BGP using as-path filtering

Jul 17th, 2009

Hi,


I'm receiving the full routing table from my ISP, and then I'm trying to control what routes we have in our routing table using an ip as-path access-list (ideally I only want routes originated in the ISP's AS or directly attached). But it looks like we're receiving the full routing table, regardless of my prefix-list. Here's my config:


router bgp 1234
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.0
 neighbor 1.1.1.1 remote-as 1234
 neighbor 1.1.1.1 next-hop-self
 neighbor 1.1.1.1 timers 5 15
 neighbor 1.1.1.1 soft-reconfiguration inbound
 neighbor 1.1.1.1 password xxx
 neighbor 2.2.2.2 remote-as 5678
 neighbor 2.2.2.2 soft-reconfiguration inbound
 neighbor 2.2.2.2 prefix-list transit out
 neighbor 2.2.2.2 route-map allow-from-isp in
 no auto-summary

ip as-path access-list 18 permit ^5678_[0-9]*$
!
ip prefix-list transit seq 5 deny 1.1.1.0/24 <-----------this is just for testing purposes before we go live

route-map allow-from-isp permit 10
 match as-path 18


With this set up, I was getting the following:


BGP router identifier 2.2.2.2, local AS number 1234
BGP table version is 21988, main routing table version 21988
284942 network entries using 28779142 bytes of memory
284940 path entries using 13677120 bytes of memory
49179 BGP path attribute entries using 2951400 bytes of memory
44072 BGP AS-PATH entries using 1137420 bytes of memory
185 BGP community entries using 7282 bytes of memory
49 BGP route-map cache entries using 980 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 46553344 total bytes of memory
263363 received paths for inbound soft reconfiguration
BGP activity 285248/306 prefixes, 285333/393 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4  1234       0       0        0    0    0 never    Active
2.2.2.2         4  5678   50353      26    21988    0    0 00:22:45    21577


I also tried these regular expressions to see if that altered the number of entries, but it didn't:


ip as-path access-list 19 permit _5678$
ip as-path access-list 20 permit ^5678$


I then dropped the incoming filtering and accepted all routes, and it was again approx 284,000.


Any ideas on why this isn't working? We are using this exact set up with 2 other ISPs, so I'm not sure what is different in this case.


Any help would be much appreciated.


J


Giuseppe Larosa Fri, 07/17/2009 - 01:07

Hello J,


you are receiving


2.2.2.2 4 5678 50353 26 21988 0 0 00:22:45 21577


21577 IP prefixes with the filters, so they are doing something.


Have you verified with a sh ip bgp that there are AS paths that should have been filtered?



Hope to help

Giuseppe


jigsaw2026 Fri, 07/17/2009 - 03:02

Hi Giuseppe,


What should I be looking for with a sh ip bgp? That the path contains only 5678 plus 2 others?


Thanks,

J

Jon Marshall Fri, 07/17/2009 - 01:14

J


^5678_[0-9]*$ will not just accept routes with only 5678 AS in them. It will accept routes with 2 AS paths.


Your other regex should work though, i.e. ^5678$. Not sure whether you need to soft reset the connection if you apply a different filter.


Jon

k.hariharan1 Fri, 07/17/2009 - 02:22

Reason for getting a greater number of routes

========================================


If you want your AS to get networks originated from AS 5678 and all directly attached ASs of AS 5678, then you only have to apply the following inbound filter on your router.


ip as-path access-list 1 permit ^5678_[0-9]*$


If you would like for your Router to receive only the routes originated from AS 5678 (and no Internet routes), you can apply an inbound access list on your Router as follows:


ip as-path access-list 1 permit ^5678$

and then give

clear ip bgp 2.2.2.2 soft in prefix-filter


Hi guys,

correct me if I am wrong.


Regards,

Hariharan k

Jon Marshall Fri, 07/17/2009 - 02:30

Hariharan


"If you want your AS to get networks originated from AS 5678 and all directly attached ASs of AS 5678, then you only have to apply the following inbound filter on your router.


ip as-path access-list 1 permit ^5678_[0-9]*$"


Correct, looks like you read the question better than me :-)


J, apologies as I misread your original post. I didn't realise you wanted AS 5678 + any directly attached ASs.


Jon

jigsaw2026 Fri, 07/17/2009 - 02:38

Many thanks for your responses everyone.


The thing is I did apply ip as-path access-list 1 permit ^5678_[0-9]*$ as an inbound filter (see config above), and it didn't make any difference! That's my problem - but I seem to get 280,000 routes in my routing table no matter what regex I use...

Marwan ALshawi Fri, 07/17/2009 - 03:33

Can you please post your BGP config, including the route-map, as-path and part of the show ip bgp?



jigsaw2026 Fri, 07/17/2009 - 05:23

Hi Marwanshawi, my config is in my first post.

Thank you,

J

Pavel Bykov Fri, 07/17/2009 - 04:22

J, It looks like you have created an ACL that allows all routes that are transiting through your ISP, which are all of them.


Change your AS_PATH acl to this:

ip as-path access-list 18 permit ^5678(_[0-9]+)?$


Also, try turning on and off deterministic regexp. This also can make a difference in interpreting regexp.



As a side note, do not rush into route-maps without a need. If your requirement is only to filter paths, use "neighbor x.x.x.x filter-list YYY in"


Do not necessarily overcomplicate things
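
As an added illustration (not code posted by anyone in this thread), the script below emulates Cisco's as-path regex semantics in Python, where `_` matches a space, comma, brace, or the start or end of the path, and runs the expressions discussed above against constructed sample AS paths; it goes slightly beyond the thread by also including a prepended path and a 32-bit AS number. `SAMPLE_PATHS` and the helper names are assumptions made for this example.

```python
import re

# Cisco's AS-path regex treats "_" as: a comma, "{", "}", a space, or the
# start or end of the string. Emulate that so the thread's access-list
# expressions can be tried offline against sample paths.
CISCO_UNDERSCORE = r"(?:^|$|[\s,{}])"


def cisco_regex_to_python(expr):
    """Translate an 'ip as-path access-list' regex into Python regex syntax."""
    return expr.replace("_", CISCO_UNDERSCORE)


def as_path_matches(expr, as_path):
    """True if Cisco-style regex `expr` would permit the AS_PATH `as_path`.

    `as_path` is the path as printed by 'show ip bgp', e.g. "5678 100 200":
    leftmost AS is the peer, rightmost AS is the originator.
    """
    return re.search(cisco_regex_to_python(expr), as_path) is not None


# Constructed sample AS paths, as seen from a router peering with AS 5678.
SAMPLE_PATHS = [
    "5678",              # originated by the ISP itself
    "5678 100",          # originated by an AS directly attached to the ISP
    "5678 100 200",      # transit: two hops behind the ISP
    "5678 100 200 300",  # transit: three hops behind the ISP
    "5678 5678 100",     # the ISP prepended its own AS once
    "5678 12345678",     # a directly attached 32-bit (asplain) AS number
]


def permitted_paths(expr, paths=SAMPLE_PATHS):
    """Return the sample paths that `expr` lets through the inbound filter."""
    return [p for p in paths if as_path_matches(expr, p)]


if __name__ == "__main__":
    # The original poster's expression, the two alternatives he tried,
    # and the equivalent form suggested later in the thread.
    for expr in ("^5678_[0-9]*$", "^5678$", "_5678$", "^5678(_[0-9]+)?$"):
        print(f"{expr:20} -> {permitted_paths(expr)}")
```

Running it shows that `^5678_[0-9]*$` and `^5678(_[0-9]+)?$` admit exactly the same paths (the ISP's own routes plus one directly attached AS), while `^5678$` and `_5678$` leave only routes originated by AS 5678; if the live table is still far larger than the neighbor's PfxRcd count, the regex is not the place to look.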

jigsaw2026 Fri, 07/17/2009 - 05:22

Thank you Slidersv. I will give your suggestion a try.


I referred to http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml#t5 to get the regexp ^5678_[0-9]*$ - this is also what we're using happily on 2 other devices.


Also I will remove the route-map.


Can you explain how to turn on/off deterministic regexp? I've not come across this before.

hemscott_support Mon, 07/20/2009 - 02:15

Hariharan is correct: you need ip as-path access-list 20 permit ^5678$


And don't use the route-map.


You need to look at State/PfxRcd for how many routes you are getting.

Pavel Bykov Mon, 07/20/2009 - 03:46

Deterministic regexp:


(config)#router bgp XXX

(config-router)#bgp regexp deterministic

ANAND VALMIKI Tue, 07/21/2009 - 15:06

Just want to make sure that you 'soft in' the bgp session after making changes to your filters.
