BGP Enforce the First Autonomous System Path The BGP Enforce the First Autonomous System Path feature is used to configure a Border Gateway Protocol (BGP) routing process to discard updates received from an external BGP (ebgp) peers that do not list their autonomous system (AS) number as the first AS path segment in the AS_PATH attribute of the incoming route. Feature History for BGP Enforce the First Autonomous System Path feature Release Modification 12.0(3)S This feature was introduced. 12.0(26)S The default behavior for this feature was changed to enabled in Cisco IOS Release 12.0(26)S. 12.2(18)S This feature was integrated into Cisco IOS Release 12.2(18)S. 12.3(2) This feature was integrated into Cisco IOS Release 12.3(2). 12.3(2)T This feature was integrated into Cisco IOS Release 12.3(2)T. Finding Support Information for Platforms and Cisco IOS Software Images Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear. Contents How to Enable First AS Path Verification, page 2 Configuration Example for First AS Path Verification, page 2 Additional References, page 3 Command Reference, page 4 Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA Copyright 2004 Cisco Systems, Inc. All rights reserved.
How to Enable First AS Path Verification BGP Enforce the First Autonomous System Path How to Enable First AS Path Verification The BGP Enforce the First Autonomous System Path feature is used to deny incoming updates received from ebgp peers that do not list their AS number as the first segment in the AS_PATH attribute. Enabling this command prevents a misconfigured or unauthorized peer from misdirecting traffic (spoofing the local router) by advertising a route as if it was sourced from another autonomous system. This feature is enabled globally. The behavior of this feature is enable by default in Cisco IOS software releases. Note This feature is not enabled by default in software releases prior to Cisco IOS Release 12.0(26)S. SUMMARY STEPS 1. enable 2. configure terminal 3. router bgp as-number 4. DETAILED STEPS Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Step 4 Router# configure terminal router bgp as-number Router(config)# router bgp 50000 Router(config-router)# bgp-first-as Creates a BGP routing process, and enters router configuration mode. Configures the BGP routing process to discard updates from ebgp peers that do not list their AS number as the first AS path segment in the AS_PATH attribute of the incoming update. Configuration Example for First AS Path Verification In the following example, all incoming updates from ebgp peers are examined to ensure that the first AS number in the AS_PATH is the local AS number of the transmitting peer. Updates from the 10.100.0.1 peer will be discarded if the first AS number is not 65001. Router(config)# router bgp 50000 Router(config-router)# 2
BGP Enforce the First Autonomous System Path Additional References Router(config-router)# address-family ipv4 Router(config-router-af)# neighbor 10.100.0.1 remote-as 65001 Router(config-router-af)# end Additional References The BGP Enforce the First Autonomous System Path feature can be used to improve security for ebgp peering sessions. You can also configure AS path and prefix filters, MD5 authentication, and the Generalized TTL security mechanism to provide additional security. See the following references for more information: Related Documents Related Topic Document Title BGP configuration tasks and commands Cisco IOS IP Configuration Guide, Release 12.3 Cisco IOS IP Command Reference, Volume 2 of 4: Routing Protocols, Release 12.3 Generalized TTL Security Mechanism BGP Support for TTL Security Check Standards Standards No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. Title MIBs MIBs No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. MIBs Link To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs RFCs No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. Title 3
Command Reference BGP Enforce the First Autonomous System Path Technical Assistance Description Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. Link http://www.cisco.com/public/support/tac/home.shtml Command Reference This section documents the command. 4
BGP Enforce the First Autonomous System Path To configure a router to deny an update received from an external BGP (ebgp) peer that does not list its autonomous system (AS) number at the beginning of the AS_PATH in the incoming update, use the bgp enforce-first-as command in router configuration mode. To disable this behavior, use the no form of this command. no Syntax Description This command has no arguments or keywords. Defaults The behavior of this command is enabled by default. Command Modes Router configuration Command History Release Modification 12.0(3)S This command was introduced. 12.0(26)S The default behavior for this command was changed to enabled in Cisco IOS Release 12.0(26)S. 12.2(18)S This command was integrated into Cisco IOS Release 12.2(18)S. 12.3(2) This command was integrated into Cisco IOS Release 12.3(2). 12.3(2)T This command was integrated into Cisco IOS Release 12.3(2)T. Usage Guidelines The command is used to deny incoming updates received from ebgp peers that do not list their AS number as the first segment in the AS_PATH attribute. Enabling this command prevents a misconfigured or unauthorized peer from misdirecting traffic (spoofing the local router) by advertising a route as if it was sourced from another autonomous system. Examples In the following example, all incoming updates from ebgp peers are examined to ensure that the first AS number in the AS_PATH is the local AS number of the transmitting peer. Updates from the 10.100.0.1 peer will be discarded if the first AS number is not 65001. Router(config)# router bgp 50000 Router(config-router)# Router(config-router)# address-family ipv4 Router(config-router-af)# neighbor 10.100.0.1 remote-as 65001 Router(config-router-af)# end 5
BGP Enforce the First Autonomous System Path CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iphone, IP/TV, iq Expertise, the iq logo, iq Net Readiness Scorecard, iquick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R) Copyright 2005 Cisco Systems, Inc. All rights reserved. 6