny ip any 0.0.0.1 255.255.255.252
deny ip any 0.0.0.2 255.255.255.253 (18 matches)
deny ip any 0.0.0.4 255.255.255.251 (28 matches)
deny ip any 0.0.0.8 255.255.255.247 (22 matches)
deny ip any 0.0.0.16 255.255.255.239 (53 matches)
deny ip any 0.0.0.32 255.255.255.223 (102 matches)
deny ip any 0.0.0.64 255.255.255.191 (92 matches)
deny ip any 0.0.0.128 255.255.255.127 (45 matches)
deny ip 240.0.0.0 15.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
I know that some old unused class A's were being reallocated
CIDR. Don't know much about anything else.
Also, the old 1995 ACL112 doesn't consider the European allocation
policy (194/8 at /24, 195/8 at /20 for example), while
today's Sprint filtering policy takes this into consideration.
Anyone clueful on this topic? Is the old 1995 ACL112 way too
restrictive? Or is ISP behavior really really bad (RAM is cheap
nowadays... except Cisco RAM :-)
TIA, cheers.
--
Philippe Strauss, ingenieur reseau/systemes, Urbanet SA
philippe.strauss at urbanet.ch
tel +41 21 623 30 20
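An added example, not part of the post or of Sprint's filter, that reproduces how an extended ACL applied as a BGP distribute-list evaluates a prefix. It assumes the classic Cisco semantics in which the source address/wildcard matches the route's network number and the destination address/wildcard matches its subnet mask; the ACL text is a constructed subset of the list shown above, and match_counts mimics the per-line "(N matches)" counters so the effect of entry order on those counters can be seen.

```python
import ipaddress
from collections import Counter
# Constructed subset of the post's ACL 199 (first-match order, same syntax as 'show access-lists').
ACL_TEXT = """
permit ip 192.0.0.0 13.255.255.255 0.0.0.0 255.255.255.0
permit ip 206.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0
permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0
permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0
permit ip 1.0.0.0 126.0.0.0 0.0.0.0 255.0.0.0
deny ip 0.0.0.0 127.255.255.255 0.128.0.0 255.127.255.255
deny ip 0.0.0.0 191.255.255.255 0.0.128.0 255.255.127.255
deny ip 206.0.0.0 1.255.255.255 0.0.32.0 255.255.223.255
deny ip any host 255.255.255.0
"""

def _spec(tokens):
    a = lambda s: int(ipaddress.IPv4Address(s))  # 'any', 'host X' or 'X WILDCARD'
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return a(tokens[1]), 0, tokens[2:]
    return a(tokens[0]), a(tokens[1]), tokens[2:]

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, tokens = tokens[0], tokens[2:]       # skip the 'ip' protocol keyword
        src, swild, tokens = _spec(tokens)           # source spec: the route's network number
        dst, dwild, _ = _spec(tokens)                # destination spec: the route's subnet mask
        entries.append((action, src, swild, dst, dwild))
    return entries

def _hit(value, pattern, wildcard):
    care = ~wildcard & 0xFFFFFFFF                    # a 0 wildcard bit means "must match"
    return value & care == pattern & care

def evaluate(entries, prefix):
    # First matching line wins; ('deny', None) is the implicit deny at the end of the list.
    net = ipaddress.IPv4Network(prefix)
    addr, mask = int(net.network_address), int(net.netmask)
    for i, (action, src, swild, dst, dwild) in enumerate(entries):
        if _hit(addr, src, swild) and _hit(mask, dst, dwild):
            return action, i
    return "deny", None

def match_counts(entries, prefixes):
    # Per-line hit counters, like the '(N matches)' column of 'show access-lists'.
    return Counter(evaluate(entries, p)[1] for p in prefixes)
```

With the broad 0.128.0.0 deny placed before the narrower ones, a class A /15 and /16 both land on that same line, which is why the per-length breakdown in the post only appeared after the order was reversed.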