Remove-Private-As

Scenario to verify BGP peer-group remove-private-as inheritance. When remove-private-as is configured on a peer-group, private AS numbers are stripped from the AS-path before advertising routes to members of the group.

../../../../_images/remove-private-as2.svg

Test eBGP - Without remove-private-as shows private AS in path

Description

Baseline test showing default behavior where private AS numbers are visible in the AS-path. DUT1 uses private AS 65001 and originates route 192.168.100.0/24. DUT0 (AS 100) forwards to DUT2 (member of peer-group without remove-private-as). DUT2 should see the full AS-path including the private AS number.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.10.0.100/24
set interfaces ethernet eth1 address 20.20.0.100/24
set protocols bgp 100 neighbor dut1 remote-address 10.10.0.200
set protocols bgp 100 neighbor dut1 remote-as 65001
set protocols bgp 100 neighbor dut1 route-map import PERMIT
set protocols bgp 100 neighbor dut2 peer-group MYGROUP
set protocols bgp 100 neighbor dut2 remote-address 20.20.0.200
set protocols bgp 100 peer-group MYGROUP remote-as 200
set protocols bgp 100 peer-group MYGROUP route-map export PERMIT
set protocols route-map PERMIT rule 1 action permit
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 192.168.100.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 65001 neighbor peer remote-address 10.10.0.100
set protocols bgp 65001 neighbor peer remote-as 100
set protocols bgp 65001 neighbor peer route-map export PERMIT
set protocols bgp 65001 redistribute connected
set protocols route-map PERMIT rule 1 action permit
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth0 address 20.20.0.200/24
set protocols bgp 200 neighbor peer remote-address 20.20.0.100
set protocols bgp 200 neighbor peer remote-as 100
set protocols bgp 200 neighbor peer route-map import PERMIT
set protocols route-map PERMIT rule 1 action permit
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Attention

Verify eBGP sessions establish on DUT0.

Step 4: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

20.20.0.200.*Established[\s\S]*10.10.0.200.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 20.20.0.100, local AS number 100 VRF default vrf-id 0
BGP table version 2
RIB entries 3, using 384 bytes of memory
Peers 2, using 47 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
20.20.0.200     20.20.0.100     4        200         2         2        0    0    0 00:00:01  Established (Policy)        0 N/A
10.10.0.200     10.10.0.100     4      65001         6         6        2    0    0 00:00:02  Established        2 (Policy) N/A

Total number of neighbors 2

Attention

Verify DUT2 receives route 192.168.100.0/24 with private AS 65001 in path.

Step 5: Run command protocols bgp show ip 192.168.100.0/24 at DUT2 and check if output matches the following regular expressions:

100 65001
Show output
BGP routing table entry for 192.168.100.0/24, version 2
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  100 65001
    20.20.0.100 from 20.20.0.100 (20.20.0.100)
      Origin incomplete, valid, external, best (First path received)
      Last update: Thu Mar  5 15:54:21 2026

Test eBGP - Peer-group remove-private-as strips private AS from path

Description

Test that remove-private-as configured on a peer-group strips private AS numbers from the AS-path. DUT1 (AS 65001) originates 192.168.100.0/24. DUT0 forwards to DUT2 (member of peer-group with remove-private-as). DUT2 should see only AS 100 in the path, without the private AS 65001.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.10.0.100/24
set interfaces ethernet eth1 address 20.20.0.100/24
set protocols bgp 100 neighbor dut1 remote-address 10.10.0.200
set protocols bgp 100 neighbor dut1 remote-as 65001
set protocols bgp 100 neighbor dut1 route-map import PERMIT
set protocols bgp 100 neighbor dut2 peer-group MYGROUP
set protocols bgp 100 neighbor dut2 remote-address 20.20.0.200
set protocols bgp 100 peer-group MYGROUP remote-as 200
set protocols bgp 100 peer-group MYGROUP remove-private-as
set protocols bgp 100 peer-group MYGROUP route-map export PERMIT
set protocols route-map PERMIT rule 1 action permit
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces dummy dum0 address 192.168.100.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 65001 neighbor peer remote-address 10.10.0.100
set protocols bgp 65001 neighbor peer remote-as 100
set protocols bgp 65001 neighbor peer route-map export PERMIT
set protocols bgp 65001 redistribute connected
set protocols route-map PERMIT rule 1 action permit
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth0 address 20.20.0.200/24
set protocols bgp 200 neighbor peer remote-address 20.20.0.100
set protocols bgp 200 neighbor peer remote-as 100
set protocols bgp 200 neighbor peer route-map import PERMIT
set protocols route-map PERMIT rule 1 action permit
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Attention

Verify eBGP sessions establish on DUT0.

Step 4: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

20.20.0.200.*Established[\s\S]*10.10.0.200.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 20.20.0.100, local AS number 100 VRF default vrf-id 0
BGP table version 2
RIB entries 3, using 384 bytes of memory
Peers 2, using 47 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
20.20.0.200     20.20.0.100     4        200         3         4        0    0    0 00:00:01  Established (Policy)        0 N/A
10.10.0.200     10.10.0.100     4      65001         6         6        2    0    0 00:00:02  Established        2 (Policy) N/A

Total number of neighbors 2

Attention

Verify DUT2 sees only AS 100 in the path (private AS was removed).

Step 5: Run command protocols bgp show ip 192.168.100.0/24 at DUT2 and check if output matches the following regular expressions:

(?m)^\s+100$
Show output
BGP routing table entry for 192.168.100.0/24, version 2
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  100
    20.20.0.100 from 20.20.0.100 (20.20.0.100)
      Origin incomplete, valid, external, best (First path received)
      Last update: Thu Mar  5 15:54:36 2026