BGP AS Path Filter Example


(Rene Molenaar) #1

This topic is to discuss the following lesson:


(system) #2

Very helpful, thanks!


(system) #3

Using a route-map is perfectly correct, but to be more complete you can always show that:

neighbor x.x.x.x filter-list 1 in

would do the same work. (Of course, the filter could be applied outbound if required by some design)

Router(config-router-af)#neighbor 1.1.1.1 filter-list ?
    AS path access list

(Hamood R) #4

Rene,

Very helpful in understanding these complex expressions. However, I do have a question about the following, which is configured on our internet hubs by our senior engineers.

AS path access list 20
     deny ^10886_209_
     permit ^10886_

^10886_209_ means deny prefixes from 10886 and any prefixes that pass through 209,
is that correct?
permit ^10886_ means permit prefixes from 10886, and what does the _ mean at the end?
Please clarify.

Thanks
Hamood


(Rene Molenaar) #5

Hi Hamood,

The _ matches the white space between the AS numbers. For example take a look at this output of a BGP table:

Network Next Hop Metric LocPrf Weight Path
* 1.0.0.0/24 203.202.143.34 0 7474 15169 i
* 202.139.124.130 1 0 7474 15169 i
* 203.13.132.29 0 7474 15169 i

In the AS path there’s a space between the AS numbers, we need to use the _ to match this.

Let’s look at your example:

deny ^10886_209_

The ^ indicates the beginning of the AS path, so AS 10886 is an AS that is directly connected to yours. Behind 10886 there is AS 209.

This statement denies prefixes that you learn from AS 10886 and that AS 10886 has learned from AS 209. It doesn’t matter where AS 209 learned it from…

The permit ^10886_ statement means that you permit everything else that you learn from AS 10886.

Does that help?

Rene


(Hamood R) #6

Rene,

Thanks, that clears up my concept. I just wanted to make sure whether ^10886_
can be written as permit ^10886$ and whether it does the same thing.
This is based on your first example in the lesson.
^10886_ permits everything from AS10886, but what is the purpose of the _ at the end?

Thanks
Hamood


(Rene Molenaar) #7

Hi Hamood,

There’s a big difference between using _ or $.

The _ matches on the white space between two AS numbers, the $ means that it’s the end of the string. If you would use ^10886$ then you are only matching an AS path that only has 10886 in it and nothing else.

It’s a good exercise to try this on a looking glass server :slight_smile:

Rene


(Mario R) #8

Hi Rene,

Great topic! However, I am having trouble understanding the following expression: ^3257_[0-9]*$
Ok, so far I understand that the ^3257 is the start of the AS path, so this would be a directly connected AS. I also understand that _ represents any AS paths after 3257 and you would have to define the $ expression to define the last AS path to match on, otherwise all AS paths after 3257 would be considered.
However, I don’t get the [0-9]*
at all… Can you clarify this by also using the + and ? in substitution for the *?
I read your BGP Regular Expression topic but it’s still not clear…

Thanks!
Mario


(Rene Molenaar) #9

Hi Mario,

The [0-9] means any number between 0 and 9, this means 0,1,2,3,4,5,6,7,8 and 9 are valid. The * means that we repeat the previous number 0 or multiple times. Basically this means any number from 0 to infinity matches. In our example we have 16-bit AS numbers so that means any AS number from 0 to 65535 will be matched.

The + is similar to the * but it means that we repeat the previous number 1 or multiple times. In practice, there’s a big difference between the two…for example:

When I use ^3257_[0-9]*$ then I’m matching everything that starts with AS 3257 with none or one AS behind it, which could be any number.

When I use ^3257_[0-9]+$ then I’m matching everything that starts with AS 3257 but there has to be one additional AS behind it, which could be any number.

The ? means that we repeat the previous number zero or one time, for example when you use [0-9]? it means that we try to match the previous value (anything between 0 and 9) but it’s optional.

Hope this helps! It takes some practice with looking glass servers to get the hang of this.

Rene
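
To make the `_`, `$`, `*`, `+` and `?` behaviour from the last few replies concrete, here is an added Python example. It is not part of the original thread and not Cisco's implementation: it rewrites a Cisco-style AS-path regex as a Python regex (the only rewrite needed is for `_`, which on IOS matches the start or end of the path, a space, a comma, a brace or a parenthesis) and runs the patterns discussed above over constructed AS paths. AS 10886, 209 and 3257 come from the thread; 2090, 1299 and 3356 are made up for the example.

```python
import re

# Cisco AS-path regex "_": comma, {, }, (, ), start of string, end of string, or space.
# Everything else in the pattern is ordinary regex, so only "_" needs rewriting.
_CISCO_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_to_python(pattern: str) -> str:
    """Rewrite a Cisco-style AS-path regex as a Python regex."""
    return pattern.replace("_", _CISCO_UNDERSCORE)


def aspath_matches(pattern: str, as_path: str) -> bool:
    """True if the Cisco-style pattern matches the AS path. The path is written as in
    'show ip bgp': ASNs separated by single spaces; a locally originated prefix has an
    empty path."""
    return re.search(cisco_to_python(pattern), as_path) is not None


# Constructed AS paths (example data only), as seen from a router peering with AS 10886 / AS 3257.
PATHS = [
    "",                 # locally originated prefix
    "10886",            # originated by the directly connected AS
    "10886 209",        # learned from 10886, which learned it from 209
    "10886 209 3356",   # 209 is a transit AS in the middle
    "10886 2090",       # starts with the digits 209 but is a different AS
    "3257",
    "3257 1299",
    "3257 1299 3356",
]


def match_table(pattern: str) -> dict:
    """Evaluate one pattern against every constructed path; keys are the paths."""
    return {path: aspath_matches(pattern, path) for path in PATHS}


def show(pattern: str) -> None:
    hits = [path or "<local>" for path, ok in match_table(pattern).items() if ok]
    print(f"{pattern!r:22} matches: {hits}")


if __name__ == "__main__":
    for pattern in (
        "^10886_209_",       # from 10886, via 209, anything behind 209
        "^10886_",           # anything from 10886 (the _ also matches the end of the path)
        "^10886$",           # only the path that is exactly 10886
        "^3257_[0-9]*$",     # 3257 alone, or 3257 plus one more AS
        "^3257_[0-9]+$",     # 3257 plus exactly one more AS (must be present)
        "^3257(_[0-9]+)?$",  # same as the * version, written with ?
    ):
        show(pattern)
```

Run it and compare `^10886_` with `^10886$`: the first also matches `10886 209` and `10886 209 3356`, the second matches nothing but the bare `10886`. The `10886 2090` path shows why the trailing `_` matters: without it `^10886_209` would also match an AS that merely starts with the digits 209.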


(Jonathan O) #10

Hi Rene,

Need your expertise on this one… I have a regex script to filter prepended ASes. The issue is when I test it with the “sh ip bgp regexp” cmd; no prepended routes are tagged (rightfully so, because they aren’t configured yet…). So my thought is the script is functional, but when I apply the access list w/ as-path filter all of my routes disappear…

R1#sh ip bgp | B Net
Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.0 0.0.0.0 0 32768 i
*> 2.0.0.0 12.1.1.2 0 0 200 i
*> 3.0.0.0 12.1.1.2 0 200 300 i
*> 4.0.0.0 12.1.1.2 0 200 300 400 i

TESTED BEFORE SCRIPT APPLIED:

R1#sh ip bgp regexp ^([0-9]+)(_\1)+$
R1#***NO ROUTES***

Applied the as-path acl: “ip as-path access-list 1 permit ^([0-9]+)(_\1)+$”

R1#sh run | s bgp
router bgp 100
bgp log-neighbor-changes
network 1.0.0.0
neighbor 12.1.1.2 remote-as 200
neighbor 12.1.1.2 filter-list 1 in

R1#sh ip bgp | B Net
Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.0 0.0.0.0 0 32768 i

Now all routes are gone, and neither AS200 nor any other AS has been prepended.


(Jonathan O) #11

Also wanted to add that I’ve tried changing the ACL to deny and added a “permit all” statement at the end. Still no joy…

This one has me stumped, any help would be greatly appreciated!!

Thanks!!

Jon


(Rene Molenaar) #12

Hi Jon,

This regex seems to be valid, I tested it on a looking glass server (routeserver.sunrise.ch):

RS_AS6730>show ip bgp regexp ^([0-9]+)(_\1)+$
BGP table version is 1413944297, local router ID is 193.192.254.90
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*>i1.9.0.0/16 193.192.254.1 20 80 0 4788 4788 4788 i
* i 193.192.254.35 20 80 0 4788 4788 4788 i
* i 212.161.178.91 20 80 0 4788 4788 4788 i
* i 212.161.178.91 20 80 0 4788 4788 4788 i
*>i1.9.21.0/24 193.192.254.1 20 80 0 4788 4788 i
* i 212.161.178.91 20 80 0 4788 4788 i
* i 212.161.178.91 20 80 0 4788 4788 i
*>i1.9.52.0/24 193.192.254.1 20 80 0 4788 4788 4788 ?
* i 212.161.178.91 20 80 0 4788 4788 4788 ?
* i 212.161.178.91 20 80 0 4788 4788 4788 ?
*>i1.9.53.0/24 193.192.254.1 20 80 0 4788 4788 4788 ?
* i 212.161.178.91 20 80 0 4788 4788 4788 ?
* i 212.161.178.91 20 80 0 4788 4788 4788 ?
*>i1.9.54.0/24 193.192.254.1 20 80 0 4788 4788 4788 ?
* i 212.161.178.91 20 80 0 4788 4788 4788 ?
* i 212.161.178.91 20 80 0 4788 4788 4788 ?
*>i1.9.55.0/24 193.192.254.1 20 80 0 4788 4788 4788 ?
* i 212.161.178.91 20 80 0 4788 4788 4788 ?
* i 212.161.178.91 20 80 0 4788 4788 4788 ?

And in my lab it’s working too:

hostname R1
!
router bgp 1
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
network 11.11.11.0 mask 255.255.255.0
neighbor 192.168.12.2 remote-as 2
neighbor 192.168.12.2 route-map PREPEND out

route-map PREPEND permit 10
match ip address 1
set as-path prepend 1 1 1 1 1
!
route-map PREPEND permit 20
!
access-list 1 permit 1.1.1.0 0.0.0.255

Here’s what R1 is advertising:

R1#show ip bgp neighbors 192.168.12.2 advertised-routes
BGP table version is 3, local router ID is 192.168.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.0/24 0.0.0.0 0 32768 i
*> 11.11.11.0/24 0.0.0.0 0 32768 i

Total number of prefixes 2

And here’s what R2 has:

router bgp 2
bgp log-neighbor-changes
neighbor 192.168.12.1 remote-as 1
neighbor 192.168.12.1 filter-list 1 in
!
ip forward-protocol nd
!
ip as-path access-list 1 permit ^([0-9]+)(_\1)+$

And the result:

R2#show ip bgp
BGP table version is 2, local router ID is 192.168.12.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.0/24 192.168.12.1 0 0 1 1 1 1 1 1 i

This is the only prefix it’s now accepting.

Rene


(Jonathan O) #13

Got it!

I simply did not apply the basic rules of ACLs… Once I applied “ip as-path access-list 1 permit ^([0-9]+)(_\1)+$” any routes advertised by my neighbor that were not prepended with the same AS number were filtered. I did not take into account the foundation rule of ACLs, that the explicit deny is at the end of every ACL. duh :slight_smile:

In order to filter advertised routes that are prepended with the same AS:

ip as-path access-list 1 deny ^([0-9]+)(_\1)+$

ip as-path access-list 1 permit .*

Thanks for taking the time to check it out Rene!

I’ve been a huge fan ever since you wrote, “How To Master Subnetting”; many, many moons ago… lol That was one of the best purchases I’ve ever made in my Cisco studies and you really brought it home for me on that one!!

Thanks Again!!

Jon


(Rene Molenaar) #14

Hi Jon,

Good to hear you figured it out!

It’s been awhile since I wrote that book, good to hear it was useful :slight_smile:

Rene


(adil k) #15

Hi Rene,

Urgent help… what if your advertised subnet is coming in as a /24, but you want to send it out to the customer, for argument’s sake, as separate /32 addresses?

example:

192.168.1.0/24

want to advertise this via bgp as /32

192.168.1.8

192.168.1.9

and so on?


(Rene Molenaar) #16

Hi Adil,

Normally it’s the other way around, people want to advertise larger prefixes, not smaller :slight_smile:

I don’t think there’s an easy answer to this. You can’t summarize from /24 to /32. It would be best if they advertise /32 routes in the first place to you.

If you want to do it on your router then I guess you could use an EEM script that installs /32 routes to the same next hop of your /24 route and then advertise these (with a BGP condition map) to your other neighbor.

Rene


(Jie C) #17

Very nice post, I have been struggling with this topic, now the problem is solved.


(Mitchell M) #18

Rene, I have a question about using the same route-map to both set local preference and match an as-path access-list at the same time. Basically I want to set local pref on a specific neighbor, but also filter the routes they are sending. Could I do this in the same route-map, since they would both have to be in-bound?

Something like this (please let me know if this will work or not)

ip as-path access-list 1
 permit ^46435_[0-9]*$
!
route-map filter-and-local-pref permit 10
 set local-preference 200
route-map filter-and-local-pref permit 20
 match as-path 1 
!
neighbor x.x.x.x route-map filter-and-local-pref in

(Mitchell M) #19

I just had a thought… maybe I should use a filter-list inbound on the neighbor and just use the route-map for setting local pref. So, something like this…

ip as-path access-list 1
permit ^46435_[0-9]*$
!
route-map localpref permit 10
 set local-preference 200
!
neighbor x.x.x.x route-map localpref in
neighbor x.x.x.x filter-list 1 in

(Rene Molenaar) #20

Hi @cradlepoint,

It is possible to mix route-maps, filter-lists, distribute-lists etc. but it’s better to stick to a single route-map.

The route-map can do everything you want and it allows you to keep everything in one place. If you want to match on an AS path and set the local preference for those routes, you can do something like this:

ip as-path access-list 1
 permit ^46435_[0-9]*$
!
route-map filter-and-local-pref permit 10
  match as-path 1
 set local-preference 200
!
neighbor x.x.x.x route-map filter-and-local-pref in

Without the empty permit 20 statement, all other prefixes that don’t match your AS path will be denied.

Rene
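
Two things in this thread trip people up in the same way: Jon's filter-list above (#10-#13), where a list containing only a permit entry dropped every non-prepended route, and the route-map just discussed (#18-#20), where a route-map without an empty permit 20 drops everything the match clause does not cover. The following Python is an added example, not part of the original thread and not IOS code: it models how an `ip as-path access-list` is walked top to bottom with an implicit deny at the end, and how an inbound route-map accepts or drops prefixes and sets local preference, then runs both over the thread's own prefixes. The 5.0.0.0/8 prefix with a self-prepended path, the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 prefixes, and AS 64500/64501 are constructed for the example; the `_` rewrite follows the documented IOS meaning of `_` (start/end of path, space, comma, brace, parenthesis).

```python
import re


def aspath_matches(pattern: str, as_path: str) -> bool:
    """Cisco-style AS-path regex against a space-separated AS path (as in 'show ip bgp')."""
    return re.search(pattern.replace("_", r"(?:^|$|[ ,{}()])"), as_path) is not None


def as_path_acl_permits(acl: list, as_path: str) -> bool:
    """Walk an 'ip as-path access-list' top to bottom. The first matching entry decides;
    a path that matches no entry hits the implicit deny at the end of the list."""
    for action, pattern in acl:
        if aspath_matches(pattern, as_path):
            return action == "permit"
    return False


def apply_filter_list(acl: list, received: dict) -> dict:
    """'neighbor X filter-list N in': keep only the received prefixes the ACL permits."""
    return {p: path for p, path in received.items() if as_path_acl_permits(acl, path)}


def apply_route_map(route_map: list, acls: dict, received: dict) -> dict:
    """'neighbor X route-map NAME in'. Sequences are (action, as-path ACL number or None,
    local preference to set or None); a sequence without a match clause matches everything.
    The first matching sequence decides, and a prefix matching no sequence is dropped, just
    like the implicit deny of an ACL. Returns {prefix: local_preference} (IOS default 100)."""
    accepted = {}
    for prefix, path in received.items():
        for action, acl_number, localpref in route_map:
            if acl_number is not None and not as_path_acl_permits(acls[acl_number], path):
                continue
            if action == "permit":
                accepted[prefix] = 100 if localpref is None else localpref
            break
    return accepted


# Jon's routes received from AS 200, plus one constructed prefix that AS 200 prepends itself on.
RECEIVED_FROM_AS200 = {
    "2.0.0.0/8": "200",
    "3.0.0.0/8": "200 300",
    "4.0.0.0/8": "200 300 400",
    "5.0.0.0/8": "200 200 200",  # constructed: self-prepended path
}
PREPENDED = r"^([0-9]+)(_\1)+$"  # an ASN immediately repeated one or more times
ACL_PERMIT_PREPENDED_ONLY = [("permit", PREPENDED)]            # Jon's first attempt
ACL_DROP_PREPENDED = [("deny", PREPENDED), ("permit", ".*")]   # his corrected list

# Mitchell's scenario: routes from AS 46435 (constructed prefixes and paths; 64500/64501 are private ASNs).
RECEIVED_FROM_AS46435 = {
    "198.51.100.0/24": "46435",
    "203.0.113.0/24": "46435 64500",
    "192.0.2.0/24": "46435 64500 64501",
}
ACLS = {1: [("permit", "^46435_[0-9]*$")]}
RM_MATCH_AND_SET = [("permit", 1, 200)]                           # route-map permit 10 only
RM_WITH_CATCHALL = [("permit", 1, 200), ("permit", None, None)]   # plus an empty permit 20

if __name__ == "__main__":
    print("permit-only list keeps :", apply_filter_list(ACL_PERMIT_PREPENDED_ONLY, RECEIVED_FROM_AS200))
    print("deny + permit .* keeps :", apply_filter_list(ACL_DROP_PREPENDED, RECEIVED_FROM_AS200))
    print("route-map, seq 10 only :", apply_route_map(RM_MATCH_AND_SET, ACLS, RECEIVED_FROM_AS46435))
    print("route-map with permit 20:", apply_route_map(RM_WITH_CATCHALL, ACLS, RECEIVED_FROM_AS46435))
```

With Jon's original three prefixes alone the permit-only list returns an empty table, which is exactly what he saw; the constructed 5.0.0.0/8 is the only path that survives it. The deny-then-permit-.* list inverts that. For the route-map, 192.0.2.0/24 (two ASes behind 46435) is dropped unless the empty permit 20 is present, in which case it is accepted with the default local preference of 100 while the matched prefixes get 200.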