Editing AS-path access lists

Jerry sent me an interesting question:

I was wondering if there's a way to modify an as-path access-list much like we do with regular access lists, simply by adding/removing lines according to their sequence numbers.

I'm not aware of any such mechanism in Cisco IOS (but then maybe I'm missing something), but his question made me wonder: if you're maintaining large AS-path access lists, do you edit them on the router (I guess not) or offline (on an NMS platform) and download them when they need to be changed?

4 comments:

  1. Usually edit offline and upload, but try to avoid AS-path ACLs in favour of std-community-based route policies (co-operating peers and upstreams are always far better :)

  2. I think such a mechanism doesn't exist in Cisco IOS. But it is not necessary. In the case of an ACL on an interface, traffic flows continuously. If we remove the ACL, it will be a disaster. An as-path access-list works only when there is a change somewhere in the BGP table, so it is not terrible to remove it and then paste a new one with the same number. At least it works pretty well with small as-path ACLs. ;) As concerns long as-path ACLs and huge BGP tables... What is the real task? In most cases, I think, you have to avoid as-path ACLs (see previous comment) and use communities (if it is possible :) ) or a script that will query whois databases and bogon route-servers to compile incredibly long ip prefix-lists.

  3. I'm generating and uploading BGP filters automatically from a NMS. The best way to construct BGP filters (as-path based or prefix-list based) is to query RADB, since RADB mirrors all other routing registry databases. RADB also provides a nice mechanism to expand customer as-sets recursively:

    whois -h whois.radb.net \!iAS-SET,1

    From that one, constructing the as-path ACL is easy; you can even use a one-liner like this:

    whois -h whois.radb.net \!iAS-SET,1 | head -2 | tail -1 | fmt -70 | tr '[as]' '[AS]' | fmt -50 | \
    sed -e 's/AS/|/g' -e 's/\ //g' -e 's/$/\)\$/g' -e 's/^|/ip\ as-path\ access-list NNN\ permit\ \_\(/g'

  4. So - when will Cisco fix this limitation? It makes no sense that you cannot delete one line of config without inadvertently removing the whole ip as-path access-list.

    Example:
    ip as-path access-list 90 permit ^5400_7018
    ip as-path access-list 90 permit ^5400_1239

    Action:
    no ip as-path access-list 90 permit ^5400_7018

    Result:
    [ip as-path access-list 90 is GONE]

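Added example (not code from the original post or from any of the commenters): the offline "generate, then replace the whole list" workflow that comments 3 and 4 together describe, written in Python instead of the whois pipeline. It parses an RADB `!i` reply into ASNs, emits the `permit _(a|b|...)$` lines, prepends the `no ip as-path access-list N` that comment 4 shows is unavoidable, and adds a small checker so the generated regex can be tested against sample AS paths before it is pushed to a router. The RADB reply is a constructed sample embedded in the file (nothing is fetched); the ACL number 90, the regex shape, the ASNs-per-line limit, and the character class used to approximate IOS's `_` are assumptions.

```python
"""Offline generator and checker for a Cisco IOS AS-path access-list.

Added example, not code from the original post or its comments. It does
offline what the whois one-liner in comment 3 does in a pipeline, and
produces the full-replacement snippet that comment 4 implies is the only
safe way to edit such a list. The RADB reply below is a constructed
sample (no network access); the ACL number, the "_(a|b)$" regex shape,
the ASNs-per-line limit and the "_" approximation are assumptions.
"""
import re
from typing import List

# Constructed sample of an RADB reply to "!iAS-EXAMPLE,1": an "A<bytes>"
# header line, one line of space-separated members, then "C" (complete).
# Mixed case and a duplicate member are included on purpose.
SAMPLE_RADB_REPLY = "A46\nAS64496 AS64497 as64498 AS64496 AS65000 AS65001\nC\n"

# Cisco documents "_" as matching comma, braces, parentheses, space, or the
# start/end of the path; this class approximates that for local checking.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def parse_radb_asns(reply: str) -> List[int]:
    """Return the unique ASNs from an RADB '!i' reply, in first-seen order."""
    lines = reply.splitlines()
    if len(lines) < 2 or not lines[0].startswith("A"):
        raise ValueError("not a successful RADB '!i' reply")
    asns: List[int] = []
    for token in lines[1].split():
        match = re.fullmatch(r"AS(\d+)", token, flags=re.IGNORECASE)
        if not match:
            raise ValueError(f"unexpected member {token!r}")
        asn = int(match.group(1))
        if asn not in asns:
            asns.append(asn)
    return asns


def build_as_path_acl(acl_number: int, asns: List[int], per_line: int = 10) -> List[str]:
    """Emit 'ip as-path access-list N permit _(a|b|...)$' lines.

    Each line matches paths whose origin AS is one of the members; the
    member list is chunked so no single regex grows unreasonably long.
    """
    lines = []
    for start in range(0, len(asns), per_line):
        alternation = "|".join(str(a) for a in asns[start:start + per_line])
        lines.append(f"ip as-path access-list {acl_number} permit _({alternation})$")
    return lines


def replacement_config(acl_number: int, asns: List[int], per_line: int = 10) -> List[str]:
    """Snippet to push from the NMS: wipe the old list, then re-add every line.

    IOS removes the entire list when any single entry is negated, so the
    only predictable edit is a full replacement under the same number.
    """
    return [f"no ip as-path access-list {acl_number}"] + build_as_path_acl(acl_number, asns, per_line)


def permits(acl_lines: List[str], as_path: str) -> bool:
    """Evaluate an AS path such as '7018 64497' against the generated lines.

    First matching entry wins; a path matching nothing hits the implicit deny.
    """
    for line in acl_lines:
        m = re.match(r"ip as-path access-list \d+ (permit|deny) (.+)$", line)
        if not m:
            continue  # "no ip as-path ..." and other lines are not entries
        action, ios_regex = m.group(1), m.group(2)
        if re.search(ios_regex.replace("_", IOS_UNDERSCORE), as_path):
            return action == "permit"
    return False


if __name__ == "__main__":
    members = parse_radb_asns(SAMPLE_RADB_REPLY)
    for line in replacement_config(90, members, per_line=3):
        print(line)
    acl = build_as_path_acl(90, members)
    print(permits(acl, "7018 64497"))   # True: origin AS is a member
    print(permits(acl, "7018 164497"))  # False: "_" prevents a substring match
```

The `permits()` check is the part worth keeping around: it catches the classic mistake of anchoring on `64497$` without the leading `_`, which would also accept an origin of 164497, and it lets the generated list be tested against a handful of real paths from `show ip bgp` output before the `no ip as-path access-list` line is ever sent to a production router.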


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.