BGP Enforce the First Autonomous System Path
The BGP Enforce the First Autonomous System Path feature is used to configure a Border Gateway Protocol (BGP) routing process to discard updates received from external BGP (eBGP) peers that do not list their own autonomous system (AS) number as the first AS path segment in the AS_PATH attribute of the incoming route.
Feature History for BGP Enforce the First Autonomous System Path feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• How to Enable First AS Path Verification
• Configuration Example for First AS Path Verification
How to Enable First AS Path Verification
The BGP Enforce the First Autonomous System Path feature is used to deny incoming updates received from eBGP peers that do not list their AS number as the first segment in the AS_PATH attribute. Enabling this command prevents a misconfigured or unauthorized peer from misdirecting traffic (spoofing the local router) by advertising a route as if it were sourced from another autonomous system.
This feature is enabled globally. The behavior of this feature is enabled by default in Cisco IOS software releases.
Note: This feature is not enabled by default in software releases prior to Cisco IOS Release 12.0(26)S.
SUMMARY STEPS
1. enable
2. configure terminal
3. router bgp as-number
4. bgp enforce-first-as
DETAILED STEPS
Configuration Example for First AS Path Verification
In the following example, all incoming updates from eBGP peers are examined to ensure that the first AS number in the AS_PATH is the local AS number of the transmitting peer. Updates from the 10.100.0.1 peer will be discarded if the first AS number is not 65001.
Router(config)# router bgp 50000
Router(config-router)# bgp enforce-first-as
Router(config-router)# address-family ipv4
Router(config-router-af)# neighbor 10.100.0.1 remote-as 65001
Router(config-router-af)# end
Additional References
The BGP Enforce the First Autonomous System Path feature can be used to improve security for eBGP peering sessions. You can also configure AS path and prefix filters, MD5 authentication, and the Generalized TTL Security Mechanism to provide additional security. See the following references for more information:
Related Documents
Related Topic: BGP configuration tasks and commands
Document Title:
• Cisco IOS IP Configuration Guide, Release 12.3
• Cisco IOS IP Command Reference, Volume 2 of 4: Routing Protocols, Release 12.3
Related Topic: Generalized TTL Security Mechanism
Document Title:
• BGP Support for TTL Security Check
Standards
Standard: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —
MIBs
RFCs
RFC: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —
Technical Assistance
Command Reference
This section documents the bgp enforce-first-as command.
bgp enforce-first-as
To configure a router to deny an update received from an external BGP (eBGP) peer that does not list its autonomous system (AS) number at the beginning of the AS_PATH in the incoming update, use the bgp enforce-first-as command in router configuration mode. To disable this behavior, use the no form of this command.
bgp enforce-first-as
no bgp enforce-first-as
Syntax Description
This command has no arguments or keywords.
Defaults
The behavior of this command is enabled by default.
Command Modes
Router configuration
Command History
Usage Guidelines
The bgp enforce-first-as command is used to deny incoming updates received from eBGP peers that do not list their AS number as the first segment in the AS_PATH attribute. Enabling this command prevents a misconfigured or unauthorized peer from misdirecting traffic (spoofing the local router) by advertising a route as if it were sourced from another autonomous system.
Examples
In the following example, all incoming updates from eBGP peers are examined to ensure that the first AS number in the AS_PATH is the local AS number of the transmitting peer. Updates from the 10.100.0.1 peer will be discarded if the first AS number is not 65001.
Router(config)# router bgp 50000
Router(config-router)# bgp enforce-first-as
Router(config-router)# address-family ipv4
Router(config-router-af)# neighbor 10.100.0.1 remote-as 65001
Router(config-router-af)# end
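The check that both configuration examples on this page (the one in the How-to section and the one above) rely on, written out as an added Python model. This is not Cisco IOS code; it applies the rule the page documents: an update from an eBGP neighbor is accepted only when the leftmost AS in its AS_PATH equals the AS configured with neighbor ... remote-as. The AS_PATH text format ("65001 65002 {65003 65004}", braces marking an AS_SET) follows show ip bgp output; treating an empty AS_PATH or one that begins with an AS_SET as a mismatch, and exempting iBGP neighbors from the check, are assumptions of this model rather than documented IOS behavior.

```python
"""Added model of the bgp enforce-first-as check (not Cisco IOS code).

Rule applied: an UPDATE received from an eBGP peer is accepted only if the
leftmost AS in its AS_PATH equals the AS number configured for that neighbor.
Assumptions of this model (not documented IOS behavior): an AS_PATH that is
empty or starts with an AS_SET segment is treated as a mismatch, and iBGP
peers (remote-as equal to the local AS) are exempt from the check.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

AS_SEQUENCE = "AS_SEQUENCE"
AS_SET = "AS_SET"

Segment = Tuple[str, List[int]]


@dataclass(frozen=True)
class Neighbor:
    address: str
    remote_as: int


@dataclass
class BgpProcess:
    """The 'router bgp <local_as>' process and its configured neighbors."""
    local_as: int
    neighbors: Dict[str, Neighbor] = field(default_factory=dict)
    enforce_first_as: bool = True  # the default documented on this page

    def neighbor(self, address: str, remote_as: int) -> None:
        """Equivalent of 'neighbor <address> remote-as <remote_as>'."""
        self.neighbors[address] = Neighbor(address, remote_as)


def parse_as_path(text: str) -> List[Segment]:
    """Parse an AS_PATH written as in 'show ip bgp' output, for example
    '65001 65002 {65003 65004}'. Bare numbers form AS_SEQUENCE segments;
    a brace-enclosed group is an AS_SET segment."""
    segments: List[Segment] = []
    current: List[int] = []
    in_set = False
    for tok in re.findall(r"\{|\}|\d+", text):
        if tok == "{":
            if in_set:
                raise ValueError("nested AS_SET")
            if current:
                segments.append((AS_SEQUENCE, current))
                current = []
            in_set = True
        elif tok == "}":
            if not in_set:
                raise ValueError("unbalanced '}'")
            segments.append((AS_SET, current))
            current = []
            in_set = False
        else:
            current.append(int(tok))
    if in_set:
        raise ValueError("unterminated AS_SET")
    if current:
        segments.append((AS_SEQUENCE, current))
    return segments


def first_as_check(proc: BgpProcess, peer: str, as_path: str) -> Tuple[bool, str]:
    """Decide whether an UPDATE from `peer` carrying `as_path` is accepted.
    Returns (accepted, reason); the reason is what a discard log would record."""
    nbr = proc.neighbors[peer]
    if nbr.remote_as == proc.local_as:
        return True, "accept: iBGP peer, first-AS check not applied"
    if not proc.enforce_first_as:
        return True, "accept: bgp enforce-first-as disabled"
    segments = parse_as_path(as_path)
    if not segments or segments[0][0] != AS_SEQUENCE:
        return False, f"discard: AS_PATH '{as_path}' from {peer} has no leading AS_SEQUENCE"
    first = segments[0][1][0]
    if first != nbr.remote_as:
        return False, f"discard: first AS {first} from {peer} is not neighbor AS {nbr.remote_as}"
    return True, f"accept: first AS {first} matches neighbor AS {nbr.remote_as}"


if __name__ == "__main__":
    # Constructed sample mirroring the page: router bgp 50000, neighbor 10.100.0.1 in AS 65001.
    proc = BgpProcess(local_as=50000)
    proc.neighbor("10.100.0.1", 65001)
    for path in ("65001 65010 65020", "65002 65001", "{65001 65002} 65003", ""):
        print(first_as_check(proc, "10.100.0.1", path))
```

The second and third sample paths are the cases the feature exists for: a neighbor in AS 65001 presenting a path that begins with some other AS, or hiding its own AS inside an AS_SET, would otherwise let that neighbor appear to originate routes on behalf of another autonomous system.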
Copyright © 2005 Cisco Systems, Inc. All rights reserved.