BGP AS Path Filter Example

In this tutorial we’ll take a look at BGP AS path filtering. Using the AS path filter we can permit or deny prefixes from certain autonomous systems. You can use this for things like:

  • Accept only prefixes from directly connected autonomous systems
  • Accept only prefixes from directly connected autonomous systems AND one autonomous system behind the first one.
  • Deny certain transit autonomous systems
  • And more

To create rules like the examples above we need a flexible way to “match” on certain autonomous systems. This can be done with regular expressions. If you have no clue how regular expressions work then please read my regexp tutorial first.

Having said that, let’s look at some examples. I will use a BGP looking glass server for this.

A looking glass server is a router on the Internet that has a (full) Internet routing table. You can telnet to one and use show commands to view its BGP table. It’s a great way to practice regular expressions since there are plenty of prefixes to play with.

You can find a looking glass server on BGP4.as, I picked one that is close to me:

route-server.tinet.net

Once I connect to it through telnet this is what I see:

+--------------------------------------------------------------------+
|                                                                    |
|                    GTT Route Monitor - AS3257                      |
|                                                                    |
|   This system is solely for internet operational purposes. Any     |
|   misuse is strictly prohibited. All connections to this router    |
|   are logged.                                                      |
|                                                                    |
|   This server provides a view on the Tinet legacy routing table    |
|   that is used in Frankfurt/Germany. If you are interested in      |
|   other regions of the backbone check out http://www.as3257.net/   |
|                                                                    |
|                Please report problems to noc@gtt.net               |
|                                                                    |
+--------------------------------------------------------------------+

route-server.as3257.net>

Let’s see what we find in the BGP table:

route-server.as3257.net>show ip bgp
BGP table version is 4491321, local router ID is 213.200.87.253
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0/24       213.200.64.93            0             0 3257 15169 i
*> 1.0.4.0/24       213.200.64.93            0             0 3257 6453 7545 56203 i
*> 1.0.5.0/24       213.200.64.93            0             0 3257 6453 7545 56203 i
*> 1.0.6.0/24       213.200.64.93            0             0 3257 174 4826 38803 56203 i
*> 1.0.7.0/24       213.200.64.93            0             0 3257 174 4826 38803 56203 i
*> 1.0.20.0/23      213.200.64.93         1551             0 3257 2516 2519 i
*> 1.0.22.0/23      213.200.64.93         1551             0 3257 2516 2519 i
*> 1.0.24.0/23      213.200.64.93         1551             0 3257 2516 2519 i
*> 1.0.26.0/23      213.200.64.93         1551             0 3257 2516 2519 i
*> 1.0.28.0/22      213.200.64.93         1551             0 3257 2516 2519 i
*> 1.0.38.0/24      213.200.64.93          815             0 3257 9304 24155 i
*> 1.0.41.0/24      213.200.64.93          815             0 3257 9304 24155 i
*> 1.0.43.0/24      213.200.64.93          815             0 3257 9304 24155 i
*> 1.0.46.0/24      213.200.64.93          815             0 3257 9304 24155 i
*> 1.0.48.0/24      213.200.64.93          815             0 3257 9304 24155 i
*> 1.0.64.0/18      213.200.64.93         1551             0 3257 2516 7670 18144 i
*> 1.0.128.0/18     213.200.64.93            0             0 3257 174 38040 9737 i
*> 1.0.128.0/17     213.200.64.93            0             0 3257 38040 9737 9737 i
*> 1.0.129.0/24     213.200.64.93            0             0 3257 4651 9737 9737 23969 i
*> 1.0.130.0/24     213.200.64.93            0             0 3257 6453 4651 9737 9737 9737 23969 i
*> 1.0.131.0/24     213.200.64.93            0             0 3257 6453 4651 9737 9737 9737 23969 i
*> 1.0.142.0/23     213.200.64.93            0             0 3257 6453 4651 9737 9737 9737 23969 i
*> 1.0.160.0/19     213.200.64.93           18             0 3257 2914 38040 9737 i
*> 1.0.192.0/21     213.200.64.93            0             0 3257 6453 4651 9737 9737 9737 23969 i

Plenty of prefixes to play with…let’s try a couple of examples now shall we?

Only allow prefixes that originated from AS 3257

This example only accepts prefixes that originated in AS 3257; all other prefixes won’t be permitted:

route-server.as3257.net>show ip bgp regexp ^3257$
BGP table version is 4492538, local router ID is 213.200.87.253
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 2.16.0.0/23      213.200.64.93          154             0 3257 i
*> 2.16.4.0/24      213.200.64.93          230             0 3257 i
*> 2.16.5.0/24      213.200.64.93          230             0 3257 i
*> 2.16.34.0/24     213.200.64.93           80             0 3257 i

Let me explain the regular expression that I used here. The ^ symbol means the beginning of the string and the $ matches the end of the string. We put 3257 in between so only an AS path consisting of exactly “3257” matches. If you want to configure this filter on a Cisco IOS router you can do this with the as-path access-list command:

ip as-path access-list 1 permit ^3257$

route-map AS_PATH_FILTER permit 10
match as-path 1

router bgp 1
neighbor 213.200.64.93 remote-as 3257
neighbor 213.200.64.93 route-map AS_PATH_FILTER in

The as-path access-list works like the normal access-lists, there is a hidden “deny any” at the bottom. First we create the as-path access-list and then attach it to a route-map. In the BGP configuration you can attach the route-map to one of your BGP neighbors.

Let’s look at another example…

Only allow networks that passed through AS 3257

We only want to see prefixes that passed through AS 3257, here’s how:

route-server.as3257.net>show ip bgp regexp _3257_
BGP table version is 4492787, local router ID is 213.200.87.253
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0/24       213.200.64.93            0             0 3257 15169 i
*> 1.0.4.0/24       213.200.64.93            0             0 3257 6453 7545 56203 i
*> 1.0.5.0/24       213.200.64.93            0             0 3257 6453 7545 56203 i
*> 1.0.6.0/24       213.200.64.93            0             0 3257 174 4826 38803 56203 i
*> 1.0.7.0/24       213.200.64.93            0             0 3257 174 4826 38803 56203 i
*> 1.0.20.0/23      213.200.64.93         1551             0 3257 2516 2519 i

The regular expression starts and ends with a _. This matches the space between the AS numbers in the path. I’m not using a ^ or $ to indicate the start and end of the string, so there can be as many autonomous systems in the path as we want; as long as it passed through AS 3257 it will match. Here’s what it looks like on a router:

ip as-path access-list 1 permit _3257_

route-map AS_PATH_FILTER permit 10
match as-path 1

router bgp 1
neighbor 213.200.64.93 remote-as 3257
neighbor 213.200.64.93 route-map AS_PATH_FILTER in
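The `^3257$` and `_3257_` matches above, together with the hidden “deny any” at the end of the as-path access-list, carried through as an added Python model (not part of the tutorial): it translates the Cisco `_` token into an ordinary regex, parses the Path column out of the `show ip bgp` output shown earlier, and evaluates an access-list top to bottom. The `_56203$` entry used for “originated by AS 56203” is the standard anchoring idiom and is my addition, not a line from the page.

```python
import re

# Constructed sample: header plus a few rows copied from the tutorial's
# "show ip bgp" output on route-server.as3257.net.
SHOW_IP_BGP = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0/24       213.200.64.93            0             0 3257 15169 i
*> 1.0.4.0/24       213.200.64.93            0             0 3257 6453 7545 56203 i
*> 1.0.20.0/23      213.200.64.93         1551             0 3257 2516 2519 i
*> 2.16.0.0/23      213.200.64.93          154             0 3257 i
"""

# In a Cisco AS-path regex "_" is not a literal underscore: it stands for any
# delimiter (start or end of the path, a space, a comma, or the brace/
# parenthesis around an AS set or confederation segment).
CISCO_DELIM = r"(?:^|$|[ ,{}()])"

def to_python_regex(cisco_regex):
    return cisco_regex.replace("_", CISCO_DELIM)

def as_path_matches(cisco_regex, as_path):
    """True if the Cisco-style regex matches an AS_PATH string such as "3257 15169"."""
    return re.search(to_python_regex(cisco_regex), as_path) is not None

def parse_bgp_table(text):
    """Return [(prefix, as_path)] from 'show ip bgp' output; the Path column is
    located by its header offset because Metric/LocPrf may be blank."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = next(l for l in lines if l.lstrip().startswith("Network"))
    path_col = header.index("Path")
    routes = []
    for line in lines:
        if line[0] not in "*sdhr":               # skip the header, keep route rows
            continue
        prefix = line[3:path_col].split()[0]
        as_path = line[path_col:].split()[:-1]   # drop the origin code (i/e/?)
        routes.append((prefix, " ".join(as_path)))
    return routes

def as_path_access_list(entries, as_path):
    """Evaluate 'ip as-path access-list' entries [(action, regex), ...] top to
    bottom: the first match decides, and the hidden 'deny any' ends the list."""
    for action, cisco_regex in entries:
        if as_path_matches(cisco_regex, as_path):
            return action == "permit"
    return False

def apply_filter(entries, routes):
    """Prefixes a neighbor's inbound route-map using this access-list would accept."""
    return [prefix for prefix, path in routes if as_path_access_list(entries, path)]
```

`apply_filter([], routes)` returns nothing at all, which is exactly what happens on a router when the list is empty or no entry matches.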

I have a few more examples…

Deny prefixes that originated from AS 56203 and permit everything else

This one might be useful if you want to block prefixes that originated in a particular AS:


Forum Replies

  1. Hi Rene,

    Great topic! However, I am having trouble understanding the following expressions: ^3257_[0-9]$
    Ok, so far I understand that the ^3257 is the start of the AS path, so this would be a directly connected AS. I also understand that _ represents any AS paths after 3257 and you would have to define the $ expression to define the last AS path to match on, otherwise all AS paths after 3257 would be considered.
    However, I don’t get the [0-9] at all… Can you clarify this by also using the + and ? in substitution for the *?
    I read your BGP Regular Expression topi

    ... Continue reading in our forum

  2. Hi Mario,

    The [0-9] means any number between 0 and 9, this means 0,1,2,3,4,5,6,7,8 and 9 are valid. The * means that we repeat the previous number 0 or multiple times. Basically this means any number from 0 to infinity matches. In our example we have 16 bit AS numbers so that means any AS number from 0 to 65535 will be matched.

    The + is similar to the * but it means that we repeat the previous number 1 or multiple times. In practice, there’s a big difference between the two…for example:

    When I use ^3257_[0-9]*$ then I’m matching everything that starts with AS 3

    ... Continue reading in our forum

  3. Hi Rene,

    Need your expertise on this one… I have a regex script to filter prepended AS’s. The issue is when I test it with the “sh ip bgp regexp” cmd; no prepended routes are tagged (rightfully so, because they aren’t configured yet…). So my thought is the script is functional, but when I apply the access list w/ as-path filter all of my routes disappear…

    R1#sh ip bgp | B Net
    Network Next Hop Metric LocPrf Weight Path
    *> 1.0.0.0 0.0.0.0 0 32768 i
    *> 2.0.0.0 12.1.1.2 0 0 200 i
    *> 3.0.0.0 12.1.1.2 0 200 300 i
    *> 4.0.0.0 12.1.1.2 0 200 300 400 i
    
    ... Continue reading in our forum

  4. Hi Jon,

    This regex seems to be valid, I tested it on a looking glass server (routeserver.sunrise.ch):

    RS_AS6730>show ip bgp regexp ^([0-9]+)(_\1)+$
    BGP table version is 1413944297, local router ID is 193.192.254.90
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
    r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
    Network Next Hop Metric LocPrf Weight Path
    *>i1.9.0.0/16 193.192.254.1 20 80 0 4788 4788 4788 i
    * i 193.192.254.35 20 80 0 4788 4788 4788 i
    ... Continue reading in our forum

  5. Hi @cradlepoint,

    It is possible to mix route-maps, filter-lists, distribute-lists etc. but it’s better to stick to a single route-map.

    The route-map can do everything you want and it allows you to keep everything in one place. If you want to match on an AS path and set the local preference for those routes, you can do something like this:

    ip as-path access-list 1 permit ^46435_[0-9]*$
    !
    route-map filter-and-local-pref permit 10
     match as-path 1
     set local-preference 200
    !
    neighbor x.x.x.x route-map filter-and-local-pref in

    Without the empty permit 20 stateme

    ... Continue reading in our forum
