More Private AS Numbers

Have you ever tried to implement a large-scale DMVPN or MPLS/VPN network using BGP as the routing protocol? If you tried to stitch more than ~1000 sites together you’re well aware of all the pain caused by a small range of private AS numbers defined in RFC 1930. We can kludge our way around the limitation by reusing the same AS number on multiple sites (and using allowas-in when we need full routing information on every site), but such a design clearly sucks.

RFC 6996 (published a few days ago) neatly solves the problem: it adds a new range of 32-bit private AS numbers from 4200000000 to 4294967294. I’m positive I won’t be able to remember the number of zeroes in the first number, but fortunately we can still use asdot notation (even though it’s been discouraged by RFC 5396), where the private AS numbers go from 64086.59904 to 65535.65534. For all practical purposes, you could use 65000.1 through 65500.65500 and have enough AS numbers to address all your future DMVPN-connected sites throughout the solar system.

And finally, a few warnings:

  • Your CE-routers obviously have to support 4-byte AS numbers, which means you need reasonably new Cisco IOS (or IOS XE).
  • The BGP code dealing with private AS numbers (example: neighbor remove-private-as functionality) might not recognize the 32-bit private AS numbers. As always, it might be worthwhile testing stuff in a lab before a production deployment.
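The asplain/asdot arithmetic and the "private AS" classification above are easy to get wrong once the 32-bit range is involved, so here is an added example (not code from the original post or from any vendor) that converts between the two notations, recognises both the RFC 1930 and RFC 6996 private ranges, and shows what a remove-private-as style filter has to do for an AS path. The AS paths used as input are constructed sample data; the function names are my own.

```python
"""
Added example: 4-byte AS number notation and private-range checks.

Ranges (both inclusive):
  RFC 1930  private 2-byte ASNs: 64512 - 65534
  RFC 6996  private 4-byte ASNs: 4200000000 - 4294967294

asdot notation (RFC 5396) writes ASNs >= 65536 as <high>.<low>, where each
half is a 16-bit value; ASNs below 65536 stay plain.
"""

RFC1930_PRIVATE = range(64512, 65535)            # 64512 .. 65534
RFC6996_PRIVATE = range(4200000000, 4294967295)  # 4200000000 .. 4294967294


def asplain_to_asdot(asn: int) -> str:
    """Render an ASN in asdot notation (plain below 65536)."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of 32-bit range: {asn}")
    if asn < 65536:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def asdot_to_asplain(text: str) -> int:
    """Parse either plain ('65000') or dotted ('65000.1') notation."""
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"asdot component out of range: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of 32-bit range: {text}")
    return asn


def is_private_as(asn: int) -> bool:
    """True for both the 2-byte (RFC 1930) and 4-byte (RFC 6996) private ranges."""
    return asn in RFC1930_PRIVATE or asn in RFC6996_PRIVATE


def strip_private_as(as_path):
    """What a complete remove-private-as filter must do: drop every private
    ASN, including the 32-bit ones that older code may not recognise."""
    return [asn for asn in as_path if not is_private_as(asn)]


def leaked_private_as(as_path):
    """Detection view: list the private ASNs that are still present in a path
    (e.g. a path seen on a router with a direct path to the public internet)."""
    return [asn for asn in as_path if is_private_as(asn)]


if __name__ == "__main__":
    # Constructed sample AS path: a 2-byte private ASN, two public ASNs and a
    # 4-byte private ASN written in asdot notation.
    path = [65001, 3356, asdot_to_asplain("65000.1"), 1299]
    print("asdot form of RFC 6996 range:",
          asplain_to_asdot(4200000000), "-", asplain_to_asdot(4294967294))
    print("leaked private ASNs:", leaked_private_as(path))
    print("path after stripping:", strip_private_as(path))
```

Running the module prints the asdot form of the RFC 6996 range (64086.59904 to 65535.65534, matching the numbers in the post) and shows that the asdot ASN 65000.1 is caught by the filter only because the 32-bit range is checked explicitly; a filter that only knows 64512-65534 would leave it in the AS path, which is the risk the second warning describes.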

4 comments:

  1. Don’t use the 32-bit private AS numbers if there’s a direct path of BGP speakers between your sites and the public internet.

    Why? What happens when one router doesn't understand the large AS numbers? Or is it because they don't differentiate a 32-bit private AS from a 32-bit public AS?

    best regards
    Replies
    1. My thinking went along the lines of "current router software probably cannot differentiate between 32-bit private and public AS numbers, so the private 32-bit AS numbers will stay in the AS path"
  2. Despite there being hate for BGP, I do like it and am glad to see it is still evolving.

    Nice article Ivan.
  3. Having BGP AS for each branch sounds a bit clunky.

    Why not just ignore the ISP that can't provide L2 links over MPLS and run a GRE tunnel overlay on the ISP?
    The only IPs on the ISP BGP network are the endpoint IPs; you could probably even use DMVPN to do it dynamically.

    Thus treat ISP as if they are the internet as well, and run DMVPN everywhere with ospf etc.

    This also protects against Provider Routing problems and black-holes.