Monday, August 26, 2013

BGP Filtering AS-PATH traffic

Traffic engineering with BGP AS-PATH ACL

A short time ago I stumbled upon this small lab with four BGP routers, which I will use today to simulate traffic engineering via the BGP control plane. The diagram shows four routers, each presenting itself as an independent Autonomous System that could be serving many clients inside its AS. I have preconfigured the simulated WAN links and the BGP processes on all of the routers. Note that the router names do not match the AS numbers: as the configurations below show, R1 sits in AS 2, R2 in AS 1, R3 in AS 3 and R4 in AS 4, and the four ASes form a ring (AS 2 - AS 1 - AS 4 - AS 3 - AS 2).
The lab comes with three tasks that have to be completed:
  1. Ensure that AS 1 does not become a transit AS.
  2. Prevent R3 from sending prefixes learned from AS 2 to AS 4.
  3. Configure AS 4 not to accept any prefixes originated in AS 1.
Now let us look at the diagram and the configuration scripts.


In the initial configurations every router has an eBGP session with each of its two neighbors, so all four are eBGP speakers. The simulated WAN links between the routers are used as update sources for the BGP sessions, and I have advertised a couple of loopbacks on each router to have some prefixes to play with.

R1
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Loopback1
 ip address 22.22.22.22 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.23.2 255.255.255.0
 duplex auto
 speed auto
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 2.2.2.0 mask 255.255.255.0
 network 22.22.22.0 mask 255.255.255.0
 neighbor 192.168.12.1 remote-as 1
 neighbor 192.168.23.3 remote-as 3
 no auto-summary

R2
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface Loopback1
 ip address 44.44.44.44 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.14.1 255.255.255.0
 duplex auto
 speed auto
!
router bgp 1
 no synchronization
 bgp router-id 4.4.4.4
 bgp log-neighbor-changes
 network 4.4.4.0 mask 255.255.255.0
 network 44.44.44.0 mask 255.255.255.0
 neighbor 192.168.12.2 remote-as 2
 neighbor 192.168.14.4 remote-as 4
 neighbor 192.168.14.4 update-source FastEthernet1/0
 no auto-summary

R3
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Loopback1
 ip address 33.33.33.33 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.34.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.23.3 255.255.255.0
 duplex auto
 speed auto
!
router bgp 3
 no synchronization
 bgp log-neighbor-changes
 network 3.3.3.0 mask 255.255.255.0
 network 33.33.33.0 mask 255.255.255.0
 neighbor 192.168.23.2 remote-as 2
 neighbor 192.168.23.2 update-source FastEthernet1/0
 neighbor 192.168.34.4 remote-as 4
 no auto-summary

R4
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface Loopback1
 ip address 55.55.55.55 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.14.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.34.4 255.255.255.0
 duplex auto
 speed auto
!
router bgp 4
 no synchronization
 bgp log-neighbor-changes
 network 5.5.5.0 mask 255.255.255.0
 network 55.55.55.0 mask 255.255.255.0
 neighbor 192.168.14.1 remote-as 1
 neighbor 192.168.14.1 update-source FastEthernet0/0
 neighbor 192.168.34.3 remote-as 3
 no auto-summary

For the first task we must prevent R2 (AS 1) from becoming a transit provider. We can do this with an AS-PATH access list that permits only prefixes originated inside the AS: in the local BGP table those prefixes carry an empty AS_PATH (the local AS is prepended only on export), so the regular expression ^$ matches exactly them and nothing learned from a neighbor.

So I will create an AS-PATH acl:

ip as-path access-list 23 permit ^$

This is applied as an outbound filter-list on both eBGP neighbors under router bgp 1, so R2 keeps learning everything but advertises only its own prefixes in either direction. On IOS a policy change does not affect an established session until a route refresh is triggered, for example with clear ip bgp * soft out, so do that before verifying.

neighbor 192.168.12.2 filter-list 23 out
neighbor 192.168.14.4 filter-list 23 out

Now we can verify that only R2's own prefixes are being advertised to both neighbors.

R2#sh ip bgp neighbors 192.168.12.2 advertised-routes
BGP table version is 27, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.0/24       0.0.0.0                  0         32768 i
*> 44.44.44.0/24    0.0.0.0                  0         32768 i

Total number of prefixes 2

R2#sh ip bgp neighbors 192.168.14.4 advertised-routes
BGP table version is 27, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 4.4.4.0/24       0.0.0.0                  0         32768 i
*> 44.44.44.0/24    0.0.0.0                  0         32768 i

Total number of prefixes 2

The next step is to configure R3 not to advertise prefixes from AS 2 to AS 4. This can also be done with a filter-list and an AS-PATH access list. The list denies every path that begins with AS 2, which is every prefix R3 learned from its AS 2 neighbor R1 (including anything AS 2 would pass on from further away), and permits everything else. Note that ^2_ anchors on the first AS in the path; to drop AS 2 wherever it appears in a path, _2_ would be the pattern to use.

ip as-path access-list 111 deny ^2_
ip as-path access-list 111 permit .*

And apply it outbound on the neighbor in AS 4.

neighbor 192.168.34.4 filter-list 111 out

We can verify this on R4, the router in AS 4: its BGP table should not show any prefix with AS 2 in the path.

R4#sh ip bgp
BGP table version is 17, local router ID is 55.55.55.55
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 3.3.3.0/24       192.168.34.3             0             0 3 i
*> 5.5.5.0/24       0.0.0.0                  0         32768 i
*> 33.33.33.0/24    192.168.34.3             0             0 3 i
*> 55.55.55.0/24    0.0.0.0                  0         32768 i

In the BGP table of R4 there are no paths through AS 2, so the task is done. (This table also lacks the AS 1 prefixes 4.4.4.0/24 and 44.44.44.0/24 that R2 was shown advertising to R4 earlier, so the capture appears to have been taken after the inbound filter from the third task was already in place; before that filter those two prefixes would be expected here with path 1.)
The final task is to stop R4 from accepting any prefix originated in AS 1. This too can be done with a simple AS-PATH access list. Applied inbound on the session to the AS 1 neighbor, it denies every path that ends with AS 1, which is exactly the set of prefixes AS 1 originated, and the last line permits everything else.

ip as-path access-list 1 deny _1$
ip as-path access-list 1 permit .*

Then we apply this access list as an inbound filter-list on the neighbor in AS 1.

 neighbor 192.168.14.1 filter-list 1 in

Once more, to verify this, we look at the BGP table of R4.

R4#sh ip bgp
BGP table version is 17, local router ID is 55.55.55.55
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 3.3.3.0/24       192.168.34.3             0             0 3 i
*> 5.5.5.0/24       0.0.0.0                  0         32768 i
*> 33.33.33.0/24    192.168.34.3             0             0 3 i
*> 55.55.55.0/24    0.0.0.0                  0         32768 i

We can see that there are no prefixes with AS 1 in the path, so all three goals are achieved. This small scenario is nice to play with, but it gets complicated in larger networks: a filter-list matches only on the AS_PATH attribute, so in production it is normally combined with prefix-lists, and every regular expression should be tested against the paths you expect to see before it goes on a live session. Those who want to explore and understand more of the BGP regular expressions can visit the Cisco page.
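To make the three access lists testable without a router, here is an added Python example (not part of the original post) that reproduces how IOS evaluates an ip as-path access-list: the "_" metacharacter is translated to a Python regular expression following Cisco's documented meaning (start or end of string, space, comma or brace), entries are evaluated first-match with the implicit deny at the end, and an outbound filter is applied to a small BGP table before the local AS is prepended. The table for R3 is constructed from the lab's prefixes, and the "2 1" entry for 4.4.4.0/24 is an assumption standing for the state before AS 1 was made non-transit.

```python
import re


def ios_regex(pattern: str) -> re.Pattern:
    """Compile a Cisco IOS AS-path regular expression.

    IOS treats "_" as a metacharacter matching the start or end of the
    string, a space, a comma or a brace; everything else is ordinary
    regex syntax, so only "_" needs translating for Python's re module.
    """
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}])"))


def as_path_acl_permits(acl, as_path: str) -> bool:
    """Evaluate an ip as-path access-list against one AS_PATH string.

    `acl` is an ordered list of ("permit"|"deny", pattern) entries.  As on
    IOS, the first matching entry wins and an AS_PATH that matches no entry
    is denied (implicit deny at the end of every access list).
    """
    for action, pattern in acl:
        if ios_regex(pattern).search(as_path):
            return action == "permit"
    return False


# The three access lists from the lab, expressed as data.
ACL_23 = [("permit", "^$")]                     # task 1: locally originated only
ACL_111 = [("deny", "^2_"), ("permit", ".*")]   # task 2: nothing learned from AS 2
ACL_1 = [("deny", "_1$"), ("permit", ".*")]     # task 3: nothing originated in AS 1


def filtered_advertisements(table, acl, local_as):
    """Apply an outbound filter-list to a local BGP table.

    `table` maps prefix -> AS_PATH exactly as stored in the local BGP table.
    Outbound policy on IOS is evaluated on that stored path, before the
    router prepends its own AS on export, which is why "^$" selects the
    locally originated prefixes.  Returns prefix -> AS_PATH as the neighbor
    would receive it.
    """
    sent = {}
    for prefix, as_path in table.items():
        if as_path_acl_permits(acl, as_path):
            sent[prefix] = f"{local_as} {as_path}".strip()
    return sent


# Constructed sample of R3's BGP table: its own loopbacks, the AS 2 loopbacks
# learned from R1, and one AS 1 prefix heard through AS 2.  The "2 1" entry
# is an assumption for illustration (the state before task 1); it is not
# shown in the post.
R3_TABLE = {
    "3.3.3.0/24": "",
    "33.33.33.0/24": "",
    "2.2.2.0/24": "2",
    "22.22.22.0/24": "2",
    "4.4.4.0/24": "2 1",
}


if __name__ == "__main__":
    # What R3 would send to R4 with filter-list 111 outbound: only the
    # AS 3 loopbacks, matching the "3 i" paths in R4's table above.
    print(filtered_advertisements(R3_TABLE, ACL_111, local_as=3))
    # "^2_" only anchors on a path that *starts* with AS 2; a path such as
    # "4 2" slips through, while "_2_" would deny AS 2 anywhere in the path.
    strict = [("deny", "_2_"), ("permit", ".*")]
    print(as_path_acl_permits(ACL_111, "4 2"), as_path_acl_permits(strict, "4 2"))
```

Running the script shows that filter-list 111 leaves R3 advertising only 3.3.3.0/24 and 33.33.33.0/24 with path "3", and that filter-list 1 denies "1" and "2 1" but still permits "21" and "1 2", because "_1$" matches AS 1 only as the last (originating) AS, not as a substring of another AS number.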

Feel free to comment.

Thanks.
