Now if you want to filter routes based
on the AS path,
you have multiple tools depending on the vendor that you're going to use.
For Cisco it's called a filter list, and it allows you to filter
routes based on the AS path
and you can apply it in the inbound direction for
announcements coming towards you
or in the outbound direction for announcements
that you are making.
It's referenced in the BGP neighbor configuration as:
"neighbor <the address> filter-list",
and then <a number> and then the direction
whether it's "in" or "out".
The way you create the AS path access list is in the main configuration you type:
"ip as-path access-list"
and then a <number>,
the same number that you're going
to reference in the BGP neighbor configuration,
and then either a "permit"
or "deny", and then a way to match the particular AS path that you want.
For Cisco IOS, the AS path access list finishes with an implicit default deny.
This is an example of a configuration that does it.
So you have neighbor 102.10.1.1,
and you have "filter-list 5" applied in the outbound
direction and "filter-list 6" applied in the inbound direction.
As you can see at the bottom you have,
"ip as-path access-list 5 permit" and then
a regular expression,
and then "ip as-path access-list 6 permit" and then a different regular expression.
We shall look at the way you construct these regular
expressions next.
The regular expressions are very similar to UNIX regular
expressions as defined in IEEE 1003.2 (POSIX).
And according to
this standard, a dot (.) will match one particular character.
The asterisk (*), or the star, will match zero or more occurrences of the preceding expression.
The plus (+) will match
at least one occurrence of the preceding expression.
The caret (^), or the hat, matches at the
beginning of the line.
The dollar sign ($) matches at the end of the line.
And to
escape a particular regular expression character you need the backslash (\).
Then you have an underscore (_),
which matches at the beginning or the end of the AS path, or wherever there is white space or a brace.
Then you have the pipe (|) which is a
way to use the logical or.
And then you have brackets () to group expressions,
so that other match characters can apply to the group as a whole.
And then you
have square brackets [] to contain ranges, such as the digits 0 to 9.
Juniper has regular expressions
very similar in construct to the Cisco ones but with a couple of differences.
Firstly, the entire AS number makes up one term in a Junos AS path regular expression.
It is not possible to reference individual characters within an AS number.
So this is
a strong difference from regular expressions as defined in the POSIX standard.
This means that the square brackets [] operator will work differently as we shall show in the next slide.
In addition Juniper uses some
extra operators, as shown in the table that follows.
Also some operators have
been changed in Junos' implementation.
So this table shows you the main
differences in the Juniper regular expressions.
So if you have an operator: "{m,n}",
that means that the previous
expression must match at minimum "m" times and at most "n" times.
"m" and "n"
must both be positive integers and "m" must be smaller than "n".
If you have just: "{m}",
then the term must match exactly "m" times, and "m" has to be a positive integer.
If you have: "{m,}", then it's
either "m" or more repetitions of the term, so from "m" to infinity.
You can have a question mark (?), which means 0 or 1 repetitions of the term, this is equivalent to having
"{0,1}".
Now these last operators in red are the ones which are different from the way Cisco does it.
So the square brackets [] contain a set of AS numbers rather than individual digits.
The hat sign (^), or the caret, will match at the start of the regex similar to Cisco
but for Juniper it's implicit because all regular expressions must match the
entire AS path in Junos.
So therefore, the hat sign (^) is not necessary and is
implicit in every regular expression.
Similarly, the dollar sign ($) must match at
the end of a regex and it's also implicit so it's therefore not required.
Because each term is a full AS the underscore (_), is not used in Junos regular expressions
because each term is matched as an individual item.
So let's
look at some examples as you have on the screen,
these are examples of how you would
write matches in Cisco IOS regular expressions.
So the "." followed by the "*", means match anything.
"." followed by a "+" means match at least
one character.
Then the next one, the "^" followed by the "$" means match routes local to the AS.
Because there's nothing inside
the AS path, it's a null AS path.
So these are routes that the local autonomous
system is originating.
The next one shows you how you would match routes
which are originated by AS1800.
The next one shows you how you'd match routes
which are received from AS 1800.
The difference between the previous two is that
the first one matches routes which are originated by AS 1800 irrespective of how we are connected to them,
while the next one means we are directly connected to 1800
and we want any route that comes through that link.
The next one shows you how you
could do routes which have passed through 1800.
Either at the beginning, middle,
or the end.
And the next one shows you how you'd say
790 followed by 1800 and then it could be in the middle, beginning, or end.
In some cases people might have
prepends of their AS number and the next one shows you how you match them.
So you'd have multiple "1800"s inside the sequence.
Lastly, if you want to match
something that is part of a confederation,
you need to escape the
brackets, as shown, with backslashes.
In this example that would match AS 65530.
This slide shows you the exact same way
of implementing the same regular expressions as we have for Cisco but in this case for Juniper.
As you can see they're more or less similar except that
you have a "." matching
a full autonomous system number rather than a
single character.
This means that the third one is the first main difference
that we see.
So to match routes local to the AS, you just have the brackets by themselves inside quotation marks, with nothing between them: "()".
To match anything originated
by AS1800 you have, ".* 1800".
To match everything received from AS 1800 you have,
"1800 .*".
And so on and so forth.
For the last one since we do not match
individual characters you do not need to match the brackets.
So to match AS65530 inside a confederation,
you just have, ".* 65530 .*".
These are some not so simple examples of how to match an AS path length of 1, of 2, of 1 or 2, or 1, 2, or 3.
And for Cisco the way it's
implemented is you have the range 0 to 9 inside square brackets,
and then you have the "+" which means this 0 to 9 should match 1 or more times,
so that will make a single AS.
If you have a "*" this means that these square brackets, or the characters 0 to 9, will match 0 or more times, so that makes that match optional.
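To make the Cisco IOS examples above (match anything, null path, originated by, received from, via, prepends, confederation) and the path-length examples with [0-9] concrete, here is an added Python evaluator. It is not code from the original presentation or from Cisco; the function names cisco_regex_to_python, cisco_match and filter_list_action are my own, and the regular expressions in CISCO_EXAMPLES are my reconstruction of the entries described in the talk (the slide text itself is not reproduced on this page). It also models the "ip as-path access-list" behaviour described earlier: first matching entry wins, and an unmatched path hits the implicit deny.

```python
import re

# An AS path is given as the string IOS prints in "show ip bgp", for example
# "790 1800", or "1 (65530) 2" for a confederation segment. The empty
# string is the null path (a route local to our own AS).

# In IOS "_" matches a space, comma, brace, parenthesis, or the start or end
# of the string. Python's re has no such token, so it is rewritten into an
# alternation with the same meaning (assumed translation, not an IOS API).
_UNDERSCORE = r"(?:^|$|[ ,(){}])"


def cisco_regex_to_python(ios_regex: str) -> str:
    """Translate an IOS AS-path regex into an equivalent Python regex."""
    out = []
    i = 0
    while i < len(ios_regex):
        ch = ios_regex[i]
        if ch == "\\" and i + 1 < len(ios_regex):
            # An escaped character such as "\(" is copied through untouched.
            out.append(ios_regex[i:i + 2])
            i += 2
            continue
        out.append(_UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)


def cisco_match(ios_regex: str, as_path: str) -> bool:
    """IOS regexes are unanchored unless ^ or $ is written, so use re.search."""
    return re.search(cisco_regex_to_python(ios_regex), as_path) is not None


def filter_list_action(entries, as_path: str) -> str:
    """Evaluate an "ip as-path access-list" given as an ordered list of
    (action, regex) pairs: the first matching entry wins, and a path that
    matches no entry falls through to the implicit deny at the end."""
    for action, ios_regex in entries:
        if cisco_match(ios_regex, as_path):
            return action
    return "deny"


# (description, regex, path that should match, path that should not match).
# Constructed sample paths; regexes reconstruct the talk's descriptions.
CISCO_EXAMPLES = [
    ("match anything",                 ".*",              "",             None),
    ("at least one character",         ".+",              "1",            ""),
    ("routes local to this AS",        "^$",              "",             "1800"),
    ("originated by AS1800",           "_1800$",          "790 1800",     "1800 790"),
    ("received from AS1800",           "^1800_",          "1800 790",     "790 1800"),
    ("passed through AS1800",          "_1800_",          "790 1800 2",   "118000"),
    ("790 then 1800 anywhere",         "_790_1800_",      "3 790 1800 2", "1800 790"),
    ("AS1800 prepended (my form)",     "_1800(_1800)+_",  "1800 1800 790", "1800 790"),
    ("via AS65530 in a confederation", r"\(65530\)",      "1 (65530) 2",  "1 65530 2"),
    ("AS path length of one",          "^[0-9]+$",        "1800",         "790 1800"),
    ("AS path length of two",          "^[0-9]+_[0-9]+$", "790 1800",     "1800"),
    ("AS path length of one or two",   "^[0-9]*_[0-9]+$", "1800",         "1 2 3"),
    ("AS path length of 1, 2 or 3",    "^[0-9]*_[0-9]*_[0-9]+$", "1 2 3", "1 2 3 4"),
]


def check_examples():
    """Return the examples that behave as described (should be all of them)."""
    ok = []
    for desc, regex, yes, no in CISCO_EXAMPLES:
        if cisco_match(regex, yes) and (no is None or not cisco_match(regex, no)):
            ok.append(desc)
    return ok


if __name__ == "__main__":
    for desc in check_examples():
        print("ok:", desc)
    # Outbound filter: drop anything that went via AS1800, permit the rest.
    print(filter_list_action([("deny", "_1800_"), ("permit", ".*")], "790 1800"))
```

The translation of "_" is the whole trick: in the Cisco examples every "_" is doing the job of a word boundary for AS numbers, which is why "_1800_" does not match "118000" and why "^[0-9]*_[0-9]+$" still matches a single-AS path (the "_" matches the start of the string there).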
This example is easily done in Juniper and it's very different because of the way things are matched.
So to just match an AS path length of one you
just need a ".",
a path length of two you need two dots with a space in between ". .",
an optional path length of two or one you have a dot followed by a question mark space and then another dot ".? .", and so on and so forth.
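The Junos examples (the "()" null path, ".* 1800", "1800 .*", ".* 65530 .*") and the path-length examples (".", ". .", ".? .") above, plus the {m,n} operator table, are demonstrated by this added Python evaluator. It is not code from the original presentation or from Juniper; the names junos_regex_to_python and junos_match are my own. It translates each Junos term into a match on a whole AS number, applies the implicit ^ and $ by requiring a full match, and treats "[ ]" as a set of AS numbers (with "a-b" ranges), which is exactly where the two vendors differ.

```python
import re

# The AS path is the plain sequence of AS numbers, e.g. "790 1800"; the empty
# string is the null path. Internally each AS number is followed by one
# space so that one term can only ever consume a whole AS number.
_TOKEN = re.compile(r"\d+|[.()|*+?]|\[[^\]]*\]|\{[^}]*\}|\s+")


def _as_set_to_python(body: str) -> str:
    """Expand a Junos set such as "1 2 10-12" into whole-AS alternatives."""
    members = []
    for item in body.split():
        if "-" in item:                       # numeric range of AS numbers
            lo, hi = item.split("-", 1)
            members.extend(str(n) for n in range(int(lo), int(hi) + 1))
        else:
            members.append(item)
    return "(?:" + "|".join(m + " " for m in members) + ")"


def junos_regex_to_python(junos_regex: str) -> str:
    """Translate a Junos AS-path regex into a Python regex over the canonical
    "asn asn " form. Grouping, alternation and the quantifiers * + ? {m,n}
    keep their meaning; ^ and $ are not needed because the match is full."""
    out = []
    pos = 0
    while pos < len(junos_regex):
        m = _TOKEN.match(junos_regex, pos)
        if m is None:
            raise ValueError(f"unsupported token at offset {pos} in {junos_regex!r}")
        tok = m.group()
        pos = m.end()
        if tok.isspace():
            continue                          # white space only separates terms
        if tok.isdigit():
            out.append(f"(?:{tok} )")         # one literal AS number, whole
        elif tok == ".":
            out.append(r"(?:\d+ )")           # any single AS number, whole
        elif tok.startswith("["):
            out.append(_as_set_to_python(tok[1:-1]))
        else:
            out.append(tok)                   # ( ) | * + ? {m,n} pass through
    return "".join(out)


def junos_match(junos_regex: str, as_path: str) -> bool:
    """Junos regexes must match the entire AS path, hence re.fullmatch."""
    canonical = "".join(asn + " " for asn in as_path.split())
    return re.fullmatch(junos_regex_to_python(junos_regex), canonical) is not None


# (description, regex, path that should match, path that should not match).
# Constructed sample paths; the "prepended" and "[ ]" entries are my own.
JUNOS_EXAMPLES = [
    ("routes local to this AS",      "()",             "",              "1800"),
    ("originated by AS1800",         ".* 1800",        "790 1800",      "1800 790"),
    ("received from AS1800",         "1800 .*",        "1800 790",      "790 1800"),
    ("passed through AS1800",        ".* 1800 .*",     "790 1800 2",    "118000"),
    ("AS1800 prepended (my form)",   ".* 1800 1800+ .*", "1800 1800 790", "1800 790"),
    ("via AS65530 in confederation", ".* 65530 .*",    "1 65530 2",     "1 2"),
    ("AS path length of one",        ".",              "1800",          "790 1800"),
    ("AS path length of two",        ". .",            "790 1800",      "1800"),
    ("AS path length of one or two", ".? .",           "1800",          "1 2 3"),
    ("AS path length of 1, 2 or 3",  ".? .? .",        "1 2 3",         "1 2 3 4"),
    ("same, with {m,n}",             ".{1,3}",         "1 2",           "1 2 3 4"),
    ("first hop in a set of ASes",   "[790 1800-1802] .*", "1801 5",     "1803 5"),
]


def check_examples():
    """Return the examples that behave as described (should be all of them)."""
    return [desc for desc, regex, yes, no in JUNOS_EXAMPLES
            if junos_match(regex, yes) and not junos_match(regex, no)]


if __name__ == "__main__":
    for desc in check_examples():
        print("ok:", desc)
```

Because a term can only consume a whole AS number, ".* 1800 .*" cannot match "118000" the way a naive character regex would, and no "_" separator is needed; the cost is that the path length examples must be written one term per AS, which is what ".? .? ." expresses.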
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.