By Ivan Pepelnjak
Solution
Use the following statement in an AS-path access list to block all AS-paths where
the same AS number appears more than five times consecutively (change the
number of _\1_ expressions to tailor the filter to your needs).
ip as-path access-list 100 deny _([0-9]+)_\1_\1_\1_\1_
Short explanation
The \1 Cisco IOS regular expression pattern allows you to match a previously matched string. This pattern can be used to match prepended AS-paths.
Detailed description
The following features of Cisco IOS regular expressions were used in this solution:
The _[0-9]+_ pattern matches a complete number (the _ characters match separators,
including beginning or end of string).
The _([0-9]+)_ pattern matches a complete number and saves it for further reference.
The regular expression _([0-9]+)_\1_\1_\1_\1_ therefore matches any AS path where a single AS
number appears five or more times in a sequence.
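An offline approximation of this match in Python, added here as an example (it is not part of the original article): the IOS `_` separator is expanded into an equivalent Python group and the filter is run over constructed AS paths, including cases where digits repeated inside one AS number must not be mistaken for prepending. The function names are hypothetical, and Python's `re` engine only approximates the IOS regular expression engine.

```python
import re

# Cisco IOS "_" matches a separator: a space, comma, brace or parenthesis,
# or the beginning/end of the string. Python has no such token, so expand it.
IOS_SEPARATOR = r"(?:^|$|[ ,{}()])"


def ios_to_python(ios_regex):
    """Approximate an IOS AS-path regex in Python (translates '_' only)."""
    return re.compile(ios_regex.replace("_", IOS_SEPARATOR))


# The filter from the article: one AS number five or more times in a row.
PREPEND_FILTER = ios_to_python(r"_([0-9]+)_\1_\1_\1_\1_")
# For contrast: the same idea without separators between the backreferences.
NO_SEPARATORS = ios_to_python(r"_([0-9]+)\1\1\1\1")


def excessively_prepended(as_path):
    return PREPEND_FILTER.search(as_path) is not None


def filter_paths(paths):
    """Split paths into (permitted, denied) as the deny entry would."""
    denied = [p for p in paths if excessively_prepended(p)]
    permitted = [p for p in paths if not excessively_prepended(p)]
    return permitted, denied


# Constructed sample AS paths (origin codes omitted).
SAMPLE_PATHS = [
    "65000 1 2 3 4",
    "65000 1 2 3 4 4 4 4",      # four in a row: below the threshold
    "65000 1 2 2 2 2 2 3 4",    # five in a row, mid-path
    "65000 1 1 1 1 1 1 2 3 4",  # six in a row
    "65000 4 4 4 4 4",          # five in a row at the end of the path
    "65000 11111 3 4",          # repeated digits inside a single AS number
    "65000 12 12 12 12 123",    # four repeats of 12; 123 is a different AS
]

if __name__ == "__main__":
    permitted, denied = filter_paths(SAMPLE_PATHS)
    for path in SAMPLE_PATHS:
        verdict = "deny  " if path in denied else "permit"
        # The separator-less variant misreads digits as prepending.
        naive = "hit" if NO_SEPARATORS.search(path) else "-"
        print(f"{verdict}  naive={naive:3}  {path}")
```

The separator-less variant flags only the `11111` path and misses every genuinely prepended one, which is why each backreference in the filter is wrapped in `_`.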
Test bed
A simple test network was set up using a single Cisco IOS router (10.17.0.1) and a Linux host
(10.17.0.2) running Quagga BGP daemon (see the Initial configurations section for details). The
Quagga BGP daemon advertised numerous BGP routes with various lengths of prepended AS
paths to the Cisco IOS router (note that prepending happens at various points in the AS path, not
just at the beginning of it).
Rtr#show ip bgp | begin Network
   Network          Next Hop            Metric Loc Weight Path
*> 10.2.1.0/24      10.17.0.2                0          0 65000 1 2 3 4 i
*> 10.2.2.0/24      10.17.0.2                0          0 65000 1 2 2 3 4 i
*> 10.2.3.0/24      10.17.0.2                0          0 65000 1 2 3 3 3 4 i
*> 10.2.4.0/24      10.17.0.2                0          0 65000 1 2 3 4 4 4 4 i
*> 10.2.5.0/24      10.17.0.2                0          0 65000 1 2 2 2 2 2 3 4 i
*> 10.2.6.0/24      10.17.0.2                0          0 65000 1 1 1 1 1 1 2 3 4 i
Test results
You can use the show ip bgp regexp command to test a regular expression on the actual data
stored in the BGP table. When used on the test router, the regular expression matched all IP
prefixes where a single AS number was prepended four or more times, verifying the correctness
of the regular expression.
The show ip bgp quote-regexp command was used to combine the regexp match with additional
show filters.
R2#show ip bgp quote-regexp "_([0-9]+)_\1_\1_\1_\1_" | begin Network
   Network          Next Hop            Metric Loc Weight Path
*> 10.2.5.0/24      10.17.0.2                0          0 65000 1 2 2 2 2 2 3 4 i
*> 10.2.6.0/24      10.17.0.2                0          0 65000 1 1 1 1 1 1 2 3 4 i
The following changes were made to the router configuration to filter excessively prepended
BGP prefixes:
After a soft reset of the BGP session, the printout of the resulting BGP table verified that the
router has filtered all inbound BGP updates with excessively prepended AS paths.
Final BGP table on the router
R2#show ip bgp | begin Network
   Network          Next Hop            Metric Loc Weight Path
*> 10.2.1.0/24      10.17.0.2                0          0 65000 1 2 3 4 i
*> 10.2.2.0/24      10.17.0.2                0          0 65000 1 2 2 3 4 i
*> 10.2.3.0/24      10.17.0.2                0          0 65000 1 2 3 3 3 4 i
*> 10.2.4.0/24      10.17.0.2                0          0 65000 1 2 3 4 4 4 4 i
Initial configurations
Router configuration
hostname Rtr
!
ip cef
!
interface Loopback0
 ip address 10.0.1.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.17.0.1 255.255.255.0
!
router bgp 65100
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.17.0.2 remote-as 65000
 no auto-summary
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
!
ntp logging
end
permit 10
prepend 1 2 3 4
permit 10
prepend 1 2 2 3 4
permit 10
prepend 1 2 3 3 3 4
permit 10
prepend 1 2 3 4 4 4 4
permit 10
prepend 1 2 2 2 2 2 3 4
permit 10
prepend 1 1 1 1 1 1 2 3 4
!
!
http://wiki.nil.com/Filter_excessively_prepended_BGP_paths
Matching on ^ASPath_ASPath$ Prepending information.
Posted on 22/10/2008 by vcappuccio
Suppose you want to find all routes that have the same AS number in a row 8 or more times. Is this possible using regexp?
Yes, you can :)
Using this regular expression:
^([0-9]+)(_\1)*$

              r RIB-failure, S Stale
   Network          Next Hop
*> 2.2.2.0/24       172.22.142.2        0222222222?

   Network          Next Hop
*> 1.1.1.1/32       172.22.83.1
*> 3.3.3.3/32       172.22.83.1
*> 33.33.0.0/16     172.22.83.1

R6(config)#do show ip bgp regex ^([0-9]+)(_\1)*$| b Net
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop
*> 1.1.1.1/32       172.22.83.1
The expression
^([0-9]+)(_\1)*$
works as follows: the first parenthesis matches any AS number and stores the value of the matched AS number; this value is recalled by the second part of the regular expression through the variable \1, which is where the result is stored. This value is then repeated zero or more times, and the $ matches the end of the string.
If you are looking for more information, here is a nice article written by Brian McGahan about Understanding BGP Regular Expressions.
http://anetworkerblog.com/2008/10/22/as-path-prepend/
Hi everybody!
What regular expression should be used to display only BGP routes on which as path prepending
was done, say, more than 20 times (by the same AS)?
The question was born after reading the article: http://www.renesys.com/blog/2009/02/longer-isnot-better.shtml.
The task is to find whether there are such suspicious internet routes, on which some ISP executed
as-path prepending procedure unusually many times.
I thought that _([0-9]+)(_\1){20,} would work (repeat delimiter and backreference 20 or more
times), but public route server @ Optus, Australia, said otherwise:
*********************************************************************************
route-views.optus.net.au>
*********************************************************************************
- actually, nothing. That is, even at least triple prepending is not discovered, although the standard expression
_([0-9]+)(_\1)+ works fine:
*********************************************************************************
route-views.optus.net.au>sh ip bgp reg _([0-9]+)(_\1)+
BGP table version is 150012938, local router ID is 203.202.125.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop
*> 1.0.4.0/22       202.160.242.71
                    203.13.132.49       20
                    203.13.132.47       10
                    202.139.124.175
                    202.139.124.145     10
                    202.139.124.130     20
                    202.139.124.159
                    203.13.132.51
                    202.139.124.177
                    192.65.89.98        20
                    192.65.89.161
*************************************************************************************
Help, please!
Hi Eugene,
I was sure that I had tested that regex before posting it, so I had to go back and look. When I use the regex (_[0-9]+)\1\1\1\1, this will display routes with an AS-PATH that have AT LEAST 5 ASNs in a row; it will also show 6, 7, 8, 9..... The regex that you have listed above, _([0-9]+)\1\1\1\1, does not repeat the delimiter match, _. So, what your regex is actually matching is AS paths that include ASNs with 5 digits. Try again and put the underscore inside the parenthesis.
http://www.ciscopress.com/articles/article.asp?p=169556
http://networklessons.com/bgp/bgp-regular-expressions-examples/