Perhaps I was not clear with what I want to achieve.
I do not want to filter out completely private ASs, only remove private ASs
from the AS path. Here is the scenario:
R1--------R2--------R3--------R4--------R5
AS65501   AS65502   AS65503   AS400     AS500
R1 advertises 1.0.0.0/8, R2 advertises 2.0.0.9/8 etc
Current BGP table on R5 is:
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.45.4                               0 400 65503 65502 65501 i
*> 2.0.0.0          10.1.45.4                               0 400 65503 65502 i
*> 3.0.0.0          10.1.45.4                               0 400 65503 i
*> 4.0.0.0          10.1.45.4                0              0 400 i
*> 5.0.0.0          0.0.0.0                  0          32768 i
Now I am stripping the private ASs on R4 with the command:
  neighbor 10.1.45.5 remove-private-as
As a result BGP table on R5 looks now like this:
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          10.1.45.4                               0 400 i
*> 2.0.0.0          10.1.45.4                               0 400 i
*> 3.0.0.0          10.1.45.4                               0 400 i
*> 4.0.0.0          10.1.45.4                0              0 400 i
*> 5.0.0.0          0.0.0.0                  0          32768 i
I was looking for a way to do the same thing on R5, but it looks like
stripping private ASs globally can be done only on a router that is directly
connected to the private AS (in this case R4), as you said below.
Thanks,
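As an added illustration, not part of this thread or of any Cisco code, the following Python models what remove-private-as on R4 does to the AS paths in the tables above, and adds the receive-side check R5 can still perform: detecting private ASNs in paths it receives even though it cannot strip them. The "strip only when the whole path is private" rule is the classic IOS behaviour; the strip_mixed flag and the public AS 100 used in the mixed-path case are constructed for the example.

```python
from __future__ import annotations

# Private ASN ranges per RFC 6996 (2-byte 64512-65534, 4-byte 4200000000-4294967294).
PRIVATE_2BYTE = range(64512, 65535)
PRIVATE_4BYTE = range(4200000000, 4294967295)

def is_private_asn(asn: int) -> bool:
    return asn in PRIVATE_2BYTE or asn in PRIVATE_4BYTE

def remove_private_as(path: list[int], local_as: int, strip_mixed: bool = False) -> list[int]:
    """Model of what R4 sends to R5: apply remove-private-as, then prepend local_as.

    path is the AS_PATH as R4 learned it (leftmost = most recently added AS).
    Classic IOS behaviour (strip_mixed=False): private ASNs are dropped only when
    every ASN in the path is private; a mixed public/private path is left untouched."""
    private = [a for a in path if is_private_asn(a)]
    if private and (strip_mixed or len(private) == len(path)):
        path = [a for a in path if not is_private_asn(a)]
    return [local_as] + path

def audit_received_paths(table: dict[str, list[int]]) -> dict[str, list[int]]:
    """Receive-side check for R5: prefixes whose path still carries private ASNs,
    which R5 cannot strip itself but can at least detect and report."""
    return {prefix: [a for a in path if is_private_asn(a)]
            for prefix, path in table.items()
            if any(is_private_asn(a) for a in path)}

# AS paths as R4 holds them before advertising to R5 (taken from the first table above).
R4_PATHS = {
    "1.0.0.0/8": [65503, 65502, 65501],
    "2.0.0.0/8": [65503, 65502],
    "3.0.0.0/8": [65503],
    "4.0.0.0/8": [],  # R4's own prefix, empty path
}

def r5_table_after_strip(strip_mixed: bool = False) -> dict[str, list[int]]:
    """Paths R5 ends up with once R4 applies remove-private-as toward it."""
    return {p: remove_private_as(path, 400, strip_mixed) for p, path in R4_PATHS.items()}

if __name__ == "__main__":
    for prefix, path in r5_table_after_strip().items():
        print(prefix, " ".join(map(str, path)), "i")          # every prefix now shows "400 i"
    # Constructed mixed case: a public AS 100 behind the private ones (not in the thread)
    print(remove_private_as([65503, 65502, 100], 400))        # [400, 65503, 65502, 100]
    print(remove_private_as([65503, 65502, 100], 400, True))  # [400, 100]
    print(audit_received_paths({"1.0.0.0/8": [400, 65503, 65502, 65501]}))
```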
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
karim jamali
Sent: 8-Dec-09 10:26
To: Cisco certification
Subject: Re: BGP: striping private ASs
Hello Jack,
Thank you for your response. I do understand your logic of thinking. It is
quite obvious that you will deny any private address from coming in on the
outside interface. I am just confused about something: do you want to deny
the updates that have a private AS completely (I mean filter the update), or
do you need to process the update, accept it and just remove the private AS
from the list? These are completely different approaches.
The first one is just a filtering configuration that can be done with
neighbor filter-list and as-path access-lists.
The second one, i.e. to remove the private AS from appearing in the updates
when you receive the updates, is something different. The remove-private-as,
as far as I know, has to be done on the first AS that is directly connected to
the private AS, and then you can send the updates free of the private AS.
One way I have told you about is to use aggregate-address (not necessarily
to aggregate the subnets; just use the same subnet you are receiving) and
attempt to use the advertise-map with it (in order to change the attributes
and remove the private AS). But this will most likely affect the neighboring
routers, not the router you are ON. I am not sure about the validity of this
solution.
Best Regards,
On Tue, Dec 8, 2009 at 5:12 PM, Jack Router <pan.router_at_gmail.com> wrote:
Hello Karim,
Exactly, I would like, if possible, to strip all private ASs from incoming
updates. I thought that there might be a single command to achieve this. There
is a single command to strip private ASs from outgoing packets
(remove-private-as).
As an analogy, I deny all private IPs (RFC 1918) from entering my firewall
and hitting servers on DMZs. I do this just in case; I do not expect private
IPs coming from the Internet anyway.
Using the same logic, would it not be preferable to strip private ASs at
once from entering a public network? Well, I have no practical experience
with BGP, so maybe such a precaution is not needed anyway? I am asking for
training purposes only...
Thanks,
From: karim jamali [mailto:karim.jamali_at_gmail.com]
Sent: 8-Dec-09 04:49
To: Jack Router; Cisco certification
Subject: Re: BGP: striping private ASs
Hi Jack,
If I understood your question correctly it will be something of this sort:
2 Routers R1 & R2
R1 sends updates and R2 receives.
If R1 has updates containing private ASs, then as you send them to R2 you
just need to remove those private ASs, so that R2 will only see public ASs.
The command neighbor R2 remove-private-as does this perfectly.
What you are looking for is how to do this on R2's side (Receiving side).
One way I just thought of would be to use the aggregate-address command
(don't aggregate): use the same subnet you receive from R1 and modify the
attributes (using advertise-map) by removing the private AS from the
AS-Path.
I haven't tested this solution before btw.
From Cisco Documentation:
Using the advertise-map keyword selects specific routes that will be used to
build different components of the aggregate route, such as AS_SET or
community.
Best Regards,
On Tue, Dec 8, 2009 at 6:28 AM, Jack Router <pan.router_at_gmail.com> wrote:
Can I strip private as numbers from incoming updates? I know that I can
strip private ASs with command:
R1(config-router)# neighbor R2 remove-private-as
In this case R1 does the job by stripping private ASs from updates sent to
R2. Can I strip private-as on R2 instead ?
Thanks,
Received on Thu Dec 10 2009 - 21:19:04 ART
This archive was generated by hypermail 2.2.0 : Sat Jan 02 2010 - 11:11:08 ART