AS_Path Filter Applications in BGP
Overview
The AS_Path attribute is an ordered list of all the ASs that a route passes through from the source to the destination. In Figure 1, the AS_Path attribute of a BGP route can be considered as a string containing spaces and can be used to match routes through a regular expression.
A regular expression is a string that describes a characteristic and verifies whether another string conforms to this characteristic. The AS_Path filter of BGP defines an AS_Path regular expression to match AS_Path attributes of BGP routes for filtering BGP routing information.
For example, ip as-path-filter 1 permit 495 defines an AS_Path filter 1 and a regular expression 495, indicating that any string containing 495 can be matched.
AS_Path Regular Expressions
The core of an AS_Path filter is a regular expression. The content of a regular expression is complex. The following describes the AS_Path filter.
An AS_Path filter uses a regular expression to define matching rules. A regular expression consists of the following parts:
Metacharacter: defines matching rules.
General character: defines matching objects.
Table 1 lists metacharacters supported by BGP AS_Path regular expressions.
Metacharacter |
Description |
Example |
|---|---|---|
. |
Matches AS_Paths with any single character except "\n", including spaces. |
.* matches any AS_Path or route. NOTE:
If you have defined multiple ip as-path-filter clauses in deny mode, run the ip as-path-filter as-path-filter-name permit .* command to permit other routes. |
* |
Matches AS_Paths with 0 or more sequences of the character before the asterisk "*". |
See the preceding example. |
+ |
Matches AS_Paths with 1 or more sequences of the character before the plus "+". |
65+ matches AS_Paths that begin with 6 and include one 5 or consecutive 5s.
|
| |
Matches any AS_Path with characters on either side of the vertical bar "|". |
100|65002|65003 matches 100, 65002, or 65003. |
^ |
Matches AS_Paths beginning with the characters that follow the caret "^". |
^65 matches AS_Paths beginning with 65.
|
$ |
Matches AS_Paths ending with the characters before the dollar sign "$". |
65$ matches AS_Paths ending with 65.
NOTE:
^$ matches null character strings (null AS_Path) and can be used to match the locally originated routes. |
(xyz) |
Defines a subexpression, which can be null. Both the expression and the subexpression should be matched. |
100(200)+ matches "100200" and "100200200". |
[xyz] |
Matches AS_Paths with any character in the brackets "[ ]". |
[896] matches AS_Paths with 8, 9, or 6. |
[^xyz] |
Matches AS_Paths with any character except those in the brackets "[ ]". |
[^896] matches AS_Paths with any character except 8, 9, and 6. |
[a-z] |
Matches AS_Paths with any character within the range specified in the brackets "[ ]". |
[2-4] matches 2, 3, and 4, and [0-9] matches numbers 0 to 9.
NOTE:
The characters in the brackets "[ ]" can only be numbers 0 to 9. To match AS_Paths within the range of 735 to 907, use (73[5-9]|7[4-9][0-9]|8[0-9][0-9]|90[0-7]). |
[^a-z] |
Matches AS_Paths without any character within the range specified in the brackets "[ ]". |
[^2-4] matches AS_Paths without 2, 3, or 4, and [^0-9] matches AS_Paths without numbers 0 to 9. |
_ |
Matches AS_Paths with a sign, such as a comma ",", left brace "{", right brace "}", left parenthesis "(", right parenthesis ")", or space. The underscore "_" can be used at the beginning of a regular expression with the same function as the caret "^" or at the end of a regular expression with the same function as the dollar sign "$". |
|
\ |
Indicates an escape character. |
A backslash "\" is used to disable special functions of signs in regular expressions, such as the left parenthesis "(" and right parenthesis ")" in an AS_Confed_Sequence, the left bracket "[" and right bracket "]" in an AS_Confed_Set, and the left brace "{" and right brace "}" in an AS_Set.
|
Multiple rules (permit or deny) can be specified in an AS_Path filter. The relationship between theses rules is "OR", which means that if a route meets one of the matching rules, the route matches the AS_Path filter. The following demonstrates the functions of AS_Path filters in different scenarios.
Applications
The AS_Path filter defines only a filtering tool, which takes effect only after being invoked. Two methods are available in BGP to invoke the AS_Path filter:
- Use the peer command.
- Use a route-policy.
Method 1: Invoke the AS_Path filter using the peer command.
# ip as-path-filter s1 permit ^100$ # bgp 65100 peer 10.1.1.2 as-path-filter s1 import #
In method 1, an AS_Path filter s1 is defined and associated with a regular expression ^100$. This AS_Path filter can match routes carrying the AS_Path attribute 100 (this attribute contains only the AS number 100) and is applied in the peer command. In this situation, only the routes that match AS_Path filter s1 can be advertised to the BGP peer 10.1.1.2.
Method 2: Invoke the AS_Path filter using a route-policy.
# ip as-path-filter s1 permit ^100$ # route-policy huawei permit node 10 if-match as-path-filter s1 apply local-preference 100 # bgp 65100 peer 10.1.1.2 route-policy huawei import #
In method 2, a defined AS_Path filter s1 is invoked in the if-match command in a route-policy, and then the Local-Preference attribute is set using the apply command and applied in the peer command (in the import direction) in BGP configuration mode. In this situation, among the BGP routes received from the BGP peer 10.1.1.2, all the routes that match the AS_Path filter s1 have their LP path attributes set to 100.
AS_Path Filter Examples
In Figure 2, an EBGP peer relationship is established between LSW1 and LSW2, between LSW1 and LSW3, between LSW2 and LSW3, between LSW2 and LSW4, between LSW3 and LSW4, and between LSW4 and LSW5. Each device uses the network command to advertise IP addresses of LoopBack0 into BGP and filter these routes.
If no AS_Path filter is used, the original BGP routing table of LSW1 is as follows:
[LSW1] display bgp routing-table
BGP Local router ID is 10.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 9
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 1.1.1.9/32 0.0.0.0 0 0 i
*> 2.2.2.9/32 10.1.1.2 0 0 65200i
* 10.1.2.2 0 65300 65200i
*> 3.3.3.9/32 10.1.2.2 0 0 65300i
* 10.1.1.2 0 65200 65300i
*> 4.4.4.9/32 10.1.1.2 0 65200 65400i
* 10.1.2.2 0 65300 65400i
*> 5.5.5.9/32 10.1.1.2 0 65200 65400 65500i
* 10.1.2.2 0 65300 65400 65500i
Case 1: Define an AS_Path filter s1 to receive only the routes originated in AS65500.
[LSW1] ip as-path-filter s1 permit _65500$ //Define an AS_Path filter s1. [LSW1] bgp 65100 [LSW1-bgp] ipv4-family unicast [LSW1-bgp-af-ipv4] peer 10.1.1.2 as-path-filter s1 import //Invoke the AS_Path filter s1 using the peer command. [LSW1-bgp-af-ipv4] peer 10.1.2.2 as-path-filter s1 import
After the preceding configurations are complete, the BGP routing table is as follows:
[LSW1] display bgp routing-table
BGP Local router ID is 10.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 3
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 1.1.1.9/32 0.0.0.0 0 0 i
*> 5.5.5.9/32 10.1.1.2 0 65200 65400 65500i
* 10.1.2.2 0 65300 65400 65500i
The preceding command output shows that the routes originated in AS65500 are permitted and other routes are denied.
Case 2: Define an AS_Path filter s2 to deny the routes originated in AS65500 and permit other routes.
[LSW1] ip as-path-filter s2 deny _65500$ [LSW1] ip as-path-filter s2 permit .* [LSW1] bgp 65100 [LSW1-bgp] ipv4-family unicast [LSW1-bgp-af-ipv4] peer 10.1.1.2 as-path-filter s2 import [LSW1-bgp-af-ipv4] peer 10.1.2.2 as-path-filter s2 import
After the preceding configurations are complete, the BGP routing table is as follows:
[LSW1] display bgp routing-table
BGP Local router ID is 10.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 7
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 1.1.1.9/32 0.0.0.0 0 0 i
*> 2.2.2.9/32 10.1.1.2 0 0 65200i
* 10.1.2.2 0 65300 65200i
*> 3.3.3.9/32 10.1.2.2 0 0 65300i
* 10.1.1.2 0 65200 65300i
*> 4.4.4.9/32 10.1.1.2 0 65200 65400i
* 10.1.2.2 0 65300 65400i
The preceding command output shows that the routes originated in AS65500 are denied and other routes are permitted.
Case 3: Define an AS_Path filter s3 to deny the routes that pass through AS65400.
[LSW1] ip as-path-filter s3 deny _65400_ [LSW1] ip as-path-filter s3 permit .* [LSW1] bgp 65100 [LSW1-bgp] ipv4-family unicast [LSW1-bgp-af-ipv4] peer 10.1.1.2 as-path-filter s3 import [LSW1-bgp-af-ipv4] peer 10.1.2.2 as-path-filter s3 import
After the preceding configurations are complete, the BGP routing table is as follows:
[LSW1] display bgp routing-table
BGP Local router ID is 10.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 5
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 1.1.1.9/32 0.0.0.0 0 0 i
*> 2.2.2.9/32 10.1.1.2 0 0 65200i
* 10.1.2.2 0 65300 65200i
*> 3.3.3.9/32 10.1.2.2 0 0 65300i
* 10.1.1.2 0 65200 65300i
The preceding command output shows that the routes that pass through AS65400 are denied and other routes are permitted.
Case 4: Define an AS_Path filter s4 to deny the routes that pass through AS65400. AS65400 is not the first or last AS that routes pass through.
[LSW1] ip as-path-filter s4 deny ._65400_. [LSW1] ip as-path-filter s4 permit .* [LSW1] bgp 65100 [LSW1-bgp] ipv4-family unicast [LSW1-bgp-af-ipv4] peer 10.1.1.2 as-path-filter s4 import [LSW1-bgp-af-ipv4] peer 10.1.2.2 as-path-filter s4 import
After the preceding configurations are complete, the BGP routing table is as follows:
[LSW1] display bgp routing-table
BGP Local router ID is 10.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 7
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 1.1.1.9/32 0.0.0.0 0 0 i
*> 2.2.2.9/32 10.1.1.2 0 0 65200i
* 10.1.2.2 0 65300 65200i
*> 3.3.3.9/32 10.1.2.2 0 0 65300i
* 10.1.1.2 0 65200 65300i
*> 4.4.4.9/32 10.1.1.2 0 65200 65400i
* 10.1.2.2 0 65300 65400i
The preceding command output shows that the routes carrying the AS_Path attribute in which AS65400 is neither the first nor last AS number are denied and other routes are permitted.
Case 5: Define an AS_Path filter s5 to permit locally originated routes and deny routes of other ASs.
[LSW1] ip as-path-filter s5 permit ^$ [LSW1] bgp 65100 [LSW1-bgp] ipv4-family unicast [LSW1-bgp-af-ipv4] peer 10.1.1.2 as-path-filter s5 import [LSW1-bgp-af-ipv4] peer 10.1.2.2 as-path-filter s5 import
After the preceding configurations are complete, the BGP routing table is as follows:
[LSW1] display bgp routing-table
BGP Local router ID is 10.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 1.1.1.9/32 0.0.0.0 0 0 i
The preceding command output shows that only locally originated routes with empty AS_Path attribute are permitted and other routes are denied.