Re: HIDE BGP AS

From: Petr Lapukhov <petr_at_internetworkexpert.com>
Date: Tue, 11 Aug 2009 12:33:29 -0700

Hi again,

OK, I might have misunderstood your scenario. But it seems you are
confusing two features:

1) Remove private AS: strips any number of a continuous private AS
repetition in the path
2) Hide-local AS/replace AS: masks local AS number and pretends to be
a different AS

The purposes of the two features are different.

1) If you mask your AS with a private AS# of the customers
(hide/replace), it's up to your peer to strip the private AS# when
sending updates to other neighbors.
2) If you want to hide the private AS of your customer, you only need
to strip the private AS when advertising updates to your peers. The
routes will appear like they originate in your AS.

You may configure the two features on different peering sessions
depending on your needs.

HTH,

-- 
Petr Lapukhov, petr_at_INE.com
CCIE #16379 (R&S/Security/SP/Voice)
Internetwork Expert, Inc.
http://www.INE.com
Toll Free: 877-224-8987
Outside US: 775-826-4344

2009/8/9 jack daniels <jckdaniels12_at_gmail.com>:
> Hi Petr,
>
> But over here If I try L3 - Please see below option marked with <<<<<<<<<<<<
>
>
> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f27.shtml
>
> To remove the private AS number, use the *neighbor x.x.x.x remove-private-as*
> router configuration command.
>
> The *neighbor x.x.x.x remove-private-as* per-neighbor configuration command
> forces BGP to drop the private AS numbers. You can configure this command
> for external BGP neighbors. When the outbound update contains a sequence of
> private AS numbers, this sequence is dropped.
>
> The following conditions apply:
>
> - You can only use this solution with external BGP (eBGP) peers.
>
> - If the update has only private AS numbers in the AS_PATH, BGP
> removes these numbers.
>
> - If the AS_PATH includes both private and public AS numbers, BGP
> doesn't remove the private AS numbers. This situation is considered a
> configuration error.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> - If the AS_PATH contains the AS number of the eBGP neighbor, BGP
> does not remove the private AS number.
>
> - If the AS_PATH contains confederations, BGP removes the private AS
> numbers only if they come after the confederation portion of the AS_PATH.
>
> Regards
> J.Daniels
>
>
> On 8/10/09, Petr Lapukhov <petr_at_internetworkexpert.com> wrote:
>>
>> Hey Jack,
>>
>> Nice to see that idea popping up again :) This is what I've been
>> actually using in production to hide an intermediate ISP (ISP1 below)
>> from showing in the path between Customer/ISP2.
>>
>> Customer---ISP1---ISP2---Internet
>>
>> Like you said, using "local-as no-prepend replace-as" (Cisco commands)
>> configured for ISP1 BGP peering sessions with "Customer" and "ISP2"
>> would do the trick of hiding ISP1's AS#. ISP1 will pretend to look
>> like "Customer" to ISP2, and look like "ISP2" to "Customer".
>> Furthermore, you may use tunneling in ISP1 (e.g. deploy MPLS) and make
>> it look almost completely transparent to "Customer".
>>
>> An alternative to this would be using a Layer 2 VPN solution like you
>> mentioned. However, using this pure L3 solution has added benefits of
>> controlling the prefixes advertised by customer/upstream ISP and more
>> granular control of the traffic entering ISP1 at the edge.
>>
>> HTH,
>>
>> --
>> Petr Lapukhov, petr_at_INE.com
>> CCIE #16379 (R&S/Security/SP/Voice)
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com
>> Toll Free: 877-224-8987
>> Outside US: 775-826-4344
>>
>> 2009/8/9 jack daniels <jckdaniels12_at_gmail.com>:
>> > Hi All,
>> >
>> > We had a requirement in which customer wants that the ISP- AS should not be
>> > visible when route are advertised to internet via a upstream(L2 VPN
>> > solution).
>> > Can we use BGP command no-prepend with Replace AS attribute to hide ISP AS
>> > in internet. ------------
>> >
>> > Can we peer with customer using local AS which will be private AS. We will
>> > use no prepend command along with Replace AS which will replace ISP AS with
>> > the private AS which is used for Peering. While going out to any
>> > international Peer we will remove private AS. On internet only customer AS
>> > and Peer AS will be visible.
>> >
>> > Please advise is this solution will work . Also advise if any better
>> > solution for this scenario.
>> >
>> > Thanks and Regards
>> > J.Daniels
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
Received on Tue Aug 11 2009 - 12:33:29 ART
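
Added example (not part of the original thread): a small Python model of the remove-private-as conditions quoted above from the Cisco tech note, followed by the normal eBGP prepend of the advertising AS. The AS numbers, the function names and the omission of confederation handling are assumptions made for this illustration.

```python
# Added illustration, not router code and not from the thread's authors.
# Models the remove-private-as conditions as quoted from the Cisco tech note.
# All AS numbers are constructed; 64496-64511 are documentation (public) ASNs.

PRIVATE_AS = range(64512, 65536)  # 2-byte private AS range


def is_private(asn):
    return asn in PRIVATE_AS


def remove_private_as(as_path, neighbor_as, neighbor_is_ebgp=True):
    """Return the AS_PATH after the quoted conditions are applied.

    Confederation segments are not modelled (assumption of this sketch).
    """
    if not neighbor_is_ebgp:
        return list(as_path)          # only applies to eBGP peers
    if neighbor_as in as_path:
        return list(as_path)          # neighbor's AS in path: nothing removed
    if as_path and all(is_private(a) for a in as_path):
        return []                     # only private ASNs: sequence dropped
    return list(as_path)              # mixed private/public: left untouched


def advertise(as_path, local_as, neighbor_as, strip_private=False):
    """Build the AS_PATH of an outbound eBGP update.

    Private ASNs are stripped first (if configured), then the advertising
    AS is prepended, so a stripped route appears to originate in local_as.
    """
    path = remove_private_as(as_path, neighbor_as) if strip_private else list(as_path)
    return [local_as] + path


if __name__ == "__main__":
    ISP_AS, PEER_AS, CUSTOMER_AS = 64496, 64497, 65001  # constructed values
    # Customer route learned with a private origin AS, sent on to the peer.
    print(advertise([CUSTOMER_AS], ISP_AS, PEER_AS))                      # leaks private AS
    print(advertise([CUSTOMER_AS], ISP_AS, PEER_AS, strip_private=True))  # hidden
    # Mixed path: the condition marked in the thread, private AS stays visible.
    print(advertise([CUSTOMER_AS, 64499], ISP_AS, PEER_AS, strip_private=True))
```

Comparing the first and third outputs against what an upstream actually receives is a quick way to check whether a private AS is leaking past the session where it was meant to be stripped.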

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:56 ART