BGP ASN - internal/external issue

Felipe A. Amaya
Level 1

I have a problem: I have an ASN that is being used internally towards the firewall and it belongs to another company. I need to either a) filter out the ASN # or b) renumber it.

Here is my config.

router bgp ###
neighbor #.#.#.27 remote-as 61001
neighbor #.#.#.27 password 7 <omitted>
neighbor #.#.#.27 ebgp-multihop 255
neighbor #.#.#.27 update-source Loopback0


This was put in place some time back, and we have been contacted because we are using their AS number.

Thank you in advance,


Mark Malone
VIP Alumni

Maybe the local-as feature would work in this setup. I use something similar on dual ISP circuits with the same AS, and the ISP can't see the same AS come in twice or it causes issues for them in the MPLS domain, so I hide it with the local-as feature.

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13761-39.html
The local-AS feature allows a router to appear to be a member of a second autonomous system (AS), in addition to its real AS. This feature can only be used for true eBGP peers. You cannot use this feature for two peers that are members of different confederation sub-ASs.

Thank you Mark for your response. Just a quick clarification...

We have our own BGP AS:

router bgp ### - (our BGP ASN)

neighbor 4.#.#.# remote-as ### (CenturyLink facing)

neighbor 129.#.#.27 remote-as 61001 (facing internal traffic)
neighbor #.#.#.27 password 7 <omitted>
neighbor #.#.#.27 ebgp-multihop 255
neighbor #.#.#.27 update-source Loopback0

neighbor x.x.x.x local-as 61001 <---- will this work?
neighbor peer-group local-as 61001 <---- ?

The AS 61001 is facing internally, towards our ISR4451 interface that faces a Palo Alto Firewall; a similar configuration is applied on the firewall. This is controlling internal traffic headed out to CenturyLink.

So if I applied the local-AS feature in the above scenario, is this doable? Thanks in advance for your clarification.

Philip D'Ath
VIP Alumni

This might help you. Even though you are using one ASN, you can pretend to be a different ASN. In the case below, the router pretends to be ASN 65383 when talking to a.b.c.d.

neighbor a.b.c.d local-as 65383

Thanks Philip, you both made a great point and explanation. My dilemma is that 4 years ago someone used the AS 61001 internally, and it is leaking out to the internet. Well, that AS belongs to someone in the UK and they want us to stop sending it across or renumber it. I believe I have two options:

1. renumber the AS

2. see if there is a way to filter 61001 out so it does not leave our network.

Thanks again for all of your help.

Either of those options is a sticking plaster. You should get your customer to contact the organisation originating the ISP that is connecting that ASN and have it fixed there. Otherwise I would try asking RIPE/ARIN/APNIC/{whoever the authority is} for assistance.

Hello,

On a side note, the local-as command by default prepends the local AS; the original AS is still visible in the path. In order to get rid of the original AS altogether, use the command:

neighbor x.x.x.x local-as YYY no-prepend replace-as
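As an added illustration (not code from this thread or from Cisco), here is a small Python model of the AS_PATH the ISP neighbor would receive for one internal prefix under the options discussed above: filtering 61001 with an outbound as-path access-list, renumbering the firewall to a private ASN combined with remove-private-as, and local-as with and without no-prepend replace-as. Our own ASN (shown as ### above), the private ASN 65001 and the local-as value 64497 are placeholders, and the remove-private-as rule is the classic IOS one, applied only when every ASN in the received path is private.

```python
import re

OUR_ASN = 64496        # placeholder for the thread's own "router bgp ###" (64496 is reserved for documentation)
LEAKED_ASN = 61001     # the UK organisation's ASN that the firewall was configured with
PRIVATE_ASN = 65001    # constructed private ASN (64512-65534) for the renumbering option

def is_private(asn):
    """16-bit (64512-65534) and 32-bit (4200000000-4294967294) private ASN ranges."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294

def ios_as_path_regex(expr):
    """Translate an IOS as-path regex, where '_' matches start, end or a separator."""
    return re.compile(expr.replace("_", r"(?:^|$|\s)"))

def advertise(received_path, *, deny_regex=None, remove_private=False,
              local_as=None, no_prepend_replace_as=False):
    """AS_PATH the eBGP neighbor (here: the ISP) receives for one prefix, or None
    when the outbound route-map denies it. Models the IOS knobs named in the thread."""
    path = list(received_path)
    if deny_regex and ios_as_path_regex(deny_regex).search(" ".join(map(str, path))):
        return None  # route-map deny ... match as-path: the prefix is not advertised
    # remove-private-as (classic form): strips private ASNs only when every ASN is private
    if remove_private and path and all(is_private(a) for a in path):
        path = []
    if local_as is None:
        return [OUR_ASN] + path          # plain eBGP: our own ASN is prepended on the way out
    if no_prepend_replace_as:
        return [local_as] + path         # local-as YYY no-prepend replace-as: real ASN hidden
    return [local_as, OUR_ASN] + path    # local-as YYY by default: both ASNs stay visible

def leak_today():
    # the firewall peering with remote-as 61001 hands us an internal prefix with path [61001]
    return advertise([LEAKED_ASN])

def option_filter():
    # option 2: 'ip as-path access-list 10 deny _61001_' in the route-map applied outbound to the ISP
    return advertise([LEAKED_ASN], deny_regex="_61001_")

def option_renumber():
    # option 1: firewall renumbered to a private ASN, plus remove-private-as towards the ISP
    return advertise([PRIVATE_ASN], remove_private=True)

def local_as_views(yyy=64497):
    # what the ISP sees with 'local-as YYY' alone versus with 'no-prepend replace-as'
    default = advertise([LEAKED_ASN], local_as=yyy)
    replaced = advertise([LEAKED_ASN], local_as=yyy, no_prepend_replace_as=True)
    return default, replaced
```

Note that the filter option withholds the prefix from the ISP entirely, so the internal prefix must not need to be reachable from the internet for that choice to be acceptable.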

Nice command, that should work.