BGP AS Path Access Lists

AS Path access lists entries determine if networks are allowed or denied in specific BGP configuration contexts. They are primarily used in BGP route maps, but also can be used in other areas of BGP configuration which accept AS Path lists as parameters.

The order of entries inside an AS Path list is important, and this order is determined by a sequence number. As with other access lists, AS Path access lists implicitly deny anything not matched.

BGP AS Path Configuration

To create a new AS Path list, from config-frr-bgp mode, use the as-path <name> command, which enters config-aspath mode:

tnsr(config-frr-bgp)# as-path myasp
tnsr(config-aspath)#

config-aspath mode contains only the rule <seq> (permit|deny) <pattern> command which defines a new AS Path rule with the following parameters:

<seq>:

The sequence number for this rule, which controls the order in which rules are matched inside this AS Path list. Each rule must have a unique sequence number. Best practice is to leave gaps in the sequence to allow for adding rules in the future. For example, use 10, 20, 30, rather than 1, 2, 3.

(permit|deny):

The action taken when this AS Path rule is matched, either permit or deny.

<pattern>:

A regular expression pattern which will match on the AS number.

Regular expression patterns support common pattern special characters for matching, but also a special _ character. The _ character matches common AS delimiters such as start of line, end of line, space, comma, braces, and parenthesis. The _ character can be used on either side of an AS number to match it exactly, such as _65534_.

BGP AS Path Example

This AS Path could match an empty AS value or the specific value of 65002, and no others:

tnsr(config-frr-bgp)# as-path myasp
tnsr(config-aspath)# rule 10 permit ^$
tnsr(config-aspath)# rule 20 permit _65002_
tnsr(config-aspath)# exit
tnsr(config-frr-bgp)#

This AS Path will match only when the path being compared starts with 65500. This is a common way to ensure that routes from a peer contain the expected AS in the AS Path.

tnsr(config)# route dynamic bgp
tnsr(config-frr-bgp)# as-path R2-AS
tnsr(config-aspath)# rule 10 permit ^65005
tnsr(config-aspath)# exit
tnsr(config-frr-bgp)# exit
tnsr(config)# route dynamic route-map CHECK-R2-AS
tnsr(config-route-map)# sequence 10
tnsr(config-route-map-rule)# policy permit
tnsr(config-route-map-rule)# match as-path R2-AS
tnsr(config-route-map-rule)# exit
tnsr(config-route-map)# exit
tnsr(config)# route dynamic bgp
tnsr(config-frr-bgp)# server 65002
tnsr(config-bgp)# neighbor 10.2.222.2
tnsr(config-bgp-neighbor)# remote-as 65005
tnsr(config-bgp)# address-family ipv4 unicast
tnsr(config-bgp-ip4uni)# neighbor 10.2.222.2
tnsr(config-bgp-ip4uni-nbr)# route-map CHECK-R2-AS in
tnsr(config-bgp-ip4uni-nbr)# exit
tnsr(config-bgp-ip4uni)# exit
tnsr(config-bgp)# exit
tnsr(config-frr-bgp)# exit
tnsr(config)#

BGP AS Path Status

To view AS Path lists, use the show route dynamic bgp as-path [<name>] command. Add the name of an AS Path list to restrict the output to a single entry.

tnsr(config)# show route dynamic bgp as-path

Name  Seq Policy Pattern
----- --- ------ -------
R2-AS  10 permit ^65005

myasp  10 permit ^$
myasp  20 permit _65002_