Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
260
Views
4
Helpful
2
Replies

BGP Filtering AS Paths

eknell
Level 1
Level 1

‎12-07-2007 09:47 AM - edited ‎03-03-2019 07:50 PM

I have a client that has an eBGP connection with me and uses us as a backup ISP. I also have 2 other eBGP peer connections which we load share for all our internet traffic.

My question is, I am trying to make sure that I never get inbound traffic from one of my AS's to my customers AS. In case thier primary AS fails, and they switch to us as a thier backup, I need to make sure all thier inound traffic comes from a particluar AS on my end.

This is what I have and I think it is fine, but not sure. I want to make sure thier AS never gets advertised to one of my upstream AS's.

neighbor 1.1.1.1 remote-as 111

neighbor 1.1.1.1 description UPSTREAM AS

neighbor 1.1.1.1 remove-private-as

neighbor 1.1.1.1 soft-reconfiguration inbound

neighbor 1.1.1.1 route-map UPSTREAM-AS-IN in

neighbor 1.1.1.1 route-map UPSTREAM-AS-OUT out

neighbor 1.1.1.1 filter-list 3 out

neighbor 2.2.2.2 remote-as 222

neighbor 2.2.2.2 description CLIENT

neighbor 2.2.2.2 ebgp-multihop 2

neighbor 2.2.2.2 soft-reconfiguration inbound

neighbor 2.2.2.2 route-map CLIENT-RECEIVE in

neighbor 2.2.2.2 route-map CLIENT-SEND out

ip as-path access-list 3 deny ^222$

ip as-path access-list 3 permit .*

Will this filter list make sure that AS 222 never gets advertised out to my UPSTREAM-AS that this is a valid path for inbound traffic?

Thanks for your help!

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎12-07-2007 10:15 AM

Ethan

There are some aspects of your situation that I do not understand well, such as if you are the backup ISP for the client why you would not want to advertise their routes to the upstream in the event that they have failed over and are using you as their Internet connection.

But as far as you immediate question is concerned your as path filter list would effectively prevent advertising to neighbor 1.1.1.1 of any route originated by the client and advertised directly from the client to you.

HTH

Rick

HTH

Rick

eknell
Level 1
Level 1
In response to Richard Burts

‎12-07-2007 10:27 AM

Awesome!! That is what I wanted to hear! I just get confused on CISCO's "regular expressions".

I was also thinking this, but wasn't for sure.

ip as-path access-list 3 deny _222_

ip as-path access-list 3 deny ^222$

ip as-path access-list 3 permit .*

A little background on the situation: Thier primary AS, is also one of our AS's, which is the AS they DON'T want to use as a path if thier primary fails. An example would be if thier primary AS is having issues and they switch over to us, we/they don't want thier inbound traffic coming from the same AS they just killed. Otherwise the issues could follow them if they switched over. Make sense?

I apprecaite your help, and if you have a good link or a good explanation of Cisco's "expressions" that would be great. By the way, I will make this change in a few days. If it works, I will rate your "post" then. Thanks Richard!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card