BGP Remove Private AS

This topic is to discuss the following lesson:

https://networklessons.com/bgp/bgp-remove-private-as/

hi Rene,

couple of doubts on this concept :

You said :
"Removing the private AS number(s) will only work if there are no public AS numbers in the AS path. "
but we have “2” which is public AS in the path right ? so why did privateAS 64512 got removed after applying the remove-priv-as command.

   Network          Next Hop            Metric LocPrf Weight Path
*&gt; 1.1.1.1/32       192.168.23.2                           0 <strong>2 64512</strong> i
  1. should ping work from R3 to 1.1.1.1 using config you gave ?

Thanks

Hi Abhishek,

It’s about the updates that R2 receives from R1, in this AS path you shouldn’t see any public AS numbers.

If you do have any public AS numbers there then the router won’t remove them unless you use the remove-private-as all command.

The ping will not work unless you advertise network 192.168.23.0/24 on R2 or R3 so that R1 can learn it. Otherwise, R1 doesn’t know how to reach 192.168.23.3.

Rene

Hello Rene,
Great lesson however, I have a question if R3 learns about 1.1.1.1 from R1 then why do we need to remove private AS# command at R2. Please clarify.

Thanks
Hamood

Hello Hamood

R3 learns about 1.1.1.1 from R2. This can be seen in the output from the show ip bgp command executed on R3. The next hop IP is 192.168.23.2 which is that of R2. Also, when BGP neighbour relationships are configured, R3 and R2 are configured to be neighbours.

So the remove private-as command that’s implemented at R2 will have the result of removing the private AS’s from BGP updates from R2 to R3.

As a general rule, the remove private-as command is implemented on the router that is in a public AS but is directly connected to a router in a private AS. This way, private AS’s will not be propagated to the Internet.

I hope this has been helpful!

Laz

why we remove the private as ? it create any problem ?

Hi Shiva,

Imagine an ISP that is connected to the Internet that has some customers that use private AS numbers. We don’t want to advertise those private AS numbers to other ASes on the Internet, which is why we should remove them.

Rene

Hi,

What below point means?

If the AS path contains the AS number of the eBGP neighbor then it won’t be removed.

In example given, all are EBGP neighbors only. So For eg : if R2 gets a route with AS path as 64512,65000 , it will not remove private AS?

Regards,
Siji Babu

Hello Siji

Yes, that is correct. This is done so that connectivity will not be lost between a directly connected private and public AS. In the same example, if R3 has an AS path of 2, 64512, 65000, the private AS would be removed since that AS is not of an eBGP neighbor because R3 and R1 are not eBGP neighbors.

I hope this has been helpful!

Laz.

Hi Rene,

As you mentioned:
“Cisco IOS routers support the remove-private-as command to achieve this”

I though that the cisco routers will automatically remove the private AS from the AS Path attribute as mentioned in the Private-AS lesson.

was it wrong and it only remove the private as path by using that command “remove-private-as”?

Hello Nitay

According to Cisco’s command reference, the remove-private-as command is deactivated by default. But, what does happen if you try to route private BGP AS’es over the Internet is that the Internet routers receiving the information will remove any AS’es within the private range and will not route traffic, just like private IP addresses are never routed over the Internet.

I hope this has been helpful!

Laz

1 Like

Hii.

i am confused with this statement.“If the AS path contains the AS number of the eBGP neighbor then it won’t be removed”
In your example we are applying "remove ptrivate-as all command on R2 which is in Public AS.and we are applying on Outbound towards R3. eventhough 64512 is neighbour AS to R2 it is removing Private AS and advertising to R3.

Please explain.

Regards,
Chandra

Hello Chandra

You are right, this is indeed confusing. I saw your concern, and it took me a while to understand why this is the case. Notice that the command to remove the private AS is the following:

R2(config-router)#neighbor 192.168.23.3 remove-private-as all

The restriction states that “If the AS path contains the AS number of the eBGP neighbor then it won’t be removed.” The question here is which eBGP neighbor?

Of course we say that AS 64512 is the AS of R1 which is a neighbor of R2, so why was it removed? However, the neighbor we are talking about is not R1 but R3. In the above command, the remove-private-as parameter was applied to 192.168.23.3 which is R3. So the condition is that the AS that must be removed (64512) must not be the AS of the neighbor (R3). In other words, the neighor on which this command is applied should not have a private AS.

In newer versions of IOS such as release 15SY, this is no longer a restriction as you can see from page two of the following Cisco documentation:

I hope this has been helpful!

Laz

Hiii

That means… the command we applied on R2 towards R3… so R2 should be Public AS which is mandatory & R3 should be either Public AS or Private AS.

My Example.
R1(AS 65530)->R2(AS 65531)->R3(AS 2) -> R4 (AS 65533) -> R5(AS 4)-> R6(AS5)

Subnet 6.6.6.0
I Applied R3(config-router)#neighbor 191.168.1.2 remove-private-as all replace-as" towards R4 which is in Private AS 65533.
I Got output on R6 as below"
Network Next Hop Metric LocPrf Weight Path
*> 6.6.6.0/24 190.168.1.1 0 4 65533 2 2 2 i
R6#

Above example states that. we have to apply “Remove-private as” command on Public AS only and forwarding AS may be Public or Private AS.

Please correct me if i am wrong.

Hello Chandrasekhar

The truth is I wasn’t clear in my explanation, and actually, I think I mislead you, and I apologize for that. Let’s look at your topology again:

R1(AS 65530)->R2(AS 65531)->R3(AS 2) -> R4 (AS 65533) -> R5(AS 4)-> R6(AS5)

and the command you issued on R3:

R3(config-router)#neighbor 191.168.1.2 remove-private-as all replace-as

The restriction as stated by Cisco is the following:

If the AS path contained the AS number of the eBGP neighbor, the private AS numbers would not be removed.

Applied to your topology, the restriction states that if the AS of R4 is contained within the AS path being advertised by R3, then the private AS numbers are not to be removed. So if 65533 exists in the AS path being advertised by R3 (which is 65530 65531 2), then the private AS’es will not be removed. But it does not exist in the AS path, so the private AS’es are removed (specifically 65530 and 65531 are removed) and the result is 0 4 65533 2 2 2 i. Note that the private AS 65533 is added by R4, so it is not subject to the command that was applied in R3.

So in your example, the restriction isn’t being triggered.

Still if it was, this restriction is no longer there in newer IOS versions as stated in the previous post.

I hope this has been helpful!

Laz

Hii

Thanks. i understood.

1 Like

Hi Rene,

You explained well but having one doubt, Actually in the post you mentioned a line i.e
‘‘the disadvantage is that if you ever plan to connect to another ISP, you should switch to a public AS number.’’ please explore it .

Hello Pradyumna

An ISP may use private ASNs for your edge network. These ASNs are managed and organized by the ISP itself. If you plan to change your ISP to another provider, you can no longer use that private ASN, because, even if the new ISP uses private ASNs, it is unlikely that it will be the same. This means that you will have to reconfigure all of your edge network equipment using the new ASN.

For this reason, if you are planning to change your provider, it is a good idea to use a public ASN so that the switch can take place smoothly, without the need for changing your ASN configuration.

I hope this has been helpful!

Laz

R3#show ip bgp
BGP table version is 12, local router ID is 192.168.23.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       192.168.23.2                           0 2 2 1 2 11 2 111 i

Can you explain the usefulness to configure the remove-private-as all replace-as to replace private AS with the same public AS?

Does This replacement create issues with split-horizon BGP Rule?

Hello Giovanni

In the example in the lesson, the remove-private-as all replace-as keywords have replaced all of the instances of a private AS with an AS of 2. Because many AS’es were prepended to the path the AS-path prepend feature, the result is a long list of AS’es in the path where 2 appears multiple times. The purpose of the lesson was to demonstrate the feature. It is not best practice to have such long paths with AS’es appearing multiple times.

The primary purpose of the remove-private-as all replace-as option is to remove private (non-unique) AS’es as well as to keep the AS path length unchanged. Remember that BGP’s metric is path length, and it is important to maintain a real path length in your advertisements, even if part of that path traverses a private AS.

The BGP split-horizon rule prevents an iBGP peer from redistributing routing information to other internal (to the AS) peers. The AS path attribute is not involved in that mechanism, as it is an attribute that is modified only when advertisements are sent to eBGP peers. The remove private AS feature is only used between eBGP neighbours.

I hope this has been helpful!

Laz