Page MenuHomeVyOS Platform
Create Task
Maniphest T7985

bgp: enable enforce-first-as by default for BGP
Closed, DuplicatePublicBUG
Actions

Description

In FRR 10.0 this feature is now enabled by default: https://frrouting.org/release/10.0/

bgp enforce-first-as

To configure a router to deny an update received from an external BGP (eBGP) peer that does not list its autonomous system number at the beginning of the AS_PATH in the incoming update, use the bgp enforce-first-as command in router configuration mode.

In order to exclude an arbitrary neighbor from this enforcement, use the command no neighbor NAME enforce-first-as. And vice-versa if a global enforcement is disabled, you can override this behavior per neighbor too.

Default: enabled.

Note If you have a peering to RS (Route-Server), most likely you MUST disable the first AS enforcement.

The default in FRR changed - we need to address this change in VyOS

Details

Version
2025.11.02-0021-rolling
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Event Timeline

c-po created this task.Nov 2 2025, 6:46 AM
c-po claimed this task.
c-po triaged this task as Normal priority.
c-po added a project: VyOS 1.5 Circinus (1.5-stream-2025-Q4).
c-po closed this task as a duplicate of T7214: BGP: Add an option to disable "enforce-first-as".
pasik subscribed.Nov 2 2025, 8:36 AM