Hi, I have some ipv4 pool with 2 diffent route originate ASNs I wnat to announce IPs from both ASNs
I have already announced 2 subnets under AS4567 (4567 is just a place holder) and peered with AS1234
xx.xx.112.0/24
xx.xx.113.0/24
Now I also need to announce 2 additional subnets under AS9999 (9999 is just a place holder) and peer with AS1234 using same neighbor IP and ASN
yy.yy.20.0/24
yy.yy.21.0/24
What changes do I need to make to do this?
How can I just set the origin AS for some specific subnets and living others alone?
Is there any way to better manage this settings?
create prefix lists with your Networks and link them in the neighbor > address-family > ipv4-unicast settings to export only these Networks to the specific peer
for one of the neighbors you have to set the “local-as” Statement to override your system-as
You have two ASN yourself which you want to peer with AS1234 from the same VyOS box.
That is as AS4567 you want to announce:
x.x.112.0/24
x.x.113.0/24
And as AS9999 you want to announce:
x.x.20.0/24
x.x.21.0/24
Is the above correct?
Im not sure what would be the best option here since there are a couple of limits.
Even if you can peer with two different neighbors over the same physical link the router bgp daemon at VyOS (as with any other vendor) only supports a single ASN to be configured with.
There are however ways to rewrite this but its dependent on that its two different neighbor IP’s that you peer with.
Something like (assuming your “router bgp” is configured with AS4567):
The above from the AS1234 point of view would give that you have two BGP sessions where the AS1234 must listen on both 192.0.2.1 and 192.0.2.2.
The stuff going through 192.0.2.1 is with your regular ASN as sender that is AS4567 (same as your “router bgp” is configured with).
While stuff going through 192.0.2.2 will display yourself as AS9999 but the original path will remain. If you remove that “no-prepend” it should just inject the AS9999 before AS4567 in the AS-PATH while with the “no-prepend” the AS4567 will not be seen at all for the peering with 192.0.2.2.
If two different neighbors isnt an option for you then are left with whatever rewrites (if any) the ROUTE-MAPs can bring you. Or use a 2nd VyOS box to deal with that ASN9999 (that is the neighbor will use a single IP but you at your end will have two IP’s one for the VyOS box dealing with ASN4567 and the other IP for the VyOS box dealing with ASN9999).
Thank you for the write up I really appreciate it.
Okay so from this I came to know that i’ll need 2 seperate BGP sessions to my upstream provider to directly establish peering with each asn.
In that case to maintain redundancy, I’ll need to ask them to make changes in existing arrangements.
Instead can I do it this way?
AS4567 is already connected to AS1234 (The upstream provider)
Can I establish a bgp connection between AS9999 and AS4567 and have AS4567 to export the routes from both AS9999 and AS4567 to the upstream provider AS1234? I know doing this should be trivial with 2 seperate VyOS boxes. Can we do thease things from the same vyos box because I want to have all the ipblocks accessable from this box.
So that from AS1234’s perspective it will look like that AS9999 is connected via AS4567 to AS1234
Routes:
x.x.20.0/24
x.x.21.0/24
Originating from AS9999 and connected to AS4567 and finally export it to AS1234
And Routes
x.x.112.0/24
x.x.113.0/24
Are Originating from AS4567 and directly connected to AS1234
Sorry if I missed it, but I’m unclear on why you want to have some prefixes with the different as-paths. What are you trying to achieve? What’s your end goal?
I ask because if you’re trying to do this for filtering or path selection, you may want to look into communities instead of using your spare AS in this way. This would save that additional AS for dedicated future use.
As far as what you and Apachez are discussing, it’s a simple manner of prepending. Here’s what it would generally look like:
set policy prefix-list PP_PFX rule 10 action 'permit'
set policy prefix-list PP_PFX rule 10 prefix '10.0.20.0/24'
set policy prefix-list PP_PFX rule 20 action 'permit'
set policy prefix-list PP_PFX rule 20 prefix '10.0.21.0/24'
set policy route-map PP_RM rule 10 action 'permit'
set policy route-map PP_RM rule 10 match ip address prefix-list 'PP_PFX'
set policy route-map PP_RM rule 10 set as-path prepend '9999'
set policy route-map PP_RM rule 20 action 'permit'
set protocols bgp neighbor 10.3.4.4 address-family ipv4-unicast route-map export 'PP_RM'
set protocols bgp neighbor 10.3.4.4 remote-as '1234'
set protocols bgp system-as '4567'
And here is what the prefixes look like on the ISP’s router:
vyos@ISP:~$ show ip bgp
BGP table version is 7, local router ID is 10.3.4.4, vrf id 0
Default local pref 100, local AS 1234
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.0.20.0/24 10.3.4.3 0 0 4567 9999 ?
*> 10.0.21.0/24 10.3.4.3 0 0 4567 9999 ?
*> 10.0.112.0/24 10.3.4.3 0 0 4567 ?
*> 10.0.113.0/24 10.3.4.3 0 0 4567 ?
*> 10.3.4.0/24 10.3.4.3 0 0 4567 ?
Displayed 5 routes and 5 total paths
@L0crian gave a good example of the route-map method so it boils down to how the downstream from your AS4567 router works if its BGP or static or something else.
After taking approvals from my upstream provider. I was finally able to try it out today.
And I can confirm its working well.
I confirmed it using a BGP looking glass service.
