BGP Filtering - AS Path ACL

visitor68 (Level 4)

I know what an AS path ACL is for, but I am wondering two things:

What the PLUS sign is for?

ip as-path access-list 10 permit 55555+

ip as-path access-list 10 permit 55555+ 36561+

ip as-path access-list 10 permit 55555+ 26910+

ip as-path access-list 10 permit 55555+ 6432+

ip as-path access-list 10 permit 55555+ 36492+

ip as-path access-list 10 permit 55555+ 36384+

ip as-path access-list 10 permit 55555+ 36385+

Also, if one has a BGP peering with an entity that is advertising prefixes to you, and you already have a detailed inbound prefix list in place to filter prefixes learned from that peer, what is the value, if any, in adding an AS path ACL inbound?

Thanks

22 Replies

Giuseppe Larosa (Hall of Fame)

Hello Joe,

a + means one or more occurrences of previous character or pattern.

However, to be used to handle AS path prepending the pattern should be enclosed in ()

that is

ip as-path access-list 11 permit ^55555$

allows only one occurrence of ASN 55555

ip as-path access-list 11 permit ^(55555)+

can match all AS paths starting with ASN 55555 containing it one or more times consecutively

so if this is true that AS path should be written as

ip as-path access-list 10 permit (55555)+ _(36561)+

instead of

ip as-path access-list 10 permit 55555+ 36561+

where _ is a separator that matches the space between AS numbers

for example to match an exact line

ip as-path access-list 30 permit ^5610_148_284_13$

that matches AS path = '5610 148 284 13'

so it is not clear why it is written in this way unless + can also be a concatenation operator between strings.

my personal opinion is that this ACL is wrongly written.

About your second question:

in some cases you may want to be able to accept a prefix only if the associated BGP AS path attribute has some characteristics.

Hope to help

Giuseppe

That's fine, Giuseppe:

Thanks.

But I need to be 100% sure that this AS path list is incorrect.

Can't seem to find it anywhere on Cisco's website...

Can anyone help?

Thanks

Hello Joe,

I tried to look in cisco web site.

Most examples are very basic

I've found explanations of metacharacters here

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#pathfilter

A good tutorial is here

http://blog.internetworkexpert.com/2008/01/06/understanding-bgp-regular-expressions/

Looking in some old configs of a European service provider I see these examples:

ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+$

ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+(3409_)+$

ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+(4739_)+$

ip as-path access-list 102 permit ^(2516_)+(1221_)+(2764_)+(4802_)+$

So I would reinforce my opinion this ACL you have found is wrong.

Hope to help

Giuseppe

Giuseppe:

From what you've told me, I think the syntax is wrong. I wish I could get a confirmation of that, either from someone else on this board or through reading it.

Anyway, assume it is configured correctly, what the heck is the point of that AS path list??

What is it trying to achieve?

I don't get it.

AS_Path Filter list and regular network filtering both do the same task. It's up to the designer to decide which method to use. If both filters are doing the same task, I consider this configuration redundant.

Regards

Edison.

Giuseppe,

I will have to disagree. I ran some regexp from AT&T's route-server with the syntax described in the original post and it does work.

See attached files..

Edison, let's assume the syntax is correct, what is the purpose of that AS path ACL? What is it trying to accomplish? When would you use it?

By the way, I was mistaken about one thing earlier, the prefix list denies certain networks (mostly bogons) and the as path acl is meant to permit the routes they want. So they are not redundant.

But I still don't know what that AS path list is supposed to be doing.

Thanks

Without seeing the BGP config, we can't tell you what they are doing but if you have a route-map that calls this as-path list and this route-map is attached to a BGP neighbor inbound - this BGP peering is allowing networks containing the ASes listed above.

This allows you to permit networks without listing every single subnet from the originating AS.

Here is an example:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml

Regards

Edison

Edison, sorry, should have elaborated.

This as-path ACL is attached to a route map that is applied inbound on an eBGP peer.

What I don't understand is what the purpose of the + sign is...

why not "ip as-path permit 10 _15555_44456_etc_etc_" ?

Never seen this plus sign business before...

And what exactly is it saying? Permit all prefixes that are reachable by traversing these 2 AS numbers? I'm not sure what the value in this is...

It allows subnets that contain those ASes in the AS List and it takes into account any AS Prepend.

If you use the _ it has to list exactly as the line above: 10 followed by 1555 followed by 44456 etc.

Regards

Edison.

Hello Edison,

I see so we can say that

ASN1+ ASN2+

can be an alternate way to write

(ASN1_)+ (ASN2_)+

Thanks for your correction

I couldn't find an example but your idea to use it on a public route server combined with sh ip bgp and to see what happens is brilliant.

Hope to help

Giuseppe

Giuseppe,

Like you - I always used the format you explained previously. I'm very weak on regular expression so every time I get questioned by the customer, I test the regexp on the route-server.

It seems the AS+ is a valid format...

Thanks for the compliment.

Regards

Edison.

Wait a minute...the show commands given in previous posts do NOT prove AS+ works. They simply match on one AS. If you use regexp 24031+ and you get paths of

24031 24031

24031

This does NOT mean AS+ matches one or more occurrences of AS! There is already a match because 24031+ matches:

24031 <---- THIS IS THE MATCH YOU ARE GETTING

240311

2403111

24031111

You are not getting:

24031 24031 <--- THIS IS NOT YOUR MATCH

24031 24031 24031

Don't let the output be misleading.
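To make the regex semantics discussed in this thread checkable offline (Giuseppe's `_`, `^`/`$` and `(ASN_)+` forms, and Bryan's point that `24031+` matches on a single AS), here is an added Python example that is not code from the thread, from Cisco or from any router. It assumes the IOS meaning of `_` from the Cisco tech note linked above (start or end of the path, space, comma, brace or parenthesis) and translates it into a standard regex; the AS paths, the ASN 555555 and the filter names are constructed for the example.

```python
import re

# Cisco IOS AS-path regular expressions are ordinary regexes with one extra
# metacharacter: '_' matches any boundary between AS numbers (the start or end
# of the path, a space, a comma, or a brace/parenthesis from AS sets/confeds).
# Assumption for this example: that documented meaning is translated into a
# plain regex group; nothing here is IOS code.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_aspath_to_python(pattern: str) -> str:
    """Translate an IOS AS-path regex into a Python regex string."""
    # Only '_' needs rewriting; ^ $ ( ) + * . keep their usual meaning.
    return pattern.replace("_", _UNDERSCORE)


def aspath_matches(pattern: str, as_path: str) -> bool:
    """Apply an IOS-style AS-path regex the way 'show ip bgp regexp' does:
    the search is unanchored unless the pattern itself uses ^ or $."""
    return re.search(cisco_aspath_to_python(pattern), as_path) is not None


def evaluate(pattern: str, as_paths) -> dict:
    """Return {as_path: matched?} for each sample path."""
    return {path: aspath_matches(pattern, path) for path in as_paths}


# Constructed sample AS paths (not from the thread's attachments). The first
# three are paths through AS 55555 to origin AS 36561, with and without
# prepending; the fourth belongs to a different ASN (555555, constructed) whose
# digits merely start with 55555; the fifth has an extra transit AS in between.
SAMPLE_PATHS = [
    "55555 36561",
    "55555 55555 36561",
    "55555 36561 36561 36561",
    "555555 36561",
    "55555 12345 36561",
]

# The filter from the original post next to the (ASN_)+ form with anchors.
LOOSE_FILTER = "55555+ 36561+"
STRICT_FILTER = "^(55555_)+(36561_)+$"


def main():
    for name, pattern in (("loose", LOOSE_FILTER), ("strict", STRICT_FILTER)):
        print(f"{name:6} {pattern!r:28} -> python {cisco_aspath_to_python(pattern)!r}")
        for path, hit in evaluate(pattern, SAMPLE_PATHS).items():
            print(f"       {path:26} {'permit' if hit else 'deny'}")

    # Bryan's point: '24031+' means '2403' followed by one or more '1', so it
    # also accepts the unrelated ASN 240311, while '^(24031_)+$' does not.
    for path in ("24031", "24031 24031", "240311"):
        print(f"24031+ vs {path!r:14}: {aspath_matches('24031+', path)}   "
              f"^(24031_)+$ vs same: {aspath_matches('^(24031_)+$', path)}")


if __name__ == "__main__":
    main()
```

Running `main()` shows that the loose filter permits every sample path except the one with an extra transit AS, including the path from ASN 555555, because `55555+` only repeats the final digit and the unanchored search finds the substring `55555 36561` even behind prepends; the anchored `(ASN_)+` form permits only paths made of 55555 prepends followed by 36561 prepends and rejects both 555555 and the extra-hop path. Note that `^(55555)+` without the `_` has the same digit-repetition weakness as `55555+`: it also matches a ten-digit ASN starting with those digits, which is why the `(2516_)+` style from the later reply is the safer way to write a permit filter for an inbound peer.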

Hello Bryan,

I thought like you.

However, if you open the file attachment called route-server1.txt in Edison's post you will find matches with prepended ASes, as if it were (ASN_)+

Hope to help

Giuseppe
