Date created: Friday, May 27, 2016 11:20:42 AM. Last modified: Tuesday, October 3, 2017 8:18:52 PM
ASN Filtering
A list of ASNs that are reserved or not expected to be seen within the global internet table:
! 2 to 4 byte ASN migrations (AS_TRANS, rfc6793)
! This could be disallowed if we support 4 byte ASNs,
! although it is likely to drop valid paths
_23456_

! rfc7607 ASN 0 disallowed
! 0
_0_

! rfc5398 ASNs for documentation/examples
! 64496 - 64511
! 65536 - 65551
_(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_

! rfc6996 ASNs for Private Use
! 64512 - 65534
! 4200000000 - 4294967294
_(6451[2-9])_|_(645[2-9][0-9])_|_(64[6-9][0-9][0-9])_|_(65[0-4][0-9][0-9])_|_(655[0-2][0-9])_|_(6553[0-4])_
! This will collapse to
_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-4])))_

(42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9])|
(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])|
(4294[0-8][0-9][0-9][0-9][0-9][0-9])|
(42949[0-5][0-9][0-9][0-9][0-9])|
(429496[0-6][0-9][0-9][0-9])|
(4294967[0-1][0-9][0-9])|
(42949672[0-8][0-9])|
(429496729[0-4])
! The above collapses to
_(42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9])_|_(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_|_(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_|_(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-4])_
! which further condenses to:
_42([0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]|9([0-3][0-9][0-9][0-9][0-9][0-9][0-9]|4([0-8][0-9][0-9][0-9][0-9][0-9]|9([0-5][0-9][0-9][0-9][0-9]|6([0-6][0-9][0-9][0-9]|7([0-1][0-9][0-9]|2([0-8][0-9]|9[0-4])))))))_

! rfc7300 - the last 16 bit and the last 32 bit ASN are reserved
! 65535
! 4294967295
_65535_
_4294967295_

! ASN range 65552-131071 is listed as reserved in the IANA registry,
! but no RFC says why, or whether it will be allocated later
! 65552-131071
_6555[2-9]_
_655[6-9][0-9]_
_65[6-9][0-9][0-9]_
_6[6-9][0-9][0-9][0-9]_
_[7-9][0-9][0-9][0-9][0-9]_
_1[0-2][0-9][0-9][0-9][0-9]_
_130[0-9][0-9][0-9]_
_1310[0-6][0-9]_
_13107[0-1]_
! Which, joined onto one line, is
_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_|_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_|_1310[0-6][0-9]_|_13107[0-1]_
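The two manual steps above (expanding a numeric range into "literal prefix + digit class" alternatives, then factoring the shared prefixes out) are mechanical, and a hand-written class that is off by one digit either lets a reserved ASN through or drops legitimate paths without any error from the router. The Python script below is an added example and is not code from the original page or from any vendor: it regenerates the page's regexes from the ranges, translates Cisco's `_` anchor into a Python equivalent (assumed here to match start and end of the path, space, comma, braces and parentheses), and checks every pattern against every ASN below 140000, the 32-bit private-range boundaries and a seeded random sample of the 32-bit space. The range table, the AS_PATH strings used for matching and the helper names are all constructed for the example.

```python
"""Generate and verify Cisco-style AS-path regexes for ASN ranges (added example)."""
import random
import re

# Constructed for this example: the ASN ranges the page lists as reserved / unexpected.
RESERVED = {
    "rfc5398-doc-16bit": (64496, 64511),
    "rfc5398-doc-32bit": (65536, 65551),
    "rfc6996-private-16bit": (64512, 65534),
    "rfc6996-private-32bit": (4200000000, 4294967294),
    "rfc7300-last-16bit": (65535, 65535),
    "rfc7300-last-32bit": (4294967295, 4294967295),
    "iana-reserved": (65552, 131071),
}

def _pieces(lo, hi):
    """Split lo..hi into sub-ranges that each become 'literal prefix + [x-y] + [0-9]...'."""
    if lo > hi:
        return
    slo, shi = str(lo), str(hi)
    if len(slo) != len(shi):                  # different digit counts: split at 99...9
        mid = 10 ** len(slo) - 1
        yield from _pieces(lo, mid)
        yield from _pieces(mid + 1, hi)
        return
    i = 0
    while slo[i] == shi[i]:                   # i = length of the common prefix
        i += 1
        if i == len(slo):                     # lo == hi: a single literal number
            yield (lo, hi)
            return
    rest = len(slo) - i - 1
    if slo[i + 1:] != "0" * rest:             # lo's tail is not all zeros: peel off the top block
        top = int(slo[:i + 1] + "9" * rest)
        yield from _pieces(lo, top)
        yield from _pieces(top + 1, hi)
    elif shi[i + 1:] != "9" * rest:           # hi's tail is not all nines: peel off the bottom block
        bottom = int(shi[:i + 1] + "0" * rest)
        yield from _pieces(lo, bottom - 1)
        yield from _pieces(bottom, hi)
    else:                                     # prefix + [x-y] + [0-9]... covers it exactly
        yield (lo, hi)

def _tokens(a, b):
    """One token per digit: a literal where a and b agree, a class [x-y] where they differ."""
    return [x if x == y else f"[{x}-{y}]" for x, y in zip(str(a), str(b))]

def _top_level_alt(body):
    """True if body has a '|' outside all parentheses (must be bracketed before anchoring)."""
    depth = 0
    for ch in body:
        depth += (ch == "(") - (ch == ")")
        if ch == "|" and depth == 0:
            return True
    return False

def _factor(alts):
    """Pull shared leading tokens out of a list of token lists (the page's 'collapse' step)."""
    if len(alts) == 1:
        return "".join(alts[0])
    groups = {}
    for toks in alts:                         # a contiguous range never leaves a tail empty here
        groups.setdefault(toks[0], []).append(toks[1:])
    parts = []
    for head, tails in groups.items():
        inner = _factor(tails)
        parts.append(head + (f"({inner})" if _top_level_alt(inner) else inner))
    return "|".join(parts)

def expanded_regex(lo, hi):
    """The page's first form: one _..._ alternative per piece."""
    return "|".join("_" + "".join(_tokens(a, b)) + "_" for a, b in _pieces(lo, hi))

def collapsed_regex(lo, hi):
    """The page's condensed form: a single _..._ pattern with common prefixes factored out."""
    body = _factor([_tokens(a, b) for a, b in _pieces(lo, hi)])
    return f"_({body})_" if _top_level_alt(body) else f"_{body}_"

def cisco_to_python(pattern):
    """Cisco '_' matches start/end of the string, space, comma, braces and parentheses."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

def mismatches(pattern, lo, hi, universe):
    """ASNs in universe where pattern disagrees with membership in lo..hi; [] means correct."""
    rx = cisco_to_python(pattern)
    # constructed AS_PATH with the candidate ASN as the middle hop, so '_' anchoring is exercised
    return [a for a in universe if (rx.search(f"3356 {a} 1299") is not None) != (lo <= a <= hi)]

def _universe():
    """Every ASN below 140000, the 32-bit private-range boundaries, and a seeded random sample."""
    edges = [4199999999, 4200000000, 4289999999, 4290000000, 4293999999, 4294000000,
             4294899999, 4294900000, 4294959999, 4294960000, 4294966999, 4294967000,
             4294967199, 4294967200, 4294967289, 4294967290, 4294967294, 4294967295]
    rng = random.Random(7)
    return list(range(140000)) + edges + [rng.randrange(131072, 2**32) for _ in range(3000)]

def verify_all():
    """Range name -> mismatches of both generated forms against that range (all [] when correct)."""
    u = _universe()
    return {name: mismatches(expanded_regex(lo, hi), lo, hi, u)
                  + mismatches(collapsed_regex(lo, hi), lo, hi, u)
            for name, (lo, hi) in RESERVED.items()}
```

`collapsed_regex(64512, 65534)` reproduces the nested form for the 16-bit private range and `collapsed_regex(4200000000, 4294967294)` the 32-bit one, character for character. The check is the useful part: `mismatches("_(655[0-2][0-9][0-9])_", 65500, 65529, range(65000, 66000))`, a five-digit class mistyped as six digits, returns every ASN from 65500 to 65529 as uncovered, which is exactly the kind of gap the eye skips when reading a long alternation. Run `verify_all()` after any hand edit to the lists below.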
Cisco IOS config to filter all the above ASNs. The list below is written with "deny" entries followed by "permit .*" and is meant to be applied directly to a neighbour with a filter-list (neighbor x.x.x.x filter-list 1 in). If the match is done from a route-map instead, the as-path access-list must use "permit" entries, the route-map clause that matches it must be a "deny", followed by a "permit" clause for everything else: a route-map "match as-path" only succeeds on paths the as-path list permits, so "deny" entries in the list never match anything from the route-map's point of view.
ip as-path access-list 1 deny _0_
! USE WITH CAUTION
ip as-path access-list 1 deny _23456_
ip as-path access-list 1 deny _(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_
ip as-path access-list 1 deny _6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-4])))_
ip as-path access-list 1 deny _42([0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]|9([0-3][0-9][0-9][0-9][0-9][0-9][0-9]|4([0-8][0-9][0-9][0-9][0-9][0-9]|9([0-5][0-9][0-9][0-9][0-9]|6([0-6][0-9][0-9][0-9]|7([0-1][0-9][0-9]|2([0-8][0-9]|9[0-4])))))))_
ip as-path access-list 1 deny _65535_
ip as-path access-list 1 deny _4294967295_
ip as-path access-list 1 deny _6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_
ip as-path access-list 1 deny _[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_|_1310[0-6][0-9]_|_13107[0-1]_
ip as-path access-list 1 permit .*

! The entries can be slightly expanded, which should give a performance
! increase on slower IOS CPU boxes; the exact benefit is untested.
ip as-path access-list 1 deny _0_
! USE WITH CAUTION
ip as-path access-list 1 deny _23456_
ip as-path access-list 1 deny _(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_
ip as-path access-list 1 deny _6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-4])))_
ip as-path access-list 1 deny _65535_
ip as-path access-list 1 deny _4294967295_
ip as-path access-list 1 deny _6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_
ip as-path access-list 1 deny _[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_
ip as-path access-list 1 deny _1310[0-6][0-9]_|_13107[0-1]_
ip as-path access-list 1 deny _42[0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_
ip as-path access-list 1 deny _(429[0-3][0-9][0-9][0-9][0-9][0-9][0-9])_|_(4294[0-8][0-9][0-9][0-9][0-9][0-9])_
ip as-path access-list 1 deny _(42949[0-5][0-9][0-9][0-9][0-9])_|_(429496[0-6][0-9][0-9][0-9])_
ip as-path access-list 1 deny _(4294967[0-1][0-9][0-9])_|_(42949672[0-8][0-9])_|_(429496729[0-4])_
ip as-path access-list 1 permit .*
The IOS-XR config to filter the same ASN list (note that _23456_ is not included in this set, and that IPV4-BOGON is a prefix-set which has to be defined separately):

as-path-set BOGON-ASNs
  ios-regex '_0_',
  ios-regex '_(6449[6-9])_|_(6450[0-9])_|_(6451[0-1])_|_(6553[6-9])_|_(6554[0-9])_|_(6555[0-1])_',
  ios-regex '_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-4])))_',
  ios-regex '_42([0-8][0-9][0-9][0-9][0-9][0-9][0-9][0-9]|9([0-3][0-9][0-9][0-9][0-9][0-9][0-9]|4([0-8][0-9][0-9][0-9][0-9][0-9]|9([0-5][0-9][0-9][0-9][0-9]|6([0-6][0-9][0-9][0-9]|7([0-1][0-9][0-9]|2([0-8][0-9]|9[0-4])))))))_',
  ios-regex '_65535_',
  ios-regex '_4294967295_',
  ios-regex '_6555[2-9]_|_655[6-9][0-9]_|_65[6-9][0-9][0-9]_|_6[6-9][0-9][0-9][0-9]_|_[7-9][0-9][0-9][0-9][0-9]_|_1[0-2][0-9][0-9][0-9][0-9]_|_130[0-9][0-9][0-9]_|_1310[0-6][0-9]_|_13107[0-1]_'
end-set

route-policy TRANSIT-IN-IPV4-FILTER
  if destination in IPV4-BOGON then
    drop
  endif
  if as-path in BOGON-ASNs then
    drop
  endif
  if as-path length ge 70 then
    drop
  endif
  set community (XXX:YYY, XXX:ZZZ)
  set origin incomplete
  set med 0
end-policy
The IOS-XR config can be condensed using the passes-through operator in an as-path-set, which takes single ASNs and [low..high] ranges (it does not accept '0' as a value, so AS 0 still needs the ios-regex entry):

as-path-set BOGON-ASNs
  # rfc7607
  ios-regex '_0_',
  # 2 to 4 byte ASN migrations (USE WITH CAUTION)
  passes-through '23456',
  # rfc5398
  passes-through '[64496..64511]',
  passes-through '[65536..65551]',
  # rfc6996
  passes-through '[64512..65534]',
  passes-through '[4200000000..4294967294]',
  # rfc7300
  passes-through '65535',
  passes-through '4294967295',
  # IANA reserved
  passes-through '[65552..131071]'
end-set