Tuesday, June 5, 2012

Configuring BGP - Remove Private AS

Most of you are familiar with private IP addresses. Right? Well the basic concept behind private IP address is that they should not be in the global ISP routing table. Private IP addresses were created to conserve IPv4 space and not to be routed globally. There is something very similar in the BGP world called Private ASN. Bascially, these ASNs should never be advertised from one ISP to another ISP. BGP Private ASNs are to be used within an organization for internal purposes only.

In this blogtorial we will see how we can remove these private AS before sending our update to an ISP.

Consider this simple topology below and let's begin.


Imagine that R2 is your enterprise edge router with a private ASN. R3 is an ISP and R4 is an ISP. According to the BGP rules private ASNs should never be advertised from one ISP to another ISP. Therefore, our objective is to remove the private ASN before R3 advertises the routes to R4.

Our checklist: 
  • Provide a brief overview. 
  • Configure all of the necessary interfaces.
  • Configure BGP on all the devices.
  • Verify that private ASNs are not removed.
  • Configure removal of the private ASN in the BGP outgoing advertisements from R3 to R4.
  • Verify that private ASNs are removed. 
  • Conclusion.
So with that checklist let's begin with a brief overview.

Private ASN are 64512 - 65534
Public ASN are 1 - 64511
Remove-private-as will not work between iBGP neighbors and will only work on eBGP neighbors.
Remove-private-as will not work when it is a mix and match of private and public ASN in the AS_PATH. *Thanks to Gary for his comment*
Remove-private-as will not work when the eBGP peer ASN is in the AS_PATH.

Configure all of the necessary interfaces.
  1. Configure R2 Fast1/0 interface.
  2. Configure R2 loopback 1. 
  1. Configure R3 Fast1/0 interface.
  2. Configure R3 Fast1/1 interface.
  3. Configure R3 loopback 1 interface.
  1. Configure R4 Fast1/1 interface.
  2. Configure R4 Loopback 1 interface.
Configure BGP on all the routers
  • Create BGP relationship with R3 (remote-as 3)
  • Advertise R2 loopback 1.

  • Create BGP relationship with R2 and R4.
  • Advertise R3 loopback 1.
  • Create BGP relationship with R3
  • Advertise its loopback 1.
Verify that private ASNs are not removed. 

Only real place to check it would be at R4 to see whether it has private ASNs in its routing table. Remember ISPs should not be advertising prefixes with private ASN to other ISPs. 

As you can clearly see, R4 has received the private ASN 65002 from ASN 3 (R3). So now let's see how we can prevent advertisement of private ASNs. 

The only place we would need to do it is at R3. Because it is the ISPs edge and they cannot update the other ISPs with private ASN.

Configure removal of the private ASN in the BGP outgoing advertisements from R3 to R4.

Under the BGP configuration, 'neighbor <neighbor IP> remove-private-as' will remove any private ASN before sending the update to the neighbor.

Verify that private ASNs are removed. 

Notice that the private ASN 65002 is gone from 2.2.2.2/32.
Conclusion: 

As you can see, instead of manipulating ASPATH with route-maps and such, it is very easy to just 'remove private-as'. Needless to say I have used this plenty of times when I worked at an ISP (CTC). By the way, shout out to all my friends at Champaign Telephone Company (www.ctc.biz). 

All of the configurations for the routers in this lab are located here.

Please make sure to subscribe/comment/+1 if you like my posts. 

Thank you. 

2 comments:

  1. Note: You can only remove Private-AS from the BGP AS_PATH if the private AS (or AS's) are at the beginning; if the Private AS is surrounded on either side by a public AS you cannot remove it.

    ReplyDelete
    Replies
    1. Thank you for the comment. You are absolutely correct and I should have added that in the brief overview. To add on to the comment above, the AS PATH cannot contain a mix and match of private and public ASN in which case BGP will not remove the private AS. There are couple more instances where BGP will not remove private AS such as if the AS PATH contains the ASN of the eBGP neighbor.

      Delete