BGP AS Manipulation
AS Manipulation with RegEx, Route-Maps, Confederation and more
Theory
With AS Manipulation you are able to manipulate the prefixes and routes that get advertised or received through BGP.
A BGP peering is a connection between two routers that exchange BGP update packets carrying information about reachable prefixes and their AS paths. If we want to deny or permit an AS in the AS path, or change the route a packet travels, we need a way to manipulate those BGP updates.
There are different approaches to do this.
Topology
The topology consists of 4 Routers each with a different AS and loopback interface. All have the Cisco vRouter Image IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.9(3)M2, RELEASE SOFTWARE (fc1).
Route-Map
With a route-map you can match prefixes and set metrics according to it.
In this example we set the local preference (the second attribute in BGP best-path selection, evaluated right after weight) to 150, so that routes learned from the R2 peer are preferred.
The statement route-map R2_PEER permit 20 is important because it has no match criteria and therefore acts as a permit-any for the remaining prefixes; a route-map ends with an implicit deny.
R3
route-map R2_PEER permit 10
set local-preference 150
route-map R2_PEER permit 20
router bgp 300
neigh 10.2.0.2 remote-as 200
neigh 10.2.0.2 route-map R2_PEER in
The output (shortened) on R3 shows that all routes coming from R2 have a local preference of 150. The command for the output is show ip bgp.
Network Next Hop Metric LocPrf Weight Path
* 1.1.1.1/32 10.3.0.2 0 0 100 i
*> 10.2.0.2 150 0 200 100 i
* 2.2.2.2/32 10.3.0.2 0 100 200 i
*> 10.2.0.2 0 150 0 200 i
*> 3.3.3.3/32 0.0.0.0 0 32768 i
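To make the route-selection effect visible outside the lab, here is an added example (not from the original article) that models the first BGP best-path tie-breakers as IOS applies them and replays R3's two paths for 1.1.1.1/32 from the table above, with and without the R2_PEER route-map. Path attributes are constructed from that table; the code assumes IOS defaults (weight 0, local preference 100) for attributes the table does not show.

```python
from dataclasses import dataclass
from typing import List

# Added example, not from the original article. A minimal model of the
# first BGP best-path tie-breakers: highest weight, highest local
# preference, shortest AS path, then lowest origin code (i < e < ?).

@dataclass
class Path:
    next_hop: str
    as_path: List[int]
    weight: int = 0          # Cisco-local attribute, 0 for learned routes
    local_pref: int = 100    # IOS default when the attribute is absent
    origin: str = "i"

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}

def best_path(paths: List[Path]) -> Path:
    # Tuples compare left to right, so this is the ordered tie-break:
    # higher weight, higher local-pref, fewer ASes, lower origin code.
    return max(paths, key=lambda p: (p.weight, p.local_pref,
                                     -len(p.as_path), -ORIGIN_RANK[p.origin]))

def route_map_r2_peer(path: Path, peer: str) -> Path:
    # Inbound route-map R2_PEER from the article: every route learned from
    # 10.2.0.2 gets local-preference 150; sequence 20 leaves others alone.
    if peer == "10.2.0.2":
        path.local_pref = 150
    return path

def r3_best_with_route_map() -> str:
    via_r1 = Path("10.3.0.2", [100])                 # direct path, one AS
    via_r2 = route_map_r2_peer(Path("10.2.0.2", [200, 100]), "10.2.0.2")
    return best_path([via_r1, via_r2]).next_hop     # 10.2.0.2

def r3_best_without_route_map() -> str:
    # Same two paths, no local-pref change: the shorter AS path wins.
    via_r1 = Path("10.3.0.2", [100])
    via_r2 = Path("10.2.0.2", [200, 100])
    return best_path([via_r1, via_r2]).next_hop     # 10.3.0.2

def weight_beats_local_pref() -> str:
    # Weight is checked before local-pref, so a weight of 500 on the
    # longer path overrides even a local-pref of 150 on the other.
    heavy = Path("10.3.0.2", [200, 100], weight=500)
    preferred = Path("10.2.0.2", [100], local_pref=150)
    return best_path([heavy, preferred]).next_hop   # 10.3.0.2

if __name__ == "__main__":
    print(r3_best_with_route_map(), r3_best_without_route_map(), weight_beats_local_pref())
```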
Access-List
You can use access-lists in combination with route-maps to allow/deny prefixes to a peer.
R3
access-list 1 permit 1.1.1.1
route-map PERMIT1_1_1_1 permit 10
match ip add 1
router bgp 300
neigh 10.4.0.2 route-map PERMIT1_1_1_1 out
The output on R4 shows that only the prefix 1.1.1.1/32 is advertised from R3 to R4. The other prefixes are local networks on R4.
Network Next Hop Metric LocPrf Weight Path
* 1.1.1.1/32 10.2.0.2 0 150 0 300 200 100 i
*> 4.4.4.4/32 0.0.0.0 0 32768 i
*> 44.44.44.44/32 0.0.0.0 0 32768 i
Distribute-list
With the distribute-list command you can use access-lists without route-maps to allow/deny prefixes to a peer.
R3
access-list 1 deny 1.1.1.1 0.0.0.0
access-list 1 permit any
router bgp 300
neigh 10.4.0.2 distribute-list 1 out
Prefix-List
With prefix-lists you can also match on the prefix length, using ge (greater than or equal) and le (less than or equal).
As an example, the prefix-list entry 192.168.0.0/16 ge 20 le 26 matches all prefixes inside the 192.168.0.0/16 network whose prefix length is from /20 to /26. Since we only configured /32 loopbacks (and the peer networks) as network statements in our BGP config, the length range is not relevant to us here.
R4
ip prefix-list 2_2_2_2 permit 2.2.2.2/32
route-map 2_2_2_2WEIGHT permit 10
match ip address prefix-list 2_2_2_2
set weight 100
route-map 2_2_2_2WEIGHT permit 20
router bgp 400
neigh 10.4.0.1 route-map 2_2_2_2WEIGHT in
The output (shortened) on R4 shows that only the 2.2.2.2/32 prefix has a Weight of 100.
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 10.4.0.1 0 300 100 i
*> 2.2.2.2/32 10.4.0.1 100 300 200 i
*> 3.3.3.3/32 10.4.0.1 0 0 300 i
*> 4.4.4.4/32 0.0.0.0 0 32768 i
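The ge/le semantics are easy to get wrong when writing prefix-list filters, so here is an added example (not from the original article) that implements the prefix-list matching rule in Python and evaluates both the article's 2_2_2_2 list and the 192.168.0.0/16 ge 20 le 26 entry against constructed candidate prefixes. It assumes IOS behaviour: entries are checked in order, an entry with only ge implies le up to the maximum length, and the list ends with an implicit deny.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not from the original article: the matching rule behind
# "ip prefix-list NAME permit|deny A.B.C.D/len [ge X] [le Y]".
# A candidate matches an entry when it lies inside the entry's network
# AND its prefix length is within [ge, le]. With no ge/le only the exact
# length matches; with only ge, le defaults to the address family maximum.

Entry = Tuple[str, str, Optional[int], Optional[int]]  # action, prefix, ge, le

def entry_matches(entry: Entry, candidate: str) -> bool:
    _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix, strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    if cand.version != net.version or not cand.subnet_of(net):
        return False                     # candidate must fall inside the entry
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    else:
        high = net.max_prefixlen if ge is not None else net.prefixlen
    return low <= cand.prefixlen <= high

def evaluate(prefix_list: List[Entry], candidate: str) -> bool:
    # First matching entry decides; no match means the implicit deny.
    for entry in prefix_list:
        if entry_matches(entry, candidate):
            return entry[0] == "permit"
    return False

# Constructed lists: the article's 2_2_2_2 list and its ge/le example.
PL_2_2_2_2: List[Entry] = [("permit", "2.2.2.2/32", None, None)]
PL_RANGE: List[Entry] = [("permit", "192.168.0.0/16", 20, 26)]

if __name__ == "__main__":
    for cand in ("2.2.2.2/32", "2.2.2.0/24"):
        print("2_2_2_2", cand, evaluate(PL_2_2_2_2, cand))
    for cand in ("192.168.0.0/16", "192.168.1.0/24", "192.168.1.0/28", "10.0.0.0/24"):
        print("RANGE", cand, evaluate(PL_RANGE, cand))
```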
Outbound Route Filtering
With Outbound Route Filtering (ORF) you push your inbound prefix-list to the peer, so the peer applies it before sending updates and you only receive the prefixes you asked for.
R4
ip prefix-list PERMIT1_1_1_1 permit 1.1.1.1/32
router bgp 400
neigh 10.4.0.1 capability orf prefix-list send
neigh 10.4.0.1 prefix-list PERMIT1_1_1_1 in
R3
router bgp 300
neigh 10.4.0.2 capability orf prefix-list receive
#show ip bgp neigh 10.4.0.2 received prefix-filter #on R3: the prefix-list pushed by R4
#show ip bgp neigh 10.4.0.2 advertised-routes #on R3: what is still sent to R4 after the filter
The output on R4 shows that only 1.1.1.1/32 prefix gets received from R3. The other prefixes are local networks.
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 10.4.0.1 0 300 100 i
*> 4.4.4.4/32 0.0.0.0 0 32768 i
*> 44.44.44.44/32 0.0.0.0 0 32768 i
Regular Expressions
Regular expressions are strings with special characters that can be used for advanced filtering of prefixes based on their AS path.
Here are the four most important strings:
- ^ = start of string
- $ = end of string
- * = one or more
- _ = matching space or comma
You can use the regexp characters in your show commands. Since the pipe | is itself a regexp character, you need quote-regexp if you want to use the | to filter your output.
sh ip bgp regexp ^$ #show routes that originated from me
sh ip bgp regexp ^200$ #shows routes from AS 200
sh ip bgp regexp ^200 100$ #shows routes learned from AS 200 whose origin AS is AS 100
sh ip bgp regexp _200$ #shows routes originating from AS 200
sh ip bgp quote-regexp ^200_ | i 10.2 #if you want to use the pipe you have to use quote-regexp since | is part of regexp
sh ip bgp quote-regexp _10+[0-9]*$ | beg Network #matches paths whose origin AS begins with 10 followed by any further digits 0-9
Weight is the first option when it comes to route selection in BGP and the prefix with the higher weight wins.
In this example we set the weight to 500 for prefixes whose AS path ends with AS 100, using the same regexp as above in an as-path access-list.
R4
ip as-path access-list 5 permit _10+[0-9]*$
route-map AS100WEIGHT permit 10
match as-path 5
set weight 500
route-map AS100WEIGHT permit 20
router bgp 400
neigh 10.4.0.1 route-map AS100WEIGHT in
The output (shortened) on R4 shows that only the prefix with 100 in the aspath has a weight set to 500.
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 10.4.0.1 500 300 100 i
*> 2.2.2.2/32 10.4.0.1 0 300 200 i
*> 3.3.3.3/32 10.4.0.1 0 0 300 i
*> 4.4.4.4/32 0.0.0.0 0 32768 i
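The IOS underscore metacharacter is what makes these patterns work, and it is also why `_10+[0-9]*$` is broader than "AS 100". As an added example (not from the original article) for the Regular Expressions section and the as-path access-list above, this translates IOS AS-path regexps to Python and runs the article's patterns against constructed AS paths as a router in AS 400 would see them; the `_` translation assumes the IOS definition (space, comma, brace, start or end of path).

```python
import re
from typing import List

# Added example, not from the original article. IOS AS-path regexps use
# "_" for "space, comma, brace, start or end of the path"; the rest is
# ordinary regex syntax. Translating "_" lets us test the patterns here.

UNDERSCORE = r"(?:^|$|[ ,{}()])"

def ios_regex_to_python(pattern: str) -> str:
    out, in_class = [], False
    for ch in pattern:
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        # "_" inside a character class is a literal underscore, leave it.
        out.append(UNDERSCORE if ch == "_" and not in_class else ch)
    return "".join(out)

def matching_paths(pattern: str, as_paths: List[str]) -> List[str]:
    # Mirrors "show ip bgp regexp PATTERN": keep paths the regexp matches.
    rx = re.compile(ios_regex_to_python(pattern))
    return [p for p in as_paths if rx.search(p)]

# Constructed AS paths ("" is a locally originated route). "300 1000" is
# included to show that _10+[0-9]*$ also matches AS 1000, not only AS 100,
# so an over-broad as-path access-list would set weight on it as well.
AS_PATHS = ["", "300", "300 200", "300 100", "300 200 100", "300 1000", "300 210"]

if __name__ == "__main__":
    for pat in ("^$", "^300$", "^300 100$", "_100$", "_10+[0-9]*$"):
        print(f"{pat:14} -> {matching_paths(pat, AS_PATHS)}")
```

A tighter pattern for "origin AS is exactly 100" is `_100$`, which the run above shows does not match `300 1000`.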
Communities
A community is a tag for prefixes that are advertised through BGP. You can either set a custom community in a route-map or use a well-known community that will influence the way your bgp prefixes are treated.
In this example we tag 4.4.4.4/32 with the well-known no-export community, so the directly connected peer (R3) accepts the prefix but does not advertise it on to its own external peers.
R4
ip prefix-list PERMIT4_4_4_4 permit 4.4.4.4/32
route-map PERMIT4_4_4_4 permit 10
match ip add prefix-list PERMIT4_4_4_4
set community no-export
#set community no-advertise #same effect in this all-eBGP topology; no-advertise also stops advertisement to iBGP peers
route-map PERMIT4_4_4_4 permit 20
router bgp 400
neigh 10.4.0.1 send-community #without this the community is stripped before the update leaves R4
neigh 10.4.0.1 route-map PERMIT4_4_4_4 out
The output (shortened) on R1 shows that the 4.4.4.4/32 prefix is not received.
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 0.0.0.0 0 32768 i
* 2.2.2.2/32 10.3.0.1 0 300 200 i
*> 10.1.0.2 0 0 200 i
* 3.3.3.3/32 10.1.0.2 0 200 300 i
*> 10.3.0.1 0 0 300 i
* 10.3.0.0/30 10.3.0.1 0 0 300 i
*> 0.0.0.0 0 32768 i
Here we set a custom community on R3 in a route-map so that all prefixes we advertise to the peer R4 carry this community.
R3
route-map COMM1 permit 10
set community 12345
router bgp 300
neigh 10.4.0.2 send-community
neigh 10.4.0.2 route-map COMM1 out
sh ip bgp community 12345 #on the peer router to show the prefixes that carry the community
Local-AS
With the local-as option a router presents a different AS number to a particular peer. Here R4 (really AS 400) appears to R3 as AS 123, so R3's neighbor statement uses remote-as 123 instead of 400.
R4
router bgp 400
neigh 10.4.0.1 remote-as 300
neigh 10.4.0.1 local-as 123
R3
router bgp 300
neigh 10.4.0.2 remote-as 123
Confederation
A confederation lets you group multiple ASes (300 and 400 in our example) under one confederation ID (111). External routers peer with AS 111, and the member AS numbers are removed from the AS path, so all prefixes from the confederation are advertised as coming from the single AS 111.
R3
router bgp 300
bgp confederation id 111
bgp confederation peers 400
neigh 10.4.0.2 remote-as 400
R4
router bgp 400
bgp confederation id 111
bgp confederation peers 300
neigh 10.4.0.1 remote-as 300
R1
router bgp 100
neigh 10.3.0.1 remote-as 111
The output (shortened) on R1 shows that prefixes from AS 300 and AS 400 get advertised as AS 111.
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 0.0.0.0 0 32768 i
* 10.1.0.2 0 200 300 i
*> 4.4.4.4/32 10.3.0.1 0 111 i
* 10.3.0.0/30 10.3.0.1 0 0 111 i
*> 0.0.0.0 0 32768 i
Thanks for reading my article. If you have any questions or recommendations you can message me via arvednetblog@gmail.com.