BGP Remove Private AS and Replace ASN
We know that private ASN is generally use for enterprise networks. It also works fine, If we are using single ISP. Means source and destination both networks are connecting using same ISP.
Suppose we are using multiple ISPs. in this case we can face the issue. Because a private ASN can send the packet to public ASN or to any other ASN (known by ISP) But reverse traffic can’t reach to private ASN. because other ISPs are not having any information for it.
Example(BGP Remove Private AS and Replace ASN):
Suppose, We are having an enterprise network with BGP ASN 65532 and this network is located in USA. A user of this network is trying to ping 10.1.1.100 which is in different ASN (65531) and it is located UK. USA network is connecting to ISP ‘A’ and UK network is connecting to ISP ‘B’. But both ISP are not having direct connection two each other and they are having connected through ISP ‘C’ as below.
Thanks to ISPs. They are doing all kind of things on the behalf of us and making the communication possible.
User-A is initiating a ping for USER-B (10.1.1.100). USA-R1 will receive this packet and it will forward to ISP-A. Because USA-R1 is getting the route from ISP-A. ISP-A will receive this packet and it will forward it to ISP-C. Because ISP-A learning it from ISP-C. ISP-C will forward this packet to ISP-B and ISP will forward it to UK-R1. UKR1 will forward it to USER-B. Everything is going in right way. But what happen ? when USER-B will reply it to this packet.
Now USER-B is sending a reply packet to UK-R1 and UK-R1 is sending it to ISP-B and ISP-B is sending it to ISP-C. Till now we are not having problem.
But ISP-C will not forward this packet and it will drop it. Because ISP-C is not aware from ASN-65532.
So why are we not facing this type of issue in real environment ?
What has done ISPs ? so we are not facing this issue.
Answer is they are replacing our ASN number by public ASN. If you don’t want to replace your ASN then you should use public ASN then this type of issue will not be occur.
To resolve the above issue, ISP-A need to replace our ASN 65532 by its own ASN 100.
Replacing Private ASN By Public ASN:
ISP-A# conf t
ISP-A(config)# router bgp 100
ISP-A(config-router)# neighbor 192.168.0.1 remove-private-as all replace-as
ISP-A# clear ip bgp * softAfter completed the above configuration. USER-A will be able to ping USER-B (10.1.1.100). because ISP-A will replace the Private ASN (65532) by public ASN 100. So now ISP-C will not drop the packet because it is aware from all the public ASNs.
Remove/Replace private ASN feature can be use only with eBGP neighbors and for outbound updates.
If We are using confederations then only private ASNs will be remove and confederation ASNs will not be remove.
remove-private-as commands works only when path is containing private ASNs. If path is containing both (private and public ASN) then this command will not work. but we can use remove-private-as all command and it will work fine.
We can alsoreplace the private ASN with local public ASN using remove-private-as all replace-as command.
Removing Private ASN:
Suppose, We need to remove the private ASN from packets at ISP-C, which are receiving from ISP-A. in our case, packets are containing the As-path 65532 100.
Below configuration below remove the 65532 ASN from as-path which is an private ASN. here we are using all keyword because as-path containing the both private and public ASN.
ISP-C# conf t
ISP-C(config)# router bgp 100
ISP-C(config-router)# neighbor 100.1.1.1 remove-private-as all
ISP-C# clear ip bgp * softIf we are having all the private ASN in as-path then we can use below commands:
ISP-B# conf t
ISP-B(config)# router bgp 100
ISP-B(config-router)# neighbor 172.1.1.1 remove-private-as
ISP-B# clear ip bgp * softThanks For Reading ………………
We will recommend you to read below posts: