BGP Private and Public AS Range

This topic is to discuss the following lesson:


Excellent! Thank you Rene!

“Removing the private AS numbers is a bit similar to NAT where we hide private IP addresses behind one or more public IP addresses”
Accepted.
But how are we going to do the mapping from private AS to public AS and back when the private AS number is not advertised by AS2 to AS3?

Hi Nikhil,

We don’t. The only thing we do is remove the private AS number and then advertise the prefix(es). Take a look here:

BGP Remove Private AS

There’s no need to create a mapping between the private/public AS number.

Rene

Hey Rene,

In your last diagram in this lesson, suppose we have many private ASes behind R2 that need to go to the Internet. In this case, how will R2 handle those sessions? We all know that in a similar situation in the IPv4 world we have PAT, which maps the private IPs to one public IP using unique port numbers. How does R2 handle this situation? I would appreciate it if you could shed some light on this.

Best,

Sahil

Hi Sahil,

You can see it in this example:

BGP Remove Private AS

R2 will have the private AS paths in its own BGP table so it knows what to do.

Rene

Hi guys,

With regards to BGP Confederations and Private AS, if we go back to the Confederations example:

In this case would Sub-ASes be Private ASes e.g. 64512, 54513

Essentially nested inside the Public AS 2 ?

Hello Joseph

Yes, typical best practice is to use a public AS for the confederation ID, which in this case is AS2, and the sub ASs would use private AS numbers. This is possible because sub ASs are only visible within the confederation itself. In the above topology, R1 has no information at all about what resides within AS2, whether it is simply an iBGP topology, or if it contains sub ASs.

Technically speaking, you could use public ASs as sub ASs, but that would be a waste.

I hope this has been helpful!

Laz

Hi Rene,
I know we need to create iBGP in the same AS and eBGP between different AS. However, I have some questions.
How do we define the different ASes? Does one company have one AS regardless of its branches and locations? What if one company has two branches (Site A and Site B, where Site A is the headquarters)? Does each site have its own AS (two different ASes in this case)? Or are they considered to be in the same AS even if they are in different locations? If I connect the two sites via BGP, will it be eBGP or iBGP?
Thank you
Bruce

Hello Bruce

ISPs of all levels that administrate infrastructure that supports the Internet are assigned specific AS numbers, and they use them as they see fit within their network. Generally speaking, Autonomous Systems within ISPs are clustered together geographically, to a certain extent. You will have a network segmented into various different sections each with its own AS, and they’re interconnected using eBGP. Something like this, but to a much bigger scale:


But geography is not the only thing that affects the way these network sections are clustered. Network traffic patterns, interconnections with other ISPs, and interconnections with customers also play a role.

Now for a private enterprise, where private AS numbers are used, how you distribute your network depends on what you want to do. Typically, in all but the largest private networks, an enterprise will employ a private BGP AS at the connection to the Internet, where an AS is defined, and an eBGP connection is established with the ISP. If you have more than one branch, typically, you would have a different AS number at each branch, but you would still connect to the ISP, so you wouldn’t have direct interaction between the BGP Autonomous Systems.

The accompanying technology used often defines how BGP will be used. For example, MPLS uses MultiProtocol BGP configurations to function. Similarly, you can use BGP with DMVPN in either an iBGP or eBGP arrangement, where each one has its pros and cons.

The specific lesson was created to show how BGP behaves in various situations. As such, it’s rare that you would configure a BGP setup similar to the one in the lesson.

So you see, you can configure all branches to have the same AS, or different AS’es, depending on what you want to do and what accompanying protocols and features are being used.

First of all, if you want to use BGP between the sites, they must be directly connected somehow. But there is usually some infrastructure like MPLS or DMVPN between them. But if they were to be directly connected, then if they use the same AS, by definition, iBGP would be used. If you used a different AS, by definition again, eBGP would be used.

I hope this has been helpful!

Laz


Public ASes are ASes where their hosts, for example, are all available to the Internet, right? Is there any other application of public ASes? What are the most common use cases?

Hello Konstantinos

Public ASes are those that are used on the Internet. In other words, BGP on the Internet will be able to reach an AS that is in the public range of AS numbers. You could choose to use a public AS internally on your network, but that would only cause problems with routing.

It’s similar to the public and private IPv4 address ranges. Only public IPv4 addresses can be routed on the internet. Any attempt to route private IPv4 addresses will simply have those packets dropped. Similarly, any attempt to route to private ASNs will have such packets dropped.

Beyond providing public routing capabilities using BGP, there is no other application for public ASNs.

I hope this has been helpful!

Laz

Hello!

I would just like to quickly confirm that I have understood everything correctly.

So an organization could request a private ASN from its ISP if it wants to use BGP without having to consult things with the RIRs, do registration, pay fees, etc. correct?

But that could only be used if the enterprise is only connected to one ISP, correct? Would this be possible to be used with multiple ISPs?

There’s two more things that I would like to know. If an enterprise is behind an ISP and is using a private ASN, this means that they haven’t registered a provider-independent public IP block and a public ASN from the RIRs. So why exactly would they even want to use BGP in the first place if they have nothing to advertise?

And to finish this up, can AS Path Prepending be used to influence inbound traffic in a situation like this?

Thank you in advance!

Kind regards,
David

Hello David

Yes that is correct. Although theoretically you can choose the private ASN you use, it is best to coordinate with your ISP as they may have specific private ASNs that they would like to use for your network.

If an enterprise is multi-homed (connected to multiple ISPs), it would need to obtain a public ASN from an RIR. This is necessary to ensure unique routing policies and global reachability via multiple providers. This process would involve registration and fees. However, if you had multiple connections to a single ISP, you could still use a private ASN. Again, coordination with the ISP is vital.

BGP is indeed useful even in single-homed scenarios. Though it’s commonly associated with multi-homing, BGP can offer benefits even with a single ISP. As you noted, it allows for path manipulation and more advanced traffic engineering, and it also provides a way to monitor the availability and performance of the BGP session with your ISP.

Yes, it can. To learn more about how to influence inbound traffic, take a look at this NetworkLessons note on BGP Influencing incoming traffic.

I hope this has been helpful!

Laz

Hello Laz!

I appreciate your help here, it all makes sense now. There’s just one more thing that I would like to know about these private ASNs.

If an enterprise is behind an ISP and is using a private ASN, this means that they haven’t registered a provider-independent public IP block and a public ASN from the RIRs. So why exactly would they even want to use BGP in the first place if they have nothing to advertise? This would mean that they can’t do any path manipulation and traffic engineering at all.

David

Hello David

That’s an excellent question. First of all, let me just mention that it is possible for an enterprise to have purchased public IP addresses and to advertise those addresses using BGP, while at the same time maintaining a private AS at the edge of the network. This would have to be done in close coordination with the ISP. Specifically:

  1. The enterprise leases a block of public IP addresses from the ISP.
  2. The ISP assigns a private ASN to the enterprise.
  3. The enterprise uses BGP to advertise these IP addresses to the ISP using a BGP session with the ISP’s router.
  4. On the ISP’s side, the BGP session would be established with the enterprise’s private ASN. The ISP will then “strip” this private ASN when advertising the routes to the public Internet, replacing the private AS number with its own public ASN. Thus the ISP becomes the destination AS for the enterprise’s public IPs.

This setup allows the enterprise to manage its public IP space and control how traffic flows to and from its network while allowing the ISP to take care of the BGP peering on the public internet.

However, in this setup, the enterprise won’t be able to perform certain BGP functions, such as multi-homing with different ISPs, without coordination from its ISP. This is because it does not own the public ASN and cannot directly control how routes are advertised to the rest of the internet.

Now on to your specific question. What is the benefit of using a private ASN and private IP addresses if you have no public addresses to advertise? Well, there are still some advantages and these are listed below:

  1. Even with a private ASN, an enterprise can still achieve multi-homing to multiple ISPs for redundancy and failover. BGP can be used to manage the failover process for outgoing traffic.
  2. BGP may be used internally by the enterprise for implementations of MPLS VPNs, or traffic engineering, and in such cases, BGP and private ASNs are still necessary.
  3. Complex network topologies often require BGP even if you’re not advertising to the Internet at large. This may be needed for extensively large networks, or in order to manage IP address spaces more efficiently.

So there are reasons to employ BGP and private ASNs even if you’re not advertising public addresses that you may own.

I hope this has been helpful!

Laz
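The two answers above (Rene’s point that no private-to-public mapping table exists, only removal of the private ASN from the AS_PATH, and Laz’s four steps where the ISP strips the customer’s private ASN before re-advertising the prefixes) can be made concrete with a small model. The following Python is an added example written for this thread; it is not code from the lesson or from any vendor. It assumes the RFC 6996 private ranges (64512–65534 and 4200000000–4294967294), and the three stripping modes it models (strip only all-private paths, strip every private ASN, replace private ASNs with the local AS) are an illustration of the knobs commonly documented for this feature, not a reproduction of any specific platform’s exact semantics. It also includes the check a receiving AS would run to catch private ASNs that an upstream forgot to strip.

```python
"""Model of private-ASN handling at a BGP border (added example, not from the lesson).

RFC 6996 reserves 64512-65534 (16-bit) and 4200000000-4294967294 (32-bit)
for private use. The stripping modes below are a model of the behaviour
commonly described for "remove private AS" style features; exact vendor
semantics differ, so treat the modes as an illustration of the concept.
"""
from typing import List, Tuple

# Python ranges exclude the upper bound, so these cover the inclusive RFC ranges.
PRIVATE_16BIT = range(64512, 65535)             # 64512 .. 65534
PRIVATE_32BIT = range(4200000000, 4294967295)   # 4200000000 .. 4294967294


def is_private_asn(asn: int) -> bool:
    """True if asn falls in either RFC 6996 private range."""
    return asn in PRIVATE_16BIT or asn in PRIVATE_32BIT


def remove_private_as(as_path: List[int], local_as: int, mode: str = "classic") -> List[int]:
    """Return the AS_PATH a border router would send to its eBGP peer.

    mode="classic": strip private ASNs only when the whole path is private;
                    a path mixing private and public ASNs is left untouched.
    mode="all":     strip every private ASN wherever it sits in the path.
    mode="replace": substitute local_as for each private ASN, which keeps
                    the path length (and so downstream best-path choices) stable.
    Prepending the local AS is done by advertise(), as the normal eBGP update
    process would, not here.
    """
    if mode == "classic":
        if as_path and all(is_private_asn(a) for a in as_path):
            return []
        return list(as_path)
    if mode == "all":
        return [a for a in as_path if not is_private_asn(a)]
    if mode == "replace":
        return [local_as if is_private_asn(a) else a for a in as_path]
    raise ValueError(f"unknown mode: {mode}")


def advertise(as_path: List[int], local_as: int, mode: str = "classic") -> List[int]:
    """Full eBGP update path: apply the stripping policy, then prepend the local AS."""
    return [local_as] + remove_private_as(as_path, local_as, mode)


def find_private_leaks(rib: List[Tuple[str, List[int]]]) -> List[Tuple[str, List[int]]]:
    """Receiving-side check: prefixes whose AS_PATH still carries a private ASN.

    Run against what a peer actually sent you; any hit means the upstream
    did not strip its private sub-ASes before advertising to you.
    """
    return [(prefix, path) for prefix, path in rib if any(is_private_asn(a) for a in path)]


# Constructed sample (documentation prefixes): what AS2's border router R2
# holds before it advertises to AS3. No real routing data.
RIB_AT_R2: List[Tuple[str, List[int]]] = [
    ("192.0.2.0/24",     [64512]),          # customer behind a single private AS
    ("198.51.100.0/24",  [64513, 64514]),   # two nested private ASes
    ("203.0.113.0/24",   [64512, 1]),       # private AS in front of public AS1
    ("192.0.2.128/25",   [4200000001]),     # 32-bit private ASN
]

if __name__ == "__main__":
    for prefix, path in RIB_AT_R2:
        print(prefix, "received", path,
              "| classic:", advertise(path, 2),
              "| all:", advertise(path, 2, "all"),
              "| replace:", advertise(path, 2, "replace"))
    print("private ASNs AS3 would see if R2 did not strip them:",
          find_private_leaks(RIB_AT_R2))
```

Note that in the "classic" mode the mixed path `[64512, 1]` goes out unchanged, so the private ASN leaks to AS3; that is exactly the case the receiving-side `find_private_leaks` check is there to surface, and the reason the "all" or "replace" behaviour is usually what an ISP wants at the edge described in the steps above.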

Hi, so can we say that a private AS is for a customer site LAN and a public AS is for an ISP? Or could it be different? And is the request the same for a customer site and an ISP? Thank you for your reply.

Hello Edgar

Yes you are correct. Strictly speaking, a private AS can be used anywhere except on the Internet. If you have a large enterprise network that uses BGP as its underlying routing protocol, you would typically use private ASes to create a BGP hierarchy for this purpose. Now where your private network meets your public network, that’s where the removal of the AS numbers occurs, as indicated in the lesson.

I hope this has been helpful!

Laz