How would I be able to filter out R3’s loopback address on R2 using a as-path access-list?
Here’s what I did:
r2
ip as-path access-list 1
deny 3$
router bgp 2
neighbor 192.168.12.1 filter-list 1 in
The above filtered out both R1’s & R3’s loopbacks. I assume it was due to an implicit deny. I then tried creating a route-map calling the as-path access-list 1 along with a second sequence number permitting all. This filtered nothing. Any thoughts?
Hello Bruce
First of all, I’m assuming your R2 is the R1 in the lesson, and R1 and R3 are ISP2 and ISP2 respectively.
The neighbor 192.168.12.1 filter-list 1 in command should only filter BGP routes that are being received from the neighbor on which they were configured, namely ISP1 (192.168.12.1). This command should not filter out the routes received from ISP2, so something else is taking place in your topology.
As for the deny 3$ statement, this would deny any AS that ends in 3, that is the AS of ISP2.
If you want to deny this you would have to apply it as neighbor 192.168.13.1 filter-list 1 in so that you can filter the advertisements coming from ISP2. I also suggest you use the ^3$ argument in order to match exactly that AS.
Try this out and let us know…
I hope this has been helpful!
Laz
Hello,
A very stupid question 
But if any providers creates filters to prevent becoming a transit AS, what would happen on the Internet?
I think an ISP wants to do BGP filtering to save its routers from overload, but what should happen if all ISPs do the same?
The Internet would become inconsistent, right?
Thanks
Hello Giovanni
You are correct, that if a provider does not allow its own network to become a transit network, then this can potentially cause problems to routing on the Internet.
Remember that the Internet has a hierarchical structure. Within its structure, we have Tier 1, Tier 2, and Tier three networks. The following diagram shows an example of how these interconnect:
Tier 1 networks must route all traffic that they receive, to any other connected network.
Tier 2 networks must route all traffic that they receive, to any other connected network, except from one Tier 1 network to another Tier 1 network.
Tier 3 networks must route all traffic that they receive to any other connected network, except from one Tier 2 or 1 network to another Tier 2 or 1 network.
So, if you have a Tier 3 network (your ISP for example), and it is connected to two or more Tier 2 networks, then your ISP should not be responsible for routing traffic from one Tier 2 network to another Tier 2 network. This will overload the ISP’s network with traffic it was never designed to carry.
Now that is the architecture of the Internet. For this specific lesson, the concept focuses on the edge of an enterprise network. If you connect to two ISPs, and you are exchanging BGP routes, you may end up advertising BGP routes from one ISP into the other, thus becoming a transit AS. This will result in the enterprise network carrying public Internet traffic, a load that it was not designed for, and for which it is not responsible. This is where the feature described in this lesson comes in handy.
I hope this has been helpful! Stay healthy and safe!
Laz
Hi,
I’m not sure if I completly understand
can you explain how classificate a network as Tier 1 or Tier 2 or Tier 3.
Does IANA do something to decide who work as transit network?
Thanks
Hello Giovanni
There is no official designation of the three Tiers of networks, but they are generally well-accepted as entities with somewhat varying definitions. Their definitions have to do with how they peer with other networks, who they provide services to, and who has to pay who fees for access.
Generally speaking, Tier 1 networks (planet-wide backbones), are the highest level networks on the Internet. They are the backbone. These networks can exchange traffic (peer) with other Tier 1 networks in both directions without paying any fees.
Tier 2 networks (regional backbones) can connect with other Tier 2 networks (peering) and exchange traffic for free, but must pay fees for transit traffic exchanged with Tier 1 networks.
Tier 3 networks (your ISP for example) must pay for all of their transit and peering services to Tier 2 networks.
These are general guidelines, but this ecosystem has developed as a viable business plan for the infrastructure of the Internet. Even though I don’t usually link to Wikipedia, it does have a good article about this infrastructure, with some useful reference links. You can take a look at the link below:
No, there are no restrictions enforced by any entity as far as transient traffic goes. It is something that has simply developed as a financial model for the routing of traffic between networks, and how those are costed.
I hope this has been helpful! Stay healthy and safe!
Laz
Need to either update configs or change network command. Configs show interface lo0 in each router as a /32. Router bgp <AS#> network command is a /24.
Hi Rene,
In your example shown below:
I would personally add in an explanation like the one i have included below as it was confusing as to why it allowed locally significant AS’s.
The string “^$” says to match the beginning of the string (“^”), and then immediately match the end of the string (“$”) this means that the string is null.
Within the scope of BGP the only time that the AS-Path is null is when you are looking at a route within your own AS that you or one of your iBGP peers has originated. Hence this matches locally originated routes
Hello Matthew
Thanks for the valuable suggestion, I will forward this to Rene for consideration and modification.
Thanks again!
Laz
Hello Rene,
In that case, as we mention in the no export, how will the neighbors know as we are not telling them?
I mean when we use OUT it tells ISP that you can know these prefixes from me, but when we use IN it only tell the prefixes inside the AS how to go out.
Can you please elaborate on your explanation?
Hello Kaza
In this particular case, we want to ensure that the prefixes that are being sent from the ISP routers to R1 will not be advertised again by R1. In other words, prefixes received from ISP1 should not be re-advertised to ISP2, and those received from ISP2 should not be advertised back to ISP1.
By using the in direction, the prefix learned from ISP1 (in an inward direction) is placed in the BGP table, but it is also associated with the no-export community, therefore, it is not re-advertised to ISP2. The opposite is also true. This is confirmed by looking at the BGP tables of ISP1 and ISP2.
I hope this has been helpful!
Laz
I would like to filter out this 8.8.8.8/32 route that my friend is advertising. Is there a way to filter incoming routes?
I’ve tried using an access-list, a prefix-list, and a route-map to filter out the 8.8.8.8/32 route, but none have worked so I’d like to know if I’m doing something wrong or if filtering incoming routes is not possible. I understand that my friend could use a prefix-list to filter out the routes he’s advertising to me, but I’m curious to see if I can do it on my end. Thank you.
Example:
show ip bgp neighbors 172.16.71.1 received-routes
Network Next Hop Metric LocPrf Weight Path
*> 8.8.8.8/32 172.16.71.1 0 65000 65515 i
*> 10.80.0.0/16 172.16.71.1 0 65000 65515 i
Hello Brian
You can indeed use prefix list filtering as well as distribute list filtering to achieve what you want. Take a look at the prefix-list section of this lesson:
Now in the lesson, the prefix list is applied on an outbound direction from the remote router. In order to apply it on your local device, you must apply it in an inbound direction.
For example, you can do this:
R1(config)#ip prefix-list NO-GoogleDNS deny 8.8.8.8/32
R1(config)#router bgp 1
R1(config-router)#neighbor 172.16.71.1 prefix-list NO-GoogleDNS in
This should filter out the specific prefix.
I hope this has been helpful!
Laz
Thank you @lagapidis. I used the suggested prefix-list IN and that suppressed the 8.8.8.8/32 route.
The option with no-export community can be a problem if AS 1 (R1 in this case) itself is a small ISP and has customers who need partial/full internet feed. One would argue that why would a customer of a small ISP need full internet feed. But there can be times when they do. For example:
AS path filtering option seems to be a good option.
Other option is to use send community only with uplink routers.
Hello Muhammad
Yes, you are correct, and thanks for sharing your thoughts. These methods that are depicted in this lesson, including the no-export community method, are primarily used for preventing an enterprise’s edge routers from becoming transit ASes. Such devices are deployed specifically for serving an enterprise’s traffic needs, are should never route transit traffic.
Of course, if you are an ISP, even a small one, it is only logical that you will have some transit traffic in your network. If that is the case, then you should choose a method that is able to correctly filter out the transit traffic you want to block, and allow the traffic you want to serve. In such a case, the other three options, with the appropriate configuration, should be sufficient to employ this.
I hope this has been helpful!
Laz
Hi Rene,
Many thanks for explaining BGP Transit AS topic very well.
I have a query other than transit AS, can’t we use Filter AS path access list instead of prefix list creation in eBGP for routes export or import, where there are thousnads of routes we need to import
BR//
Nitin Arora
Hello Nitin
As stated in the lesson:
There are 4 methods how you can prevent becoming a transit AS:
- Filter-list with AS PATH access-list.
- No-Export Community.
- Prefix-list Filtering
- Distribute-list Filtering
Prefix-lists or distribute-lists will work but it’s not a very scalable solution if you have thousands of prefixes in your BGP table. The filter-list and no-export community work very well since you only have to configure them once and it will not matter if new prefixes show up.
So yes, you can use either Filter lists with AS PATH access lists or use the no-export community when you have thousands of routes that need to be imported. These two solutions are more scalable than prefix-lists and distribute-lists.
I hope this has been helpful!
Laz
Hello Laz
As you guys explain we want to influence our local AS to do not advertise prefixes from the other ISP, why on the filter-list 1 out as i know we want to influence our AS why is not in inbound direction ?I still get confused sometimes on this things :((
Regards
Meto
Hello Metodija
Remember that when you apply filter lists or route lists as part of a BGP neighbor command, the “in” or “out” does not refer to the direction of user traffic (data plane), but it refers to the direction of the BGP messages shared between BGP peers (control plane). In this particular case, the goal of the filter list is to ensure that only prefixes of the local AS are advertised with the ISP.
The filter list is applied in an outbound direction because it filters the ASes included in the BGP update messages sent out from the Fa0/0 and Fa0/1 interfaces of R1 to ISP1 and ISP2.
That way, ISP1 and ISP2 will only be informed of the prefixes found in R1’s AS, and will not learn about the ASes advertised by the other ISP router.
Take a look at this NetworkLessons note on the direction with which route maps (and filter maps) are applied to BGP neighbors.
I hope this has been helpful!
Laz