Solved: BGP Extended Community List example

james-worley · ‎02-19-2010

Hi there guys, I am hoping somebody can provide me with a little sanity check. Unfortunately we do not have a lab capable of BGP for me to test this with.

I need to ensure customer eBGP peers only send us the allowed standard communites we expect to see.

I have created the following extended community:

ip community-list 100 permit 65535:40119

ip community-list 100 permit 65535:51119

ip community-list 100 permit 65535:51129

ip community-list 100 deny .*

I want to accept the first three communities and drop the rest. Based on these communities we then apply traffic engineering further upstream. At present we do not apply any sanity check to the customer prefixes and have notices customers sending us other communites we dont want :-(

Can you tell me if this community-list will have the desired effect?

Many thanks

James

Giuseppe Larosa · ‎02-22-2010

Hello James,

the ACL will allow any BGP route having one BGP community equal to one of the permitted ones.

to be noted a BGP route can be associated to multiple BGP community values at the same time and a standard extended BGP community match if one BGP community is equal to one of the permitted.

All BGP routes with no single BGP community matching one of the permitted ones will be denied

So we can say the desired result can be achieved with the limitations reported above.

to be noted that the explicit final deny is not needed, there is an implicit deny any at the end of the ACL as for IP ACLs.

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎02-22-2010

Hello James,

the ACL will allow any BGP route having one BGP community equal to one of the permitted ones.

to be noted a BGP route can be associated to multiple BGP community values at the same time and a standard extended BGP community match if one BGP community is equal to one of the permitted.

All BGP routes with no single BGP community matching one of the permitted ones will be denied

So we can say the desired result can be achieved with the limitations reported above.

to be noted that the explicit final deny is not needed, there is an implicit deny any at the end of the ACL as for IP ACLs.

Hope to help

Giuseppe

james-worley · ‎02-22-2010

Hi Giuseppe

Thanks for the responce. If I have understood you correctly the original filter list would pass on routes containing one of the permit routes but might have additional communites?

ip community-list 100 permit ^65535:40119$

ip community-list 100 permit ^65535:51119$

ip community-list 100 permit ^65535:51129$

On that basis I assume the above prefix list would ensure customers send only a single community and deny everything else?

Rgds

James

Giuseppe Larosa · ‎02-22-2010

Hello James,

I agree this formulation using a regular expression that is possible with an extended BGP community list provides a definition of single BGP community using anchors ^ and $.

The regular expression treats the set of BGP communities as a string and put each BGP community value on it.

if you would like to match multiple values you should take in account the possible different order in building the pseudo string.

Hope to help

Giuseppe