BGP AS Path Access List

Scenario:

Sugar Cane company is an international company that is growing at a rapid rate. BGP is used to connect all the different sites; the security officer, however, doesn't want all the sites to have full connectivity and wants you to create some filters based on AS paths.

Goal:

  • All IP addresses have been preconfigured for you.
  • Configure EBGP between all routers.
  • You are only allowed to use AS Path Access-Lists to complete the following tasks.
  • Advertise the loopback0 and loopback1 interface on all routers in BGP.
  • Ensure AS1 does not become a transit AS.
  • Configure router Bakers so it doesn’t advertise any prefixes from AS 2 towards AS 4.
  • Configure AS4 so it doesn’t accept any prefixes originated by AS 1.
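As an added, stand-alone check that is not part of the original lab or of any solution posted for it: the script below models how IOS evaluates an AS-path access-list (entries tried in order, first match wins, implicit deny at the end, and `_` standing for a comma, brace, parenthesis, space, or the start or end of the string) and runs the three filters the tasks ask for against AS paths that could appear in this topology. The translation of `_` into a Python regex alternation, the filter names, and the sample AS paths are my assumptions and are not captured from the lab routers.

```python
import re

# Cisco's "_" in an AS-path regex matches a comma, an open or close brace,
# an open or close parenthesis, a space, or the start or end of the string.
# Translating it into this alternation (my assumption about how to model it
# with Python's re module) lets "_1_" match AS 1 but not AS 10, 21 or 11.
_UNDERSCORE = r"(?:^|$|[\s,{}()])"


def ios_regex(pattern: str):
    """Compile an IOS-style AS-path regular expression as a Python regex."""
    return re.compile(pattern.replace("_", _UNDERSCORE))


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the IOS regex matches anywhere in the AS path. IOS searches for
    the expression rather than anchoring it, unless ^ or $ is used."""
    return ios_regex(pattern).search(as_path) is not None


def evaluate(acl, as_path: str) -> str:
    """Evaluate an AS-path access-list given as ordered (action, regex) tuples.

    Entries are tried in order and the first match decides; if nothing matches
    the route is denied, mirroring the implicit deny at the end of the list."""
    for action, pattern in acl:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


def ios_lines(list_number: int, acl) -> list:
    """Render the access-list in IOS configuration syntax."""
    return [f"ip as-path access-list {list_number} {action} {pattern}"
            for action, pattern in acl]


# The three filters the tasks ask for. An outbound filter-list is matched
# against the AS path as stored in the local BGP table, before the local AS
# is prepended, which is why ^$ selects only the locally originated prefixes.
NO_TRANSIT = [("permit", "^$")]                      # Barbados (AS 1), out to AS 2 and AS 4
NO_AS2_TO_AS4 = [("deny", "^2_"), ("permit", ".*")]  # Bakers (AS 3), out to Coarse (AS 4)
NO_AS1_ORIGIN = [("deny", "_1$"), ("permit", ".*")]  # Coarse (AS 4), in from AS 1 and AS 3

# Constructed AS paths as a router in this topology could see them. The empty
# string is a locally originated loopback; "23" shows why "_" matters; "1 2"
# is a prefix that passed through AS 1 but was not originated there; and
# "3 {2,1}" is how an AS_SET from an aggregate is displayed, included to show
# that _1$ does not catch an AS 1 origin hidden inside an aggregate.
SAMPLE_PATHS = ["", "1", "2", "3", "2 1", "1 2", "2 3", "3 2", "3 2 1", "23", "3 {2,1}"]


def filter_matrix() -> dict:
    """Return {filter name: {as path: action}} for every sample path."""
    filters = {"NO_TRANSIT": NO_TRANSIT,
               "NO_AS2_TO_AS4": NO_AS2_TO_AS4,
               "NO_AS1_ORIGIN": NO_AS1_ORIGIN}
    return {name: {path: evaluate(acl, path) for path in SAMPLE_PATHS}
            for name, acl in filters.items()}


if __name__ == "__main__":
    for name, results in filter_matrix().items():
        print(name)
        for path, action in results.items():
            label = path if path else "(local)"
            print(f"  {label:10} -> {action}")
```

On the router itself the same checks are `show ip bgp regexp _1$` to see which paths an expression selects before you apply it, and `show ip bgp filter-list 1` to see what an existing list permits; after adding or changing a filter-list, issue `clear ip bgp * soft in` (or `soft out` for an outbound filter) so the new policy is applied to already-learned routes.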

It took me thousands of hours of reading books and doing labs, making mistakes over and over again, until I mastered all the protocols for CCNP.

Would you like to be a master of networking too? In a short time, without having to read 900-page books or Google the answers to your questions and browse through forums?

I collected all my knowledge and created a single ebook for you that has everything you need to know to become a master of CCNP.

You will learn all the secrets about BGP, external BGP, Transit AS and more.

Does this sound interesting to you? Take a look here and let me show you how to Master CCNP ROUTE!

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

[Topology diagram: BGP AS Path Access-List]

Configuration Files

You need to register to download the GNS3 topology file. (Registration is free!)

Once you are logged in you will find the configuration files right here.

Do you want your CCNA or CCNP Certificate?

The How to Master series helps you to understand complex topics like spanning-tree, VLANs, trunks, OSPF, EIGRP, BGP and more.

Written by René Molenaar - CCIE #41726


About the Author: Rene Molenaar

René - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com

18 Comments

  1. my solution 🙂

    Coarse#
    AS path access list 1
    deny _1$
    permit .*

    !
    neighbor 192.168.14.1 filter-list 1 in

    Barbados#sh ip as-path-access-list
    AS path access list 23
    permit ^$

    neighbor 192.168.14.4 filter-list 23 out
    neighbor 192.168.12.2 filter-list 23 out

    Bakers#sh ip as-path-access-list
    AS path access list 1
    deny ^2_
    permit .*

    neighbor 192.168.34.4 filter-list 1 out

  2. Hello Rene:

    Please fix the following error in your config file:
    - Barbados router: change loopback 0 and loopback 1 to be 4.4.4.4 and 44.44.44.44 respectively.
    - Right now, both the Coarse and Barbados routers are using the same addresses for lo0 and lo1.
    - Consequence: at start-up, they will both use the same router ID as the BGP identifier and will never be able to form an adjacency.
    - A capture done on the interface connecting both routers will show "BGP bad identifier" as a NOTIFICATION message in reply to an OPEN sent by either of the peers.

  3. Sorry Rene, lo0 on Barbados should be 1.1.1.1 and lo1 should be 11.11.11.11, as Coarse is already using 4.4.4.4 and 44.44.44.44.
    Thanks.

  4. I actually like the little issues on the lab, it tends to tune your trouble shooting skills while covering the other objectives.

    1. Completely agree. I find it much more pleasant to solve these labs when there's a need for troubleshooting.

  5. Kindly upload the video; my command doesn't work:

    ip as-path access-list 1 permit _1$

    When I enter this in GNS3 I can't get the proper output.

  6. I actually did not notice that both routers had the same lo0 and lo1 IP addresses until after I fixed the error. I fixed the error by issuing "bgp router-id 1.1.1.1" on router Barbados and "bgp router-id 4.4.4.4" on Coarse. That fixed the issue; then I noticed the IP addresses and changed them.

  7. Here is my homework 😉

    Barbados:
    router bgp 1
    no synchronization
    bgp log-neighbor-changes
    network 1.1.1.0 mask 255.255.255.0
    network 11.11.11.0 mask 255.255.255.0
    neighbor 192.168.12.2 remote-as 2
    neighbor 192.168.12.2 filter-list 2 out
    neighbor 192.168.14.4 remote-as 4
    neighbor 192.168.14.4 filter-list 2 out
    no auto-summary
    !
    ip http server
    ip forward-protocol nd
    !
    !
    ip as-path access-list 2 permit ^$

    *********************************************
    Castor
    router bgp 2
    no synchronization
    bgp log-neighbor-changes
    network 2.2.2.0 mask 255.255.255.0
    network 22.22.22.0 mask 255.255.255.0
    neighbor 192.168.12.1 remote-as 1
    neighbor 192.168.23.3 remote-as 3
    no auto-summary
    !

    ****************************************************
    Bakers
    router bgp 3
    no synchronization
    bgp log-neighbor-changes
    network 3.3.3.0 mask 255.255.255.0
    network 33.33.33.0 mask 255.255.255.0
    neighbor 192.168.23.2 remote-as 2
    neighbor 192.168.34.4 remote-as 4
    neighbor 192.168.34.4 filter-list 1 out
    no auto-summary
    !
    ip http server
    ip forward-protocol nd
    !
    !
    ip as-path access-list 1 deny ^2_
    ip as-path access-list 1 permit .*
    !
    ************************************************
    Coarse
    router bgp 4
    no synchronization
    bgp log-neighbor-changes
    network 4.4.4.0 mask 255.255.255.0
    network 44.44.44.0 mask 255.255.255.0
    neighbor 192.168.14.1 remote-as 1
    neighbor 192.168.14.1 filter-list 1 in
    neighbor 192.168.34.3 remote-as 3
    neighbor 192.168.34.3 filter-list 1 in
    no auto-summary
    !
    ip http server
    ip forward-protocol nd
    !
    !
    ip as-path access-list 1 deny _1$
    ip as-path access-list 1 permit .*

  8. Memorising These Regular Expressions would be very helpful for this lab by INE.

    +------+------------------------------------------------+
    | CHAR | USAGE                                          |
    +------+------------------------------------------------+
    | ^    | Start of string                                |
    | $    | End of string                                  |
    | []   | Range of characters                            |
    | -    | Used to specify a range (i.e. [0-9])           |
    | ( )  | Logical grouping                               |
    | .    | Any single character                           |
    | *    | Zero or more instances                         |
    | +    | One or more instances                          |
    | ?    | Zero or one instance                           |
    | _    | Comma, open or close brace, open or close      |
    |      | parentheses, start or end of string, or space  |
    +------+------------------------------------------------+

    +------------+---------------------------+
    | Expression | Meaning                   |
    +------------+---------------------------+
    | .*         | Anything                  |
    | ^$         | Locally originated routes |
    | ^100_      | Learned from AS 100       |
    | _100$      | Originated in AS 100      |
    | _100_      | Any instance of AS 100    |
    | ^[0-9]+$   | Directly connected ASes   |
    +------------+---------------------------+

  9. Hello Guys,
    Below my solution:

    ******Castor******

    router bgp 2
    no synchronization
    bgp log-neighbor-changes
    network 2.2.2.0 mask 255.255.255.0
    network 22.22.22.0 mask 255.255.255.0
    neighbor 192.168.12.1 remote-as 1
    neighbor 192.168.23.3 remote-as 3
    no auto-summary

    *******Barbados*******

    router bgp 1
    no synchronization
    bgp log-neighbor-changes
    network 1.1.1.0 mask 255.255.255.0
    network 11.11.11.0 mask 255.255.255.0
    neighbor 192.168.12.2 remote-as 2
    neighbor 192.168.12.2 route-map FILTER_4 out
    neighbor 192.168.14.4 remote-as 4
    neighbor 192.168.14.4 route-map FILTER_2 out
    no auto-summary
    !
    ip as-path access-list 22 deny _4_
    ip as-path access-list 22 permit .*
    ip as-path access-list 44 deny _2_
    ip as-path access-list 44 permit .*
    !
    route-map FILTER_4 permit 10
    match as-path 22
    !
    route-map FILTER_2 permit 10
    match as-path 44

    *********Bakers*********

    router bgp 3
    no synchronization
    bgp log-neighbor-changes
    network 3.3.3.0 mask 255.255.255.0
    network 33.33.33.0 mask 255.255.255.0
    neighbor 192.168.23.2 remote-as 2
    neighbor 192.168.34.4 remote-as 4
    neighbor 192.168.34.4 route-map FILTER_2 out
    no auto-summary
    !
    ip as-path access-list 44 deny _2_
    ip as-path access-list 44 permit .*
    !
    route-map FILTER_2 permit 10
    match as-path 44

    *******Coarse***********

    router bgp 4
    no synchronization
    bgp log-neighbor-changes
    network 4.4.4.0 mask 255.255.255.0
    network 44.44.44.0 mask 255.255.255.0
    neighbor 192.168.14.1 remote-as 1
    neighbor 192.168.14.1 route-map FILTER_1 in
    neighbor 192.168.34.3 remote-as 3
    no auto-summary
    !
    ip as-path access-list 11 permit ^V^_
    ip as-path access-list 11 deny _1$
    ip as-path access-list 11 permit .*
    !
    !
    route-map FILTER_1 permit 10
    match as-path 11
    *********************************************

    Regards,
    Pit.

  10. Hi Rene,

    Hope you’re doing good!

    I'm unable to console into the routers after loading the topology into my GNS3 v1.3.1. On the console I get an error message:
    Connected to Dynamips VM "Coarse" (ID 4, type c3600) - Console port
    Press ENTER to get the prompt.

    Nothing happens after that. I have tried deleting the IOS image and re-adding it several times. I don't get it. Can you please suggest something?

    Appreciated!

  11. Hi Rene,

    I'm unable to perform the last task, i.e.:
    Configure AS4 so it doesn't accept any prefixes originated by AS 1.

    Please see my config below:

    router bgp 4
    no synchronization
    bgp log-neighbor-changes
    network 4.4.4.4 mask 255.255.255.255
    network 44.44.44.44 mask 255.255.255.255
    neighbor 192.168.14.1 remote-as 1
    neighbor 192.168.14.1 filter-list 1 in
    neighbor 192.168.34.3 remote-as 3
    no auto-summary
    !
    no ip http server
    no ip http secure-server
    !
    ip forward-protocol nd
    !
    ip as-path access-list 1 deny _1$
    ip as-path access-list 1 permit .*
    !

    R4#sh ip bgp
    BGP table version is 13, local router ID is 44.44.44.44
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    *> 1.1.1.1/32       192.168.14.1             0             0 1 i
    *> 3.3.3.3/32       192.168.34.3             0             0 3 i
    *> 4.4.4.4/32       0.0.0.0                  0         32768 i
    *> 11.11.11.11/32   192.168.14.1             0             0 1 i
    *> 33.33.33.33/32   192.168.34.3             0             0 3 i
    *> 44.44.44.44/32   0.0.0.0                  0         32768 i

    I'm still seeing routes originated from R1, i.e., Barbados.

    Please advise

    Sagar

  12. Great lab but i couldn’t have done it without reading some of the comments here. I have never used regular expressions before and pretty sure i could never remember them for an exam situation!

Comments are closed.