Re: regex question for bgp

From: James (james@towardex.com)
Date: Tue Oct 12 2004 - 01:32:59 GMT-3


On Mon, Oct 18, 2004 at 09:15:14PM -0700, John Matus wrote:
> oppss.........typo! thanks james!
> now, does the "*" serve as a wild card for the "[0-9]" ? i'm reading
> that "*" means 'zero or more instances' and "+" means 'one or more
> instances'. i guess you wouldn't want a '+' unless you were certain that
> there were going to be x number of ASes in the path...

+ requires a minimum of one ASN present in the path, and that ASN may repeat itself.
* dictates that either the ASN can exist and repeat itself like with the +, or it may not exist at all.

What I mean by 'repeat itself' is a prepending instance. E.g. AS5 repeating itself
3 times would be prepending 3 times, or "3 3 3 i".

So if I want to build an AS-PATH bgp filter to accept my downstream customer's
AS, and let's call him AS100 just as an example, as well as his two downstream
customers AS200 and AS300, I can do this in a few ways:

Method A:

ip as-path access 1 permit ^100$
ip as-path access 1 permit ^100_200$
ip as-path access 1 permit ^100_300$

The above method is the simplest and works well, believe it or not. But it presents
one problem. What if AS100 does not like you and he wants most of his inbound
traffic to come in via another of his ISPs? A common way of him achieving that would
be to prepend his own ASN (AS100) however many times he wants so your path looks
longer. But the above as-path access list will BLOCK that. By the same token, his
downstream customers AS200 and AS300 can also do the same act, and their
prepends would also get blocked by the above acl.

The above acl would block that because a prepended path coming from your customer
may look like "100 100 200 i" or "100 100 200 200 i" and so on and so forth,
which are not matched by the above regex.

In order to rectify these prepending problems, and believe me many ISPs may
face this issue one way or another, one can do this:

ip as-path access 1 permit ^(100_)+$
ip as-path access 1 permit ^(100_)+(200_)+$
ip as-path access 1 permit ^(100_)+(300_)+$

That would allow AS100, AS100 itself repeating a few times (prepending), and the
same for "100 200" and "100 300" paths, while allowing non-prepended regular /
normal paths as well.

If I wanted to combine the above ACL into a single-line rule, this is how to do
that:

Method B:

ip as-path access 1 permit ^(100_)+((200|300)_)*$

The above single-line acl would match AS100, and would REQUIRE AS100 to be
present in path at all times first, because of the + sign after 100_.

Furthermore, it would then allow either AS200 <OR> AS300 right after AS100,
and it would allow prepending of 200 or 300. But we are using the * sign instead
of the + sign, because we also need to match a path where we only have ^100$
itself alone without any ASNs behind it. So the * sign means allow repeating
instances of the object, while allowing none of it as well.

Obviously, all this regex hysteria I described here is most likely way beyond
the CCIE R&S coverage, but it gives you a good insight into some advanced BGP
as-path regex in use on a provider network.

HTH,
-J

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james@towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
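To see the difference between Method A and Method B on prepended paths, here is a small Python emulation of the filter, added as an example and not part of the original post: it translates Cisco's as-path `_` (which matches a space, comma, braces, parentheses, or the start/end of the path) into an equivalent Python regex and evaluates the two access lists over constructed sample paths.

```python
import re

# Cisco's as-path regex "_" matches a space, comma, "{", "}", "(", ")" or the
# start/end of the path; this equivalent group emulates it in Python's re.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_to_python(pattern: str) -> str:
    """Translate a Cisco AS-path regex into an equivalent Python regex."""
    return pattern.replace("_", UNDERSCORE)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the Cisco-style pattern matches the AS_PATH string as shown by
    'show ip bgp' (ASNs separated by spaces, without the trailing origin code)."""
    return re.search(cisco_to_python(pattern), as_path) is not None


def as_path_access_list(rules, as_path: str) -> bool:
    """Evaluate an ordered list of (action, pattern) entries the way an
    'ip as-path access-list' does: first match wins, no match means deny."""
    for action, pattern in rules:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


# The two access lists from the post, one entry per line.
METHOD_A = [("permit", "^100$"), ("permit", "^100_200$"), ("permit", "^100_300$")]
METHOD_B = [("permit", "^(100_)+((200|300)_)*$")]

# Constructed sample AS paths a provider might receive from customer AS100;
# "100 200 300" is included because the single-line rule also accepts it.
SAMPLE_PATHS = ["100", "100 200", "100 300", "100 100 200",
                "100 100 200 200", "200", "100 200 300", "100 400"]


def compare(rules_a, rules_b, paths):
    """Return {path: (permitted_by_a, permitted_by_b)} for each sample path."""
    return {p: (as_path_access_list(rules_a, p),
                as_path_access_list(rules_b, p)) for p in paths}


if __name__ == "__main__":
    for path, (a, b) in compare(METHOD_A, METHOD_B, SAMPLE_PATHS).items():
        verdict = lambda ok: "permit" if ok else "deny"
        print(f"{path:16s} Method A: {verdict(a):6s} Method B: {verdict(b)}")
```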

