Sunday, April 7, 2013

BGP AS-Path Filter Lists

A filter list is a form of route policy that restricts the routes that will be advertised or accepted based on the AS-Path of the route. To configure a filter list, you must first create an AS-path access list based on the known paths you wish to permit.
ip as-path access-list xx permit 701
ip as-path access-list xx permit 701 6461
ip as-path access-list xx permit 701 6461 3
The list above will permit the following AS-paths:
701
701 6461
701 6461 3
To apply this list to a BGP session, use the following command:
neighbor <IP address> filter-list xx in|out
The list can be applied either to the routes received (inbound) or the routes advertised (outbound). Now let us suppose that, to adjust the routing, an administrator at MIT used AS-path prepending to make routes to one provider more preferred over another. The new prepended AS path would look like this:
701 6461 3 3
This path would never be permitted through the AS-path filter because AS 3 appears twice. Worse, suppose that after the filter was changed to match this, the administrator at MIT decided to go back to a standard announcement, or decided to prepend twice. Every such change would mean a headache for the person maintaining the filter and would delay needed changes.
To make the list more flexible, Cisco allows regular expressions in an AS-path filter list. The same list above can be rewritten as a single entry that permits prepends from any of the providers in the AS path (the final group must be starred so that a path ending at 701 or 6461, or one with a prepended 3, is still matched):
ip as-path access-list xx permit ^(_701)+(_6461)*(_3)*$
The filter list above would permit the following AS-paths:
701
701 701
701 6461
701 3
701 6461 3
701 6461 6461 3 3 3
Clearly this second list is shorter and much more flexible. The characters used above have the following meanings:
Char.  Meaning
^      Beginning of the AS-path string
_      Any whitespace, or the start or end of the path (which is why ^(_701) matches a path that begins with 701)
( )    Parentheses group items together so that * or + applies to the whole group
NNN    An AS number, matched literally
*      Zero or more of the previous object
+      One or more of the previous object
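To see exactly which paths the regular-expression filter accepts, the following Python script models an IOS AS-path filter list: entries are walked in order, the first match decides, and a path matching no entry is implicitly denied. It translates the Cisco underscore into a Python alternation (whitespace, comma, brace or parenthesis, or the start or end of the path) and runs the filter above against the paths listed in this post plus two constructed paths (AS 64496 is a documentation ASN) that should be rejected. This is an added example written for this page, not Cisco code or output from a router.

```python
import re

# Cisco's "_" is a delimiter, not a literal character: it matches a space,
# comma, brace, parenthesis, or the start or end of the AS-path string.
# Translating it this way lets the page's "^(_701)+" match a path whose
# first AS is 701 (the "_" consumes the start-of-string boundary).
CISCO_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_aspath_to_python(pattern: str) -> str:
    """Rewrite an IOS as-path regex so Python's re module applies it."""
    return pattern.replace("_", CISCO_UNDERSCORE)


def evaluate_filter_list(entries, as_path: str) -> str:
    """Return "permit" or "deny" for as_path.

    entries is an ordered list of (action, cisco_regex) tuples, as in
    'ip as-path access-list xx permit <regex>'.  The first matching entry
    wins; a path that matches nothing is denied, as on IOS.
    """
    for action, pattern in entries:
        if re.search(cisco_aspath_to_python(pattern), as_path):
            return action
    return "deny"


def permitted_paths(entries, paths):
    """Return the subset of paths the filter list permits, in input order."""
    return [p for p in paths if evaluate_filter_list(entries, p) == "permit"]


# The single-entry filter list from the post.
PREPEND_TOLERANT_FILTER = [("permit", r"^(_701)+(_6461)*(_3)*$")]

# Constructed sample paths: the six the post lists, the prepended path that
# broke the literal list, and two that the filter must reject.
SAMPLE_PATHS = [
    "701",
    "701 701",
    "701 6461",
    "701 3",
    "701 6461 3",
    "701 6461 6461 3 3 3",
    "701 6461 3 3",      # the prepended announcement from the post
    "3 701",             # constructed: first hop is not 701
    "701 6461 3 64496",  # constructed: extra AS after the expected origin
]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:22s} -> {evaluate_filter_list(PREPEND_TOLERANT_FILTER, path)}")
```

Because the pattern is anchored with ^ and $, adding a second, unanchored entry such as permit _6461_ would widen the filter to any path that transits 6461; keeping every production entry anchored is the usual defensive habit when the list is meant to describe complete paths.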