Private range AS numbers (64512 – 65535) should not be used on the Internet since they are not unique like public AS numbers.
Sometimes, private AS numbers are used for customer networks that are behind a single ISP. The advantage of doing this is that we will save some public AS numbers, the disadvantage is that if you ever plan to connect to another ISP, you should switch to a public AS number.
When the ISP forwards prefixes that it learns from the private AS, it will remove the private AS number before it forwards the prefix to other autonomous systems.
Cisco IOS routers support the remove-private-as command to achieve this. There are some restrictions however:
- You can only use this for eBGP neighbors.
- The private AS numbers are removed from outbound updates.
- You can only have private AS numbers in the AS path, if you have a mix of public and private AS numbers then the router won’t remove anything (there’s a solution for this though that I will demonstrate).
- If the AS path contains the AS number of the eBGP neighbor then it won’t be removed.
- If there are confederations, BGP only removes private AS numbers after the confederation part in the AS path.
Let’s take a look at the configuration!
I will use the following 3 routers for this:
R1 is in a private AS while R2 and R3 use public AS numbers. We’ll advertise the loopback interface on R1 in eBGP so that R2 and R3 can learn it. Here’s the BGP configuration of these routers:
R1#show run | section bgp router bgp 64512 bgp log-neighbor-changes network 18.104.22.168 mask 255.255.255.255 neighbor 192.168.12.2 remote-as 2
R2#show run | section bgp router bgp 2 bgp log-neighbor-changes neighbor 192.168.12.1 remote-as 64512 neighbor 192.168.23.3 remote-as 3
R3#show run | section bgp router bgp 3 bgp log-neighbor-changes neighbor 192.168.23.2 remote-as 2
Let’s take a look at R2 and R3, they should have learned about 22.214.171.124/32:
R2#show ip bgp BGP table version is 2, local router ID is 192.168.23.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 126.96.36.199/32 192.168.12.1 0 0 64512 i
R3#show ip bgp BGP table version is 2, local router ID is 192.168.23.3 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 188.8.131.52/32 192.168.23.2 0 2 64512 i
In the AS path we see AS 2 and 64512, this is as expected. Now let’s configure R2 to remove the private AS number:
R2(config)#router bgp 2 R2(config-router)#neighbor 192.168.23.3 remove-private-as
We use the remove-private-as command for this. Let’s clear BGP to speed things up:
R2#clear ip bgp *
Now take a look at the BGP table of R3:
R3#show ip bgp BGP table version is 5, local router ID is 192.168.23.3 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 184.108.40.206/32 192.168.23.2 0 2 i
It’s only showing AS 2 in the AS path now, the private AS number has been removed. That’s easy enough, there are a few other things we can try however…
Removing the private AS number(s) will only work if there are no public AS numbers in the AS path. To demonstrate this I will add extra AS numbers on the update from R1:
couple of doubts on this concept :
You said :
"Removing the private AS number(s) will only work if there are no public AS numbers in the AS path. "
but we have “2” which is public AS in the path right ? so why did privateAS 64512 got removed after applying the remove-priv-as command.
It’s about the updates that R2 receives from R1, in this AS path you shouldn’t see any public AS numbers.
If you do have any public AS numbers there then the router won’t remove them unless you use the remove-private-as all command.
The ping will not work unless you advertise network 192.168.23.0/24 on R2 or R3 so that R1 can learn it. Otherwise, R1 doesn’t know how to reach 192.168.23.3.
Great lesson however, I have a question if R3 learns about 220.127.116.11 from R1 then why do we need to remove private AS# command at R2. Please clarify.
R3 learns about 18.104.22.168 from R2. This can be seen in the output from the
show ip bgpcommand executed on R3. The next hop IP is 192.168.23.2 which is that of R2. Also, when BGP neighbour relationships are configured, R3 and R2 are configured to be neighbours.
remove private-ascommand that’s implemented at R2 will have the result of removing the private AS’s from BGP updates from R2 to R3.
As a general rule, the... Continue reading in our forum
remove private-ascommand is implemented on the router that is in a public AS but is directly connected to a router in a private
why we remove the private as ? it create any problem ?