Introduction: 

This document explains how to filter the BGP AS path using regular expressions. This is mostly used when the VOS has an EBGP peering with the service provider over the Internet transport or on a LAN interface. The document mainly covers allowing or denying AS paths with regular expressions.


Prerequisites: 

The reader should have a good understanding of BGP AS path attributes.

Refresher on BGP path attributes (RFC 4271):

Path attributes fall into four separate categories:
1. Well-known mandatory.
2. Well-known discretionary.
3. Optional transitive.
4. Optional non-transitive.

Note:
Well-known attributes must be recognized by all BGP implementations. Some of these attributes are mandatory and must be included in every UPDATE message. Others are discretionary and may or may not be sent in a particular UPDATE message. All well-known attributes must be passed along (after proper updating, if necessary) to other BGP peers.


AS_PATH

AS_PATH is a well-known mandatory attribute. This attribute identifies the autonomous systems through which routing information carried in this UPDATE message has passed. The components of this list can be AS_SETs or AS_SEQUENCEs.

AS_SET: unordered set of ASes a route in the UPDATE message has traversed

AS_SEQUENCE: ordered set of ASes a route in the UPDATE message has traversed


Points to Remember from RFC 4271 :

1) When a given BGP speaker advertises the route to an internal peer, the advertising speaker SHALL NOT modify the AS_PATH attribute associated with the route.
2) When a given BGP speaker advertises the route to an external peer, the advertising speaker updates the AS_PATH attribute as follows:

2.1) If the first path segment of the AS_PATH is of type AS_SEQUENCE, the local system prepends its own AS number as the last element of the sequence (put it in the leftmost position with respect to the position of octets in the protocol message).
2.2) If the first path segment of the AS_PATH is of type AS_SET, the local system prepends a new path segment of type AS_SEQUENCE to the AS_PATH, including its own AS number in that segment.

2.3) If the AS_PATH is empty, the local system creates a path segment of type AS_SEQUENCE, places its own AS into that segment, and places that segment into the AS_PATH.

When a BGP speaker originates a route, then:
a) The originating speaker includes its own AS number in a path segment, of type AS_SEQUENCE, in the AS_PATH attribute of all UPDATE messages sent to an external peer. In this case, the AS number of the originating speaker's autonomous system will be the only entry in the path segment, and this path segment will be the only segment in the AS_PATH attribute.
b) The originating speaker includes an empty AS_PATH attribute in all UPDATE messages sent to internal peers. (An empty AS_PATH attribute is one whose length field contains the value zero.)


Useful Links for reference:
https://www.rfc-editor.org/rfc/rfc4271
https://www.bgp4.as/
https://www.bgp4.as/looking-glasses/


Software/Hardware Used:

This is supported on all VOS hardware models and software versions. The lab output in this document is based on the 22.1.2 VOS software version.


Topology:

BGP Regular Expression :


AS Path Filters based on the Use Case:


1) Allow networks which have AS 500 in the AS path list:


1.1 Match the AS number 500 with the peer group policy and apply it inbound towards the EBGP peer in the UI:


admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path 500


2) Allow networks which have AS 300 in the AS path list:

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path 300


3) Allow networks whose AS path starts with AS 200 (^ = match the beginning of a line).

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path ^200


4) Allow networks which are originated from AS 200 only.

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path ^200$



5) Allow networks with the numbered community 100:200 using a regular expression.

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match community ^100:200$



6) Allow networks whose AS numbers contain the numbers between 4 and 6.

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path [4-6]


Before the configuration commit:

Post-commit output:


6) Allow networks with the AS numbers either 5 or 3.

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path [53]


6.1 Allow networks with the AS numbers either 5 or 9.

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path [59]



7) Allow networks that transit AS 300.

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path .*300.*



8) Match all networks ("everything").

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path .*



9) Match an AS path that is one AS long.

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path ^[0-9]+$



10) Match more occurrences of the AS number, e.g. 888 or 888 8888 or 888 888 888.

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path 888*


11) Networks with the AS numbers 1 and 2, followed by one or more occurrences of the AS number 3.

admin@CPE1-cli(config)% set routing-instances Tenant-BGP-LAN-VR protocols bgp 1000 routing-peer-policy BGP-IN term BGP-INBOUND match as-path 123+
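
A way to check what an as-path pattern selects before committing it, as an added example (not Versa code or VOS output). It assumes the pattern is evaluated as an ordinary character-level regular expression searched against the space-separated AS path, which Python's re.search models here; the page does not state the engine VOS uses. The sample paths and the token_bounded helper are constructed for illustration. It shows that a bare pattern such as 500 also accepts paths where 500 is only part of a longer AS number.

```python
import re

# Constructed sample AS paths (leftmost AS = neighbor, rightmost = origin).
SAMPLE_PATHS = [
    "200",
    "200 300 500",
    "100 1500",
    "65500 200",
    "300 200",
    "12 3000 7",
    "2001 400",
]

# as-path patterns taken from the use cases on this page.
PAGE_PATTERNS = ["500", "300", "^200", "^200$", ".*300.*", "^[0-9]+$"]


def token_bounded(asn):
    """Constructed pattern (not VOS syntax from the page): match `asn`
    only when it is a complete AS number in the path."""
    return rf"(^|\s){asn}(\s|$)"


def matching_paths(pattern, paths=SAMPLE_PATHS):
    """Return the paths a pattern selects under substring-search semantics."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def overmatches(asn, paths=SAMPLE_PATHS):
    """Paths the bare pattern accepts although `asn` is not an element."""
    loose = set(matching_paths(str(asn), paths))
    strict = set(matching_paths(token_bounded(asn), paths))
    return sorted(loose - strict)


if __name__ == "__main__":
    for pat in PAGE_PATTERNS:
        print(f"{pat!r:12} -> {matching_paths(pat)}")
    for asn in (500, 300, 200):
        print(f"bare {asn} also accepts: {overmatches(asn)}")
```

Run the candidate pattern against paths copied from the peer's received routes and compare the result with the routes that appear after the commit; any difference means the device's regex semantics differ from the assumption above.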