12-07-2007 09:47 AM - edited 03-03-2019 07:50 PM
I have a client that has an eBGP connection with me and uses us as a backup ISP. I also have 2 other eBGP peer connections which we load share for all our internet traffic.
My question is, I am trying to make sure that I never get inbound traffic from one of my AS's to my customer's AS. In case their primary AS fails, and they switch to us as their backup, I need to make sure all their inbound traffic comes from a particular AS on my end.
This is what I have and I think it is fine, but not sure. I want to make sure their AS never gets advertised to one of my upstream AS's.
neighbor 1.1.1.1 remote-as 111
neighbor 1.1.1.1 description UPSTREAM AS
neighbor 1.1.1.1 remove-private-as
neighbor 1.1.1.1 soft-reconfiguration inbound
neighbor 1.1.1.1 route-map UPSTREAM-AS-IN in
neighbor 1.1.1.1 route-map UPSTREAM-AS-OUT out
neighbor 1.1.1.1 filter-list 3 out
neighbor 2.2.2.2 remote-as 222
neighbor 2.2.2.2 description CLIENT
neighbor 2.2.2.2 ebgp-multihop 2
neighbor 2.2.2.2 soft-reconfiguration inbound
neighbor 2.2.2.2 route-map CLIENT-RECEIVE in
neighbor 2.2.2.2 route-map CLIENT-SEND out
ip as-path access-list 3 deny ^222$
ip as-path access-list 3 permit .*
Will this filter list make sure that AS 222 never gets advertised out to my UPSTREAM-AS that this is a valid path for inbound traffic?
Thanks for your help!
12-07-2007 10:15 AM
Ethan
There are some aspects of your situation that I do not understand well, such as if you are the backup ISP for the client why you would not want to advertise their routes to the upstream in the event that they have failed over and are using you as their Internet connection.
But as far as your immediate question is concerned your as path filter list would effectively prevent advertising to neighbor 1.1.1.1 of any route originated by the client and advertised directly from the client to you.
HTH
Rick
12-07-2007 10:27 AM
Awesome!! That is what I wanted to hear! I just get confused on CISCO's "regular expressions".
I was also thinking this, but wasn't for sure.
ip as-path access-list 3 deny _222_
ip as-path access-list 3 deny ^222$
ip as-path access-list 3 permit .*
A little background on the situation: Their primary AS, is also one of our AS's, which is the AS they DON'T want to use as a path if their primary fails. An example would be if their primary AS is having issues and they switch over to us, we/they don't want their inbound traffic coming from the same AS they just killed. Otherwise the issues could follow them if they switched over. Make sense?
I appreciate your help, and if you have a good link or a good explanation of Cisco's "expressions" that would be great. By the way, I will make this change in a few days. If it works, I will rate your "post" then. Thanks Richard!
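Added example (not part of the original thread, and not Cisco's code): a small Python emulation of how the two versions of as-path access-list 3 posted above treat different AS paths, so the difference between `^222$` and `_222_` is visible. It assumes the outbound filter is matched against the AS path as held in the BGP table, before the local AS is prepended; the sample paths and AS numbers 333, 444, 2220 and 65010 are constructed, and the `_` translation is a simplification that ignores `_` inside character classes.

```python
import re

# Cisco's "_" matches start of string, end of string, space, comma,
# braces or parentheses. Emulated here with a Python alternation.
UNDERSCORE = r"(?:^|$|[ ,{}()])"

def cisco_to_python(pattern):
    """Translate a Cisco AS-path regex to Python (simplified, see lead-in)."""
    return pattern.replace("_", UNDERSCORE)

def evaluate(acl, as_path):
    """Ordered evaluation: first matching entry wins, no match is an implicit deny."""
    for action, pattern in acl:
        if re.search(cisco_to_python(pattern), as_path):
            return action
    return "deny"

# The list from the first post.
LIST_3_ORIGINAL = [("deny", "^222$"), ("permit", ".*")]
# The list from the third post; its second entry can never match anything
# that the first entry has not already denied.
LIST_3_VARIANT = [("deny", "_222_"), ("deny", "^222$"), ("permit", ".*")]

# Constructed AS paths as they would sit in the BGP table.
SAMPLE_PATHS = [
    "222",        # originated by the client, learned directly from it
    "222 65010",  # learned from the client, originated behind it
    "333 222",    # client's prefix learned through another AS
    "2220",       # a different AS whose number merely contains "222"
    "333 444",    # unrelated transit path
    "",           # locally originated route (empty AS path)
]

def compare():
    """Return {path: (verdict under original list, verdict under variant)}."""
    return {
        path: (evaluate(LIST_3_ORIGINAL, path), evaluate(LIST_3_VARIANT, path))
        for path in SAMPLE_PATHS
    }

if __name__ == "__main__":
    print(f"{'AS path':<12}{'^222$ list':<14}{'_222_ list'}")
    for path, (original, variant) in compare().items():
        print(f"{path or '(empty)':<12}{original:<14}{variant}")
```

Only the `_222_` version withholds paths that contain AS 222 anywhere other than as the sole hop, and neither version touches AS 2220.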