BGP Remove Private AS

Private range AS numbers (64512 – 65535 for 16-bit ASNs; RFC 6996 reserves 4200000000 – 4294967294 as the 32-bit equivalent) should not appear in AS paths on the Internet, because unlike public AS numbers they are not unique.

Sometimes, private AS numbers are used for customer networks that sit behind a single ISP. The advantage is that we save public AS numbers; the disadvantage is that if the customer ever wants to connect to a second ISP, it will have to renumber to a public AS number.

When the ISP forwards prefixes that it learned from the private AS, it strips the private AS number from the AS path before forwarding the prefix to other autonomous systems.

Cisco IOS routers support the remove-private-as command to achieve this. There are some restrictions however:

  • You can only use this for eBGP neighbors.
  • The private AS numbers are removed from outbound updates.
  • The AS path may contain only private AS numbers. If there is a mix of public and private AS numbers, the router won’t remove anything (there’s a solution for this, which I will demonstrate).
  • If the AS path contains the AS number of the eBGP neighbor then it won’t be removed.
  • If there are confederations, BGP only removes private AS numbers after the confederation part in the AS path.
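The five restrictions above are really a small algorithm, so here is an added Python model of it (example code written for this page, not Cisco’s implementation and not part of the original lesson). It treats the AS path as a list of (segment type, ASN list) pairs, applies the plain remove-private-as rules as well as the remove-private-as all variant that the forum discussion mentions, and then performs the normal eBGP step of prepending the local AS. The segment names, the mode argument, the sample paths and the way the all variant interacts with the neighbor-AS rule are this example’s own assumptions; the 32-bit private range comes from RFC 6996.

```python
"""Model of what 'neighbor <ip> remove-private-as [all]' does to the AS_PATH of an
outbound eBGP update. Added illustration for this page; not Cisco code."""

from typing import List, Optional, Tuple

# Private AS ranges from RFC 6996 (the page itself lists only the 16-bit range).
PRIVATE_AS_16 = range(64512, 65536)
PRIVATE_AS_32 = range(4200000000, 4294967295)

CONFED_SEGMENTS = {"AS_CONFED_SEQUENCE", "AS_CONFED_SET"}

# (segment type, ASNs) pairs; segment type names follow RFC 4271 / RFC 5065.
Segment = Tuple[str, List[int]]


def is_private_as(asn: int) -> bool:
    """True for any ASN in either RFC 6996 private range."""
    return asn in PRIVATE_AS_16 or asn in PRIVATE_AS_32


def strip_private_as(segments: List[Segment], neighbor_as: int,
                     mode: Optional[str]) -> List[Segment]:
    """Apply remove-private-as to a received path.

    mode: None (command not configured), "plain" (remove-private-as) or
    "all" (remove-private-as all). Only the segments after the confederation
    portion are examined (restriction 5); confederation segments pass through.
    """
    if mode is None:
        return list(segments)
    if mode not in ("plain", "all"):
        raise ValueError("mode must be None, 'plain' or 'all'")

    confed = [s for s in segments if s[0] in CONFED_SEGMENTS]
    external = [s for s in segments if s[0] not in CONFED_SEGMENTS]
    asns = [a for _, members in external for a in members]

    if mode == "plain":
        # Restriction 3: any public ASN present -> nothing is removed.
        if any(not is_private_as(a) for a in asns):
            return list(segments)
        # Restriction 4: the eBGP neighbor's own ASN in the path -> untouched.
        if neighbor_as in asns:
            return list(segments)

    # Reached for "plain" with an all-private path, or for "all" always.
    # Assumption of this model: "all" drops every private ASN without applying
    # the neighbor-AS check; the page does not state how Cisco handles that corner.
    cleaned: List[Segment] = []
    for kind, members in external:
        kept = [a for a in members if not is_private_as(a)]
        if kept:
            cleaned.append((kind, kept))
    return confed + cleaned


def outbound_as_path(received: List[Segment], local_as: int, neighbor_as: int,
                     mode: Optional[str] = None) -> List[Segment]:
    """AS_PATH as sent to an eBGP neighbor outside any confederation.

    Private-AS removal happens first, then the usual eBGP processing: the
    confederation segments are dropped and the local AS is prepended.
    """
    path = [s for s in strip_private_as(received, neighbor_as, mode)
            if s[0] not in CONFED_SEGMENTS]
    if path and path[0][0] == "AS_SEQUENCE":
        path[0] = ("AS_SEQUENCE", [local_as] + path[0][1])
    else:
        path.insert(0, ("AS_SEQUENCE", [local_as]))
    return path


def as_path_str(segments: List[Segment]) -> str:
    """Render roughly like the Path column of 'show ip bgp'."""
    parts = []
    for kind, members in segments:
        sep = "," if kind.endswith("SET") else " "
        body = sep.join(str(a) for a in members)
        if kind.endswith("SET"):
            body = "{" + body + "}"
        if kind in CONFED_SEGMENTS:
            body = "(" + body + ")"
        parts.append(body)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed inputs mirroring the page's topology: R2 (AS 2) learns
    # 1.1.1.1/32 from R1 (AS 64512) and advertises it to R3 (AS 3).
    from_r1 = [("AS_SEQUENCE", [64512])]
    print(as_path_str(outbound_as_path(from_r1, 2, 3)))           # 2 64512
    print(as_path_str(outbound_as_path(from_r1, 2, 3, "plain")))  # 2
    mixed = [("AS_SEQUENCE", [64512, 100])]                       # constructed
    print(as_path_str(outbound_as_path(mixed, 2, 3, "plain")))    # 2 64512 100
    print(as_path_str(outbound_as_path(mixed, 2, 3, "all")))      # 2 100
```

Running the script reproduces the two R3 tables from this lesson (path "2 64512" before the command, "2" after it) and shows why a path such as "64512 100" survives the plain command but not the all variant.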

Let’s take a look at the configuration!

Configuration

I will use the following 3 routers for this:

BGP Remove Private AS Topology

R1 is in a private AS while R2 and R3 use public AS numbers. We’ll advertise the loopback interface on R1 in eBGP so that R2 and R3 can learn it. Here’s the BGP configuration of these routers:

R1#show run | section bgp
router bgp 64512
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 neighbor 192.168.12.2 remote-as 2

R2#show run | section bgp
router bgp 2
 bgp log-neighbor-changes
 neighbor 192.168.12.1 remote-as 64512
 neighbor 192.168.23.3 remote-as 3

R3#show run | section bgp
router bgp 3
 bgp log-neighbor-changes
 neighbor 192.168.23.2 remote-as 2

Remove-Private-AS

Let’s take a look at R2 and R3, they should have learned about 1.1.1.1/32:

R2#show ip bgp
BGP table version is 2, local router ID is 192.168.23.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       192.168.12.1             0             0 64512 i

R3#show ip bgp
BGP table version is 2, local router ID is 192.168.23.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       192.168.23.2                           0 2 64512 i

In the AS path we see AS 2 and 64512, as expected: R3 learns the prefix from R2, which prepended its own AS in front of the private AS it received from R1. Now let’s configure R2 to remove the private AS number on the updates it sends to R3:

R2(config)#router bgp 2
R2(config-router)#neighbor 192.168.23.3 remove-private-as

We use the remove-private-as command for this, configured on the eBGP neighbor statement for R3, since it acts on outbound updates. Let’s clear BGP to speed things up. Note that this is a hard reset that tears down all BGP sessions; on a production router a soft reset (clear ip bgp * soft out) re-sends the updates without dropping the neighbors:

R2#clear ip bgp *

Now take a look at the BGP table of R3:

R3#show ip bgp
BGP table version is 5, local router ID is 192.168.23.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       192.168.23.2                           0 2 i

It’s only showing AS 2 in the AS path now; the private AS number has been removed. That’s easy enough, but there are a few other things we can try…

Remove-Private-AS All

Removing the private AS number(s) only works if there are no public AS numbers in the AS path that R2 receives. To demonstrate this I will add extra AS numbers to the update from R1:

The remainder of this lesson is available to members only. Content created by Rene Molenaar (CCIE #41726).

Forum Replies

  1. Hi Rene,

    A couple of doubts on this concept:

    You said:
    "Removing the private AS number(s) will only work if there are no public AS numbers in the AS path."
    But we have “2”, which is a public AS, in the path, right? So why did private AS 64512 get removed after applying the remove-private-as command?

       Network          Next Hop            Metric LocPrf Weight Path
    *> 1.1.1.1/32       192.168.23.2                           0 2 64512 i

    Also, should a ping work from R3 to 1.1.1.1 using the config you gave?

    Thanks

  2. Hi Abhishek,

    It’s about the updates that R2 receives from R1, in this AS path you shouldn’t see any public AS numbers.

    If you do have any public AS numbers there then the router won’t remove them unless you use the remove-private-as all command.

    The ping will not work unless you advertise network 192.168.23.0/24 on R2 or R3 so that R1 can learn it. Otherwise, R1 doesn’t know how to reach 192.168.23.3.

    Rene

  3. Hello Rene,
    Great lesson. However, I have a question: if R3 learns about 1.1.1.1 from R1, then why do we need the remove private AS command at R2? Please clarify.

    Thanks
    Hamood

  4. Hello Hamood

    R3 learns about 1.1.1.1 from R2. This can be seen in the output of the show ip bgp command executed on R3: the next hop IP is 192.168.23.2, which is that of R2. Also, when the BGP neighbor relationships are configured, R3 and R2 are configured to be neighbors.

    So the remove-private-as command that is implemented on R2 has the effect of removing the private ASes from BGP updates sent from R2 to R3.

    As a general rule, the remove private-as command is implemented on the router that is in a public AS but is directly connected to a router in a private

    ... Continue reading in our forum

  5. Hello Nitay

    According to Cisco’s command reference, the remove-private-as command is deactivated by default. But what does happen if you try to route private BGP ASes over the Internet is that the Internet routers receiving the information will remove any ASes within the private range and will not route traffic, just like private IP addresses are never routed over the Internet.

    I hope this has been helpful!

    Laz

5 more replies! Ask a question or join the discussion by visiting our Community Forum