Home / Network / VPNv4 BGP AS-Override Feature into play!

VPNv4 BGP AS-Override Feature into play!

September 17, 2017

Let’s put into play AS-Override feature in BGP: see when it applies and how it works.

First, AS-Override feature applies to sites that have the same AS number but are linked by another different domain with different AS number, as in the next figure. In our example AS number 1 has neighborship (E-BGP links) to two AS with the same number…

We recall that in BGP, loop prevention would prevent any site from learning other site routes due to the presence of the same AS number in the AS_PATH of the advertised routes. Thus any route (route information) received by CE2 that has originated in CE1 would be rejected (by CE2 BGP processing configured with ID 65001, the same) due to the presence of AS number 65001 in the AS-PATH attribute attached to this route.

Fig. 1: setup network

When AS Override is applied under the VPNv4 address-family, any site AS number occurrence in the announced AS_PATH would be replaced by the linking AS (here AS number 1) number and thus, allowing routes to be learnt at the other site.

Let us check step-by-step how this feature could help in a situation similar to the network of figure 1. Routers are Cisco 7206VXR GNS3 emulated and run C7200 ADVENTERPRISEK9-M IOS version 15.3(3)XB12.

The PE routers are in the same AS and establish a neighborship directly under the VPNv4 address-family. The PE-CE neighborships are configured under the corresponding IPv4 VRF address-families.

CE1 announces a route to RT57:57.0.0.0/24 network into BGP to PE1.

We check as in figure 2, that RT57 related updates are being dropped at CE2 due to “AS-PATH contains our own AS”.

In figure 3, we check that RT57 is learnt at PE2 from PE1 with CE1’s AS#65001 prepended.

Fig. 3: check CE1’AS prepended to RT57 at PE2

We configure next, as-override feature on PE2 neighborship to CE2. In figure 4, we can check under the corresponding neighbor statement that the feature is enabled.

Fig. 4: check AS-Override feature enabled

RT57 corresponding update is now being accepted by CE2 from PE2 as in figure 5.

Fig. 5: check RT57 accepted at CE2

We change CE1 AS number to 65002 and and configure it to open a session to PE as if it was from AS#65001 (local-AS feature).

At the same time we build an eBGP neighborship between CE1b and CE1. CE1b is in AS#65001 like in figure 6. We annouce RT75: 75.0.0.0/24 from CE1b to the rest of the network.

Fig. 6: second network setup

We check in figure 7 that all occurrences of CE1 AS, that is the same AS as CE2, numbers in RT57 are being replaced by PE2 AS number.

Fig. 7: check CE1 AS number replaced in RT57 updates at CE2

In figure 8, we change CE2 AS number to 65002.

Fig. 8: third network setup

In figure 9, we check that AS#65002 gets replaced by PE2 AS number independently of its position in the advertised AS-PATH to CE2.

Fig. 9: CE2 AS number replacement in RT updates from PE2

As a conclusion, PE2 replaces all occurrences of its peer CE2 AS number in the updates it sends by its own number and independently of their occurrence position in AS_PATH.

It is to note that this feature applies only to the VPNv4 address-family either by configuring a PE-to-PE neighborship directly under the VPNv4 address-family or on the corresponding IPv4 VRF address-family in VRF-Lite fashion.

The latter case would require PE-to-PE dedicated links to VRFs. The PE-CE neighborships are still configured in both cases under the corresponding IPv4 VRF address-families.

It could seem contradictory to see that this feature is not supported on IPv4 address-family and at the same time being supported on a VRF-Lite similar to IPv4 address-family deployment.

In figure 10, we check that this feature is not supported on test routers and installed IOS versions.

Fig. 10: AS-Override feature not supported IPv4

In this case, one could argue that this is an enhancement to the actual BGP implementation but the 4271 RFC states clearly that AS_PATH is modified based on the location of the BGP speaker and in our case by prepending its own AS number as the last element of the sequence to updates sent on an eBGP neighborship.

This feature could prevent CE router detect BGP routing loops in case sites are configured with backdoor links (iBGP as an example). Site-Of-Origin feature implementation could help tag those routes and prevent their re-announcement.

To achieve the same result, we could configure the Allow-AS feature on CE. As in the previous case, some filtering is required to prevent routing loops.

Another possibility is to use iBGP to build CE-PE links. The advantage of such configuration is that the same AS number is used transparently among all VRFs. PE-PE neighborship is built under VPNv4 address-family. However, we still need control over iBGP route-reflection and next-hop advertisements.

atlink'admin

Related Posts

Let’s find out about (static) MPLS… from the start!
October 13, 2024
An IPv6 home network is possible
October 8, 2024
Multicast: Hold ASM for a moment, let’s do SSM!… Part 4
August 27, 2024

Leave a Reply

  • Transmit Power Control in IEEE 802.11 Cisco WLAN networks
    TPC stands for Transmit Power Control. It’s a one of Cisco RRM, Radio Resources Management, techniques that are aimed at tackling interference, cross and co-channel, in Wlan networks. RRM: TPC, CHD and DCA It works tightly with CHD, Covergate Hole Detection, to optimize transmit power. TPC tends to minimize the transmit power and CHD to eliminate
  • 10 security measures against 10 attacks in a LAN network – Part I
    An Ethernet switch is the central element of a LAN network and operates at data link OSI layer. Every switch port defines a collision domain and can extend a broadcast or broadcast frame domain that is stopped by a router routed interface that operates at network OSI layer. By default switches support one broadcast domain
  • Understand how Aruba ARMizes your WLAN for sure!
    Presenting ARM In this post, that is a part of a serie of post that discuss how Wlan to radio ressources management, we talk of Aruba way of doing it. The figure shows a simple wlan network of 6 AP or access points. This is heatmap showing that radio signal is very strong (in red)
  • Understand RIP Routing Timers All in One Shot!
    This post is part of a series of posts about dynamic routing protocols and especially RIP. We’ll try to get a deep understanding of its operation and function as an introductory to dynamic routing logic in general. You’ll see that what we think easy may hide an incrementing complexity… a little introduction Berfore we start
  • DUAL route FSM Processing of EIGRP Queries
    This blog is a part of series of posts about EIGRP routing protocol. Let’s recall that EIGRP is one of the so called IGP routing protocols. IGP stands for interior routing protocols as opposed to EGP or exterior routing protocols. In addition EIGRP is a hybrid as it borrows some similiarities to distance-vector and link-state
June 2025
M T W T F S S
 1
2345678
9101112131415
16171819202122
23242526272829
30