993 Views | 0 Helpful | 8 Replies

Route Filtering Regular Expression

nikgupt4
Cisco Employee
I am a little confused about using the exact RegEx for route filtering.

Here is the BGP topology:

R1(IDMZ)---------ebgp 64000------FIREWALL-----ibgp 64600-----R2(EDMZ)

R1 is sending default to R2 and receiving only R2 local and its connected AS routes (let's say 64999 only). No other route from EDMZ is allowed.

So how would my AS-PATH access list at R1 look with RegEx?

8 Replies

Muhammad Awais Khan
Cisco Employee

The ACL to allow routes originated from R2 at 64999 and learned through 64600 and 64000:

ip as-path access-list 10 permit ^64000_64600_64999$


R2 is running 64600 with Firewall (iBGP) and has downstream AS connected as 64999. I want only local routes of R2 and connected AS routes at R1. No other routes except 64600 and 64999 should be in the BGP table of R1.

Then my above ACL should be fine, as it will allow the route originated from 64999.

R2 is running 64600 with Firewall (iBGP) and has downstream AS connected as 64999. I want only local routes of R2 and connected AS routes at R1. No other routes except 64600 and 64999 should be in the BGP table of R1.

If R1 is in AS 64000, this access list will block all routes:

ip as-path access-list 10 permit ^64000_64600_64999$

That is because no route will ever match, as it has its own AS (64000) in the path.


Hello,

It is unclear in which AS your R1 router is; is it 64000?

If you want to receive only routes from 64600 and neighbors directly attached to 64600, you can use the AS PATH access list below:

ip as-path access-list 1 permit ^64600_[0-9]*$

This will allow 64600 and any neighbors directly attached to 64600...

ip as-path access-list 1 permit ^64600_64999$

This will allow only routes from 64600 and the neighbor 64999 directly attached to 64600...


Yes, R1 is 64000 with FW. R2 64600 and its connected AS, i.e. 64999, should be seen in R1. Moreover, 64999 is prepended 4 times while reaching R1 IDMZ. No other AS should reach R1.

So your RegEx can be used?

Hello,

Actually, I think your AS path list needs two lines:

ip as-path access-list 1 permit ^64600$
ip as-path access-list 1 permit ^64600_64999$

If you just use the second line, you won't get networks originated in AS 64600, but only networks that originate in AS 64999 and that traverse AS 64600.
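As an added example (not posted by anyone in this thread), the Python script below emulates how IOS evaluates an AS-path access list: it translates the IOS `_` token into the characters it stands for (comma, braces, parentheses, space, start and end of the AS_PATH string) and then runs the expressions from this thread against AS paths constructed from the topology described here. R2's local prefixes reach R1 (AS 64000) as `64600` once the firewall advertises them over eBGP, and the downstream AS's prefixes as `64600 64999`. Because the original poster mentions that 64999 prepends itself, a constructed prepended path is included too; the extra expression `^64600(_64999)+$` that permits it is my addition for that case and is not proposed in the thread. The sample paths and the ASN 65001 used for a transit route are constructed values.

```python
import re
from typing import Iterable

# In IOS AS-path regular expressions the underscore "_" is not a literal: it matches
# a comma, a left or right brace, a left or right parenthesis, a space, or the start
# or end of the AS_PATH string. This group reproduces that behaviour in Python's re.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_to_python(pattern: str) -> str:
    """Translate an IOS AS-path regex into an equivalent Python regex."""
    return pattern.replace("_", IOS_UNDERSCORE)


def aspath_matches(pattern: str, as_path: str) -> bool:
    """Return True if the IOS-style regex matches the AS_PATH (space-separated ASNs)."""
    return re.search(ios_to_python(pattern), as_path) is not None


def aspath_permitted(permit_lines: Iterable[str], as_path: str) -> bool:
    """Emulate 'ip as-path access-list N permit <regex>' lines.

    Lines are checked in order; the first match permits the route, and a path that
    matches no line falls through to the implicit deny at the end of the list.
    """
    return any(aspath_matches(p, as_path) for p in permit_lines)


# Constructed AS_PATH strings as R1 (AS 64000) would see them after the firewall
# (AS 64600) advertises them over eBGP. These are examples, not captured router output.
SAMPLE_PATHS = {
    "R2 local prefix": "64600",
    "downstream AS prefix": "64600 64999",
    "downstream AS prefix, 64999 prepended": "64600 64999 64999 64999 64999",
    "prefix from a second AS behind 64999 (constructed ASN)": "64600 64999 65001",
}

# The two-line list from the last reply in the thread.
THREAD_ACL = ["^64600$", "^64600_64999$"]

# Added variant (not from the thread): also accepts 64999 prepending itself while
# still rejecting anything that transited a further AS behind 64999.
PREPEND_TOLERANT_ACL = ["^64600$", "^64600(_64999)+$"]


def evaluate(acl: Iterable[str]) -> dict:
    """Return {description: permitted?} for every sample path under the given list."""
    acl = list(acl)
    return {name: aspath_permitted(acl, path) for name, path in SAMPLE_PATHS.items()}


if __name__ == "__main__":
    for label, acl in (("thread ACL", THREAD_ACL),
                       ("prepend-tolerant ACL", PREPEND_TOLERANT_ACL)):
        print(f"--- {label}: {acl}")
        for name, ok in evaluate(acl).items():
            print(f"{'permit' if ok else 'deny  '}  {SAMPLE_PATHS[name]:32}  ({name})")
    # The first reply's expression expects R1's own AS at the front of the received
    # path; it matches none of the sample paths, which is the point raised in the thread.
    print("^64000_64600_64999$ matches any sample path:",
          any(aspath_matches("^64000_64600_64999$", p) for p in SAMPLE_PATHS.values()))
```

Running the script shows the thread's two-line list permitting only `64600` and `64600 64999`, denying both the prepended path and the transit path, while the prepend-tolerant variant additionally permits the prepended path. The single-line expression `^64600_[0-9]*$` from the earlier reply is also evaluated by the same helper and behaves as described there: it accepts 64600 plus one directly attached AS and rejects anything longer.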
