BGP Remove-Private ASN
This chapter describes BGP Remove-Private ASN.
Applicability
The information and configuration in this chapter are based on SR OS Release 22.10.R2.
Overview
In some networks, the network operator may need to assign a private Autonomous System Number (ASN) to the BGP speakers in a region or domain. These private ASNs are taken from the following ranges defined by IANA:
64512 to 65534 inclusive, for 2-octet ASNs
4200000000 to 4294967294 inclusive, for 4-octet ASNs
In SR OS, the ASN numbers 65535 and 4294967295, which are reserved values, are also treated as private ASNs.
The remove-private command is required when routes originated by a BGP speaker with a private ASN need to be advertised into a public domain, such as the Internet, where private ASNs may not be unique. The functionality of the remove-private command in SR OS is as follows:
When the remove-private command is configured for neighbor X, the stripping of private ASNs applies only to outbound routes advertised to neighbor X.
The remove-private command supports the following three options, which can be configured standalone or combined:
The limited option causes BGP to remove only the private ASNs until the first public ASN.
The skip-peer-as option causes BGP to not remove a private ASN from the AS path attribute if that ASN is the same as the BGP peer ASN.
The replace option replaces the private ASN with the ASN of the router, as configured in:
local-as, if the router advertises routes to a peer covered by such a command and the local-as is not configured as private
configure router autonomous-system if there is no applicable local-as configuration in BGP and the router is not part of a confederation
configure router bgp confederation if the router advertises routes to an eBGP peer outside the confederation
Using the remove-private command without the replace option can make the AS path attribute shorter. A shorter AS path makes the route more preferred in the BGP decision process, which may not be the wanted outcome.
When as-override is enabled in the same session as remove-private, processing related to remove-private occurs first, followed by the processing related to as-override.
Configuration
Use case 1: Initial example topology
The figure "Use case 1 topology" shows the initial example topology with six nodes in different ASs: CE-3 and CE-6 have a private ASN, whereas PE-1, PE-2, PE-4, and PE-5 have a public ASN.
The initial configuration on the nodes includes:
Cards, MDAs, ports
Router interfaces
eBGP between adjacent nodes for the IPv4 address family
The initial BGP configuration on PE-2 is as follows:
# on PE-2:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.23.2
                    peer-as 64512
                exit
                neighbor 192.168.12.1
                    peer-as 64496
                exit
            exit
            no shutdown
        exit
CE-6 exports prefix 10.0.0.0/16. The configuration is as follows:
# on CE-6:
configure
    router Base
        interface "int-CE-6-PE-5"
            address 172.16.56.2/30
            port 1/1/c1/2:100
            no shutdown
        exit
        interface "lo1"
            address 10.0.0.1/16
            loopback
            no shutdown
        exit
        interface "system"
            address 172.31.2.6/32
            no shutdown
        exit
        autonomous-system 64513
        policy-options
            begin
            prefix-list "10.0.0.0/16"
                prefix 10.0.0.0/16 longer
            exit
            policy-statement "export-prefix"
                entry 10
                    from
                        prefix-list "10.0.0.0/16"
                    exit
                    action accept
                    exit
                exit
            exit
            commit
        exit
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.56.1
                    export "export-prefix"
                    peer-as 64499
                exit
            exit
            no shutdown
        exit
PE-2 receives the following BGP route for prefix 10.0.0.0/16 with public and private ASNs in the AS path: 64512 (private ASN of CE-3) – 64498 (public ASN of PE-4) – 64499 (public ASN of PE-5) – 64513 (private ASN of CE-6).
*A:PE-2# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:192.0.2.2 AS:64497 Local AS:64497
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.0.0.0/16 None None
172.16.23.2 None 0
64512 64498 64499 64513 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
PE-2 adds its own public ASN (64497) to the AS path when it sends the BGP route to its neighbor PE-1. The following BGP route is received by PE-1:
*A:PE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.0.0.0/16 None None
192.168.12.2 None 0
64497 64512 64498 64499 64513 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The figure "PE-2 adds its ASN and keeps all ASNs in the AS path (default)" shows the BGP routes for prefix 10.0.0.0/16 received by PE-2 and PE-1.
In the following examples, different remove-private ASN configurations are demonstrated: first without replace and afterward with replace.
remove-private ASN without any extra option (= default setting)
remove-private ASN with limited option
remove-private ASN with skip-peer-as option
Remove all private ASNs
On PE-2, the remove-private command is configured for neighbor 192.168.12.1, as follows:
# on PE-2:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.23.2
                    peer-as 64512
                exit
                neighbor 192.168.12.1
                    remove-private
                    peer-as 64496
                exit
            exit
            no shutdown
        exit
PE-2 removes all private ASNs (64512 from CE-3 and 64513 from CE-6) from the AS path, which makes the AS path shorter. PE-1 receives the following BGP route for prefix 10.0.0.0/16:
*A:PE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.0.0.0/16 None None
192.168.12.2 None 0
64497 64498 64499 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The figure "PE-2 adds its own ASN and removes all private ASNs" shows the AS path of the BGP routes for prefix 10.0.0.0/16 received by PE-2 and PE-1.
Replace all private ASNs
On PE-2, the remove-private command is configured with the replace option for neighbor 192.168.12.1, as follows:
# on PE-2:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.23.2
                    peer-as 64512
                exit
                neighbor 192.168.12.1
                    remove-private replace
                    peer-as 64496
                exit
            exit
            no shutdown
        exit
PE-2 adds its ASN 64497 and replaces the private ASNs 64512 and 64513 with its own public ASN 64497, so ASN 64497 occurs three times in the AS path, as follows:
*A:PE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.0.0.0/16 None None
192.168.12.2 None 0
64497 64497 64498 64499 64497 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The figure "PE-2 adds its own ASN and replaces all private ASNs with its own ASN" shows the BGP routes for prefix 10.0.0.0/16 received by PE-2 and PE-1.
Use case 2: Local private ASN in PE-2
The figure "Use case 2 topology" shows the example topology that is modified with local private ASN 64514 configured on PE-2 for the neighbor 172.16.23.2. On CE-3, the peering with neighbor 172.16.23.1 is configured with private ASN 64514.
Initially (without remove-private command), the private ASN is kept. The BGP configuration on PE-2 is as follows:
# on PE-2:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.23.2
                    local-as 64514
                    peer-as 64512
                exit
                neighbor 192.168.12.1
                    no remove-private
                    peer-as 64496
                exit
            exit
            no shutdown
        exit
The BGP configuration on CE-3 is modified as follows:
# on CE-3:
configure
    router Base
        bgp
            group "eBGP"
                neighbor 172.16.23.1
                    peer-as 64514
                exit
            exit
On PE-2, the received BGP route for prefix 10.0.0.0/16 is the same as before. With the preceding BGP configuration, PE-2 adds two ASNs: private ASN 64514 and public ASN 64497. PE-1 receives the following BGP route for prefix 10.0.0.0/16:
*A:PE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.0.0.0/16 None None
192.168.12.2 None 0
64497 64514 64512 64498 64499 64513 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The figure "PE-2 adds its own private ASN and its public ASN (default)" shows the AS path of the BGP routes received by PE-2 and PE-1.
When the local ASN is explicitly configured as private, the local ASN is not added to the AS path attribute. The local-as configuration on PE-2 is modified with the private option, as follows:
# on PE-2:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.23.2
                    local-as 64514 private
                    peer-as 64512
                exit
                neighbor 192.168.12.1
                    peer-as 64496
                exit
            exit
            no shutdown
        exit
PE-1 receives the BGP route for prefix 10.0.0.0/16 with an AS path that does not include the private ASN 64514 anymore, as follows:
*A:PE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.0.0.0/16 None None
192.168.12.2 None 0
64497 64512 64498 64499 64513 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The figure "PE-2 adds only its own public ASN when local ASN is configured as private" shows the AS paths in the BGP routes received by PE-2 and PE-1.
Remove private ASNs until the first public ASN
On PE-2, the remove-private command is configured with the limited option, as follows:
# on PE-2:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.23.2
                    local-as 64514 private
                    peer-as 64512
                exit
                neighbor 192.168.12.1
                    remove-private limited
                    peer-as 64496
                exit
            exit
            no shutdown
        exit
The first ASN in the AS path is private (64512) and is removed by PE-2. The next ASN in the AS path is public (64498), so the rest of the AS path is preserved. PE-1 receives the following BGP route for prefix 10.0.0.0/16:
*A:PE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.0.0.0/16 None None
192.168.12.2 None 0
64497 64498 64499 64513 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The figure "PE-2 removes the private ASNs until the first public ASN" shows the BGP routes received by PE-2 and PE-1.
Replace private ASNs until the first public ASN
On PE-2, the replace option is added to the remove-private settings:
# on PE-2:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.23.2
                    local-as 64514 private
                    peer-as 64512
                exit
                neighbor 192.168.12.1
                    remove-private limited replace
                    peer-as 64496
                exit
            exit
            no shutdown
        exit
Instead of removing the private ASN 64512, PE-2 replaces it with its own public ASN 64497, so PE-1 receives the following BGP route for prefix 10.0.0.0/16:
*A:PE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:192.0.2.1 AS:64496 Local AS:64496
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.0.0.0/16 None None
192.168.12.2 None 0
64497 64497 64498 64499 64513 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
This route is shown in the figure "PE-2 replaces the private ASNs until the first public ASN".
Use case 3: CE-1 and CE-6 in the same private AS
The figure "Use case 3 topology with private ASN 64513 on CE-1 and CE-6" shows the use case 3 topology, where PE-1 is replaced by CE-1 with a private ASN 64513, equal to the private ASN of CE-6.
On PE-2, the peer ASN for neighbor 172.16.12.1 is 64513. Initially, no private ASNs are removed. The BGP configuration is as follows:
# on PE-2:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.12.1
                    peer-as 64513
                exit
                neighbor 172.16.23.2
                    local-as 64514 private
                    peer-as 64512
                exit
            exit
            no shutdown
        exit
On CE-1, the received route for prefix 10.0.0.0/16 is invalid, because CE-1 detects its own ASN in the AS path attribute, which is considered an AS loop:
*A:CE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:172.31.2.1 AS:64513 Local AS:64513
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
i 10.0.0.0/16 None None
172.16.12.2 None 0
64497 64512 64498 64499 64513 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
*A:CE-1# show router bgp routes 10.0.0.0/16 detail | match Flags
Flags : Invalid IGP AS-Loop # Original Attributes
Flags : Invalid IGP AS-Loop # Modified Attributes
The figure "PE-2 adds its public ASN to the AS path" shows the BGP routes received by PE-2 and CE-1.
Remove private ASNs except peer AS 64513
On PE-2, the remove-private command is configured with the skip-peer-as option, as follows:
# on PE-2:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.12.1
                    remove-private skip-peer-as
                    peer-as 64513
                exit
                neighbor 172.16.23.2
                    local-as 64514 private
                    peer-as 64512
                exit
            exit
            no shutdown
        exit
On PE-2, for neighbor 172.16.12.1, the peer ASN is 64513, so this private ASN is not removed; only private ASN 64512 (from CE-3) is removed. As a result, CE-1 receives the following BGP route:
*A:CE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:172.31.2.1 AS:64513 Local AS:64513
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
i 10.0.0.0/16 None None
172.16.12.2 None 0
64497 64498 64499 64513 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
Again, this route is invalid because of the AS loop, as indicated by the flags:
*A:CE-1# show router bgp routes 10.0.0.0/16 detail | match Flags
Flags : Invalid IGP AS-Loop # Original Attributes
Flags : Invalid IGP AS-Loop # Modified Attributes
The figure "PE-2 removes the private ASNs except peer ASN 64513" shows the BGP routes received by PE-2 and CE-1.
Replace private ASNs except peer AS 64513
On PE-2, the remove-private command is modified with the replace option, as follows:
# on PE-2:
configure
    router Base
        bgp
            split-horizon
            group "eBGP"
                family ipv4
                neighbor 172.16.12.1
                    remove-private skip-peer-as replace
                    peer-as 64513
                exit
                neighbor 172.16.23.2
                    local-as 64514 private
                    peer-as 64512
                exit
            exit
            no shutdown
        exit
The following BGP route for prefix 10.0.0.0/16 is received on CE-1. PE-2 has replaced the private ASN 64512 in the AS path with its own public ASN 64497, while the private ASN 64513 is preserved.
*A:CE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:172.31.2.1 AS:64513 Local AS:64513
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
i 10.0.0.0/16 None None
172.16.12.2 None 0
64497 64497 64498 64499 64513 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
Again, the route is invalid because of the AS loop, as indicated by the flags:
*A:CE-1# show router bgp routes 10.0.0.0/16 detail | match Flags
Flags : Invalid IGP AS-Loop # Original Attributes
Flags : Invalid IGP AS-Loop # Modified Attributes
The figure "PE-2 replaces the private ASNs except peer ASN 64513" shows the received BGP routes on PE-2 and CE-1.
Loop-detect threshold N
If the received AS path contains the local ASN of the router, the route is considered a loop if the number of occurrences is greater than the configured value N. By default, the loop-detect threshold in BGP is zero, meaning that any route with at least one occurrence of the local ASN is considered a loop and therefore invalid. The loop-detect threshold can be configured in the general bgp context, the bgp group context, or the bgp neighbor context.
On CE-1 and CE-6, the loop-detect threshold is configured with the value of 1 for group "eBGP", as follows:
# on CE-1 and CE-6:
configure
    router Base
        bgp
            group "eBGP"
                loop-detect-threshold 1
            exit
Loop-detect thresholds are only applicable for newly learned prefixes. Existing loop states remain unchanged.
After the BGP session with peer PE-2 has been bounced (disabled and re-enabled), the prefix is learned again. The route is valid, because the local ASN only occurs once in the AS path attribute, so the loop-detect threshold is not violated on CE-1.
# Bounce BGP group "eBGP" on CE-1 and CE-6:
configure
    router
        bgp
            group "eBGP"
                shutdown
                sleep 3
                no shutdown
            exit
*A:CE-1# show router bgp routes 10.0.0.0/16
===============================================================================
BGP Router ID:172.31.2.1 AS:64513 Local AS:64513
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop (Router) Path-Id IGP Cost
As-Path Label
-------------------------------------------------------------------------------
u*>i 10.0.0.0/16 None None
172.16.12.2 None 0
64497 64497 64498 64499 64513 -
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The loop-detect threshold is not reflected in the show commands.
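The following Python model is an added example, not SR OS code or part of the original chapter. It reproduces the remove-private option behavior from the Overview and the loop-detect threshold check described above, so that the AS path a peer will receive, and any private ASNs still visible in it, can be checked before a configuration change. The function names and the single own_as parameter (standing for whichever router ASN applies to the replace option) are assumptions made for this example.

```python
# Added example: a model of the behavior described on this page, not SR OS code.
# Private ranges from the page, widened to include the reserved values
# 65535 and 4294967295 that SR OS also treats as private.
PRIVATE_RANGES = ((64512, 65535), (4200000000, 4294967295))


def is_private(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)


def advertise(as_path, own_as, peer_as, remove_private=False,
              limited=False, skip_peer_as=False, replace=False):
    """AS path the eBGP peer receives after remove-private and prepending."""
    out = []
    stripping = remove_private
    for asn in as_path:
        if stripping and limited and not is_private(asn):
            stripping = False          # limited: stop at the first public ASN
        if not stripping or not is_private(asn):
            out.append(asn)            # public ASN, or stripping not active
        elif skip_peer_as and asn == peer_as:
            # Kept as is. Assumption: with limited also set, scanning
            # continues past it (the page shows no such combination).
            out.append(asn)
        elif replace:
            out.append(own_as)         # own_as is an assumed parameter
        # otherwise the private ASN is dropped and the path gets shorter
    return [own_as] + out              # the router prepends its own ASN


def private_asns(as_path):
    """Private ASNs still visible to the peer, for a pre-deployment check."""
    return [asn for asn in as_path if is_private(asn)]


def is_as_loop(as_path, local_as, threshold=0):
    """Loop if the local ASN occurs more often than loop-detect-threshold N."""
    return as_path.count(local_as) > threshold


# AS path PE-2 receives from CE-3 in the show output on this page.
RECEIVED = [64512, 64498, 64499, 64513]
PE2, PE1, CE1 = 64497, 64496, 64513

if __name__ == "__main__":
    cases = {
        "no remove-private": dict(peer_as=PE1),
        "remove-private": dict(peer_as=PE1, remove_private=True),
        "remove-private replace": dict(peer_as=PE1, remove_private=True,
                                       replace=True),
        "remove-private limited": dict(peer_as=PE1, remove_private=True,
                                       limited=True),
        "remove-private skip-peer-as replace": dict(
            peer_as=CE1, remove_private=True, skip_peer_as=True, replace=True),
    }
    for name, options in cases.items():
        path = advertise(RECEIVED, PE2, **options)
        print(f"{name:38} {path}  private left: {private_asns(path)}")
    ce1_path = advertise(RECEIVED, PE2, CE1, remove_private=True,
                         skip_peer_as=True, replace=True)
    for n in (0, 1):
        print(f"CE-1 loop-detect-threshold {n}: loop={is_as_loop(ce1_path, CE1, n)}")
```

The run shows that the limited option still exposes the trailing private ASN 64513 to the public peer PE-1, and that only the variants with replace keep the AS path at its original length.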
Conclusion
Network operators may assign private ASNs to the BGP speakers in a region or domain. These private ASNs may not be unique when advertised into a public domain. In such cases, the remove-private command can either remove one or more private ASNs or replace the private ASNs with the public ASN of the router.