BGP AS Path Filter Example

In this lesson, we’ll look at BGP AS path filtering. Using the AS path filter, we can permit or deny prefixes from certain autonomous systems. You can use this for things like:

  • Accept only prefixes from directly connected autonomous systems
  • Accept only prefixes from directly connected autonomous systems AND one autonomous system behind the first one.
  • Deny specific transit autonomous systems
  • And more

To create rules like the examples above we need a flexible way so that we can “match” on specific autonomous systems. This can be done with regular expressions. If you have no clue how regular expressions work, then please read my regexp lesson first.

Having said that, let’s look at some examples. I will use a BGP looking-glass server for this.

A looking-glass server is a router on the Internet with a (full) Internet routing table. You can use telnet to one and use show commands to view the BGP table. It’s a great way to practice regular expressions since there are plenty of prefixes to play with.

You can find a looking-glass server on BGP4.as, I picked one that is close to me:

route-server.tinet.net

Once I connect to it through telnet, this is what I see:

+--------------------------------------------------------------------+
|                                                                    |
|                    GTT Route Monitor - AS3257                      |
|                                                                    |
|   This system is solely for internet operational purposes. Any     |
|   misuse is strictly prohibited. All connections to this router    |
|   are logged.                                                      |
|                                                                    |
|   This server provides a view on the Tinet legacy routing table    |
|   that is used in Frankfurt/Germany. If you are interested in      |
|   other regions of the backbone check out http://www.as3257.net/   |
|                                                                    |
|                Please report problems to noc@gtt.net               |
|                                                                    |
+--------------------------------------------------------------------+

route-server.as3257.net>

Let’s see what we find in the BGP table:

route-server.as3257.net>show ip bgp
BGP table version is 4491321, local router ID is 213.200.87.253
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0/24       213.200.64.93            0             0 3257 15169 i
*> 1.0.4.0/24       213.200.64.93            0             0 3257 6453 7545 56203 i
*> 1.0.5.0/24       213.200.64.93            0             0 3257 6453 7545 56203 i
*> 1.0.6.0/24       213.200.64.93            0             0 3257 174 4826 38803 56203 i
*> 1.0.7.0/24       213.200.64.93            0             0 3257 174 4826 38803 56203 i
*> 1.0.20.0/23      213.200.64.93         1551             0 3257 2516 2519 i
*> 1.0.22.0/23      213.200.64.93         1551             0 3257 2516 2519 i
*> 1.0.24.0/23      213.200.64.93         1551             0 3257 2516 2519 i
*> 1.0.26.0/23      213.200.64.93         1551             0 3257 2516 2519 i
*> 1.0.28.0/22      213.200.64.93         1551             0 3257 2516 2519 i
*> 1.0.38.0/24      213.200.64.93          815             0 3257 9304 24155 i
*> 1.0.41.0/24      213.200.64.93          815             0 3257 9304 24155 i
*> 1.0.43.0/24      213.200.64.93          815             0 3257 9304 24155 i
*> 1.0.46.0/24      213.200.64.93          815             0 3257 9304 24155 i
*> 1.0.48.0/24      213.200.64.93          815             0 3257 9304 24155 i
*> 1.0.64.0/18      213.200.64.93         1551             0 3257 2516 7670 18144 i
*> 1.0.128.0/18     213.200.64.93            0             0 3257 174 38040 9737 i
*> 1.0.128.0/17     213.200.64.93            0             0 3257 38040 9737 9737 i
*> 1.0.129.0/24     213.200.64.93            0             0 3257 4651 9737 9737 23969 i
*> 1.0.130.0/24     213.200.64.93            0             0 3257 6453 4651 9737 9737 9737 23969 i
*> 1.0.131.0/24     213.200.64.93            0             0 3257 6453 4651 9737 9737 9737 23969 i
*> 1.0.142.0/23     213.200.64.93            0             0 3257 6453 4651 9737 9737 9737 23969 i
*> 1.0.160.0/19     213.200.64.93           18             0 3257 2914 38040 9737 i
*> 1.0.192.0/21     213.200.64.93            0             0 3257 6453 4651 9737 9737 9737 23969 i

There are plenty of prefixes to play with…let’s try a couple of examples now, shall we?

Only allow prefixes that originated from AS 3257

This example will only accept prefixes that originated in AS 3257. All the other prefixes won’t be permitted:

route-server.as3257.net>show ip bgp regexp ^3257$
BGP table version is 4492538, local router ID is 213.200.87.253
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 2.16.0.0/23      213.200.64.93          154             0 3257 i
*> 2.16.4.0/24      213.200.64.93          230             0 3257 i
*> 2.16.5.0/24      213.200.64.93          230             0 3257 i
*> 2.16.34.0/24     213.200.64.93           80             0 3257 i

Let me explain the regular expression that I used here. The ^ symbol means that this is the beginning of the string, and the $ matches the end of the string. We put 3257 in between, so only “3257” matches. If you want to configure this filter on a Cisco IOS router, you can do this with the as-path access-list command:

ip as-path access-list 1 permit ^3257$

route-map AS_PATH_FILTER permit 10
match as-path 1

router bgp 1
neighbor 213.200.64.93 remote-as 3257
neighbor 213.200.64.93 route-map AS_PATH_FILTER in

The as-path access-list works like the normal access list, there is a hidden “deny any” at the bottom. First, we create the as-path access-list and then attach it to a route-map. In the BGP configuration, you can attach the route-map to one of your BGP neighbors.

Let’s look at another example…

Only allow networks that passed through AS 3257

We only want to see prefixes that passed through AS 3257. Here’s how:

route-server.as3257.net>show ip bgp regexp _3257_
BGP table version is 4492787, local router ID is 213.200.87.253
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0/24       213.200.64.93            0             0 3257 15169 i
*> 1.0.4.0/24       213.200.64.93            0             0 3257 6453 7545 56203 i
*> 1.0.5.0/24       213.200.64.93            0             0 3257 6453 7545 56203 i
*> 1.0.6.0/24       213.200.64.93            0             0 3257 174 4826 38803 56203 i
*> 1.0.7.0/24       213.200.64.93            0             0 3257 174 4826 38803 56203 i
*> 1.0.20.0/23      213.200.64.93         1551             0 3257 2516 2519 i

The regular expression starts and ends with a _ . This matches the space between the AS path numbers. I’m not using a ^ or $ to indicate the start and end of the string so there can be as many autonomous systems as we want, as long as it passes through AS 3257, it will match. Here’s what it looks like on a router:

ip as-path access-list 1 permit _3257_

route-map AS_PATH_FILTER permit 10
match as-path 1

router bgp 1
neighbor 213.200.64.93 remote-as 3257
neighbor 213.200.64.93 route-map AS_PATH_FILTER in

I got a few more examples…

Deny prefixes that originated from AS 56203 and permit everything else

This one might be useful if you want to block prefixes that originated in a particular AS:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 799 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
556 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags:


Forum Replies

  1. Very helpful, thanks!

  2. Using a route-map is perfectly correct, but to be more complete you can always show that:

    neighbor x.x.x.x filter-list 1 in

    would do the same work. (Of course, the filter could be applied outbound if required by some design)

    Router(config-router-af)#neighbor 1.1.1.1 filter-list ?
        AS path access list

  3. Rene,

    Very helpful in understanding these complex expressions. However, I do have question about the following which is configured on our internet hubs by our senior engineers.

    AS path access list 20
         deny ^10886_209_
         permit ^10886_
    

    ^10886_209_ It means deny prefixes from 10886 and any prefixes passes through 209
    is that correct?
    permit ^10886_ it means permit prefixes from 10886 and what does _ means at the end.
    Please clarify

    Thanks
    Hamood

  4. Hi Hamood,

    The _ matches the white space between the AS numbers. For example take a look at this output of a BGP table:

    Network Next Hop Metric LocPrf Weight Path
    * 1.0.0.0/24 203.202.143.34 0 7474 15169 i
    * 202.139.124.130 1 0 7474 15169 i
    * 203.13.132.29 0 7474 15169 i

    In the AS path there’s a space between the AS numbers, we need to use the _ to match this.

    Let’s look at your example:

    deny ^10886_209_

    The ^ indicates the beginn

    ... Continue reading in our forum

  5. Rene,

    Thanks and it clears my concept. I just wanted to make sure if ^10886_
    can be written as permit ^10886$ and if it does the same thing?
    This is based on your first example in the lesson.
    ^10886_ permit everything from AS10886 but what is the purpose of _ at the end?

    Thanks
    Hamood

51 more replies! Ask a question or join the discussion by visiting our Community Forum