
AS Path Filtering use cases

Mitrixsen
Level 1

Hello!

I've been studying about BGP Filtering and I've learned about the option to filter prefixes based off the autonomous systems found in the AS Path field.

However, I didn't manage to find a real-world use of this AS Path Filtering so far. Could someone please give me some scenarios where filtering using this method would be more useful and appropriate than filtering using prefix lists/route maps?

Thank you in advance for your help.

Kind regards,

David.

Accepted Solutions

It can be used for any number of things. Here is one example from a lab I have.

[Image: DavidRuess_0-1689086747781.png]

Customer 1 has 2 connections to the same ISP. (Note this is more effective if they are different ISPs or different routers in the same ISP but the concept remains the same).

R2 advertises routes to R4 and R5. R4 and R5 exchange routes as well, being iBGP neighbors. Depending on how your routing is set up, let's say R4 and R5 advertise all networks back to R2. Like I said, this is better with DUAL ISPs, as R2 will reject its own advertisement of networks from R4 and R5. Regardless, you can use a route-map with an AS-path to only advertise our local AS (400) to the ISP so we don't become an internet transit router. Because let's say R5 is connected to another ISP, and then R5 sends its ISP2-learned routes to R4, who in turn sends them to ISP1 at R2. Now R2 has learned another ISP's routes through a customer. Bad news if R2 ever decides to use Customer 1 as a transit site to forward internet traffic. See below for the configuration for R4; you would do the same on R5:

[Image: DavidRuess_1-1689087301938.png]

This uses regular expressions for the AS path to denote "local AS" but you could easily just put the AS number in there. 

Like I said there are many applications to include but not limited to rejecting prefixes from certain AS paths or rejecting specific routes that transit a specific AS path. 

 

Hope that helps

-David
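
An added example, not part of the original post and not the configuration from the screenshot: a Python model of the outbound AS-path filter the answer describes, showing which routes R4 would send to the ISP with and without it. It assumes the "local AS" expression is `^$` (an empty AS path); the routing table, the ISP AS numbers and all function names are constructed for illustration.

```python
import re

# Constructed sample: R4's BGP table before export. Locally originated and
# iBGP-learned Customer 1 routes carry an empty AS path at this point.
R4_TABLE = [
    ("192.0.2.0/24",     ""),             # originated on R4
    ("198.51.100.0/24",  ""),             # originated on R5, learned via iBGP
    ("203.0.113.0/25",   "64502 64510"),  # learned from ISP2 via R5
    ("203.0.113.128/25", "64502"),        # ISP2's own prefix via R5
    ("2001:db8:1::/48",  "64501 64505"),  # learned from ISP1 (R2)
]

def to_python_regex(ios_pattern):
    """Translate the IOS '_' token (start, end, space, comma, braces, parens)."""
    return ios_pattern.replace("_", r"(?:^|$|[ ,{}()])")

def export_policy(table, acl):
    """Apply ordered (action, pattern) entries, first match wins, followed by
    the implicit deny that ends an as-path access-list."""
    advertised, suppressed = [], []
    for prefix, as_path in table:
        action = "deny"
        for entry_action, pattern in acl:
            if re.search(to_python_regex(pattern), as_path):
                action = entry_action
                break
        (advertised if action == "permit" else suppressed).append(prefix)
    return advertised, suppressed

def transit_leaks(table, advertised):
    """Audit helper: advertised prefixes with a non-empty AS path, i.e. routes
    learned from another AS that would turn this site into a transit."""
    paths = dict(table)
    return [p for p in advertised if paths[p] != ""]

LOCAL_ONLY = [("permit", "^$")]    # only routes originated inside AS 400
NO_FILTER = [("permit", ".*")]     # behaviour without the outbound filter
# Variant for "rejecting routes that transit a specific AS" (64510 is constructed)
BLOCK_TRANSIT_64510 = [("deny", "_64510_"), ("permit", ".*")]

if __name__ == "__main__":
    for name, acl in [("local-only", LOCAL_ONLY), ("no filter", NO_FILTER)]:
        adv, _ = export_policy(R4_TABLE, acl)
        print(name, "advertises", adv, "leaks", transit_leaks(R4_TABLE, adv))
```
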

 


2 Replies

M02@rt37
VIP

Hello @Mitrixsen,

AS Path filtering in BGP can be useful in several real-world scenarios where filtering based on prefix lists or route maps may not be sufficient.

--"Peer Locking": AS Path filtering can be used to implement a technique called peer locking, which restricts the acceptance of certain prefixes only from specific ASNs (cf sources). This can be useful in preventing routing leaks or hijacks by ensuring that routing updates are received only from authorized ASNs, enhancing security and preventing unintended advertisement of routes.

--Transit AS Filtering: AS Path filtering can be used to filter out prefixes from transit ASNs, also known as AS-Set Aggregation suppression. This can help optimize the routing table by filtering transit ASNs that are not preferred for transit traffic, reducing the processing overhead on the routers and improving overall routing efficiency.

--Avoiding AS Loops: AS Path filtering can be employed to prevent the formation of routing loops by selectively filtering certain ASNs from the AS Path. This can be particularly useful in multi-homed scenarios where redundancy is desired, as it allows fine-grained control over the routing paths and ensures that loops are avoided.

"AS-Path Filters can be like the secret agents of the BGP filtering world! They use the AS-path list to selectively filter routes, choosing only the most trustworthy data packets to let into your network.

When it comes to incoming routes, AS-Path filters work like a secret door at a VIP party. Only the permitted routes are allowed in and added to the local BGP table, while the denied routes are silently dropped, like a party crasher trying to sneak in.

For outgoing routes, AS-Path filters are like a trusty messenger. The permitted routes are transmitted to the neighbor, while the denied routes are never sent, like a message that’s too sensitive to send to just anyone." [https://afrozahmad.com/blog/bgp-filtering/]

 

Sources: https://archive.nanog.org/sites/default/files/Snijders_Everyday_Practical_Bgp.pdf

Best regards
