BGP Filtering - AS Path ACL

Unanswered Question
Oct 20th, 2009

I know what an AS path ACL is for, but I am wondering two things:

What is the PLUS sign for?

ip as-path access-list 10 permit 55555+

ip as-path access-list 10 permit 55555+ 36561+

ip as-path access-list 10 permit 55555+ 26910+

ip as-path access-list 10 permit 55555+ 6432+

ip as-path access-list 10 permit 55555+ 36492+

ip as-path access-list 10 permit 55555+ 36384+

ip as-path access-list 10 permit 55555+ 36385+

Also, if one has a BGP peering with an entity that is advertising prefixes to you, and you already have a detailed inbound prefix list in place to filter prefixes learned from that peer, what is the value, if any, in adding an AS path ACL inbound?

Thanks

Giuseppe Larosa Tue, 10/20/2009 - 08:47

Hello Joe,

A + means one or more occurrences of the previous character or pattern.

However, to be used to handle AS path prepending, the pattern should be enclosed in ()

that is

ip as-path access-list 11 permit ^55555$

allows only one occurrence of ASN 55555

ip as-path access-list 11 permit ^(55555)+

can match all AS paths starting with ASN 55555 containing it one or more times consecutively

So if this is true, that AS path ACL should be written as

ip as-path access-list 10 permit (55555)+ _(36561)+

instead of

ip as-path access-list 10 permit 55555+ 36561+

where _ is a separator that matches the space between AS numbers

for example to match an exact line

ip as-path access-list 30 permit ^5610_148_284_13$

that matches AS path = '5610 148 284 13'

So it is not clear why it is written in this way, unless + can also be a concatenation operator between strings.

My personal opinion is that this ACL is wrongly written.

About your second question:

in some cases you may want to be able to accept a prefix only if the associated BGP AS path attribute has some characteristics.

Hope to help

Giuseppe

ex-engineer Tue, 10/20/2009 - 10:30

That's fine, Giuseppe:

Thanks.

But I need to be 100% sure that this AS path list is incorrect.

Can't seem to find it anywhere on Cisco's website....

Can anyone help?

Thanks

Giuseppe Larosa Tue, 10/20/2009 - 11:17

Hello Joe,

I tried to look on the Cisco web site.

Most examples are very basic.

I've found explanations of metacharacters here

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#pathfilter

A good tutorial is here

http://blog.internetworkexpert.com/2008/01/06/understanding-bgp-regular-expressions/

Looking in some old configs of a European service provider I see these examples:

ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+$

ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+(3409_)+$

ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+(4739_)+$

ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+(4802_)+$

So I would reinforce my opinion this ACL you have found is wrong.

Hope to help

Giuseppe

ex-engineer Tue, 10/20/2009 - 15:49

Giuseppe:

From what you've told me, I think the syntax is wrong. I wish I could get a confirmation of that, either from someone else on this board or through reading it.

Anyway, assume it is configured correctly, what the heck is the point of that AS path list??

What is it trying to achieve?

I don't get it.

Edison Ortiz Tue, 10/20/2009 - 17:09

AS_Path Filter list and regular network filtering both do the same task. It's up to the designer to decide which method to use. If both filters are doing the same task, I consider this configuration redundant.

Regards

Edison.

Edison Ortiz Tue, 10/20/2009 - 17:06

Giuseppe,

I will have to disagree. I ran some regexp from AT&T's route-server with the syntax described in the original post and it does work.

See attached files..

ex-engineer Tue, 10/20/2009 - 17:25

Edison, let's assume the syntax is correct, what is the purpose of that AS path ACL? What is it trying to accomplish? When would you use it?

By the way, I was mistaken about one thing earlier, the prefix list denies certain networks (mostly bogons) and the as path ACL is meant to permit the routes they want. So they are not redundant.

But I still don't know what that AS path list is supposed to be doing.

Thanks

Edison Ortiz Tue, 10/20/2009 - 18:08

Without seeing the BGP config, we can't tell you what they are doing but if you have a route-map that calls this as-path list and this route-map is attached to a BGP neighbor inbound - this BGP peering is allowing networks containing the ASes listed above.

This allows you to permit networks without listing every single subnet from the originating AS.

Here is an example:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml

Regards

Edison
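
Edison's description above (an as-path list called from a route-map applied inbound on the eBGP neighbor) and the earlier note that the prefix-list on the same neighbor denies bogons while the as-path ACL permits the wanted routes describe two separate gates on one session. The following Python script is an added example, not part of the thread and not Cisco code: it simulates IOS behaviour, where an update must pass both `neighbor ... prefix-list in` and `neighbor ... route-map in`, using constructed prefixes, updates, and AS numbers (55555 and 36561 taken from the original post). The translation of `_` follows the IOS definition of the underscore, and the ge/le handling follows IOS prefix-list semantics; both are assumptions of this example.

```python
"""IOS-style inbound BGP policy, simulated: a prefix-list that denies bogons
plus a route-map that matches an AS-path access-list.  Added example, not
from the thread and not Cisco code; prefixes, AS numbers and updates are
constructed."""
import ipaddress
import re


def cisco_regex(pattern):
    """IOS '_' matches a space, comma, brace, or the start/end of the AS path."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}])"))


def as_path_acl_permits(acl, as_path):
    """acl: list of (action, regex); first match wins, implicit deny at the end."""
    for action, pattern in acl:
        if cisco_regex(pattern).search(as_path):
            return action == "permit"
    return False


def prefix_list_permits(plist, prefix):
    """plist: list of (action, network, ge, le) with IOS ge/le semantics.

    Without ge/le the entry is an exact match; 'le N' widens it to lengths
    base..N, 'ge N' to N..32.  First match wins, implicit deny at the end."""
    net = ipaddress.ip_network(prefix)
    for action, entry, ge, le in plist:
        base = ipaddress.ip_network(entry)
        low = ge if ge is not None else base.prefixlen
        high = le if le is not None else (32 if ge is not None else base.prefixlen)
        if net.subnet_of(base) and low <= net.prefixlen <= high:
            return action == "permit"
    return False


# Constructed bogon-style prefix-list: drop RFC 1918 space and anything
# more specific than /24, then permit the rest.
BOGON_PREFIX_LIST = [
    ("deny", "10.0.0.0/8", None, 32),
    ("deny", "172.16.0.0/12", None, 32),
    ("deny", "192.168.0.0/16", None, 32),
    ("deny", "0.0.0.0/0", 25, 32),
    ("permit", "0.0.0.0/0", None, 32),
]

# Constructed AS-path ACL in the (ASN_)+ form: the path must enter through
# AS 55555 and then cross AS 36561; prepends of either AS are tolerated.
AS_PATH_ACL = [
    ("permit", "^(55555_)+(36561_)+"),
]


def inbound_policy(route):
    """IOS evaluates 'neighbor ... prefix-list in' and 'neighbor ... route-map in'
    independently; the update is installed only if both permit it."""
    prefix, as_path = route
    if not prefix_list_permits(BOGON_PREFIX_LIST, prefix):
        return False
    # Route-map with one 'match as-path' clause and the implicit deny after it.
    return as_path_acl_permits(AS_PATH_ACL, as_path)


# Constructed updates as (prefix, AS_PATH as 'show ip bgp' prints it).
RECEIVED_ROUTES = [
    ("203.0.113.0/24", "55555 36561"),              # accept
    ("203.0.113.0/24", "55555 55555 55555 36561"),  # accept: prepends tolerated
    ("198.51.100.0/24", "55555 36561 64500"),       # accept: originated behind 36561
    ("10.1.0.0/16", "55555 36561"),                 # drop: bogon, prefix-list
    ("198.51.100.0/25", "55555 36561"),             # drop: longer than /24, prefix-list
    ("192.0.2.0/24", "64500 55555 36561"),          # drop: does not enter via 55555
    ("192.0.2.0/24", "55555 64500"),                # drop: never crosses 36561
]


def accepted_routes(routes=RECEIVED_ROUTES):
    """Return the updates that survive both filters, in arrival order."""
    return [r for r in routes if inbound_policy(r)]


if __name__ == "__main__":
    for route in RECEIVED_ROUTES:
        print("accept" if inbound_policy(route) else "drop  ", *route)
```

The two filters look at different attributes of the same update: the prefix-list only sees the NLRI and its length, the as-path list only sees which ASes the update traversed. That is why one can deny bogons and the other permit by entry and transit AS without either making the other redundant.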

ex-engineer Tue, 10/20/2009 - 18:17

Edison, sorry, should have elaborated.

This as-path ACL is attached to a route map that is applied inbound on an eBGP peer.

What I don't understand is what the purpose of the + sign is....

why not "ip as-path permit 10 _15555_44456_etc_etc_" ?

Never seen this plus sign business before...

And what exactly is it saying? Permit all prefixes that are reachable by traversing these 2 AS numbers? I'm not sure what the value in this is...

Edison Ortiz Tue, 10/20/2009 - 19:04

It allows subnets that contain those ASes in the AS List and it takes into account any AS Prepend.

If you use the _, it has to be listed exactly as in the line above: 10 followed by 1555 followed by 44456, etc.

Regards

Edison.

Giuseppe Larosa Tue, 10/20/2009 - 20:21

Hello Edison,

I see, so we can say that

ASN1+ ASN2+

can be an alternate way to write

(ASN1_)+ (ASN2_)+

Thanks for your correction

I couldn't find an example but your idea to use it on a public route server combined with sh ip bgp and to see what happens is brilliant.

Hope to help

Giuseppe

Edison Ortiz Wed, 10/21/2009 - 05:59

Giuseppe,

Like you - I always used the format you explained previously. I'm very weak on regular expression so every time I get questioned by the customer, I test the regexp on the route-server.

It seems the AS+ is a valid format...

Thanks for the compliment.

Regards

Edison.

dodgerfan78 Fri, 10/23/2009 - 09:23

Wait a minute...the show commands given in previous posts do NOT prove AS+ works. They simply match on one AS. If you use regexp 24031+ and you get paths of

24031 24031

24031

This does NOT mean AS+ matches one or more occurrences of AS! There is already a match because 24031+ matches:

24031 <---- THIS IS THE MATCH YOU ARE GETTING

240311

2403111

24031111

You are not getting:

24031 24031 <--- THIS IS NOT YOUR MATCH

24031 24031 24031

Don't let the output be misleading.

Giuseppe Larosa Fri, 10/23/2009 - 10:10

Hello Bryan,

I thought like you.

However, if you open the file attachment called route-server1.txt in Edison's post you will find out matches with prepended ASes like it was (ASN_)+

Hope to help

Giuseppe

dodgerfan78 Fri, 10/23/2009 - 10:20

Hi Giuseppe.

I looked at the files. It is displaying the paths with multiple ASes because it still matches one AS. Just because the output gives paths that appear more than once, does not mean your regex is doing what you think it is. The regex 10310+ 24031+ is simply displaying any paths that have the following:

10310 24031 <---THIS IS THE MATCH

103100 24031

1031000 24031 (of course impossible)

10310 24031

10310 240311

10310 2403111

103100 2403111

(and so forth)

The command does not prove that the format AS+ gives you one or more occurrences of that AS. It does give you ONE occurrence though and that is what is being displayed.

NOW...if you look this

sh ip bgp regexp 10310+ 14778+

This gives the output

* 66.163.184.0/21 12.123.139.124 0 7018 10310 10310 10310 10310 14778 14778 i

But ask yourself...what is matching here?

The answer is the last occurrence of 10310 and the first occurrence of 14778...THAT IS THE MATCH...The match is NOT the multiple occurrences of each AS.

Giuseppe Larosa Fri, 10/23/2009 - 10:48

Hello Bryan,

I've gone to the same route-server used by Edison.

(at&t route server via www.traceroute.org)

I have to say you are right.

I see the same output for

sh ip bgp regexp 10310 14778

and for

sh ip bgp regexp 10310+ 14778+

The regular expression, as you say, detects the change of ASN from 10310 to 14778.

To be noted, the following don't match:

route-server>sh ip bgp regexp 10310_14478

route-server>sh ip bgp regexp _10310_14478_

route-server>

thanks for your helpful check.

Hope to help

Giuseppe

ex-engineer Sat, 10/24/2009 - 09:05

OK, I still don't get it...sorry

What is the difference between:

permit _22222_33333_

permit 22222+ 33333+

permit (22222)+ (33333)+

dodgerfan78 Sat, 10/24/2009 - 13:46

1. _22222_33333_

This matches paths where 22222 and 33333 occur in order.

2. 22222+ 33333+

This effectively does the same as #1 because an AS path will not be longer than 5 characters.

If it could, it would match:

22222 33333

222222 33333

22222222 33333

222222222 333333

222222222 3333333

and so forth

3. (22222)+ (33333)+

This matches 1 or more instances of 22222 followed by 1 or more instances of 33333.

Example:

22222 33333

22222 22222 33333 33333

22222 22222 22222 33333

22222 33333 33333 33333

If you have the following path:

55555 22222 22222 33333 33333 66666

All 3 of those examples will match on the inner sequence of 22222 33333.
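
To see what each metacharacter actually does, the following Python script is an added example (not from the thread and not IOS itself) that reproduces IOS as-path regex matching with Python's re module. The only translation needed is the underscore, which IOS defines as matching a space, comma, brace, or the start or end of the path; mapping that onto a Python alternation is an assumption of this example. The AS numbers and paths are constructed. It runs the 24031 patterns discussed in the earlier posts, the three forms compared in this answer, both unanchored as written and anchored with ^ and $, and the exact-path and (ASN_)+ forms quoted from Giuseppe's replies; the anchored rows are where "one or more digits" and "one or more AS numbers" separate.

```python
"""IOS AS-path regex semantics reproduced with Python's re module.  Added
example, not from the thread; AS numbers and paths are constructed."""
import re


def cisco_regex(pattern):
    """Translate an IOS as-path regex into a Python one.  Only '_' needs help:
    IOS defines it as a space, comma, brace, or the start/end of the path."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}])"))


def matches(pattern, as_path):
    """IOS matches anywhere in the path unless the regex is anchored with ^ and $."""
    return cisco_regex(pattern).search(as_path) is not None


def match_table(patterns, paths):
    """Map each pattern to the list of paths it matches, in the given order."""
    return {p: [a for a in paths if matches(p, a)] for p in patterns}


# The 24031 case: '+' binds to the last digit, '(ASN)+' to the digit string,
# and only '(ASN_)+' to a whole AS number repeated by prepending.
PATHS_24031 = ["24031", "2403111", "24031 24031", "24031 24031 24031"]
PATTERNS_24031 = ["24031+", "^24031+$", "^(24031)+$", "^(24031_)+$"]

# The three forms from the question, unanchored as written and then anchored.
PATHS_PAIR = [
    "22222 33333",
    "222222 33333",
    "22222 22222 33333 33333",
    "55555 22222 22222 33333 33333 66666",
]
PATTERNS_PAIR = [
    "_22222_33333_",
    "22222+ 33333+",
    "(22222)+ (33333)+",
    "^(22222)+ (33333)+$",
    "^(22222_)+(33333_)+$",
]

# Exact-path and prepend-tolerant forms quoted in the replies.
EXACT = "^5610_148_284_13$"
PROVIDER = "^(2516_)+(1221_)+(2764_)+$"


def provider_examples():
    """Return (exact hit, exact miss, prepended hit, wrong-AS miss) as booleans."""
    return (
        matches(EXACT, "5610 148 284 13"),
        matches(EXACT, "5610 148 284 130"),
        matches(PROVIDER, "2516 2516 1221 2764 2764"),
        matches(PROVIDER, "2516 1221 3409 2764"),
    )


if __name__ == "__main__":
    for table in (match_table(PATTERNS_24031, PATHS_24031),
                  match_table(PATTERNS_PAIR, PATHS_PAIR)):
        for pattern, hits in table.items():
            print(f"{pattern:22} -> {hits}")
    print(provider_examples())
```

Running it shows `24031+` and `22222+ 33333+` listing every sample path, because a single occurrence of the AS is present in each, which is the point made in this answer. Anchoring is what exposes the difference: `^(22222)+ (33333)+$` only matches the plain `22222 33333` path, while `^(22222_)+(33333_)+$` also matches the prepended `22222 22222 33333 33333`, so the separator inside the group is what makes + operate on whole AS numbers.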

ex-engineer Sat, 10/24/2009 - 15:20

Mr Dodgers: :-)

Awesome explanations! Thank you...

One last question....what is the + for? Just the "+" in and of itself...

Thanks
