BGP Confederations
Table of Contents
BGP Confederations
A BGP autonomous system supports confederations of sub-autonomous
systems to reduce full mesh.
BGP confederations provide a way to divide an autonomous
system (AS) into two or more sub-autonomous systems (sub-AS) to
reduce the burden that the full mesh requirement for IBGP causes.
The firewalls (or other routing devices) within a sub-AS must still
have a full iBGP mesh with the other firewalls in the same sub-AS.
You need BGP peering between sub-autonomous systems for full connectivity
within the main AS. The firewalls peering with each other within
a sub-AS form an IBGP confederation peering. The firewall in one
sub-AS peering with a firewall in a different sub-AS form an EBGP
confederation peering. Two firewalls from different autonomous systems
that connect are EBGP peers.
Autonomous systems are identified with a public (globally-assigned)
AS number, such as AS 24 and AS 25 in the preceding figure. In a
PAN-OS environment, you assign each sub-AS a unique Confederation
Member AS number, which is a private number seen only within the
AS. In this figure, the confederations are AS 65100 and AS 65110.
(RFC6996,
Autonomous System (AS) Reservation for Private Use, indicates that
the IANA reserves AS numbers 64512-65534 for private use.)
The sub-AS confederations seem like full autonomous systems to
each other within the AS. However, when the firewall sends an AS
path to an EBGP peer, only the public AS number appears in the AS
path; no private sub-AS (Confederation Member AS) numbers are included.
BGP peering occurs between the firewall and R2; the firewall
in the figure has these relevant configuration settings:
- AS number—24
- Confederation Member AS—65100
- Peering Type—EBGP confed
- Peer AS—65110
Router 2 (R2) in AS 65110 is configured as follows:
- AS number—24
- Confederation Member AS—65110
- Peering Type—EBGP confed
- Peer AS—65100
BGP peering also occurs between the firewall and R1. The firewall
has the following additional configuration:
- AS number—24
- Confederation Member AS—65100
- Peering Type—IBGP confed
- Peer AS—65110
R1 is configured as follows:
- AS number—24
- Confederation Member AS—65110
- Peering Type—IBGP confed
- Peer AS—65100
BGP peering occurs between the firewall and R5. The firewall
has the following additional configuration:
- AS number—24
- Confederation Member AS—65100
- Peering Type—EBGP
- Peer AS—25
R5 is configured as follows:
- AS—25
- Peering Type—EBGP
- Peer AS—24
After the firewall is configured to peer with R1, R2, and R5,
its peers are visible on the
Peer Group
tab:
The firewall shows the R1, R2, and R5 peers:
To verify that the routes from the firewall to the peers are
established, on the virtual router’s screen, select
More
Runtime Stats
and select the Peer
tab.
Select the
Local RIB
tab to view information
about the routes stored in the Routing Information Base (RIB).
Then select the
RIB Out
tab.