10-20-2009 08:04 AM - edited 03-06-2019 08:12 AM
I know what an AS path ACL is for, but I am wondering two things:
What is the PLUS sign for?
ip as-path access-list 10 permit 55555+
ip as-path access-list 10 permit 55555+ 36561+
ip as-path access-list 10 permit 55555+ 26910+
ip as-path access-list 10 permit 55555+ 6432+
ip as-path access-list 10 permit 55555+ 36492+
ip as-path access-list 10 permit 55555+ 36384+
ip as-path access-list 10 permit 55555+ 36385+
Also, if one has a BGP peering with an entity that is advertising prefixes to you, and you already have a detailed inbound prefix list in place to filter prefixes learned from that peer, what is the value, if any, in adding an AS path ACL inbound?
Thanks
10-20-2009 08:47 AM
Hello Joe,
A + means one or more occurrences of the previous character or pattern.
However, to be used to handle AS path prepending the pattern should be enclosed in ()
that is
ip as-path access-list 11 permit ^55555$
allows only one occurrence of ASN 55555
ip as-path access-list 11 permit ^(55555)+
can match all AS paths starting with ASN 55555 containing it one or more times consecutively
so if this is true that AS path should be written as
ip as-path access-list 10 permit (55555)+ _(36561)+
instead of
ip as-path access-list 10 permit 55555+ 36561+
where _ is a separator that matches the space between AS numbers
for example to match an exact line
ip as-path access-list 30 permit ^5610_148_284_13$
that matches AS path = '5610 148 284 13'
so it is not clear why it is written this way unless + can also be a concatenation operator between strings.
my personal opinion is that this ACL is wrongly written.
About your second question:
in some cases you may want to be able to accept a prefix only if the associated BGP AS path attribute has some characteristics.
Hope to help
Giuseppe
10-20-2009 10:30 AM
That's fine, Giuseppe:
Thanks.
But I need to be 100% sure that this AS path list is incorrect.
Can't seem to find it anywhere on Cisco's website....
Can anyone help?
Thanks
10-20-2009 11:17 AM
Hello Joe,
I tried to look on the Cisco web site.
Most examples are very basic
I've found explanations of metacharacters here
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#pathfilter
A good tutorial is here
http://blog.internetworkexpert.com/2008/01/06/understanding-bgp-regular-expressions/
Looking in some old configs of a European service provider I see these examples:
ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+$
ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+(3409_)+$
ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+(4739_)+$
ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+(4802_)+$
So I would reinforce my opinion this ACL you have found is wrong.
Hope to help
Giuseppe
10-20-2009 03:49 PM
Giuseppe:
From what you've told me, I think the syntax is wrong. I wish I could get a confirmation of that, either from someone else on this board or through reading it.
Anyway, assume it is configured correctly, what the heck is the point of that AS path list??
What is it trying to achieve?
I don't get it.
10-20-2009 05:09 PM
AS_Path Filter list and regular network filtering both do the same task. It's up to the designer to decide which method to use. If both filters are doing the same task, I consider this configuration redundant.
Regards
Edison.
10-20-2009 05:06 PM
10-20-2009 05:25 PM
Edison, let's assume the syntax is correct, what is the purpose of that AS path ACL? What is it trying to accomplish? When would you use it?
By the way, I was mistaken about one thing earlier, the prefix list denies certain networks (mostly bogons) and the as path acl is meant to permit the routes they want. So they are not redundant.
But I still don't know what that AS path list is supposed to be doing.
Thanks
10-20-2009 06:08 PM
Without seeing the BGP config, we can't tell you what they are doing, but if you have a route-map that calls this as-path list and this route-map is attached to a BGP neighbor inbound, this BGP peering is allowing networks containing the ASes listed above.
This allows you to permit networks without listing every single subnet from the originating AS.
Here is an example:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml
Regards
Edison
10-20-2009 06:17 PM
Edison, sorry, should have elaborated.
This as-path ACL is attached to a route map that is applied inbound on an eBGP peer.
What I don't understand is what the purpose of the + sign is....
why not "ip as-path permit 10 _15555_44456_etc_etc_" ?
Never seen this plus sign business before...
And what exactly is it saying? Permit all prefixes that are reachable by traversing these 2 AS numbers? I'm not sure what the value in this is...
10-20-2009 07:04 PM
It allows subnets that contain those ASes in the AS List and it takes into account any AS Prepend.
If you use the _, it has to be listed exactly as in the line above: 10 followed by 1555 followed by 44456, etc.
Regards
Edison.
10-20-2009 08:21 PM
Hello Edison,
I see, so we can say that
ASN1+ ASN2+
can be an alternate way to write
(ASN1_)+ (ASN2_)+
Thanks for your correction
I couldn't find an example but your idea to use it on a public route server combined with sh ip bgp and to see what happens is brilliant.
Hope to help
Giuseppe
10-21-2009 05:59 AM
Giuseppe,
Like you - I always used the format you explained previously. I'm very weak on regular expression so every time I get questioned by the customer, I test the regexp on the route-server.
It seems the AS+ is a valid format...
Thanks for the compliment.
Regards
Edison.
10-23-2009 09:23 AM
Wait a minute...the show commands given in previous posts do NOT prove AS+ works. They simply match on one AS. If you use regexp 24031+ and you get paths of
24031 24031
24031
This does NOT mean AS+ matches one or more occurrences of AS! There is already a match because 24031+ matches:
24031 <---- THIS IS THE MATCH YOU ARE GETTING
240311
2403111
24031111
You are not getting:
24031 24031 <--- THIS IS NOT YOUR MATCH
24031 24031 24031
Don't let the output be misleading.
10-23-2009 10:10 AM
Hello Bryan,
I thought like you.
However, if you open the file attachment called route-server1.txt in Edison's post you will find out matches with prepended ASes like it was (ASN_)+
Hope to help
Giuseppe
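To settle the regex question this thread leaves open, here is a small Python emulation of IOS AS-path regex matching. It is an added example, not code from the thread or from Cisco. It assumes the IOS rule that "_" matches a space, comma, brace, parenthesis or the start/end of the path, and that everything else is ordinary regex syntax with unanchored substring matching; the AS paths are constructed, not taken from a route server. It runs the "ASN+" style from the original ACL 10 and Giuseppe's grouped "(ASN_)+" style over the same paths, and includes Bryan's point that the + in 55555+ binds to the last digit rather than to the whole AS number.

```python
import re

# IOS AS-path regex: "_" matches a space, comma, brace, parenthesis, or the
# start/end of the AS_PATH. Other characters behave as in an ordinary regex,
# and a pattern matches anywhere in the path unless anchored with ^ and $.
# (Assumption this emulation is built on; the thread only states the "_" part.)
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_to_python(pattern):
    """Translate an IOS as-path regex into an equivalent Python regex."""
    return pattern.replace("_", UNDERSCORE)


def as_path_matches(pattern, as_path):
    """True if the IOS-style regex would match this AS_PATH string."""
    return re.search(ios_to_python(pattern), as_path) is not None


def permitted_paths(acl, paths):
    """Emulate 'ip as-path access-list N permit <regex>' lines: a path is
    permitted if any line matches; anything else hits the implicit deny."""
    return [p for p in paths if any(as_path_matches(rx, p) for rx in acl)]


# The two styles from the thread, reduced to the first two lines of ACL 10.
ACL_AS_POSTED = ["55555+", "55555+ 36561+"]           # literal space between ASNs
ACL_GROUPED = ["^(55555_)+$", "^(55555_)+(36561_)+$"]

# Constructed AS_PATH strings, written the way 'show ip bgp' prints them.
SAMPLE_PATHS = [
    "55555",
    "55555 55555 55555",          # origin AS prepended
    "55555 36561",
    "55555 55555 36561 36561",    # both ASNs prepended
    "155555 36561",               # a different AS whose digits contain 55555
    "555555",                     # a different AS: 5555 followed by 5+
    "36561 55555",                # same ASNs, wrong order
    "36561",
]


def explain(pattern, as_path):
    """One-line verdict, handy when checking a single pattern by hand."""
    verdict = "match" if as_path_matches(pattern, as_path) else "no match"
    return f"{pattern!r:32} {as_path!r:28} {verdict}"


if __name__ == "__main__":
    for acl in (ACL_AS_POSTED, ACL_GROUPED):
        print("ACL:", acl)
        allowed = permitted_paths(acl, SAMPLE_PATHS)
        for path in SAMPLE_PATHS:
            print("  ", "permit" if path in allowed else "deny  ", path)
    # Why '55555+' permits '555556': the + binds to the last digit, not the ASN.
    print(explain("55555+", "555556"))
    print(explain("^(55555_)+$", "555556"))
    # The exact-match example from the thread, with _ as the separator.
    print(explain("^5610_148_284_13$", "5610 148 284 13"))
    print(explain("^5610_148_284_13$", "5610 1480 284 13"))
```

With the ACL as posted, every sample path except "36561" is permitted, including "155555 36561" and "555555", and the first line "55555+" already covers everything the later lines could add. With the grouped, anchored form only the first four paths are permitted, and prepending is still handled. This also shows why a route-server check such as the one in the thread can mislead: a hit on "24031 24031" is consistent with both readings, because the substring "24031" is present either way. To tell them apart you need a path the two forms disagree on, for instance one that starts with a different AS whose digits happen to contain the ASN.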