Re: Missing BGP command - bgp enforce-first-as

From: Howard C. Berkowitz (hcb@gettcomm.com)
Date: Fri Jan 03 2003 - 13:21:22 GMT-3


At 10:33 PM +1100 1/3/03, Aidan Marks wrote:
>Not sure what else you need to know, but here is something - have
>not checked CCO for this, perhaps it's in the 12.0S stuff somewhere
>back around 12.0(2.6)S when it was implemented.
>
>Aidan

This is an interesting command. One of the first questions I'd have
is whether it's showing up in the running config, either in the no or
the positive form, if it's not configured.

Actually, it's a rather clever reality check on proper configuration
(primarily) and possibly routing system attacks (albeit a pretty
clumsy one). It's enforcing what is supposed to happen anyway.

Maybe I'm having a senior moment, but a neighbor command I vaguely
remember -- vaguely because no ISP I know would use it -- had an
"any" or "promiscuous" mode so any AS would form a neighbor
relationship. I can't find it, but the same effect could probably be
achieved with neighbor route-maps matching to an AS path filter
allowing anything.

>
>------------------------------
>bgp enforce-first-as
>
>To have Cisco IOS enforce the first AS (in the AS_PATH) of a route
>received from an eBGP peer to be the same as the remote AS configured, use
>the 'bgp enforce-first-as' command. To not enforce this rule, use the
>'no' form of the command.
>
>bgp enforce-first-as
>no bgp enforce-first-as
>
>Syntax Description
>
>This command has no arguments or keywords.
>
>Default
>
>The software does not require the first AS (in the AS_PATH) of a route
>received from an eBGP peer to be the same as the remote AS configured.
>
>Command Mode
>
>Router configuration mode.
>
>Usage Guidelines
>
>This command first appeared in Cisco IOS Release 12.0S.
>
>If 'bgp enforce-first-as' is enabled then any update (received from an
>eBGP neighbor) that does not have the neighbor's configured AS at the
>beginning of the AS_PATH will be denied. When configured, the command
>applies to all the eBGP peers of the router.
>
>Example
>
>The following example shows a configuration in which all incoming updates
>from the eBGP peers will be examined to guarantee that the first AS (in
>the AS_PATH) is in fact the same as the configured AS for that neighbor.
>
>!
>router bgp 109
> bgp enforce-first-as
> neighbor 131.108.1.1 remote-as 65001
> neighbor 160.89.2.33 remote-as 2051
>!
>
>Related Commands
>
>show ip bgp
>
>
>At 05:04 PM 3/01/2003, cebuano wrote:
>
>>Hi all.
>>I can't find any info on this command. Any help is greatly appreciated.
>>As per CCO.
>>* If you enabled bgp enforce-first-as and the UPDATE doesn't
>>contain the AS of the neighbor as the first AS number in the
>>AS_SEQUENCE, the router sends a notification and closes the session.
>>Thanks.
>>Elmer
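Added example, not part of the original thread and not Cisco's code: a sketch of the first-AS comparison the quoted command description refers to, run over constructed AS_PATH attribute values for the two neighbors in the quoted configuration. It assumes 2-octet AS numbers and treats a leading AS_SET or an empty path as a failure (both are this example's assumptions), and it only reports pass or fail, not what the router does next.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # AS_PATH segment type codes (RFC 4271)

# eBGP neighbors from the quoted configuration: peer address -> remote-as
NEIGHBORS = {"131.108.1.1": 65001, "160.89.2.33": 2051}

def parse_as_path(value: bytes):
    """Decode an AS_PATH value into [(segment_type, [asn, ...]), ...]; 2-octet ASNs assumed."""
    segments, offset = [], 0
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[offset], value[offset + 1]
        offset += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        end = offset + 2 * count
        if count == 0 or end > len(value):
            raise ValueError("bad segment length")
        segments.append((seg_type, list(struct.unpack(f"!{count}H", value[offset:end]))))
        offset = end
    return segments

def first_as_ok(peer: str, as_path_value: bytes) -> bool:
    """True only if the path starts with an AS_SEQUENCE whose first AS is
    the remote-as configured for this peer."""
    segments = parse_as_path(as_path_value)
    if not segments:
        return False  # assumption: an empty AS_PATH from an eBGP peer fails
    seg_type, asns = segments[0]
    # Assumption: a leading AS_SET has no ordered "first AS", so it fails.
    return seg_type == AS_SEQUENCE and asns[0] == NEIGHBORS[peer]

def segment(seg_type, *asns):
    """Build one wire-format segment for the constructed samples below."""
    return struct.pack(f"!BB{len(asns)}H", seg_type, len(asns), *asns)

# Constructed sample AS_PATH values (not captured traffic).
SAMPLES = [
    ("160.89.2.33", segment(AS_SEQUENCE, 2051, 701, 3561)),  # peer's AS first
    ("160.89.2.33", segment(AS_SEQUENCE, 701, 2051)),        # peer's AS present, not first
    ("131.108.1.1", segment(AS_SET, 65001, 65002)),          # leading AS_SET
    ("131.108.1.1", b""),                                    # empty path
]

if __name__ == "__main__":
    for peer, raw in SAMPLES:
        print(peer, parse_as_path(raw), "pass" if first_as_ok(peer, raw) else "fail")
```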



This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:40 GMT-3