
ASR 9K BGP Filtering

feableee123
Level 1

Hi,

I have a question about filtering BGP routes from a BGP client.

We are BGP transit for a client.

Client AS number, for example: 100

Client IP: 192.168.0.0/22

We want only prefixes from AS 100 and want to be sure that there are no prefixes other than 192.168.0.0/22.

as-path-set as1
  ios-regex '^100$'
end-set

prefix-set prefix1
  192.168.0.0/22 le 32
end-set

route-policy CLIENT-IN
  if (destination in prefix1) or (as-path in as1) then
    pass
  else
    drop
  endif
end-policy

Question 1

Is that policy correct, or is a prefix list enough?

Question 2

Is there any difference when the route-policy looks like below?

route-policy CLIENT-IN
  if (destination in prefix1) then
    pass
  elseif (as-path in as1) then
    pass
  else
    drop
  endif
end-policy

regards,

Accepted Solutions

Jon Marshall
Hall of Fame

I think your configuration may need some modifying.

Based on your description you only want the single 192.168.0.0/22 route from your client but it's not entirely clear whether you want to match just the route prefix or the route prefix and the AS.

If you just wanted to match the route prefix then using the prefix list should be enough, but it needs modifying, i.e.

you are using 192.168.0.0/22 le 32

but if you want to match just the single route it should be -

192.168.0.0/22

If you do also want to match on the AS just to be sure then you can, but you need to modify the logic, i.e. you do not want this -

if (destination in prefix1) or (as-path in as1) then

which means allow any route that is matched in your prefix list or any route with an AS of 100 only in the path, i.e. it would allow routes with an AS of 100 that are not in your prefix list.

You would need to change it to this -

if (destination in prefix1) and (as-path in as1) then

which means the route must match what is in your prefix list and also it must only have AS 100 in the path.

Just seen the second question.

You wouldn't want to use that for the same reasons already described, i.e. you would allow both routes that are specified in your prefix list but it would also allow routes with an AS of 100, which is not what you are trying to do.

Jon
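
To see what each variant discussed in this thread lets through, the following Python sketch models the policy logic against a few constructed announcements. It is an added example, not part of either post and not IOS XR code; the helper names and the sample routes are assumptions made for illustration.

```python
import ipaddress
import re

# Model of the thread's sets: prefix-set entries as (network, max length),
# the as-path-set as a regex applied to the received AS path string.
PREFIX1_LE32 = [(ipaddress.ip_network("192.168.0.0/22"), 32)]   # 192.168.0.0/22 le 32
PREFIX1_EXACT = [(ipaddress.ip_network("192.168.0.0/22"), 22)]  # 192.168.0.0/22
AS1 = re.compile(r"^100$")                                      # ios-regex '^100$'


def in_prefix_set(route, prefix_set):
    """True if route sits under an entry and is no longer than that entry's max length."""
    net = ipaddress.ip_network(route)
    return any(net.subnet_of(base) and net.prefixlen <= max_len
               for base, max_len in prefix_set)


def client_in(route, as_path, prefix_set, combine):
    """Model 'if (destination in P) <combine> (as-path in as1) then pass else drop'."""
    dest_ok = in_prefix_set(route, prefix_set)
    path_ok = AS1.search(as_path) is not None
    # The if/elseif form from Question 2 passes in both branches,
    # so it gives the same result as combine="or".
    ok = (dest_ok or path_ok) if combine == "or" else (dest_ok and path_ok)
    return "pass" if ok else "drop"


SAMPLES = [  # constructed announcements: (prefix, AS path as received)
    ("192.168.0.0/22", "100"),      # the one route the client should send
    ("192.168.1.0/24", "100"),      # more-specific inside the /22
    ("10.0.0.0/8", "100"),          # unrelated prefix originated by AS 100
    ("192.168.0.0/22", "100 200"),  # the /22 originated by another AS behind the client
    ("192.168.0.0/22", "100 100"),  # the /22 with AS 100 prepended once
]


def accepted(prefix_set, combine):
    """Return the sample announcements that the modelled policy passes."""
    return [(r, p) for r, p in SAMPLES
            if client_in(r, p, prefix_set, combine) == "pass"]


if __name__ == "__main__":
    for label, pset, comb in [("le 32, or (original)", PREFIX1_LE32, "or"),
                              ("le 32, and", PREFIX1_LE32, "and"),
                              ("exact /22, and", PREFIX1_EXACT, "and")]:
        print(f"{label:22} -> {accepted(pset, comb)}")
```
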
