Re: BGP: striping private ASs

From: karim jamali <karim.jamali_at_gmail.com>
Date: Tue, 8 Dec 2009 17:25:53 +0200

Hello Jack,

Thank you for your response. I do understand your logic of thinking. It is
quite obvious that you will deny any private address from coming in on the
outside interface. I am just confused about something: do you want to deny
the updates that have a private AS completely (I mean filter the update), or
do you need to process the update, accept it, and just remove the private AS
from the list? These are completely different approaches.

The first one is just a filtering configuration that can be done with
neighbor filter-list and as-path access-lists.

The second one, i.e. to remove the private AS from appearing in the updates
when you receive the updates, is something different. The remove-private-as,
as far as I know, has to be done on the 1st AS that is directly connected to
the private AS, and then you can send the updates free of the private AS.
One way I have told you about is to use aggregate-address (not necessarily
to aggregate the subnets, just use the same subnet you are receiving) and
attempt to use the advertise-map with it (in order to change the attributes,
i.e. remove the private AS). But this will most likely affect the neighboring
routers, not the router you are on. I am not sure about the validity of this
solution.

Best Regards,

On Tue, Dec 8, 2009 at 5:12 PM, Jack Router <pan.router_at_gmail.com> wrote:

Hello Karim,

Exactly, I would like, if possible, to strip all private ASs from incoming
updates. I thought that there may be a single command to achieve this. There
is a single command to strip private ASs from outgoing packets
(remove-private-as).

As an analogy, I deny all private IPs (RFC 1918) from entering my firewall
and hitting servers on DMZs. I do this just in case, I do not expect private
IPs coming from the Internet anyway.

Using the same logic, would not it be preferable to strip private ASs at
once from entering a public network? Well, I have no practical experience
with BGP, so maybe such precaution is not needed anyway? I am asking for
training purposes only...

Thanks,

From: karim jamali [mailto:karim.jamali_at_gmail.com]
Sent: 8-Dec-09 04:49
To: Jack Router; Cisco certification
Subject: Re: BGP: striping private ASs

Hi Jack,

If I understood your question correctly it will be something of this sort:
2 Routers R1 & R2
R1 sends updates and R2 receives.
If R1 has updates containing private ASs then as you send them to R2 you
just need to remove those private ASs, so that R2 will only see public ASs.
The command neighbor R2 remove-private-as does this perfectly.

What you are looking for is how to do this on R2's side (Receiving side).
One way I just thought of would be to use the aggregate address command
(don't aggregate) use the same subnet you receive from R1 and modify the
attributes (using advertise-map) by removing the private AS from the
AS-Path.

I haven't tested this solution before btw.

From Cisco Documentation:
Using the advertise-map keyword selects specific routes that will be used to
build different components of the aggregate route, such as AS_SET or
community.

Best Regards,

On Tue, Dec 8, 2009 at 6:28 AM, Jack Router <pan.router_at_gmail.com> wrote:

Can I strip private AS numbers from incoming updates? I know that I can
strip private ASs with command:

R1(config-router)# neighbor R2 remove-private-as

In this case R1 does the job by stripping private ASs from updates sent to
R2. Can I strip private-as on R2 instead?

Thanks,

Received on Tue Dec 08 2009 - 17:25:53 ART
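
Added example (not part of the original thread and not posted by its participants): the first approach named in the top reply, filtering inbound updates with an as-path access-list and neighbor filter-list, as Cisco IOS configuration. The ACL number, the AS numbers and the neighbor address are assumed placeholders; the regex covers the 16-bit private range 64512-65535.

```cisco
! Added example: drop inbound updates whose AS_PATH contains a private ASN.
! Assumed placeholders: ACL 10, local AS 64500, neighbor 192.0.2.1 in AS 64496.
!
! deny: any AS_PATH with a hop in the 16-bit private range 64512-65535
!   6451[2-9]          64512-64519
!   645[2-9][0-9]      64520-64599
!   64[6-9][0-9][0-9]  64600-64999
!   65[0-4][0-9][0-9]  65000-65499
!   655[0-2][0-9]      65500-65529
!   6553[0-5]          65530-65535
! The leading and trailing "_" anchor the match to a whole AS number.
ip as-path access-list 10 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
! permit everything else (an as-path ACL ends with an implicit deny)
ip as-path access-list 10 permit .*
!
! apply the filter to updates received from this neighbor
router bgp 64500
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 filter-list 10 in
!
! After applying, re-evaluate already-received routes and check the result:
!   clear ip bgp 192.0.2.1 soft in
!   show ip bgp filter-list 10
```

This discards the whole update; it does not rewrite the AS_PATH, which is the second approach discussed in the thread.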
