AS-Path Filtering

Before we get into the how, let’s talk about the why. According to the CIDR Report, the global IPv4 routing table sits at about 525,000 routes; it has doubled in size since mid-2008 and continues to press upwards at an accelerating rate. This momentum, which by my estimate started around 2006, will most likely never slow down. As network engineers, what are we to do? Sure, memory is as plentiful as we could ask for, but what of TCAM? On certain platforms, like the 6500/7600 with the Sup720, and even some of the ASR1Ks, we have already surpassed the limits of what they can handle (~512k routes in the FIB), and running out of FIB space is not a graceful failure: prefixes that no longer fit in hardware end up software-switched on the route processor. While it is possible to increase the TCAM available for routing information, there are other solutions that don’t involve replacing hardware just yet.

As far as I know, adjusting TCAM partitioning on the ASR1000 is not possible at this time.

Before I get too deep into this, I should clarify as many of you (yes, I’m looking at you Fry) are asking yourselves why is an ISP running BGP on a 6500… Many of my customers are small ISPs or data centers that have little to no networking experience. They are the small guys attempting to provide high speed service to rural areas that truly need it. Most of these guys are 3-4 person shops that have a ton of people wearing multiple hats, and after spending the last decade working with them, I have to respect that. /soapbox

AS Path Filtering

My favorite solution to this problem has been to filter out routes that have long AS-Paths. This works particularly well if you’re receiving full tables plus a default from your upstream providers. My thinking has always been: ensure path optimization for very short AS-Paths, and for anything more than 3 networks away… who cares!? The example below uses AS-path filtering and local preference to ensure that traffic to destinations 3 networks or fewer away always leaves via the best path we have, while everything further away is dropped and falls to the default.

! AS-path ACLs: one ASN per hop. "_" matches the boundary between ASNs;
! "+" (rather than "*") requires at least one ASN, so an empty path never matches.
ip as-path access-list 100 permit ^[0-9]+$
ip as-path access-list 200 permit ^[0-9]+_[0-9]+$
ip as-path access-list 300 permit ^[0-9]+_[0-9]+_[0-9]+$
!
ip prefix-list any seq 5 permit 0.0.0.0/0 le 32
!
! Route-map entries are evaluated in sequence order; the first match wins.
route-map ebgp-in permit 10
 match as-path 100
 set local-preference 193
!
route-map ebgp-in permit 20
 match as-path 200
 set local-preference 192
!
route-map ebgp-in permit 30
 match as-path 300
 set local-preference 191
!
! Anything with more than three ASNs in the path is denied.
! A prefix-list has to be referenced as such, otherwise IOS looks for an ACL named "any".
route-map ebgp-in deny 99
 match ip address prefix-list any
!
router bgp 65100
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 65011
 neighbor 1.1.1.1 route-map ebgp-in in
 neighbor 2.2.2.2 remote-as 65022
 neighbor 2.2.2.2 route-map ebgp-in in
!

As you can see, we’re using a route-map to filter updates from our peers. Inside our first statement we’re using a match statement on AS-Path ACL 100, which has a regular expression that matches updates with a single AS number in the AS-Path. Our set statement raises the local-preference on those routes well above the default of 100. While the BGP best path selection algorithm would certainly prefer these routes on AS-Path length alone, personally I like overriding all local-preference settings throughout my configs to suit the needs of the business. I also typically set BGP communities on these prefixes to aid in identifying which policy was applied. But I digress. This continues in the next statement, matching an AS-Path length of 2 and setting a slightly lower local-preference, and again in the third statement, until we reach statement 99, which is configured to deny any other routes from being learned.
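As an added illustration (not code from the original post), here is a Python model of that route-map evaluation: the three AS-path ACLs with Cisco’s “_” boundary semantics, walked in sequence order against a constructed sample of what an upstream might announce. It also surfaces a caveat the post does not spell out: AS-path prepending by the upstream lengthens the path exactly as real hops do, so a prepended one-hop route lands in the lowest accepted tier.

```python
import re

# Cisco AS-path regex "_" matches the start or end of the path, a space, a comma
# or an AS-set brace; expand it into an equivalent Python alternation.
def cisco_to_python(pattern: str) -> str:
    return pattern.replace("_", r"(?:^|$|[ ,{}])")

# The three AS-path ACLs from the post ("+" so an empty path never matches).
AS_PATH_ACLS = {
    100: cisco_to_python(r"^[0-9]+$"),
    200: cisco_to_python(r"^[0-9]+_[0-9]+$"),
    300: cisco_to_python(r"^[0-9]+_[0-9]+_[0-9]+$"),
}

# route-map ebgp-in in sequence order: (seq, action, as-path ACL, local-pref).
# Sequence 30 is the post's third permit entry; 99 denies whatever is left.
ROUTE_MAP = [
    (10, "permit", 100, 193),
    (20, "permit", 200, 192),
    (30, "permit", 300, 191),
    (99, "deny", None, None),
]

def evaluate(as_path: str):
    """Walk the route-map top down; the first entry that matches decides.
    Returns (accepted, local_preference)."""
    for _seq, action, acl, lp in ROUTE_MAP:
        if acl is None or re.search(AS_PATH_ACLS[acl], as_path):
            return (action == "permit", lp)
    return (False, None)  # implicit deny at the end of every route-map

def apply_policy(rib: dict) -> dict:
    """Return {prefix: local_pref} for the routes that survive the filter."""
    kept = {}
    for prefix, as_path in rib.items():
        accepted, lp = evaluate(as_path)
        if accepted:
            kept[prefix] = lp
    return kept

# Constructed sample of announcements from an upstream in AS 65011 (hypothetical).
SAMPLE_RIB = {
    "0.0.0.0/0": "65011",                       # default route from the upstream
    "198.51.100.0/24": "65011 65500",
    "203.0.113.0/24": "65011 65500 65600",
    "192.0.2.0/24": "65011 65500 65600 65700",  # four ASNs: filtered out
    "198.18.0.0/24": "65011 65011 65011",       # upstream prepending counts as 3
}

if __name__ == "__main__":
    for prefix, lp in apply_policy(SAMPLE_RIB).items():
        print(f"{prefix:18} local-pref {lp}")
```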

Forklifting

In addition to the routing table limitations, the sheer amount of load that running BGP adds to the CPU in your 6500/7600 series is going to be the last nail in the coffin, and I completely understand and agree. And because I understand that many of you still on those platforms need an affordable option, I have good news for you. The ASR 9001 has a scaled-down 60 Gbps build that comes in at a rather reasonable price, which should be quite affordable once you factor in the trade-in value of your legacy platform. Not only will the ASR 9k completely blow the doors off your 7600 right out of the box, but it should last you a rather long time, as it is scalable to 120 Gbps. As for its routing abilities, it shares the same IOS-XR platform as the larger ASR 9ks and has plenty of memory to support millions of routes.
