Access lists, prefix lists work very well in case we want to filter prefixes, but sometimes you may want to take action not against particular networks, but particular Autonomous Systems. Then AS-PATH filtering is comming forward.
AS-PATH filtering is based on regular expressions, so there is no way to configure any filters without at least fundamental knowneldge of regular expressions. So firstly let’s go over to them and then to AS-PATH filtering.
Regular Expressions (Regexp) plays a meaningful role in conjunction with AS Path filters. Initialy were only used in programming, but now are being used commonly in BGP for matching items in the AS PATH.
Regular Expressions are designed to match and all it does is taking a string and finding required stuff in it.
Here is the list with regular expressions:
^ matches the beginning of input
$ matches the end of input
| (pipe) a logical OR statement
. (period) matches a single character
+ matches the character to the left 1 or more times
* (asterisk) matches the character to the left 0 or more times
? matches the character to the left 0 or 1 times
\ removes special meanings
() affects order of operations
[] creates a group of characters
The best explanation of Regexp is on examples. Let’s take an AS PATH:
AS Path : 3567 234 92 2319 298 2671 23 29
_– (underscore) white space, the gap betwen autonomous systems numbers, takes place is searching as a part of the string
Let’s try make some searching on above AS PATH string in bgp table. We run command show ip bgp regexp:
92|23 (92 OR 23 in ANY of the AS) – result is AS PATH that contains AS 92 or 23 : 234 92 2319 23
_92_|_23_ (ONLY 92 OR 23)- result is AS PATH that contains exactly AS 92 or 23 : 92 23
^3567_ – the AS PATH string begin with 3567
_29$ – the AS PATH string ending with AS 29
(_92_|_23)_2319 – the AS PATH string exactly with AS 92 or 23 FOLLOWED BY 2319
^3567_. – the AS PATH string begin with 3567 and contains any AS behind
.* – match everything, we will get the full bgp table
If we know how to use basic regular expressions we may go over AS-PATH filtering and the lab.
I’ve made the lab that consists of 5 AS. On R5 I added a few networks 10.0.1.0-6.0. Everything is pre-configured, so you may imidiately play around with filtering. I created 3 scenarios.
https://mega.nz/#!W2gwgQDY
3lSC0go9-6XiVfUIXGb2eaNbZVr7Fub-ZzsHkVm4ie8
in order tu unpack the rar file use as usual password :
www.itbundle.net
Firstly let’s check how bgp table on R1 looks like before we start configuring anything. As we see everything is in working order and as we expected
AS PATH filtering – means matching routes based on AS PATH, we have to remember that at the end of as-path access-list there is an implicit ‘deny’ statement as in ordinary access list.
In order to utilize AS-PATH filter, firstly we have to create ip as-path access-list, next we create a route map with match and/or set statement. At the end we apply the route-map against the neighbor.
All three scenarios we are applying on R2 against R1, so all outcomes we will be checking on R1.
Scenario 1
We want to block on R2 towards R1 all updates for any network that contain in AS PATH Autonomous System 3
ip as-path access-list 1 deny _3_ – every update that containes AS3 in AS PATH string will be rejected, _3_ is a regular expression
ip as-path acces-list 1 permit .* – the other ASs are allowed (permit ANY)
route-map FILTER_3 permit 10
match as-path 1 – as-path access-list number
router bgp 2
neighbor 1.1.1.1 route-map FILTER_3 out – application against the neighbor
bgp table on R1 shows that all routes with AS3 have dissapeared
Scenario 2
We want to change the metric for any network that in AS PATH has AS3
ip as-path access-list 2 permit _3_
route-map METRIC_3 permit 10
match as-path 2
set weight 155
route-map METRIC_3 permit 20
router bgp 2
neighbor 1.1.1.1 route-map METRIC_3 out
BGP table on R1 shows to us changed metric to 155 for routes with AS3 in AS PATH
Scenario 3
We want to change AS PATH string (we are doing that with as-path prepend) for each network that has in AS PATH AS4
ip as-path access-list 3 permit _4_
route-map AS_PATH_PREP permit 10
match as-path 1
set as-path prepend 100 101 102 103
route-map AS_PATH_PREP permit 20
router bgp 2
neighbor 1.1.1.1 route-map AS_PATH_PREP out
On R1 it is highly visible that AS PATH attribute has changed. ASs ‘100 101 102 103′ have been added to the networks that have AS4 in the AS PATH.