In the following scenario, CLIENT1 (AS420) is connected to AS100. CLIENT1 owns the prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24. With only a prefix filter in place, AS100 accepts just these prefixes from AS420 and configures that filter on the AS420 BGP session. AS100 is connected to two upstream service providers, AS1 and AS2. AS100 announces only the prefixes received from AS420 (CLIENT1) to AS1 and AS2, again by prefix filtering on the AS1 and AS2 BGP sessions.
CLIENT1 is also connected to AS3. CLIENT1 announces 192.0.2.0/24 via AS100, and 198.51.100.0/24 and 203.0.113.0/24 via AS3. Since AS1, AS2 and AS3 are all connected to the global Internet, AS100 will receive these two prefixes from AS1 or AS2, depending on the shortest path. Say 198.51.100.0/24 and 203.0.113.0/24 are received via AS2. There is a good chance these routes are selected as best and installed in AS100's routing table, and AS100 announces its best routes to its eBGP peers. Because AS100 is only doing prefix filtering, and these prefixes are on the allowed list, by default AS100 will announce them to AS1. For 198.51.100.0/24 and 203.0.113.0/24, AS100 has now become transit for AS1: AS1 sends traffic for those prefixes to AS100, which forwards it on to AS2.
To overcome this situation, you need to apply an AS-path filter. What you need is an as-path access-list with a regular expression that only permits prefixes whose AS PATH contains nothing but the peering AS number. Below is the regular expression:
^(420)(_420)*$
This permits prefixes originated by AS420 that have only AS420 in their AS PATH (including any AS420 prepending). The other prefixes (198.51.100.0/24 and 203.0.113.0/24), arriving via AS3 and AS2, will be filtered out and will not be announced to AS100's upstreams.
You can list the prefixes matched by this regular expression with the following syntax:
show ip bgp regexp ^(420)(_420)*$
ip as-path access-list 500 permit ^(420)(_420)*$
router bgp 100
 ! Apply the AS-path filter outbound on the upstream sessions (AS1 and AS2);
 ! the neighbor addresses are elided in the original.
 neighbor xxx.xxx.xxx.xxx filter-list 500 out
 neighbor yyy.yyy.yyy.yyy filter-list 500 out
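As an added worked example (not part of the original post), the following Python emulates how IOS evaluates the as-path access-list above against AS100's best routes. It translates the Cisco `_` token into its boundary semantics and runs the filter over a constructed sample table; the AS 4200 path and the empty (locally originated) path are constructed cases, not from the page.

```python
import re

# In Cisco IOS as-path regexps, "_" matches a boundary between AS numbers:
# start or end of the path, a space, a comma, or a brace/parenthesis.
CISCO_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_aspath_regex(pattern: str) -> re.Pattern:
    """Translate a Cisco-style as-path regular expression into a Python one."""
    return re.compile(pattern.replace("_", CISCO_UNDERSCORE))


# The page's filter: paths made up solely of AS420 (prepending allowed).
ASPATH_ACL_500 = cisco_aspath_regex(r"^(420)(_420)*$")


def permitted_by_filter_list(as_path: str) -> bool:
    """Emulate 'filter-list 500 out': permit on match, implicit deny otherwise."""
    return ASPATH_ACL_500.search(as_path) is not None


def routes_announced_to_upstreams(rib):
    """rib: list of (prefix, as_path) best routes in AS100's BGP table.
    Returns the prefixes the outbound filter lets through to AS1/AS2."""
    return [prefix for prefix, path in rib if permitted_by_filter_list(path)]


# Constructed sample of AS100's best routes in the scenario.
SAMPLE_RIB = [
    ("192.0.2.0/24", "420"),            # learned directly from CLIENT1
    ("192.0.2.0/24", "420 420 420"),    # same route with CLIENT1 prepending
    ("198.51.100.0/24", "2 3 420"),     # CLIENT1 prefix learned via AS2 -> AS3
    ("203.0.113.0/24", "2 3 420"),      # would make AS100 transit for AS1
    ("203.0.113.0/24", "4200"),         # constructed: a peer AS 4200, not AS420
    ("192.0.2.0/24", ""),               # constructed: a route AS100 originates itself
]

if __name__ == "__main__":
    for prefix, path in SAMPLE_RIB:
        verdict = "permit" if permitted_by_filter_list(path) else "deny"
        print(f"{prefix:18} AS PATH [{path}] -> {verdict}")
    print("announced to upstreams:", routes_announced_to_upstreams(SAMPLE_RIB))
```

Note the last two rows: `_` keeps AS 4200 from matching as a prefix of "420", and the empty AS path of a route AS100 originates itself is also denied by this list, so a network that originates its own prefixes needs an extra permit entry (such as `permit ^$`) before the implicit deny.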