Date created: Friday, May 27, 2016 11:20:42 AM. Last modified: Tuesday, October 3, 2017 8:18:52 PM

ASN Filtering

Junos Examples Here

A list of ASNs that are reserved or not expected to be seen within the global internet table:

! 2 to 4 byte ASN migrations
! This could be disallowed if we support 4 byte ASNs,
! although it is likely to drop valid paths

_23456_



! rfc7607 ASN 0 disallowed
! 0
!

_0_



! rfc5398 ASNs for documentation/examples
! 64496 - 64511
! 65536 - 65551

_(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_



! rfc6996 ASNs for Private Use
! 64512 - 65534
! 4200000000 - 4294967294

_(6451[2-9])_|_(645[2-9][0-9])_|_(64[6-9][0-9][0-9])_|_(65[0-4][0-9][0-9])_|_(655[0-2][0-9])_|_(6553[0-4])_

! This will collapse to (the collapsed form also matches 65535, which rfc7300 reserves and which is denied separately below)

_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_


! 4200000000 - 4294967294, split by leading digits
(42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9])|
(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])|
(4294[0-8][0-9][0-9][0-9][0-9][0-9])|
(42949[0-5][0-9][0-9][0-9][0-9])|
(429496[0-6][0-9][0-9][0-9])|
(4294967[0-1][0-9][0-9])|
(42949672[0-8][0-9])|
(429496729[0-4])

! The above collapses to

_(42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9])_|_(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_|_(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_|_(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-4])_

! which further condenses to:

_42([0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]|9([0-3][0-9][0-9][0-9][0-9][0-9][0-9]|4([0-8][0-9][0-9][0-9][0-9][0-9]|9([0-5][0-9][0-9][0-9][0-9]|6([0-6][0-9][0-9][0-9]|7([0-1][0-9][0-9]|2([0-8][0-9]|9[0-4])))))))_



! rfc7300 - Last 32 & 64 bit ASNs are reserved
! 65535
! 4294967295

_65535_

_4294967295_



! ASN range 65552-131071
! is marked reserved on the IANA page, but there is no RFC and no indication of why, or whether it will be allocated later
! 65552-131071

_6555[2-9]_
_655[6-9][0-9]_
_65[6-9][0-9][0-9]_
_6[6-9][0-9][0-9][0-9]_
_[7-9][0-9][0-9][0-9][0-9]_
_1[0-2][0-9][0-9][0-9][0-9]_
_130[0-9][0-9][0-9]_
_1310[0-6][0-9]_
_13107[0-1]_

! Which collapses to

_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_|_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_|_1310[0-6][0-9]_|_13107[0-1]_
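A quick way to verify that the collapsed patterns above cover exactly the intended ranges and nothing else, as an added Python check that is not part of the original notes: it expands the IOS `_` token (start or end of the path, space, comma, braces, parentheses) into an equivalent Python regex, scans the 2-byte ranges exhaustively and spot-checks the boundaries of the 4-byte range. The boundary values and sample AS-paths are constructed here.

```python
import re

# Cisco IOS as-path regex: "_" matches the start or end of the path or any
# delimiter (space, comma, braces, parentheses); Python needs it spelled out.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"

# Collapsed patterns copied from the filter above.
PRIVATE_2BYTE = "_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_"
PRIVATE_4BYTE = ("_42([0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]|9([0-3][0-9][0-9][0-9][0-9][0-9][0-9]"
                 "|4([0-8][0-9][0-9][0-9][0-9][0-9]|9([0-5][0-9][0-9][0-9][0-9]|6([0-6][0-9][0-9][0-9]"
                 "|7([0-1][0-9][0-9]|2([0-8][0-9]|9[0-4])))))))_")
IANA_RESERVED = ("_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_"
                 "|_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_"
                 "|_1310[0-6][0-9]_|_13107[0-1]_")
DOC_ASNS = "_(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_"
BOGON_ASN_PATTERNS = ["_0_", "_23456_", DOC_ASNS, PRIVATE_2BYTE, PRIVATE_4BYTE,
                      "_65535_", "_4294967295_", IANA_RESERVED]

def ios_to_python(pattern):
    """Compile an IOS as-path regex as a Python regex (only "_" needs translating)."""
    return re.compile(pattern.replace("_", IOS_UNDERSCORE))

def matched_asns(pattern, candidates):
    """The subset of candidate ASNs that match when each one forms the whole AS-path."""
    rx = ios_to_python(pattern)
    return {asn for asn in candidates if rx.search(str(asn))}

def check_exact_range(pattern, lo, hi, scan_lo, scan_hi):
    """True iff, scanning scan_lo..scan_hi, the pattern matches exactly lo..hi and nothing else."""
    return matched_asns(pattern, range(scan_lo, scan_hi + 1)) == set(range(lo, hi + 1))

def check_boundaries(pattern, inside, outside):
    """Spot-check for ranges too big to scan: all 'inside' ASNs match and no 'outside' ASN does."""
    return matched_asns(pattern, inside + outside) == set(inside)

def path_is_bogon(as_path):
    """True if any pattern matches the AS-path as IOS would see it, e.g. '3356 64512 7018'."""
    return any(ios_to_python(p).search(as_path) for p in BOGON_ASN_PATTERNS)

if __name__ == "__main__":
    # The collapsed rfc6996 pattern covers 64512-65535 (65535 is reserved by rfc7300 anyway).
    print(check_exact_range(PRIVATE_2BYTE, 64512, 65535, 0, 99999))
    print(check_exact_range(IANA_RESERVED, 65552, 131071, 0, 199999))
    print(check_boundaries(PRIVATE_4BYTE, [4200000000, 4289999999, 4290000000, 4294967294],
                           [4199999999, 4294967295, 420000000, 42000000000]))
    print(path_is_bogon("3356 64512 7018"), path_is_bogon("3356 1299 7018"))
```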

Cisco IOS config to filter all the above ASNs (if the list is referenced from a route-map, the as-path access-list must use "permit" statements and the route-map entry must "deny"; the "deny" statements shown below are not for that case):

ip as-path access-list 1 deny _0_
ip as-path access-list 1 deny _23456_  ! USE WITH CAUTION
ip as-path access-list 1 deny _(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_
ip as-path access-list 1 deny _6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_
ip as-path access-list 1 deny _42([0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]|9([0-3][0-9][0-9][0-9][0-9][0-9][0-9]|4([0-8][0-9][0-9][0-9][0-9][0-9]|9([0-5][0-9][0-9][0-9][0-9]|6([0-6][0-9][0-9][0-9]|7([0-1][0-9][0-9]|2([0-8][0-9]|9[0-4])))))))_
ip as-path access-list 1 deny _65535_
ip as-path access-list 1 deny _4294967295_
ip as-path access-list 1 deny _6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_
ip as-path access-list 1 deny _[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_|_1310[0-6][0-9]_|_13107[0-1]_
ip as-path access-list 1 permit .*

! These can be split into more, simpler entries, which should give a performance increase on slower IOS CPU boxes; the exact benefit is untested.
ip as-path access-list 1 deny _0_
ip as-path access-list 1 deny _23456_  ! USE WITH CAUTION
ip as-path access-list 1 deny _(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_
ip as-path access-list 1 deny _6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_
ip as-path access-list 1 deny _6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_
ip as-path access-list 1 deny _[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_
ip as-path access-list 1 deny _1310[0-6][0-9]_|_13107[0-1]_
ip as-path access-list 1 deny _42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_
ip as-path access-list 1 deny _(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_
ip as-path access-list 1 deny _(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_
ip as-path access-list 1 deny _(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-4])_
ip as-path access-list 1 permit .*

The IOS-XR config to filter the same ASN list:

as-path-set BOGON-ASNs
  ios-regex '_0_',
  ios-regex '_(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_',
  ios-regex '_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_',
  ios-regex '_42([0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]|9([0-3][0-9][0-9][0-9][0-9][0-9][0-9]|4([0-8][0-9][0-9][0-9][0-9][0-9]|9([0-5][0-9][0-9][0-9][0-9]|6([0-6][0-9][0-9][0-9]|7([0-1][0-9][0-9]|2([0-8][0-9]|9[0-4])))))))_',
  ios-regex '_65535_',
  ios-regex '_4294967295_',
  ios-regex '_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_|_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_|_1310[0-6][0-9]_|_13107[0-1]_'
end-set

route-policy TRANSIT-IN-IPV4-FILTER
  if destination in IPV4-BOGON then
    drop
  endif
  if as-path in BOGON-ASNs then
    drop
  endif
  if as-path length ge 70 then
    drop
  endif
  set community (XXX:YYY, XXX:ZZZ)
  set origin incomplete
  set med 0
end-policy

The IOS-XR config can be condensed using the passes-through operator in IOS-XR (which doesn't accept '0' as a value, so ASN 0 still needs an ios-regex entry):

as-path-set BOGON-ASNs
  #rfc7607
  ios-regex '_0_',
  #2 to 4 byte ASN migrations
  passes-through '23456',
  #rfc5398
  passes-through '[64496..64511]',
  passes-through '[65536..65551]',
  #rfc6996
  passes-through '[64512..65534]',
  passes-through '[4200000000..4294967294]',
  #rfc7300
  passes-through '65535',
  passes-through '4294967295',
  #IANA reserved
  passes-through '[65552..131071]'
end-set