Limit the maximum BGP AS-path length


By Ivan Pepelnjak

BGP allows numerous attributes (including AS-path, metrics, local preference and communities) to be attached to every advertised IP prefix. The total length of the BGP attributes attached to a single IP prefix can be very large (up to 64K bytes). IP prefixes with an excessive amount of attribute data residing in the BGP table can result in significant memory utilization and trigger software bugs.

An AS-path attribute with more than 255 AS numbers is encoded as multiple AS_SEQUENCE segments. This unusual AS-path composition is not handled properly by any Cisco IOS release up to (at least) 12.2SRC and 12.4T and results in a continuously flapping BGP session. The hard-coded AS-path length limit (see below) avoids this behavior unless route-map based AS-path prepending extends the AS-path length beyond 255 AS numbers.

The extended length bit in the BGP UPDATE message that has to be used when the AS-path length exceeds 128 AS numbers causes errors in older IOS releases (Cisco bug ID CSCdr54230).

Cisco IOS can limit the maximum length of the AS-path attribute with the bgp maxas-limit length router configuration command. It’s highly advisable that you use this command to reduce the impact of oversized AS-path attributes on the operation of your network. Without the bgp maxas-limit command, Cisco IOS will accept all inbound IP prefixes, but mark the paths where the AS-path length exceeds 254 AS numbers as invalid (CSCeh13489). These paths are entered in the BGP table but not used.

The maximum sensible length of the AS-path attribute depends on your position within the Internet. Core operators observe lower AS-path lengths than the edge points. Due to CSCdr54230, you should not accept AS-paths having more than approximately 100 AS numbers; reasonable values are usually much lower.

Configuring the bgp maxas-limit command does not impact the regular BGP operation. The maxas-limit is checked during the inbound update processing. Prefixes with oversized AS-path length are simply ignored; BGP sessions are not disrupted.
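To make the encoding rules above concrete, the following Python encoder/decoder for the AS_PATH attribute is an added example; it is not part of the original article and is not Cisco IOS code. It splits paths longer than 255 AS numbers into multiple AS_SEQUENCE segments (the segment length is a single byte), sets the extended-length flag when the attribute value exceeds 255 bytes, and applies an inbound check modelled on bgp maxas-limit. Two-byte AS numbers are assumed by default (the asn_size parameter is this example's own), counting every AS number in every segment toward the limit is an assumption of the example, and the sample paths are constructed.

```python
import struct

# BGP AS_PATH wire format (RFC 4271): attribute flags, type code 2, a 1- or
# 2-byte length, then one or more segments of (segment type, ASN count, ASNs).
AS_PATH_TYPE = 2
AS_SET, AS_SEQUENCE = 1, 2
FLAG_TRANSITIVE = 0x40
FLAG_EXTENDED_LENGTH = 0x10   # set when the value exceeds 255 bytes (2-byte length)
MAX_SEGMENT_ASNS = 255        # the per-segment ASN count is a single byte


def encode_as_path(asns, asn_size=2):
    """Encode a list of ASNs as an AS_PATH attribute (header + value).

    Paths longer than 255 ASNs cannot fit in one segment, so they are split
    into consecutive AS_SEQUENCE segments; a value longer than 255 bytes
    forces the extended-length flag and a 2-byte length field."""
    fmt = ">H" if asn_size == 2 else ">I"
    value = b""
    for start in range(0, len(asns), MAX_SEGMENT_ASNS):
        chunk = asns[start:start + MAX_SEGMENT_ASNS]
        value += struct.pack(">BB", AS_SEQUENCE, len(chunk))
        value += b"".join(struct.pack(fmt, a) for a in chunk)
    flags = FLAG_TRANSITIVE
    if len(value) > 255:
        flags |= FLAG_EXTENDED_LENGTH
        header = struct.pack(">BBH", flags, AS_PATH_TYPE, len(value))
    else:
        header = struct.pack(">BBB", flags, AS_PATH_TYPE, len(value))
    return header + value


def decode_as_path(attr, asn_size=2):
    """Parse an AS_PATH attribute; return (segments, bytes consumed).

    Each segment is a (segment_type, [asn, ...]) tuple. A truncated or
    malformed attribute raises ValueError instead of reading past the buffer."""
    if len(attr) < 3:
        raise ValueError("attribute header truncated")
    flags, type_code = attr[0], attr[1]
    if type_code != AS_PATH_TYPE:
        raise ValueError("not an AS_PATH attribute")
    if flags & FLAG_EXTENDED_LENGTH:
        if len(attr) < 4:
            raise ValueError("attribute header truncated")
        (length,) = struct.unpack_from(">H", attr, 2)
        offset = 4
    else:
        length, offset = attr[2], 3
    value = attr[offset:offset + length]
    if len(value) != length:
        raise ValueError("attribute value truncated")
    fmt = ">H" if asn_size == 2 else ">I"
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("segment header truncated")
        seg_type, seg_len = value[pos], value[pos + 1]
        pos += 2
        end = pos + seg_len * asn_size
        if end > len(value):
            raise ValueError("segment body truncated")
        asns = [struct.unpack_from(fmt, value, pos + k * asn_size)[0]
                for k in range(seg_len)]
        segments.append((seg_type, asns))
        pos = end
    return segments, offset + length


def uses_extended_length(attr):
    """True when the sender had to set the extended-length flag."""
    return bool(attr[0] & FLAG_EXTENDED_LENGTH)


def as_path_length(segments):
    """Count every AS number in every segment (assumption: AS_SET members
    are counted individually; a conservative choice for a limit check)."""
    return sum(len(asns) for _, asns in segments)


def exceeds_maxas_limit(attr, limit, asn_size=2):
    """Inbound check modelled on bgp maxas-limit: (exceeded, asn_count)."""
    segments, _ = decode_as_path(attr, asn_size)
    count = as_path_length(segments)
    return count > limit, count


if __name__ == "__main__":
    # Constructed sample: the five-hop prepended path seen in the log message below
    short = encode_as_path([65000] * 5)
    print(exceeds_maxas_limit(short, 3))              # (True, 5): ignored with maxas-limit 3
    long_path = encode_as_path([65000] * 300)         # needs two AS_SEQUENCE segments
    segs, _ = decode_as_path(long_path)
    print(len(segs), uses_extended_length(long_path))  # 2 True
```

Running the block shows why the two IOS issues described above are distinct: the 300-ASN path exercises the multi-segment encoding, while the extended-length flag is already needed well below that, as soon as the attribute value passes 255 bytes.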


Test bed description

The bgp maxas-limit functionality can be easily demonstrated in a test bed consisting of only two routers (or a router and a Linux-based BGP server). The following network was used in the tests:

Figure 1: Sample network diagram

Router configurations

Configuration of R1

hostname R1
!
ip cef
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
!
interface Serial1/0
 description Link to R2 s1/0
 ip address 10.0.7.13 255.255.255.252
 encapsulation ppp
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 10.1.1.0 mask 255.255.255.0
 network 10.1.2.0 mask 255.255.255.0
 neighbor 10.0.7.14 remote-as 65100
 neighbor 10.0.7.14 route-map prepend out
 no auto-summary
!
ip classless
!
ip route 10.1.1.0 255.255.255.0 Null0
ip route 10.1.2.0 255.255.255.0 Null0
!
ip prefix-list prepend seq 5 permit 10.1.2.0/24
!
route-map prepend permit 10
 match ip address prefix-list prepend
 set as-path prepend 65000 65000 65000 65000
!
route-map prepend permit 20
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
!
ntp logging
end 

Configuration of R2

hostname R2
!
ip cef
!
interface Loopback0
 ip address 10.0.1.2 255.255.255.255
!
interface Serial1/0
 description Link to R1 s1/0
 ip address 10.0.7.14 255.255.255.252
 encapsulation ppp
!
router bgp 65100
 no synchronization
 bgp log-neighbor-changes
 bgp maxas-limit 3
 neighbor 10.0.7.13 remote-as 65000
 no auto-summary
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
!
ntp logging
end 

Exception logging

The bgp maxas-limit functionality does not impact the regular BGP operation. Whenever an inbound BGP update is received with an oversized AS-path attribute, the router logs a warning message and ignores the update.

Log message generated after an inbound update has been ignored

%BGP-6-ASPATH: Long AS path 65000 65000 65000 65000 65000
 received from 10.0.7.13: More than configured MAXAS-LIMIT 
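As a detection aid for the warning quoted above, here is a small Python parser that extracts the peer and AS-path length from %BGP-6-ASPATH messages and tallies ignored updates per neighbor. It is an added example, not part of the original article; the log lines it runs over are constructed (the first record is wrapped over two lines, as the message is shown above, and the continuation is re-joined before parsing), and the neighbor 10.0.9.2 is a made-up second peer.

```python
import re

# Matches the IOS warning; any syslog timestamp or sequence prefix is ignored.
ASPATH_RE = re.compile(
    r"%BGP-6-ASPATH: Long AS path (?P<path>\d+(?: \d+)*)\s+"
    r"received from (?P<peer>\d{1,3}(?:\.\d{1,3}){3}): More than configured MAXAS-LIMIT"
)

# Constructed sample log; the second peer 10.0.9.2 does not appear in the article.
SAMPLE_LOG = [
    "Mar  1 00:01:02.123: %BGP-6-ASPATH: Long AS path 65000 65000 65000 65000 65000",
    " received from 10.0.7.13: More than configured MAXAS-LIMIT ",
    "Mar  1 00:01:02.456: %BGP-5-ADJCHANGE: neighbor 10.0.7.13 Up",
    "Mar  1 00:01:05.789: %BGP-6-ASPATH: Long AS path 65000 65001 65002 65003"
    " received from 10.0.7.13: More than configured MAXAS-LIMIT",
    "Mar  1 00:01:09.000: %BGP-6-ASPATH: Long AS path 65200 65200 65200 65200 65200 65200"
    " received from 10.0.9.2: More than configured MAXAS-LIMIT",
]


def join_wrapped(lines):
    """Re-join continuation lines (leading whitespace) to the previous record."""
    records = []
    for line in lines:
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def parse_aspath_warning(line):
    """Return {"peer", "path", "length"} for a MAXAS-LIMIT warning, else None."""
    m = ASPATH_RE.search(line)
    if not m:
        return None
    path = [int(a) for a in m.group("path").split()]
    return {"peer": m.group("peer"), "path": path, "length": len(path)}


def summarize(records):
    """Per-neighbor count of ignored updates and the longest AS-path seen."""
    stats = {}
    for record in records:
        event = parse_aspath_warning(record)
        if event is None:
            continue
        s = stats.setdefault(event["peer"], {"ignored_updates": 0, "max_length": 0})
        s["ignored_updates"] += 1
        s["max_length"] = max(s["max_length"], event["length"])
    return stats


if __name__ == "__main__":
    for peer, s in summarize(join_wrapped(SAMPLE_LOG)).items():
        print(f"{peer}: {s['ignored_updates']} update(s) ignored, longest path {s['max_length']}")
```

A neighbor that repeatedly trips the limit is worth a closer look at its prepending or at whether the configured maxas-limit is lower than the AS-path lengths your position in the Internet normally produces.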

The AS-path length limiting functionality can also be observed with any of the debug ip bgp update commands. A sample printout is included below:

BGP debugging printout generated on R2

BGP(0): 10.0.7.13 rcv UPDATE w/ attr: nexthop 10.0.7.13, origin i,
  metric 0, originator 0.0.0.0, path 65000 65000 65000 65000 65000,
  community , extended community , SSA attribute
BGPSSA ssacount is 0
BGP(0): 10.0.7.13 rcv UPDATE about 10.1.2.0/24 -- DENIED due to:
  AS-PATH length over 4072;
BGP(0): 10.0.7.13 rcvd UPDATE w/ attr: nexthop 10.0.7.13, origin i,
  metric 0, path 65000
BGP(0): 10.0.7.13 rcvd 10.1.1.0/24...duplicate ignored 

Additional Resources

Configuring BGP on Cisco Routers (BGP) course