BGP essentials: Non-transit AS

Sometimes I find the information on the Internet that is so far from the facts that it might actually hurt someone. For example, the configuration in this post supposedly prevents you from becoming a transit AS (which is a really bad idea if you're a multi-homed end-user). Actually, it achieves the goal as it drops all incoming routes due to a malformed AS-path access-list that denies everything :) … but then, why do you need BGP in the first place?

Fortunately, someone provided correct configuration in the comments to the post, just made in unnecessarily complex with the introduction of a route-map.

It really pays off to study all the available BGP filtering mechanisms: AS-path access-list can be applied to updates directly with the neighbor filter-list command. The minimum configuration that guarantees you won't become a transit AS is thus as follows:

router bgp 65000
 neighbor filter-list 1 out
ip as-path access-list 1 permit ^$

Of course you can make things really interesting by introducing BGP communities: if you mark all routes received from the EBGP peers with the NO_EXPORT community, they will be filtered out on other EBGP sessions automatically :) Here's a sample configuration:

router bgp 65001
 neighbor route-map setNoExport in
 neighbor route-map setNoExport in

route-map setNoExport permit 10
 set community no-export additive

If you're looking for more in-depth BGP knowledge, try our Configuring BGP on Cisco Routers e-learning solution. If you just need to enhance your hands-on skill, the BGP Remote Lab Bundle is the perfect choice.


  1. link you posted doesn't exist. Can you explain in details?

  2. Link said (via Google cache) :

    Preventing AS from becoming Transit AS
    Published October 24, 2007 Access-lists , IP Routing , bgp

    To prevent your AS from becoming a Transit AS, use following startegy

    Create a route map say “transit” in config mode

    route-map transit permit 10

    match as-path 1

    In config mode, use following command

    ip as-path access-list 1 deny ^$

    This command will only allow routes with origin code “i” and filter all routes with incomplete as-path.

    Apply the above route-map with neighbor statement

    router bgp 64000

    neighbor route-map transit in

    Only routes with origin code” i” will enter your AS.

  3. @jdenoy: Thanks for the text. It's amazing how quickly the Internet landscape changes (and luckily Google caches a few things :).

    @singh: I apologize for the brevity of my text, I shall write a follow-up one explaining the principles of the non-transit AS (and what you have to filter and where). However, here are the details as they relate to the text jdenoy included:

    * Every as-path access-list has an implicit "deny all" at the end. The as-path access-list in the example thus matches nothing at all.

    * The routes received from an EBGP neighbor always have at least one AS number in the AS path. The "deny ^$" pattern (which matches an empty AS-path) is thus irrelevant. But, as said above, everything else would be dropped as well.

    * You cannot use an as-path access-list to match the origin code (even though it looks like the origin code is part of an AS-path, it's not).

    * There is no such thing as incomplete AS-paths.

    * The 'incomplete' origin code is a leftover of the past long gone and is mostly irrelevant these days. It definitely has nothing to do with (non)transit behavior.

    * The route-map in the text supplied by jdenoy when applied to inbound updates from an EBGP peer would drop all inbound BGP prefixes.

    Hope this helps

  4. This comment has been removed by the author.

  5. I think the comment by jdenoy above just shows an ip as-path access list. if a person reading BGP article doesn't know that every acceess-list has implicit deny at the end then I am not sure how come reader is jumping his horses and learning about BGP communities :). anyway I used the as-path access list mentioned by jdenoy, and addedd

    ip as-path aceess-list 1 permit any and it prevent AS from becoming the transit AS. so I think even if blogger has mistyped something, readers should use their brains while using it on production network.

  6. I do it proper way:

    router bgp 12345
    neighbor prefix-list AS12345 out
    ip prefix-list AS12345 seq 5 permit
    ip prefix-list AS12345 seq 10 permit
    ip prefix-list AS12345 seq 15 permit

  7. Thanks for the prefix-list hint. I've included it in the non-transit AS tutorial.

  8. :-E *DONT_KNOW*

  9. :-E *DONT_KNOW*

  10. Thank you for the explanation.

  11. Hi, I just want to ask you. My Hub router DMVPN(Phase 2) is using IP as-path,
    ip as-path access-list 100 deny _65000$
    ip as-path access-list 100 permit .*

    I would like to deny for 65000 but allowing all for the spokes.
    I can see the dynamic tunnel is up however the BGP routing showing the next hop to reach destination still going to Hub IP, then only reach to destination. When I removed the IP AS-Path, then the spoke router getting the correct information on BGP and able traverse via dynamic tunnels to other spoke. Is this a limitation of DMVPN or IP AS-Path?


You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.