Hello Karim,
Exactly, I would like, if possible, to strip all private ASs from incoming
updates. I thought that there may be a single command to achieve this. There
is a single command to strip private ASs from outgoing packets
(remove-private-as).
As an analogy, I deny all private IPs (RFC 1918) from entering my firewall
and hitting servers on DMZs. I do this just in case, I do not expect private
IPs coming from the Internet anyway.
Using the same logic, would it not be preferable to strip private ASs at
once from entering a public network? Well, I have no practical experience
with BGP, so maybe such a precaution is not needed anyway? I am asking for
training purposes only...
Thanks,
From: karim jamali [mailto:karim.jamali_at_gmail.com]
Sent: 8-Dec-09 04:49
To: Jack Router; Cisco certification
Subject: Re: BGP: striping private ASs
Hi Jack,
If I understood your question correctly it will be something of this sort:
2 Routers R1 & R2
R1 sends updates and R2 receives.
If R1 has updates containing private ASes, then as you send them to R2 you
just need to remove those private ASes, so that R2 will only see public ASes.
The command neighbor R2 remove-private-as does this perfectly.
What you are looking for is how to do this on R2's side (receiving side).
One way I just thought of would be to use the aggregate address command
(don't aggregate), use the same subnet you receive from R1, and modify the
attributes (using advertise-map) by removing the private AS from the
AS-Path.
I haven't tested this solution before btw.
From Cisco Documentation:
Using the advertise-map keyword selects specific routes that will be used to
build different components of the aggregate route, such as AS_SET or
community.
Best Regards,
On Tue, Dec 8, 2009 at 6:28 AM, Jack Router <pan.router_at_gmail.com> wrote:
Can I strip private as numbers from incoming updates? I know that I can
strip private ASs with command:
R1(config-router)# neighbor R2 remove-private-as
In this case R1 does the job by stripping private ASs from updates sent to
R2. Can I strip private-as on R2 instead?
Thanks,
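
The firewall analogy from the first message, as an added example that is not part of the original thread: it models an ingress policy that rejects any received route whose AS_PATH contains a private-use ASN, rather than rewriting the path in place. The ranges are the private-use ranges from RFC 6996; the function names and the sample updates (documentation prefixes and documentation ASNs) are constructed for illustration.

```python
import re

# Private-use ASN ranges per RFC 6996 (16-bit and 32-bit), inclusive.
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))


def parse_as_path(path):
    """Return every ASN in an AS_PATH string as an int.

    Accepts plain numbers, asdot notation (high.low) and the brackets
    routers print around AS_SETs or confederation segments.
    """
    asns = []
    for token in re.findall(r"\d+(?:\.\d+)?", path):
        if "." in token:
            high, low = (int(part) for part in token.split("."))
            if high > 0xFFFF or low > 0xFFFF:
                raise ValueError("invalid asdot ASN: " + token)
            asns.append(high * 65536 + low)
        else:
            asns.append(int(token))
    return asns


def is_private(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)


def inbound_filter(updates):
    """Split (prefix, as_path) pairs into accepted prefixes and rejected
    (prefix, offending ASNs) pairs, like an inbound deny on private ASNs."""
    accepted, rejected = [], []
    for prefix, path in updates:
        leaked = [asn for asn in parse_as_path(path) if is_private(asn)]
        if leaked:
            rejected.append((prefix, leaked))
        else:
            accepted.append(prefix)
    return accepted, rejected


# Constructed sample updates: documentation prefixes, and documentation
# ASNs (64496-64511) standing in for public ASNs.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", "64496 64497 64500"),
    ("198.51.100.0/24", "64496 65001 64500"),      # private ASN mid-path
    ("203.0.113.0/24", "64497 {64512,64501}"),     # private ASN in an AS_SET
    ("2001:db8::/32", "64496 64086.59904"),        # asdot for 4200000000
]

if __name__ == "__main__":
    print(inbound_filter(SAMPLE_UPDATES))
```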
Received on Tue Dec 08 2009 - 10:12:54 ART