BGP LAB #2: Removing Private Autonomous System Numbers

In the topology below you can see that R3’s BGP process is running in AS 65000. AS numbers 64511 through 65535 are private and should not be leaked into the global BGP table, because they are not globally unique.

Private AS numbers are usually used by a company that has a single ISP, reached over one or more connections. This is called a single-homed connection.

In this update I will look into which methods are available to make sure the private AS numbers are removed from the AS path before the routes are propagated to a BGP peer.

Topology

R3 represents our client-side office, with R2 being its ISP. R1, in turn, represents a network somewhere else on the internet.

Initial Configuration

R1
==

R1#sh run int se 0/0
Building configuration…

Current configuration : 84 bytes
!
interface Serial0/0
ip address 10.0.0.1 255.255.255.252
clock rate 2000000
end

R1#sh run int lo 1
Building configuration…

Current configuration : 61 bytes
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
end

R1#sh run | sec bgp
router bgp 100
no synchronization
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
neighbor 10.0.0.2 remote-as 200
no auto-summary

R2
==

R2#sh run int se 0/0
Building configuration…

Current configuration : 84 bytes
!
interface Serial0/0
ip address 10.0.0.2 255.255.255.252
clock rate 2000000
end

R2#sh run int se 0/1
Building configuration…

Current configuration : 84 bytes
!
interface Serial0/1
ip address 20.0.0.2 255.255.255.252
clock rate 2000000
end

R2#sh run int lo 1
Building configuration…

Current configuration : 61 bytes
!
interface Loopback1
ip address 2.2.2.2 255.255.255.0
end

R2#sh run | sec bgp
router bgp 200
no synchronization
bgp log-neighbor-changes
network 2.2.2.0 mask 255.255.255.0
neighbor 10.0.0.1 remote-as 100
neighbor 20.0.0.1 remote-as 65000
no auto-summary

R3
==

R3#sh run int se 0/1
Building configuration…

Current configuration : 84 bytes
!
interface Serial0/1
ip address 20.0.0.1 255.255.255.252
clock rate 2000000
end

R3#sh run int lo 1
Building configuration…

Current configuration : 61 bytes
!
interface Loopback1
ip address 3.3.3.3 255.255.255.0
end

R3#sh run | sec bgp
router bgp 65000
no synchronization
bgp log-neighbor-changes
network 3.3.3.0 mask 255.255.255.0
neighbor 20.0.0.2 remote-as 200
no auto-summary

Looking at the AS paths on R1, we can see that AS 65000 is included. This means that our private AS number is being leaked into the internet, which could have some bad results!

By doing some research, you can find that Cisco routers have a feature which allows you to remove private AS numbers from outbound advertisements.

This is done by adding the keyword “remove-private-as” to the BGP neighbor statement for the peer that should NOT receive the private AS.

Let’s go on our ISP router, R2, and configure this to see the results.

R2(config)#router bgp 200
R2(config-router)#neighbor 10.0.0.1 remove-private-as

Let’s take another look at the paths on R1 after running “clear ip bgp *” on R2.

We can now see that the private AS is no longer showing up.

What happened is that R2 stripped the private AS number from the path before advertising the route to R1, and prepended its own AS as on any eBGP advertisement. You can see that for R3’s loopback network, the only AS in the path is now AS 200.

On R2 itself the path information is unchanged, since remove-private-as only alters what R2 advertises to R1, and R1 is still able to ping R3.
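As an added check that is not part of the original lab: the script below parses a constructed `show ip bgp` table in the column layout R1 prints, flags any entry whose AS path still carries a private ASN (using the RFC 6996 private ranges), and models what R2's `remove-private-as` does to the outbound path, including the documented IOS rule that the classic form only strips a path made up entirely of private ASNs. All function and variable names are my own.

```python
import re

# Private ASN blocks per RFC 6996: 64512-65534 and 4200000000-4294967294.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Constructed (not captured) to mimic R1's table before R2 strips AS 65000,
# laid out in IOS's columns; the parser locates the Path column from the header.
SAMPLE_R1_BEFORE = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.0/24       0.0.0.0                  0         32768 i
 *>  2.2.2.0/24       10.0.0.2                 0             0 200 i
 *>  3.3.3.0/24       10.0.0.2                               0 200 65000 i
"""

def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)

def parse_show_ip_bgp(text: str) -> dict:
    """Map each prefix in `show ip bgp` output to its AS path (list of ints)."""
    lines = text.splitlines()
    header = next(l for l in lines if "Network" in l and "Path" in l)
    path_col = header.index("Path")   # Weight is right-aligned just before it
    table = {}
    for line in lines:
        m = re.match(r"^\D*(\d+\.\d+\.\d+\.\d+/\d+)", line)   # status + prefix
        if m:
            fields = line[path_col:].split()      # e.g. ['200', '65000', 'i']
            table[m.group(1)] = [int(a) for a in fields[:-1]]  # drop origin code
    return table

def find_private_as_leaks(table: dict) -> dict:
    """Entries whose AS path still carries a private ASN (R1 should see none)."""
    return {p: path for p, path in table.items() if any(map(is_private_asn, path))}

def remove_private_as(path: list, all_private: bool = False) -> list:
    """Model IOS `neighbor X remove-private-as [all]` on an outbound AS path.
    Classic form strips private ASNs only when the path is entirely private;
    a mixed public/private path is sent unchanged. `all` strips every one."""
    if all_private:
        return [a for a in path if not is_private_asn(a)]
    if path and all(is_private_asn(a) for a in path):
        return []
    return list(path)

def ebgp_advertise(path: list, local_as: int, strip_private: bool = False,
                   all_private: bool = False) -> list:
    """Path as the eBGP peer gets it: optional strip, then the usual local-AS prepend."""
    out = remove_private_as(path, all_private) if strip_private else list(path)
    return [local_as] + out
```

`ebgp_advertise([65000], 200, strip_private=True)` returns `[200]`: R2 strips 65000 and then prepends its own AS as on any eBGP advertisement, which is why R1 now sees only AS 200. Without the strip the same call returns `[200, 65000]`, the leak the lab started with.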

So that is it. We have successfully stopped the private AS number from leaking into the ‘internet’.
