AWS “Allowed Prefixes” BGP Routing with More Specific Route

Scenario:
We have a subnet configured in the “Allowed prefixes,” a /16. You can’t change the size of a subnet after it’s been created. You have to delete and recreate it, which could be a pain.

Let’s say you have a request that requires you not to advertise the /16 because it overlaps with a subnet of a company you just bought out. Or it just overlaps, and you can’t advertise it anymore. Instead of deleting and recreating the configuration, you can advertise a more specific route and filter out the other subnets on the “on-prem” WAN routers.

So you have two options:

  1. Implement another IPv4 CIDR block by designating it as a secondary CIDR within your VPC.
  2. If applicable, establish a new VPC using the CIDR block of your choice and then transfer the resources from your existing VPC to this new one.

AWS: (add second CIDR block)
AWS Direct Connect > Virtual private gateways

Direct Connect gateway association settings
Allowed prefixes
List of prefixes you want to be allowed to be advertised to the on-premises network through the Direct Connect gateway.

172.16.0.0/16
172.16.22.0/24

Specify up to 200 prefixes, each prefix separated by a comma. Or, put each prefix on separate lines.

If we list both 172.16.0.0/16 and 172.16.22.0/24 in our allowed prefixes, AWS Direct Connect will advertise both routes, as both 172.16.0.0/16 and 172.16.22.0/24 are included in the list of allowed prefixes.

Remember that in BGP, more specific routes are preferred over less specific ones, assuming that all other attributes are equal. This means that for traffic to addresses in the 172.16.22.0 – 172.16.22.255 range, the /24 route will be preferred. For all other addresses in the 172.16.0.0 – 172.16.255.255 range, the /16 route will be used.

However, the final decision also depends on the routing policies of the on-premises network. If the on-premises router receives both routes, it should prefer the /24 for traffic to those addresses, unless there’s a routing policy in place that changes this behavior.

Cisco: (filter out /16 on-prem)

ip prefix-list PL_ALLOWED_ROUTES seq 10 permit 172.16.22.0/24
ip prefix-list PL_ALLOWED_ROUTES seq 20 permit 10.0.0.0/8 le 32
ip prefix-list PL_ALLOWED_ROUTES seq 30 permit 192.168.0.0/16 le 32

route-map RM_WAN_IN permit 10
 match ip address prefix-list PL_ALLOWED_ROUTES

The first entry matches exactly on the 172.16.22.0/24 prefix. The next two entries match on the 10.0.0.0/8 and 192.168.0.0/16 networks respectively and any subnets within these ranges because of the “le 32” at the end. Anything not permitted by the prefix-list, including the 172.16.0.0/16 route, falls through to the route-map’s implicit deny and never makes it into the BGP table once RM_WAN_IN is applied inbound on the neighbor facing Direct Connect.

The “le 32” at the end of a prefix in an IP prefix-list in Cisco IOS is used to match routes that have a prefix length that is less than or equal to the value specified, in this case, 32.

For example, ip prefix-list PL_ALLOWED_ROUTES seq 20 permit 10.0.0.0/8 le 32 will match any route that starts with 10.0.0.0/8 and has a prefix length that is less than or equal to 32.
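To show both halves of the scenario together, the longest-prefix behaviour described in the “Allowed prefixes” section and the inbound prefix-list filtering described here, the following is an added Python example and not code from the page or from AWS/Cisco. It parses the page’s three prefix-list lines with IOS matching semantics (exact match unless `ge`/`le` widens the window, first match wins, implicit deny at the end), applies them to a constructed set of advertised routes, and then performs a longest-prefix-match lookup before and after filtering. The advertised prefixes other than 172.16.0.0/16 and 172.16.22.0/24, and the helper names, are assumptions for the demonstration.

```python
import ipaddress
from typing import NamedTuple, Optional


class PrefixListEntry(NamedTuple):
    """One 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' line."""
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]


def parse_prefix_list(config_lines):
    """Parse IOS-style prefix-list lines into {name: [entries sorted by seq]}."""
    lists = {}
    for line in config_lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue  # skip anything that is not a prefix-list statement
        # ip(0) prefix-list(1) NAME(2) seq(3) N(4) ACTION(5) PREFIX(6) [ge X] [le Y]
        name, seq, action = tok[2], int(tok[4]), tok[5]
        prefix = ipaddress.ip_network(tok[6])
        ge = le = None
        for key, val in zip(tok[7::2], tok[8::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        lists.setdefault(name, []).append(PrefixListEntry(seq, action, prefix, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def entry_matches(entry, route):
    """IOS semantics: the route must sit inside entry.prefix and its length must
    fall in the ge/le window. With neither keyword the match is exact; 'le 32'
    widens it to every subnet down to a host route."""
    if not route.subnet_of(entry.prefix):
        return False
    lo = entry.ge if entry.ge is not None else entry.prefix.prefixlen
    if entry.le is not None:
        hi = entry.le
    elif entry.ge is not None:
        hi = route.max_prefixlen
    else:
        hi = entry.prefix.prefixlen
    return lo <= route.prefixlen <= hi


def prefix_list_permits(entries, route_str):
    """First matching entry decides; an unmatched route hits the implicit deny."""
    route = ipaddress.ip_network(route_str)
    for entry in entries:
        if entry_matches(entry, route):
            return entry.action == "permit"
    return False


def filter_inbound(entries, advertised):
    """Model 'route-map RM_WAN_IN permit 10 / match ip address prefix-list ...':
    only routes the prefix-list permits survive; everything else is dropped by
    the route-map's implicit deny and never enters the BGP table."""
    return [r for r in advertised if prefix_list_permits(entries, r)]


def longest_prefix_match(rib, address):
    """Return the most specific route covering the address, as a FIB lookup does."""
    addr = ipaddress.ip_address(address)
    covering = [ipaddress.ip_network(r) for r in rib if addr in ipaddress.ip_network(r)]
    if not covering:
        return None
    return str(max(covering, key=lambda n: n.prefixlen))


# The three prefix-list lines from the page, verbatim.
PREFIX_LIST_CONFIG = [
    "ip prefix-list PL_ALLOWED_ROUTES seq 10 permit 172.16.22.0/24",
    "ip prefix-list PL_ALLOWED_ROUTES seq 20 permit 10.0.0.0/8 le 32",
    "ip prefix-list PL_ALLOWED_ROUTES seq 30 permit 192.168.0.0/16 le 32",
]

# Constructed set of prefixes the Direct Connect gateway advertises to the WAN
# router: the page's /16 and /24, two routes inside the RFC 1918 ranges the
# prefix-list permits, and one outside them.
ADVERTISED = ["172.16.0.0/16", "172.16.22.0/24", "10.20.0.0/16",
              "192.168.50.0/24", "203.0.113.0/24"]


def demo():
    entries = parse_prefix_list(PREFIX_LIST_CONFIG)["PL_ALLOWED_ROUTES"]
    accepted = filter_inbound(entries, ADVERTISED)
    return {
        "accepted": accepted,
        # Unfiltered: the /24 wins for 172.16.22.x, the /16 catches the rest of 172.16/16.
        "unfiltered_22": longest_prefix_match(ADVERTISED, "172.16.22.10"),
        "unfiltered_30": longest_prefix_match(ADVERTISED, "172.16.30.10"),
        # Filtered: the /24 still wins, but 172.16.30.x has no route via Direct Connect.
        "filtered_22": longest_prefix_match(accepted, "172.16.22.10"),
        "filtered_30": longest_prefix_match(accepted, "172.16.30.10"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the /16 being dropped at the WAN edge while 172.16.22.0/24 survives, and that an address such as 172.16.30.10, reachable through the /16 before filtering, has no Direct Connect route afterwards; that is exactly the outcome you want when the /16 collides with the acquired company’s space, and it is also the thing to check before turning the filter on so you do not black-hole hosts that only the /16 covered.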