BGP Peer Does NOT Remove Private AS Number from the AS Path List

Created On 10/02/20 16:32 PM - Last Modified 06/05/23 07:36 AM


Symptom


The BGP peer does NOT remove the private AS number from the AS path list for all prefixes.

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS.
  • BGP configured.


Cause


Topology:
 
  +-----------+                     +-----------+                     +-----------+                           +-----------+
  |           |                     |           |                     |           |                           |           |
  | PA-820    +---------------------+ PA-850-1  +---------------------+ PA-850-2  +---------------------------+ PA-850-3  |
  | BGP 65003 |                     | BGP 65001 |                     | BGP 65002 |                           | BGP 123   |
  |           |                     |           |                     |           |                           |           |
  +-----------+                     +-----------+                     +-----------+                           +-----------+


PA-820 running BGP in AS 65003
PA-850-1 running BGP in AS 65001
PA-850-2 running BGP in AS 65002
PA-850-3 running BGP in AS 123

PA-850-2 redistributes a static route 10.0.0.0/8 into BGP and advertises it to PA-850-1
PA-850-3 redistributes a static route 172.16.0.0/12 into BGP and advertises it to PA-850-2


Scenario 1: PA-850-1 has 'Remove Private AS' feature disabled

If we look at the BGP table on PA-820, we see the complete AS path for both prefixes:

admin@PA-820> show routing protocol bgp loc-rib

VIRTUAL ROUTER: default (id 1)
  ==========
  Prefix             Nexthop          Peer       Weight   LocPrf Org      MED flap AS-Path
 *10.0.0.0/8         192.168.1.1      BGP-65001       0      100 i/c        0    0 65001,65002
 *172.16.0.0/12      192.168.1.1      BGP-65001       0      100 i/c        0    0 65001,65002,123
 
Scenario 2: PA-850-1 has 'Remove Private AS' feature enabled

If we look at the BGP table on PA-820, we see that AS 65002 is stripped from the AS path for prefix 10.0.0.0/8, but for prefix 172.16.0.0/12 we still have the complete AS path list. In other words, AS 65002 was not removed from the AS path list for that prefix.

admin@PA-820> show routing protocol bgp loc-rib


VIRTUAL ROUTER: default (id 1)
  ==========
  Prefix             Nexthop          Peer       Weight   LocPrf Org      MED flap AS-Path
 *10.0.0.0/8         192.168.1.1      BGP-65001       0      100 i/c        0    0 65001
 *172.16.0.0/12      192.168.1.1      BGP-65001       0      100 i/c        0    0 65001,65002,123 <<<<

If we check the BGP routes advertised towards PA-820 from PA-850-1, we can confirm that for prefix 10.0.0.0/8 AS 65002 is removed, while for prefix 172.16.0.0/12 the AS path is not modified.

admin@PA-850-1> show routing protocol bgp rib-out


VIRTUAL ROUTER: default (id 1)
  ==========
  Prefix             Nexthop          Peer       Originator       Adv Status  Aggr Status     AS-Path
 10.0.0.0/8          192.168.1.1      BGP-PEER-65003 0.0.0.0          advertised  no aggregation  65001
 172.16.0.0/12       192.168.1.1      BGP-PEER-65003 0.0.0.0          advertised  no aggregation  65001,65002,123


 


Resolution


This behavior is as per RFC 6996. The behavior is open to interpretation by vendors, and other vendors have implemented this feature the same way.

"Some existing implementations that remove Private Use ASNs from the AS_PATH are known to not remove Private Use ASNs if the AS_PATH contains a mixture of Private Use and Non-Private Use ASNs."
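
The following is an added example, not PAN-OS code or output from Palo Alto Networks: it models the behavior shown in the two scenarios above and audits rib-out rows for private ASNs that are still exposed to a peer. The function names are hypothetical, and the removal rule (strip only when the whole received path is private) is an assumption inferred from the outputs in this article.

```python
# Private Use ASN ranges reserved by RFC 6996 (16-bit and 32-bit).
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))

def is_private(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)

def advertise(received_path, local_as, remove_private=True):
    """Model of the behaviour in the article (assumption, not PAN-OS code):
    private ASNs are stripped only if the whole received path is private;
    a mixed path is left untouched. The local AS is then prepended."""
    path = list(received_path)
    if remove_private and path and all(is_private(a) for a in path):
        path = []
    return [local_as] + path

def leaked_private(path, local_as):
    """Private ASNs still visible to the peer, ignoring our own AS."""
    return [a for a in path if is_private(a) and a != local_as]

def audit_rib_out(text, local_as):
    """Parse 'show routing protocol bgp rib-out' rows; return
    {prefix: [leaked private ASNs]} for routes that still expose any."""
    findings = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a prefix and end with the comma-separated AS path.
        if len(fields) < 2 or "/" not in fields[0]:
            continue
        try:
            path = [int(a) for a in fields[-1].split(",")]
        except ValueError:
            continue  # header row or a row with an empty AS path
        leaked = leaked_private(path, local_as)
        if leaked:
            findings[fields[0]] = leaked
    return findings

# Sample rows copied from the PA-850-1 rib-out output in this article.
RIB_OUT = """\
 10.0.0.0/8          192.168.1.1      BGP-PEER-65003 0.0.0.0          advertised  no aggregation  65001
 172.16.0.0/12       192.168.1.1      BGP-PEER-65003 0.0.0.0          advertised  no aggregation  65001,65002,123
"""

if __name__ == "__main__":
    print(advertise([65002], 65001))        # path for 10.0.0.0/8
    print(advertise([65002, 123], 65001))   # path for 172.16.0.0/12
    print(audit_rib_out(RIB_OUT, 65001))
```

Running the audit against saved rib-out output after enabling 'Remove Private AS' shows which prefixes still carry an internal private ASN to the peer because their path is mixed.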

 


