Re: BGP: stripping private ASs

From: Bryan Bartik <bbartik_at_ipexpert.com>
Date: Thu, 10 Dec 2009 19:31:07 -0700

Here is a pretty good summary of the limitations of the command:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f27.shtml#topic1

On Thu, Dec 10, 2009 at 7:19 PM, Jack Router <pan.router_at_gmail.com> wrote:

> Perhaps I was not clear with what I want to achieve.
> I do not want to filter out completely private ASs, only remove private ASs
> from the AS path. Here is the scenario:
>
> R1--------R2--------R3--------R4--------R5
> As65501 AS65502 AS65503 AS400 AS500
>
> R1 advertises 1.0.0.0/8, R2 advertises 2.0.0.0/8 etc.
>
> Current BGP table on R5 is:
> Network    Next Hop    Metric LocPrf Weight Path
> *> 1.0.0.0 10.1.45.4                 0      400 65503 65502 65501 i
> *> 2.0.0.0 10.1.45.4                 0      400 65503 65502 i
> *> 3.0.0.0 10.1.45.4                 0      400 65503 i
> *> 4.0.0.0 10.1.45.4        0        0      400 i
> *> 5.0.0.0 0.0.0.0          0        32768  i
>
> Now I am stripping private AS on R4 with command:
> neighbor 10.1.45.5 remove-private-as
>
> As a result BGP table on R5 looks now like this:
>
> Network    Next Hop    Metric LocPrf Weight Path
> *> 1.0.0.0 10.1.45.4                 0      400 i
> *> 2.0.0.0 10.1.45.4                 0      400 i
> *> 3.0.0.0 10.1.45.4                 0      400 i
> *> 4.0.0.0 10.1.45.4        0        0      400 i
> *> 5.0.0.0 0.0.0.0          0        32768  i
>
> I was looking for a way to do the same thing on R5, but it looks like
> stripping private ASs globally can be done only on a router that is
> directly connected to the private AS (in this case R4), as you said below.
>
> Thanks,
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> karim jamali
> Sent: 8-Dec-09 10:26
> To: Cisco certification
> Subject: Re: BGP: stripping private ASs
>
> Hello Jack,
>
> Thank you for your response. I do understand your logic of thinking. It is
> quite obvious that you will deny any private address from coming in on the
> outside interface. I am just confused about something: do you want to deny
> the updates that have a private AS completely (I mean filter the update), or
> do you need to process the update, accept it, and just remove the private AS
> from the list? These are completely different approaches.
>
> The first one is just a filtering configuration that can be done with
> neighbor filter-list and as-path access-lists.
>
> The second one, i.e. removing the private AS from appearing in the updates
> when you receive them, is something different. The remove-private-as
> command, as far as I know, has to be done on the first AS that is directly
> connected to the private AS, and then you can send the updates free of the
> private AS.
> One way I have told you about is to use aggregate-address (not necessarily
> to aggregate the subnets, just use the same subnet you are receiving) and
> attempt to use the advertise-map with it (in order to change the attributes
> and remove the private AS). But this will most likely affect the neighboring
> routers, not the router you are on. I am not sure about the validity of this
> solution.
>
> Best Regards,
>
>
> On Tue, Dec 8, 2009 at 5:12 PM, Jack Router <pan.router_at_gmail.com> wrote:
>
> Hello Karim,
>
> Exactly, I would like, if possible, to strip all private ASs from incoming
> updates. I thought that there might be a single command to achieve this.
> There is a single command to strip private ASs from outgoing updates
> (remove-private-as).
>
> As an analogy, I deny all private IPs (RFC 1918) from entering my firewall
> and hitting servers on DMZs. I do this just in case; I do not expect
> private IPs coming from the Internet anyway.
>
> Using the same logic, would it not be preferable to strip private ASs at
> once from entering a public network? Well, I have no practical experience
> with BGP, so maybe such a precaution is not needed anyway? I am asking for
> training purposes only...
>
> Thanks,
>
> From: karim jamali [mailto:karim.jamali_at_gmail.com]
> Sent: 8-Dec-09 04:49
> To: Jack Router; Cisco certification
> Subject: Re: BGP: stripping private ASs
>
>
> Hi Jack,
>
> If I understood your question correctly, it will be something of this sort:
> 2 routers, R1 & R2.
> R1 sends updates and R2 receives.
> If R1 has updates containing private ASes, then as you send them to R2 you
> just need to remove those private ASes, so that R2 will only see public ASes.
> The command neighbor R2 remove-private-as does this perfectly.
>
> What you are looking for is how to do this on R2's side (receiving side).
> One way I just thought of would be to use the aggregate-address command
> (don't aggregate), use the same subnet you receive from R1, and modify the
> attributes (using advertise-map) by removing the private AS from the
> AS-Path.
>
> I haven't tested this solution before btw.
>
>
> From Cisco Documentation:
> Using the advertise-map keyword selects specific routes that will be used
> to build different components of the aggregate route, such as AS_SET or
> community.
>
> Best Regards,
> On Tue, Dec 8, 2009 at 6:28 AM, Jack Router <pan.router_at_gmail.com> wrote:
> Can I strip private AS numbers from incoming updates? I know that I can
> strip private ASs with the command:
>
> R1(config-router)# neighbor R2 remove-private-as
>
> In this case R1 does the job by stripping private ASs from updates sent to
> R2. Can I strip private ASs on R2 instead?
>
> Thanks,
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> --
> KJ

-- 
Bryan Bartik
CCIE #23707 (R&S, SP), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
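As an added illustration (not from this thread, and not Cisco's code), the following Python models the two mechanisms the thread contrasts: the egress-side remove-private-as behaviour, with the limitations described in the Cisco tech note linked above (private ASNs are removed only when the whole path is private, and never when the path contains the neighbor's own ASN; confederation handling is left out), and the receive-side filter-list alternative, where an as-path access-list can only deny an update containing a private ASN, not clean it. It assumes the 16-bit private range 64512-65534 and approximates the IOS `_` regex anchor with digit-boundary lookarounds; the topology is the constructed R1..R5 chain from the thread.

```python
import re

# 16-bit private ASN block (RFC 6996). 32-bit private ASNs are not
# modelled here (assumption, to keep the regex readable).
PRIVATE_ASN_MIN, PRIVATE_ASN_MAX = 64512, 65534


def is_private_asn(asn):
    """True for a 16-bit private ASN."""
    return PRIVATE_ASN_MIN <= asn <= PRIVATE_ASN_MAX


def remove_private_as(as_path, neighbor_asn):
    """Model the classic IOS remove-private-as rules from the linked tech note:
    - the path contains the eBGP neighbor's own ASN -> nothing is removed;
    - the path holds only private ASNs -> all of them are removed;
    - private and public ASNs are mixed -> treated as a configuration
      error, nothing is removed.
    Confederation segments are not modelled (simplification)."""
    if neighbor_asn in as_path:
        return list(as_path)
    if all(is_private_asn(a) for a in as_path):
        return []
    return list(as_path)


def advertise(local_asn, as_path, neighbor_asn, strip_private=False):
    """AS path an eBGP speaker in local_asn sends to neighbor_asn: optional
    private-AS removal happens before the local ASN is prepended."""
    path = remove_private_as(as_path, neighbor_asn) if strip_private else list(as_path)
    return [local_asn] + path


def path_seen_at_end(chain, strip_at=frozenset()):
    """Originate a prefix at chain[0] and pass it hop by hop to chain[-1],
    returning the AS path the last router sees. strip_at holds the ASNs
    whose routers have remove-private-as configured toward the next hop."""
    path = []
    for local, neighbor in zip(chain, chain[1:]):
        path = advertise(local, path, neighbor, strip_private=local in strip_at)
    return path


# Receive-side alternative from the thread: an inbound filter-list. This is
# the as-path regex for 64512-65534 written in Python syntax; the IOS '_'
# anchor is approximated with digit-boundary lookarounds (assumption).
PRIVATE_AS_RE = re.compile(
    r"(?<![0-9])(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}"
    r"|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-4])(?![0-9])"
)


def find_private_as(path_str):
    """Private ASNs found in a 'show ip bgp'-style path string."""
    return [int(m.group(1)) for m in PRIVATE_AS_RE.finditer(path_str)]


def inbound_filter_accepts(path_str):
    """True if a filter-list that denies any path containing a private ASN
    (and permits the rest) would accept the update. A denied route is
    dropped, not cleaned: this is the difference Karim points out."""
    return not find_private_as(path_str)


if __name__ == "__main__":
    # Constructed topology from the thread: R1..R5 in AS65501 ... AS500.
    chain = [65501, 65502, 65503, 400, 500]
    print("R5 sees (no stripping):", path_seen_at_end(chain))
    print("R5 sees (R4 strips):   ", path_seen_at_end(chain, strip_at={400}))
    # remove-private-as on R5 (AS500) acts on what R5 sends, so it changes
    # nothing about what R5 receives; the path is the same as without it.
    print("R5 sees (R5 'strips'): ", path_seen_at_end(chain, strip_at={500}))
    # Mixed public/private path: the classic rule leaves it untouched.
    print("mixed path from R4:    ", advertise(400, [65503, 200, 65501], 500, True))
    print("inbound filter accepts '400 65503 65502 65501 i':",
          inbound_filter_accepts("400 65503 65502 65501 i"))
```

Running the script reproduces the two tables in the thread: with stripping on R4, R5 sees `400` for 1.0.0.0, 2.0.0.0 and 3.0.0.0; with stripping configured on R5 instead, R5 still sees the full private path, which is why the receive side can only filter, not clean.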
Blogs and organic groups at http://www.ccie.net
Received on Thu Dec 10 2009 - 19:31:07 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 02 2010 - 11:11:08 ART