Interior Vs Exterior - Learning Module

Loading content...

0/228

AS Boundaries

Where Worlds Meet

At the edge of every Autonomous System, a profound transition occurs. Inside, routers speak the language of IGPs—exchanging topology information, calculating shortest paths, optimizing for performance metrics. Outside, the conversation shifts to BGP—policy-driven, path-aware, navigating the complex politics of inter-organizational connectivity.

The AS boundary is where these worlds meet. It's where your network's internal efficiency connects to the global Internet's scalability. It's where technical metrics give way to business policies. It's where the decisions you make propagate outward to affect routing across the entire Internet.

Understanding AS boundaries is essential for anyone designing, operating, or securing Internet-connected infrastructure. These demarcation points are simultaneously the most critical and most vulnerable parts of any network architecture.

What You Will Learn

By the end of this page, you will understand the types of routers at AS boundaries (ASBR, ABR), how interior and exterior routing protocols interact, the critical role of next-hop resolution, route redistribution and filtering at boundaries, security considerations for edge routers, the business and policy implications of AS interconnection, and real-world architecture patterns for AS edge design.

Anatomy of an AS Boundary

An AS boundary is not a single device but an architectural zone where multiple functions converge. Let's dissect its components:

Key Roles at AS Boundaries:

Router Roles at AS Boundaries
Role	Protocol Context	Function
ASBR (AS Boundary Router)	BGP + IGP	Connects to external AS; runs eBGP with external peers, IGP internally
ABR (Area Border Router)	OSPF	Connects OSPF areas; summarizes routes between areas
L1/L2 Router	IS-IS	Connects IS-IS levels; similar function to OSPF ABR
Route Reflector	iBGP	Reduces iBGP full mesh by reflecting routes centrally
PE Router	MPLS VPN	Provider Edge; terminates customer connections with MP-BGP

The ASBR in Detail:

The Autonomous System Boundary Router (ASBR) is the critical device at every AS edge. It performs multiple simultaneous roles:

BGP Speaker: Maintains eBGP sessions with external peers and iBGP sessions with internal routers
Protocol Bridge: Translates between IGP's metric-based world and BGP's attribute-based world
Policy Enforcement Point: Applies import/export policies that implement business decisions
Security Perimeter: First line of defense against external routing attacks
Traffic Entry/Exit Point: Handles all traffic entering and leaving the AS

A typical ASBR runs:

eBGP to one or more external peers
iBGP to internal routers or route reflectors
An IGP (OSPF, IS-IS, EIGRP) for internal reachability
Often MPLS for traffic engineering or VPN services

Converting Mermaid diagram...

OSPF ASBR Definition

In OSPF terminology, an ASBR is specifically a router that injects external routes into OSPF—via redistribution from BGP, another routing protocol, or static routes. All ASBRs in the BGP sense are ASBRs in the OSPF sense, but OSPF also considers any router redistributing routes (even from connected interfaces or static routes) as an ASBR.

How IGP and BGP Interact at Boundaries

IGP and BGP serve complementary purposes but must work together at AS boundaries. Understanding their interaction is crucial for correct operation.

The Division of Labor:

IGP Responsibilities

•Distribute routes to internal networks
•Provide next-hop reachability for BGP routes
•Calculate optimal internal paths
•Enable iBGP session connectivity
•Respond to internal topology changes

BGP Responsibilities

•Distribute routes to external networks
•Carry policy information (AS_PATH, communities)
•Enable traffic engineering for external destinations
•Provide redundancy across multiple upstream paths
•Respond to external topology/policy changes

Critical Interaction: NEXT_HOP Resolution

One of the most important IGP-BGP interactions is next-hop resolution. When BGP learns a route, the NEXT_HOP attribute tells where to forward traffic. But this next-hop IP must be reachable:

For eBGP: The next-hop is typically the eBGP peer's IP address, which is usually directly connected (or via a static route for multi-hop eBGP)
For iBGP: By default, iBGP doesn't change the NEXT_HOP. If Router A learns a route via eBGP with NEXT_HOP 203.0.113.1, it advertises that same next-hop to iBGP peers. Those peers must have IGP reachability to 203.0.113.1.

Common Solutions for iBGP Next-Hop:

Include edge networks in IGP: Advertise the eBGP peering subnets via OSPF/IS-IS
Use next-hop-self: ASBR changes NEXT_HOP to its own address when advertising to iBGP
Redistribute connected: Include directly connected networks in IGP redistribution

If NEXT_HOP is unreachable, the BGP route is invalid and not installed in the routing table—a common troubleshooting scenario.

IGP-BGP Interaction Configuration

Cisco IOS

! ASBR Configuration showing IGP-BGP interaction
 
! === IGP Configuration (OSPF) ===
router ospf 1
 router-id 1.1.1.1
 ! Internal infrastructure networks
 network 10.0.0.0 0.255.255.255 area 0
 ! Include loopback for BGP peering
 network 192.168.255.0 0.0.0.255 area 0
 ! eBGP peering interface - needed for next-hop reachability
 ! (Alternative: use next-hop-self in BGP)
 network 203.0.113.0 0.0.0.3 area 0
 ! Mark router as ASBR (done automatically when redistributing)
 
! === BGP Configuration ===
router bgp 65000
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 
 ! eBGP peer (external)
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 description ISP-A-Primary
 neighbor 203.0.113.2 password MDFauth123
 
 ! iBGP peer (internal - via route reflector)
 neighbor 192.168.255.254 remote-as 65000  ! Same AS = iBGP
 neighbor 192.168.255.254 update-source Loopback0
 neighbor 192.168.255.254 description Route-Reflector
 neighbor 192.168.255.254 next-hop-self  ! Change NEXT_HOP for iBGP
 
 ! Address family configuration
 address-family ipv4 unicast
  neighbor 203.0.113.2 activate
  neighbor 192.168.255.254 activate
 exit-address-family

Synchronization Rule (Historical Note):

Older BGP implementations enforced "synchronization"—BGP wouldn't advertise a route unless it was also in the IGP. This prevented black-holing when internal routers didn't know how to reach the BGP next-hop. Modern networks disable synchronization (no synchronization) and rely on proper iBGP design (full mesh or route reflectors) instead.

The Black Hole Trap

If iBGP propagates a route but internal routers can't reach the next-hop, traffic is black-holed: the router accepts the packet (it has a route) but can't forward it (the next-hop is unreachable). This is why next-hop-self or IGP advertisement of edge networks is essential. Always verify next-hop reachability when troubleshooting BGP.

Route Redistribution at AS Boundaries

At AS boundaries, routes must often flow between protocols—IGP routes advertised via BGP, BGP routes injected into IGP for internal consumption. This redistribution is powerful but requires careful design.

Common Redistribution Scenarios:

Redistribution Directions and Considerations
Direction	Purpose	Considerations
IGP → BGP	Advertise internal networks externally	Filter carefully; only advertise intended public prefixes
BGP → IGP	Make external routes known internally	Usually avoided; prefer iBGP. If needed, filter and summarize
Static → BGP	Advertise static routes (often aggregates)	Common pattern for advertising aggregate prefixes
Connected → BGP	Advertise directly connected networks	Use with caution; often done via network command instead

IGP to BGP Redistribution:

When advertising your internal networks to the Internet, you typically don't redistribute all IGP routes. Instead, you:

Use BGP network statements: Explicitly specify prefixes to advertise
Aggregate at the boundary: Advertise summary routes (e.g., /22 instead of four /24s)
Filter with route-maps: If redistributing, control exactly what's included

BGP to IGP Redistribution (Caution!):

Redistributing BGP routes into IGP is generally avoided because:

Scale: The full Internet table (900,000+ prefixes) would overwhelm most IGPs
Stability: BGP churn would cause constant IGP reconvergence
iBGP exists: Internal distribution of external routes is iBGP's job

However, limited redistribution may be appropriate:

Small stub networks without iBGP capability
Injecting a default route into IGP
Specific external prefixes needed in IGP (partner networks, cloud connections)

AS Boundary Redistribution Examples

Cisco IOS

! === Advertising Internal Networks to BGP ===
! Method 1: Network statement (preferred - explicit control)
router bgp 65000
 ! Only advertise specific prefixes (must exist in routing table)
 network 198.51.100.0 mask 255.255.255.0
 network 198.51.101.0 mask 255.255.255.0
 ! Advertise aggregate
 aggregate-address 198.51.100.0 255.255.254.0 summary-only
 
! Method 2: Redistribution with strict filtering (use cautiously)
ip prefix-list ADVERTISE-TO-INTERNET seq 10 permit 198.51.100.0/23 le 24
ip prefix-list ADVERTISE-TO-INTERNET seq 100 deny 0.0.0.0/0 le 32
 
route-map OSPF-TO-BGP permit 10
 match ip address prefix-list ADVERTISE-TO-INTERNET
 set origin igp
 
router bgp 65000
 redistribute ospf 1 route-map OSPF-TO-BGP
 
! === Injecting Default Route into IGP ===
! Only if internal routers need default via IGP (not preferred)
router ospf 1
 default-information originate always
 
! === Limited BGP to IGP Redistribution ===
! Only redistribute specific external prefixes (e.g., cloud provider)
ip prefix-list AWS-PREFIXES seq 10 permit 52.94.0.0/20
ip prefix-list AWS-PREFIXES seq 20 permit 54.239.0.0/18
 
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list AWS-PREFIXES
 set metric 100
 set metric-type type-2
 
router ospf 1
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF

Aggregate Responsibly

Aggregation at AS boundaries reduces the global routing table size—a community benefit. If you own 198.51.100.0/24 through 198.51.103.0/24, advertise 198.51.100.0/22 rather than four /24s. Use the 'summary-only' keyword to suppress the component prefixes. However, ensure your aggregate doesn't include address space you don't control, which would cause traffic black-holing.

Filtering at AS Boundaries

Filtering at AS boundaries is essential for security, policy enforcement, and protecting the global routing system. Both inbound (routes you accept) and outbound (routes you advertise) filtering are critical.

Inbound Filtering (What You Accept):

Essential Inbound Filters

•Your own prefixes — Reject routes to your own address space from external peers (hijack protection)
•Bogon prefixes — Reject RFC 1918 (10/8, 172.16/12, 192.168/16), RFC 5737 (documentation), unallocated space
•Too-specific prefixes — Reject prefixes longer than /24 (or your policy threshold) to limit table size
•Too-short prefixes — Reject prefixes shorter than /8 to avoid hijacking large swaths of address space
•AS_PATH anomalies — Filter routes with private ASNs, excessively long AS_PATHs, or your own ASN in path
•RPKI-invalid routes — If deploying RPKI, reject routes that fail origin validation

Outbound Filtering (What You Advertise):

Essential Outbound Filters

•Only your prefixes — Advertise only address space you legitimately control; never leak learned routes
•Aggregate when possible — Advertise summary routes rather than individual /24s
•No customer routes to peers — Follow routing policies; customer routes should not transit via peering links (unless you're paid for transit)
•No internal/infrastructure — Don't advertise your internal management networks
•Consistent announcements — Advertise the same prefixes to all peers (unless doing traffic engineering)

AS Boundary Filtering Example

Cisco IOS

! === Inbound Filter from eBGP Peer ===
! Define bogon and unroutable prefixes
ip prefix-list BOGONS seq 5 deny 0.0.0.0/8 le 32         ! "This" network
ip prefix-list BOGONS seq 10 deny 10.0.0.0/8 le 32       ! RFC 1918
ip prefix-list BOGONS seq 15 deny 127.0.0.0/8 le 32      ! Loopback
ip prefix-list BOGONS seq 20 deny 169.254.0.0/16 le 32   ! Link-local
ip prefix-list BOGONS seq 25 deny 172.16.0.0/12 le 32    ! RFC 1918
ip prefix-list BOGONS seq 30 deny 192.0.0.0/24 le 32     ! IETF Protocol
ip prefix-list BOGONS seq 35 deny 192.0.2.0/24 le 32     ! TEST-NET-1
ip prefix-list BOGONS seq 40 deny 192.168.0.0/16 le 32   ! RFC 1918
ip prefix-list BOGONS seq 45 deny 198.18.0.0/15 le 32    ! Benchmarking
ip prefix-list BOGONS seq 50 deny 198.51.100.0/24 le 32  ! TEST-NET-2
ip prefix-list BOGONS seq 55 deny 203.0.113.0/24 le 32   ! TEST-NET-3
ip prefix-list BOGONS seq 60 deny 224.0.0.0/4 le 32      ! Multicast
ip prefix-list BOGONS seq 65 deny 240.0.0.0/4 le 32      ! Reserved
ip prefix-list BOGONS seq 100 permit 0.0.0.0/0 le 24     ! Allow up to /24
 
! Deny our own prefixes (hijack protection)
ip prefix-list DENY-OUR-PREFIX seq 10 deny 198.51.100.0/23 le 32
ip prefix-list DENY-OUR-PREFIX seq 100 permit 0.0.0.0/0 le 32
 
! Combined inbound filter
route-map INBOUND-FROM-PEER deny 10
 match ip address prefix-list BOGONS
route-map INBOUND-FROM-PEER deny 20
 match ip address prefix-list DENY-OUR-PREFIX
route-map INBOUND-FROM-PEER permit 100
 ! Optionally set LOCAL_PREF based on peer type
 set local-preference 100
 
! === Outbound Filter (Only Our Prefixes) ===
ip prefix-list OUR-PREFIXES seq 10 permit 198.51.100.0/23
ip prefix-list OUR-PREFIXES seq 20 permit 198.51.100.0/24
ip prefix-list OUR-PREFIXES seq 30 permit 198.51.101.0/24
 
route-map OUTBOUND-TO-PEER permit 10
 match ip address prefix-list OUR-PREFIXES
 
! Apply to BGP neighbor
router bgp 65000
 neighbor 203.0.113.2 route-map INBOUND-FROM-PEER in
 neighbor 203.0.113.2 route-map OUTBOUND-TO-PEER out
 neighbor 203.0.113.2 prefix-list BOGONS in     ! Additional safety
 neighbor 203.0.113.2 maximum-prefix 100000 80  ! Alert at 80%, drop at 100k

The Leak That Broke the Internet

In 2019, a small ISP accidentally leaked over 20,000 BGP routes through their network. Traffic for major providers like Amazon and Cloudflare was misrouted through this small network, which couldn't handle the load. The result: widespread outages. This happened because upstream providers didn't filter properly. Your outbound filters protect you; your inbound filters protect others from your mistakes.

Security Considerations at AS Boundaries

AS boundaries are high-value targets for attackers. Compromising or manipulating routing at these points can enable traffic interception, denial of service, or credential theft. Security must be layered and comprehensive.

BGP Session Security:

BGP Security Mechanisms
Mechanism	Protection	Configuration
MD5 Authentication	Session hijacking	neighbor x.x.x.x password <secret>
TCP-AO	Stronger than MD5, key rollover	Newer IOS versions; requires configuration
TTL Security (GTSM)	Remote session spoofing	neighbor x.x.x.x ttl-security hops 1
Maximum Prefix Limits	Table overflow DoS	neighbor x.x.x.x maximum-prefix <limit>
Prefix Filtering	Unauthorized announcements	route-maps, prefix-lists (as shown above)
RPKI/ROV	Origin hijacking	Router integration with RPKI validators

RPKI (Resource Public Key Infrastructure):

RPKI provides cryptographic verification of who is authorized to originate a prefix:

Route Origin Authorizations (ROAs): Signed attestations that AS X can originate prefix Y
RPKI Validators: Software that fetches and validates ROAs from trust anchors (RIRs)
Route Origin Validation (ROV): Routers query validators to classify routes as:
- Valid: ROA exists and matches
- Invalid: ROA exists but doesn't match (likely hijack)
- Not Found: No ROA exists (can't be validated)

RPKI Deployment:

RPKI and Security Configuration

Cisco IOS-XR

! === RPKI/ROV Configuration (IOS-XR) ===
router bgp 65000
 rpki server 192.168.100.10
  transport tcp port 3323
  refresh-time 300
 !
 rpki server 192.168.100.11  ! Redundant validator
  transport tcp port 3323
 !
 address-family ipv4 unicast
  ! Policy for RPKI-invalid routes
  route-policy RPKI-POLICY
   if validation-state is invalid then
    drop                           ! Reject hijacks
   elseif validation-state is valid then
    set local-preference 200       ! Prefer validated routes
   else
    pass                           ! Not Found - accept but no preference boost
   endif
  end-policy
 
! === Additional Security Best Practices ===
! 1. Control Plane Policing (CoPP) - protect router CPU
control-plane
 service-policy input COPP-POLICY
 
! 2. Strict uRPF on customer-facing interfaces
interface GigabitEthernet0/0/0/1
 ipv4 verify unicast source reachable-via rx  ! Strict uRPF
 
! 3. BGP session protection
router bgp 65000
 neighbor 203.0.113.2 password encrypted <hash>
 neighbor 203.0.113.2 session-open-mode passive-only  ! Only accept, don't initiate
 neighbor 203.0.113.2 ttl-security            ! GTSM for eBGP
 neighbor 203.0.113.2 maximum-prefix 100000 90 restart 30  ! Restart session after 30 min

Additional AS Boundary Security Measures

•Separate management plane — Edge routers should have out-of-band management access; don't rely on the production network for management
•Rate limiting — Limit BGP update rates, ICMP, and other control plane traffic to prevent DoS
•Logging and monitoring — Log all BGP state changes, authentication failures, and prefix limit warnings
•Peer validation — Verify peer identity out-of-band before establishing sessions; use PeeringDB for validation
•Incident response plan — Have documented procedures for hijacking incidents, including contacts at upstreams and peers

MANRS: Mutually Agreed Norms for Routing Security

MANRS is an industry initiative promoting routing security best practices. Participants commit to: filtering (prevent route leaks), anti-spoofing (prevent IP spoofing), coordination (maintain contact information), and global validation (publish routing data, implement RPKI). Consider joining MANRS as a statement of your organization's commitment to routing security.

Business and Policy Implications

AS boundaries are where technical routing meets business reality. The configurations you apply encode business decisions about which paths traffic should take, who pays whom, and how relationships are prioritized.

Types of BGP Relationships:

BGP Business Relationships
Relationship	Traffic Flow	Payment Flow	Typical LOCAL_PREF
Customer	Traffic TO or FROM customer	Customer pays you	Highest (e.g., 200)
Peer	Traffic TO or FROM peer's customers only	Settlement-free (no payment)	Medium (e.g., 150)
Transit/Upstream	Traffic anywhere on Internet	You pay them	Lowest (e.g., 100)

Encoding Business Relationships in BGP:

LOCAL_PREF is the primary tool for encoding relationship preferences:

Customer routes get highest LOCAL_PREF: You're paid to carry this traffic; prefer it
Peer routes get medium LOCAL_PREF: You've agreed to exchange traffic; use when available
Transit routes get lowest LOCAL_PREF: You're paying; use only when necessary

This implements the customer > peer > transit preference hierarchy that drives Internet economics.

Outbound Policy Considerations:

To Transit Providers: Advertise only your prefixes and customer prefixes (you're selling transit)
To Peers: Advertise your prefixes and customer prefixes (mutual exchange)
To Customers: Advertise everything—your routes, peer routes, and other transit routes (full table or default)

Valley-Free Routing:

A BGP path should follow "valley-free" rules:

Traffic goes UP (to transit), can go SIDEWAYS (between peers), then must go DOWN (to customer)
Customer → Transit → Transit → Customer is valid
Transit → Peer → Transit is NOT valid (you'd be providing free transit via peering)

Violating valley-free usually indicates a route leak.

Converting Mermaid diagram...

Contracts and SLAs

BGP relationships are backed by legal contracts. Transit agreements specify committed bandwidth, burst capacity, SLAs for latency and availability, and financial terms. Peering agreements define traffic ratios, interconnection points, and conditions for termination. Always understand the contractual implications of your BGP configurations—a misconfiguration might violate contractual terms.

AS Edge Architecture Patterns

Designing the AS edge involves selecting an architecture that balances redundancy, performance, manageability, and cost. Here are common patterns:

Pattern 1: Dual-Homed with Single ASBR per Provider

         ISP-A                ISP-B
           │                    │
         ASBR-1               ASBR-2
           │                    │
           └────── Core ─────────┘

Characteristics:

Simple, common for small-medium enterprises
Each ASBR connects to one ISP
Single point of failure per upstream
Route selection based on LOCAL_PREF per provider

Pattern 2: Dual-Homed with Dual ASBRs per Provider

         ISP-A                ISP-B
         ╱    ╲              ╱    ╲
     ASBR-1  ASBR-2      ASBR-3  ASBR-4
         ╲    ╱              ╲    ╱
           Core ──────────── Core

Characteristics:

High redundancy (no single point of failure)
More complex configuration
Better load distribution
Common for larger enterprises and service providers

Pattern 3: IXP Peering Architecture

        IXP Fabric
        ╱    │    ╲
    Peer1  Peer2  Peer3 ... PeerN
        ╲    │    ╱
         ASBR (at IXP)
              │
         Core Network

Characteristics:

Single presence at IXP, multiple peering relationships
Route servers simplify configuration
Cost-effective for many peering sessions
Colocation and cross-connect costs vs. individual peering circuits

Architecture Pattern Selection
Scenario	Recommended Pattern	Key Considerations
Small enterprise, 2 ISPs	Single ASBR per provider	Simplicity over redundancy
Medium enterprise, SLA-critical	Dual ASBR per provider	Full redundancy, more cost
Content provider, many destinations	IXP + transit	Reduce transit costs via peering
CDN/hyperscale	Multiple IXPs + private peering + transit	Maximum coverage and control
Regional ISP	Upstream transit + local IXP	Serve local traffic locally

Multi-Provider Edge Configuration

Cisco IOS

! === Dual-ISP Edge Configuration with Preference ===
 
router bgp 65000
 bgp router-id 1.1.1.1
 
 ! ISP-A: Primary Provider (higher LOCAL_PREF)
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 description ISP-A-Primary
 neighbor 203.0.113.2 route-map ISP-A-IN in
 neighbor 203.0.113.2 route-map OUTBOUND out
 
 ! ISP-B: Backup Provider (lower LOCAL_PREF)
 neighbor 198.51.100.2 remote-as 65002
 neighbor 198.51.100.2 description ISP-B-Backup
 neighbor 198.51.100.2 route-map ISP-B-IN in
 neighbor 198.51.100.2 route-map OUTBOUND out
 
! Primary provider gets highest preference
route-map ISP-A-IN permit 10
 set local-preference 200
 set community 65000:100
 
! Backup provider gets lower preference
route-map ISP-B-IN permit 10
 set local-preference 100
 set community 65000:200
 
! Outbound: advertise our prefixes
route-map OUTBOUND permit 10
 match ip address prefix-list OUR-PREFIXES
 
! For traffic engineering inbound, prepend to ISP-B
route-map OUTBOUND-TO-BACKUP permit 10
 match ip address prefix-list OUR-PREFIXES
 set as-path prepend 65000 65000    ! Make path look longer
 
! === iBGP to Distribute Routes Internally ===
 neighbor 10.255.255.253 remote-as 65000   ! Route Reflector
 neighbor 10.255.255.253 update-source Loopback0
 neighbor 10.255.255.253 next-hop-self

Capacity Planning at the Edge

Edge routers must handle: (1) Full BGP tables (900K+ IPv4, 150K+ IPv6 prefixes), (2) eBGP and iBGP sessions, (3) IGP adjacencies, (4) Line-rate traffic forwarding, (5) Potentially MPLS, BFD, and other protocols. Budget CPU, memory, and forwarding capacity accordingly. Undersized edge routers become bottlenecks or cause instability under load.

Summary: Mastering AS Boundaries

We've thoroughly explored the critical demarcation points where Autonomous Systems connect to the wider Internet. Let's consolidate the essential knowledge:

Key Takeaways

•AS boundaries are architectural zones — ASBRs simultaneously run eBGP, iBGP, and IGP, bridging internal and external routing domains.
•IGP and BGP have distinct roles — IGP handles internal paths and next-hop reachability; BGP distributes external routes with policy information.
•Next-hop resolution is critical — iBGP routes must have reachable next-hops via IGP; use next-hop-self or include edge networks in IGP.
•Redistribution requires care — Prefer explicit BGP network statements over redistribution; filter strictly if redistributing.
•Filtering protects everyone — Inbound filters protect you; outbound filters protect the Internet from your mistakes.
•Security must be layered — MD5/TCP-AO, GTSM, prefix limits, RPKI, and operational practices all contribute to secure boundaries.
•BGP encodes business relationships — LOCAL_PREF implements customer > peer > transit preferences that drive Internet economics.
•Architecture patterns vary by needs — Choose edge designs that balance redundancy, complexity, and cost for your specific requirements.

Module Complete:

With this page, we've completed our exploration of the Interior vs. Exterior routing distinction. You now understand:

How Autonomous Systems organize the Internet
The characteristics of IGP protocols (RIP, OSPF, IS-IS, EIGRP)
How BGP works as the Internet's exterior routing protocol
How to select the right routing protocol for any scenario
The architectural and operational considerations at AS boundaries

This knowledge forms the foundation for everything else in routing—from designing enterprise networks to understanding how traffic flows across the global Internet.

Module Complete

Congratulations! You've mastered the fundamental distinction between interior and exterior routing—the organizational principle that makes the Internet work. You understand Autonomous Systems, can select appropriate routing protocols, and know how to design and secure AS boundaries. This knowledge is essential for any network engineer working with Internet-connected infrastructure.

AS Boundaries

Where Worlds Meet

What You Will Learn

Anatomy of an AS Boundary

An AS boundary is not a single device but an architectural zone where multiple functions converge. Let's dissect its components:

Key Roles at AS Boundaries:

Router Roles at AS Boundaries
Role	Protocol Context	Function
ASBR (AS Boundary Router)	BGP + IGP	Connects to external AS; runs eBGP with external peers, IGP internally
ABR (Area Border Router)	OSPF	Connects OSPF areas; summarizes routes between areas
L1/L2 Router	IS-IS	Connects IS-IS levels; similar function to OSPF ABR
Route Reflector	iBGP	Reduces iBGP full mesh by reflecting routes centrally
PE Router	MPLS VPN	Provider Edge; terminates customer connections with MP-BGP

The ASBR in Detail:

The Autonomous System Boundary Router (ASBR) is the critical device at every AS edge. It performs multiple simultaneous roles:

BGP Speaker: Maintains eBGP sessions with external peers and iBGP sessions with internal routers
Protocol Bridge: Translates between IGP's metric-based world and BGP's attribute-based world
Policy Enforcement Point: Applies import/export policies that implement business decisions
Security Perimeter: First line of defense against external routing attacks
Traffic Entry/Exit Point: Handles all traffic entering and leaving the AS

A typical ASBR runs:

eBGP to one or more external peers
iBGP to internal routers or route reflectors
An IGP (OSPF, IS-IS, EIGRP) for internal reachability
Often MPLS for traffic engineering or VPN services

Converting Mermaid diagram...

OSPF ASBR Definition

How IGP and BGP Interact at Boundaries

IGP and BGP serve complementary purposes but must work together at AS boundaries. Understanding their interaction is crucial for correct operation.

The Division of Labor:

IGP Responsibilities

•Distribute routes to internal networks
•Provide next-hop reachability for BGP routes
•Calculate optimal internal paths
•Enable iBGP session connectivity
•Respond to internal topology changes

BGP Responsibilities

•Distribute routes to external networks
•Carry policy information (AS_PATH, communities)
•Enable traffic engineering for external destinations
•Provide redundancy across multiple upstream paths
•Respond to external topology/policy changes

Critical Interaction: NEXT_HOP Resolution

One of the most important IGP-BGP interactions is next-hop resolution. When BGP learns a route, the NEXT_HOP attribute tells where to forward traffic. But this next-hop IP must be reachable:

For eBGP: The next-hop is typically the eBGP peer's IP address, which is usually directly connected (or via a static route for multi-hop eBGP)
For iBGP: By default, iBGP doesn't change the NEXT_HOP. If Router A learns a route via eBGP with NEXT_HOP 203.0.113.1, it advertises that same next-hop to iBGP peers. Those peers must have IGP reachability to 203.0.113.1.

Common Solutions for iBGP Next-Hop:

Include edge networks in IGP: Advertise the eBGP peering subnets via OSPF/IS-IS
Use next-hop-self: ASBR changes NEXT_HOP to its own address when advertising to iBGP
Redistribute connected: Include directly connected networks in IGP redistribution

If NEXT_HOP is unreachable, the BGP route is invalid and not installed in the routing table—a common troubleshooting scenario.

IGP-BGP Interaction Configuration

Cisco IOS

! ASBR Configuration showing IGP-BGP interaction
 
! === IGP Configuration (OSPF) ===
router ospf 1
 router-id 1.1.1.1
 ! Internal infrastructure networks
 network 10.0.0.0 0.255.255.255 area 0
 ! Include loopback for BGP peering
 network 192.168.255.0 0.0.0.255 area 0
 ! eBGP peering interface - needed for next-hop reachability
 ! (Alternative: use next-hop-self in BGP)
 network 203.0.113.0 0.0.0.3 area 0
 ! Mark router as ASBR (done automatically when redistributing)
 
! === BGP Configuration ===
router bgp 65000
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 
 ! eBGP peer (external)
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 description ISP-A-Primary
 neighbor 203.0.113.2 password MDFauth123
 
 ! iBGP peer (internal - via route reflector)
 neighbor 192.168.255.254 remote-as 65000  ! Same AS = iBGP
 neighbor 192.168.255.254 update-source Loopback0
 neighbor 192.168.255.254 description Route-Reflector
 neighbor 192.168.255.254 next-hop-self  ! Change NEXT_HOP for iBGP
 
 ! Address family configuration
 address-family ipv4 unicast
  neighbor 203.0.113.2 activate
  neighbor 192.168.255.254 activate
 exit-address-family

Synchronization Rule (Historical Note):

The Black Hole Trap

Route Redistribution at AS Boundaries

Common Redistribution Scenarios:

Redistribution Directions and Considerations
Direction	Purpose	Considerations
IGP → BGP	Advertise internal networks externally	Filter carefully; only advertise intended public prefixes
BGP → IGP	Make external routes known internally	Usually avoided; prefer iBGP. If needed, filter and summarize
Static → BGP	Advertise static routes (often aggregates)	Common pattern for advertising aggregate prefixes
Connected → BGP	Advertise directly connected networks	Use with caution; often done via network command instead

IGP to BGP Redistribution:

When advertising your internal networks to the Internet, you typically don't redistribute all IGP routes. Instead, you:

Use BGP network statements: Explicitly specify prefixes to advertise
Aggregate at the boundary: Advertise summary routes (e.g., /22 instead of four /24s)
Filter with route-maps: If redistributing, control exactly what's included

BGP to IGP Redistribution (Caution!):

Redistributing BGP routes into IGP is generally avoided because:

Scale: The full Internet table (900,000+ prefixes) would overwhelm most IGPs
Stability: BGP churn would cause constant IGP reconvergence
iBGP exists: Internal distribution of external routes is iBGP's job

However, limited redistribution may be appropriate:

Small stub networks without iBGP capability
Injecting a default route into IGP
Specific external prefixes needed in IGP (partner networks, cloud connections)

AS Boundary Redistribution Examples

Cisco IOS

! === Advertising Internal Networks to BGP ===
! Method 1: Network statement (preferred - explicit control)
router bgp 65000
 ! Only advertise specific prefixes (must exist in routing table)
 network 198.51.100.0 mask 255.255.255.0
 network 198.51.101.0 mask 255.255.255.0
 ! Advertise aggregate
 aggregate-address 198.51.100.0 255.255.254.0 summary-only
 
! Method 2: Redistribution with strict filtering (use cautiously)
ip prefix-list ADVERTISE-TO-INTERNET seq 10 permit 198.51.100.0/23 le 24
ip prefix-list ADVERTISE-TO-INTERNET seq 100 deny 0.0.0.0/0 le 32
 
route-map OSPF-TO-BGP permit 10
 match ip address prefix-list ADVERTISE-TO-INTERNET
 set origin igp
 
router bgp 65000
 redistribute ospf 1 route-map OSPF-TO-BGP
 
! === Injecting Default Route into IGP ===
! Only if internal routers need default via IGP (not preferred)
router ospf 1
 default-information originate always
 
! === Limited BGP to IGP Redistribution ===
! Only redistribute specific external prefixes (e.g., cloud provider)
ip prefix-list AWS-PREFIXES seq 10 permit 52.94.0.0/20
ip prefix-list AWS-PREFIXES seq 20 permit 54.239.0.0/18
 
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list AWS-PREFIXES
 set metric 100
 set metric-type type-2
 
router ospf 1
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF

Aggregate Responsibly

Filtering at AS Boundaries

Inbound Filtering (What You Accept):

Essential Inbound Filters

•Your own prefixes — Reject routes to your own address space from external peers (hijack protection)
•Bogon prefixes — Reject RFC 1918 (10/8, 172.16/12, 192.168/16), RFC 5737 (documentation), unallocated space
•Too-specific prefixes — Reject prefixes longer than /24 (or your policy threshold) to limit table size
•Too-short prefixes — Reject prefixes shorter than /8 to avoid hijacking large swaths of address space
•AS_PATH anomalies — Filter routes with private ASNs, excessively long AS_PATHs, or your own ASN in path
•RPKI-invalid routes — If deploying RPKI, reject routes that fail origin validation

Outbound Filtering (What You Advertise):

Essential Outbound Filters

•Only your prefixes — Advertise only address space you legitimately control; never leak learned routes
•Aggregate when possible — Advertise summary routes rather than individual /24s
•No customer routes to peers — Follow routing policies; customer routes should not transit via peering links (unless you're paid for transit)
•No internal/infrastructure — Don't advertise your internal management networks
•Consistent announcements — Advertise the same prefixes to all peers (unless doing traffic engineering)

AS Boundary Filtering Example

Cisco IOS

! === Inbound Filter from eBGP Peer ===
! Define bogon and unroutable prefixes
ip prefix-list BOGONS seq 5 deny 0.0.0.0/8 le 32         ! "This" network
ip prefix-list BOGONS seq 10 deny 10.0.0.0/8 le 32       ! RFC 1918
ip prefix-list BOGONS seq 15 deny 127.0.0.0/8 le 32      ! Loopback
ip prefix-list BOGONS seq 20 deny 169.254.0.0/16 le 32   ! Link-local
ip prefix-list BOGONS seq 25 deny 172.16.0.0/12 le 32    ! RFC 1918
ip prefix-list BOGONS seq 30 deny 192.0.0.0/24 le 32     ! IETF Protocol
ip prefix-list BOGONS seq 35 deny 192.0.2.0/24 le 32     ! TEST-NET-1
ip prefix-list BOGONS seq 40 deny 192.168.0.0/16 le 32   ! RFC 1918
ip prefix-list BOGONS seq 45 deny 198.18.0.0/15 le 32    ! Benchmarking
ip prefix-list BOGONS seq 50 deny 198.51.100.0/24 le 32  ! TEST-NET-2
ip prefix-list BOGONS seq 55 deny 203.0.113.0/24 le 32   ! TEST-NET-3
ip prefix-list BOGONS seq 60 deny 224.0.0.0/4 le 32      ! Multicast
ip prefix-list BOGONS seq 65 deny 240.0.0.0/4 le 32      ! Reserved
ip prefix-list BOGONS seq 100 permit 0.0.0.0/0 le 24     ! Allow up to /24
 
! Deny our own prefixes (hijack protection)
ip prefix-list DENY-OUR-PREFIX seq 10 deny 198.51.100.0/23 le 32
ip prefix-list DENY-OUR-PREFIX seq 100 permit 0.0.0.0/0 le 32
 
! Combined inbound filter
route-map INBOUND-FROM-PEER deny 10
 match ip address prefix-list BOGONS
route-map INBOUND-FROM-PEER deny 20
 match ip address prefix-list DENY-OUR-PREFIX
route-map INBOUND-FROM-PEER permit 100
 ! Optionally set LOCAL_PREF based on peer type
 set local-preference 100
 
! === Outbound Filter (Only Our Prefixes) ===
ip prefix-list OUR-PREFIXES seq 10 permit 198.51.100.0/23
ip prefix-list OUR-PREFIXES seq 20 permit 198.51.100.0/24
ip prefix-list OUR-PREFIXES seq 30 permit 198.51.101.0/24
 
route-map OUTBOUND-TO-PEER permit 10
 match ip address prefix-list OUR-PREFIXES
 
! Apply to BGP neighbor
router bgp 65000
 neighbor 203.0.113.2 route-map INBOUND-FROM-PEER in
 neighbor 203.0.113.2 route-map OUTBOUND-TO-PEER out
 neighbor 203.0.113.2 prefix-list BOGONS in     ! Additional safety
 neighbor 203.0.113.2 maximum-prefix 100000 80  ! Alert at 80%, drop at 100k

The Leak That Broke the Internet

Security Considerations at AS Boundaries

BGP Session Security:

BGP Security Mechanisms
Mechanism	Protection	Configuration
MD5 Authentication	Session hijacking	neighbor x.x.x.x password <secret>
TCP-AO	Stronger than MD5, key rollover	Newer IOS versions; requires configuration
TTL Security (GTSM)	Remote session spoofing	neighbor x.x.x.x ttl-security hops 1
Maximum Prefix Limits	Table overflow DoS	neighbor x.x.x.x maximum-prefix <limit>
Prefix Filtering	Unauthorized announcements	route-maps, prefix-lists (as shown above)
RPKI/ROV	Origin hijacking	Router integration with RPKI validators

RPKI (Resource Public Key Infrastructure):

RPKI provides cryptographic verification of who is authorized to originate a prefix:

Route Origin Authorizations (ROAs): Signed attestations that AS X can originate prefix Y
RPKI Validators: Software that fetches and validates ROAs from trust anchors (RIRs)
Route Origin Validation (ROV): Routers query validators to classify routes as:
- Valid: ROA exists and matches
- Invalid: ROA exists but doesn't match (likely hijack)
- Not Found: No ROA exists (can't be validated)

RPKI Deployment:

RPKI and Security Configuration

Cisco IOS-XR

! === RPKI/ROV Configuration (IOS-XR) ===
router bgp 65000
 rpki server 192.168.100.10
  transport tcp port 3323
  refresh-time 300
 !
 rpki server 192.168.100.11  ! Redundant validator
  transport tcp port 3323
 !
 address-family ipv4 unicast
  ! Policy for RPKI-invalid routes
  route-policy RPKI-POLICY
   if validation-state is invalid then
    drop                           ! Reject hijacks
   elseif validation-state is valid then
    set local-preference 200       ! Prefer validated routes
   else
    pass                           ! Not Found - accept but no preference boost
   endif
  end-policy
 
! === Additional Security Best Practices ===
! 1. Control Plane Policing (CoPP) - protect router CPU
control-plane
 service-policy input COPP-POLICY
 
! 2. Strict uRPF on customer-facing interfaces
interface GigabitEthernet0/0/0/1
 ipv4 verify unicast source reachable-via rx  ! Strict uRPF
 
! 3. BGP session protection
router bgp 65000
 neighbor 203.0.113.2 password encrypted <hash>
 neighbor 203.0.113.2 session-open-mode passive-only  ! Only accept, don't initiate
 neighbor 203.0.113.2 ttl-security            ! GTSM for eBGP
 neighbor 203.0.113.2 maximum-prefix 100000 90 restart 30  ! Restart session after 30 min

Additional AS Boundary Security Measures

•Separate management plane — Edge routers should have out-of-band management access; don't rely on the production network for management
•Rate limiting — Limit BGP update rates, ICMP, and other control plane traffic to prevent DoS
•Logging and monitoring — Log all BGP state changes, authentication failures, and prefix limit warnings
•Peer validation — Verify peer identity out-of-band before establishing sessions; use PeeringDB for validation
•Incident response plan — Have documented procedures for hijacking incidents, including contacts at upstreams and peers

MANRS: Mutually Agreed Norms for Routing Security

Business and Policy Implications

Types of BGP Relationships:

BGP Business Relationships
Relationship	Traffic Flow	Payment Flow	Typical LOCAL_PREF
Customer	Traffic TO or FROM customer	Customer pays you	Highest (e.g., 200)
Peer	Traffic TO or FROM peer's customers only	Settlement-free (no payment)	Medium (e.g., 150)
Transit/Upstream	Traffic anywhere on Internet	You pay them	Lowest (e.g., 100)

Encoding Business Relationships in BGP:

LOCAL_PREF is the primary tool for encoding relationship preferences:

Customer routes get highest LOCAL_PREF: You're paid to carry this traffic; prefer it
Peer routes get medium LOCAL_PREF: You've agreed to exchange traffic; use when available
Transit routes get lowest LOCAL_PREF: You're paying; use only when necessary

This implements the customer > peer > transit preference hierarchy that drives Internet economics.

Outbound Policy Considerations:

To Transit Providers: Advertise only your prefixes and customer prefixes (you're selling transit)
To Peers: Advertise your prefixes and customer prefixes (mutual exchange)
To Customers: Advertise everything—your routes, peer routes, and other transit routes (full table or default)

Valley-Free Routing:

A BGP path should follow "valley-free" rules:

Traffic goes UP (to transit), can go SIDEWAYS (between peers), then must go DOWN (to customer)
Customer → Transit → Transit → Customer is valid
Transit → Peer → Transit is NOT valid (you'd be providing free transit via peering)

Violating valley-free usually indicates a route leak.

Converting Mermaid diagram...

Contracts and SLAs

AS Edge Architecture Patterns

Designing the AS edge involves selecting an architecture that balances redundancy, performance, manageability, and cost. Here are common patterns:

Pattern 1: Dual-Homed with Single ASBR per Provider

         ISP-A                ISP-B
           │                    │
         ASBR-1               ASBR-2
           │                    │
           └────── Core ─────────┘

Characteristics:

Simple, common for small-medium enterprises
Each ASBR connects to one ISP
Single point of failure per upstream
Route selection based on LOCAL_PREF per provider

Pattern 2: Dual-Homed with Dual ASBRs per Provider

         ISP-A                ISP-B
         ╱    ╲              ╱    ╲
     ASBR-1  ASBR-2      ASBR-3  ASBR-4
         ╲    ╱              ╲    ╱
           Core ──────────── Core

Characteristics:

High redundancy (no single point of failure)
More complex configuration
Better load distribution
Common for larger enterprises and service providers

Pattern 3: IXP Peering Architecture

        IXP Fabric
        ╱    │    ╲
    Peer1  Peer2  Peer3 ... PeerN
        ╲    │    ╱
         ASBR (at IXP)
              │
         Core Network

Characteristics:

Single presence at IXP, multiple peering relationships
Route servers simplify configuration
Cost-effective for many peering sessions
Colocation and cross-connect costs vs. individual peering circuits

Architecture Pattern Selection
Scenario	Recommended Pattern	Key Considerations
Small enterprise, 2 ISPs	Single ASBR per provider	Simplicity over redundancy
Medium enterprise, SLA-critical	Dual ASBR per provider	Full redundancy, more cost
Content provider, many destinations	IXP + transit	Reduce transit costs via peering
CDN/hyperscale	Multiple IXPs + private peering + transit	Maximum coverage and control
Regional ISP	Upstream transit + local IXP	Serve local traffic locally

Multi-Provider Edge Configuration

Cisco IOS

! === Dual-ISP Edge Configuration with Preference ===
 
router bgp 65000
 bgp router-id 1.1.1.1
 
 ! ISP-A: Primary Provider (higher LOCAL_PREF)
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 description ISP-A-Primary
 neighbor 203.0.113.2 route-map ISP-A-IN in
 neighbor 203.0.113.2 route-map OUTBOUND out
 
 ! ISP-B: Backup Provider (lower LOCAL_PREF)
 neighbor 198.51.100.2 remote-as 65002
 neighbor 198.51.100.2 description ISP-B-Backup
 neighbor 198.51.100.2 route-map ISP-B-IN in
 neighbor 198.51.100.2 route-map OUTBOUND out
 
! Primary provider gets highest preference
route-map ISP-A-IN permit 10
 set local-preference 200
 set community 65000:100
 
! Backup provider gets lower preference
route-map ISP-B-IN permit 10
 set local-preference 100
 set community 65000:200
 
! Outbound: advertise our prefixes
route-map OUTBOUND permit 10
 match ip address prefix-list OUR-PREFIXES
 
! For traffic engineering inbound, prepend to ISP-B
route-map OUTBOUND-TO-BACKUP permit 10
 match ip address prefix-list OUR-PREFIXES
 set as-path prepend 65000 65000    ! Make path look longer
 
! === iBGP to Distribute Routes Internally ===
 neighbor 10.255.255.253 remote-as 65000   ! Route Reflector
 neighbor 10.255.255.253 update-source Loopback0
 neighbor 10.255.255.253 next-hop-self

Capacity Planning at the Edge

Summary: Mastering AS Boundaries

We've thoroughly explored the critical demarcation points where Autonomous Systems connect to the wider Internet. Let's consolidate the essential knowledge:

Key Takeaways

•AS boundaries are architectural zones — ASBRs simultaneously run eBGP, iBGP, and IGP, bridging internal and external routing domains.
•IGP and BGP have distinct roles — IGP handles internal paths and next-hop reachability; BGP distributes external routes with policy information.
•Next-hop resolution is critical — iBGP routes must have reachable next-hops via IGP; use next-hop-self or include edge networks in IGP.
•Redistribution requires care — Prefer explicit BGP network statements over redistribution; filter strictly if redistributing.
•Filtering protects everyone — Inbound filters protect you; outbound filters protect the Internet from your mistakes.
•Security must be layered — MD5/TCP-AO, GTSM, prefix limits, RPKI, and operational practices all contribute to secure boundaries.
•BGP encodes business relationships — LOCAL_PREF implements customer > peer > transit preferences that drive Internet economics.
•Architecture patterns vary by needs — Choose edge designs that balance redundancy, complexity, and cost for your specific requirements.

Module Complete:

With this page, we've completed our exploration of the Interior vs. Exterior routing distinction. You now understand:

How Autonomous Systems organize the Internet
The characteristics of IGP protocols (RIP, OSPF, IS-IS, EIGRP)
How BGP works as the Internet's exterior routing protocol
How to select the right routing protocol for any scenario
The architectural and operational considerations at AS boundaries

This knowledge forms the foundation for everything else in routing—from designing enterprise networks to understanding how traffic flows across the global Internet.

Module Complete