
BGP Enforce the First Autonomous System Path
The BGP Enforce the First Autonomous System Path feature configures a Border Gateway Protocol (BGP)
routing process to discard updates received from external BGP (eBGP) peers that do not list their own
autonomous system (AS) number as the first AS path segment in the AS_PATH attribute of the incoming
route.
Feature History for BGP Enforce the First Autonomous System Path feature
Release      Modification
12.0(3)S     This feature was introduced.
12.0(26)S    The default behavior for this feature was changed to enabled in Cisco IOS Release 12.0(26)S.
12.2(18)S    This feature was integrated into Cisco IOS Release 12.2(18)S.
12.3(2)      This feature was integrated into Cisco IOS Release 12.3(2).
12.3(2)T     This feature was integrated into Cisco IOS Release 12.3(2)T.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• How to Enable First AS Path Verification, page 2
• Configuration Example for First AS Path Verification, page 2
• Additional References, page 3
• Command Reference, page 4
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
How to Enable First AS Path Verification
The BGP Enforce the First Autonomous System Path feature is used to deny incoming updates received
from eBGP peers that do not list their own AS number as the first segment in the AS_PATH attribute.
Enabling this command prevents a misconfigured or unauthorized peer from misdirecting traffic
(spoofing the local router) by advertising a route as if it was sourced from another autonomous system.
This feature is configured once under the BGP routing process and applies to all eBGP peers of that
process; updates from iBGP peers are not checked. The feature is enabled by default in current Cisco IOS
software releases.
Note
This feature is not enabled by default in software releases prior to Cisco IOS Release 12.0(26)S.
SUMMARY STEPS
1. enable
2. configure terminal
3. router bgp as-number
4. bgp enforce-first-as
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable

Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal

Step 3
Command or Action: router bgp as-number
Purpose: Creates a BGP routing process, and enters router configuration mode.
Example:
Router(config)# router bgp 50000

Step 4
Command or Action: bgp enforce-first-as
Purpose: Configures the BGP routing process to discard updates from eBGP peers that do not list their
own AS number as the first AS path segment in the AS_PATH attribute of the incoming update.
Example:
Router(config-router)# bgp enforce-first-as
Configuration Example for First AS Path Verification
In the following example, all incoming updates from eBGP peers are examined to ensure that the first
AS number in the AS_PATH is the AS number of the transmitting peer (the AS configured with
neighbor remote-as). Updates from the 10.100.0.1 peer will be discarded if the first AS number is not
65001.
Router(config)# router bgp 50000
Router(config-router)# bgp enforce-first-as
Router(config-router)# address-family ipv4
Router(config-router-af)# neighbor 10.100.0.1 remote-as 65001
Router(config-router-af)# end
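The following Python model, added here as a worked example and not part of Cisco's software or this document, shows the decision the feature makes for the scenario above (local AS 50000, peer 10.100.0.1 in AS 65001). It decodes the AS_PATH attribute from its RFC 4271 wire encoding (segment type, segment length, 2-octet AS numbers; 4-octet AS numbers are not modelled), applies the first-AS rule to eBGP sessions only, and runs it over a set of constructed sample updates. How IOS treats an update whose leading segment is an AS_SET is not stated on this page; the handling below (accept if the peer's AS is a member of the set) is an assumption and is marked as such in the code.

```python
"""
Model of the check that `bgp enforce-first-as` applies to eBGP updates.

Added example, not Cisco code. AS_PATH is decoded from its RFC 4271 wire
format (segment type, segment length, then 2-octet AS numbers; 4-octet
AS numbers are not modelled). The sample updates below are constructed.
"""
import struct

# RFC 4271 path segment types
AS_SET = 1
AS_SEQUENCE = 2


def parse_as_path(raw):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...]."""
    segments = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated AS_PATH segment header")
        seg_type, count = raw[i], raw[i + 1]
        i += 2
        body = raw[i:i + 2 * count]
        if len(body) != 2 * count:
            raise ValueError("truncated AS_PATH segment body")
        segments.append((seg_type, list(struct.unpack("!%dH" % count, body))))
        i += 2 * count
    return segments


def build_as_path(*segments):
    """Encode [(segment_type, [asn, ...]), ...] into wire format (used to construct samples)."""
    out = b""
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)]) + struct.pack("!%dH" % len(asns), *asns)
    return out


def first_as_ok(as_path_raw, peer_as):
    """True if the peer's own AS is the first AS in the AS_PATH, as the feature requires."""
    segments = parse_as_path(as_path_raw)
    if not segments:
        return False  # an eBGP speaker always prepends its AS; an empty path is bogus
    seg_type, asns = segments[0]
    if seg_type == AS_SEQUENCE:
        return len(asns) > 0 and asns[0] == peer_as
    if seg_type == AS_SET:
        # Assumption (not stated on the page): a leading AS_SET produced by
        # aggregation passes if the peer's AS is a member of the set.
        return peer_as in asns
    return False  # confederation segment types are not valid from a plain eBGP peer


def update_verdict(as_path_raw, peer_as, local_as):
    """Return 'accept' or 'discard' for one UPDATE. Only eBGP sessions
    (peer AS != local AS) are checked; the feature does not apply to iBGP peers."""
    if peer_as == local_as:
        return "accept"
    return "accept" if first_as_ok(as_path_raw, peer_as) else "discard"


def evaluate(updates, peer_as, local_as):
    """Apply update_verdict to a list of (label, as_path_bytes); return {label: verdict}."""
    return {label: update_verdict(raw, peer_as, local_as) for label, raw in updates}


# Scenario from the document: local AS 50000, peer 10.100.0.1 in AS 65001.
LOCAL_AS = 50000
PEER_AS = 65001

# Constructed sample updates as they might arrive from that peer.
SAMPLE_UPDATES = [
    ("honest",         build_as_path((AS_SEQUENCE, [65001, 65010, 65020]))),
    ("prepended",      build_as_path((AS_SEQUENCE, [65001, 65001, 65010]))),
    ("spoofed-origin", build_as_path((AS_SEQUENCE, [65010, 65020]))),  # peer left itself out
    ("wrong-first-as", build_as_path((AS_SEQUENCE, [65002, 65001]))),  # claims to be AS 65002
    ("aggregate",      build_as_path((AS_SET, [65001, 65030]), (AS_SEQUENCE, [65040]))),
    ("empty-path",     build_as_path()),
]

if __name__ == "__main__":
    for label, verdict in evaluate(SAMPLE_UPDATES, PEER_AS, LOCAL_AS).items():
        print("%-15s %s" % (label, verdict))
```

The two discarded sequences are the cases the feature exists for: a peer that omits its own AS or substitutes another one can otherwise make a route look as if it were learned from a different autonomous system. On the router itself, show running-config | include enforce-first-as shows whether the command has been explicitly configured or negated.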
Additional References
The BGP Enforce the First Autonomous System Path feature can be used to improve security for eBGP
peering sessions. You can also configure AS path and prefix filters, MD5 authentication, and the
Generalized TTL Security Mechanism to provide additional security. See the following references for
more information:
Related Documents
Related Topic: BGP configuration tasks and commands
• Cisco IOS IP Configuration Guide, Release 12.3
• Cisco IOS IP Command Reference, Volume 2 of 4: Routing Protocols, Release 12.3
Related Topic: Generalized TTL Security Mechanism
• BGP Support for TTL Security Check
Standards
Standards: No new or modified standards are supported by this feature, and support for existing
standards has not been modified by this feature.
Title: —
MIBs
MIBs: No new or modified MIBs are supported by this feature, and support for existing MIBs has not
been modified by this feature.
MIBs Link: To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB
modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs: No new or modified RFCs are supported by this feature, and support for existing RFCs has not
been modified by this feature.
Title: —
Technical Assistance
Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable
technical content, including links to products, technologies, solutions, technical tips, and tools.
Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/public/support/tac/home.shtml
Command Reference
This section documents the bgp enforce-first-as command.
bgp enforce-first-as
To configure a router to deny an update received from an external BGP (eBGP) peer that does not list its
autonomous system (AS) number at the beginning of the AS_PATH in the incoming update, use the bgp
enforce-first-as command in router configuration mode. To disable this behavior, use the no form of this
command.
bgp enforce-first-as
no bgp enforce-first-as
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default in Cisco IOS Release 12.0(26)S and later; in earlier releases it must
be configured explicitly.
Command Modes
Router configuration
Command History
Release      Modification
12.0(3)S     This command was introduced.
12.0(26)S    The default behavior for this command was changed to enabled in Cisco IOS Release 12.0(26)S.
12.2(18)S    This command was integrated into Cisco IOS Release 12.2(18)S.
12.3(2)      This command was integrated into Cisco IOS Release 12.3(2).
12.3(2)T     This command was integrated into Cisco IOS Release 12.3(2)T.
Usage Guidelines
The bgp enforce-first-as command is used to deny incoming updates received from eBGP peers that do
not list their AS number as the first segment in the AS_PATH attribute. Enabling this command prevents
a misconfigured or unauthorized peer from misdirecting traffic (spoofing the local router) by advertising
a route as if it was sourced from another autonomous system.
Examples
In the following example, all incoming updates from eBGP peers are examined to ensure that the first
AS number in the AS_PATH is the AS number of the transmitting peer (the AS configured with
neighbor remote-as). Updates from the 10.100.0.1 peer will be discarded if the first AS number is not
65001.
Router(config)# router bgp 50000
Router(config-router)# bgp enforce-first-as
Router(config-router)# address-family ipv4
Router(config-router-af)# neighbor 10.100.0.1 remote-as 65001
Router(config-router-af)# end
Copyright © 2005 Cisco Systems, Inc. All rights reserved.