BGP – How to Filter All BGP Routes from One Specific AS

bgproute-filter

how can I filter all the routes from one AS?

enter image description here

I want to filter all routes from AS 6400 towards AS1000, how can I filter whole routes from one AS to another?

I do not want to be used as transit AS so I need to do that, I Googled and got some stuff about using prefix-list + route-map but the thing is AS6400 is an actual Internet active AS which hosts some 500000 plus routes, and it does not sound reasonable to write prefix list for that amount of route, so what should I do?

Best Answer

There are a couple ways to do this, without having to specify every single prefix that you're receiving from AS6400 in a prefix-list (I would personally advise against doing this because as you mentioned, the administrative overhead is high and the process will become exponentially more error-prone as the number of prefixes increases).

1) Tag routes you've received from AS6400 with the no export community. You would do this within a route-map:

route-map RECEIVE-FROM-6400 permit 5
  set community no-export additive

This will tell R3 to not advertise the routes learned from AS6400 to AS1000 via the eBGP session to R1. This is your simplest option (note here that this will need to be an inbound filter applied on R4 on the eBGP session to R2/AS6400).

2) You could use an AS Path access list to determine which prefixes have an AS path that begins with 6400 and then you could use it on a BGP neighbor statement with a filter list, or you could use it in a route-map to deny advertising the prefixes on R3. This is less simple because it requires knowledge of regex (to be fair, the regex required here is somewhat simple) and it also depends on no one doing anything funny with their AS path, of which there's no real guarantee. Using a route-map, the configuration to implement would look something like this (assuming IOS):

ip as-path access-list 10 permit ^6400_[0-9]*$

route-map ANNOUNCE-TO-1000 deny 5
  match as-path 10

route-map ANNOUNCE-TO-1000 permit 10

Note that the above will need to be configured as an outbound filter on R3 for the eBGP session with AS1000.

Using the well-known 'no export' community is likely going to be your best bet, along with being very judicious with your outbound announcements to AS1000 and AS6400.

Related Solutions

Routing – BGP remote-triggered blackhole (RTBH) filter for Juniper

There is no reason to limit customer to blackhole only /32, allow them to blackhole anything from them.

Something like this:

policy-statement AS42-IN {
    term blackhole {
        from {
            community BLACKHOLE;
            prefix-list-filter AS42 orlonger;
        }
        then {
            community add NO-EXPORT;
            next-hop 192.0.2.1;
            accept;
        }
    }
    term advertise {
        from {
            prefix-list AS42;
        }
        then {
            community add ADVERTISE;
            next-hop peer-address;
            accept;
        }
    }
    term reject {
        then reject;
    }
}

Remember to set 'accept-remote-nexthop' under BGP settings, so that the next-hop can be changed to something else than link address.

I also strongly support that providers start to support different blackhole communities than just 'full blackhole'. Especially if you operate in more than one country usually attack is from transit and often customer actually mostly wants to access domestic peerings, so it's useful to implement several levels of blackhhole:

Full
Outside local country (local IXP, whole own AS + customers seen)
Outside local area (if applicable, like for me it could be 'Nordics')
Include/Exclude specific peering router in blackhole

I'm happy to give example how to implement something like this with JNPR DCU/SCU, provided your peering routers are JNPR, but it's possible with just communities, just bit more awkward.

If you absolutely want to limit your customer's options you can add this:

policy-statement /32 {
    term /32 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /32-/32;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}

policy-statement AS42-IN {
    term blackhole {
        from {
            community BLACKHOLE;
            policy /32;
            prefix-list-filter AS42 orlonger;
        }
..
}

This way it should be logical AND. But I really don't see the value in creating complexity to reduce expressiveness of configuration.

Routing – Creating a JunOS firewall filter based on dynamic routing properties

GRNET (the Greek Research and Education network) have developed a web application for customers to do this with Flowspec. The web portal has a BGP Flowspec backend which injects flowspec into your network. Highly configurable and in use on the 500-1,000 Gbps pan-European GEANT backbone: https://www.noc.grnet.gr/en/fod

Best Answer

Related Solutions

Routing – BGP remote-triggered blackhole (RTBH) filter for Juniper

Routing – Creating a JunOS firewall filter based on dynamic routing properties

Related Topic