Lab 8.8.3 AS_path Filtering with a Filter List

Objectives:

Filter BGP updates based on the AS_path attribute.

Scenario:

We want to deny any update whose AS_path starts with 200 and ends with 200, that is, whose AS_path consists of nothing but AS 200. In other words, we want to deny any updates originating in AS 200 while still accepting updates that merely pass through AS 200 from an AS behind it.

Lab Tasks:

  1. Cable the lab and address the interfaces as shown in the graphic. Use the default subnet mask for all addresses. All Ethernet interfaces should use the .1 address. For example, 12.0.0.1.
  2. Enable BGP routing on each router. Only advertise the network off the Ethernet interfaces. The configurations should be as follows:

RouterC(config)#router bgp 200
RouterC(config-router)#network 11.0.0.0
RouterC(config-router)#no synchronization
RouterC(config-router)#neighbor 3.3.3.1 remote-as 300

RouterB(config)#router bgp 100
RouterB(config-router)#network 12.0.0.0
RouterB(config-router)#neighbor 2.2.2.1 remote-as 300
RouterB(config-router)#no synchronization

RouterA(config)#router bgp 300
RouterA(config-router)#network 170.10.0.0
RouterA(config-router)#neighbor 2.2.2.2 remote-as 100
RouterA(config-router)#neighbor 3.3.3.2 remote-as 200

  3. Verify that you can see networks 12.0.0.0, 11.0.0.0 and 170.10.0.0 in the routing table. Use the show ip route and show ip bgp commands to do this. Verify connectivity with the ping command. What are the differences in the path to network 11.0.0.0 in the routing tables of Routers A and B?

  4. Now we have decided to filter updates originating from AS 200 as described in the scenario above. We are going to do this from Router A. Log into Router A.
  5. To deny these updates we need an AS_path access list that denies updates from AS 200 but permits updates from everywhere else. The first statement denies updates whose AS_path attribute begins and ends with 200. The command is:

RouterA(config)#ip as-path access-list 1 deny ^200$

Access list 1 denies any update whose AS_path starts with 200 (the ^ anchor) and ends with 200 (the $ anchor), in other words whose AS_path is exactly 200. Because Router C sends updates about 11.0.0.0 whose AS_path attribute is just 200, such updates match the access list and are denied. Both anchors matter. IOS tests the regular expression as a search against the AS_path string, so an unanchored 200 would also match any path that merely contains those digits, such as 12000. And by requiring that the path also end with 200, the access list still permits updates that originated in another AS behind AS 200. For example, if AS 500 were attached to AS 200, its routes would arrive with AS_path {200, 500}, which does not match ^200$ and so would be permitted.

  6. Since we want to permit all other updates, we need a command to do this. The command is:

RouterA(config)#ip as-path access-list 1 permit .*

In this access list statement, the period matches any single character and the asterisk means zero or more repetitions of the preceding expression. Together, .* matches any value of the AS_path attribute, including the empty AS_path of Router A's own network 170.10.0.0, which in effect permits any update that has not been denied by the previous access list statement. This line is not optional: like every IOS access list, an as-path access list ends with an implicit deny, so without it every update that did not match ^200$ would be dropped as well.

  7. The last step is to apply the access list to a neighbor. We do not want these updates passed on to AS 100, so apply the list outbound on the neighbor statement for Router B:

RouterA(config)#router bgp 300
RouterA(config-router)#neighbor 2.2.2.2 filter-list 1 out

  8. To verify the expressions are working as intended, issue the command:

RouterA#show ip bgp regexp ^200$

What do you notice? Keep in mind that this command tests the regular expression against Router A's own BGP table, not the effect of the filter: because the filter-list is applied outbound, 11.0.0.0 remains in Router A's table. To see what Router A is actually sending to Router B after the filter, use show ip bgp neighbors 2.2.2.2 advertised-routes.

  9. Log into Router B and check the routing table. Do you see a route for 11.0.0.0?

  10. If you still see network 11.0.0.0, issue the clear ip bgp * command and wait a few seconds. Did the 11.0.0.0 network return? Note that clear ip bgp * is a hard reset that tears down every BGP session on the router; in a lab that is fine, but on a production router use clear ip bgp 2.2.2.2 soft out instead, which re-sends the outbound updates through the new filter without dropping the session.
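As an added illustration, not part of the original lab (which is configured on Cisco IOS), the following Python script models how IOS evaluates an as-path access list and an outbound filter-list against a constructed copy of Router A's BGP table from this lab. The 13.0.0.0 route from a hypothetical AS 500 behind AS 200 is an assumption added to show a path that passes through 200 without originating there, and IOS's underscore metacharacter is translated so that the anchored ^200$, the common _200_ form and the unanchored 200 can be compared side by side.

```python
import re
from typing import List, Tuple

# Constructed BGP table for Router A after lab step 3: (prefix, AS_path as it
# appears in "show ip bgp"). Router A's own network carries an empty AS_path.
# The 13.0.0.0 entry is hypothetical: a route originated by an AS 500 that sits
# behind AS 200, included only to show a path that transits 200.
ROUTER_A_TABLE: List[Tuple[str, str]] = [
    ("170.10.0.0", ""),        # locally originated in AS 300
    ("11.0.0.0", "200"),       # learned from Router C, originated by AS 200
    ("13.0.0.0", "200 500"),   # hypothetical: originated by AS 500 via AS 200
]


def cisco_regex_to_python(pattern: str) -> str:
    """Translate the IOS-only '_' metacharacter; the rest is ordinary regex.
    In IOS, '_' matches the start or end of the path or any separator
    (space, comma, braces)."""
    return pattern.replace("_", r"(?:^|$|[ ,{}])")


def as_path_matches(pattern: str, as_path: str) -> bool:
    """IOS tests an AS_path with a regex search, not a full match, so an
    unanchored "200" also matches "12000"; the ^ and $ anchors fix that."""
    return re.search(cisco_regex_to_python(pattern), as_path) is not None


class AsPathAccessList:
    """Model of the 'ip as-path access-list N {deny|permit} <regex>' entries."""

    def __init__(self, number: int) -> None:
        self.number = number
        self.entries: List[Tuple[str, str]] = []

    def deny(self, pattern: str) -> "AsPathAccessList":
        self.entries.append(("deny", pattern))
        return self

    def permit(self, pattern: str) -> "AsPathAccessList":
        self.entries.append(("permit", pattern))
        return self

    def evaluate(self, as_path: str) -> str:
        """First matching entry wins. Like every IOS access list, the list
        ends with an implicit deny, so a list that lacks 'permit .*' drops
        every path it did not explicitly deny."""
        for action, pattern in self.entries:
            if as_path_matches(pattern, as_path):
                return action
        return "deny"


def lab_access_list() -> AsPathAccessList:
    """The two statements configured on Router A in the lab."""
    return AsPathAccessList(1).deny("^200$").permit(".*")


def show_ip_bgp_regexp(table: List[Tuple[str, str]], pattern: str) -> List[Tuple[str, str]]:
    """Equivalent of 'show ip bgp regexp <pattern>': the entries of the local
    table whose AS_path matches. It tests the regex, not the outbound filter."""
    return [(prefix, path) for prefix, path in table if as_path_matches(pattern, path)]


def advertised_routes(table: List[Tuple[str, str]], acl: AsPathAccessList,
                      local_as: int) -> List[Tuple[str, str]]:
    """What 'neighbor X filter-list N out' lets through, as a neighbor would
    see it. The outbound filter is evaluated against the path in the local
    table, i.e. before the router prepends its own AS, which is why ^200$
    works as an outbound filter in the lab."""
    sent = []
    for prefix, path in table:
        if acl.evaluate(path) == "permit":
            sent.append((prefix, f"{local_as} {path}".strip()))
    return sent


if __name__ == "__main__":
    acl = lab_access_list()
    for prefix, path in ROUTER_A_TABLE:
        print(f"{prefix:<12} AS_path '{path}': {acl.evaluate(path)}")
    print("show ip bgp regexp ^200$ ->", show_ip_bgp_regexp(ROUTER_A_TABLE, "^200$"))
    print("advertised to Router B   ->", advertised_routes(ROUTER_A_TABLE, acl, 300))
```

Running the script shows 11.0.0.0 denied and both the locally originated 170.10.0.0 and the hypothetical 200 500 path permitted, each sent to Router B with 300 prepended; evaluating an access list that contains only the deny line shows the implicit deny swallowing everything else.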