Re: Missing BGP command - bgp enforce-first-as

From: Aidan Marks (amarks@cisco.com)
Date: Fri Jan 03 2003 - 17:58:27 GMT-3


At 03:21 AM 4/01/2003, Howard C. Berkowitz wrote:

>At 10:33 PM +1100 1/3/03, Aidan Marks wrote:
>>Not sure what else you need to know, but here is something - have not
>>checked CCO for this, perhaps it's in the 12.0S stuff somewhere back
>>around 12.0(2.6)S when it was implemented.
>>
>>Aidan
>
>This is an interesting command. One of the first questions I'd have is
>whether it's showing up in the running config, either in the no or the
>positive form, if it's not configured.

Default is off; if enabled, we nvgen "bgp enforce-first-as".

There was an issue with this command not being removed once entered. Fixed
in 22S.

As far as I can see, this command is integrated in 12.0S only.

>Actually, it's a rather clever reality check on proper configuration
>(primarily) and possibly routing system attacks (albeit a pretty clumsy
>one). It's enforcing what is supposed to happen anyway.
>
>Maybe I'm having a senior moment, but a neighbor command I vaguely
>remember -- vaguely because no ISP I know would use it -- had an "any" or
>"promiscuous" mode so any AS would form a neighbor relationship. I can't
>find it, but the same effect could probably be achieved with neighbor
>route-maps matching to an AS path filter allowing anything.

fwiw, you are probably thinking of "neighbor any <acl>" that was talked
about in 12.0, 12.1 and 12.2 docs, but since the command is not
relevant/does not exist, it was removed from all the docs back in May 2001.

Aidan

>>------------------------------
>>bgp enforce-first-as
>>
>>To have Cisco IOS enforce the first AS (in the AS_PATH) of a route
>>received from an eBGP peer to be the same as the remote AS configured, use
>>the 'bgp enforce-first-as' command. To not enforce this rule, use the
>>'no' form of the command.
>>
>>bgp enforce-first-as
>>no bgp enforce-first-as
>>
>>Syntax Description
>>
>>This command has no arguments or keywords.
>>
>>Default
>>
>>The software does not require the first AS (in the AS_PATH) of a route
>>received from an eBGP peer to be the same as the remote AS configured.
>>
>>Command Mode
>>
>>Router configuration mode.
>>
>>Usage Guidelines
>>
>>This command first appeared in Cisco IOS Release 12.0S.
>>
>>If 'bgp enforce-first-as' is enabled then any update (received from an
>>eBGP neighbor) that does not have the neighbor's configured AS at the
>>beginning of the AS_PATH will be denied. When configured, the command
>>applies to all the eBGP peers of the router.
>>
>>Example
>>
>>The following example shows a configuration in which all incoming updates
>>from the eBGP peers will be examined to guarantee that the first AS (in
>>the AS_PATH) is in fact the same as the configured AS for that neighbor.
>>
>>!
>>router bgp 109
>> bgp enforce-first-as
>> neighbor 131.108.1.1 remote-as 65001
>> neighbor 160.89.2.33 remote-as 2051
>>!
>>
>>Related Commands
>>
>>show ip bgp
>>
>>
>>At 05:04 PM 3/01/2003, cebuano wrote:
>>
>>>Hi all.
>>>I can't find any info on this command. Any help is greatly appreciated.
>>>As per CCO.
>>>* If you enabled bgp enforce-first-as and the UPDATE doesn't
>>>contain the AS of the neighbor as the first AS number in the
>>>AS_SEQUENCE, the router sends a notification and closes the session.
>>>Thanks.
>>>Elmer


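Added example, not part of the original thread and not Cisco's code: a Python sketch of the check the quoted documentation describes, decoding an AS_PATH attribute value and comparing its leftmost AS with the neighbor's configured remote AS. The function names, the sample paths (using private ASNs 64512/64513) and the choice to treat an empty, malformed or AS_SET-led path as a failure are assumptions made for illustration.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # AS_PATH segment type codes (RFC 4271)

def parse_as_path(value: bytes, asn_size: int = 2):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...]."""
    fmt = {2: "!H", 4: "!I"}[asn_size]  # 2-octet or 4-octet AS numbers
    segments, off = [], 0
    while off < len(value):
        if off + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[off], value[off + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        off += 2
        end = off + count * asn_size
        if end > len(value):
            raise ValueError("truncated segment body")
        asns = [struct.unpack_from(fmt, value, i)[0] for i in range(off, end, asn_size)]
        segments.append((seg_type, asns))
        off = end
    return segments

def first_as_ok(value: bytes, remote_as: int, asn_size: int = 2) -> bool:
    """True only if the leftmost AS in the path equals the configured remote AS.
    Assumption: empty, malformed or AS_SET-led paths fail the check."""
    try:
        segments = parse_as_path(value, asn_size)
    except ValueError:
        return False
    if not segments:
        return False
    seg_type, asns = segments[0]
    return seg_type == AS_SEQUENCE and bool(asns) and asns[0] == remote_as

def seq(*asns):
    """Build a 2-octet AS_SEQUENCE segment (helper for the constructed samples)."""
    return bytes([AS_SEQUENCE, len(asns)]) + b"".join(struct.pack("!H", a) for a in asns)

# Constructed samples: (neighbor, configured remote-as, received AS_PATH value).
# Neighbors and remote-as values mirror the quoted configuration example.
SAMPLES = [
    ("131.108.1.1", 65001, seq(65001, 64512)),   # neighbor's AS is first
    ("160.89.2.33", 2051, seq(64513, 2051)),     # another AS precedes the neighbor's
    ("160.89.2.33", 2051, b""),                  # empty AS_PATH from an eBGP peer
    ("131.108.1.1", 65001, bytes([AS_SET, 1]) + struct.pack("!H", 65001)),
]

def evaluate(samples=SAMPLES):
    return [(peer, first_as_ok(path, ras)) for peer, ras, path in samples]

if __name__ == "__main__":
    for peer, ok in evaluate():
        print(peer, "accept" if ok else "deny")
```
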

This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:40 GMT-3