BGP Prevent Transit AS

This is actually a very good question which required wireshark and some musing on my part to figure out.

Here’s the short answer:
If you included R1’s AS in the filter:
R1(config)#ip as-path access-list 1 permit ^4444$
It would indeed stop ISP1 and ISP2 from using R1 as a transit path. However, there is also a negative consequence. R1’s advertisements to ISP1 and ISP2 would also be filter out.

Here’s the long answer:
The interesting question is why does it do this? To answer this question, the first point to understand is what the ip as-path command is saying. It is using regex where the “^” means “beginning of string” and “$” means “end of string.” So, " ^4444$ " means “this string contains exactly 4444.” Since the as-path access list has an implicit deny at the end, everything except 4444 in the as-path is rejected.

To figure out why the R1 is filtering out its own route, you need to look at the BGP Topology table. Here’s what it looks like:

R1#show ip bgp topology *
For address family: IPv4 Unicast

BGP table version is 4, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>                  0         32768 i

Notice the Path field in the table–specifically what is NOT there. It lists only the origin code and no AS-Path. Self-originated routes are not stamped with the AS-Path in the host router’s BGP Topology table. The route is associated with the 4444 AS Path attribute once it leaves R1 (after the filter has already done its work).

Essentially, the reason putting 4444 in the as-path filter will not work comes down the order in which BGP operates: Filter based on Topology table first, then send BGP Update message with added AS-Path attribute to neighbors.

So for the - Filter-list with AS PATH access-list –

R1(config)#ip as-path access-list 1 permit ^$

R1(config-router)#neighbor filter-list 1 out
R1(config-router)#neighbor filter-list 1 out

Does a route-map also need to be configured with this?

A route-map is not needed. Tying the as-path access-list to the neighbor via the filter-list argument is sufficient.

hello Rene, I am a bit confused, No-Export community tells BGP neighbors to advertise a prefix only to iBGP neighbors so why if we use the “no-export” community we still need to use the command “send-community”? it should still export the prefixes to iBGP based on the no-export community… am I wrong?

Hi Cristian,

By default a BGP router will not send any community values, that includes the no-export community. So if you want to send them…you’ll have to enable “send-community” on the router.


oh, now I see, I confused the export of the community with the prefixes :slight_smile: so no export will make sure we won’t expotr the prefix but then we need send community to make sure the “no export” is propagated?

That’s right :slight_smile:

thanks a lot :slight_smile:

Fantastic …it was never so easy to understand “transit AS” issue…many thanks Rene.

Hi Rene,

why should it be inbound and not outbound? Please help in understanding:

R1(config)#router bgp 1
R1(config-router)#neighbor route-map NO-EXPORT in
R1(config-router)#neighbor route-map NO-EXPORT in


Hi Abhishek,

We want to make changes in our AS and we receive prefixes from the ISP routers. When we receive these prefixes, we set the no-export community. This means our AS won’t advertise them to another AS.

Using an outbound route-map in BGP is useful if you want to advertise something to another router or AS.



Hi Rene,

Can you please tell what is the diff. between routing table and global routing table in terms of NEXT HOP.
example :
I am an enterprise and i am peering with ISP thru GP. now i have to go to prefix 202.x.y.z (

So how my outbound traffic will go in above case ?

Now if get global routing table in my internet router - How the outbound traffic will go ?

Thanks in adv

Hi Abhishek,

By default, you have one routing table which is your global routing table. Once you start working with VRFs, that’s when you will have more than one routing table.

Take a look at this lesson to learn more about this:

VRF Lite


19 posts were merged into an existing topic: BGP Prevent Transit AS

Hey Rene,

Thanks for your great lessons and labs you post. I have a question regarding BGP when using 2 ISPs.

I have a muti-homes ISR with two ISPs both advertising a default route via BGP I have manipulated the weight attribute to prefer ISP1 over ISP2. My question is why when I learn the default route through ISP1 my ISR also advertises it to ISP2 becoming a transit AS, even though I didnt manually configure it under my BGP instance ?

Thanks in advance.

Hi @iniguezjuan,

By default, BGP will advertise prefixes that you have learned from one eBGP neighbor to another eBGP neighbor. That’s why you will have to configure your router to prevent this :slight_smile:

HI ’

R1--?   ( I want this in Tansit AS)
router bgp 1
 bgp log-neighbor-changes
 network mask
 neighbor remote-as 2
 neighbor remote-as 3

R2--  (ISP-1)
router bgp 2
 bgp log-neighbor-changes
 network mask
 neighbor remote-as 1

R3--(ISP 2)
router bgp 3
 bgp log-neighbor-changes
 network mask
 neighbor remote-as 1

All loopback IP are reachable from customer router which is placed in Transit AS, however from ISP 1 loopback am unable to ping ISP 2-loopback please help

Hello Kaza

At first glance there doesn’t seem to be an issue with your configs. However, keep in mind that BGP is slow. It’s a good idea to use the clear ip bgp * command to speed things up.

Also, the config you are setting up is similar to that in the lesson. Try duplicating the lesson first and see that that works. You can then adjust your IP addresses accordingly to match the lab you want. Let us know of your results…

I hope this has been helpful!


Hello Laz, I was asking myself why can’t we use route-map with AS-PATH access-list instead of using filter-list in the first example?

ip as-path access-list 1 permit ^$
route-map LAZ permit 10
     match as-path 1
router bgp 1
     neighbor <ip> route-map LAZ out


Hello sales2161

Hmm, that’s an interesting solution that actually looks correct. I don’t see why this wouldn’t work. Can you lab it up and share the results? We can share it with Rene and see what he thinks…


1 Like