BGP Enforce the First Autonomous System Path


The BGP Enforce the First Autonomous System Path feature is used to configure a Border Gateway Protocol (BGP) routing process to discard updates received from external BGP (eBGP) peers that do not list their autonomous system (AS) number as the first AS path segment in the AS_PATH attribute of the incoming route.

Feature History for the BGP Enforce the First Autonomous System Path Feature

  Release     Modification
  12.0(3)S    This feature was introduced.
  12.0(26)S   The default behavior for this feature was changed to enabled in Cisco IOS Release 12.0(26)S.
  12.2(18)S   This feature was integrated into Cisco IOS Release 12.2(18)S.
  12.3(2)     This feature was integrated into Cisco IOS Release 12.3(2).
  12.3(2)T    This feature was integrated into Cisco IOS Release 12.3(2)T.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

  How to Enable First AS Path Verification
  Configuration Example for First AS Path Verification
  Additional References
  Command Reference

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright 2004 Cisco Systems, Inc. All rights reserved.

How to Enable First AS Path Verification

The BGP Enforce the First Autonomous System Path feature is used to deny incoming updates received from eBGP peers that do not list their AS number as the first segment in the AS_PATH attribute. Enabling this command prevents a misconfigured or unauthorized peer from misdirecting traffic (spoofing the local router) by advertising a route as if it were sourced from another autonomous system. This feature is enabled globally. The behavior of this feature is enabled by default in Cisco IOS software releases.

Note: This feature is not enabled by default in software releases prior to Cisco IOS Release 12.0(26)S.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. router bgp as-number
  4. bgp enforce-first-as

DETAILED STEPS

  Step 1  Command or Action: enable
          Router> enable
          Purpose: Enables privileged EXEC mode. Enter your password if prompted.

  Step 2  Command or Action: configure terminal
          Router# configure terminal
          Purpose: Enters global configuration mode.

  Step 3  Command or Action: router bgp as-number
          Router(config)# router bgp 50000
          Purpose: Creates a BGP routing process, and enters router configuration mode.

  Step 4  Command or Action: bgp enforce-first-as
          Router(config-router)# bgp enforce-first-as
          Purpose: Configures the BGP routing process to discard updates from eBGP peers that do not list their AS number as the first AS path segment in the AS_PATH attribute of the incoming update.

Configuration Example for First AS Path Verification

In the following example, all incoming updates from eBGP peers are examined to ensure that the first AS number in the AS_PATH is the local AS number of the transmitting peer. Updates from the 10.100.0.1 peer will be discarded if the first AS number is not 65001.

  Router(config)# router bgp 50000
  Router(config-router)# bgp enforce-first-as
  Router(config-router)# address-family ipv4
  Router(config-router-af)# neighbor 10.100.0.1 remote-as 65001
  Router(config-router-af)# end

Additional References

The BGP Enforce the First Autonomous System Path feature can be used to improve security for eBGP peering sessions. You can also configure AS path and prefix filters, MD5 authentication, and the Generalized TTL Security Mechanism to provide additional security. See the following references for more information:

Related Documents

  Related Topic                          Document Title
  BGP configuration tasks and commands   Cisco IOS IP Configuration Guide, Release 12.3
                                         Cisco IOS IP Command Reference, Volume 2 of 4: Routing Protocols, Release 12.3
  Generalized TTL Security Mechanism     BGP Support for TTL Security Check

Standards

  Standards                                                                Title
  No new or modified standards are supported by this feature, and          --
  support for existing standards has not been modified by this feature.

MIBs

  MIBs                                                                     MIBs Link
  No new or modified MIBs are supported by this feature, and support       To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules,
  for existing MIBs has not been modified by this feature.                 go to the Cisco MIB website on Cisco.com at the following URL:
                                                                           http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

  RFCs                                                                     Title
  No new or modified RFCs are supported by this feature, and support       --
  for existing RFCs has not been modified by this feature.

Technical Assistance

  Description                                                              Link
  Technical Assistance Center (TAC) home page, containing 30,000 pages     http://www.cisco.com/public/support/tac/home.shtml
  of searchable technical content, including links to products,
  technologies, solutions, technical tips, and tools. Registered
  Cisco.com users can log in from this page to access even more content.

Command Reference

This section documents the bgp enforce-first-as command.

bgp enforce-first-as

To configure a router to deny an update received from an external BGP (eBGP) peer that does not list its autonomous system (AS) number at the beginning of the AS_PATH in the incoming update, use the bgp enforce-first-as command in router configuration mode. To disable this behavior, use the no form of this command.

  bgp enforce-first-as
  no bgp enforce-first-as

Syntax Description

  This command has no arguments or keywords.

Defaults

  The behavior of this command is enabled by default.

Command Modes

  Router configuration

Command History

  Release     Modification
  12.0(3)S    This command was introduced.
  12.0(26)S   The default behavior for this command was changed to enabled in Cisco IOS Release 12.0(26)S.
  12.2(18)S   This command was integrated into Cisco IOS Release 12.2(18)S.
  12.3(2)     This command was integrated into Cisco IOS Release 12.3(2).
  12.3(2)T    This command was integrated into Cisco IOS Release 12.3(2)T.

Usage Guidelines

  The command is used to deny incoming updates received from eBGP peers that do not list their AS number as the first segment in the AS_PATH attribute. Enabling this command prevents a misconfigured or unauthorized peer from misdirecting traffic (spoofing the local router) by advertising a route as if it were sourced from another autonomous system.

Examples

  In the following example, all incoming updates from eBGP peers are examined to ensure that the first AS number in the AS_PATH is the local AS number of the transmitting peer. Updates from the 10.100.0.1 peer will be discarded if the first AS number is not 65001.

  Router(config)# router bgp 50000
  Router(config-router)# bgp enforce-first-as
  Router(config-router)# address-family ipv4
  Router(config-router-af)# neighbor 10.100.0.1 remote-as 65001
  Router(config-router-af)# end
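The first-AS check that the bgp enforce-first-as command applies, both in the configuration task above and in this Command Reference entry, written out as an added Python example that is not Cisco's code and does not claim to reproduce IOS internals: it decodes a raw AS_PATH attribute into its segments and accepts or discards constructed updates from the page's 10.100.0.1 / AS 65001 peer. The peer table, the second peer 10.200.0.1 / AS 65002, the 2-octet AS encoding and the treatment of empty or AS_SET-first paths as failures are all assumptions.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # AS_PATH segment types (RFC 4271, section 4.3)

# Constructed peer table: the page's neighbor 10.100.0.1 remote-as 65001, plus an assumed second peer
PEERS = {"10.100.0.1": 65001, "10.200.0.1": 65002}


def parse_as_path(raw):
    """Decode raw AS_PATH attribute bytes into [(segment_type, [asn, ...]), ...].
    Assumes 2-octet AS numbers, i.e. the classic AS_PATH encoding."""
    segments, i = [], 0
    while i < len(raw):
        seg_type, count = raw[i], raw[i + 1]
        asns = list(struct.unpack_from("!%dH" % count, raw, i + 2))
        segments.append((seg_type, asns))
        i += 2 + 2 * count
    return segments


def first_as_ok(segments, peer_as):
    """The enforce-first-as rule: the leftmost AS must be the sending eBGP peer's AS.
    Empty paths and paths opening with an AS_SET fail here (assumption, not stated by the page)."""
    if not segments:
        return False
    seg_type, asns = segments[0]
    return seg_type == AS_SEQUENCE and bool(asns) and asns[0] == peer_as


def filter_updates(updates, peers=PEERS):
    """Split (peer_ip, prefix, raw_as_path) updates into accepted and discarded prefix lists."""
    accepted, discarded = [], []
    for peer_ip, prefix, raw_path in updates:
        segs = parse_as_path(raw_path)
        (accepted if first_as_ok(segs, peers[peer_ip]) else discarded).append(prefix)
    return accepted, discarded


def encode_path(*segments):
    """Build constructed AS_PATH bytes from (segment_type, [asn, ...]) tuples."""
    out = b""
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)]) + struct.pack("!%dH" % len(asns), *asns)
    return out


# Constructed sample updates: (peer address, prefix, AS_PATH attribute value)
SAMPLE_UPDATES = [
    ("10.100.0.1", "192.0.2.0/24", encode_path((AS_SEQUENCE, [65001, 64512]))),  # peer AS first: accept
    ("10.100.0.1", "198.51.100.0/24", encode_path((AS_SEQUENCE, [64512]))),     # peer AS missing: discard
    ("10.100.0.1", "203.0.113.0/24", encode_path((AS_SET, [65001, 64512]))),     # AS_SET first: discard
    ("10.200.0.1", "192.0.2.128/25", encode_path((AS_SEQUENCE, [65002]))),       # peer AS first: accept
]
```

Running filter_updates(SAMPLE_UPDATES) accepts 192.0.2.0/24 and 192.0.2.128/25 and discards the other two, the second one being the misdirection case the Usage Guidelines describe.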

Copyright 2005 Cisco Systems, Inc. All rights reserved.