01-08-2014 11:59 AM - edited 03-04-2019 10:01 PM
Hi Experts,
I was doing some lab work with the below setup.
R1 with private AS 64512 connected to both R2 and R3.
R2 with public AS 60.
R3 with public AS 70.
R2 and R3 are connected to R4 with public AS 50.
I advertised network 99.1.1.0/24 from R1.
Without the command neighbor remove-private-as, I can see the above route on R4.
From all the documentation I can see, it states that routes from the private AS should not leak into R4. In fact both R2 and R3 should not even advertise it to R4.
Can somebody please clarify?
Thanks in advance.
01-08-2014 03:35 PM
Can you point to the documentation ?
You are right that private AS numbers should be removed on the internet, but as far as I know there is no automatic mechanism in BGP to remove them or not to advertise routes with them in (I could be missing something though).
After all, this is often how MPLS networks work, i.e. the customer uses a private AS and peers with an SP using a public AS, and the routes are advertised to all other sites through the public AS.
Like I say, I may be missing something, but I think if you don't want to advertise routes with a private AS you need to manually do something in the BGP config.
Jon
01-09-2014 07:46 AM
Hi Jon,
I appreciate the response.
Please see below link.
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f27.shtml
From my understanding of the above doc, the very reason the command "remove-private-as" was created was to overcome this automatic behavior of BGP.
01-09-2014 07:54 AM
Maybe I have misunderstood your question, but I thought you asked when the "remove-private-as" was not configured you were seeing the route on R4.
If so then that is what will happen. The document you linked to states that private AS numbers should not be leaked, but it doesn't say they are automatically removed. It says that to ensure they are not leaked you use the "remove-private-as" config command, but if you don't use it then BGP will not remove it and will simply advertise it out, which is exactly what you are seeing.
That is why you have the command.
If I am misunderstanding, please clarify.
Jon
01-09-2014 08:40 AM
Ah ok. I think I get it. I assumed it is dropped by default. So essentially to avoid the Private AS appearing on the path, best practice to apply the remove-private-as command or if dropping is preferred then a manual filter is required.
Thanks Jon!!!
Happy New Year by the way!!
01-09-2014 08:56 AM
Ah ok. I think I get it. I assumed it is dropped by default. So essentially to avoid the Private AS appearing on the path, best practice to apply the remove-private-as command or if dropping is preferred then a manual filter is required.
Exactly, there is no default in BGP that filters routes if they contain a private AS number.
Happy New Year to you also
Jon
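The behaviour settled in this thread, as an added example that is not part of any post: a simplified Python model of the lab topology showing the AS_PATH R4 receives with and without remove-private-as, and the separate manual filter needed to drop such routes. The function names are hypothetical, and the stripping rule (private ASNs removed only when the path holds nothing but private ASNs) is an assumed simplification of the command.

```python
# Added illustration, not from the thread: a simplified model of eBGP AS_PATH
# handling in the lab (R1 AS 64512 -> R2 AS 60 / R3 AS 70 -> R4 AS 50).
PRIVATE_2BYTE = range(64512, 65535)  # RFC 6996 private-use range 64512-65534


def is_private(asn):
    return asn in PRIVATE_2BYTE


def advertise(as_path, local_as, remove_private_as=False):
    """AS_PATH an eBGP speaker sends to its neighbor.

    Assumed simplification of remove-private-as: private ASNs are stripped
    only when the path consists solely of private ASNs; nothing is ever
    dropped. The speaker then prepends its own AS.
    """
    path = list(as_path)
    if remove_private_as and path and all(is_private(a) for a in path):
        path = []
    return [local_as] + path


def inbound_filter(as_path):
    """Manual filter: reject any path that still carries a private ASN."""
    return not any(is_private(a) for a in as_path)


def paths_at_r4(strip):
    """Paths for 99.1.1.0/24 as R4 receives them from R2 and R3."""
    from_r1 = advertise([], 64512)  # R1 originates the prefix
    return {
        "R2": advertise(from_r1, 60, remove_private_as=strip),
        "R3": advertise(from_r1, 70, remove_private_as=strip),
    }


if __name__ == "__main__":
    for strip in (False, True):
        for peer, path in paths_at_r4(strip).items():
            verdict = "accept" if inbound_filter(path) else "reject"
            print(f"remove-private-as={strip} via {peer}: {path} -> {verdict}")
```

Without stripping, the route still reaches R4 with 64512 in the path; only the filter rejects it.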