Allowas-In
This scenario demonstrates how to configure the allowas-in feature for a BGP neighbor. By default, BGP rejects routes that contain its own AS number in the AS_PATH to prevent loops. The allowas-in feature allows a router to accept routes with its own AS in the path up to a specified number of occurrences, which is useful in hub-and-spoke eBGP topologies where the same AS may appear multiple times legitimately.
Test eBGP - Allowas-in enabled
Description
Test to verify that allowas-in allows routes with own AS in the AS_PATH. DUT0 is configured with allowas-in number 3. DUT0 should now accept the route even though it contains its own AS number.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.10.0.100/24 set protocols bgp 100 neighbor peer allowas-in number 3 set protocols bgp 100 neighbor peer remote-address 10.10.0.200 set protocols bgp 100 neighbor peer remote-as 200 set protocols bgp 100 neighbor peer route-map export ALLOW-ALL set protocols bgp 100 neighbor peer route-map import ALLOW-ALL set protocols route-map ALLOW-ALL rule 10 action permit set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 1.1.1.1/24 set interfaces ethernet eth0 address 10.10.0.200/24 set protocols bgp 200 neighbor peer remote-address 10.10.0.100 set protocols bgp 200 neighbor peer remote-as 100 set protocols bgp 200 neighbor peer route-map export prepend-as set protocols bgp 200 redistribute connected set protocols route-map prepend-as rule 10 action permit set protocols route-map prepend-as rule 10 set as-path prepend 100 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify eBGP session establishes between DUT0 and DUT1.
Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:
10.10.0.200.*EstablishedShow output
IPv4 Unicast Summary: BGP router identifier 10.10.0.100, local AS number 100 VRF default vrf-id 0 BGP table version 0 RIB entries 0, using 0 bytes of memory Peers 1, using 24 KiB of memory Neighbor LocalAddr V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State PfxRcd PfxSnt Desc 10.10.0.200 10.10.0.100 4 200 3 5 0 0 0 00:00:00 Established 0 0 N/A Total number of neighbors 1
Note
With allowas-in enabled, DUT0 should accept route 1.1.1.0/24 despite containing its own AS.
Step 4: Run command protocols bgp show ip at DUT0 and check if output matches the following regular expressions:
1.1.1.0/24Show output
BGP table version is 2, local router ID is 10.10.0.100, vrf id 0 Default local pref 100, local AS 100 local address - Status codes: s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath, i internal, r RIB-failure, S Stale, R Removed Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *u 1.1.1.0/24 10.10.0.200 0 0 200 100 ? *u 10.10.0.0/24 10.10.0.200 0 0 200 100 ? Displayed 2 routes and 2 total paths
Attention
Verify the AS_PATH contains the local AS (100) prepended by DUT1.
Step 5: Run command protocols bgp show ip 1.1.1.0/24 at DUT0 and check if output matches the following regular expressions:
200 100Show output
BGP routing table entry for 1.1.1.0/24, version 1 Paths: (1 available, best #1, table default) Advertised to peers: 10.10.0.200 200 100 10.10.0.200 from 10.10.0.200 (10.10.0.200) Origin incomplete, metric 0, valid, external, best (First path received) Last update: Thu Mar 5 14:38:50 2026
Test eBGP - Allowas-in disabled (default)
Description
Test to verify that by default BGP rejects routes containing its own AS in the AS_PATH. DUT1 prepends DUT0’s AS (100) to the AS_PATH, simulating a route that has traversed DUT0’s AS. DUT0 should reject this route because it contains its own AS number.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.10.0.100/24 set protocols bgp 100 neighbor peer remote-address 10.10.0.200 set protocols bgp 100 neighbor peer remote-as 200 set protocols bgp 100 neighbor peer route-map export ALLOW-ALL set protocols bgp 100 neighbor peer route-map import ALLOW-ALL set protocols route-map ALLOW-ALL rule 10 action permit set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 1.1.1.1/24 set interfaces ethernet eth0 address 10.10.0.200/24 set protocols bgp 200 neighbor peer remote-address 10.10.0.100 set protocols bgp 200 neighbor peer remote-as 100 set protocols bgp 200 neighbor peer route-map export prepend-as set protocols bgp 200 redistribute connected set protocols route-map prepend-as rule 10 action permit set protocols route-map prepend-as rule 10 set as-path prepend 100 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify eBGP session establishes between DUT0 and DUT1.
Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:
10.10.0.200.*EstablishedShow output
IPv4 Unicast Summary: BGP router identifier 10.10.0.100, local AS number 100 VRF default vrf-id 0 BGP table version 0 RIB entries 0, using 0 bytes of memory Peers 1, using 24 KiB of memory Neighbor LocalAddr V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State PfxRcd PfxSnt Desc 10.10.0.200 10.10.0.100 4 200 3 5 0 0 0 00:00:00 Established 0 0 N/A Total number of neighbors 1
Note
DUT0 should NOT receive route 1.1.1.0/24 because it contains its own AS (100) in the AS_PATH.
Step 4: Run command protocols bgp show ip at DUT0 and check if output does not match the following regular expressions:
1.1.1.0/24Show output
No BGP prefixes displayed, 0 exist