Private AS peering with Public One

Mohamed Sobair · ‎02-13-2007

Hi All,

Any precaution should be taken on Bgp when peering between two ASs (One of them is private & the othe is Public.

Thanks for your feedback,

mheusinger · ‎02-14-2007

Hello,

You should apply the proper inbound and outbound filters to be sure an ISP mistake will not get you in trouble. I am assuming your IP addresses to be announced are from network 1.1.0.0/16. An example configuration would look like this:

interface Ethernet0/1

description to ISP

ip address 1.4.5.2 255.255.255.252

router bgp 65000

network 1.1.0.0 mask 255.255.0.0

neighbor 1.4.5.1 remote-as 1

neighbor 1.4.5.1 prefix-list NoTrash in

neighbor 1.4.5.1 filter-list 1 out

no auto-summary

ip as-path access-list 1 permit ^$

ip prefix-list NoTrash deny 192.168.0.0/16 le 32

ip prefix-list NoTrash deny 172.16.0.0/12 le 32

ip prefix-list NoTrash deny 10.0.0.0/8 le 32

ip prefix-list NoTrash deny 1.1.0.0/16 le 32

ip prefix-list NoTrash permit 0.0.0.0/0 le 32

ip route 1.1.0.0 255.255.0.0 Null 0 250

This would announce only the official IP addresses to the ISP. Also all RFC1918 routes are blocked. You could extend this and use the BOGON list for filtering, but this would require more maintainance, because you have to adjust the filters from time to time. For a customer it should be sufficient to block all routes you potentially have internally.

This is just in case the ISP messes up his filters. Outgoing filterlist 1 is not really needed in such an environment, but with two ISPs to prevent the customer from becoming transit AS. You can omit this, if only one ISP is present.

Hope this helps! Please rate all posts.

Regards, Martin

royalblues · ‎02-14-2007

Martin,

Can we not achieve the same with only one prefix entry ip prefix-list NoTrash permit 0.0.0.0/0 le 32 .

All others would be denied implicitly

Narayan

mheusinger · ‎02-14-2007

Hi Narayan,

ip prefix-list NoTrash permit 0.0.0.0/0 le 32

means "everything", i.e any route with a mask between /0 and /32.

This is like access-list 100 permit ip any any

As there will always be a match, nothing would be implicitly denied.

Hope this helps! Please use the rating system.

Regards, Martin

royalblues · ‎02-14-2007

Sorry martin,

I didn't read the le parameter.

What i wanted to ask was tf we use only the 0.0.0.0/0 ge 32 le 32 as a prefix entry, it should allow only the default route and not anything else and hence need not require to deny the RFC 1918 address

Narayan

mheusinger · ‎02-14-2007

Ok,

but this will only work, if the SP sends the default route, which can of course be negotiated. In this case the following prefix list would be simpler yet do the same:

ip prefix-list NoTrash permit 0.0.0.0/0

This will only allow the default route.

Hope this helps!

Regards, Martin

royalblues · ‎02-14-2007

Thanks martin..

Actually i have used the following configuration on my router. Hope the config accepts only the default even if other prefixes are sent

router bgp xxxxx

neighbor x.x.x.x remote-as yyyy

neighbor x.x.x.x route-map acceptroutes in

route-map acceptroutes permit 10

match ip address 3

access-list 3 permit 0.0.0.0

Narayan

mheusinger · ‎02-14-2007

Narayan,

your config will achieve exactly this, though I personally prefer the prefix-list. You never know for what you need a route-map in future ;-)

Besides the prefix-list is more easy to read (no multiple config scrolling to find all "ingredients")

Regards, Martin

Danilo Dy · ‎02-16-2007

Precaution? Remember not to propagate Private BGP AS number to internet.

One of the use of this type of configuration is provided to customers who subscribed to two uplinks connection to the same ISP with two subnets using BGP load sharing for incoming traffic (plus link redundancy). Between the provider and the customer, they use Private BGP AS.

For the ISP not to propagate the Private BGP AS to internet, the ISP should remove Private BGP AS number on its BGP configuration. See sample http://www.cisco.com/warp/public/459/36.html