Removing Private ASNs from the AS Path

2017-11-03 09:05:04

Problem

You want to prevent your internal private ASNs from reaching the public Internet.

Solution

You have to be extremely careful that any unregistered ASNs that you may be using don't propagate into the public Internet.

In this example, the router has a BGP connection to an ISP, which uses ASN 1. Our router uses ASN 2 and connects to another router with an unregistered ASN, 65500:

Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#interface Serial0 Router1(config-if)#description connection to ISP #1, ASN 1 Router1(config-if)#ip address 192.168.1.6 255.255.255.252 Router1(config-if)#exit Router1(config)#interface Serial1 Router1(config-if)#description connection to private network, ASN 65500 Router1(config-if)#ip address 192.168.5.1 255.255.255.252 Router1(config-if)#exit Router1(config)#router bgp 2 Router1(config-router)#neighbor 192.168.5.2 remote-as 65500 Router1(config-router)#neighbor 192.168.1.5 remote-as 1 Router1(config-router)#neighbor 192.168.1.5 remove-private-AS Router1(config-router)#no synchronization Router1(config-router)#exit Router1(config)#end Router1#

Discussion

An unregistered ASN is a little bit like an unregistered IP address, in that anybody can use it. So if your routing prefixes have an unregistered ASN, this information is eventually passed to another router somewhere else in the Internet, and that router happens to be using the same unregistered ASN, then that router will assume that there is a routing loop, and drop your routes.

Having said this, if you look on an Internet backbone router at any given moment, there is a reasonably good chance of seeing several unregistered ASNs being propagated. This is a dangerous situation because the misbehaving networks could well be working perfectly well today. But tomorrow somebody else could start using the same unregistered ASN. Every route from the first network will look like a loop when received by the second network. So two ASs will not be able to communicate if they both use the same ASN.

All of the work in this example is done by the simple remove-private-AS command. Here is what the BGP route table looks like on this router:

Router1#show ip bgp BGP table version is 6, local router ID is 192.168.55.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0 172.20.1.2 0 0 1 i *> 172.21.0.0 172.25.1.7 0 0 65500 i *> 172.25.1.0/24 172.25.1.7 0 0 65500 i Router1#

As you can see, we are receiving information about network 10.0.0.0 from the ISP router in AS 1, and 172.21.0.0 from the router with ASN 65500. Looking at the routes on the ISP router before turning on the remove-private-AS feature, you can see that this private ASN is propagating into the Internet, which is not allowed:

Router3#show ip bgp BGP table version is 8, local router ID is 172.20.100.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0 0.0.0.0 0 32768 i *> 172.21.0.0 172.20.1.1 0 2 65500 i *> 172.25.1.0/24 172.20.1.1 0 2 65500 i Router3#

But after turning on the command, as shown above, all of the private ASNs are removed, while the routes are propagated normally:

Be careful of this feature, though, because it can't remove private ASNs from the middle of an AS Path. If you have a topology where there is a public ASN behind a private one, it's not safe to remove the private ASN because you could cause routing loops. So the remove-private-AS feature completely gives up and passes on the entire path for routes that have a public ASN after a private ASN.

If this is the case, your only recourse is to suppress the route with the illegal path. Then, as long as you distribute a prefix that includes this route, everything will work.

Категории