BGP AS Path Manipulation

BGP Local-AS, No-Prepend, Dual-AS, AS-Override, Remove Private AS, and Allow AS IN Options

When two companies merge, one of the two ASNs is usually returned to the Regional Internet Registry (RIR). During the migration, each organization must keep its existing ASN while its peering neighbors’ configurations are changed.

The Local-AS feature is configurable per peer and allows a BGP session to be established using a different ASN than the one configured on the BGP process. Local-AS is supported only on eBGP peerings.

“local-as” is a straightforward command. It simply inserts the AS number given after the local-as keyword into the BGP messages exchanged with that neighbor, making the eBGP neighbor believe the router is in a different AS than the one configured under “router bgp {ASN}”.

For example, R1 may be running BGP ASN 65001 but needs to present itself to its eBGP neighbor as ASN 65222. If the network between R1 and R2 is 10.1.0.0/24, with R1 being .1 and R2 being .2, the setup looks like this:

R1:

router bgp 65001
neighbor 10.1.0.2 remote-as 65002
neighbor 10.1.0.2 local-as 65222

R2:

router bgp 65002
neighbor 10.1.0.1 remote-as 65222

If we look at the BGP table, we can see that ASN 65222 has been prepended.

R1:

show ip bgp | b Net

Network     Next Hop     Metric  LocalPrf  Weight  Path
1.1.1.0     0.0.0.0      0                 32768   i
2.2.2.0     10.1.0.2     0                 0       65222 65002 i

R2:

show ip bgp | b Net

Network     Next Hop     Metric  LocalPrf  Weight  Path
1.1.1.0     10.1.0.1     0                 0       65222 65001 i
2.2.2.0     0.0.0.0      0                 32768   i

The fact that ASN 65222 is being prepended should stand out. This is due to R1’s use of the “local-as” command. Unless we add the “no-prepend” keyword to the “local-as” command on R1, every prefix received from the eBGP neighbor configured with that command will automatically have the local-as value prepended.

Let’s look at what happens when we use the “no-prepend” option:

R1:

router bgp 65001
neighbor 10.1.0.2 local-as 65222 no-prepend

R1:

show ip bgp | b Net

Network     Next Hop     Metric  LocalPrf  Weight  Path
1.1.1.0     0.0.0.0      0                 32768   i
2.2.2.0     10.1.0.2     0                 0       65002 i

We can see that 65222 is no longer displayed in the BGP table.

The “no-prepend” keyword modifies the router’s default “local-as” behavior so that the alternate AS number is no longer prepended to the BGP prefixes received from that neighbor.

You also have the option to use “replace-as”. When using the “hide” local-AS functionality, keep in mind that external peers will see both the local-AS and the actual AS number prepended to the AS-PATH. It is often preferable to hide the actual AS number entirely, that is, the one configured with the router bgp command. To do so, use the local-as command with the no-prepend replace-as arguments. With this combination the true AS number is replaced by the one supplied in the local-as command. Because that number appears both in the AS-PATH and in the BGP OPEN messages, the neighbor will believe that all routes are received from the AS number defined with the local-as command.

For example, with the following configuration neighbor 10.1.0.2 will only see AS 65222 in the AS_PATH and in the BGP OPEN messages:

R1:

router bgp 65001
neighbor 10.1.0.2 local-as 65222 no-prepend replace-as

Now, if we add “dual-as”, neighbor 10.1.0.2 will be able to peer with R1 using AS 65001, the new AS after the migration, as well as with 65222. When R2 peers with AS 65001 the AS-PATH value will be 65001; if you update neighbor 10.1.0.2 to peer with AS 65222 instead, the AS-PATH changes to 65222.

R1:

router bgp 65001
neighbor 10.1.0.2 local-as 65222 no-prepend replace-as dual-as
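As an added example (not from the original post), the following Python model replays the local-as, no-prepend, replace-as and dual-as behaviour described above on the R1/R2 setup; the class and function names are my own, and the behaviour follows the text and show outputs on this page.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class LocalAsPeer:
    """Per-neighbor settings modelled from the IOS commands in the text."""
    real_as: int                  # ASN from "router bgp {ASN}"
    local_as: int | None = None   # ASN from "neighbor X local-as"
    no_prepend: bool = False
    replace_as: bool = False
    dual_as: bool = False


def outbound_path(peer: LocalAsPeer, path: list[int]) -> list[int]:
    """AS_PATH as the eBGP neighbor receives it after we add our own hop."""
    if peer.local_as is None:
        return [peer.real_as] + path
    if peer.replace_as:
        # no-prepend replace-as: the real ASN is hidden entirely.
        return [peer.local_as] + path
    # Plain local-as: the neighbor sees both the alternate and the real ASN.
    return [peer.local_as, peer.real_as] + path


def inbound_path(peer: LocalAsPeer, path: list[int]) -> list[int]:
    """AS_PATH as stored in our BGP table after receiving it from that neighbor."""
    if peer.local_as is None or peer.no_prepend:
        return list(path)
    # Default local-as behaviour: the alternate ASN is prepended on receipt.
    return [peer.local_as] + path


def session_accepted(peer: LocalAsPeer, neighbor_remote_as: int) -> bool:
    """Does the session come up for the 'remote-as' the neighbor has for us?"""
    open_as = peer.real_as if peer.local_as is None else peer.local_as
    if neighbor_remote_as == open_as:
        return True
    # dual-as lets the neighbor peer with either ASN during the migration.
    return peer.dual_as and neighbor_remote_as == peer.real_as


if __name__ == "__main__":
    r1 = LocalAsPeer(real_as=65001, local_as=65222)
    print("R2 sees 1.1.1.0 via", outbound_path(r1, []))       # [65222, 65001]
    print("R1 stores 2.2.2.0 via", inbound_path(r1, [65002]))  # [65222, 65002]
```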

These are just a couple of ways to manipulate AS-Paths. We also have:

“remove-private-as” peer option:

Enterprises use private AS numbers in the range 64512–65535. Private AS numbers are similar to RFC 1918 IP addresses in that they let an organization run BGP without consuming a globally unique AS number. For the same reason, private AS numbers should not be visible on the public Internet, because other sites may use the same number. As a result, the AS that provides the private site’s upstream connection should strip the private AS numbers from the AS-PATH attribute.

“neighbor {IPAddress} remove-private-as” is the IOS command for removing private AS numbers from the AS-PATH. The AS-PATH of every BGP update sent to this neighbor is checked for a sequence of private AS numbers at its start. After all private numbers have been removed, the local AS number is prepended. If no private AS sequence is found at the start of the AS-PATH, nothing is stripped and the AS-PATH remains unaltered. Note that remove-private-as only affects outbound (egress) updates; therefore, it is only used at network egress points.

“allowas-in” peer option:

Because of BGP’s loop-prevention rule, a BGP speaker does not accept prefixes that carry its own AS number in the AS-PATH. In some circumstances, however, it may be preferable to accept routes that originate in the same AS but are routed through another AS:

1. The company’s network is divided into partitions, each of which is connected to the Internet or an ISP. Every partition uses the same AS number but has its own set of prefixes. To exchange prefixes, the partitions must accept NLRIs carrying their own AS number.

2. The company connects to an ISP and intends to use it as a transit path if its network becomes partitioned in an emergency. In this case the border peers must accept the prefixes they themselves advertised to the ISP.

The Cisco IOS command “neighbor {IPAddress} allowas-in {count}” allows you to accept prefixes carrying the local AS number from a specific peer. Count is the maximum number of occurrences of the local AS number permitted in the AS-PATH attribute; the default is three. This limit acts as a count-to-infinity loop-avoidance mechanism, analogous to the hop-count limit in distance-vector protocols.

When using this feature, be cautious with prefix aggregation to avoid routing loops: either only one “partition” or border peer performs summarization, or summarization is avoided altogether. Otherwise the upstream ASs cannot determine the correct entry point into the partitioned AS. Using allowas-in is not encouraged and should be treated as a last resort. The feature can be used safely in a Layer 3 MPLS VPN environment by sites that connect to the same service provider and have no backdoor link between them: the sites can all use the same AS and configure neighbor allowas-in toward their provider edge router. If the Layer 3 MPLS VPN customer sites have routers that do not support allowas-in, the service provider can use the “neighbor {IPAddress} as-override” command instead.

“as-override” peer option:

ASN65001:R1 <---> R2:ASN65002:R3 <---> R4:ASN65001

In this typical MPLS network, the customer’s private AS is split into two sites separated by the provider backbone. For R1 to reach a device behind R4, the route would carry the path AS65002 -> AS65001, but when R4 sees its own AS number in the path it rejects the update and discards it. That is exactly what standard BGP loop prevention requires, so out of the box the route never makes it through.

If you are having problems and suspect this is the cause, run a debug (always be careful with debugs in a live production environment). The command to use is “debug ip bgp all updates”. If the AS-path check is the reason a route is not appearing, the message “DENIED due to:AS-PATH includes our own AS” will be logged. The fix is an extra neighbor statement on the provider edge routers, R2 and R3 in our example: “neighbor X.X.X.X as-override”. The session will flap and reset, but from then on the provider router replaces the customer’s AS number with its own for that hop in the path. Instead of 65002 -> 65001 we see the path 65002 -> 65002, and the route appears in our routing table as well. If it still does not, double-check the AS numbers for matches between customer edge devices.
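As an added example (not from the original post), this Python model covers the three remaining options described above: the loop-prevention check with allowas-in, remove-private-as on an outbound update, and as-override replayed on the R1 <---> R2:R3 <---> R4 topology. Function names are my own; the behaviour follows the text.

```python
from __future__ import annotations

PRIVATE_AS = range(64512, 65536)   # private 16-bit ASN range given in the text


def accept_update(my_as: int, path: list[int], allowas_in: int = 0) -> bool:
    """Standard BGP rejects a path containing our own ASN (allowas_in=0).
    'neighbor X allowas-in {count}' tolerates up to count occurrences
    (the IOS default count is 3, per the text)."""
    return path.count(my_as) <= allowas_in


def send_ebgp(my_as: int, path: list[int], override_as: int | None = None,
              remove_private: bool = False) -> list[int]:
    """AS_PATH as an eBGP neighbor receives it from us.
    as-override: every occurrence of the customer ASN becomes our own ASN.
    remove-private-as: strip the leading run of private ASNs; if the path does
    not start with private ASNs it is left unchanged, as the text describes.
    In all cases our own ASN is prepended afterwards."""
    path = list(path)
    if override_as is not None:
        path = [my_as if asn == override_as else asn for asn in path]
    if remove_private:
        while path and path[0] in PRIVATE_AS:
            path.pop(0)
    return [my_as] + path


def mpls_scenario(use_override: bool) -> tuple[list[int], bool]:
    """R1 (AS65001) -> PE R2/R3 (AS65002) -> R4 (AS65001): returns the path
    R4 receives and whether R4's loop check accepts it."""
    pe_as, cust_as = 65002, 65001
    at_pe = send_ebgp(cust_as, [])                 # R1 -> R2 carries [65001]
    to_r4 = send_ebgp(pe_as, at_pe,
                      override_as=cust_as if use_override else None)
    return to_r4, accept_update(cust_as, to_r4)


if __name__ == "__main__":
    print(mpls_scenario(False))   # ([65002, 65001], False): DENIED at R4
    print(mpls_scenario(True))    # ([65002, 65002], True): accepted at R4
```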

NOTES:

  • Other iBGP peers discard the network prefixes as part of routing-loop detection when the alternate ASN is prepended on receipt of the routes.
  • The optional keyword no-prepend prevents the alternate ASN from being prepended to routes received from the neighbor.
  • The optional keywords no-prepend replace-as prevent the router’s real ASN from being prepended while transmitting routes, so only the alternate ASN appears.
  • When both no-prepend replace-as keywords are applied, all routers see the BGP advertisements as if the router were running the alternate ASN in its BGP process.
  • The remote BGP router peers with either the ASN in the router process statement or the alternate ASN from the local-as configuration. The local-as commands should be removed once the remote peer has changed the remote-as value in its BGP configuration. If maintenance windows cannot be coordinated, the no-prepend replace-as dual-as optional keywords allow the remote peer to use either ASN for the BGP session.