AS-Path Filtering Under Route-map

jpl861
Level 4

Hey Guys,

 

Not sure what I am missing here as I cannot test it from another platform other than the one I have right now but can someone help check why AS-Path filtering under route-map isn't working?

 

In this lab I am trying to filter out network routes with AS-Path 2 4 3. Here's my route-map and AS-Path filter.

 

R1#sh ip as-path-access-list
AS path access list 10
permit _3_3$
AS path access list 11
deny 2 4 3$
AS path access list 12
permit 2 4 3$
AS path access list 13
deny 2 4 3$
permit .*

 

I am trying different combinations here, that's why there are multiple AS-Path ACLs.

 

Here's the route-map. (just putting some space so it will be easier to read)

 

route-map BGP4R2 permit 10 -  Allow the prefix if prefix-list R2IN and AS-Path. Setting local preference to identify if the route is a match
match ip address prefix-list R2IN
match as-path 10
set local-preference 10


route-map BGP4R2 permit 15 - This one I am concerned about. I am trying to block AS_Path 2 4 3 using APACL 11 but appears not to be working. I just attached a local preference to see if this sequence is somewhat permitting the route for some reason
match as-path 11
set local-preference 15


route-map BGP4R2 permit 1000 - Just a catch all and set local preference to 1000
set local-preference 1000

 

Here's the BGP table after applying the route-map as inbound.

 

R1#show ip bgp | b Network
Network Next Hop Metric LocPrf Weight Path
*> 2.2.2.2/32 10.0.12.2 0 1000 0 2 i
*> 22.22.22.22/32 10.0.12.2 0 1000 0 2 4 3 i
R1#

 

I can still see 22.22.22.22/32 being received with a local-pref of 1000 with AS-Path 2 4 3. That means it didn't satisfy sequence 15 and moved to sequence 1000 where it was permitted.

 

I tried to reverse the logic by adding another route-map sequence.

 

route-map BGP4R2, deny, sequence 25
Match clauses:
as-path (as-path filter): 12
Set clauses:
Policy routing matches: 0 packets, 0 bytes

 

The above route-map worked.

 

I also tried to remove the inbound route-map under BGP and replaced it with filter-list in using APACL 13 just to see if there's anything wrong with the APACL and it successfully filtered out 22.22.22.22/32.

 

Any idea why sequence 15 is not working? Or it's just a limitation of BGP filters under route-map?

 

Thanks!

 

JL

 


Hello,

 

Here is the regular expression with a filter list:

 

neighbor 192.168.12.2 filter-list 11 in
!
ip as-path access-list 11 deny ^2_3_4$
ip as-path access-list 11 permit .*

I have tried that using AS-Path ACL 13 and it worked as expected.

I am trying to use a route-map permit and AS-Path deny combo to achieve the result. I wouldn't be able to do .* for 11 as that would permit all routes and if I decide to add another sequence after it then it may not take effect.

chrihussey
VIP Alumni

I believe you need to use access-list 12 with the permit, the 11 has a deny instance for as-path 2 4 3$, which means it won't apply.

Hope this helps

But doesn't that mean to deny 2 4 3$ path?

When I tried filter-list 13 inbound and removed the route-map, it worked as expected. So how is it different with APACL 11 then? The reverse logic APACL 12 just worked fine.

 

I can’t test but I think when you have a permit route map statement and a deny in your acl it just moves it on to the next route map statement. 

 

Try using a deny route map statement and a permit in your acl. 

 

Jon

I will test it using a simple prefix-list and see the effect.

 

I have already tried your suggestion with that AS-Path 12 and it worked just fine.

 

I was just wondering what was the logic behind the route-map permit and matching with a deny statement combo.

The deny simply means to exclude the item from that instance. So if you wish to deny something using a route map, you permit it in the ACL, but then deny it in the instance in the route map.

Hope that makes sense.

Yeah I figured that one out too just now. I used a simple prefix-list to see the effect and it was as expected.

So basically, what the router is doing is to exclude that prefix or AS-Path (in the original example) for that route-map sequence number only and take it to the next sequence of the route-map. It does not say block this route but rather take it away from this route-map sequence and continue. So yes, the correct way is to use a route-map deny sequence that says those matched permitted routes will be discarded.

R1#show route-map BGPINFILTER
route-map BGPINFILTER, permit, sequence 10
Match clauses:
ip address prefix-lists: bgp_filter
Set clauses:
local-preference 10
Policy routing matches: 0 packets, 0 bytes
route-map BGPINFILTER, permit, sequence 1000
Match clauses:
Set clauses:
local-preference 1000
Policy routing matches: 0 packets, 0 bytes

R1#sh ip prefix-list bgp_filter
ip prefix-list bgp_filter: 2 entries
seq 1 deny 222.222.222.222/32
seq 10 permit 0.0.0.0/0 le 32
R1#
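
The behaviour worked out in this thread, as an added example that is not part of the original posts and not Cisco code: a simplified Python model of route-map evaluation, run against the AS-path ACLs, route-map BGP4R2 and the two BGP routes shown above. The function names and the `_` translation are assumptions of the model, and sequence 10's prefix-list R2IN is left out because its contents are not shown (AS-path ACL 10 matches neither route, so the result is the same).

```python
import re

def ios_regex(pattern):
    # Model assumption: IOS "_" matches start, end, or a delimiter such as a space.
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

# AS-path ACLs as listed by "sh ip as-path-access-list" in the first post.
AS_PATH_ACL = {
    10: [("permit", "_3_3$")],
    11: [("deny", "2 4 3$")],
    12: [("permit", "2 4 3$")],
    13: [("deny", "2 4 3$"), ("permit", ".*")],
}

def acl_permits(acl_id, as_path):
    """First matching entry decides; no matching entry is the implicit deny."""
    for action, pattern in AS_PATH_ACL[acl_id]:
        if ios_regex(pattern).search(as_path):
            return action == "permit"
    return False

def apply_route_map(route_map, as_path):
    """Return (accepted, local_pref) for one route."""
    for seq, action, acl_id, local_pref in sorted(route_map, key=lambda s: s[0]):
        if acl_id is not None and not acl_permits(acl_id, as_path):
            continue  # ACL deny only means "no match in this sequence": fall through
        # The match succeeded: the sequence's own permit/deny decides the route.
        return (True, local_pref) if action == "permit" else (False, None)
    return (False, None)  # implicit deny at the end of every route-map

# (sequence, action, as-path ACL or None, local-preference to set)
ORIGINAL = [(10, "permit", 10, 10), (15, "permit", 11, 15),
            (1000, "permit", None, 1000)]
FIXED = ORIGINAL + [(25, "deny", 12, None)]  # the deny sequence that worked

# The two routes from "show ip bgp": prefix -> AS path.
ROUTES = {"2.2.2.2/32": "2", "22.22.22.22/32": "2 4 3"}

def bgp_table(route_map):
    return {p: apply_route_map(route_map, path) for p, path in ROUTES.items()}

if __name__ == "__main__":
    print("original:", bgp_table(ORIGINAL))
    print("fixed:   ", bgp_table(FIXED))
    print("filter-list 13 in:", {p: acl_permits(13, a) for p, a in ROUTES.items()})
```

With the original route-map both routes reach sequence 1000, which is the table the first post shows; only the deny sequence 25 (or ACL 13 used directly as a filter-list) drops 22.22.22.22/32.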

20180605_033825.jpg

 

Here's the answer to my question.