Introduction
This document describes the disable-peer-as-check command in Border Gateway Protocol (BGP) on the Cisco Nexus family of switches, which run the NX-OS operating system.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Nexus NX-OS Software.
- BGP Routing Protocol.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Nexus 7000
- NXOS version 7.3(0)D1(1)
This document is not restricted to specific software and hardware versions. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
When a network prefix is advertised to an eBGP peer, its Autonomous System (AS) is always prepended last to the BGP AS_PATH attribute list.
By default, Cisco Nexus NX-OS based Switches do not advertise network prefixes to eBGP peers whose AS is already found last in the BGP's network prefix AS_PATH attribute.
This behavior differs from Cisco IOS® (and Cisco IOS®-XE) based Routers and Switches where network prefixes are still advertised to eBGP peers even when the peer's AS is already in the network prefix AS_PATH attribute.
In this case, the BGP loop prevention mechanism discards the network prefix (by default) on the receiver peer and triggers an error message similar to "DENIED due to: AS-PATH contains our own AS" only when the appropriate debugs are enabled.
Note: Cisco IOS® XR based Routers behave similarly to NX-OS by default. In Cisco IOS® XR, the command as-path-loopcheck out disable can be used to modify this behavior.
Network Diagram
Configurations
R1 - Cisco IOS® |
configure terminal
!
hostname R1
!
interface Loopback0
ip address 10.255.255.1 255.255.255.255
!
interface GigabitEthernet0/1
ip address 10.1.2.1 255.255.255.0
no shutdown
!
router bgp 64512
bgp log-neighbor-changes
network 10.255.255.1 mask 255.255.255.255
neighbor 10.1.2.2 remote-as 65535
!
end
|
N7K-2 - Nexus NX-OS |
configure terminal
!
hostname N7K-2
!
feature bgp
!
interface Ethernet2/1
no switchport
ip address 10.1.2.2/24
no shutdown
interface Ethernet2/2
no switchport
ip address 10.2.3.2/24
no shutdown
!
router bgp 65535
address-family ipv4 unicast
neighbor 10.1.2.1
remote-as 64512
address-family ipv4 unicast
neighbor 10.2.3.3
remote-as 64512
address-family ipv4 unicast
!
end
|
R3 - Cisco IOS® |
configure terminal
!
hostname R3
!
interface GigabitEthernet0/1
ip address 10.2.3.3 255.255.255.0
no shutdown
!
router bgp 64512
bgp log-neighbor-changes
neighbor 10.2.3.2 remote-as 65535
!
end
|
Verify
Use this section in order to confirm that your configuration works properly.
Without the disable-peer-as-check command, N7K-2 (which runs NX-OS) does not advertise the prefix 10.255.255.1/32 to Router R3, since R3's AS (64512) is found last in the AS_PATH attribute.
Note: The command disable-peer-as-check is disabled by default in the configuration. You must manually add the command in order to enable the feature.
When N7K-2 advertises the 10.255.255.1/32 to R3, it includes AS 64512 last in the AS_PATH attribute.
This AS 64512 is the same AS configured in R3.
N7K-2 - Nexus NX-OS |
N7K-2# show bgp ipv4 unicast
BGP routing table information for VRF default, address family IPv4 Unicast
BGP table version is 17, local router ID is 10.1.2.2
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup
Network Next Hop Metric LocPrf Weight Path
*>e10.255.255.1/32 10.1.2.1 0 0 64512 i
N7K-2#
|
Observe that on R3, the debug command debug bgp ipv4 unicast has been enabled.
In order to further confirm that the route is not received, the command clear bgp ipv4 unicast * soft is executed to force the routes to be exchanged again. Router R3 does not receive the route.
R3 - Cisco IOS® |
R3#debug bgp ipv4 unicast
BGP debugging is on for address family: IPv4 Unicast
R3#
R3#clear bgp ipv4 unicast * soft
R3#
*Jul 15 19:22:36.427: BGP: 10.2.3.2 sending REFRESH_REQ(5) for afi/safi: 1/1, refresh code is 0
R3#
|
The command disable-peer-as-check must be enabled on N7K-2 so it can advertise the network prefix to R3.
N7K-2 - Nexus NX-OS |
N7K-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7K-2(config)# router bgp 65535
N7K-2(config-router)# neighbor 10.2.3.3
N7K-2(config-router-neighbor)# address-family ipv4 unicast
N7K-2(config-router-neighbor-af)# disable-peer-as-check
N7K-2(config-router-neighbor-af)#
|
With disable-peer-as-check in place on N7K-2, the route is advertised to R3 but, as expected, is discarded by the BGP loop prevention mechanism.
Observe "DENIED due to: AS-PATH contains our own AS" is seen in the debug output.
R3 - Cisco IOS® |
R3#
*Jul 15 19:29:06.440: BGP(0): 10.2.3.2 rcv UPDATE w/ attr: nexthop 10.2.3.2, origin i, originator 0.0.0.0, merged path 65535 64512, AS_PATH , community , extended community , SSA attribute
*Jul 15 19:29:06.442: BGPSSA ssacount is 0
*Jul 15 19:29:06.442: BGP(0): 10.2.3.2 rcv UPDATE about 10.255.255.1/32 -- DENIED due to: AS-PATH contains our own AS;
R3#
|
Note: If the AS of R3 is not found last in the AS_PATH attribute, N7K-2 does not need the command to advertise the route.
In this example, another AS is prepended last in the AS_PATH attribute with the use of the route-map and set as-path prepend commands. Now there is another AS before R3's AS in the AS_PATH.
The AS_PATH lists 65300 64512.
N7K-2 - Nexus NX-OS |
configure terminal
!
route-map TEST permit 10
set as-path prepend 65300
!
N7K-2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7K-2(config)# router bgp 65535
N7K-2(config-router)# neighbor 10.1.2.1
N7K-2(config-router-neighbor)# address-family ipv4 unicast
N7K-2(config-router-neighbor-af)# route-map TEST in
N7K-2(config-router-neighbor-af)#
N7K-2#
N7K-2# show bgp ipv4 unicast
BGP routing table information for VRF default, address family IPv4 Unicast
BGP table version is 18, local router ID is 10.1.2.2
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup
Network Next Hop Metric LocPrf Weight Path
*>e10.255.255.1/32 10.1.2.1 0 0 65300 64512 i
N7K-2#
|
Observe how N7K-2 advertised the route in this case without the need of disable-peer-as-check.
N7K-2 - Nexus NX-OS |
N7K-2# sh run bgp
!Command: show running-config bgp
!Time: Mon Jul 15 21:28:59 2019
version 7.3(0)D1(1)
feature bgp
router bgp 65535
address-family ipv4 unicast
neighbor 10.1.2.1
remote-as 64512
address-family ipv4 unicast
route-map TEST in
neighbor 10.2.3.3
remote-as 64512
address-family ipv4 unicast
N7K-2#
|
Notice "DENIED due to: AS-PATH contains our own AS" is seen in the debug output on R3.
R3 - Cisco IOS® |
R3#show debug
IP routing:
BGP debugging is on for address family: IPv4 Unicast
BGP updates debugging is on for address family: IPv4 Unicast
R3#
R3#clear bgp ipv4 unicast * soft
R3#
*Jul 15 21:33:11.309: BGP: 10.2.3.2 sending REFRESH_REQ(5) for afi/safi: 1/1, refresh code is 0
*Jul 15 21:33:12.312: BGP(0): 10.2.3.2 rcv UPDATE w/ attr: nexthop 10.2.3.2, origin i, originator 0.0.0.0, merged path 65535 65300 64512, AS_PATH , community , extended community , SSA attribute
*Jul 15 21:33:12.313: BGPSSA ssacount is 0
*Jul 15 21:33:12.313: BGP(0): 10.2.3.2 rcv UPDATE about 10.255.255.1/32 -- DENIED due to: AS-PATH contains our own AS;
R3#
|
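The three cases verified above can be traced with a short model of the two checks involved: the NX-OS sender-side peer-AS check and the receiver-side loop prevention. This is an added example, not Cisco code; the function names and the fourth scenario (a peer in AS 65010) are assumptions made for illustration. It shows that disable-peer-as-check and the inbound prepend only move the drop from the sender to the receiver.

```python
# Added illustration, not Cisco code: function names and the data model
# are assumptions made for this example.

def nxos_advertises(as_path, peer_as, disable_peer_as_check=False):
    """Sender-side check on NX-OS as described in this document.

    as_path is the path as displayed by 'show bgp ipv4 unicast', so the
    most recently prepended AS is as_path[0]. By default the prefix is
    withheld when that AS equals the eBGP peer's AS.
    """
    if disable_peer_as_check or not as_path:
        return True
    return as_path[0] != peer_as


def receiver_accepts(as_path, own_as):
    """Receiver-side loop prevention: deny if own AS appears anywhere."""
    return own_as not in as_path


def outcome(table_path, local_as, peer_as, disable_peer_as_check=False):
    """Follow one prefix from the sender's BGP table to the eBGP peer."""
    if not nxos_advertises(table_path, peer_as, disable_peer_as_check):
        return "not sent to peer due to: advertising AS"
    sent_path = [local_as] + table_path  # sender prepends its own AS
    if not receiver_accepts(sent_path, peer_as):
        return "DENIED due to: AS-PATH contains our own AS"
    return "accepted"


# (AS_PATH in N7K-2's table, peer AS, disable-peer-as-check configured?)
SCENARIOS = {
    "default": ([64512], 64512, False),
    "disable-peer-as-check": ([64512], 64512, True),
    "route-map TEST in": ([65300, 64512], 64512, False),
    "peer in AS 65010 (constructed)": ([64512], 65010, False),
}


def run_scenarios(local_as=65535):
    return {name: outcome(path, local_as, peer, flag)
            for name, (path, peer, flag) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:32} -> {result}")
```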
Troubleshoot
This section provides information you can use in order to troubleshoot your configuration.
In order to confirm that the BGP configuration requires the disable-peer-as-check command on NX-OS, turn on these debugs:
debug-filter bgp neighbor <eBGP_NEIGHBOR>
debug-filter bgp prefix <ROUTE_TO_BE_ADVERTISED>
debug bgp updates
debug logfile <FILE_NAME>
Observe that a message similar to "10.2.3.3 10.255.255.1/32 path-id 1 not sent to peer due to: advertising AS" is generated when there is a request to re-send the route.
N7K-2 - Nexus NX-OS |
N7K-2# debug-filter bgp neighbor 10.2.3.3
N7K-2# debug-filter bgp prefix 10.255.255.1/32
N7K-2# debug bgp updates
N7K-2#
N7K-2# debug logfile bgpdebug.log
N7K-2# show debug logfile bgpdebug.log
2019 Jul 15 21:38:12.586085 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] Continuing update run for peer 10.2.3.3 (#0)
2019 Jul 15 21:38:12.586129 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] consider sending 10.255.255.1/32 to peer 10.2.3.3, path-id 1, best-ext is off
2019 Jul 15 21:38:12.586145 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] 10.2.3.3 10.255.255.1/32 path-id 1 not sent to peer due to: advertising AS
2019 Jul 15 21:38:12.586160 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] 10.2.3.3: walked 0 nodes and packed 0/0 prefixes
2019 Jul 15 21:38:12.586177 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] Found marker dest 0xf35349f0 on xmitlist for peer 10.2.3.3 (sent prefixes: 0)
2019 Jul 15 21:38:12.586200 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] Created EOR marker UPDATE msg (len 23) to peer 10.2.3.3 afer sending 0 routes
2019 Jul 15 21:38:12.586213 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] (#24) Suspending update run for peer 10.2.3.3 (#24)
N7K-2#
|
Once done, disable the debugs with these commands:
undebug all
no debug-filter all
clear debug logfile <FILE_NAME>
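When the debug logfile is long, the two messages quoted in this document can be extracted with a small script. This is an added example, not a Cisco tool; the regular expressions are derived only from the log lines shown on this page, and the names classify, NXOS_SUPPRESSED and IOS_DENIED are assumptions. It reports whether each prefix was withheld by the NX-OS sender or dropped by the IOS receiver.

```python
import re

# NX-OS 'debug bgp updates' line: sender withheld the prefix (peer-AS check).
NXOS_SUPPRESSED = re.compile(
    r"UPD: \[(?P<afi>[^\]]+)\] (?P<peer>\S+) (?P<prefix>\S+/\d+) "
    r"path-id \d+ not sent to peer due to: advertising AS")
# IOS 'debug bgp ipv4 unicast' line: receiver dropped it (loop prevention).
IOS_DENIED = re.compile(
    r"BGP\(\d+\): (?P<peer>\S+) rcv UPDATE about (?P<prefix>\S+/\d+) "
    r"-- DENIED due to: AS-PATH contains our own AS")

# Sample lines copied from the debug output shown in this document.
SAMPLE = """\
2019 Jul 15 21:38:12.586129 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] consider sending 10.255.255.1/32 to peer 10.2.3.3, path-id 1, best-ext is off
2019 Jul 15 21:38:12.586145 bgp: 65535 [7848] (default) UPD: [IPv4 Unicast] 10.2.3.3 10.255.255.1/32 path-id 1 not sent to peer due to: advertising AS
*Jul 15 19:29:06.442: BGP(0): 10.2.3.2 rcv UPDATE about 10.255.255.1/32 -- DENIED due to: AS-PATH contains our own AS;
"""


def classify(lines):
    """Return sorted (where, peer, prefix) tuples for dropped prefixes."""
    found = set()
    for line in lines:
        m = NXOS_SUPPRESSED.search(line)
        if m:
            # Candidate for disable-peer-as-check on this neighbor.
            found.add(("suppressed-by-sender", m["peer"], m["prefix"]))
            continue
        m = IOS_DENIED.search(line)
        if m:
            found.add(("denied-by-receiver", m["peer"], m["prefix"]))
    return sorted(found)


if __name__ == "__main__":
    for where, peer, prefix in classify(SAMPLE.splitlines()):
        print(f"{where:22} peer={peer:10} prefix={prefix}")
```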