Editing AS-path access lists

Jerry sent me an interesting question:

I was wondering if there's a way to modify an as-path access-list much like we do with regular access lists, simply by adding/ removing lines according to their sequence numbers.

I'm not aware of any such mechanism in Cisco IOS (but then maybe I’m missing something), but his question made me wonder: if you’re maintaining large AS-path access lists, do you edit them on the router (I guess not) or off-line (on a NMS platform) and download them when they need to be changed?

Recent posts in the same categories

4 comments:

  1. lochii 22 April 2010 17:08
    Usually edit offline and upload, but try to avoid AS-Path ACLs in favour of std-community based route policies (co-operating peers and upstreams are always far better :)
  2. ODIN 23 April 2010 07:37
    I think such mechanism doesn't exist in Cisco IOS. But it is not necessary. In case of ACL on interface traffic flow continuously. If we remove ACL - it will be a disaster. As-path access-list works only when there is a change somewhere in BGP table. So it is not terrible to remove it and then to paste new one with the same number. At least it works pretty well with small as-path ACLs. ;) As concerns long as-pasth ACLs and huge BGP tables... What is the real task? In most cases, I think, you have to avoid as-path ACLs (see previous comment) and use communities (if it is possible :) ) or a script that will query whois databases and bogon route-servers to compile incredible long ip prefix-lists.
  3. Halloween 18 October 2010 22:11
    I'm generating and uploading BGP filters automatically from a NMS. The best way to construct BGP filters (as-path based or prefix-list based) is to query RADB, since RADB mirrors all other routing registry databases. RADB also provides a nice mechanism to expand customer as-sets recursively:

    whois -h whois.radb.net \!iAS-SET,1

    From that one constructing the as-path acl is easy - you can use even an one-liner like this:

    whois -h whois.radb.net \!iAS-SET,1 | head -2 | tail -1 | fmt - 70 | tr '[as]' '[AS]' | fmt -50 | \
    sed -e 's/AS/|/g' -e 's/\ //g' -e 's/$/\)\$/g' -e 's/^|/ip\ as-path\ access-list NNN\ permit\ \_\(/g'
  4. Jim 01 December 2010 14:34
    So - when will Cisco fix this limitation? It makes no sense that you cannot delete one line of config without inadvertently removing the whole ip as-path access-list.

    Example:
    ip as-path access-list 90 permit ^5400_7018
    ip as-path access-list 90 permit ^5400_1239

    Action:
    no ip as-path access-list 90 permit ^5400_7018

    Result:
    [ip as-path access-list 90 is GONE]
Add comment
Home
Sidebar