BGP using as-path filtering

Unanswered Question
Jul 17th, 2009

Hi,

I'm recieving the full routing table from my ISP, and then I'm trying to control what routes we have in our routing table using an ip as-path access-list (ideally I only want routes orginated in the ISP's AS or directly attached). But it looks like we're receiving the full routing table, regardless of my prefix-list. Here's my config:

router bgp 1234

no synchronization

bgp log-neighbor-changes

network 1.1.1.0

neighbor 1.1.1.1 remote-as 1234

neighbor 1.1.1.1 next-hop-self

neighbor 1.1.1.1 timers 5 15

neighbor 1.1.1.1 soft-reconfiguration inbound

neighbor 1.1.1.1 password xxx

neighbor 2.2.2.2 remote-as 5678

neighbor 2.2.2.2 soft-reconfiguration inbound

neighbor 2.2.2.2 prefix-list transit out

neighbor 2.2.2.2 route-map allow-from-isp in

no auto-summary

ip as-path access-list 18 permit ^5678_[0-9]*$

!

ip prefix-list transit seq 5 deny 1.1.1.0/24 <-----------this is just for testing purposes before we go live

route-map allow-from-isp permit 10

match as-path 18

With this set up, I was getting the following:

BGP router identifier 2.2.2.2, local AS number 1234

BGP table version is 21988, main routing table version 21988

284942 network entries using 28779142 bytes of memory

284940 path entries using 13677120 bytes of memory

49179 BGP path attribute entries using 2951400 bytes of memory

44072 BGP AS-PATH entries using 1137420 bytes of memory

185 BGP community entries using 7282 bytes of memory

49 BGP route-map cache entries using 980 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 46553344 total bytes of memory

263363 received paths for inbound soft reconfiguration

BGP activity 285248/306 prefixes, 285333/393 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

1.1.1.1 4 1234 0 0 0 0 0 never Active

2.2.2.2 4 5678 50353 26 21988 0 0 00:22:45 21577

I also tried these regular expressions to see if that altered the number of entries, but it didn't:

ip as-path access-list 19 permit _5678$

ip as-path access-list 20 permit ^5678$

I then dropped the incoming filtering and accepted all routes, and it was again approx 284,000.

Any ideas on why this isn't working? We are using this exact set up with 2 other ISPs, so I'm not sure what is different in this case.

Any help would be much appreciated.

J

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.7 (3 ratings)
Loading.
Giuseppe Larosa Fri, 07/17/2009 - 01:07

Hello J,

you are receiving

2.2.2.2 4 5678 50353 26 21988 0 0 00:22:45 21577

21577 ip prefixes with the filters so they are doing something

have you verified with a sh ip bgp that there are AS paths that should have been filtered?

Hope to help

Giuseppe

jigsaw2026 Fri, 07/17/2009 - 03:02

Hi Guiseppe,

What should I be looking for with a sh ip bgp? That the path contains only 5678 plus 2 others?

Thanks,

J

Jon Marshall Fri, 07/17/2009 - 01:14

J

^5678_[0-9]*$ will not just accept routes with only 5678 AS in them. It will accept routes with 2 AS paths.

Your other regex should work tho ie. ^5678$. Not sure whether you need to soft reset the connection if you apply a different filter.

Jon

k.hariharan1 Fri, 07/17/2009 - 02:22

Reason for getting more number of routes

========================================

If you want your AS to get networks originated from AS 5678 and all directly attached ASs of AS 5678, then only you have to apply the following inbound filter on your Router.

ip as-path access-list 1 permit^5678_[0-9]*$

If you would like for your Router to receive only the routes originated from AS 5678 (and no Internet routes), you can apply an inbound access list on your Router as follows:

ip as-path access-list 1 permit ^5678$

and then give

clear ip bgp 2.2.2.2 soft in prefix-filter

hi guys,

correct me if am wrong

Regards,

Hariharan k

Jon Marshall Fri, 07/17/2009 - 02:30

Harihan

"If you want your AS to get networks originated from AS 5678 and all directly attached ASs of AS 5678, then only you have to apply the following inbound filter on your Router.

ip as-path access-list 1 permit^5678_[0-9]*$"

Correct, looks like you read the question better than me :-)

J, apologies as i misread your original post. I didn't realise you wanted AS 5678 + any directly attached ASs.

Jon

jigsaw2026 Fri, 07/17/2009 - 02:38

Many thanks for your responses everyone.

The thing is I did apply ip as-path access-list 1 permit^5678_[0-9]*$ as an inbound filter (see config above), and it didn't make any difference! That's my problem - but I seem to get 280,000 routes in my routing table no matter what regex I use....

Marwan ALshawi Fri, 07/17/2009 - 03:33

can you please post your bgp config including

the route-map, as-path and part of the show ip bgp

Pavel Bykov Fri, 07/17/2009 - 04:22

J, It looks like you have created an ACL that allows all routes that are transiting through your ISP, which are all of them.

Change your AS_PATH acl to this:

ip as-path access-list 18 permit ^5678(_[0-9]+)?$

Also, try turning on and off deterministic regexp. This also can make a difference in interpreting regexp.

As a side note, do not rush into route-maps without a need. If your requirement is only to filter paths, use "neighbor x.x.x.x filter-list YYY in"

Do not necessarily overcomplicate things

hemscott_support Mon, 07/20/2009 - 02:15

Hariharan is correct: you need ip as-path access-list 20 permit ^5678$

And don't use the route-map.

You need to look at State/PfxRcd for how many routes you are getting.

Pavel Bykov Mon, 07/20/2009 - 03:46

Deterministic regexp:

(config)#router bgp XXX

(config-router)#bgp regexp deterministic

ANAND VALMIKI Tue, 07/21/2009 - 15:06

Just want to make sure that you 'soft in' the bgp session after making changes to your filters.

Actions

This Discussion