# BGP AS Path Filter Example

Hi Hamood,

There’s a big difference between using _ or \$.

The _ matches on the white space between two AS numbers, the \$ means that it’s the end of the string. If you would use ^10886\$ then you are only matching an AS path that only has 10886 in it and nothing else.

It’s a good exercise to try this on a looking glass server

Rene

Hi Rene,

Great topic! However, I am having trouble understanding the following expressions: ^3257_[0-9]\$
Ok, so far I understand that the ^3257 is the start of the AS path, so this would be a directly connected AS. I also understand that _ represents any AS paths after 3257 and you would have to define the \$ expression to define the last AS path to match on, otherwise all AS paths after 3257 would be considered.
However, i don’t get the [0-9]
at all…Can you clarify this by also using the + and ? in substitution for the *?
I read your BGP Regular Expression topic but its still not clear…

Thanks!
Mario

Hi Mario,

The [0-9] means any number between 0 and 9, this means 0,1,2,3,4,5,6,7,8 and 9 are valid. The * means that we repeat the previous number 0 or multiple times. Basically this means any number from 0 to infinity matches. In our example we have 16 bit AS numbers so that means any AS number from 0 to 65535 will be matched.

The + is similar to the * but it means that we repeat the previous number 1 or multiple times. In practice, there’s a big difference between the two…for example:

When I use ^3257_[0-9]*\$ then I’m matching everything that starts with AS 3257 with none or one AS behind it, which could be any number.

When I use ^3257_[0-9]+\$ then I’m matching everything that starts with AS 3257 but there has to be one additional AS behind it, which could be any number.

The ? means that we repeat the previous number zero or one time, for example when you use [0-9]? it means that we try to match the previous value (anything between 0 and 9) but it’s optional.

Hope this helps! It takes some practice with looking glass servers to get the hang of this.

Rene

Hi Rene,

Need your expertise on this one… I have a regex script to filter prep-pended AS’s. The issue is when I test it with the “sh ip bgp regexp” cmd; no pre-pended routes are tagged (rightly fully so, because they aren’t configured yet…). So my thought is the script is functional, but when I apply the access list w/ as-path filter all of my routes disappear…

``````R1#sh ip bgp | B Net
Network Next Hop Metric LocPrf Weight Path
*&gt; 1.0.0.0 0.0.0.0 0 32768 i
*&gt; 2.0.0.0 12.1.1.2 0 0 200 i
*&gt; 3.0.0.0 12.1.1.2 0 200 300 i
*&gt; 4.0.0.0 12.1.1.2 0 200 300 400 i
``````

TESTED BEFORE SCRIPT APPLIED:

``````R1#sh ip bgp regexp ^([0-9]+)(_\1)+\$
R1#***NO ROUTES***
``````

Applied the as-path acl: “ip as-path access-list 1 permit ^([0-9]+)(_\1)+\$”

``````R1#sh run | s bgp
router bgp 100
bgp log-neighbor-changes
network 1.0.0.0
neighbor 12.1.1.2 remote-as 200
neighbor 12.1.1.2 filter-list 1 in

R1#sh ip bgp | B Net
Network Next Hop Metric LocPrf Weight Path
*&gt; 1.0.0.0 0.0.0.0 0 32768 i
``````

Now all routes are gone, AS200 nor any other AS has been prepened.

Also wanted to add that I’ve tried changing the ACL to deny and added a “permit all” statement at the end. Still no joy…

This one has me stumped, any help would be greatly appreciated!!

Thanks!!

Jon

Hi Jon,

This regex seems to be valid, I tested it on a looking glass server (routeserver.sunrise.ch):

``````RS_AS6730&gt;show ip bgp regexp ^([0-9]+)(_\1)+\$
BGP table version is 1413944297, local router ID is 193.192.254.90
Status codes: s suppressed, d damped, h history, * valid, &gt; best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
&#42;&gt;i1.9.0.0/16 193.192.254.1 20 80 0 4788 4788 4788 i
&#42; i 193.192.254.35 20 80 0 4788 4788 4788 i
&#42; i 212.161.178.91 20 80 0 4788 4788 4788 i
&#42; i 212.161.178.91 20 80 0 4788 4788 4788 i
&#42;&gt;i1.9.21.0/24 193.192.254.1 20 80 0 4788 4788 i
&#42; i 212.161.178.91 20 80 0 4788 4788 i
&#42; i 212.161.178.91 20 80 0 4788 4788 i
&#42;&gt;i1.9.52.0/24 193.192.254.1 20 80 0 4788 4788 4788 ?
&#42; i 212.161.178.91 20 80 0 4788 4788 4788 ?
&#42; i 212.161.178.91 20 80 0 4788 4788 4788 ?
&#42;&gt;i1.9.53.0/24 193.192.254.1 20 80 0 4788 4788 4788 ?
&#42; i 212.161.178.91 20 80 0 4788 4788 4788 ?
&#42; i 212.161.178.91 20 80 0 4788 4788 4788 ?
&#42;&gt;i1.9.54.0/24 193.192.254.1 20 80 0 4788 4788 4788 ?
&#42; i 212.161.178.91 20 80 0 4788 4788 4788 ?
&#42; i 212.161.178.91 20 80 0 4788 4788 4788 ?
&#42;&gt;i1.9.55.0/24 193.192.254.1 20 80 0 4788 4788 4788 ?
&#42; i 212.161.178.91 20 80 0 4788 4788 4788 ?
&#42; i 212.161.178.91 20 80 0 4788 4788 4788 ?
``````

And in my lab it’s working too:

``````hostname R1
!
router bgp 1
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
network 11.11.11.0 mask 255.255.255.0
neighbor 192.168.12.2 remote-as 2
neighbor 192.168.12.2 route-map PREPEND out

route-map PREPEND permit 10
match ip address 1
set as-path prepend 1 1 1 1 1
!
route-map PREPEND permit 20
!
access-list 1 permit 1.1.1.0 0.0.0.255
``````

Here’s what R1 is advertising:

``````R1#show ip bgp neighbors 192.168.12.2 advertised-routes
BGP table version is 3, local router ID is 192.168.12.1
Status codes: s suppressed, d damped, h history, * valid, &gt; best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
&#42;&gt; 1.1.1.0/24 0.0.0.0 0 32768 i
&#42;&gt; 11.11.11.0/24 0.0.0.0 0 32768 i

Total number of prefixes 2
``````

And here’s what R2 has:

``````router bgp 2
bgp log-neighbor-changes
neighbor 192.168.12.1 remote-as 1
neighbor 192.168.12.1 filter-list 1 in
!
ip forward-protocol nd
!
ip as-path access-list 1 permit ^([0-9]+)(_\1)+\$
``````

And the result:

``````R2#show ip bgp
BGP table version is 2, local router ID is 192.168.12.2
Status codes: s suppressed, d damped, h history, * valid, &gt; best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
&#42;&gt; 1.1.1.0/24 192.168.12.1 0 0 1 1 1 1 1 1 i
``````

This is the only prefix it’s now accepting.

Rene

Got it!

I simply did not apply the basic rules of ACLs… Once I applied “ip as-path access-list 1 permit ^([0-9]+)(_\1)+\$” any routes advertised by my neighbor that were not prepended with the same AS number were filtered. I did not take into account the foundation rule of ACLs, that the explicit deny is at the end of every ACL. duh

In order to filter advertised routes that are prepended with the same AS:

ip as-path access-list 1 deny ^([0-9]+)(_\1)+\$

ip as-path access-list 1 permit .*

Thanks for taking the time to check it out Rene!

I’ve been a huge fan ever since you wrote, “How To Master Subnetting”; many, many moons ago… lol That was one of the best purchases I’ve ever made in my Cisco studies and you really brought it home for me on that one!!

Thanks Again!!

Jon

Hi Jon,

Good to hear you figured it out!

It’s been awhile since I wrote that book, good to hear it was useful

Rene

Hi Rene,

urgent help…what if your advertising subnet is coming in as /24, however you want to send it out to the customer for argument sake as separate slash /32 addresses?

example:

192.168.1.0/24

want to advertise this via bgp as /32

192.168.1.8

192.168.1.9

and so on?

Normally it’s the other way around, people want to advertise larger prefixes, not smaller

I don’t think there’s an easy answer to this. You can’t summarize from /24 to /32. It would be best if they advertise /32 routes in the first place to you.

If you want to do it on your router then I guess you could use an EEM script that installs /32 routes to the same next hop of your /24 route and then advertise these (with a BGP condition map) to your other neighbor.

Rene

Very nice post, have been struggling in this topic, now problem solved

Rene, I have a question about using the same route-map to both set local preference and match an as-path access-list at the same time. Basically I want to set local pref on a specific neighbor, but also filter the routes they are sending. Could I do this in the same route-map, since they would both have to be in-bound?

Something like this (please let me know if this will work or not)

``````ip as-path access-list 1
permit ^46435_[0-9]*\$
!
route-map filter-and-local-pref permit 10
set local-preference 200
route-map filter-and-local-pref permit 20
match as-path 1
!
neighbor x.x.x.x route-map filter-and-local-pref in``````

I just had a thought… maybe I should use a filter-list inbound on the neighbor and just use the route-map for setting local pref. So, something like this…

``````ip as-path access-list 1
permit ^46435_[0-9]*\$
!
route-map localpref permit 10
set local-preference 200
!
neighbor x.x.x.x route-map localpref in
neighbor x.x.x.x filter-list 1 in``````

It is possible to mix route-maps, filter-lists, distribute-lists etc. but it’s better to stick to a single route-map.

The route-map can do everything you want and it allows you to keep everything in one place. If you want to match on an AS path and set the local preference for those routes, you can do something like this:

``````ip as-path access-list 1
permit ^46435_[0-9]*\$
!
route-map filter-and-local-pref permit 10
match as-path 1
set local-preference 200
!
neighbor x.x.x.x route-map filter-and-local-pref in
``````

Without the empty permit 20 statement, all other prefixes that don’t match your AS path will be denied.

Rene

Hi Rene,

Will BGP AS Path Filter work if I have only one IP transit provider (default) and this provider doesn’t support any BGP communities? I want to announce my routes only to few my providers upstreams and to stop incoming traffic from others.

Hi Mikhail,

The AS path will always be in your BGP updates so yes, you don’t need communities for that.

Rene

Is there a show command for as-paths access-lists, or do you need to filter it out of the running config?

Hello Chris

The command `show ip as-path access-list` displays information about IP AS path access lists.

I hope this has been helpful!

Laz

Hello

please If I have below configuration , what does it do?

``````route-map CC-IN, deny, sequence 2
Match clauses:
as-path (as-path filter): 15
Set clauses:
Policy routing matches: 0 packets, 0 bytes

show ip as-path-access-list 15
AS path access list 15
permit ^39216\$

neighbor 192.168.100.1 route-map CC-IN in
``````

thanks for your support.

Hi Rawaz,

The first statement (sequence 2) denies everything in AS-path 15.

AS path access-list 15 matches only on AS number 39216, nothing else.

Your route-map, however, doesn’t have any permit statements, so because of the implicit (invisible) deny any, everything will be denied.

If your goal is to deny only whatever you have in AS path access-list 15, add an additional sequence number in your route-map. Something like:

`route-map CC-IN permit 10`

The things you then deny in sequence 2 are denied, and everything else will be permitted because of sequence 10 (which is empty which means it matches on everything).

Hope this helps!

Rene