Consider the diagram below. Let's say R1 is in Company A and is connected to its ISP using the private AS number 65535. The task here is to filter out any private AS number before routes are announced to R2, so that R2 sees only the ISP's AS number.
First, I configured the IP addresses indicated in the diagram, then created Loopback0 and Loopback10 on R1 and ISP and advertised them in BGP. Of course, all routers have BGP established. I have also announced networks 123.123.123.123/32 and 12.12.12.12/32 on the ISP router.
Now, let's check what R2 sees in its BGP table.
R2#sh ip bgp
BGP table version is 5, local router ID is 192.168.20.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       192.168.20.20                          0 100 65535 i
*> 11.11.11.11/32   192.168.20.20                          0 100 65535 i
*> 12.12.12.12/32   192.168.20.20            0             0 100 i
*> 123.123.123.123/32
                    192.168.20.20            0             0 100 i
We see that the AS path to reach 1.1.1.1/32 and 11.11.11.11/32 goes through AS 100 and then AS 65535. Let's configure filtering on the ISP router so that it does not advertise this private AS and instead makes the ISP's AS the originating AS.
ISP(config)#router bgp 100
ISP(config-router)#neighbor 192.168.20.1 remove-private-as
The "remove-private-as" keyword appended to the neighbor statement ensures that any private AS connected to the ISP does not appear in the AS path advertised to that neighbor. Let's clear BGP by running "clear ip bgp * soft" on the ISP router and then look at R2's BGP table.
R2#sh ip bgp
BGP table version is 7, local router ID is 192.168.20.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       192.168.20.20                          0 100 i
*> 11.11.11.11/32   192.168.20.20                          0 100 i
*> 12.12.12.12/32   192.168.20.20            0             0 100 i
*> 123.123.123.123/32
                    192.168.20.20            0             0 100 i
The networks from R1 now appear to originate from AS 100; the private AS number was removed by the command we issued. Note that this command works in the outbound direction and should be configured on the router in the public AS that has private ASes connected to it. I tried this command on R2 before I added it on ISP, but it didn't work because, as I mentioned, this works in the outbound direction. Lab is done; proceeding to the next one, or perhaps I might read some cool manga like my favorite, One Piece! :)
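An added example, not part of the original post: a Python check that parses "show ip bgp" output and reports prefixes whose AS path still carries a private AS number, run over R2's table before and after the change. The sample tables are reconstructed from the output above with IOS column alignment; the function names and the choice to treat 64512-65535 as private (so that AS 65535 is flagged) are assumptions of this example.

```python
import re

# Assumption: 64512-65535 counts as private so the lab's AS 65535 is caught;
# 4200000000-4294967294 is the 4-byte private range from RFC 6996.
PRIVATE_RANGES = ((64512, 65535), (4200000000, 4294967294))

# Constructed sample: R2's table before the fix, columns aligned as IOS prints them.
BEFORE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       192.168.20.20                          0 100 65535 i
*> 11.11.11.11/32   192.168.20.20                          0 100 65535 i
*> 12.12.12.12/32   192.168.20.20            0             0 100 i
*> 123.123.123.123/32
                    192.168.20.20            0             0 100 i
"""
AFTER = BEFORE.replace("100 65535 i", "100 i")  # same table after remove-private-as

def is_private(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)

def parse_paths(table):
    """Return {prefix: [AS path, ...]}, locating paths by the header's Path column."""
    paths, path_col, prefix = {}, None, None
    for line in table.splitlines():
        if "Network" in line and "Path" in line:
            path_col = line.index("Path")
        elif path_col is not None and line.strip():
            if len(line) > 3 and line[3] != " ":   # a prefix starts in column 3
                prefix = line[3:].split()[0]
            if prefix and len(line) > path_col:    # wrapped prefix lines carry no path
                asns = [int(a) for a in re.findall(r"\d+", line[path_col:])]
                paths.setdefault(prefix, []).append(asns)
    return paths

def private_as_leaks(table):
    """Return {prefix: sorted private ASNs seen in any of its AS paths}."""
    leaks = {}
    for prefix, as_paths in parse_paths(table).items():
        found = sorted({a for p in as_paths for a in p if is_private(a)})
        if found:
            leaks[prefix] = found
    return leaks

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, private_as_leaks(table) or "no private AS in any path")
```

Slicing at the Path column keeps Metric, LocPrf and Weight values from being mistaken for AS numbers, which matters because a weight can fall inside the private range.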
YOU ARE AN AMAZING GUY. THAT IS GOOD. ARE YOU DOING CCIE R&S OR HAVE YOU YOUR CCIE?
Jean-Marie NGOK
CCNA, CCNP and CCIE R&S (Written).
jm.ngok@gmail.com
still preparing...
Pete, first of all, thank you for what you're doing, you are simplifying things for us and your material is easy to read. All this is very appreciated. My question regarding this example is that isn't this the job of the ISP? to remove private AS#? Are we even allowed to access the ISP router to make these changes? Pls let me know. Thanks again.
Sharp
This can be done as well in an enterprise scenario. Imagine you have two ASes in your company: one has a public AS number and the other has a private AS number. The one with the public AS connects to the ISP directly, so you can filter the private ASes in this AS.
This was a great post, thanks for the info! I am using this to study for the CCIE SP.