Filter Transit Routes

In the previous lab exercises you configured EBGP sessions with two routers belonging to upstream ISPs.

Lab topology

With no additional configuration, BGP routers propagate every route known to them to all neighbors, which means that your device propagates routes between AS 65100 and AS 651011. That wouldn’t be so bad if the ISP-2 wouldn’t prefer customer routes over peer routes. Well, it does, and you became a transit network between ISP-2 and ISP-1.

You don’t have to trust me – log into X2 and execute sudo vtysh -c 'show ip bgp' command2. You’ll see that the best paths to AS 65100 (ISP-1) go through AS 65000 (your network).

Existing BGP Configuration

The routers in your lab use the following BGP AS numbers. Each autonomous system advertises one loopback address and another IPv4 prefix. Upstream routers (x1, x2) also advertise the default route to your router (rtr).

Node/ASN Router ID Advertised prefixes

Your router has these EBGP neighbors. netlab configures them automatically; if you’re using some other lab infrastructure, you’ll have to configure EBGP neighbors and advertised prefixes manually. You can also use the configuration you made in the previous exercise.

Neighbor Neighbor IPv4 Neighbor AS
x1 65100
x2 65101

Start the Lab

Assuming you already set up your lab infrastructure:

  • Change directory to policy/2-stop-transit
  • Execute netlab up (other options)
  • Log into your device (RTR) with netlab connect rtr and verify IP addresses and BGP configuration.

Note: netlab will configure IP addressing, EBGP sessions, and BGP prefix advertisements on your router. If you’re not using netlab just continue with the configuration you made during the previous exercise.

Configuration Tasks

You have to filter BGP prefixes sent to X1 and X2, and advertise only prefixes with an empty AS path – the prefixes originating in your autonomous system3.

On some BGP implementations (example: Cisco IOS and IOS XE, Cumulus Linux, FRR) you configure outbound AS-path filters in two steps:

  • Configure an AS-path access list that matches an empty AS path4.
  • Apply the AS-path access list as an outbound filter to all EBGP neighbors.

Some other implementations (example: Arista EOS) might require a more convoluted approach using a route map as an intermediate step:

  • After configuring the AS-path access list, create a route map that permits BGP prefixes matching your AS-path access list.
  • Apply that route map as an outbound filter to all EBGP neighbors.


Applying filters to BGP neighbors doesn’t necessarily trigger new updates – you might have to use a command similar to clear ip bgp * soft out to tell your router to recalculate and resend BGP prefixes from its BGP table to its neighbors.


Examine the BGP table on X1 and X2 to verify that your router advertises only routes from AS 65000. This is the printout you should get on X1:

$ sudo vtysh -c 'show ip bgp'
BGP table version is 6, local router ID is, vrf id 0
Default local pref 100, local AS 65100
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*                              0 65101 65000 i
*>                                       0 65000 i
*>                  0         32768 i
*>                0             0 65101 i
*                              0 65101 65000 ?
*>                                       0 65000 ?
*>                  0         32768 i
*>                0             0 65101 i

Displayed  6 routes and 8 total paths

Next: Filter prefixes advertised to EBGP neighbors

Reference Information

You might find the following information useful if you’re not using netlab to build the lab:

Lab Wiring

This lab uses a subset of the 4-router lab topology:

Origin Device Origin Port Destination Device Destination Port
rtr Ethernet1 x1 swp1
rtr Ethernet2 x2 swp1
x1 swp2 x2 swp2

Lab Addressing

Node/Interface IPv4 Address IPv6 Address Description
rtr Loopback
Ethernet1 rtr -> x1
Ethernet2 rtr -> x2
x1 Loopback
swp1 x1 -> rtr
swp2 x1 -> x2
x2 Loopback
swp1 x2 -> rtr
swp2 x2 -> x1

  1. Devices strictly compliant with RFC 8212 are an exception – they won’t advertise anything to their EBGP neighbors unless you configured an outbound filter. 

  2. sudo to make sure you’re an admin user, vtysh is the name of the FRR CLI shell, and the -c argument passes the following argument to vtysh so you don’t have to type another line. 

  3. Please note that all BGP implementations I’ve seen so far apply filters to the contents of the BGP table. Prefixes originated by your router have an empty AS path while they’re in the BGP table of your router. 

  4. I don’t want you to waste too much time on regular expressions, so here’s a hint: you can usually use ^$ to match an empty AS-path.