These examples were prepared using data captured on 14-Mar-2001 as indicated. At that time, AS5089 was announcing the following aggregates:
62.252.0.0/14 151.212.0.0/16 163.164.0.0/16 194.168.0.0/16 212.3.160.0/19 212.21.0.0/19 212.82.0.0/19 212.91.0.0/19 212.121.0.0/19 212.129.64.0/24 212.250.0.0/16 213.104.0.0/14 217.22.0.1/32
It was also announcing the following subnets:
62.252.0.0/16 62.252.0.0/17 62.252.128.0/17 62.253.0.0/16 62.253.0.0/17 62.254.0.0/16 62.254.0.0/17 62.255.0.0/16 62.255.0.0/17 213.106.0.0/17
It's customers were:
5500: 192.153.153.0/24 195.206.192.0/19 195.206.192.0/24 195.206.193.0/24 195.206.194.0/24 195.206.195.0/24 195.206.196.0/24 195.206.197.0/24
9011: 212.100.0.0/19
12323: 195.182.160.0/19 212.43.160.0/19 212.59.96.0/19
15727: 217.22.0.0/20
15926: 217.12.32.0/20
15952: 217.67.128.0/20
16032: 212.108.64.0/19
and in turn, AS12323 had it's own customer:
12616: 212.67.192.0/19

This example shows the 'Standard Access-list' tool. The access-list number defaults to 99 unless the 'List Number' field is defined and consists of 'deny' statements unless the 'ACL-Permits' option is selected.

Note: One or both of the 'Include-Self' and 'Customer-Recursive' options are necessary to generate any useful output.

Cisco BGP Toolkit

This tool generates fragments of BGP configuration using data from Internet routing tables captured on 14-Mar-2001

AS:
Tool

Options
Include-ThisAS			Include-Subnets
ACL-Permits			Customer-Recursive
List Number			Ranking-Filter

For suggested Martians use AS 0(zero)

Statics to Null0

Network Statements

Standard Access-list

Extended Access-list

Prefix-list

AS-Path list

You can edit the panel below before copying & pasting

no access-list 99
access-list 99 deny 62.252.0.0 0.3.255.255
access-list 99 deny 151.212.0.0 0.0.255.255
access-list 99 deny 163.164.0.0 0.0.255.255
access-list 99 deny 194.168.0.0 0.0.255.255
access-list 99 deny 212.3.160.0 0.0.31.255
access-list 99 deny 212.21.0.0 0.0.31.255
access-list 99 deny 212.82.0.0 0.0.31.255
access-list 99 deny 212.91.0.0 0.0.31.255
access-list 99 deny 212.121.0.0 0.0.31.255
access-list 99 deny 212.129.64.0 0.0.0.255
access-list 99 deny 212.250.0.0 0.0.255.255
access-list 99 deny 213.104.0.0 0.3.255.255
access-list 99 deny 217.22.0.1 0.0.0.0

If the 'ACL-Permits' option was selected, the output would be a list of 'permit' statements.

Options
Include-ThisAS			Include-Subnets
ACL-Permits			Customer-Recursive
List Number			Ranking-Filter

no access-list 99
access-list 99 permit 62.252.0.0 0.3.255.255
access-list 99 permit 151.212.0.0 0.0.255.255
access-list 99 permit 163.164.0.0 0.0.255.255
access-list 99 permit 194.168.0.0 0.0.255.255
access-list 99 permit 212.3.160.0 0.0.31.255
access-list 99 permit 212.21.0.0 0.0.31.255
access-list 99 permit 212.82.0.0 0.0.31.255
access-list 99 permit 212.91.0.0 0.0.31.255
access-list 99 permit 212.121.0.0 0.0.31.255
access-list 99 permit 212.129.64.0 0.0.0.255
access-list 99 permit 212.250.0.0 0.0.255.255
access-list 99 permit 213.104.0.0 0.3.255.255
access-list 99 permit 217.22.0.1 0.0.0.0

If the 'Include-Subnets' option was selected, the output would also include any subnets being announced by AS5089.

Options
Include-ThisAS			Include-Subnets
ACL-Permits			Customer-Recursive
List Number			Ranking-Filter

no access-list 99
access-list 99 deny 62.252.0.0 0.3.255.255
access-list 99 deny 62.252.0.0 0.0.255.255
access-list 99 deny 62.252.0.0 0.0.127.255
access-list 99 deny 62.252.128.0 0.0.127.255
access-list 99 deny 62.253.0.0 0.0.255.255
access-list 99 deny 62.253.0.0 0.0.127.255
access-list 99 deny 62.254.0.0 0.0.255.255
access-list 99 deny 62.254.0.0 0.0.127.255
access-list 99 deny 62.255.0.0 0.0.255.255
access-list 99 deny 62.255.0.0 0.0.127.255
access-list 99 deny 151.212.0.0 0.0.255.255
access-list 99 deny 163.164.0.0 0.0.255.255
access-list 99 deny 194.168.0.0 0.0.255.255
access-list 99 deny 212.3.160.0 0.0.31.255
access-list 99 deny 212.21.0.0 0.0.31.255
access-list 99 deny 212.82.0.0 0.0.31.255
access-list 99 deny 212.91.0.0 0.0.31.255
access-list 99 deny 212.121.0.0 0.0.31.255
access-list 99 deny 212.129.64.0 0.0.0.255
access-list 99 deny 212.250.0.0 0.0.255.255
access-list 99 deny 213.104.0.0 0.3.255.255
access-list 99 deny 213.106.0.0 0.0.127.255
access-list 99 deny 217.22.0.1 0.0.0.0

If the 'Customer-Recursive' option was selected, the output would contain all the aggregates of AS5089 and their customer networks. The 'Ranking Filter' option ensures that as each customer is recursively expanded, they are only expanded if their connectivity ranking is equal or worst that the network being expanded. This option allows the toolkit to handle network mis-configurations where customers network are incorrectly providing transit routing to one or more of their transit providers. Further explanation of this feature is provided at the foot of this page.

Options
Include-ThisAS			Include-Subnets
ACL-Permits			Customer-Recursive
List Number			Ranking-Filter

no access-list 99
access-list 99 deny 62.252.0.0 0.3.255.255
access-list 99 deny 151.212.0.0 0.0.255.255
access-list 99 deny 163.164.0.0 0.0.255.255
access-list 99 deny 192.153.153.0 0.0.0.255
access-list 99 deny 194.168.0.0 0.0.255.255
access-list 99 deny 195.182.160.0 0.0.31.255
access-list 99 deny 195.206.192.0 0.0.31.255
access-list 99 deny 212.3.160.0 0.0.31.255
access-list 99 deny 212.21.0.0 0.0.31.255
access-list 99 deny 212.43.160.0 0.0.31.255
access-list 99 deny 212.59.96.0 0.0.31.255
access-list 99 deny 212.67.192.0 0.0.31.255
access-list 99 deny 212.82.0.0 0.0.31.255
access-list 99 deny 212.91.0.0 0.0.31.255
access-list 99 deny 212.100.0.0 0.0.31.255
access-list 99 deny 212.108.64.0 0.0.31.255
access-list 99 deny 212.121.0.0 0.0.31.255
access-list 99 deny 212.129.64.0 0.0.0.255
access-list 99 deny 212.250.0.0 0.0.255.255
access-list 99 deny 213.104.0.0 0.3.255.255
access-list 99 deny 217.12.32.0 0.0.15.255
access-list 99 deny 217.22.0.0 0.0.15.255
access-list 99 deny 217.22.0.1 0.0.0.0
access-list 99 deny 217.67.128.0 0.0.15.255

If only the 'Customer-Recursive' option is selected, the list would consist only of customer aggregates:

Options
Include-ThisAS			Include-Subnets
ACL-Permits			Customer-Recursive
List Number			Ranking-Filter

no access-list 99
access-list 99 deny 192.153.153.0 0.0.0.255
access-list 99 deny 195.182.160.0 0.0.31.255
access-list 99 deny 195.206.192.0 0.0.31.255
access-list 99 deny 212.43.160.0 0.0.31.255
access-list 99 deny 212.59.96.0 0.0.31.255
access-list 99 deny 212.67.192.0 0.0.31.255
access-list 99 deny 212.100.0.0 0.0.31.255
access-list 99 deny 212.108.64.0 0.0.31.255
access-list 99 deny 217.12.32.0 0.0.15.255
access-list 99 deny 217.22.0.0 0.0.15.255
access-list 99 deny 217.67.128.0 0.0.15.255

If the 'Statics-to-Null0' tool is used with only the 'Include-ThisAS' option selected, the output would consist of static routes for each of AS5089's aggregates. The 'ACL-Permits' option has no effect on the output of this tool, but the other options would affect the output in much the same way as described for the 'Standard Access-list' tool.

ip route 62.252.0.0 255.252.0.0 Null0 254
ip route 151.212.0.0 255.255.0.0 Null0 254
ip route 163.164.0.0 255.255.0.0 Null0 254
ip route 194.168.0.0 255.255.0.0 Null0 254
ip route 212.3.160.0 255.255.224.0 Null0 254
ip route 212.21.0.0 255.255.224.0 Null0 254
ip route 212.82.0.0 255.255.224.0 Null0 254
ip route 212.91.0.0 255.255.224.0 Null0 254
ip route 212.121.0.0 255.255.224.0 Null0 254
ip route 212.129.64.0 255.255.255.0 Null0 254
ip route 212.250.0.0 255.255.0.0 Null0 254
ip route 213.104.0.0 255.252.0.0 Null0 254
ip route 217.22.0.1 255.255.255.255 Null0 254

If the 'Network Statements' tool is used with only the 'Include-ThisAS' option selected, the output would consist of network statements for each of AS5089's aggregates. The 'ACL-Permits' option has no effect on the output of this tool, but the other options would affect the output in much the same way as described for the 'Standard Access-list' tool.

 network 62.252.0.0 mask 255.252.0.0
 network 151.212.0.0 mask 255.255.0.0
 network 163.164.0.0 mask 255.255.0.0
 network 194.168.0.0 mask 255.255.0.0
 network 212.3.160.0 mask 255.255.224.0
 network 212.21.0.0 mask 255.255.224.0
 network 212.82.0.0 mask 255.255.224.0
 network 212.91.0.0 mask 255.255.224.0
 network 212.121.0.0 mask 255.255.224.0
 network 212.129.64.0 mask 255.255.255.0
 network 212.250.0.0 mask 255.255.0.0
 network 213.104.0.0 mask 255.252.0.0
 network 217.22.0.1 mask 255.255.255.255

If the 'Extended Access-list' tool is used with only the 'Include-ThisAS' option selected, the output would consist of filter statements for each of AS5089's aggregates. All options would affect the output in much the same way as described for the 'Standard Access-list' tool and the access-list number defaults to 199 unless the 'List Number' field is defined.

no access-list 199
access-list 199 deny 62.252.0.0 0.3.255.255 255.254.0.0 0.1.255.255
access-list 199 deny 151.212.0.0 0.0.255.255 255.255.128.0 0.0.127.255
access-list 199 deny 163.164.0.0 0.0.255.255 255.255.128.0 0.0.127.255
access-list 199 deny 194.168.0.0 0.0.255.255 255.255.128.0 0.0.127.255
access-list 199 deny 212.3.160.0 0.0.31.255 255.255.240.0 0.0.15.255
access-list 199 deny 212.21.0.0 0.0.31.255 255.255.240.0 0.0.15.255
access-list 199 deny 212.82.0.0 0.0.31.255 255.255.240.0 0.0.15.255
access-list 199 deny 212.91.0.0 0.0.31.255 255.255.240.0 0.0.15.255
access-list 199 deny 212.121.0.0 0.0.31.255 255.255.240.0 0.0.15.255
access-list 199 deny 212.129.64.0 0.0.0.255 255.255.255.128 0.0.0.127
access-list 199 deny 212.250.0.0 0.0.255.255 255.255.128.0 0.0.127.255
access-list 199 deny 213.104.0.0 0.3.255.255 255.254.0.0 0.1.255.255
access-list 199 deny 217.22.0.1 0.0.0.0 128.0.0.0 127.255.255.255

If the 'Prefix-list' tool is used with only the 'Include-ThisAS' option selected, the output would consist of filter statements for each of AS5089's aggregates. All options would affect the output in much the same way as described for the 'Standard Access-list' tool and the access-list number defaults to 199 unless the 'List Number' field is defined.

no ip prefix-list as5089
ip prefix-list as5089 deny 62.252.0.0/14
ip prefix-list as5089 deny 151.212.0.0/16
ip prefix-list as5089 deny 163.164.0.0/16
ip prefix-list as5089 deny 194.168.0.0/16
ip prefix-list as5089 deny 212.3.160.0/19
ip prefix-list as5089 deny 212.21.0.0/19
ip prefix-list as5089 deny 212.82.0.0/19
ip prefix-list as5089 deny 212.91.0.0/19
ip prefix-list as5089 deny 212.121.0.0/19
ip prefix-list as5089 deny 212.129.64.0/24
ip prefix-list as5089 deny 212.250.0.0/16
ip prefix-list as5089 deny 213.104.0.0/14
ip prefix-list as5089 deny 217.22.0.1/32

If the 'AS-Path list' tool is used with only the 'Include-ThisAS' option selected, the output would consist of filter statements for each of AS5089's aggregates. All options would affect the output in much the same way as described for the 'Standard Access-list' tool and the access-list number defaults to 199 unless the 'List Number' field is defined.

It is unlikely that both line 2 & 3 would be pasted into the same router. Line 2 would most likely be used on the router in AS5089, while line 3 would most likely be used on the router with a peering connection to AS5089.

no ip as-path access-list 199
ip as-path access-list 199 deny ^$
ip as-path access-list 199 deny _(5089)$

A more likely use of the 'AS-Path list' tool would use both the 'Include-ThisAS' and 'Customer-Recursive' options.

no ip as-path access-list 199
ip as-path access-list 199 deny ^$
ip as-path access-list 199 deny _(5089|5500|9011|12323|12616|15727|15926)$
ip as-path access-list 199 deny _(15952|16032)$

Rank Filtering

While working with the routing data that we collect, we have encountered many situations where network mis-configuration results in incorrect transit routing.

For any given network, it's various peering relationships usually fall into one of the three categories: Transit, Free-Peering or Customer.

Transit relationships usually provide a path to every corner of the Internet, so if a customer network receives routes from one transit and forwards them to another transit this could result in major traffic flow between the transits across the customer network.

Free-Peering relationships usually provide a shortcut paths to between each other's own and customer networks only. If a network received routes from one free-peer and forwards them to another free-peer, the network could find itself being loaded with large chunks of it's neighboring networks traffic.

Customer relationships usually provide paths to the customers network and to any customers of the customer. The routes received from one customer should be shared with other customers, free-peers and transits since that is what the customer relationship usually demands. However, if a customer gives you routes received from another of it's transits, you could find yourself pushing large amount of your network traffic across his potentially small capacity.

When you configure your routing filters purely on the basis of what you can see through a network, you can find yourself suffering from mis-configurations which lead to the above.

In collecting the large amounts of raw routing information required by the various tools on this site, we have the means to calculate a connectivity index for each and every network on the Internet. This allows to compare any two networks and assess which of the two is better connected to the rest of the Internet, and to make an calculated guess at the direction of each transit/customer relationship. We can then use this to limit the customer recursion to those with worse connected networks.

When this 'Ranking-Filter' option is selected, all customer relationships are considered for expansion, even it they also appear to provide transit routing. Without this option, all customer relationships are expanded except where they also provide transit routing.

If you haven't understood this explanation, we recommend that you set it the same as the 'Customer-Recursive' option.