BGP Filtering AS Paths

Dec 7th, 2007

I have a client that has an eBGP connection with me and uses us as a backup ISP. I also have 2 other eBGP peer connections which we load share for all our internet traffic.


My question is, I am trying to make sure that I never get inbound traffic from one of my AS's to my customer's AS. In case their primary AS fails, and they switch to us as their backup, I need to make sure all their inbound traffic comes from a particular AS on my end.


This is what I have and I think it is fine, but not sure. I want to make sure their AS never gets advertised to one of my upstream AS's.


neighbor 1.1.1.1 remote-as 111
neighbor 1.1.1.1 description UPSTREAM AS
neighbor 1.1.1.1 remove-private-as
neighbor 1.1.1.1 soft-reconfiguration inbound
neighbor 1.1.1.1 route-map UPSTREAM-AS-IN in
neighbor 1.1.1.1 route-map UPSTREAM-AS-OUT out
neighbor 1.1.1.1 filter-list 3 out

neighbor 2.2.2.2 remote-as 222
neighbor 2.2.2.2 description CLIENT
neighbor 2.2.2.2 ebgp-multihop 2
neighbor 2.2.2.2 soft-reconfiguration inbound
neighbor 2.2.2.2 route-map CLIENT-RECEIVE in
neighbor 2.2.2.2 route-map CLIENT-SEND out

ip as-path access-list 3 deny ^222$
ip as-path access-list 3 permit .*




Will this filter list make sure that AS 222 never gets advertised out to my UPSTREAM-AS that this is a valid path for inbound traffic?


Thanks for your help!


Richard Burts Fri, 12/07/2007 - 10:15

Ethan


There are some aspects of your situation that I do not understand well, such as if you are the backup ISP for the client why you would not want to advertise their routes to the upstream in the event that they have failed over and are using you as their Internet connection.


But as far as your immediate question is concerned your as path filter list would effectively prevent advertising to neighbor 1.1.1.1 of any route originated by the client and advertised directly from the client to you.


HTH


Rick

eknell Fri, 12/07/2007 - 10:27

Awesome!! That is what I wanted to hear! I just get confused on Cisco's "regular expressions".


I was also thinking this, but wasn't sure.


ip as-path access-list 3 deny _222_
ip as-path access-list 3 deny ^222$
ip as-path access-list 3 permit .*


A little background on the situation: Their primary AS is also one of our AS's, which is the AS they DON'T want to use as a path if their primary fails. An example would be if their primary AS is having issues and they switch over to us, we/they don't want their inbound traffic coming from the same AS they just killed. Otherwise the issues could follow them if they switched over. Make sense?


I appreciate your help, and if you have a good link or a good explanation of Cisco's "expressions" that would be great. By the way, I will make this change in a few days. If it works, I will rate your "post" then. Thanks Richard!
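
Added example (not part of the original thread, and not Cisco code): a small Python model of how the two versions of as-path access-list 3 posted above evaluate different AS paths, using first-match-wins with an implicit deny. The sample paths and AS numbers 333 and 444 are constructed; the translation of "_" follows the IOS definition (start or end of string, space, comma, braces, parentheses), and the path tested is assumed to be the one in the BGP table before the local AS is prepended.

```python
import re

# IOS "_" matches start of string, end of string, space, comma, braces or parentheses.
UNDERSCORE = r"(?:^|$|[ ,{}()])"

def cisco_to_python(pattern):
    """Translate an IOS AS-path regex to Python syntax (only '_' needs rewriting here)."""
    return pattern.replace("_", UNDERSCORE)

def evaluate(acl, as_path):
    """Return (action, pattern) of the first entry that matches; implicit deny at the end."""
    for action, pattern in acl:
        if re.search(cisco_to_python(pattern), as_path):
            return action, pattern
    return "deny", "(implicit)"

# The two versions of access-list 3 from the thread.
ACL_ORIGINAL = [("deny", "^222$"), ("permit", ".*")]
ACL_REVISED = [("deny", "_222_"), ("deny", "^222$"), ("permit", ".*")]

# Constructed AS paths as they would appear in the BGP table.
SAMPLE_PATHS = [
    "222",          # originated by the client, received directly
    "222 222 222",  # same route, but the client prepends its own AS
    "222 333",      # route the client learned from a downstream AS 333
    "333 444",      # unrelated path
    "1222",         # different AS whose number merely contains "222"
    "",             # locally originated route (empty AS path)
]

def report(acl):
    """Map each sample path to the action the access-list takes on it."""
    return {path: evaluate(acl, path)[0] for path in SAMPLE_PATHS}

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("revised", ACL_REVISED)):
        print(name)
        for path in SAMPLE_PATHS:
            action, pattern = evaluate(acl, path)
            print(f"  {path!r:16} {action:6} (matched {pattern})")
```

With the original list, only the exact path "222" is denied, so a prepended path such as "222 222 222" is still advertised upstream; with the revised list, every path containing AS 222 is caught by the first entry and the "^222$" line never matches anything on its own.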
