Overview

This section describes the commands for configuring and verifying the filter-list. The filter-list identifies the BGP routes to be filtered by an AS_PATH ACL.

Flow of Configuring filter-list

The configuration flow for filtering BGP routes using a filter-list is as follows:

  1. Identify the route information to be filtered by an AS_PATH ACL
  2. Apply the AS_PATH ACL to a specific neighbor
  3. Re-send/Re-receive BGP routes

Configuration Commands for filter-list

The commands to create an AS_PATH ACL and apply it to a BGP neighbor are as follows.

filter-list configuration command

(config)#ip as-path access-list <num> {permit|deny} <regular-expression>
(config)#router bgp <AS>
(config-router)#neighbor <ip-address> filter-list <as-path-acl-num> {in|out}

<num>: AS_PATH ACL number
<regular-expression>: regular expression for the AS_PATH attribute
<AS>: AS number
<ip-address>: neighbor IP address
<as-path-acl-num>: AS_PATH ACL number to be applied

The AS_PATH ACL identifies BGP routes by checking the AS_PATH attribute of each BGP route; the AS_PATH attribute lists the AS numbers through which the BGP route has been advertised. The most important point of the filter-list is identifying BGP routes with regular expressions on the AS_PATH attribute. How the AS_PATH attribute is expressed as a regular expression is described later in this article.

Then, determine the action, “permit” or “deny”, for the identified BGP routes. “permit” means the route information is allowed: if the ACL is applied out, the matching BGP routes are advertised; if it is applied in, the matching BGP routes are received. “deny” means the route information is discarded: if the ACL is applied out, the matching BGP route is not advertised; if it is applied in, the matching BGP route is not received.

Remember that AS_PATH ACLs, like regular ACLs and prefix-lists, also have an “implicit deny” at the end.

Figure BGP Route Filter filter-list(AS_PATH ACL)

Regular Expression Concept of AS_PATH Attribute

AS_PATH attribute example

BGP routes always carry an AS_PATH attribute; the AS_PATH attribute is a well-known mandatory attribute.

The AS_PATH attribute lists the AS numbers through which the BGP route has been advertised. Consider a specific example of the AS_PATH attribute in the following network diagram.

Figure Example of AS_PATH attribute

When a BGP route is advertised to an EBGP neighbor, the advertising router adds its own AS number to the front of the AS_PATH attribute; seen from the receiving router, this is the neighbor’s AS number. This operation is called prepend.

The route “100.100.100.0/24” in AS100 has an empty AS_PATH when it is generated as a BGP route. The AS_PATH becomes “100” when the route is advertised from AS100 to AS200. Next, the BGP route “100.100.100.0/24” has the AS_PATH attribute “200 100” when advertised from AS200 to AS2. Similarly, when the BGP route “100.100.100.0/24” is advertised from AS2 to AS1, the AS_PATH attached to “100.100.100.0/24” becomes “2 200 100”.

Because of this AS_PATH prepend behavior, the AS numbers in the AS_PATH attribute have the following meaning:

  • AS number at the end of the list : Route origin AS
  • AS number at the top of the list : Neighbor AS

The meaning of the AS_PATH attribute of the BGP route in this example is as follows:

meaning of AS_PATH attribute

BGP route “100.100.100.0/24” AS_PATH 2 200 100

The BGP route “100.100.100.0/24” is originated by AS100. It is then advertised through AS200 and AS2 to AS1.

The BGP route “100.100.100.0/24” received by R1 in the figure is captured as follows.

Figure AS_PATH attribute packet capture

AS_PATH attribute packet capture

Frame 12: 139 bytes on wire (1112 bits), 139 bytes captured (1112 bits) on interface -, id 0
Ethernet II, Src: aa:bb:cc:00:02:00 (aa:bb:cc:00:02:00), Dst: aa:bb:cc:00:01:00 (aa:bb:cc:00:01:00)
Internet Protocol Version 4, Src: 10.0.0.2, Dst: 10.0.0.1
Transmission Control Protocol, Src Port: 51245, Dst Port: 179, Seq: 43, Ack: 24, Len: 85
Border Gateway Protocol - UPDATE Message
    Marker: ffffffffffffffffffffffffffffffff
    Length: 62
    Type: UPDATE Message (2)
    Withdrawn Routes Length: 0
    Total Path Attribute Length: 35
    Path attributes
        Path Attribute - ORIGIN: IGP
        Path Attribute - AS_PATH: 2 200 100 
            Flags: 0x40, Transitive, Well-known, Complete
            Type Code: AS_PATH (2)
            Length: 14
            AS Path segment: 2 200 100
                Segment type: AS_SEQUENCE (2)
                Segment length (number of ASN): 3
                AS4: 2
                AS4: 200
                AS4: 100
        Path Attribute - NEXT_HOP: 10.0.0.2 
            Flags: 0x40, Transitive, Well-known, Complete
            Type Code: NEXT_HOP (3)
            Length: 4
            Next hop: 10.0.0.2
        Path Attribute - MULTI_EXIT_DISC: 0
    Network Layer Reachability Information (NLRI)
        100.100.100.0/24
            NLRI prefix length: 24
            NLRI prefix: 100.100.100.0
Border Gateway Protocol - ROUTE-REFRESH Message

AS_PATH attribute and regular expressions

A regular expression is a notation for describing strings. To apply a regular expression to the AS_PATH attribute, the attribute is treated as a string: the AS numbers of the AS_PATH attribute are joined together, separated by spaces.

Figure AS_PATH to string

The characters that can appear in the AS_PATH attribute string are as follows.

  • Digits
  • ( )
  • { }
  • space

( ) appears in the AS_PATH attribute string when a confederation is configured. { } appears in the AS_PATH attribute string when as-set is specified on an aggregate route.

Regular expression special characters

To represent multiple strings in one format, regular expressions have special characters (meta characters). Regular expression special characters are used in combination with regular characters. The following table summarizes the main regular expression special characters.

Special character  Meaning
.                  Any one character
^                  Beginning of string
$                  End of string
_                  Beginning or end of string, or a delimiter such as a space, tab or comma
*                  Zero or more occurrences of the preceding character
?                  Zero or one occurrence of the preceding character
+                  One or more occurrences of the preceding character
|                  OR condition
[ ]                Any one of the characters in [ ]
( )                Treat the string in ( ) as a single unit
\                  Treat the special character immediately following as a normal character
Table Regular expression special characters (meta characters)

Example of regular expression for AS_PATH attribute string

Consider some examples of regular expressions for AS_PATH attribute strings.

^1.

The “^” represents the beginning of the string. In other words, the first character of the AS_PATH attribute is “1”. The “.” after it is any single character. AS_PATH attributes that match this regular expression include “10”, “191 20”, “15 10 20”, and so on. This regular expression constrains only the first two characters, so the leading AS number of a matching AS_PATH attribute may have two digits, or three or more digits.

Because the AS_PATH attribute is prepended with the neighbor’s AS number, the ^ special character is used to express the neighbor AS.

^1._

Similar to the previous example, but with a “_” at the end. The “_” is a special character that matches a space, the end of the string, and so on. Because of the “_”, the leading AS number is exactly two digits, so this regular expression matches AS_PATH attributes whose leading AS number is between 10 and 19: “11”, “12 13 15”, “19 1”, and so on.

_100$

The “$” is a special character that indicates the end of the string. Therefore, this regular expression indicates that the last AS number in the AS_PATH attribute is 100. The matching AS_PATH attributes include “1 2 100”, “100”, “10 20 30 100”, and so on.

The last AS number in the AS_PATH attribute is the AS number from which the route was originated. Therefore, the $ special character is used to indicate the AS number from which the route was originated.

_100_

The “_” matches a non-AS-number position: the beginning of the string, the end of the string, or a space. So this regular expression indicates that there is a 100 somewhere in the AS_PATH attribute. In other words, “1 2 100 200”, “100”, “100 1 2 3”, etc. match.

^2*3$

“*” indicates zero or more occurrences of the preceding character. In other words, “2*” matches no “2” at all or one or more consecutive “2”s. The AS_PATH attributes matching this regular expression are “3”, “23”, “223”, “2223”, “22223”, and so on.

An AS number enclosed between ^ and $ is both the neighbor AS and the originating AS of the route.

^2?3$

“?” indicates zero or one occurrence of the preceding character. The AS_PATH attributes matching this regular expression are “3” and “23”.

^2+3$

The “+” indicates one or more occurrences of the preceding character. The AS_PATH attributes matching this regular expression are “23”, “223”, “2223”, “22223”, and so on.

^[123]1$

[ ] is a special character that represents one of the characters in [ ]. [123] means 1, 2, or 3. Therefore, the corresponding AS_PATH attributes for this regular expression are “11”, “21”, and “31”.

A consecutive range of characters can be expressed with “-”. For example, [0-9] means any one of the digits 0 through 9.

^(12)?1$

The characters in parentheses ( ) are treated as a single character. Since (12) combines 12, the corresponding AS_PATH attribute for this regular expression is “1” “121”.

(^10_)|(^20_)

| matches either the expression before it or the expression after it. In this regular expression the parts before and after the | are grouped with ( ). The matching AS_PATH attributes are “10 1”, “20 10 1”, “10”, “20”, etc.

\(65001\)_

\ treats the special character after it as a normal character. Therefore, the corresponding AS_PATH attribute for this regular expression is “(65001)” “(65001) 123”, etc.

When confederation is used, the AS_PATH attribute will show ( ).

^$

The absence of any characters between the beginning and end of the string indicates that the AS_PATH attribute is empty.

When a BGP route is generated, such as with the network command, AS_PATH is empty. Therefore, this regular expression represents a route generated within its own AS.

.*

This regular expression matches an empty string as well as any sequence of characters. In other words, it is a way of expressing any AS_PATH attribute.

The following table summarizes examples of regular expressions and the corresponding AS_PATH attribute.

Regular expression example   Corresponding AS_PATH attribute string
^1.                          “10” “191 20” “15 10 20” etc.
^1._                         “11” “12 13 15” “19 1” etc.
_100$                        “1 2 100” “100” “10 20 30 100” etc.
_100_                        “1 2 100 200” “100” “100 1 2 3” etc.
^2*3$                        “3” “23” “223” “2223” “22223”
^2?3$                        “3” “23”
^2+3$                        “23” “223” “2223” “22223”
^[123]1$                     “11” “21” “31”
^(12)?1$                     “1” “121”
(^10_)|(^20_)                “10 1” “20 10 1” “10” “20” etc.
\(65001\)_                   “(65001)” “(65001) 123” etc.
^$                           empty
.*                           any AS_PATH attribute
Table AS_PATH attribute regular expression examples

Re-send/Re-receive BGP routes

Simply applying a filter-list to a neighbor does not make the route filter take effect; the BGP routes must be re-sent or re-received, depending on the direction in which the filter-list is applied. Use the following command in privileged EXEC mode.

Re-send/Re-receive BGP routes

#clear ip bgp <ip-address> {in|out}

<ip-address> : neighbor IP address

Verification Commands for filter-list

The following table summarizes the main show commands for verifying BGP route filtering by filter-list.

Command                                      Summary
#show ip as-path-access-list                 Verify the AS_PATH ACL that identifies BGP routes.
#show ip protocols                           Verify the AS_PATH ACL applied to the BGP neighbor.
#show ip bgp                                 Verify the BGP table.
#show ip bgp neighbor advertised-routes      Verify BGP routes advertised to the specified BGP neighbor.
#show ip bgp neighbor routes                 Verify BGP routes received from the specified BGP neighbor.
Table Main verification commands for filter-list

show ip as-path-access-list

Use the show ip as-path-access-list command to display the contents of the AS_PATH ACLs.

show ip as-path-access-list

R1#show ip as-path-access-list
AS path access list 1
    permit ^$
AS path access list 2
    permit _2$|_20$
AS path access list 3
    deny _2$|_20$
    permit .*

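To try the regular expressions from the table above against AS_PATH strings without a router, here is an added Python example (it is not from the original article). It translates the IOS-specific “_” meta character into standard regex syntax, then evaluates AS_PATH ACLs 1, 2 and 3 from the show ip as-path-access-list output above against the AS_PATH strings of the routes in R1’s BGP table, including the implicit deny at the end of each ACL. The set of delimiter characters that “_” matches is an assumption.

```python
import re

# IOS "_" matches the beginning or end of the AS_PATH string or a delimiter.
# The delimiter set below (space , { } ( )) is an assumption based on the
# characters the article says can appear in an AS_PATH string.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_regex_to_python(pattern):
    """Translate an IOS AS_PATH regular expression into Python re syntax."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])   # keep "\(" and "\)" as literals
            i += 2
            continue
        out.append(IOS_UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)


def as_path_matches(pattern, as_path):
    """True if the AS_PATH string (ASNs separated by spaces) matches the IOS regex."""
    return re.search(ios_regex_to_python(pattern), as_path) is not None


def filter_list(acl, as_path):
    """Evaluate an AS_PATH ACL the way a filter-list does: entries are checked in
    order, the first match decides, and a path that matches nothing hits the
    implicit deny. acl is a list of (action, pattern) tuples."""
    for action, pattern in acl:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


# AS_PATH ACLs 1, 2 and 3 as shown in R1's show ip as-path-access-list output.
ACL_1 = [("permit", "^$")]
ACL_2 = [("permit", "_2$|_20$")]
ACL_3 = [("deny", "_2$|_20$"), ("permit", ".*")]

# AS_PATH strings of the routes in R1's BGP table ("" = originated by AS1).
R1_PATHS = ["2", "2 20", "3", "3 30", ""]


def permitted_paths(acl):
    """Return the AS_PATH strings from R1's table that the ACL lets through."""
    return [p for p in R1_PATHS if filter_list(acl, p)]
```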
show ip protocols

To verify the filter-list applied to the neighbor, the show ip protocols command is useful.

show ip protocols

R1#show ip protocols
*** IP Routing is NSF aware ***

-- omitted --

Routing Protocol is "bgp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  IGP synchronization is disabled
  Automatic route summarization is disabled
  Neighbor(s):
    Address          FiltIn FiltOut DistIn DistOut Weight RouteMap
    10.0.0.2              2       1
    10.0.0.6              3       1
  Maximum path: 1
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.0.0.2              20      00:02:44
    10.0.0.6              20      00:02:43
  Distance: external 20 internal 200 local 200

show ip bgp

Verify the BGP table with the show ip bgp command. You can also filter the contents of the BGP table by specifying a regular expression after show ip bgp.

show ip bgp

R1#show ip bgp
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i
 *>  10.3.3.0/24      10.0.0.6                 0             0 3 i
 *>  10.3.30.0/24     10.0.0.6                 0             0 3 30 i
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i
R1#show ip bgp regexp ^$
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i

show ip bgp neighbor advertised-routes

The show ip bgp neighbor advertised-routes command displays BGP routes advertised to a specific neighbor.

show ip bgp neighbor advertised-routes

R1#show ip bgp neighbors 10.0.0.2 advertised-routes
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.1.0      0.0.0.0                  0         32768 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
 *>  192.168.3.0      0.0.0.0                  0         32768 i

Total number of prefixes 3

show ip bgp neighbor routes

The show ip bgp neighbor routes command displays BGP routes received from a specific neighbor.

show ip bgp neighbor routes

R1#show ip bgp neighbors 10.0.0.2 routes
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.2.2.0/24      10.0.0.2                 0             0 2 i
 *>  10.2.20.0/24     10.0.0.2                 0             0 2 20 i

Total number of prefixes 2

Summary

Points

  • The configuration flow for filtering BGP routes using a filter-list is as follows
    • Identify the route information to be filtered by an AS_PATH ACL
    • Apply the AS_PATH ACL to a specific neighbor
    • Re-send/Re-receive BGP routes
  • The AS_PATH ACL identifies the route information to be filtered by the AS_PATH attribute of the BGP route.