Hide the Remote AS using the neighbor local-as Command
Overview
In a network, an Autonomous System (AS) defines a set of IP routing prefixes that are under a common administrative policy control. These routing policies are used by other connected routers on the Internet. When an AS is configured in Border Gateway Protocol (BGP), it is used to share routing information with connected peers. The neighbor local-as CLI command configures the AS number to be used with External Border Gateway Protocol (EBGP) peers. By default, the configured AS number is included in the AS-PATH that is exchanged between the peers.
When a BGP router in one network connects to a router in another network, it automatically shares routing information with its other connected external peers, and the AS-PATH carries the AS numbers of both the local and the remote router. For example, if router ISP1-R accesses services from another router, ISP2-R, then when the services are merged ISP1-R shares routing information whose AS-PATH carries both the local and the remote AS numbers. This allows the external peers to learn the AS numbers of remote routers that are not connected to them (in this case, the AS number of ISP2-R). Disclosing the AS number of remote routers to external peers is not desirable.
To avoid advertising the remote peer's AS number, OcNOS provides options in the neighbor local-as CLI to not include the remote AS number (no-prepend) and to replace it with an alternate AS number (replace-as). Configuring an alternate AS on the BGP neighbor hides the AS number of the remote router that actually shares the services. Thus, the AS number of the BGP router that actually provides the services is unknown to the external peer.
Hence, the existing neighbor local-as CLI command has been modified in this release.
Feature Characteristics
The neighbor local-as CLI is enhanced to hide and replace the AS number of remote routers that are not connected to the external peer. Two new options, ‘no-prepend’ and ‘replace-as’, have been added. These options replace the AS number with an alternate AS number in the AS_PATH and in the BGP OPEN message. Hence, the AS of the remote router is unknown to the respective neighbor peer.
Benefits
The actual Autonomous System number is never shared with the external network.
Configuration
The following configuration assumes that routers R1 and R2 are assigned AS 300 and AS 100 respectively.
Topology
Disparate Autonomous System Number
R1
Perform the following configuration on R1 router.
#configure terminal
Enter configure mode.
R1(config)#router bgp 300
Start the BGP process with the Autonomous System number 300
R1(config-router)#neighbor 10.10.10.2 remote-as 200
Establish BGP session with neighbor that has AS number 200
R1(config-router)#address-family ipv4 unicast
Enter address-family ipv4 unicast mode
R1(config-router-af)#neighbor 10.10.10.2 activate
Enable the neighbor 10.10.10.2 router to exchange address family routes
R1(config-router-af)#redistribute connected
Redistribute information from connected routes
R1(config-router-af)#exit-address-family
Exit address-family IPv4 unicast mode
R1(config-router)#commit
Commit the configurations
 
R2
Perform the following configuration on R2 router.
#configure terminal
Enter configure mode
R2(config)#router bgp 100
Start the BGP process with the Autonomous System number 100
R2(config-router)#neighbor 10.10.10.1 remote-as 300
Establish BGP session with neighbor 10.10.10.1 that has AS number 300
R2(config-router)#neighbor 10.10.10.1 local-as 200 no-prepend replace-as
Use AS number 200 in place of the local AS number 100 with the neighbor 10.10.10.1, without prepending the real AS
R2(config-router)#address-family ipv4 unicast
Enter address-family ipv4 unicast mode
R2(config-router-af)#neighbor 10.10.10.1 activate
Enable the neighbor 10.10.10.1 router to exchange address family routes
R2(config-router-af)#redistribute connected
Redistribute information from the connected routes
R2(config-router-af)#exit-address-family
Exit address-family ipv4 unicast mode
R2(config-router)#commit
Commit the configurations
Validation
Check that R1 is running with AS number 300 and has established a BGP session with the 10.10.10.2 router, which presents AS number 200.
R1
OcNOS#show running-config bgp
!
router bgp 300
neighbor 10.10.10.2 remote-as 200
!
address-family ipv4 unicast
redistribute connected
redistribute static
neighbor 10.10.10.2 activate
exit-address-family
!
 
OcNOS#
OcNOS#show ip bgp summary
BGP router identifier 10.10.10.1, local AS number 300
BGP table version is 4
2 BGP AS-PATH entries
0 BGP community entries
 
Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.2 4 200 185 181 3 0 0 00:00:28 2
 
Total number of neighbors 1
 
Total number of Established sessions 1
OcNOS#
 
OcNOS#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area, E - EVPN,
v - vrf leaked
* - candidate default
 
IP Route Table for VRF "default"
C 10.10.10.0/24 is directly connected, ce1, 1d14h18m
B 30.30.30.0/24 [20/0] via 10.10.10.2, ce1, 00:00:18
C 40.40.40.0/24 is directly connected, xe33, 1d13h40m
C 127.0.0.0/8 is directly connected, lo, 1d14h23m
Gateway of last resort is not set
 
OcNOS#
Check that the AS number 100 of R2 has been replaced with AS number 200 before the information is shared with R1.
R2
 
OcNOS#show running-config bgp
!
router bgp 100
neighbor 10.10.10.1 remote-as 300
neighbor 10.10.10.1 local-as 200
!
address-family ipv4 unicast
redistribute connected
redistribute static
neighbor 10.10.10.1 activate
exit-address-family
!
OcNOS#
OcNOS#show ip bgp summary
BGP router identifier 10.10.10.2, local AS number 100
BGP table version is 2
2 BGP AS-PATH entries
0 BGP community entries
 
Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.1 4 300 180 186 2 0 0 00:00:39 2
 
Total number of neighbors 1
 
Total number of Established sessions 1
 
Check whether the AS number for R2 is changed to 100 and R1 shares AS 100 in the AS-PATH message.
R1
 
OcNOS#
OcNOS#
OcNOS#show ip bgp
BGP table version is 4, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, a add-path, * valid, > best, i - internal,
l - labeled, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
 
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/24 0.0.0.0 0 100 32768 ?
* 10.10.10.2 0 100 0 200 100 ?
*> 30.30.30.0/24 10.10.10.2 0 100 0 200 100 ?
*> 40.40.40.0/24 0.0.0.0 0 100 32768 ?
 
Total number of prefixes 3
 
neighbor local-as
Use this command to specify an Autonomous System (AS) number to use with a BGP neighbor.
Use the no parameter with this command to remove the local-as configuration.
Command Syntax
neighbor (A.B.C.D|X:X::X:X|WORD) local-as <1-4294967295> (no-prepend|) (replace-as|)
no neighbor (A.B.C.D|X:X::X:X|WORD) local-as <1-4294967295>
no neighbor (A.B.C.D|X:X::X:X|WORD) local-as <1-4294967295> no-prepend
no neighbor (A.B.C.D|X:X::X:X|WORD) local-as <1-4294967295> replace-as
 
For BGP unnumbered mode:
neighbor WORD local-as <1-4294967295> (no-prepend|) (replace-as|)
no neighbor WORD local-as <1-4294967295>
no neighbor WORD local-as <1-4294967295> no-prepend
no neighbor WORD local-as <1-4294967295> replace-as
Parameters
A.B.C.D
Address of the BGP neighbor in IPv4 format
X:X::X:X
Address of the BGP neighbor in IPv6 format
WORD
Name of a BGP peer group created with the neighbor WORD peer-group command. When you specify this parameter, the command applies to all peers in the group.
<1-4294967295>
A neighbor’s AS number when extended capabilities are configured
no-prepend
Do not prepend local-as to update from EBGP peers
replace-as
Replace actual AS with local AS in the EBGP update
Note: The AS number 23456 is a reserved 2-byte AS number. An old BGP speaker (2-byte implementation) should be configured with 23456 as its remote AS number while peering with a non-mappable new BGP speaker (4-byte implementation).
Default
By default, local-as is disabled.
Command Mode
Router mode, Address Family-VRF mode, and BGP unnumbered mode
Applicability
This command was introduced before OcNOS version 1.3. The new version of the command with the “no-prepend” and “replace-as” options is introduced in OcNOS version 6.4.1.
Example
The following examples show sample configuration commands.
#configure terminal
(config)#router bgp 100
(config-router)#neighbor 20.1.1.3 remote-as 300
(config-router)#neighbor 20.1.1.3 local-as 200 no-prepend replace-as
 
(config)#router bgp 100
(config-router)#address-family ipv6 vrf VRF_A
(config-router-af)#neighbor 3ffe:15:15:15:15::0 remote-as 300
(config-router-af)#neighbor 3ffe:15:15:15:15::0 local-as 200
 
For an unnumbered peer, the following configuration is given in BGP unnumbered mode.
(config)#router bgp 100
(config-router)#bgp unnumbered-mode
(config-router-unnum)#neighbor eth1 local-as 300
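A small model, added here as an example and not OcNOS code, of how the no-prepend and replace-as keywords described under Parameters change the AS_PATH for the R1/R2 topology in the Configuration section. The rewrite rules follow the parameter descriptions above and conventional local-as behaviour; the class and function names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model (added example, not OcNOS code) of how the options of
# "neighbor ... local-as" rewrite the AS_PATH on an EBGP session.
# Topology from the page: R2 is really AS 100 and presents local-as 200 to R1 (AS 300).

@dataclass(frozen=True)
class LocalAsConfig:
    local_as: Optional[int] = None  # value given to "neighbor ... local-as"
    no_prepend: bool = False        # "no-prepend" keyword present
    replace_as: bool = False        # "replace-as" keyword present

def outbound_as_path(real_as: int, cfg: LocalAsConfig, path: List[int]) -> List[int]:
    """AS_PATH the EBGP peer sees for a route this router advertises.

    Without local-as the real AS is prepended. With local-as the alternate AS
    is prepended and, unless replace-as is set, the real AS follows it;
    replace-as drops the real AS so it never reaches the peer.
    """
    if cfg.local_as is None:
        return [real_as] + path
    if cfg.replace_as:
        return [cfg.local_as] + path
    return [cfg.local_as, real_as] + path

def inbound_as_path(cfg: LocalAsConfig, path: List[int]) -> List[int]:
    """AS_PATH stored locally for an update received from the EBGP peer.

    Plain local-as also prepends the alternate AS to received updates;
    no-prepend suppresses that and keeps the received path unchanged.
    """
    if cfg.local_as is None or cfg.no_prepend:
        return list(path)
    return [cfg.local_as] + path

def leaks_hidden_as(path: List[int], hidden_as: int) -> bool:
    """Audit helper: True if the AS meant to be hidden is still in the path."""
    return hidden_as in path

def r2_paths_seen_by_r1() -> dict:
    """Page topology: R2 (AS 100) originates 30.30.30.0/24 towards R1 (AS 300)."""
    plain = LocalAsConfig(200)
    hidden = LocalAsConfig(200, no_prepend=True, replace_as=True)
    return {"local-as only": outbound_as_path(100, plain, []),
            "no-prepend replace-as": outbound_as_path(100, hidden, [])}
```

The "local-as only" case yields Path 200 100, which is what R1's show ip bgp output above shows for the running-config that carries only local-as 200; the leaks_hidden_as check flags that the real AS 100 is still visible there.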
Abbreviations
Acronym    Description
ASN        Autonomous System Number
EBGP       External Border Gateway Protocol