01-16-2013 02:34 AM - edited 03-04-2019 06:43 PM
Dear Experts,
We need to apply an AS-path access-list to allow any traffic originated from the mentioned AS numbers (52 in total) and any locally originated traffic.
I have prepared this list:
ip as-path access-list 1 permit ^$
ip as-path access-list 1 permit ^64522$
ip as-path access-list 1 permit ^64523$
ip as-path access-list 1 permit ^64524$
ip as-path access-list 1 permit ^64525$
ip as-path access-list 1 permit ^64526$
ip as-path access-list 1 permit ^64551$
ip as-path access-list 1 permit ^64556$
ip as-path access-list 1 permit ^64557$
ip as-path access-list 1 permit ^64561$
ip as-path access-list 1 permit ^64562$
ip as-path access-list 1 permit ^64563$
ip as-path access-list 1 permit ^64580$
ip as-path access-list 1 permit ^64581$
ip as-path access-list 1 permit ^64582$
ip as-path access-list 1 permit ^64583$
ip as-path access-list 1 permit ^64584$
ip as-path access-list 1 permit ^64585$
ip as-path access-list 1 permit ^64586$
ip as-path access-list 1 permit ^64587$
ip as-path access-list 1 permit ^64588$
ip as-path access-list 1 permit ^64589$
ip as-path access-list 1 permit ^64651$
ip as-path access-list 1 permit ^65429$
ip as-path access-list 1 permit ^65430$
ip as-path access-list 1 permit ^65431$
ip as-path access-list 1 permit ^65432$
ip as-path access-list 1 permit ^65434$
ip as-path access-list 1 permit ^65435$
ip as-path access-list 1 permit ^65436$
ip as-path access-list 1 permit ^65437$
ip as-path access-list 1 permit ^65439$
ip as-path access-list 1 permit ^65462$
ip as-path access-list 1 permit ^65463$
ip as-path access-list 1 permit ^65464$
ip as-path access-list 1 permit ^65465$
ip as-path access-list 1 permit ^65466$
ip as-path access-list 1 permit ^65467$
ip as-path access-list 1 permit ^65468$
ip as-path access-list 1 permit ^65469$
ip as-path access-list 1 permit ^65471$
ip as-path access-list 1 permit ^65518$
ip as-path access-list 1 permit ^65519$
ip as-path access-list 1 permit ^65520$
ip as-path access-list 1 permit ^65521$
ip as-path access-list 1 permit ^65522$
ip as-path access-list 1 permit ^65523$
ip as-path access-list 1 permit ^65524$
ip as-path access-list 1 permit ^65525$
ip as-path access-list 1 permit ^65526$
ip as-path access-list 1 permit ^65527$
ip as-path access-list 1 permit ^65528$
How can I do this in a single line or two lines using an AS-Path regular expression?
Regards
Accepted Solutions

01-16-2013 03:42 AM
You could combine these with something like:
ip as-path access-list 1 permit ^6[4-5][4-6][0-9][0-9]$|^$
HTH,
John
*** Please rate all useful posts ***

01-16-2013 04:20 AM
Here, does " | " mean 6**** or locally originated?
Are there any tools like a subnet calculator?
Regards

01-16-2013 04:26 AM
Yes, the pipe means OR '|' ^$ (locally originated).
There's not a calculator that I'm aware of, but there are regex testers online that you can use. Here's one that I use:
Be sure to select "PREG" before doing your testing. You won't be able to match on the ^$, but you should be able to match on the others by putting the above string in, and then typing individual AS numbers to see if they match. Like I said though, there are plenty of other testers, so look around to see which one you like best.
HTH,
John
*** Please rate all useful posts ***
01-16-2013 04:43 AM
Is it OK if I use
ip as-path access-list 1 permit ^6[4-5][4-6][0-9][0-9]$
ip as-path access-list 1 permit ^$
Regards

01-16-2013 05:10 AM
Sure you can do that too....
HTH,
John
*** Please rate all useful posts ***
01-16-2013 07:30 PM
Hi John,
Sorry I missed,
I need to allow advertisement of all network prefixes mentioned above as well as locally originated network prefixes, but need to deny network prefixes originated from the AS numbers below:
65457
65458
65459
64521
64560
65460
65400
65406
65412
65418
65461
65427
65428
64521
64560
65457
65459
65460
65406
65418
65458
65412
65427
65428
65400
65461
The earlier AS-Path list is matching these AS numbers also.
Please help.
Also, please suggest a reference document from which I can get a grip on regular expressions.
Regards
01-17-2013 12:36 AM
Hi,
IMHO, the easiest way of creating effective AS-Path lists is the following:
1) Sort the AS numbers you want to permit.
So your original list sorted looks like:
^$
64522
64523
64524
64525
64526
64551
64556
64557
64561
64562
64563
64580
64581
64582
64583
64584
64585
64586
64587
64588
64589
64651
65429
65430
65431
65432
65434
2) Now you can see which digits repeat and you can shrink it a little:
ip as-path access-list 1 permit ^$
ip as-path access-list 1 permit ^6452[2-6]$
ip as-path access-list 1 permit ^64551$
ip as-path access-list 1 permit ^6455[6-7]$
ip as-path access-list 1 permit ^6456[1-3]$
ip as-path access-list 1 permit ^6458[0-9]$
ip as-path access-list 1 permit ^64651$
ip as-path access-list 1 permit ^65429$
ip as-path access-list 1 permit ^6543[0-24]$
I'm afraid this is the shortest AS-Path list covering your request.
3) Generally, you can use a combination of deny and permit entries in your AS-Path list if necessary.
ip as-path access-list 1 deny ^6455[4-5]$
ip as-path access-list 1 permit ^645[5-6][0-9]$
will permit
^64550$
...
^64553$
and
^64556$
...
^64569$
e.g.
HTH,
Milan

01-17-2013 04:31 AM
Yeah, the original is going to match on anything in the range of 64400 - 65699. As Milan states, since you're going to need to deny prefixes in this range, it may be easier to just create the permits for the ASes that you want to permit and then your as-path access-list would deny anything that isn't permitted in the list explicitly.
HTH,
John
*** Please rate all useful posts ***
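
Added example (not part of any post in this thread): a small offline checker that evaluates an as-path access-list the way the thread describes, first match wins with an implicit deny at the end, and tests every 16-bit ASN as a one-hop path against the permit and deny sets given above. The EXPLICIT list is constructed for this example, and it assumes the regexes use only constructs that IOS and Python's re module share (anchors, character classes, grouping, alternation).

```python
import re

def expand(spec):
    """'64522-64526 64551' -> {64522, ..., 64526, 64551}"""
    spans = (tuple(map(int, tok.split("-"))) for tok in spec.split())
    return {n for s in spans for n in range(s[0], s[-1] + 1)}

def parse_acl(config):
    """Ordered (action, regex) pairs from 'ip as-path access-list' lines."""
    entries = []
    for line in config.strip().splitlines():
        m = re.fullmatch(r"\s*ip as-path access-list \d+ (permit|deny) (\S+)\s*", line)
        if not m:
            raise ValueError(f"not an as-path ACL entry: {line!r}")
        entries.append((m.group(1), re.compile(m.group(2))))
    return entries

def permits(entries, as_path):
    """First matching entry decides; falling off the end is the implicit deny."""
    for action, rx in entries:
        if rx.search(as_path):
            return action == "permit"
    return False

def audit(entries, wanted, unwanted):
    """Test every 16-bit ASN as a one-hop path; return (blocked, leaked, extra)."""
    allowed = {n for n in range(1, 65536) if permits(entries, str(n))}
    return sorted(wanted - allowed), sorted(unwanted & allowed), sorted(allowed - wanted - unwanted)

# ASNs from the thread: the 51 to permit and the 13 to deny.
WANTED = expand("64522-64526 64551 64556-64557 64561-64563 64580-64589 64651 "
                "65429-65432 65434-65437 65439 65462-65469 65471 65518-65528")
UNWANTED = expand("64521 64560 65400 65406 65412 65418 65427-65428 65457-65461")

COMBINED = parse_acl("ip as-path access-list 1 permit ^6[4-5][4-6][0-9][0-9]$|^$")
# Constructed for this example: explicit permits covering all 51 ASNs.
EXPLICIT = parse_acl("""
ip as-path access-list 1 permit ^$
ip as-path access-list 1 permit ^64(52[2-6]|55[167]|56[1-3]|58[0-9]|651)$
ip as-path access-list 1 permit ^654(29|3[0-24-79]|6[2-9]|71)$
ip as-path access-list 1 permit ^655(1[89]|2[0-8])$
""")

if __name__ == "__main__":
    for name, acl in (("combined", COMBINED), ("explicit", EXPLICIT)):
        blocked, leaked, extra = audit(acl, WANTED, UNWANTED)
        print(f"{name}: local={permits(acl, '')} blocked={blocked} "
              f"leaked={len(leaked)} extra={len(extra)}")
```

The "leaked" and "extra" counts are the ones to watch before applying a filter: a non-zero value means the list admits routes from an AS that was supposed to be denied or was never listed.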
