Private AS peering with Public One

Unanswered Question
Feb 13th, 2007

Hi All,

Are there any precautions that should be taken on BGP when peering between two ASs (one of them is private and the other is public)?

Thanks for your feedback,

mheusinger Wed, 02/14/2007 - 01:00

Hello,

You should apply the proper inbound and outbound filters to be sure an ISP mistake will not get you in trouble. I am assuming your IP addresses to be announced are from network 1.1.0.0/16. An example configuration would look like this:

interface Ethernet0/1
 description to ISP
 ip address 1.4.5.2 255.255.255.252
!
router bgp 65000
 network 1.1.0.0 mask 255.255.0.0
 neighbor 1.4.5.1 remote-as 1
 neighbor 1.4.5.1 prefix-list NoTrash in
 neighbor 1.4.5.1 filter-list 1 out
 no auto-summary
!
! filter-list 1: only locally originated routes (empty AS path) go out
ip as-path access-list 1 permit ^$
!
! NoTrash: drop RFC1918 space and our own block coming in, accept the rest
ip prefix-list NoTrash deny 192.168.0.0/16 le 32
ip prefix-list NoTrash deny 172.16.0.0/12 le 32
ip prefix-list NoTrash deny 10.0.0.0/8 le 32
ip prefix-list NoTrash deny 1.1.0.0/16 le 32
ip prefix-list NoTrash permit 0.0.0.0/0 le 32
!
! floating static so the aggregate is always in the table for "network"
ip route 1.1.0.0 255.255.0.0 Null0 250

This would announce only the official IP addresses to the ISP. Also, all RFC1918 routes are blocked. You could extend this and use the BOGON list for filtering, but this would require more maintenance, because you have to adjust the filters from time to time. For a customer it should be sufficient to block all routes you potentially have internally.

This is just in case the ISP messes up his filters. Outgoing filter-list 1 is not really needed in such an environment, but with two ISPs it prevents the customer from becoming a transit AS. You can omit this if only one ISP is present.

Hope this helps! Please rate all posts.

Regards, Martin

royalblues Wed, 02/14/2007 - 05:08

Martin,

Can we not achieve the same with only one prefix entry, "ip prefix-list NoTrash permit 0.0.0.0/0 le 32"?

All others would be denied implicitly

Narayan

mheusinger Wed, 02/14/2007 - 05:18

Hi Narayan,

ip prefix-list NoTrash permit 0.0.0.0/0 le 32

means "everything", i.e. any route with a mask between /0 and /32.

This is like access-list 100 permit ip any any

As there will always be a match, nothing would be implicitly denied.

Hope this helps! Please use the rating system.

Regards, Martin

royalblues Wed, 02/14/2007 - 06:42

Sorry Martin,

I didn't read the le parameter.

What I wanted to ask was: if we use only 0.0.0.0/0 ge 32 le 32 as a prefix entry, it should allow only the default route and nothing else, and hence there would be no need to deny the RFC 1918 addresses.

Narayan

mheusinger Wed, 02/14/2007 - 07:25

Ok,

but this will only work if the SP sends the default route, which can of course be negotiated. In this case the following prefix list would be simpler yet do the same:

ip prefix-list NoTrash permit 0.0.0.0/0

This will only allow the default route.

Hope this helps!

Regards, Martin
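To make the semantics of the prefix-list entries discussed in this exchange concrete, here is a small evaluator written for this page (it is not code from any of the posters or from Cisco). It implements the usual IOS prefix-list rules: an entry matches a route when the route's first `len` bits equal the entry's prefix and the route's mask length falls in the range given by `ge`/`le` (no `ge`/`le` means exact length only); the first matching entry wins and the list ends in an implicit deny. The configuration and the sample routes are constructed for the example; the NoTrash list is the one from the first reply, and the list names Everything, HostRoutes and DefaultOnly are mine for the three single-entry forms mentioned above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PrefixListEntry:
    """One 'ip prefix-list' line (sequence numbers are ignored)."""
    action: str                     # "permit" or "deny"
    prefix: ipaddress.IPv4Network   # the PREFIX/LEN on the entry
    ge: Optional[int] = None        # optional lower bound on the route's mask length
    le: Optional[int] = None        # optional upper bound on the route's mask length

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        base = self.prefix.prefixlen
        low = self.ge if self.ge is not None else base
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = 32
        else:
            high = base             # neither ge nor le: exact length only
        if not (low <= route.prefixlen <= high):
            return False
        # The route's first `base` bits must equal the entry's prefix.
        return route.prefixlen >= base and route.subnet_of(self.prefix)


def parse_prefix_lists(config: str) -> Dict[str, List[PrefixListEntry]]:
    """Collect 'ip prefix-list NAME [seq N] permit|deny PREFIX [ge N] [le N]' lines."""
    lists: Dict[str, List[PrefixListEntry]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["ip", "prefix-list"]:
            continue
        name, rest = tokens[2], tokens[3:]
        if rest and rest[0] == "seq":
            rest = rest[2:]
        entry = PrefixListEntry(rest[0], ipaddress.IPv4Network(rest[1], strict=False))
        options = rest[2:]
        for key, value in zip(options[0::2], options[1::2]):
            if key == "ge":
                entry.ge = int(value)
            elif key == "le":
                entry.le = int(value)
        lists.setdefault(name, []).append(entry)
    return lists


def evaluate(entries: List[PrefixListEntry], route: str) -> str:
    """First matching entry decides; a prefix list ends with an implicit deny."""
    net = ipaddress.IPv4Network(route, strict=False)
    for entry in entries:
        if entry.matches(net):
            return entry.action
    return "deny"


# Constructed configuration: the thread's NoTrash list plus the three
# single-entry variants from the follow-up posts, each under its own name.
SAMPLE_CONFIG = """
ip prefix-list NoTrash deny 192.168.0.0/16 le 32
ip prefix-list NoTrash deny 172.16.0.0/12 le 32
ip prefix-list NoTrash deny 10.0.0.0/8 le 32
ip prefix-list NoTrash deny 1.1.0.0/16 le 32
ip prefix-list NoTrash permit 0.0.0.0/0 le 32
ip prefix-list Everything permit 0.0.0.0/0 le 32
ip prefix-list HostRoutes permit 0.0.0.0/0 ge 32 le 32
ip prefix-list DefaultOnly permit 0.0.0.0/0
"""

# Constructed sample routes as an upstream might (mistakenly) send them.
SAMPLE_ROUTES = ["0.0.0.0/0", "10.0.0.0/8", "192.168.1.0/24", "172.31.0.0/16",
                 "1.1.5.0/24", "198.51.100.0/24", "198.51.100.7/32"]


def filter_report(config: str = SAMPLE_CONFIG, routes=SAMPLE_ROUTES) -> Dict[str, Dict[str, str]]:
    """Verdict of every prefix list in `config` for every route in `routes`."""
    lists = parse_prefix_lists(config)
    return {name: {r: evaluate(entries, r) for r in routes} for name, entries in lists.items()}


if __name__ == "__main__":
    for name, verdicts in filter_report().items():
        print(name)
        for route, verdict in verdicts.items():
            print(f"  {route:>18}  {verdict}")
```

Running it shows NoTrash admitting the default route and 198.51.100.0/24 while dropping the RFC1918 prefixes and the more-specific 1.1.5.0/24; Everything admits all seven routes; HostRoutes admits only the /32 and rejects 0.0.0.0/0, since `ge 32 le 32` selects by mask length and not by the default route; and DefaultOnly admits nothing but 0.0.0.0/0.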

royalblues Wed, 02/14/2007 - 07:40

Thanks Martin.

Actually, I have used the following configuration on my router. Hope the config accepts only the default even if other prefixes are sent.

router bgp xxxxx
 neighbor x.x.x.x remote-as yyyy
 neighbor x.x.x.x route-map acceptroutes in
!
route-map acceptroutes permit 10
 match ip address 3
!
access-list 3 permit 0.0.0.0

Narayan

mheusinger Wed, 02/14/2007 - 07:45

Narayan,

your config will achieve exactly this, though I personally prefer the prefix-list. You never know what you will need a route-map for in the future ;-)

Besides, the prefix-list is easier to read (no scrolling through multiple config sections to find all the "ingredients").

Regards, Martin

Danilo Dy Fri, 02/16/2007 - 03:40

Precaution? Remember not to propagate Private BGP AS number to internet.

One of the uses of this type of configuration is for customers who subscribe to two uplink connections to the same ISP with two subnets, using BGP load sharing for incoming traffic (plus link redundancy). Between the provider and the customer, they use a private BGP AS.

For the ISP not to propagate the private BGP AS to the internet, the ISP should remove the private BGP AS number in its BGP configuration. See the sample at http://www.cisco.com/warp/public/459/36.html
