Hi there guys, I am hoping somebody can provide me with a little sanity check. Unfortunately we do not have a lab capable of BGP for me to test this with.
I need to ensure customer eBGP peers only send us the allowed standard communites we expect to see.
I have created the following extended community:
ip community-list 100 permit 65535:40119
ip community-list 100 permit 65535:51119
ip community-list 100 permit 65535:51129
ip community-list 100 deny .*
I want to accept the first three communities and drop the rest. Based on these communities we then apply traffic engineering further upstream. At present we do not apply any sanity check to the customer prefixes and have notices customers sending us other communites we dont want :-(
Can you tell me if this community-list will have the desired effect?
the ACL will allow any BGP route having one BGP community equal to one of the permitted ones.
to be noted a BGP route can be associated to multiple BGP community values at the same time and a standard extended BGP community match if one BGP community is equal to one of the permitted.
All BGP routes with no single BGP community matching one of the permitted ones will be denied
So we can say the desired result can be achieved with the limitations reported above.
to be noted that the explicit final deny is not needed, there is an implicit deny any at the end of the ACL as for IP ACLs.
Hope to help