I'm receiving the full routing table from my ISP, and then I'm trying to control what routes we have in our routing table using an ip as-path access-list (ideally I only want routes originated in the ISP's AS or directly attached). But it looks like we're receiving the full routing table, regardless of my prefix-list. Here's my config:
router bgp 1234
neighbor 22.214.171.124 remote-as 1234
neighbor 126.96.36.199 next-hop-self
neighbor 188.8.131.52 timers 5 15
neighbor 184.108.40.206 soft-reconfiguration inbound
neighbor 220.127.116.11 password xxx
neighbor 18.104.22.168 remote-as 5678
neighbor 22.214.171.124 soft-reconfiguration inbound
neighbor 126.96.36.199 prefix-list transit out
neighbor 188.8.131.52 route-map allow-from-isp in
ip as-path access-list 18 permit ^5678_[0-9]*$
ip prefix-list transit seq 5 deny 184.108.40.206/24 <-----------this is just for testing purposes before we go live
route-map allow-from-isp permit 10
match as-path 18
With this set up, I was getting the following:
BGP router identifier 220.127.116.11, local AS number 1234
BGP table version is 21988, main routing table version 21988
284942 network entries using 28779142 bytes of memory
284940 path entries using 13677120 bytes of memory
49179 BGP path attribute entries using 2951400 bytes of memory
44072 BGP AS-PATH entries using 1137420 bytes of memory
185 BGP community entries using 7282 bytes of memory
49 BGP route-map cache entries using 980 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 46553344 total bytes of memory
263363 received paths for inbound soft reconfiguration
BGP activity 285248/306 prefixes, 285333/393 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
18.104.22.168 4 1234 0 0 0 0 0 never Active
22.214.171.124 4 5678 50353 26 21988 0 0 00:22:45 21577
I also tried these regular expressions to see if that altered the number of entries, but it didn't:
ip as-path access-list 19 permit _5678$
ip as-path access-list 20 permit ^5678$
I then dropped the incoming filtering and accepted all routes, and it was again approx 284,000.
Any ideas on why this isn't working? We are using this exact set up with 2 other ISPs, so I'm not sure what is different in this case.
Any help would be much appreciated.
You are receiving
126.96.36.199 4 5678 50353 26 21988 0 0 00:22:45 21577
21577 IP prefixes with the filters, so they are doing something.
Have you verified with a sh ip bgp that there are AS paths that should have been filtered?
Hope to help
^5678_[0-9]*$ will not just accept routes with only 5678 AS in them. It will accept routes with 2 AS paths.
Your other regex should work though, i.e. ^5678$. Not sure whether you need to soft reset the connection if you apply a different filter.
Reason for getting a greater number of routes
If you want your AS to get networks originated from AS 5678 and all directly attached ASs of AS 5678, then you only have to apply the following inbound filter on your Router.
ip as-path access-list 1 permit ^5678_[0-9]*$
If you would like for your Router to receive only the routes originated from AS 5678 (and no Internet routes), you can apply an inbound access list on your Router as follows:
ip as-path access-list 1 permit ^5678$
and then give
clear ip bgp 188.8.131.52 soft in prefix-filter
Correct me if I am wrong.
"If you want your AS to get networks originated from AS 5678 and all directly attached ASs of AS 5678, then you only have to apply the following inbound filter on your Router.
ip as-path access-list 1 permit ^5678_[0-9]*$"
Correct, looks like you read the question better than me :-)
J, apologies as I misread your original post. I didn't realise you wanted AS 5678 + any directly attached ASs.
Many thanks for your responses everyone.
The thing is I did apply ip as-path access-list 1 permit ^5678_[0-9]*$ as an inbound filter (see config above), and it didn't make any difference! That's my problem - but I seem to get 280,000 routes in my routing table no matter what regex I use....
J, It looks like you have created an ACL that allows all routes that are transiting through your ISP, which are all of them.
Change your AS_PATH acl to this:
ip as-path access-list 18 permit ^5678(_[0-9]+)?$
Also, try turning on and off deterministic regexp. This also can make a difference in interpreting regexp.
As a side note, do not rush into route-maps without a need. If your requirement is only to filter paths, use "neighbor x.x.x.x filter-list YYY in"
Do not necessarily overcomplicate things
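To see what each of the as-path regexes discussed in this thread actually permits, here is an added Python example (not from any of the posts above or from Cisco) that emulates the IOS meaning of "_" and runs the patterns over constructed sample AS paths. AS 5678 stands for the ISP as in the thread; the other AS numbers in the samples are constructed.

```python
import re

# Cisco IOS AS-path regex: "_" matches a comma, a brace, a parenthesis,
# a space, or the beginning/end of the AS-path string. Translate that into
# an equivalent Python alternation so the patterns can be tested offline.
CISCO_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_aspath_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a Cisco 'ip as-path access-list' regex as a Python regex."""
    return re.compile(pattern.replace("_", CISCO_UNDERSCORE))


def permitted_paths(pattern: str, as_paths):
    """Return the AS paths that 'ip as-path access-list N permit <pattern>' accepts."""
    rx = cisco_aspath_regex(pattern)
    return [p for p in as_paths if rx.search(p)]


# Constructed sample AS paths, written as "show ip bgp" prints them, for routes
# learned from the ISP (AS 5678 is therefore always the first hop).
SAMPLE_PATHS = [
    "5678",                   # originated by the ISP itself
    "5678 65001",             # originated by a customer attached to the ISP
    "5678 3356 15169",        # transit: two ASs beyond the ISP
    "5678 3356 15169 36040",  # transit: three ASs beyond the ISP
]

# The access-list regexes from the thread, plus "^5678_" (no trailing "$"),
# which is what a filter that accepts everything the ISP sends looks like.
PATTERNS = {
    "^5678_[0-9]*$": "ISP-originated or one AS beyond the ISP",
    "^5678(_[0-9]+)?$": "same set, written with an optional group",
    "^5678$": "ISP-originated only",
    "_5678$": "origin is 5678 (same as ^5678$ for paths learned from 5678)",
    "^5678_": "any path starting with 5678, i.e. all ISP routes",
}

if __name__ == "__main__":
    for pattern, meaning in PATTERNS.items():
        print(f"{pattern:20} {meaning}")
        for path in permitted_paths(pattern, SAMPLE_PATHS):
            print(f"{'':20}   permit {path}")
```

Running it shows that the two "one AS beyond the ISP" patterns accept the same two paths, so a difference in route count between them should point at something other than the regex.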
Thank you Slidersv. I will give your suggestion a try.
I referred to http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a92.shtml#t5 to get the regexp ^5678_[0-9]*$ - this is also what we're using happily on 2 other devices.
Also I will remove the route-map.
Can you explain how to turn on/off deterministic regexp? I've not come across this before.
Hariharan is correct: you need ip as-path access-list 20 permit ^5678$
And don't use the route-map.
You need to look at State/PfxRcd for how many routes you are getting.