Filtering BGP Routes Based on AS Paths

Problem

You want to filter the BGP routes that you send or receive based on the AS path information in the routes.

Solution

To filter the routes, create a routing policy that acts on a routes AS path information. The first step is to define a regular expression that matches the AS path information:

	[edit policy-options]
	aviva@RouterD#  
set as-path from-AS-65500 "65500{4}"

Then reference the AS path information in a routing policy:

	[edit policy-options policy-statement match-AS65500 ]
	aviva@RouterD# set term 1 from as-path from-AS-65500 
	aviva@RouterD# set term 1 then reject 
	aviva@RouterD# set term accept-others then accept 

Finally, apply the policy to a BGP group:

	[edit protocols bgp]
	aviva@RouterD# set group session-to-AS65500 import match-AS65500

Discussion

It it often useful to develop routing policies based on information within the AS path information. You can then use these policies to enforce your networks administrative policy with respect to a customer or peer. Instead of looking for many prefixes or routes individually, it can be easier to use the AS path. The AS path attribute lets you filter all routes that originated from or transited through a particular AS, all routes announced by a particular neighboring AS, and routes that originated in the local AS.

To match information in the AS path attribute, you first create a regular expression that identifies the match conditions. In this recipe, the set as-path command creates the regular expression from-AS-65500, which matches exactly four occurrences of the string 65500.

A regular expression (also sometimes called a regex) is a pattern-matching tool that applies to strings in AS paths. It has two components, a term and an operator. The term matches an AS number or an AS path, or it can be a wildcard character. If the term includes any spaces, enclose it in quotation marks. The operator indicates how to match the term, typically how many times to match a specific term. In this recipe, 65500 is the term and {4} is the operator. Table 13-1 describes the regular expression operators.

Table 13-1. AS path regular expression operators

Operator

Description

Match example

{m,n}

Match at least m and at most n repetitions of term.

65500{2,3}Match only "65500 65500" and "65500 65500 65500".

?

Match zero or one repetition of term; equivalent to {0,1}.

65500?Match only "65500" and "65500 65500".

{m}

Match exactly m repetitions of term.

65500{2}Match only "65500 65500".

{m,}

Match m or more repetitions of term.

65500{2,}Match "65500 65500", "65500 65500 65500", "65500 65500 65500 65500", and so on.

*

Match zero or more repetitions of term; equivalent to {0,}.

65500*Match "65500", "65500 65500", and so on; also match a path that does not contain "65500".

+

Match one or more repetitions of term; equivalent to {1,}.

65500+Match "65500", "65500 65500", and so on.

.(dot)

Match any single instance of any term.

65500.Match 65500 if it appears anywhere in the AS path. A more exact way to create this match is ".* 65500 .*".

|

Match one of the terms on either side of the pipe; the terms can include other operators.

(65500 | 65505)Match either "65500" or "65505".

( )

Match a group of terms enclosed in the parentheses.

 

Match a range; the terms can include other operators.

65500-65505Match 65500, 65501, 65502, 65503, 65504, or 65505.

"( )"

Match a null AS path.

 

^

Indicates the character at the beginning of an AS path.

 

$

Indicates the character at the end of an AS path.

 


You must include the term when defining the pattern to match, but the operator is optional. When you leave out an operator, the AS path exactly matches what you type for the term.

The JUNOS regular expressions for AS paths are, for the most part, identical to Unix regular expressions. There are, however, a few differences. The main difference is that the basic unit of matching is an entire AS number, not an individual character. This means that the JUNOS regular expression treats 65500 as a single entity when it performs any matching operations, not as the five individual digits 6, 5, 5, 0, and 0. In other words, the AS number is effectively a single integer. A second difference is that with Unix, you need to type the operators ^ (which matches the beginning of a string) and $ (which matches the end of a string), but in the JUNOS regular expressions, these operators are always assumed to be present. So, with Unix you would type ^65500$ to match the string 65500, but in the AS path regular expression you just need to type 65500.

Looking back at our recipe, the AS path match term and operator are:

	65500{4}

Translated, this match looks for four adjacent occurrences of the AS path 65500. It would match a path of 65500 65500 65500 65500. Examples of AS paths that this regular expression would not match are 65500 65500 65500, which has only three occurrences of the AS number, and 65500 65525 65500 65500 65500, which doesn have four consecutive occurrences of the AS number.

After you define the match criteria in the set as-path command, you then need to incorporate them into a routing policy. In this recipe, the policy match-AS65500 rejects all routes whose AS path matches the regular expression but accepts all other routes.

As a final step, apply the policy to your BGP group as an import policy.

To verify that the policy is working, look at the BGP routes in the routing table. Before applying the policy, routes containing the AS path 65500 65500 65500 65500 are present:

	aviva@RouterD> show route protocol bgp
	inet.0: 25 destinations, 31 routes (25 active, 0 holddown, 0 
hidden)
	+ = Active Route, - = Last Active, * = Both

	10.0.8.0/24 *[BGP/170] 01:42:26, localpref 100
	 AS path: 65500 65500 65500 65500 I
	 > to 10.0.31.2 via t1-0/0/3.0
	…

The route to 10.0.8.0/24 is active (indicated by the asterisk). After applying the policy, the route is no longer in the routing table:

	aviva@RouterD> show route 10.0.8.0/24
	inet.0: 25 destinations, 31 routes (14 active, 0 holddown, 14 hidden)

This output shows that there are now 14 hidden routes. This is where you find the routes that your policy rejected:

	aviva@RouterD> show route 10.0.8.0/24 hidden
	inet.0: 25 destinations, 31 routes (14 active, 0 holddown, 14 hidden)
	+ = Active Route, - = Last Active, * = Both
	10.0.8.0/24 [BGP ] 01:44:48, localpref 100
	 AS path: 65500 65500 65500 65500 I
	 > to 10.0.31.2 via t1-0/0/3.0

Because the route is hidden, there is no preference associated with it. The route is marked as [BGP ] instead of [BGP/170].

Routes that originate within your AS do not yet have an AS path associated with them. To find them with an as-path policy, create a match condition based on the null AS path:

	[edit policy-options]
	aviva@RouterF# set as-path local-as "()" 
	[edit policy-options policy-statement null-path ]
	aviva@RouterF# set term accept-null-path from protocol bgp 
	aviva@RouterF# set term accept-null-path from as-path local-as 
	aviva@RouterF# set term accept-null-path then accept 
	aviva@RouterF# set term else-reject then reject 

This policy accepts all routes learned from BGP and that have no AS path, and rejects all other routes. A policy like this is useful when the only routes you want to advertise to a particular EBGP peer are those that originated in your AS. For instance, if another AS is advertising routes to you and you don want to readvertise them, you can apply this null AS path policy with a set export null-path command.


Router Configuration and File Management

Basic Router Security and Access Control

IPSec

SNMP

Logging

NTP

Router Interfaces

IP Routing

Routing Policy and Firewall Filters

RIP

IS-IS

OSPF

BGP

MPLS

VPNs

IP Multicast



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net