Suppose we have the following scenario:

R1—R2–R3–R4—R5

R1 is AS 100
R2, R3, R4 are AS 200
R5 is AS 300

R2, R3, R4 are confederated, with sub as’s 65002, 65003, and 65004 respectively. They are also originating prefixes A, B, & C respectively. If AS 200 does not want to be transit, we must only advertise out prefixes originated in these three sub AS’s.

From R2′s perspective, we see the following prefixes, and the following AS-Path’s:

A – EMPTY
B – (65003)
C – (65003,65004)

From R4′s perspective, we see the following prefixes, and the following AS-Path’s:

A – (65002,65003)
B – (65003)
C – EMPTY

Now we must consider how to match all of these cases in a single line. Remember that parentheses are special characters within the as-path list.

Our minimum case to match would be:

^\$

This is our empty AS-PATH, which is prefixes locally originated in our sub-as.

Our maximum case to match would be:

\(X\)

where X is any number of AS’s, or a comma. Remember that we need to escape the parens.

To satisfy our condition of X, we should be matching 1 or more instance of any character, which equates to:

.+

Therefore our maximum case is now:

^\(.+\)\$

However, we must match the minimum case at the same time. Therefore, our current expression \(.+\) is either true or false. True or false (0 or 1 instance) is covered by the expression ?.

Therefore, our final regular expression will read:

^(\(.+\))?\$

Advertise only prefixes which match this expression outbound on your border routers, and your confederated AS’s will not be transit.

##### About Brian McGahan, CCIE #8593, CCDE #2013::13:

Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 10 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.

You can leave a response, or trackback from your own site.

### 5 Responses to “How do I stop a confederation from being used as transit?”

1. Em says:

very cool. How do you get the IOS to take the question mark without trying to do help?

2. Em says:

i got this to work:

R2#show ip bgp regexp ^\(.*\)\$

this means we only want to match routes where the AS path starts and ends with a parenthesis, which is what routes starting in our confed would look like. I used ‘*’ instead of ‘+’ because ‘+’ was not matching the ‘A’ prefix connected to R2.

not sure if that would work in all cases though…trying to think of what else the AS paths could look like…

anyways, nice post. bgp regexp is fun

3. Em says:

ok! here it goes:

show ip bgp regexp ^\$|^\(.*\)\$

match empty set OR
match beginning/ending with parenthesis

4. You can do that too. For clarity you may want to use extra parens to show what the or actually switches between. I.e.:

(^\$)|(^\(.*\)\$)

5. Brian,

Instead of refering to ? as a true/false operator, you could you Cisco’s explanation, which I think is a bit more enlightning:

“? – Matches zero or one occurrence of the pattern. (Precede the question mark with Ctrl-V sequence to prevent it from being interpreted as a help command.) ”

P.S.- Great blog!