So far, we've explored filtering BGP routes using ACLs and Prefix Lists, focusing on the prefixes themselves and their masks for our criteria. But what if you're a large enterprise or an Internet Service Provider (ISP) and you're interested in filtering routes based on the AS path? Suppose you need to block routes originating from a certain Autonomous System (AS), or you want to ensure that your prefixes only get advertised if they traverse a specific AS. While it's possible to achieve this using prefix-based filtering, it would be incredibly cumbersome given the vast number of prefixes to manage.
Enter AS_Path filtering, a simple approach to route filtering that focuses on the AS_Path attribute in BGP routes. With AS_Path filters, you can create rules based on the autonomous systems that routes have passed through. What makes AS_Path filtering particularly powerful is the ability to use regular expressions (regex) to identify AS paths. This means you don't have to specify each AS number explicitly—instead, you can use regex patterns to match a range of AS paths.
BGP AS_Path Filter Regex
There are many regex operators available, but for the sake of simplicity, let's start with the three most commonly used ones in the context of AS_Path filtering: ^, $, and _.
^ (Caret) - This symbol matches the beginning of a string. In AS_Path filtering, it's used to specify that the AS number following the caret should be the first AS in the AS_Path list. For example, ^100 would match any AS_Path that starts with AS 100.
- Example - If the AS_Path is 100 200 300, the regex ^100 matches because AS 100 is at the beginning.
- Example - If the AS_Path is
$ (Dollar) - This symbol matches the end of a string. It's used to indicate that the AS number preceding the dollar sign should be the last AS in the AS_Path list. For example, 100$ would match any AS_Path that ends with AS 100.
- Example - If the AS_Path is 200 300 100, the regex 100$ matches because AS 100 is at the end.
- Example - If the AS_Path is
_ (Underscore) - The underscore acts as a delimiter between AS numbers. It's useful for specifying that an AS number must appear anywhere in the path without necessarily being at the beginning or the end. For example, _100_ matches any AS_Path that includes AS 100 anywhere in the path.
- Example - If the AS_Path is 200 100 300, the regex _100_ matches because AS 100 is included in the path, regardless of its position.
- Example - If the AS_Path is
BGP AS_Path Filter Examples
Let's look at some examples and how to configure AS_Path filters. The examples are based on the following diagram.
I've configured eBGP between each router and redistributed the connected routes on HQ-01 and Branch-01 routers. Here is the BGP table from the ENT-01 router.
#ENT-01
ENT-01#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 12.12.12.0/24 12.12.14.2 0 200 1000 ?
*> 12.12.13.0/24 12.12.14.2 0 200 100 ?
*> 100.100.1.0/24 12.12.14.2 0 200 1000 ?
*> 100.100.2.0/24 12.12.14.2 0 200 1000 ?
*> 100.100.55.0/25 12.12.14.2 0 200 100 ?
*> 100.100.60.0/24 12.12.14.2 0 200 100 ?
*> 100.100.61.0/26 12.12.14.2 0 200 100 ?
Let's start with a simple example. ENT-01 only wants to accept routes that originate from AS 1000. Of course, we can use ACLs and prefix lists to filter out the routes, but what happens if new prefixes come through? It won't scale well. Let's use the AS_Path filter and see how it works.
- Step 1 - Create an as-path ACL
- Step 2 - Apply the ACL to the neighbour (in or out direction)
#ENT-01
ip as-path access-list 1 permit 1000$
router bgp 2000
bgp log-neighbor-changes
neighbor 12.12.14.2 remote-as 200
neighbor 12.12.14.2 filter-list 1 in
1000$ - This is the regular expression that defines the pattern to match against the AS_PATH attribute of BGP routes. The dollar sign $ at the end of the expression means "end of string". So, 1000$ matches any BGP route whose AS_PATH ends with the AS number 1000 (i.e. the originator of the route has to be AS 1000).
ENT-01#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 12.12.12.0/24 12.12.14.2 0 200 1000 ?
*> 100.100.1.0/24 12.12.14.2 0 200 1000 ?
*> 100.100.2.0/24 12.12.14.2 0 200 1000 ?
As you can see from the output, just with a single filter, we were able to omit the routes coming from autonomous systems other than AS1000.
Locally Originated Routes
The regular expression ^$ is used in BGP to match routes that are originated locally. Here's how it breaks down.
- ^ asserts the start of a string
- $ asserts the end of a string
When combined as ^$ with no characters between them, this regex matches a string that starts and ends immediately, meaning it has no content—it's empty. In the context of BGP AS_PATH filtering, this pattern matches routes that have an empty AS_PATH attribute. Since the AS_PATH attribute lists the ASes a route has traversed, an empty AS_PATH implies the route did not traverse any ASes and is therefore originated by the local router itself.
For example, if I look at the show ip bgp output from the Branch-01 router, it contains both locally originated routes and the routes being advertised from HQ-01.
Branch_01#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 12.12.12.0/24 12.12.13.2 0 200 1000 ?
*> 12.12.13.0/24 0.0.0.0 0 32768 ?
*> 100.100.1.0/24 12.12.13.2 0 200 1000 ?
*> 100.100.2.0/24 12.12.13.2 0 200 1000 ?
*> 100.100.55.0/25 0.0.0.0 0 32768 ?
*> 100.100.60.0/24 0.0.0.0 0 32768 ?
*> 100.100.61.0/26 0.0.0.0 0 32768 ?
Let's say I just want to see the locally originated routes. As you can see in the following output, ^$ gives us the locally originated routes only.
Branch_01#show ip bgp regexp ^$
Network Next Hop Metric LocPrf Weight Path
*> 12.12.13.0/24 0.0.0.0 0 32768 ?
*> 100.100.55.0/25 0.0.0.0 0 32768 ?
*> 100.100.60.0/24 0.0.0.0 0 32768 ?
*> 100.100.61.0/26 0.0.0.0 0 32768 ?
^$, you can only advertise the prefixes that were locally originated.
Multiple Regex and Match Any
You might be wondering if you can stack multiple AS-path ACLs and how to match 'any' AS path after denying specific ones. Let’s revisit our first example on ENT-01 router. Let's say now we want to deny any routes originating from AS1000 and allow everything else. Here’s how you can do it.
#ENT-01
ip as-path access-list 1 deny 1000$
ip as-path access-list 1 permit .*
router bgp 2000
bgp log-neighbor-changes
neighbor 12.12.14.2 remote-as 200
neighbor 12.12.14.2 filter-list 1 in
ENT-01#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 12.12.13.0/24 12.12.14.2 0 200 100 ?
*> 100.100.55.0/25 12.12.14.2 0 200 100 ?
*> 100.100.60.0/24 12.12.14.2 0 200 100 ?
*> 100.100.61.0/26 12.12.14.2 0 200 100 ?
.* pattern. The dot . matches any single character, and the asterisk * signifies zero or more occurrences of the preceding element. Together, .* matches any sequence of characters, effectively capturing any AS_PATH.
BGP Filtering with Route Maps
Route maps can filter networks similar to ACLs or prefix lists, but they can provide additional capability through the addition or modification of network attributes. For the purpose of this example, we will just focus on the BGP filtering aspects of route maps. We will cover other uses of route maps in the upcoming posts.
A route map has four components.
- Sequence number - Dictates the processing order of the route map.
- Matching criteria - Identifies prefix characteristics such as networks, BGP path attributes, next hop, and so on for a specific sequence.
- Processing action - Permits or denies the prefix.
- Optional action - Actions can include modification, addition, or removal of the route characteristics.
A route map uses the command syntax route-map route-map-name [permit | deny] [sequence-number]
The following rules apply to route map statements.
- If a processing action is not provided, the default value permit is used.
- If a sequence number is not provided, the sequence number is incremented by 10 automatically.
- If a matching statement is not included, all prefixes are matched.
- Processing within a route map stops once a sequence's matching criteria are met and all of that sequence's optional actions have been processed.
With route maps, you can assign sequence numbers to different conditions, allowing you to specify actions based on whether certain conditions are met. For example, you could configure a route map to check if a route matches a specific prefix, like x.x.x.x/x. If it does, you can then define specific actions to take, such as modifying route attributes, accepting the route, or denying it. If there is no match, it just goes to the next sequence until it reaches the bottom, where the route map has an implicit deny.
In this final example, let's explore how to use Route Maps to filter routes. Suppose we want to allow the prefix 100.100.2.0/24 from AS1000 but deny everything else from AS1000. We also want to allow prefixes from other ASs. Here is how you can do it with a route map.
Here is the output from the ENT-01 router before we apply any filters. You can see that ENT-01 currently has 3 prefixes that are originating from AS1000. After applying the filters, we should only see a single prefix (100.100.2.0/24).
ENT-01#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 12.12.12.0/24 12.12.14.2 0 200 1000 ?
*> 12.12.13.0/24 12.12.14.2 0 200 100 ?
*> 100.100.1.0/24 12.12.14.2 0 200 1000 ?
*> 100.100.2.0/24 12.12.14.2 0 200 1000 ?
*> 100.100.55.0/25 12.12.14.2 0 200 100 ?
*> 100.100.60.0/24 12.12.14.2 0 200 100 ?
*> 100.100.61.0/26 12.12.14.2 0 200 100 ?
I'm going to create a prefix-list to match 100.100.2.0/24 and an as-path filter to match routes originating from AS1000.
#ENT-01
ip prefix-list ALLOW-100-100-2-0-24 seq 5 permit 100.100.2.0/24
ip as-path access-list 1 permit 1000$
route-map MY_MAP permit 5
description ALLOW-100-100-2-0-24
match ip address prefix-list ALLOW-100-100-2-0-24
!
route-map MY_MAP deny 10
description DENY-AS1000
match as-path 1
!
route-map MY_MAP permit 15
description PERMIT-EVERYTHING-ELSE
#ENT-01
router bgp 2000
bgp log-neighbor-changes
neighbor 12.12.14.2 remote-as 200
neighbor 12.12.14.2 route-map MY_MAP in
ENT-01#show ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 12.12.13.0/24 12.12.14.2 0 200 100 ?
*> 100.100.2.0/24 12.12.14.2 0 200 1000 ?
*> 100.100.55.0/25 12.12.14.2 0 200 100 ?
*> 100.100.60.0/24 12.12.14.2 0 200 100 ?
*> 100.100.61.0/26 12.12.14.2 0 200 100 ?
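To make the matching rules concrete, here is an added Python example (not code from the original post or from Cisco) that models how IOS evaluates the as-path ACLs, the filter-list and the MY_MAP route map from the sections above against the ENT-01 and Branch-01 BGP tables shown in the post. The tables are constructed from the show ip bgp output; the function names (ios_regex, as_path_acl, filter_list, prefix_list, route_map) are this example's own, not IOS commands. The one IOS-specific translation is the _ operator, which is treated as "start of string, end of string, or a space"; the example also shows why an unanchored pattern like 100 is a trap, since it would match AS 1000.

```python
import re
import ipaddress

# Constructed from the ENT-01 and Branch-01 "show ip bgp" outputs in the post:
# (prefix, AS_PATH as shown in the Path column, without the origin code).
ENT01_TABLE = [
    ("12.12.12.0/24", "200 1000"), ("12.12.13.0/24", "200 100"),
    ("100.100.1.0/24", "200 1000"), ("100.100.2.0/24", "200 1000"),
    ("100.100.55.0/25", "200 100"), ("100.100.60.0/24", "200 100"),
    ("100.100.61.0/26", "200 100"),
]
BRANCH01_TABLE = [
    ("12.12.12.0/24", "200 1000"), ("12.12.13.0/24", ""),
    ("100.100.1.0/24", "200 1000"), ("100.100.2.0/24", "200 1000"),
    ("100.100.55.0/25", ""), ("100.100.60.0/24", ""), ("100.100.61.0/26", ""),
]


def ios_regex(pattern):
    """Translate an IOS AS_PATH regex into a Python regex.

    '_' is the only IOS-specific operator: it matches a delimiter around an
    AS number, i.e. start of string, end of string or a space.  ^ $ . *
    already mean the same thing in Python.
    """
    return pattern.replace("_", r"(?:^|\s|$)")


def as_path_matches(pattern, as_path):
    """True if the IOS regex matches anywhere in the AS_PATH string."""
    return re.search(ios_regex(pattern), as_path) is not None


def as_path_acl(entries, as_path):
    """Evaluate 'ip as-path access-list N': first match wins, implicit deny."""
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


def filter_list(table, entries):
    """Apply an as-path ACL the way 'neighbor X filter-list N in' does."""
    return [prefix for prefix, path in table if as_path_acl(entries, path)]


def prefix_list(entries, prefix):
    """Evaluate 'ip prefix-list' with exact-length entries (no ge/le); implicit deny."""
    net = ipaddress.ip_network(prefix)
    for action, entry in entries:
        if net == ipaddress.ip_network(entry):
            return action == "permit"
    return False


def route_map(sequences, prefix, as_path):
    """Evaluate a route map: sequences in order, every match clause in a sequence
    must hit, a sequence with no match clause matches everything, first hit
    decides, implicit deny at the bottom."""
    for action, matches in sequences:
        if all(m(prefix, as_path) for m in matches):
            return action == "permit"
    return False


# ip as-path access-list 1 permit 1000$        (first ENT-01 example)
ACL_PERMIT_1000 = [("permit", "1000$")]
# ip as-path access-list 1 deny 1000$ / permit .*   (Multiple Regex example)
ACL_DENY_1000 = [("deny", "1000$"), ("permit", ".*")]
# ip prefix-list ALLOW-100-100-2-0-24 seq 5 permit 100.100.2.0/24
PL_ALLOW = [("permit", "100.100.2.0/24")]
# route-map MY_MAP: seq 5 permit (prefix-list), seq 10 deny (as-path 1), seq 15 permit (no match)
MY_MAP = [
    ("permit", [lambda p, a: prefix_list(PL_ALLOW, p)]),
    ("deny", [lambda p, a: as_path_acl(ACL_PERMIT_1000, a)]),
    ("permit", []),
]


def example_accept_only_as1000():
    return filter_list(ENT01_TABLE, ACL_PERMIT_1000)


def example_deny_as1000():
    return filter_list(ENT01_TABLE, ACL_DENY_1000)


def example_locally_originated():
    return filter_list(BRANCH01_TABLE, [("permit", "^$")])


def example_route_map():
    return [p for p, a in ENT01_TABLE if route_map(MY_MAP, p, a)]


if __name__ == "__main__":
    print("permit 1000$      ->", example_accept_only_as1000())
    print("deny 1000$ / .*   ->", example_deny_as1000())
    print("^$ on Branch-01   ->", example_locally_originated())
    print("route-map MY_MAP  ->", example_route_map())
    # Unanchored '100' also matches AS 1000; '_100_' does not.
    print("100 vs 200 1000   ->", as_path_matches("100", "200 1000"))
    print("_100_ vs 200 1000 ->", as_path_matches("_100_", "200 1000"))
```

The four example_* functions reproduce the prefixes left in the post's show ip bgp outputs after each filter. The last two prints are the caveat worth remembering when writing these ACLs: an AS number without anchors or underscores is a substring match, so 100 would also accept paths through AS 1000, AS 2100 and so on, while _100_ only matches the whole AS number.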
We will look at some more Route Map examples in the upcoming sections (Path Attributes).
References
ENCOR 350-401 Official Study Guide