Re: [nsp] Extended community-lists & filtering of customer communities

From: Wayne Bouchard (web@typo.org)
Date: Fri Aug 21 1998 - 18:57:55 EDT


> Any chance someone could sanity check this for me, there being no
> docs available.
>
> I wish to allow my customers to send me communities within my
> community space (let's say for AS4444), but to avoid collateral
> damage by their leaking other communities they might send me in that
> I act on, whilst in general still passing throughout my AS anything
> else they may set on them (for instance their communities or perhaps
> those of my upstreams/peers if I chose to propagate them on egress).
>
> I want a route-map which as its first stage rejects all routes
> with any communities that begin with 4444: other than 4444:1000-4444:1999,
> and also rejects any with communities that begin 0: (i.e. I want
> to let my customers send me *some* communities in my range, but
> not all, and not 0: communities, but otherwise allow them to pass
> through).

So only 4444:1000 through 1999 will be let through...

> Bearing in mind there may be more than one community attribute present,
> I think the correct way to do this is (and testing *seems* to work)
> as follows. Would someone who has used these things in anger care
> to check my logic?

It doesn't have to be that hard.

ip community-list 109 permit 4444:1[0-9]*

or if you want them exactly 4 digits..

ip community-list 109 permit 4444:1...

> ! match (for filtering) communities beginning 0:
> ip community-list 109 permit _0:.*_
> ! match (for filtering) any 4444:s other than those starting 4444:1
> ip community-list 109 permit _4444:[2-90].*_
> ! match (for filtering) any 4444:1 followed by 0, 1, 2, or 4 or more digits
> ip community-list 109 permit _4444:1(_|[0-9]_|[0-9][0-9]_|
> [0-9][0-9][0-9][0-9]+_)
> ! (line above broken for readability only)
> ! leaving an implicit deny for 4444:1 followed by 4 digits
>
> ! route-map for customer routes in
> !
> ! first strip routes with bogus communities
> !
> route-map receive-routes-from-customer deny 5
> match community 109
> !
> ! check the AS-Path (networks checked via
> ! distribute list applied to peering)
> !
> ! If they're OK, tag the routes internally how we
> ! want them, leaving their communities on but adding the ones we
> ! require
> !
> route-map receive-routes-from-customer permit 10
> match as-path 123
> set community 4444:2000 4444:2002 4444:3000 additive
> !
>
> --
> Alex Bligh
> GX Networks (formerly Xara Networks)
>
>
>

----------------------------------------------------------------------
Wayne Bouchard GlobalCenter
web@globalcenter.net
Network Engineer
(602) 416-6422 800-373-2499 x6422
FAX: (602) 416-9422 http://www.globalcenter.net
----------------------------------------------------------------------
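
The quoted three-entry filter, modelled in Python as an added example (not part of either poster's message), to show which community attributes the `deny 5` clause would drop. It assumes IOS matches an expanded community-list regex against the route's communities rendered as one space-separated AA:NN string, and that `_` matches a delimiter or either end of that string; the sample attributes are constructed.

```python
import re

# Assumption: IOS "_" matches the start or end of the string, or a
# delimiter (space, comma, braces, parentheses).
DELIM = r"(?:^|$|[ ,{}()])"

# The three "permit" entries of community-list 109 from the quoted
# message (the third rejoined onto one line, as its own comment says).
LIST_109 = [
    "_0:.*_",
    "_4444:[2-90].*_",
    "_4444:1(_|[0-9]_|[0-9][0-9]_|[0-9][0-9][0-9][0-9]+_)",
]


def compile_ios(pattern):
    """Translate the IOS "_" metacharacter into a Python regex."""
    return re.compile(pattern.replace("_", DELIM))


COMPILED = [(p, compile_ios(p)) for p in LIST_109]


def matching_entry(communities):
    """Return the first list-109 entry that matches, or None."""
    for source, regex in COMPILED:
        if regex.search(communities):
            return source
    return None


def dropped_by_deny_5(communities):
    """'deny 5 / match community 109' drops the route on any match."""
    return matching_entry(communities) is not None


# Constructed sample community attributes (space-separated AA:NN).
SAMPLES = [
    "4444:1500", "4444:1", "4444:150", "4444:15000", "4444:2000",
    "0:100", "65000:100", "14444:2000", "4444:1500 7018:80",
    "4444:1500 4444:3000",
]

if __name__ == "__main__":
    for attr in SAMPLES:
        entry = matching_entry(attr)
        print(f"{attr!r:24} {'DROP  ' + entry if entry else 'pass'}")
```

The last sample shows the multi-community case raised in the question: one disallowed value alongside an allowed one is enough for the whole route to match list 109.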


