BGP and AS-Path access-lists

      1 Comment on BGP and AS-Path access-lists

One of the well known BGP attributes is AS-Path.  This tell us where the BGP prefix came from in terms of autonomous systems that the prefix has traversed to get to you.  Filtering routes in the BGP table by AS-Path can be a handy trick when trying to find prefixes from a particular AS.  In addition, AS-Path ACLs can be defined on BGP peers to filter updates received and/or transmitted. 

Filtering based on AS-Path is done with the use of regular expressions more commonly refereed to as ‘regex’.  Regular expressions are built using a combination of numbers and symbols.  The symbols ,and their associated purposes, are listed below…

.   Match any character including blanks
^   Match the beginning of the string
$   Match the end of the string
_   Match the beginning of a string, the end of a string, a comma, a brace, or a space
|   Logical OR
\   Escape character used when the following character needs to be literally interpreted. 
*   Match zero or more occurrences of the preceding character
+   Match one of more occurrences of the proceeding character
?   Match zero or one occurrences of the preceding character
[] Match the set of numbers inside of the brackets.  This can be a range or a set of individual numbers separated by either a comma or a ‘|’.  If Carrot (^) is used, it negates what’s in the brackets. 

For the sake of example, let’s assume that we’re using the ‘show ip bgp regexp’ command to examine routes already in the routers BGP table.  These regular expressions can also be set on a BGP neighbor but I won’t cover that in this post.

So let’s run through some quick examples.  I’ll try to use all of the symbols at least once…

show ip bgp regexp _65[2|3][1-4].$
This example nicely uses quite a few of the symbols.  To summarize, this would filter prefixes that originated in an AS that started with 65, had a third number that was a 2 or a 3, had a forth number that was in the range of 1-4, and could have any number it wanted (0-9) for the 5th number. 

show ip bgp regexp ^$
This will show all routes that are locally originated into BGP.  That is, they have an empty AS-Path attribute.  I use this one quite a bit on MPLS connections at remote sites.  Apply this outbound on the CE to PE connection to ensure that you aren’t looping any routes from the 2nd MPLS carrier if there is iBGP peering between the two routers. 

show ip bgp regexp ^65..[^1-8]_
This will show you routes whose AS-Path starts with ‘65’, has a third and forth digit that could be 1 through 9, and whose fifth digit is a 0 or 9 (AKA, not 1 through 8).  Not here that we used the ^ initially to tell the filter to look for a AS-Path that started with what followed, and then later we used it in the brackets to say anything BUT 1 through 8.

show ip bgp regexp ^[^65001]
This will show you all prefixes that did not come from the neighbor in AS 65001. 

show ip bgp regexp _64999_|_65155_
This will show you an prefixes that have either AS 64999 or AS 65155 in their AS-Path.

show ip bgp regexp ^[0-9]+$
This will show you prefixes generated by all directly connected BGP neighbors.  That is, the AS-Path would consists of one AS and that would be of the directly peered neighbor.  The regex for this says that the AS-Path should start with a number in the range of 0-9 and that number can be repeated one or more times. 

show ip bgp regexp ^[0-9]*$
Same as above but we changed the + to a *.  This will give you the same results as above but also add locally originated routes. 

Those are just a few examples but I hope you can see that these can be very powerful. 

1 thought on “BGP and AS-Path access-lists

  1. badam

    Hi Jon,

    Let me point out that the “show ip bgp regexp ^[^65001]” command will not only prevent from showing up the prefixes learned “from the neighbor in AS 65001” (side effect) but would also hide prefixes learned from neighbor in *any* AS number whose first digit happens to be ‘6’ or ‘5’ or ‘0’ or ‘0’(duplicate) or ‘1’.

    Greetings,
    Adam

    PS. Pleasure to read your BGP articles.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *