Wondering if anyone has any BGP route-map examples to block learning any routes that have a select BGP ASN in their path.
I have a cloudguard FW deployed where I am peering with an Azure route server (ARS) (ASN 65515) and that ARS also is learning routes from an expressroute circuit (ASN 12076). The ARS has some very limited capabilities and can't put any real filters in place when you redistribute routes there.
In this example, I want my cloudguard FW to accept routes that come from the ARS and its direct vnets (65515) but any routes being learned from the expressroute (i.e. has asn 12076 in its aspath), I want to reject.
I have a feeling I can do this with an import route-map configuration on my peer with the ARS using an aspath-regex.
Example:
set routemap ARS-Peer-In id 100 on
set routemap ARS-Peer-In id 100 restrict
set routemap ARS-Peer-In id 100 match aspath-regex "_12076_" origin any
set routemap ARS-Peer-In id 200 on
set routemap ARS-Peer-In id 200 allow
set routemap ARS-Peer-In id 200 match as 65515 on
set routemap ARS-Peer-In id 200 action nexthop ip 10.1.1.1 <= this being the ip of the GW cluster; 10.1.1.2 used on other cluster.
set bgp external remote-as 65515 import-routemap ARS-Peer-In preference 1 on
Is this an ample way to address this? (## Note: question relating to ability to block an ASN in a path for check point but accept others; we have confirmed with Microsoft Azure engineering teams that this restriction of ASN 12076 will address our issue)
The other validation I wanted to ask was the use of the routemap IDs and preferences.
- My understanding is the ID # in the same route-map is the order of processing
- Therefore I want my 'restrict' rule above my allow.
In regards to the route map preferences, can you do this same restriction type with various route maps and place in the preference order?
Example:
set routemap ARS-Peer-restrict id 100 on
set routemap ARS-Peer-restrict id 100 restrict
set routemap ARS-Peer-restrict id 100 match aspath-regex "_12076_" origin any
set routemap ARS-Peer-In id 200 on
set routemap ARS-Peer-In id 200 allow
set routemap ARS-Peer-In id 200 match as 65515 on
set routemap ARS-Peer-In id 200 action nexthop ip 10.1.1.1 <= this being the ip of the GW cluster
set bgp external remote-as 65515 import-routemap ARS-Peer-restrict preference 1 on
set bgp external remote-as 65515 import-routemap ARS-Peer-In preference 2 on
It feels normal to me for any vendor BGP configuration to have one set of routemaps on a peer and set the order of operations with the route map IDs. But I wanted to know if I understand the processing here with the multiple map options and preference order, if both would indeed be 'inspected' at all times and the preference just is setting the map 'order'. (a.k.a 'best practice' for routemaps with checkpoint 😉 )
Thanks in advance for any assistance
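The two things the post is leaning on are the `_12076_` AS-path regex and the first-match ordering of route-map entries. As an added illustration (not part of the original post, and not Check Point's or Gaia's implementation), the following Python models both: it translates the BGP-style `_` anchor (which matches the start or end of the path or a separator between AS numbers, so `_12076_` matches the ASN as a whole token and not as a substring of another ASN) into a Python regex, then walks a list of entries in ID order with the usual route-map semantics of first match wins and implicit deny when nothing matches. The route prefixes and AS paths are constructed sample data; the treatment of `match as N` as "AS N appears in the path" and the implicit-deny default are assumptions of this simulation that should be confirmed against the platform's documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# BGP AS-path regex convention: "_" is an AS-number boundary, i.e. start of the
# path, end of the path, or a separator (space, comma, braces, parens).
_BOUNDARY = r"(?:^|$|[ ,{}()])"


def aspath_regex_to_python(pattern: str) -> str:
    """Translate a BGP-style AS-path regex into a Python regex."""
    return pattern.replace("_", _BOUNDARY)


def aspath_matches(pattern: str, as_path: Sequence[int]) -> bool:
    """True if the BGP-style pattern matches the space-separated AS path."""
    text = " ".join(str(asn) for asn in as_path)
    return re.search(aspath_regex_to_python(pattern), text) is not None


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]
    next_hop: Optional[str] = None


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int                     # the "id" in the posted config; lower runs first
    action: str                  # "allow" or "restrict"
    match_aspath_regex: Optional[str] = None
    match_as: Optional[int] = None      # assumption: "AS N appears in the path"
    set_nexthop: Optional[str] = None   # "action nexthop ip ..." on an allow


def evaluate_route_map(entries: Sequence[RouteMapEntry], route: Route) -> Tuple[str, Optional[str]]:
    """Return ("accept", next_hop) or ("reject", None) for one route.

    Entries are tried in ascending seq; the first whose conditions all hold
    decides. No match at all is treated as an implicit deny (assumption).
    """
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.match_aspath_regex is not None and not aspath_matches(entry.match_aspath_regex, route.as_path):
            continue
        if entry.match_as is not None and entry.match_as not in route.as_path:
            continue
        if entry.action == "restrict":
            return ("reject", None)
        return ("accept", entry.set_nexthop or route.next_hop)
    return ("reject", None)


def apply_route_map(entries: Sequence[RouteMapEntry], routes: Sequence[Route]) -> dict:
    """Evaluate every route and return {prefix: decision}."""
    return {r.prefix: evaluate_route_map(entries, r) for r in routes}


# The map as posted: restrict at id 100, allow (with next-hop rewrite) at id 200.
ARS_PEER_IN: List[RouteMapEntry] = [
    RouteMapEntry(seq=100, action="restrict", match_aspath_regex="_12076_"),
    RouteMapEntry(seq=200, action="allow", match_as=65515, set_nexthop="10.1.1.1"),
]

# Same two entries with the IDs swapped, to show why ordering matters.
MISORDERED: List[RouteMapEntry] = [
    RouteMapEntry(seq=100, action="allow", match_as=65515, set_nexthop="10.1.1.1"),
    RouteMapEntry(seq=200, action="restrict", match_aspath_regex="_12076_"),
]

# Constructed sample routes as the ARS might advertise them (not real data).
SAMPLE_ROUTES: List[Route] = [
    Route("10.10.0.0/16", (65515,)),                 # direct VNet route
    Route("172.16.0.0/12", (65515, 12076, 64512)),   # came in via ExpressRoute
    Route("192.168.0.0/16", (65515, 120760)),        # look-alike ASN, must not match
]

if __name__ == "__main__":
    for name, entries in (("ARS-Peer-In", ARS_PEER_IN), ("misordered", MISORDERED)):
        print(f"== {name}")
        for prefix, decision in apply_route_map(entries, SAMPLE_ROUTES).items():
            print(f"  {prefix:16} -> {decision}")
```

Running it shows the posted ordering rejecting only the route whose path contains 12076 (the 120760 look-alike is still accepted, because `_` anchors on token boundaries), while the misordered variant accepts the ExpressRoute route because the allow entry matches first on 65515 and the restrict entry is never reached.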