You want to prevent your internal private ASNs from reaching the public Internet.
When using unregistered ASNs, you have to be careful that they don't propagate into the public Internet.
In this example, the router has a BGP connection to an ISP, which uses ASN 1. Our router uses ASN 2, and connects to another router with an unregistered ASN, 65500:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface Serial0
Router1(config-if)#description connection to ISP #1, ASN 1
Router1(config-if)#ip address 192.168.1.6 255.255.255.252
Router1(config-if)#exit
Router1(config)#interface Serial1
Router1(config-if)#description connection to private network, ASN 65500
Router1(config-if)#ip address 192.168.5.1 255.255.255.252
Router1(config-if)#exit
Router1(config)#router bgp 2
Router1(config-router)#neighbor 192.168.5.2 remote-as 65500
Router1(config-router)#neighbor 192.168.1.5 remote-as 1
Router1(config-router)#neighbor 192.168.1.5 remove-private-AS
Router1(config-router)#no synchronization
Router1(config-router)#end
Router1#
An unregistered ASN is a little bit like an unregistered IP address in that anybody can use it. So, if your routing prefixes have an unregistered ASN, and this information is eventually passed to another router that happens to be using the same unregistered ASN somewhere else in the Internet, that router will assume that there is a routing loop, and drop your routes.
Having said this, if you look on an Internet backbone router at any given moment, there is a reasonably good chance of seeing several unregistered ASNs being propagated. This is a dangerous situation, because the misbehaving networks could well be working perfectly today. But tomorrow, somebody else could start using the same unregistered ASN. Every route from the first network will look like a loop when received by the second network. Two ASes will not be able to communicate if they both use the same ASN.
All of the work in this example is done by the simple remove-private-AS command. Here is what the BGP route table looks like on this router:
Router1#show ip bgp
BGP table version is 6, local router ID is 192.168.55.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0         172.20.1.2               0             0 1 i
*> 172.21.0.0       172.25.1.7               0             0 65500 i
*> 172.25.1.0/24    172.25.1.7               0             0 65500 i
Router1#
As you can see, we are receiving information about network 10.0.0.0 from the ISP router in AS 1, and 172.21.0.0 from the router with ASN 65500. Looking at the routes on the ISP router before turning on the remove-private-AS feature, you can see that this private ASN is propagating into the Internet, which is not allowed:
Router3#show ip bgp
BGP table version is 8, local router ID is 172.20.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0         0.0.0.0                  0         32768 i
*> 172.21.0.0       172.20.1.1                             0 2 65500 i
*> 172.25.1.0/24    172.20.1.1                             0 2 65500 i
Router3#
But after using the remove-private-AS command, all of the private ASNs are removed:
Router3#show ip bgp
BGP table version is 8, local router ID is 172.20.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0         0.0.0.0                  0         32768 i
*> 172.21.0.0       172.20.1.1                             0 2 i
*> 172.25.1.0/24    172.20.1.1                             0 2 i
Router3#
Be careful with this feature, though, because it can't remove private ASNs from the middle of an AS path. If your topology has a public ASN behind a private one, it isn't safe to remove the private ASN, because doing so could cause routing loops. So the remove-private-AS feature gives up completely and passes on the entire path for any route that has a public ASN after a private ASN.
If this is the case, your only recourse is to suppress the route with the illegal path. Then, as long as you advertise a prefix that covers this route, everything will still work.
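The following is an added example, not Cisco IOS code: a small Python model of the remove-private-AS rule described above (strip the private ASNs only when the whole received path is private, otherwise pass the path on intact and prepend our own ASN), plus an audit routine that flags prefixes in a received table whose path still carries a private ASN. The ROUTER3_BEFORE table is constructed from the Router3 output shown earlier; the private ASN ranges are the IANA-reserved 16-bit and 32-bit blocks.

```python
# Added model of the remove-private-AS behaviour this recipe describes; it is
# not Cisco IOS code. AS paths are ordered as in "show ip bgp": leftmost ASN
# is the most recently traversed AS, rightmost is the origin.

# Private ASN ranges reserved by IANA (16-bit and 32-bit).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn):
    """True if asn falls in a reserved private range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def remove_private_as(received_path, local_as):
    """AS_PATH advertised to an eBGP neighbor configured with remove-private-AS.

    Private ASNs are stripped only when every ASN in the received path is
    private. Once a public ASN sits behind a private one, stripping could hide
    a real AS and create a loop, so the whole path is passed on unchanged.
    The local ASN is then prepended, as on any eBGP advertisement.
    """
    if all(is_private_asn(a) for a in received_path):
        outbound = []
    else:
        outbound = list(received_path)  # mixed or all-public path: keep intact
    return [local_as] + outbound


def leaked_private_asns(routes):
    """Audit a received table: prefixes whose path still carries a private ASN,
    mapped to the offending ASNs. routes is a list of (prefix, as_path)."""
    leaked = {}
    for prefix, path in routes:
        offenders = [a for a in path if is_private_asn(a)]
        if offenders:
            leaked[prefix] = offenders
    return leaked


# Constructed sample: Router3's table before Router1 enabled remove-private-AS.
ROUTER3_BEFORE = [
    ("10.0.0.0", []),
    ("172.21.0.0", [2, 65500]),
    ("172.25.1.0/24", [2, 65500]),
]

if __name__ == "__main__":
    print(remove_private_as([65500], 2))     # [2]: all-private path stripped
    print(remove_private_as([65500, 3], 2))  # [2, 65500, 3]: public behind private
    print(leaked_private_asns(ROUTER3_BEFORE))
```

Running the audit against the "before" table reports both 172.21.0.0 and 172.25.1.0/24 as carrying ASN 65500; against the "after" table it reports nothing.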