Now if you want to filter routes based on the AS path, you have multiple tools depending on the vendor that you're going to use. For Cisco it's called a filter list, and it allows you to filter routes based on the AS path and you can apply it in the inbound direction for announcements coming towards you or in the outbound direction for announcements that you are making. It's referenced in the BGP neighbor configuration as: "neighbor <the address> filter-list", and then <a number> and then the direction whether it's "in" or "out". The way you create the AS path is in the main configuration you type: "ip as-path access-list" and then a <number>, the same number that you're going to reference in the BGP neighbor configuration, and then either a "permit" or "deny", and then a way to match the particular AS path that you want. For Cisco IOS, the AS path access list finishes with an implicit default deny. This is an example of a configuration that does it. So you have neighbor 102.10.1.1, and you have "filter-list 5" applied in the outbound direction and "filter-list 6" applied in the inbound direction. A you can see at the bottom you have, "ip as-path access-list 5 permit" and then a regular expression, and then "ip as-path access-list 6 permit and then a different regular expression. We shall look at the way you construct these regular expressions next. The regular expressions are very similar to UNIX regular expressions as defined in 461003.2. And according to this standard, a dot (.) will match one particular character. The asterisk (*), or the star, will match any number of the preceding expression. The plus (+) will match at least one of the preceding expression. The carrot (^), or the hat, matches at the beginning of the line. The dollar sign ($) matches at the end of the line. And to escape a particular regular expression character you need the backslash (\). Then you have an underscore (_) which can match at the beginning or at the end or wherever there's white space or just where there's a brace. Then you have the pipe (|) which is a way to use the logical or. And the you have brackets () to contain expressions that you can either group against other different match characters. And then you have square brackets [] to contain number ranges. Juniper has regular expressions very similar in construct to the Cisco ones but with a couple of differences. Firstly, the entire AS number composes one term inside Juniper AS. It is not possible to reference individual characters within an AS number. So this is a strong difference from regular expressions as defined in the POSIX standard. This means that the square brackets [] operator will work differently as we shall show in the next slide. In addition Juniper uses more of the extra operators as shown in the table that follows. Also some operators have been changed in Junos' implementation. So this table shows you the main differences between the Juniper regular expressions. So if you have an operator: "{m,n}", that means that the previous expression must match at minimum "m" times and at most "n" times. "m" and "n" must both be positive integers and "m" must be smaller than "n". If you have just: "{m}", then "m" repetitions must match exactly "m" times, "m" has to be a positive integer. If you have: "{m,}", then it's either "m" or more repetitions of the term, so from "m" to infinity. You can have a question mark (?), which means 0 or 1 repetitions of the term, this is equivalent to having "{0,1}". Now these last operators in red are the ones which are different from the way Cisco does it. So the square brackets [], have a set of AS numbers rather than individual digits. The hat sign (^), or the carrot, will match at the start of the regex similar to Cisco but for Juniper it's implicit because all regular expressions must match the entire AS path in Junos. So therefore, the hat sign (^) is not necessary and is implicit in every regular expression. Similarly, the dollar sign ($) must match at the end of a regex and it's also implicit so it's therefore not required. Because each term is a full AS the underscore (_), is not used in Junos regular expressions because each term is matched as an individual item. So let's look at some examples as you have on the screen, these are examples of how you'd write to match inside Cisco IOS regular expressions. So the "." followed by the "*", means match anything. "." followed by a "+" means match at least one character. Then the next one, the "^" followed by the "$" means match routes local to the AS. Because there's nothing inside the AS path, it's a null AS path. So these are routes that the autonomous system number is originating. The next one shows you how you would match routes which are originated by AS1800. The next one shows you how you'd match routes which are received from AS 1800. The difference between the previous two is, the first one is routes which are originated by AS 1800 irrespective of how we are connected to them. The next one means we are directly connected to 1800 and we want any route that comes through that link. The next one shows you how you could do routes which have passed through 1800. Either at the beginning, middle, or the end. And the next one shows you how you'd say 790 followed by 1800 and then it could be in the middle, beginning, or end. In some cases people might have prepends of their AS number and the next one shows you how you match them. So you'd have multiple "1800"s inside the sequence. Lastly, if you want to match something that is part of a confederation, you'd need to escape the brackets as shown with a back slashes. And this would match for this example, AS 65530. This slide shows you the exact same way of implementing the same regular expressions as we have for Cisco but in this case for Juniper. As you can see they're more or less similar except that you have a "." matching a full autonomous system number rather than a single character. This means that the third one is the main first difference that we see, So to match routes local to the AS, you just have the brackets without any spaces and inside quotation marks by themselves, "()". To match anything originated by AS1800 you have, ".* 1800". To match everything received from AS 1800 you have, "1800 .*". And so on and so forth. For the last one since we do not match individual characters you do not need to match the brackets. So to match AS65530 inside a confederation, you just have, ".* 65530 .*". These are some not so simple examples of how to match an AS path length of 1, of 2, of 1 or 2, or 1, 2, or 3. And for Cisco the way it's implemented is you have the range 0 to 9 inside square brackets, and then you have the "+" which means this 0 to 9 should match 1 or more times, so that will make a single AS. If you have a "*" this means that these square brackets, or the characters 0 to 9, will match 0 or more times, so that makes that match optional. This example is easily done in Juniper and it's widely different because of the way things are matched. So to just match an AS path link of one you just need a ".", a path length of two you need two dots with a space in between ". .", an optional path length of two or one you have a dot followed by a question mark space and then another dot ".? .", and so on and so forth.

© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.