Limit the maximum BGP AS-path length
BGP allows numerous attributes (AS path, metrics, local preference, communities and others) to be attached to every advertised IP prefix. The total length of the attributes attached to a single prefix can be very large: the path attribute length field allows up to 64K bytes, although a standard BGP UPDATE message is limited to 4096 bytes (RFC 4271). Prefixes carrying an excessive amount of attribute data in the BGP table can result in significant memory utilization and trigger software bugs.
The extended length bit in the BGP UPDATE message, which has to be set whenever an attribute value exceeds 255 bytes (roughly 128 AS numbers in an AS path made of two-byte AS numbers), causes errors in older IOS releases (Cisco bug ID CSCdr54230).
Cisco IOS can limit the maximum length of the AS-path attribute with the bgp maxas-limit length router configuration command. It is highly advisable to use this command to reduce the impact of oversized AS-path attributes on the operation of your network. Without the bgp maxas-limit command, Cisco IOS accepts all inbound IP prefixes but marks the paths whose AS-path length exceeds 254 AS numbers as invalid (CSCeh13489); these paths are entered in the BGP table but are not used.
Configuring the bgp maxas-limit command does not affect regular BGP operation. The limit is checked during inbound update processing: prefixes with an oversized AS path are simply ignored rather than treated as a malformed attribute (which would reset the session), so BGP sessions are not disrupted.
Test bed description
The bgp maxas-limit functionality can be easily demonstrated in a test bed consisting of only two routers (or a router and a Linux-based BGP server). The following network was used in the tests:
Configuration of R1
hostname R1
!
ip cef
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
!
interface Serial1/0
 description Link to R2 s1/0
 ip address 10.0.7.13 255.255.255.252
 encapsulation ppp
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 10.1.1.0 mask 255.255.255.0
 network 10.1.2.0 mask 255.255.255.0
 neighbor 10.0.7.14 remote-as 65100
 neighbor 10.0.7.14 route-map prepend out
 no auto-summary
!
ip classless
!
ip route 10.1.1.0 255.255.255.0 Null0
ip route 10.1.2.0 255.255.255.0 Null0
!
ip prefix-list prepend seq 5 permit 10.1.2.0/24
!
route-map prepend permit 10
 match ip address prefix-list prepend
 set as-path prepend 65000 65000 65000 65000
!
route-map prepend permit 20
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
!
ntp logging
end
Configuration of R2
hostname R2
!
ip cef
!
interface Loopback0
 ip address 10.0.1.2 255.255.255.255
!
interface Serial1/0
 description Link to R1 s1/0
 ip address 10.0.7.14 255.255.255.252
 encapsulation ppp
!
router bgp 65100
 no synchronization
 bgp log-neighbor-changes
 bgp maxas-limit 3
 neighbor 10.0.7.13 remote-as 65000
 no auto-summary
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
!
ntp logging
end
In the test bed, R1 prepends its own AS number four times to 10.1.2.0/24 (five AS numbers in total, including the origin AS), while R2 accepts at most three. The check does not disturb regular BGP operation: whenever R2 receives an inbound update with an oversized AS-path attribute, it logs a warning message and ignores the update, while 10.1.1.0/24 (AS path of length one) is accepted normally.
Log message generated after an inbound update has been ignored
%BGP-6-ASPATH: Long AS path 65000 65000 65000 65000 65000 received from 10.0.7.13: More than configured MAXAS-LIMIT
The AS-path length limiting functionality can also be observed with any of the debug ip bgp update commands. A sample printout is included below:
BGP debugging printout generated on R2
BGP(0): 10.0.7.13 rcv UPDATE w/ attr: nexthop 10.0.7.13, origin i, metric 0, originator 0.0.0.0, path 65000 65000 65000 65000 65000, community , extended community , SSA attribute BGPSSA ssacount is 0
BGP(0): 10.0.7.13 rcv UPDATE about 10.1.2.0/24 -- DENIED due to: AS-PATH length over 4072;
BGP(0): 10.0.7.13 rcvd UPDATE w/ attr: nexthop 10.0.7.13, origin i, metric 0, path 65000
BGP(0): 10.0.7.13 rcvd 10.1.1.0/24...duplicate ignored
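To make the two mechanisms discussed on this page concrete (the extended length bit that a long AS_PATH attribute forces, and the inbound maxas-limit check that ignores a prefix instead of dropping the session), here is an added example that builds and parses raw BGP UPDATE messages in Python. It is not Cisco code and not part of the original article; it reproduces the test bed traffic (R1 prepending 65000 four times to 10.1.2.0/24, R2 configured with maxas-limit 3) from constructed bytes, so it runs offline. Assumptions not taken from the page: two-byte AS numbers (no AS4 capability), and a hop count that treats an AS_SET as one hop (the RFC 4271 best-path convention; whether IOS counts AS_SETs the same way for maxas-limit is not stated on the page). Function names such as build_update and check_update are the example's own.

```python
"""Minimal BGP UPDATE builder/parser (added example, not Cisco code).

Demonstrates: the extended-length bit is set as soon as an attribute value
exceeds 255 bytes, and an inbound maxas-limit check ignores the prefix
instead of resetting the session.

Assumptions (not from the original page): 2-byte AS numbers; an AS_SET
counts as one hop when measuring AS-path length.
"""
import struct

AS_SET, AS_SEQUENCE = 1, 2
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3            # path attribute type codes
FLAG_TRANSITIVE, FLAG_EXTENDED_LENGTH = 0x40, 0x10
AS_SIZE = 2                                    # assumption: 2-byte ASNs
MARKER = b"\xff" * 16


def encode_attribute(type_code, value):
    """Encode one path attribute; the extended-length bit (two-byte length
    field) is set only when the value does not fit in one byte (RFC 4271 4.3)."""
    flags = FLAG_TRANSITIVE
    if len(value) > 255:
        flags |= FLAG_EXTENDED_LENGTH
        return bytes([flags, type_code]) + struct.pack("!H", len(value)) + value
    return bytes([flags, type_code, len(value)]) + value


def encode_as_path(asns):
    """An AS_SEQUENCE segment holds at most 255 ASNs, so long paths are split."""
    out = b""
    for i in range(0, len(asns), 255):
        chunk = asns[i:i + 255]
        out += bytes([AS_SEQUENCE, len(chunk)])
        out += b"".join(a.to_bytes(AS_SIZE, "big") for a in chunk)
    return out


def build_update(prefix, plen, asns, next_hop):
    """Build a complete BGP UPDATE announcing prefix/plen with the given AS path."""
    attrs = encode_attribute(ORIGIN, b"\x00")                        # origin IGP
    attrs += encode_attribute(AS_PATH, encode_as_path(asns))
    attrs += encode_attribute(NEXT_HOP, bytes(map(int, next_hop.split("."))))
    nlri = bytes([plen]) + bytes(map(int, prefix.split(".")))[:(plen + 7) // 8]
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri          # no withdrawn routes
    return MARKER + struct.pack("!HB", 19 + len(body), 2) + body     # type 2 = UPDATE


def parse_update(msg):
    """Return ({type_code: (flags, value)}, [prefix strings]) from an UPDATE."""
    if msg[:16] != MARKER or msg[18] != 2 or struct.unpack("!H", msg[16:18])[0] != len(msg):
        raise ValueError("not a well-formed BGP UPDATE")
    pos = 19
    wlen, = struct.unpack("!H", msg[pos:pos + 2]); pos += 2 + wlen
    alen, = struct.unpack("!H", msg[pos:pos + 2]); pos += 2
    end, attrs = pos + alen, {}
    while pos < end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & FLAG_EXTENDED_LENGTH:               # two-byte length field
            vlen, = struct.unpack("!H", msg[pos + 2:pos + 4]); pos += 4
        else:
            vlen = msg[pos + 2]; pos += 3
        attrs[code] = (flags, msg[pos:pos + vlen]); pos += vlen
    prefixes, pos = [], end
    while pos < len(msg):                               # NLRI: length byte + significant octets
        plen = msg[pos]; n = (plen + 7) // 8
        octets = list(msg[pos + 1:pos + 1 + n]) + [0] * (4 - n)
        prefixes.append(".".join(map(str, octets)) + f"/{plen}"); pos += 1 + n
    return attrs, prefixes


def as_path_hops(value):
    """Decode AS_PATH segments; return (hop count, flat ASN list). AS_SET = 1 hop."""
    pos, hops, asns = 0, 0, []
    while pos < len(value):
        seg_type, count = value[pos], value[pos + 1]; pos += 2
        seg = [int.from_bytes(value[pos + i * AS_SIZE:pos + (i + 1) * AS_SIZE], "big")
               for i in range(count)]
        pos += count * AS_SIZE
        hops += 1 if seg_type == AS_SET else len(seg)
        asns += seg
    return hops, asns


def check_update(msg, maxas_limit, peer):
    """Inbound maxas-limit check: an oversized path is ignored, the session is kept."""
    attrs, prefixes = parse_update(msg)
    flags, value = attrs[AS_PATH]
    hops, asns = as_path_hops(value)
    result = {"prefixes": prefixes, "hops": hops,
              "extended_length": bool(flags & FLAG_EXTENDED_LENGTH),
              "accepted": hops <= maxas_limit}
    if not result["accepted"]:                          # mirrors the IOS log line on this page
        result["log"] = (f"%BGP-6-ASPATH: Long AS path {' '.join(map(str, asns))} "
                         f"received from {peer}: More than configured MAXAS-LIMIT")
    return result


if __name__ == "__main__":
    # Constructed traffic mirroring the test bed: R1 prepends 65000 x4 for 10.1.2.0/24, R2 limit is 3
    for prefix, path in (("10.1.2.0", [65000] * 5), ("10.1.1.0", [65000])):
        print(check_update(build_update(prefix, 24, path, "10.0.7.13"), 3, "10.0.7.13"))
    # 127 two-byte ASNs already need a 256-byte AS_PATH value, so the extended-length bit is set
    print(check_update(build_update("10.1.2.0", 24, [65000] * 127, "10.0.7.13"), 3, "10.0.7.13")["extended_length"])
```

The last call shows why the "128 AS numbers" figure quoted above is approximate: with two-byte AS numbers the AS_SEQUENCE header adds two bytes, so a single segment of 127 ASNs (256 bytes) is already too long for a one-byte length field, while 126 ASNs (254 bytes) still fit.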