01-05-2012 05:41 AM - edited 03-01-2019 04:45 PM
Loop prevention in BGP is done by checking the AS numbers in the AS Path. If the receiving router sees its own AS number in the AS Path of a received BGP update, the update is dropped. The receiving router assumes that the update originated in its own AS and has come back to the place where it started.
The feature can be a disaster if a customer uses the same AS number at several sites, because it prevents customer sites with identical AS numbers from being linked through another AS. In such a scenario, routing updates from one site are dropped when the other site receives them.
To override this behaviour, the AS-Override function replaces the AS number of the originating router with the AS number of the sending BGP router. The command is neighbor ip-address as-override and can only be executed under the VPNv4 address-family.
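The loop check and the rewrite described above, modelled as an added example (not IOS code and not part of the original post). The AS numbers are those of the lab on this page (customer AS 100, provider AS 121); the last case uses the AS15---AS16---AS17 chain from a reader comment further down, and the function names are hypothetical.

```python
# Added illustration: a minimal model of eBGP AS_PATH handling, not IOS code.
# Function names are hypothetical; AS numbers come from the lab on this page.

def accepts(local_as, as_path):
    """Receiver-side loop check: reject a path that already contains our AS."""
    return local_as not in as_path

def advertise(local_as, neighbor_as, as_path, as_override=False):
    """Build the AS_PATH an eBGP speaker sends to a neighbor.

    With as_override, every occurrence of the neighbor's AS is replaced by
    the sender's AS; the sender then prepends its own AS as usual.
    """
    if as_override:
        as_path = [local_as if asn == neighbor_as else asn for asn in as_path]
    return [local_as] + as_path

def deliver(provider_as, origin_as, dest_as, as_override):
    """Carry a route from the origin site across the provider to the dest site.

    The iBGP hop between the two PE routers leaves the AS_PATH unchanged,
    so only the two eBGP hops are modelled.
    Returns (as_path_seen_by_dest, accepted_by_dest).
    """
    path_at_pe = advertise(origin_as, provider_as, [])   # CE -> PE
    path_at_ce = advertise(provider_as, dest_as, path_at_pe, as_override)
    return path_at_ce, accepts(dest_as, path_at_ce)

if __name__ == "__main__":
    cases = [
        ("same AS, no override", 121, 100, 100, False),
        ("same AS, as-override", 121, 100, 100, True),
        ("different AS, as-override", 16, 15, 17, True),
    ]
    for label, provider, origin, dest, override in cases:
        path, ok = deliver(provider, origin, dest, override)
        print(f"{label:28} AS_PATH={path} accepted={ok}")
```

The second case is accepted only because the receiving site can no longer see its own AS in the path, so AS Path loop detection no longer protects that site for routes learned through this neighbor.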
Here are the steps to illustrate the AS-Override process:
In this topology, routers PE-1 and PE-2 form the Service Provider MPLS cloud. The two routers are connected via their Fast Ethernet 0/0 interfaces and run the OSPF (Area 0) routing protocol. MPLS is configured on the physical links (Fast Ethernet 0/0) of the SP network. Tagging is done via LDP, and the labels are assigned in the range 100-199 on PE1 and 200-299 on PE2.
TAURUS and CINDY are the two customers with multiple sites (Site-A and Site-B). Customer TAURUS is operating under AS 100 and customer CINDY is operating under AS 200.
A VPNv4 neighbor relationship is configured between PE-1 and PE-2 (vrf TAURUS and vrf CINDY).
Routes from each site are advertised to the PE routers over an eBGP session. These routes are then propagated to the other PE router, which forwards them to the respective customer site.
Note: All configurations are tested on Cisco 3700 series router with IOS 12.4.
PE-1

hostname PE-1
ip cef
ip vrf CINDY
 rd 1:200
 route-target export 1:200
 route-target import 1:200
ip vrf TAURUS
 rd 1:100
 route-target export 1:100
 route-target import 1:100
no ip domain lookup
mpls label range 100 199
mpls label protocol ldp
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
 ip address 10.12.12.1 255.255.255.0
 duplex auto
 speed auto
 mpls ip
interface Serial0/0
 ip vrf forwarding TAURUS
 ip address 192.13.13.1 255.255.255.252
 clock rate 2000000
interface Serial0/1
 ip vrf forwarding CINDY
 ip address 192.14.14.1 255.255.255.252
 clock rate 2000000
router ospf 10
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.12.12.1 0.0.0.0 area 0
router bgp 121
 no synchronization
 bgp log-neighbor-changes
 network 11.11.11.11 mask 255.255.255.255
 neighbor 2.2.2.2 remote-as 121
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 next-hop-self
 no auto-summary
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
 exit-address-family
 address-family ipv4 vrf TAURUS
  redistribute connected
  neighbor 192.13.13.2 remote-as 100
  neighbor 192.13.13.2 activate
  neighbor 192.13.13.2 as-override
  no synchronization
 exit-address-family
 address-family ipv4 vrf CINDY
  redistribute connected
  neighbor 192.14.14.2 remote-as 200
  neighbor 192.14.14.2 activate
  neighbor 192.14.14.2 as-override
  no synchronization
 exit-address-family
mpls ldp router-id Loopback0
exit

PE-2

hostname PE-2
ip cef
ip vrf CINDY
 rd 1:200
 route-target export 1:200
 route-target import 1:200
ip vrf TAURUS
 rd 1:100
 route-target export 1:100
 route-target import 1:100
no ip domain lookup
mpls label range 200 299
mpls label protocol ldp
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Loopback1
 ip address 22.22.22.22 255.255.255.255
interface FastEthernet0/0
 ip address 10.12.12.2 255.255.255.0
 duplex auto
 speed auto
 mpls ip
interface Serial0/0
 ip vrf forwarding TAURUS
 ip address 192.23.23.1 255.255.255.252
 clock rate 2000000
interface Serial0/1
 ip vrf forwarding CINDY
 ip address 192.26.26.1 255.255.255.252
 clock rate 2000000
router ospf 10
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.12.12.2 0.0.0.0 area 0
router bgp 121
 no synchronization
 bgp log-neighbor-changes
 network 22.22.22.22 mask 255.255.255.255
 neighbor 1.1.1.1 remote-as 121
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 1.1.1.1 next-hop-self
 no auto-summary
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
 exit-address-family
 address-family ipv4 vrf TAURUS
  redistribute connected
  neighbor 192.23.23.2 remote-as 100
  neighbor 192.23.23.2 activate
  neighbor 192.23.23.2 as-override
  no synchronization
 exit-address-family
 address-family ipv4 vrf CINDY
  redistribute connected
  neighbor 192.26.26.2 remote-as 200
  neighbor 192.26.26.2 activate
  neighbor 192.26.26.2 as-override
  no synchronization
 exit-address-family
mpls ldp router-id Loopback0
exit

TAURUS_Site-A

hostname TAURUS-Site_A
ip cef
no ip domain lookup
interface Loopback0
 ip address 10.3.3.3 255.255.255.255
interface Serial0/0
 ip address 192.13.13.2 255.255.255.252
 clock rate 2000000
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 10.3.3.3 mask 255.255.255.255
 neighbor 192.13.13.1 remote-as 121
 no auto-summary
exit

CINDY_Site-A

hostname CINDY-SITE_A
ip cef
no ip domain lookup
interface Loopback0
 ip address 10.4.4.4 255.255.255.255
interface Serial0/0
 ip address 192.14.14.2 255.255.255.252
 clock rate 2000000
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 network 10.4.4.4 mask 255.255.255.255
 neighbor 192.14.14.1 remote-as 121
 no auto-summary
exit

TAURUS_Site-B

hostname TAURUS-Site_B
ip cef
no ip domain lookup
interface Loopback0
 ip address 10.5.5.5 255.255.255.255
interface Serial0/0
 ip address 192.23.23.2 255.255.255.252
 clock rate 2000000
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 10.5.5.5 mask 255.255.255.255
 neighbor 192.23.23.1 remote-as 121
 no auto-summary
exit

CINDY_Site-B

hostname CINDY-SITE_B
ip cef
no ip domain lookup
interface Loopback0
 ip address 10.6.6.6 255.255.255.255
interface Serial0/0
 ip address 192.26.26.2 255.255.255.252
 clock rate 2000000
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 network 10.6.6.6 mask 255.255.255.255
 neighbor 192.26.26.1 remote-as 121
 no auto-summary
exit
PE-1#show ip bgp vpnv4 all summary
< output truncated >
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2.2.2.2 4 121 115 116 15 0 0 01:09:16 4
192.13.13.2 4 100 70 74 15 0 0 00:46:42 1
192.14.14.2 4 200 41 44 15 0 0 00:36:14 1
PE-2#show ip bgp vpnv4 all summary
< output truncated >
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 121 119 118 15 0 0 01:11:22 4
192.23.23.2 4 100 53 56 15 0 0 00:48:07 1
192.26.26.2 4 200 41 44 15 0 0 00:36:46 1
PE-1#sh ip route vrf TAURUS bgp
192.23.23.0/30 is subnetted, 1 subnets
B 192.23.23.0 [200/0] via 2.2.2.2, 00:25:32
10.0.0.0/32 is subnetted, 2 subnets
B 10.3.3.3 [20/0] via 192.13.13.2, 00:35:30
B 10.5.5.5 [200/0] via 2.2.2.2, 00:33:03
PE-1#show ip route vrf CINDY bgp
192.26.26.0/30 is subnetted, 1 subnets
B 192.26.26.0 [200/0] via 2.2.2.2, 00:27:05
10.0.0.0/32 is subnetted, 2 subnets
B 10.6.6.6 [200/0] via 2.2.2.2, 00:32:36
B 10.4.4.4 [20/0] via 192.14.14.2, 00:34:51
PE-1#show ip bgp vpnv4 all
BGP table version is 15, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf TAURUS)
*> 10.3.3.3/32 192.13.13.2 0 0 100 i
*>i10.5.5.5/32 2.2.2.2 0 100 0 100 i
*> 192.13.13.0/30 0.0.0.0 0 32768 ?
*>i192.23.23.0/30 2.2.2.2 0 100 0 ?
Route Distinguisher: 1:200 (default for vrf CINDY)
*> 10.4.4.4/32 192.14.14.2 0 0 200 i
*>i10.6.6.6/32 2.2.2.2 0 100 0 200 i
*> 192.14.14.0/30 0.0.0.0 0 32768 ?
*>i192.26.26.0/30 2.2.2.2 0 100 0 ?
TAURUS-Site_A#ping 10.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 456/696/972 ms
The prefix 10.5.5.5 (from router TAURUS-Site_B) is received and pinged successfully from router TAURUS-Site_A.
Cisco IOS IP and IP Routing Command Reference
Thanks! Nice explanation. I tried as override command under address family ipv4 and it worked.
Thanks very much, SunilKhanna
Nice explanation,
This post helped me to revive the as-override feature. Thank you very much.
Mohsin Saleem
This is a good example indeed and it gives out a better understanding of as-override feature with the diagram with the PE and CE configuration.
Well done!
If I may suggest - for the next post, to have a sample ping and traceroute of a similar setup, this time without the line as-override included in the PE configuration, and see what happens.
A video on the screenshot configuration could also be helpful in seeing the effect of removing one line.
Keep up the good work @SunilKhanna !
Hi all,
Does anyone know in which IOS release support for as-override, without using a vrf, was added?
I tested on a 1800 with IOS 12.4 and VRF is needed to be able to add the as-override command. Also tested on a 897 with IOS 15.4 and it worked fine without it.
Thanks,
Best regards.
@SunilKhanna wrote:
The command is neighbor ip-address as-override and can only be executed under the VPNv4 address-family.
This sentence must be a typo. The as-override feature works only for IPv4 and IPv6 address-families (for VRF, and global routing table for newer IOS releases). You cannot use it under VPNv4/v6 address families.
Good evening,
In your example, you are using public AS (100, 200, 121).
I'm trying to do the same thing with public AS and it doesn't work (with an ASR1000, there is no change with or without as-override).
Is it available on public AS? Or is it only available on private AS?
Or is it a bug version?
Best regards.
./DWAM
I was actually doing some lab regarding this and you can actually make this work in IPv4 network as long as the source AS is the same as the receiving AS.
Sample below:
AS15---AS16---AS17
If you advertise networks of AS15 to AS16 then you configure AS-Override to AS17, nothing will happen. The AS-Path in AS17 will still look "16 15".
But if we change it to:
AS17---AS16---AS17
If we advertise the AS17 (left) route to AS17 (right) with AS-Override on AS16 facing the right-side AS17, the AS-Path will look as "16 16".
So looks like it is restricted in VPNv4 environment.
I was having this exact problem where as-override is only working when you connect two AS numbers that are overlapping with each other, AS12 - AS13 - AS12. When I change to AS12 - AS13 - AS14, the as-override is not working anymore.