MPLS Layer 3 VPN BGP AS Override

This topic is to discuss the following lesson:

Hi Rene,

So I’ve learned so far that BGP Allow_AS_IN and BPG Override achieve a similar outcome when confronted with using same ASes for MPLS VPN customer sites that use eBGP for the last mile, but from different end points: CE vs PE. So my question is, is there an advantage/disadvantage using one over another? Or in what context would one method be preferred over another?



This is a good question, and there is a lot going on behind the scene to answer it. As you know, AllowAS-In and AS-Override are both essentially tricks that can be used to deal with what would normally be considered a BGP looped route (since the ASN number will appear in the AS Path).

The important consideration is whether the BGP “loop” route will actually be filtered on the PE side or the CE side. AllowAS-In assumes the filtering is being done on the CE side, but in reality, most PEs would have already filtered the route before it got to the CE.

For example, in IOS-XR, the default behavior in this situation is different than the regular IOS. With IOS-XR, the PE would do the filtering because it is more efficient to do this. The logic is that the PE router knows what the CE’s ASN is, so why bother sending it a BGP router that it “knows” the CE will filter anyway?

For this reason, it is probably best to have the PE control this situation, and therefore, use AS-Override instead of AllowAS-In.

Hi Andrew,

Awesome response & much appreciated! It’s clear now, thank you.



Hi Rene,
Thanks for your nice article !
Is AS Override only support on MPLS environment ??


Hi Zaman,

It is a BGP feature so it’s not only for MPLS. MPLS VPN however is one of those situations where this can be useful.


Hi Rene,
Got your point . Many Thanks


Hi Rene,

Thanks for the Great explanation. I was wondering how does MPLS work & configured between different autonomous systems. Like when there are more than 2 Service providers involved. I checked in google but couldn’t find any article in simple terms… Could you please help ?

Thank you

Hello Kapil

Rene doesn’t yet have a lesson on MPLS connectivity via dual ISPs, however, take a look at Cisco’s latest design guide concerning such a scenario.

(see pg 21)

If you would like Rene to take a more detailed look at the specific scenario in a future lesson, feel free to make a suggestion at the Lesson Ideas page of the Network Lessons forum:

Here you can suggest additional topics to be covered in the future.

I hope this has been helpful!


Doesn’t using the Allow_AS_IN option set yourself up for a routing loop? What if CE2 received an update that included its own AS# and that update actually originated on that router? It just seems like the safest option would be to configure as-override on the PE router. Am I missing something?

Hello Andy

Take a look at @andrew’s response to a similar question below:

If you have further questions, don’t hesitate to ask!

I hope this has been helpful!


Thanks Lazaros. Makes sense now.

Just being picky :smile: , I believe that “If you take a closer look, you can see that AS number 1 has been replaced with AS number 234.” should be replaced with “If you take a closer look, you can see that AS number 12 has been replaced with AS number 234.” Also the picture and interfaces from Configurations files are not the same (in this lesson and also the previous one).

A question would be why the PE routers are not configured as BGP neighbors with P router? I guess the MPLS VPN does the trick (haven’t read the MPLS lessons yet).

You make great lessons and comments! Thank you all,

Hi Stefanita,

Thanks for letting me know about this error, I just fixed it.

About your question, it’s indeed MPLS VPN that does the trick. The P routers only do label switching, they only need to know how to reach the PE routers. The PE routers require iBGP to exchange VPN routes. If you haven’t seen it before, take a look at this explanation:

That should help :slight_smile:


1 Like

I´ve used as-override in vpnv4 links, but now i am trying to apply it to ipv4 link and is not workng… are you sure it can be used whether the link is vpnv4 or ipv4 ?

Hello Juan

When you say that it is not working, is the CLI not accepting the command or are the routers just not exchanging the expected prefixes?


As-override apply if I have another customer site CE3 with the AS number 12 in the same vrf connected to PE1 ? I mean, Will I have connectivity without AS -override between CE1 and CE3 even if they area connected to the same PE1 router?

Hello Rodrigo

If you have another customer site C3 connected to PE1 on the same VRF, you would still have the same problem because CE3 would still see its own AS in the AS path since the communication takes place from CE1 to PE1 to CE3, which means the AS path is 12 234 12, causing the loop mechanism to kick in.

I hope this has been helpful!


Hi Laz ,
if we are talking about as-path override allowed-as in concept for the same topology , should I use both or can use only one ?
Either configure allowed-as in @CE side or can ok with configuration with as-path override @PE side.
which one is better & scalable ?

Thank you!


Hello Tanmoy

Let’s look at how each one functions. Both of these features are used in order to deal with BGP’s loop prevention mechanism which states “do not accept a prefix over eBGP that contains your AS in its path”.

Allow-AS in will cause the CE router to “make an exception” to the loop preventing rule and accept the prefix, even though its own AS is in the path. This is configured on CE routers.

AS override will bypass the loop prevention mechanism by changing the AS so that no loop condition will ever occur in the first place. This is configured on P routers.

Although you can, there’s no need to configure both, because if you do, AS override will change the AS anyway, so you will never have a case where Allow-AS would be triggered.

To be honest, even though the mechanism of each is different, there is very little difference to the end result. Personally, I think that which you will use depends primarily on your network topology. If you have more CE routers than P routers, then choose AS override. It’s just a matter of administrative overhead. Both are equally scalable.

I hope this has been helpful! Stay healthy and safe!