A request arrived on your MPLS-vpn-bgp group. Due to a security breach, your customer is
experiencing DoS attacks coming from specific subnets (200.0.10.0/24, 200.0.12.0/24). You have
checked all MPLS-EBGP routes being advertised to BHK from other VPN sites and found four
subnets listed: 200.0.10.0/24, 200.0.11.0/24, 200.0.12.0/24, 200.0.13.0/24. You immediately apply
an outbound ACL filter using the appropriate MPLS-EBGP tool:
access-list 1 deny 200.0.10.0 255.255.254.0
access-list 1 permit any
What happens when you apply this ACL on the MPLS-EBGP connection to BHK?
A. It blocks all routes.
B. It blocks the routes 200.0.12.0/24, 200.0.10.0/24 only.
C. It blocks the routes 200.0.12.0/24, 200.0.13.0/24 only.
D. It blocks the routes 200.0.10.0/24, 200.0.13.0/24 only.
E. Nothing happens, no routes are blocked.
Explanation:
Remember, for the wildcard mask, 1s are I DON'T CARE, and 0s are I CARE. In the access-list we put a 0.0.0.0 255.255.254.255 network; of course 255 means "1111 1111".
This means we don't care about any of the bits in the first, second and fourth octets.
In fact, the number 0 (in 0.0.0.0) is just the smallest number we can put there and it is easy to type,
but we could use any number; it wouldn't matter, since I DON'T CARE about those octets. The only exception is the third
octet, because its wildcard mask is not "255".
Now let’s extract the 0 in the third octet in binary form (so easy, right?)
0 = 0000 0000
With the 254 in the wildcard mask, we only care about the last bit of the third octet, because 254 is
"1111 1110".
That means, if the third octet is in the form of xxxx xxx0 then it will match my access-list (x can be
0 or 1 because I DON’T CARE).
Now let’s write the third octet of 4 above subnets in binary form:
10 = 0000 1010
11 = 0000 1011
12 = 0000 1100
13 = 0000 1101
So, only 10 & 12 satisfy my access list -> I will only block the routes to 200.0.12.0/24,
200.0.10.0/24 -> B is correct.
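The wildcard check walked through above, written out in Python as an added example (it is not part of the original question or explanation). It evaluates an ordered ACL against the four advertised subnets with Cisco wildcard semantics (0 bit = must match, 1 bit = don't care, implicit deny at the end) and runs both the explanation's 0.0.0.0 255.255.254.255 entry and the question's 200.0.10.0 255.255.254.0 entry; the function names are my own.

```python
import ipaddress

# Constructed input: the four subnets advertised to BHK in the question.
ADVERTISED = ["200.0.10.0/24", "200.0.11.0/24", "200.0.12.0/24", "200.0.13.0/24"]

# The two ACL variants that appear on the page: "permit any" is 0.0.0.0 255.255.255.255.
ACL_EXPLANATION = [("deny", "0.0.0.0", "255.255.254.255"),
                   ("permit", "0.0.0.0", "255.255.255.255")]
ACL_QUESTION = [("deny", "200.0.10.0", "255.255.254.0"),
                ("permit", "0.0.0.0", "255.255.255.255")]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: every bit that is 0 in the wildcard must equal
    the corresponding bit of the base address; bits set to 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # invert the wildcard to get the "I CARE" bits
    return (a & care) == (b & care)


def evaluate_acl(acl, prefixes):
    """Return {prefix: 'permit'|'deny'} using first-match order and the
    implicit deny that ends every IOS access-list."""
    verdicts = {}
    for prefix in prefixes:
        net = str(ipaddress.IPv4Network(prefix).network_address)
        verdict = "deny"           # implicit deny if nothing matches
        for action, base, wildcard in acl:
            if wildcard_match(net, base, wildcard):
                verdict = action
                break
        verdicts[prefix] = verdict
    return verdicts


def blocked(acl, prefixes=ADVERTISED):
    """Sorted list of prefixes the ACL denies."""
    return sorted(p for p, v in evaluate_acl(acl, prefixes).items() if v == "deny")


def third_octet_bits(prefix: str) -> str:
    """Binary view of the third octet, as in the explanation (10 -> '00001010')."""
    return format(int(prefix.split(".")[2]), "08b")


if __name__ == "__main__":
    for p in ADVERTISED:
        print(p, "third octet", third_octet_bits(p))
    print("explanation ACL blocks", blocked(ACL_EXPLANATION))
    print("question ACL blocks", blocked(ACL_QUESTION))
```

Both ACL forms deny exactly 200.0.10.0/24 and 200.0.12.0/24, the two subnets whose third octet ends in a 0 bit, which is answer B.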
Here is a simple configuration example illustrating the question above. Routers R1 and
BHK are connected via FastEthernet0/0.
Router R1
interface Loopback0
 ip address 200.0.10.1 255.255.255.0
!
interface Loopback1
 ip address 200.0.11.1 255.255.255.0
!
interface Loopback2
 ip address 200.0.12.1 255.255.255.0
!
interface Loopback3
 ip address 200.0.13.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.252
!
router bgp 65500
 no synchronization
 bgp log-neighbor-changes
 network 10.0.1.0 mask 255.255.255.252
 network 200.0.10.0
 network 200.0.11.0
 network 200.0.12.0
 network 200.0.13.0
 neighbor 10.0.1.1 remote-as 65525
 no auto-summary
Router BHK
router bgp 65525
 no synchronization
 bgp log-neighbor-changes
 network 10.0.1.0 mask 255.255.255.252
 neighbor 10.0.1.2 remote-as 65500
 ! The inbound filter is applied with the standard per-neighbor distribute-list
 ! command referencing access-list 1 (the original text had "route-map 1 in" and
 ! "distribute-list list in", which reference no defined route-map or list).
 neighbor 10.0.1.2 distribute-list 1 in
 no auto-summary
!
access-list 1 deny 0.0.0.0 255.255.254.255
access-list 1 permit any
Note: You may need to clear the BGP session on Router BHK after applying the inbound filter so that the received routes are re-evaluated against the access-list.