02-19-2010 06:33 AM - edited 03-01-2019 02:17 PM
Hi there guys, I am hoping somebody can provide me with a little sanity check. Unfortunately we do not have a lab capable of BGP for me to test this with.
I need to ensure customer eBGP peers only send us the allowed standard communites we expect to see.
I have created the following extended community:
ip community-list 100 permit 65535:40119
ip community-list 100 permit 65535:51119
ip community-list 100 permit 65535:51129
ip community-list 100 deny .*
I want to accept the first three communities and drop the rest. Based on these communities we then apply traffic engineering further upstream. At present we do not apply any sanity check to the customer prefixes and have notices customers sending us other communites we dont want :-(
Can you tell me if this community-list will have the desired effect?
Many thanks
James
Solved! Go to Solution.
02-22-2010 05:32 AM
Hello James,
the ACL will allow any BGP route having one BGP community equal to one of the permitted ones.
to be noted a BGP route can be associated to multiple BGP community values at the same time and a standard extended BGP community match if one BGP community is equal to one of the permitted.
All BGP routes with no single BGP community matching one of the permitted ones will be denied
So we can say the desired result can be achieved with the limitations reported above.
to be noted that the explicit final deny is not needed, there is an implicit deny any at the end of the ACL as for IP ACLs.
Hope to help
Giuseppe
02-22-2010 05:32 AM
Hello James,
the ACL will allow any BGP route having one BGP community equal to one of the permitted ones.
to be noted a BGP route can be associated to multiple BGP community values at the same time and a standard extended BGP community match if one BGP community is equal to one of the permitted.
All BGP routes with no single BGP community matching one of the permitted ones will be denied
So we can say the desired result can be achieved with the limitations reported above.
to be noted that the explicit final deny is not needed, there is an implicit deny any at the end of the ACL as for IP ACLs.
Hope to help
Giuseppe
02-22-2010 06:24 AM
Hi Giuseppe
Thanks for the responce. If I have understood you correctly the original filter list would pass on routes containing one of the permit routes but might have additional communites?
ip community-list 100 permit ^65535:40119$
ip community-list 100 permit ^65535:51119$
ip community-list 100 permit ^65535:51129$
On that basis I assume the above prefix list would ensure customers send only a single community and deny everything else?
Rgds
James
02-22-2010 11:04 AM
Hello James,
I agree this formulation using a regular expression that is possible with an extended BGP community list provides a definition of single BGP community using anchors ^ and $.
The regular expression treats the set of BGP communities as a string and put each BGP community value on it.
if you would like to match multiple values you should take in account the possible different order in building the pseudo string.
Hope to help
Giuseppe
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide