I have an ISP customer with AS number xxxx. Now he has come up with a further customer, AS xxxx. Presently we are doing prefix-based filtering at my end.
Now I want to use a regular expression with "^xxxx_", so that any prefix will be allowed with ASxxxx and behind that AS. Now with this regular expression the threat is: what happens if my customer leaks internet routes?
Is there any other solution with which I can allow my customer (xxxx) prefixes other than a prefix-list?
The usage of AS path filters and prefix-lists targets different filtering scenarios. AS path lists only filter based on AS path and have no prefix-specific component; prefix-lists do not have any AS-specific component.
So it looks to me that in your case you should apply both as input filters. This can be done either separately with two statements, "neighbor a.b.c.d filter-list 1 in" with an "ip as-path access-list 1" and "neighbor a.b.c.d prefix-list XYZ in", or you can combine both in a route-map:
neighbor a.b.c.d route-map customer in
route-map customer permit 10
match as-path 1
match ip address prefix-list XYZ
The two match statements in the route-map are ANDed and will only allow certain prefixes from the customer AS.
However, using both as-path ACLs and prefix-lists is the safest choice. The prefix-list might be a burden, but it allows for tighter control of what the customer advertises, especially if they accidentally leak unacceptable more-specific routes (e.g. any subnet smaller than a /24, such as a /30 or even a /32). To avoid such situations, a prefix-list is your only choice, but you can make it less of a burden if you just deny all the smaller subnets, without specifying exact networks (e.g. deny 0.0.0.0/0 ge 25). Still, the recommended procedure is to control what customers advertise. It is not very flattering to be listed in the CIDR report with possible bogons.
Although as-path ACLs do not seem as tight as prefix-lists, they can actually be tight in a different way. You can configure the exact AS_PATH the route should comply with. You can configure the as-path ACL to permit only routes that were locally originated in your direct customer or in a customer of your direct customer. This way, internet routes will be denied, because they fail the AS_PATH check (routes are known via the customer AS as opposed to being locally originated in the customer AS). For a way to accomplish this, have a look at the following post:
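To make the difference between the loose "^xxxx_" expression from the question, a customer-originated-only expression, and the "deny 0.0.0.0/0 ge 25" prefix-list concrete, here is an added Python emulation of how IOS evaluates an as-path ACL and a prefix-list against received routes (this is example code written for this page, not IOS and not from any poster; the ASNs 65001/65002, the prefix-list XYZ contents and the sample routes are constructed placeholders for the page's xxxx values).

```python
import ipaddress
import re

# Constructed placeholders for the page's "xxxx": private ASNs, documentation prefixes.
CUSTOMER_AS = 65001    # assumption: the direct customer
DOWNSTREAM_AS = 65002  # assumption: the customer's own customer

LOOSE_AS_PATH = f"^{CUSTOMER_AS}_"                     # the regex from the question
TIGHT_AS_PATH = f"^{CUSTOMER_AS}(_{DOWNSTREAM_AS})*$"  # only routes originated downstream

# ip prefix-list XYZ as (action, prefix, ge, le); first match wins, implicit deny at the end.
PREFIX_LIST_XYZ = [
    ("deny", "0.0.0.0/0", 25, None),           # the page's advice: drop anything longer than /24
    ("permit", "203.0.113.0/24", None, None),   # assumption: the customer's assigned block
    ("permit", "198.51.100.0/24", None, None),  # assumption: the downstream's assigned block
]

def as_path_matches(ios_regex, as_path):
    """Approximate IOS as-path ACL matching: the AS_PATH is compared as a
    space-separated string and the IOS '_' token stands for start, end, space or comma."""
    path = " ".join(str(asn) for asn in as_path)
    py_regex = ios_regex.replace("_", r"(?:^|$|[ ,])")
    return re.search(py_regex, path) is not None

def prefix_list_matches(entries, prefix):
    """Approximate IOS prefix-list evaluation: the first entry whose network covers the
    prefix and whose ge/le bounds contain its length decides; no match means deny.
    Without ge/le the length must equal the entry's own length; ge alone implies le 32."""
    net = ipaddress.ip_network(prefix)
    for action, base, ge, le in entries:
        base_net = ipaddress.ip_network(base)
        low = base_net.prefixlen if ge is None else ge
        high = le if le is not None else (net.max_prefixlen if ge is not None else base_net.prefixlen)
        if net.subnet_of(base_net) and low <= net.prefixlen <= high:
            return action == "permit"
    return False

def route_accepted(prefix, as_path, ios_regex, entries):
    """The route-map from the answer above: both match clauses are ANDed."""
    return as_path_matches(ios_regex, as_path) and prefix_list_matches(entries, prefix)

if __name__ == "__main__":
    routes = [  # constructed routes received on the customer session
        ("203.0.113.0/24", [65001]),              # originated by the customer
        ("198.51.100.0/24", [65001, 65002]),      # originated by the customer's customer
        ("192.0.2.0/24", [65001, 64500, 64510]),  # a leaked transit route
        ("203.0.113.128/25", [65001]),            # an accidental more-specific
    ]
    for prefix, path in routes:
        print(prefix, path, "loose:", as_path_matches(LOOSE_AS_PATH, path),
              "tight:", as_path_matches(TIGHT_AS_PATH, path),
              "route-map:", route_accepted(prefix, path, TIGHT_AS_PATH, PREFIX_LIST_XYZ))
```

Running it shows the leaked transit route passing the loose regex but failing both the tight regex and the prefix-list, and the /25 being caught only by the prefix-list.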
"minimise provide effort + tighter security" seems like a trade-off. A prefix-list together with a proper as-path ACL is as tight as it gets. I think IOS cannot help us more with this than it already does. I suppose you are actually looking for a way to automate your procedures (and effort will be minimized as a result). I have not used many automated tools to suggest one, but others here might.
You enter the prefixes in various possible formats, and the tool checks if a prefix is e.g. a private address. It can then generate prefix-lists in various vendor formats.
There is another level of automation, besides a tool generating configuration. You can have it afterwards log in to the router and apply the configuration. We were doing this with plain ACLs, but I do not have the script code anymore.
If you decide on using some level of automation, other people here might be able to direct you to tools they have actually used. Depending on your automation requirements, you might or might not have to invest some time in tool development.