Discussion:
[j-nsp] as-path rewrite
Sorin CONSTANTINESCU
2005-09-27 11:16:53 UTC
Hi, all.

I have the following topology:

AS1 - AS99 (L3 Mpls VPN) - AS2 - AS99 - INTERNET

My customer (AS2 - public AS Number) buys from the company I work for
2 services:

1) Internet Access
2) VPN between his location, and AS1 (also public AS Number).

The problem I have is that when I receive a prefix originated by AS1
on the Internet Transit BGP session, the AS-PATH is: 1 99 2. Our
network is a mixture of Juniper and Cisco routers. I used "allowas-in"
on the neighbor to the customer, but the Juniper routers won't import
this prefix throughout the network. I know I can use

a@R1# set loops ?
Possible completions:
  <loops>              Maximum number of times this AS can be in an AS path (1..10)
[edit routing-options autonomous-system]
a@R1# set loops

... but I don't consider this an option.

Has anyone ever run into this problem? As far as I see it, I have the
following options:

- use private "local-as" for the BGP sessions between AS99 and AS1/AS2
for the MPLS VPN BGP sessions (haven't tested this one so far)
- ask the customer to configure EBGP Multihop between AS1 and AS2, so
that my own AS won't be in the AS-PATH

I wish I could AS-PATH rewrite :))

Thanks,
--
Sorin CONSTANTINESCU
Cisco CCNP / JNCIA #845
consta at gmail.com
Jaroslaw Adam Gralak
2005-09-27 12:04:55 UTC
You are probably looking for:

as-override Replace neighbor AS number with our AS number

Best regards,
--
Jaroslaw Adam Gralak
Technical University of Szczecin / Academic Center of Computer Science
JG1991-RIPE * http://www.man.szczecin.pl http://www.aci.com.pl
Sorin CONSTANTINESCU
2005-09-27 12:43:56 UTC
Post by Jaroslaw Adam Gralak
as-override Replace neighbor AS number with our AS number
Thanks, I'm working on it :)
--
Sorin CONSTANTINESCU
Cisco CCNP / JNCIA #845
consta at gmail.com
Rafal Szarecki (WA/EPO)
2005-09-27 12:14:14 UTC
Sorin,

The Juniper "set loops 2" is the same as Cisco's "allowas-in". So why not use it if you use allowas-in?

Try to use as-override on the EBGP session. This has to be done on the AS2 CE, on the session to the global instance.

"local-as" does not solve your problem. It does not overwrite the real AS; it just adds a "virtual" AS in between the neighbors. If you define AS3 as local AS between AS 1 and AS 99, on the path you will see "1 3 99 2".

Rewriting of the AS-PATH is impossible. And this is good. Imagine the worldwide inconsistency. As per RFC1771, the AS-PATH attribute is used to AVOID LOOPS. So any mistake here can ...

The other concept is to ask the customer to:
do not advertise prefixes learned from the VPN to the Internet connection (with AS1 on the path)
create an aggregate route on the CE in AS2 which represents the whole of AS1.

Sorin, do you work for ROMTELECOM?

Rafal Jan Szarecki JNCIE #136
Senior Consultant - Datacom Networks
Ericsson Poland EPO/S/D
Office: +48 22 6916635
ECN: 837 6635
Mobile: +48 602418971
Skype: callto://Rafal_Szarecki <callto://Rafal_Szarecki/>
Sorin CONSTANTINESCU
2005-09-27 13:15:42 UTC
Post by Rafal Szarecki (WA/EPO)
Sorin,
The Juniper "set loops 2" is the same as Cisco's "allowas-in". So why not use it if you use allowas-in?
I didn't find a per-neighbor setting of loops.
Post by Rafal Szarecki (WA/EPO)
Try to use as-override on the EBGP session. This has to be done on the AS2 CE, on the session to the global instance.
"local-as" does not solve your problem. It does not overwrite the real AS; it just adds a "virtual" AS in between the neighbors. If you define AS3 as local AS between AS 1 and AS 99, on the path you will see "1 3 99 2".
I had a hunch...
Post by Rafal Szarecki (WA/EPO)
Rewriting of the AS-PATH is impossible. And this is good. Imagine the worldwide inconsistency. As per RFC1771, the AS-PATH attribute is used to AVOID LOOPS. So any mistake here can ...
I can definitely see the advantage of not rewriting the AS-PATH.
Post by Rafal Szarecki (WA/EPO)
do not advertise prefixes learned from the VPN to the Internet connection (with AS1 on the path)
create an aggregate route on the CE in AS2 which represents the whole of AS1.
AS1 has 2 transit providers (AS2 is one of them). If AS2 aggregates
the prefix received from AS1, wouldn't there be a problem that the
same prefix has its origin in AS1 and AS2?
The ugly solution that the customer agreed to configure on his routers
was an EBGP Multihop session between 2 routers in AS1/AS2.
Post by Rafal Szarecki (WA/EPO)
Sorin, do you work for ROMTELECOM?
No. Why do you ask?
PS: Brick asks you if you threw his jacket :)
--
Sorin CONSTANTINESCU
Cisco CCNP / JNCIA #845
consta at gmail.com
Peter Lundqvist
2005-09-27 13:24:55 UTC
Post by Sorin CONSTANTINESCU
Post by Rafal Szarecki (WA/EPO)
Sorin,
The Juniper "set loops 2" is the same as Cisco's "allowas-in". So why not use it if you use allowas-in?
I didn't find a per-neighbor setting of loops.
lunkan@junos_access# set routing-options autonomous-system 1111 loops 2
Post by Sorin CONSTANTINESCU
Post by Rafal Szarecki (WA/EPO)
Try to use as-override on the EBGP session. This has to be done on the AS2 CE, on the session to the global instance.
lunkan@junos_access# set routing-instances vrf_1 protocols bgp group x as-override
Post by Sorin CONSTANTINESCU
Post by Rafal Szarecki (WA/EPO)
"local-as" does not solve your problem. It does not overwrite the real AS; it just adds a "virtual" AS in between the neighbors. If you define AS3 as local AS between AS 1 and AS 99, on the path you will see "1 3 99 2".
I had a hunch...
Post by Rafal Szarecki (WA/EPO)
Rewriting of the AS-PATH is impossible. And this is good. Imagine the worldwide inconsistency. As per RFC1771, the AS-PATH attribute is used to AVOID LOOPS. So any mistake here can ...
I can definitely see the advantage of not rewriting the AS-PATH.
and the possibility of making mistakes :)
Post by Sorin CONSTANTINESCU
Post by Rafal Szarecki (WA/EPO)
do not advertise prefixes learned from the VPN to the Internet connection (with AS1 on the path)
create an aggregate route on the CE in AS2 which represents the whole of AS1.
AS1 has 2 transit providers (AS2 is one of them). If AS2 aggregates
the prefix received from AS1, wouldn't there be a problem that the
same prefix has its origin in AS1 and AS2?
The ugly solution that the customer agreed to configure on his routers
was an EBGP Multihop session between 2 routers in AS1/AS2.
Post by Rafal Szarecki (WA/EPO)
Sorin, do you work for ROMTELECOM?
No. Why do you ask?
PS: Brick asks you if you threw his jacket :)
--
Peter Lundqvist - Beta Engineering
Juniper Networks
Mobile: +46702060472
URL : http://www.juniper.net
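
An added illustration, not part of any poster's message and not router code: a toy Python model of how the options discussed so far ("loops 2" / "allowas-in", as-override on the AS2 session, and local-as with or without "private") change the AS_PATH that AS99 sees and its loop check. The function names and the simplified export/import rules are assumptions made for this sketch; paths are lists with the most recent AS first, while the thread writes them origin-first.

```python
# Toy model of eBGP AS_PATH handling for the topology in this thread:
#   AS1 - AS99 (L3 MPLS VPN) - AS2 - AS99 - INTERNET
# All function names are hypothetical; this is not vendor code.

def accepts(path, local_as, loops=1):
    """Loop check on receipt.

    Assumption of this model: the route is rejected when local_as appears
    `loops` or more times, so loops=1 rejects any occurrence and loops=2
    tolerates one, which is how "set loops 2" is used in the thread.
    """
    return path.count(local_as) < loops


def advertise(path, sender_as, neighbor_as, as_override=False):
    """eBGP export: optionally replace neighbor_as with sender_as, then prepend."""
    if as_override:
        path = [sender_as if asn == neighbor_as else asn for asn in path]
    return [sender_as] + path


def receive_with_local_as(path, local_as, private=False):
    """Import on a session that uses local-as: the extra AS is added to the
    received path unless the 'private' option hides it."""
    return list(path) if private else [local_as] + path


def to_thread_notation(path):
    """Render a path origin-first, the way the posters write it ("1 99 2")."""
    return " ".join(str(asn) for asn in reversed(path))


def scenario(as_override=False, local_as=None, private=False):
    """Return the path AS99 receives from AS2 on the Internet session."""
    path = advertise([], 1, 99)                    # AS1 originates the prefix
    if local_as is not None:                       # AS99 side of the AS1 session
        path = receive_with_local_as(path, local_as, private)
    path = advertise(path, 99, 2)                  # AS99 -> AS2 over the VPN
    return advertise(path, 2, 99, as_override)     # AS2 -> AS99, Internet session


if __name__ == "__main__":
    cases = {
        "default": scenario(),
        "as-override on AS2": scenario(as_override=True),
        "local-as 3": scenario(local_as=3),
        "local-as 3 private": scenario(local_as=3, private=True),
    }
    for name, path in cases.items():
        print(f"{name:20} path={to_thread_notation(path):10} "
              f"loops=1:{accepts(path, 99)} loops=2:{accepts(path, 99, loops=2)}")
```

In the as-override case AS99's own number no longer appears in the path, so its loop check passes at the default setting because there is nothing left for it to detect.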
Rafal Szarecki (WA/EPO)
2005-09-27 14:21:27 UTC
Sorin. You are from GTS.
On 9/27/05, Rafal Szarecki (WA/EPO)
Post by Rafal Szarecki (WA/EPO)
Sorin,
The Juniper "set loops 2" is the same as Cisco's "allowas-in".
So why not use it if you use allowas-in?
I didn't find a per-neighbor setting of loops.
Post by Rafal Szarecki (WA/EPO)
do not advertise prefixes learned from the VPN to the Internet
connection (with AS1 on the path)
Post by Rafal Szarecki (WA/EPO)
create an aggregate route on the CE in AS2 which represents the whole of AS1.
AS1 has 2 transit providers (AS2 is one of them). If AS2 aggregates
the prefix received from AS1, wouldn't there be a problem that the
same prefix has its origin in AS1 and AS2?
Yes, that is a complication.
The ugly solution that the customer agreed to configure on his routers
was an EBGP Multihop session between 2 routers in AS1/AS2.
I am afraid that this is the best solution...
Let's think about a CoC VPN, with an LSP tunnel connecting AS1 to AS2. In this case there will be no risk of routing inconsistency in the VRF against what is announced in the multihop BGP.
CoC is, as the name indicates, a solution for carriers. And AS2 is a carrier in this case.
And last but not least, you relax the VRF from the Internet feed.
Post by Rafal Szarecki (WA/EPO)
Sorin, do you work for ROMTELECOM?
No. Why do you ask?
Last week I worked in Bucharest for the ROMTELECOM account. But really, AFAIK they have no M/T in the network.
When I come back to Romania we can go for a beer/wine. What do you think?
PS: Brick asks you if you threw his jacket :)
Of course.
Rafal Jan Szarecki JNCIE #136
Skype: callto://Rafal_Szarecki <callto://Rafal_Szarecki/>
Pedro Roque Marques
2005-09-27 18:05:18 UTC
There is another option, which is to pass the iBGP information of your
customer transparently across the VPN network, i.e. the routes on the
customer side will not see the AS(es) that are used on the VPN network.

On Juniper boxes you can do this by configuring a VRF such that:

routing-instances {
    customer {
        routing-options {
            /* the customer's AS, kept separate from the provider's AS path */
            autonomous-system <customer-as> independent-domain;
        }
        protocols {
            bgp {
                group pe-ce {
                    /* PE-CE session runs as iBGP inside the customer's AS */
                    type internal;
                    neighbor <x.x.x.x>;
                }
            }
        }
    }
}

This will instruct the PE to transport the customer network BGP
attributes transparently over the VPN infrastructure. The protocol
extension is documented in draft-marques-l3vpn-ibgp-01.

Pedro.
Sorin CONSTANTINESCU
2005-09-27 18:15:04 UTC
Thanks very much! It's indeed a very useful feature.
Regards,
--
Sorin CONSTANTINESCU
Cisco CCNP / JNCIA #845
consta at gmail.com
Doug Marschke
2005-09-27 19:19:14 UTC
You can also look at local-as private:
private - Hide the local AS in paths learned from this peering

So in your example below, if you define AS3 as local-as private, it will be
stripped off when you advertise the route to a BGP neighbor.


Doug Marschke



-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Rafal Szarecki
(WA/EPO)
Sent: Tuesday, September 27, 2005 5:11 AM
To: Sorin CONSTANTINESCU; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] as-path rewrite

Sorin,

The Juniper "set loops 2" is the same as Cisco's "allowas-in". So why not
use it if you use allowas-in?

Try to use as-override on the EBGP session. This has to be done on the AS2 CE,
on the session to the global instance.

"local-as" does not solve your problem. It does not overwrite the real AS; it
just adds a "virtual" AS in between the neighbors. If you define AS3 as local AS
between AS 1 and AS 99, on the path you will see "1 3 99 2".

Rewriting of the AS-PATH is impossible. And this is good. Imagine the worldwide
inconsistency. As per RFC1771, the AS-PATH attribute is used to AVOID LOOPS.
So any mistake here can ...

The other concept is to ask the customer to:
do not advertise prefixes learned from the VPN to the Internet connection (with AS1
on the path)
create an aggregate route on the CE in AS2 which represents the whole of AS1.

Sorin, do you work for ROMTELECOM?

Rafal Jan Szarecki JNCIE #136
Senior Consultant - Datacom Networks
Ericsson Poland EPO/S/D
Office: +48 22 6916635
ECN: 837 6635
Mobile: +48 602418971
Skype: callto://Rafal_Szarecki <callto://Rafal_Szarecki/>
Sorin CONSTANTINESCU
2005-09-27 19:36:12 UTC
Thanks all for your replies. Your answers were very helpful.

Regards,
--
Sorin CONSTANTINESCU
Cisco CCNP / JNCIA #845
consta at gmail.com