Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1063
Views
0
Helpful
5
Replies

Help with BGP/AS number design

christopher_hall
Level 1
Level 1

‎02-21-2013 07:26 AM - edited ‎03-04-2019 07:06 PM

Hello group,

We are in the process of moving our network from NetVPN to AVPN. At our core location, we'll be running both for a period of time until all remote locations can be switched over. I'm configuring a router for our AVPN circuit and have questions about choosing an AS number. At the present, we have:

    1. A internet facing router with a AS number
    2. A WAN router with a AS number
    3. A core switch with a AS number

I know these devices were setup as they are to help us with internet access redundancy (we have another internet circuit in our remote, DR site). After we bring all locations onto the AVPN network, the existing WAN router will be removed. My question(s) is do I need to have a separate AS number for the new router? I have a general idea of what AS numbers are and what they do, but still not 100% clear about their use. It would help if someone could show me an example of AS numbers and how they're used. I can provide config info if needed.

Thanks in advance,

Chris

Labels:
0 Helpful
5 Replies 5

adnane dakna
Level 1
Level 1

‎02-21-2013 07:48 AM

is better to submit  you config routers with architecture network you're planning  to switch to.

0 Helpful

christopher_hall
Level 1
Level 1
In response to adnane dakna

‎02-21-2013 08:08 AM

I don't have access to the Internet router right now, but will try to post it shortly.

I'm not sure what to post for the 'architecture network you're planning  to switch to'. I've attached the new router, the current router and switch configs.


3115389-Core Switch.txt.zip
0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎02-21-2013 08:03 AM

Hello Chris,

as it happens for IP addresses there are public AS numbers and private AS numbers ( 64512 - 65535 for 16 bit AS numbers).

Public AS numbers are assigned by regional internet registries like ARIN, RIPE, APNIC and a few others.

Like public IPv4 address blocks public AS numbers are precious and some conditions have to be met to get one.

A public AS number is unique woldwide and it is assigned to a specific company, A public AS number may appear in public BGP internet tables as the source of some public IP address blocks belonging to your company (in the AS path BGP attribute that records all the ASes a prefix has been propagated through )

Again these public IP addresses are assigned by RIRs.

However, for VPN services customers like you are connected to, the use of private AS numbers is enough. A private AS numbers provide a non unique non global AS number just to be used to setup eBGP sessions with the ISP. In this case the ISP will handle the private AS number in such a way that the private AS number is removed before propagating customer routes to the internet.

The private AS number is assigned to you by the ISP or agreed with them

It is likely that all your devices are using private AS numbers, The new AVPN service can re-use the same AS number or  it can use a new one.

Hope to help

Giuseppe

0 Helpful

christopher_hall
Level 1
Level 1
In response to Giuseppe Larosa

‎02-21-2013 08:10 AM

Thanks, Giuseppe!

0 Helpful

christopher_hall
Level 1
Level 1
In response to Giuseppe Larosa

‎02-21-2013 08:16 AM

Don't know why my txt file was seen as a virus, but here's the contents of the three files attached..

**************

WAN Router

**************

!

! Last configuration change at 14:12:35 EST Wed Jan 9 2013 by wjerrell

! NVRAM config last updated at 14:02:34 EST Wed Jan 9 2013 by wjerrell

!

version 12.4

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

!

hostname RT00-2811-01

!

boot-start-marker

boot-end-marker

!

logging buffered 32000 debugging

no logging console

no logging monitor

enable secret 5 $1$Uj7n$/gpiBefkWvQI2iwOPfoe7.

!

no aaa new-model

clock timezone EST -5

clock summer-time EST recurring

ip wccp web-cache redirect-list 120

!

!

ip cef

!

!

ip flow-cache timeout active 1

no ip bootp server

no ip domain lookup

ip domain name secfedbank.com

ip name-server 205.152.226.254

ip name-server 205.152.0.5

ip sla monitor 1

type echo protocol ipIcmpEcho 10.45.45.1 source-interface FastEthernet0/0.10

ip sla monitor schedule 1 life forever start-time now

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto pki trustpoint TP-self-signed-2105432603

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2105432603

revocation-check none

rsakeypair TP-self-signed-2105432603

!

!

crypto pki certificate chain TP-self-signed-2105432603

certificate self-signed 01

  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 32313035 34333236 3033301E 170D3038 30353231 30323136

  31365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31303534

  33323630 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B35A 3AB46162 379144AE 24923FA4 BC263CEF EE6956E9 0BAD15EC 428795FE

  6CD29BF5 453D0D2B 223BAAC9 C7737337 7CB8A3FB 4F46CC4B 81391004 F218159D

  BAD172A9 1F13747F 89F32806 583B9F8C C6BE72CF E02393A9 52B6ED2E C7002A6A

  CB33B650 5A965B69 F21345A3 E99A1F06 D6DDF77D 5E18EBCD F955B3A8 3BA151B2

  A0090203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603

  551D1104 1F301D82 1B525430 302D3238 31312D30 312E7365 63666564 62616E6B

  2E636F6D 301F0603 551D2304 18301680 142ACDDC 6AF8C469 E5D285AF DEEAA249

  383B80B5 17301D06 03551D0E 04160414 2ACDDC6A F8C469E5 D285AFDE EAA24938

  3B80B517 300D0609 2A864886 F70D0101 04050003 81810042 54F8188B 8EBDA319

  C0B76D85 AD4F05F1 5804BD0B 19EB6C72 11575565 FC4F61FA 7D80D2FA 20A3565E

  C19C5903 FCB215D4 CBAB12F6 4D4A4D35 29D5AD58 72112742 3912E23D 3C36D386

  F6D81943 F37A5C5F 36146C78 328EB9E3 2839C466 B5DEBF8F 696B0C8A BE001E36

  B34D06C8 E725CED4 E9D5C953 30C702B4 39479E68 CC8568

  quit

!

ip ssh version 2

!

track 1 rtr 1 reachability

!

class-map match-any Business_Ingress

match access-group 130

class-map match-any Business_Data

match ip dscp af21

match access-group 130

class-map match-any ATM_Traffic

match access-group 140

class-map match-any Voice

match  dscp ef

match access-group name Voice-Traffic

class-map match-any Replication

match access-group 150

class-map match-any Voice_Ingress

match access-group name Voice-Traffic

!

!

policy-map Voice-Traffic

class Voice

  priority percent 15

class Business_Data

  bandwidth percent 64

class Replication

    police 7000000

class ATM_Traffic

  priority percent 5

class class-default

policy-map WAN_QOS

class class-default

  shape average 10000000

  service-policy Voice-Traffic

policy-map QOS_INGRESS_LAN

class Business_Ingress

  set ip dscp af21

class Voice_Ingress

  set ip dscp ef

!

!

!

!

interface FastEthernet0/0

no ip address

ip flow ingress

ip flow egress

ip route-cache flow

duplex auto

speed auto

mpls netflow egress

service-policy input QOS_INGRESS_LAN

!

interface FastEthernet0/0.10

description Data Network

encapsulation dot1Q 10

ip address 10.20.102.10 255.255.255.0

no ip redirects

ip accounting output-packets

ip wccp web-cache redirect in

ip flow ingress

!

interface FastEthernet0/0.100

description SAN Replication

encapsulation dot1Q 4

ip address 10.20.100.10 255.255.255.0

no ip redirects

ip accounting output-packets

ip wccp web-cache redirect in

ip flow ingress

!

interface FastEthernet0/0.104

encapsulation dot1Q 104

ip address 10.20.104.10 255.255.255.0

no ip redirects

ip accounting output-packets

ip wccp web-cache redirect in

ip flow ingress

!

interface FastEthernet0/0.172

description Voice Network

encapsulation dot1Q 172

ip address 172.20.102.2 255.255.255.0

ip helper-address 10.20.102.4

ip helper-address 10.20.102.5

no ip redirects

ip accounting output-packets

ip flow ingress

ip flow egress

no cdp enable

!

interface FastEthernet0/1

no ip address

duplex full

speed 100

!

interface FastEthernet0/1.22

description Operations - AT&T - 42.KQGN.400006

bandwidth 10000

encapsulation dot1Q 22

ip address 192.168.0.102 255.255.255.252

no ip redirects

ip accounting output-packets

ip nbar protocol-discovery

ip flow ingress

service-policy output WAN_QOS

!

router bgp 65342

bgp log-neighbor-changes

neighbor 10.20.100.1 remote-as 2388

neighbor 10.20.102.1 remote-as 2388

neighbor 10.20.104.1 remote-as 2388

neighbor 192.168.0.101 remote-as 6389

!

address-family ipv4

  neighbor 10.20.100.1 activate

  neighbor 10.20.102.1 activate

  neighbor 10.20.104.1 activate

  neighbor 192.168.0.101 activate

  no auto-summary

  no synchronization

  network 10.15.1.0 mask 255.255.255.0

  network 10.20.100.0 mask 255.255.255.0

  network 10.20.102.0 mask 255.255.255.0

  network 10.20.104.0 mask 255.255.255.0

  network 10.79.104.0 mask 255.255.255.0

  network 10.255.102.0 mask 255.255.255.0

  network 172.20.102.0 mask 255.255.255.0

  network 192.168.0.100 mask 255.255.255.252

exit-address-family

!

ip forward-protocol nd

ip route 10.15.1.0 255.255.255.0 10.20.102.125 track 1

ip route 10.15.1.0 255.255.255.0 10.20.128.16 100

ip route 10.20.10.0 255.255.255.0 10.20.102.195

ip route 10.45.45.1 255.255.255.255 10.20.102.125 10

ip route 10.45.45.1 255.255.255.255 10.20.128.16 20

ip route 10.79.0.0 255.255.0.0 10.20.102.195

ip route 10.79.104.0 255.255.255.0 10.20.102.195

ip route 10.100.102.0 255.255.255.0 10.20.128.10

ip route 170.209.0.2 255.255.255.254 10.20.102.12

ip route 170.209.0.2 255.255.255.255 10.20.102.12 permanent

ip route 170.209.0.3 255.255.255.255 10.20.102.12 permanent

ip route 192.168.0.0 255.255.255.0 192.168.0.101

ip route 208.61.216.1 255.255.255.255 10.20.102.195

!

ip flow-export source FastEthernet0/1.22

ip flow-export version 9

ip flow-export destination 10.20.102.15 2055

ip flow-top-talkers

top 20

sort-by bytes

cache-timeout 30000

!

ip http server

ip http authentication local

no ip http secure-server

!

ip access-list extended Voice-Traffic

permit udp 172.20.0.0 0.0.255.255 any eq 2427

permit udp 172.20.0.0 0.0.255.255 any eq 2727

permit udp 172.20.0.0 0.0.255.255 any range 5440 5446

permit ip 172.20.0.0 0.0.255.255 any dscp ef

permit ip 172.20.0.0 0.0.255.255 any

!

logging trap debugging

logging facility local2

logging 10.20.102.20

access-list 5 permit 0.0.0.0

access-list 6 permit 208.61.216.1

access-list 7 permit 10.15.1.0 0.0.0.255

access-list 10 permit 0.0.0.0

access-list 10 permit any

access-list 20 permit 10.20.102.22

access-list 100 permit ip 10.20.102.0 0.0.0.255 any

access-list 100 deny   ip any 170.209.0.2 0.0.0.1

access-list 100 permit ip any any

access-list 120 deny   ip host 10.20.102.22 any

access-list 120 permit ip host 10.20.102.89 any

access-list 120 deny   ip any any

access-list 127 deny   ip host 10.20.102.51 host 205.152.226.254

access-list 127 deny   ip host 10.20.102.51 host 205.152.0.5

access-list 127 permit ip host 10.20.102.51 any

access-list 127 deny   ip host 10.20.102.52 host 205.152.226.254

access-list 127 deny   ip host 10.20.102.52 host 205.152.0.5

access-list 127 permit ip host 10.20.102.52 any

access-list 127 deny   ip any any

access-list 130 deny   ip 10.20.100.0 0.0.0.255 any

access-list 130 deny   ip host 10.20.102.8 any

access-list 130 deny   ip host 10.20.102.154 any

access-list 130 deny   ip host 10.20.102.23 any

access-list 130 permit ip 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255

access-list 140 permit ip any host 10.20.105.254

access-list 140 permit ip any host 10.20.110.254

access-list 140 permit ip any host 10.20.112.254

access-list 140 permit ip any host 10.20.114.254

access-list 140 permit ip any host 10.20.117.2

access-list 140 permit ip any host 10.20.118.254

access-list 140 permit ip any host 10.20.122.254

access-list 140 permit ip any host 10.20.124.254

access-list 140 permit ip any host 10.20.128.254

access-list 140 permit ip any host 10.20.126.254

access-list 140 permit ip any host 10.20.134.254

access-list 140 permit ip any host 10.20.132.254

access-list 140 permit ip any host 10.20.140.254

access-list 140 permit ip any host 10.20.142.254

access-list 150 permit ip 10.20.100.0 0.0.0.255 any

access-list 150 permit ip host 10.20.102.8 any

access-list 150 permit ip host 10.20.102.23 any

access-list 150 permit ip host 10.20.102.154 any

snmp-server community sfbnet RO

snmp-server enable traps envmon

snmp-server enable traps voice poor-qov

snmp-server host 10.20.102.15 sfbnet

snmp-server host 10.20.102.21 sfbnet

route-map ADV_ROUTES permit 10

match ip address 7

!

route-map Set_Local_Pref permit 10

match ip address 10

set local-preference 120

set community 418709624

!

route-map Check-Internet permit 10

match ip address 5

match ip next-hop 6

set community 418709624

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

banner motd ^C

banner motd ^C

******************************************************************************

THIS SYSTEM IS FOR THE USE OF AUTHORIZED USERS ONLY!  INDIVIDUALS USING

THIS COMPUTER SYSTEM WITHOUT AUTHORITY, OR IN EXCESS OF THEIR AUTHORITY,

ARE SUBJECT TO DISCIPLINARY ACTION.  ANYONE USING THIS SYSTEM EXPRESSLY

CONSENTS TO MONITORING. BY ACCESSING THIS SYSTEM, YOU ARE ACCEPTING

RESPONSIBILITY FOR ALL OF YOUR ACTIONS.  THIS SYSTEM IS THE PROPERTY OF

SECURITY FEDERAL BANK.

******************************************************************************

^C^C

!

line con 0

password 7 133C4F5C3C582E0E7F

login

line aux 0

password 7 071C244F1D0C4A

line vty 0 4

password 7 152B5342137E21207C

login local

transport input ssh

transport output ssh

line vty 5 15

login local

transport input ssh

transport output ssh

!

scheduler allocate 20000 1000

ntp clock-period 17180045

ntp server 208.61.216.1

!

end

**************

End WAN Router

**************

*****************

Core Switch

*****************

!

! Last configuration change at 11:52:39 EST Thu Jan 31 2013 by chall

! NVRAM config last updated at 11:52:40 EST Thu Jan 31 2013 by chall

!

version 12.2

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname sw00-3560-01

!

boot-start-marker

boot-end-marker

!

logging buffered 32000 warnings

no logging console

enable secret 5 $1$Evs8$nsd7tSGp6asz4z.Fm9jbW.

!

!

!

no aaa new-model

clock timezone EST -5

clock summer-time EDT recurring

system mtu routing 1500

authentication mac-move permit

ip subnet-zero

ip routing

!

router bgp 2388

bgp log-neighbor-changes

neighbor 10.20.102.10 remote-as 65342

neighbor 208.61.216.1 remote-as 2386

neighbor 208.61.216.1 ebgp-multihop 3

neighbor 208.61.216.1 update-source Vlan1

!

address-family ipv4

  neighbor 10.20.102.10 activate

  neighbor 10.20.102.10 default-originate route-map Check-Internet

  neighbor 208.61.216.1 activate

  neighbor 208.61.216.1 prefix-list 10 out

  no auto-summary

  no synchronization

  network 10.20.10.0 mask 255.255.255.0

exit-address-family

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.20.102.10 201

ip route 10.20.10.0 255.255.255.0 10.20.102.195

ip route 10.20.11.0 255.255.255.0 10.20.102.10

ip route 10.255.128.0 255.255.255.0 10.20.102.10

ip route 170.209.0.2 255.255.255.255 10.20.102.12 permanent

ip route 170.209.0.3 255.255.255.255 10.20.102.12 permanent

ip route 172.16.1.0 255.255.255.224 10.20.128.10

ip route 192.168.0.0 255.255.248.0 10.20.102.10

ip route 208.61.216.1 255.255.255.255 10.20.102.195

!

ip http server

ip http authentication local

no ip http secure-server

!

!

ip prefix-list 10 seq 1 deny 10.20.0.0/16

ip prefix-list 10 seq 2 deny 172.20.0.0/16

!

ip prefix-list 11 seq 1 deny 208.61.216.0/24

ip sla enable reaction-alerts

access-list 5 permit 0.0.0.0

access-list 6 permit 208.61.216.1

access-list 10 permit 10.20.0.0 0.0.255.255

access-list 10 permit 172.20.0.0 0.0.255.255

route-map Check-Internet permit 10

match ip address 5

match ip next-hop 6

!

!

snmp-server community sfbnet RO

snmp-server location Ops

snmp-server enable traps port-security

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps errdisable

snmp-server host 10.20.102.15 sfbnet

snmp ifmib ifindex persist

!

banner motd ^C

******************************************************************************

THIS SYSTEM IS FOR THE USE OF AUTHORIZED USERS ONLY!  INDIVIDUALS USING

THIS COMPUTER SYSTEM WITHOUT AUTHORITY, OR IN EXCESS OF THEIR AUTHORITY,

ARE SUBJECT TO DISCIPLINARY ACTION.  ANYONE USING THIS SYSTEM EXPRESSLY

CONSENTS TO MONITORING. BY ACCESSING THIS SYSTEM, YOU ARE ACCEPTING

RESPONSIBILITY FOR ALL OF YOUR ACTIONS.  THIS SYSTEM IS THE PROPERTY OF

SECURITY FEDERAL BANK.

******************************************************************************

^C

!

line con 0

line vty 0 4

login local

length 0

line vty 5 15

login local

!

ntp clock-period 36029059

ntp server 10.20.102.10

end

*********************

End core switch

*********************

***********************

New Router

***********************

SH RUN

Building configuration...

Current configuration : 3098 bytes

!

version 12.4

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

!

hostname RT00-2811-02

!

boot-start-marker

boot-end-marker

!

logging buffered 32000 debugging

no logging console

no logging monitor

enable secret 5 $1$Uj7n$/gpiBefkWvQI2iwOPfoe7.

!

no aaa new-model

clock timezone EST -5

clock summer-time EST recurring

ip wccp web-cache redirect-list 120

!

!

ip cef

!

!

ip flow-cache timeout active 1

no ip bootp server

no ip domain lookup

ip sla monitor 1

type echo protocol ipIcmpEcho 10.45.45.1 source-interface FastEthernet0/0.10

ip sla monitor schedule 1 life forever start-time now

!

voice-card 0

no dspfarm

!

!

!

ip ssh version 2

!

track 1 rtr 1 reachability

!

!

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/0.10

description Data Network

encapsulation dot1Q 10

ip address 10.20.102.110 255.255.255.0

no ip redirects

no ip proxy-arp

ip accounting output-packets

ip wccp web-cache redirect in

ip flow ingress

no cdp enable

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1.436

description AT&T 42.KQGN.600265.SB

bandwidth 20000

encapsulation dot1Q 436

ip address 192.168.0.90 255.255.255.252

no ip redirects

no ip proxy-arp

ip accounting output-packets

ip nbar protocol-discovery

ip flow ingress

no cdp enable

!

interface Serial0/0/0

no ip address

shutdown

!

ip forward-protocol nd

!

!

ip http server

ip http authentication local

no ip http secure-server

!

snmp-server community sfbnet RO

snmp-server enable traps envmon

snmp-server enable traps voice poor-qov

snmp-server host 10.20.102.15 sfbnet

snmp-server host 10.20.102.21 sfbnet

!

!

!

control-plane

!

!

!

!

!

!

line con 0

password 7 133C4F5C3C582E0E7F

login

line aux 0

password 7 071C244F1D0C4A

line vty 0 4

password 7 152B5342137E21207C

login local

transport input ssh

transport output ssh

line vty 5 15

login local

transport input ssh

transport output ssh

!

scheduler allocate 20000 1000

ntp clock-period 17180045

ntp server 208.61.216.1

!

end

RT00-2811-02#

************************

End New Router

************************

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card