Focus

BGP Confederations

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
Networking
Version
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
Incidents & Alerts
Release Notes
Version
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW

Configure a BGP Peer with MP-BGP for IPv4 Multicast

IP Multicast

BGP Confederations

A BGP autonomous system supports confederations of sub-autonomous systems to reduce full mesh.

BGP confederations provide a way to divide an autonomous system (AS) into two or more sub-autonomous systems (sub-AS) to reduce the burden that the full mesh requirement for IBGP causes. The firewalls (or other routing devices) within a sub-AS must still have a full iBGP mesh with the other firewalls in the same sub-AS. You need BGP peering between sub-autonomous systems for full connectivity within the main AS. The firewalls peering with each other within a sub-AS form an IBGP confederation peering. The firewall in one sub-AS peering with a firewall in a different sub-AS form an EBGP confederation peering. Two firewalls from different autonomous systems that connect are EBGP peers.

Autonomous systems are identified with a public (globally-assigned) AS number, such as AS 24 and AS 25 in the preceding figure. In a PAN-OS environment, you assign each sub-AS a unique Confederation Member AS number, which is a private number seen only within the AS. In this figure, the confederations are AS 65100 and AS 65110. (RFC6996, Autonomous System (AS) Reservation for Private Use, indicates that the IANA reserves AS numbers 64512-65534 for private use.)

The sub-AS confederations seem like full autonomous systems to each other within the AS. However, when the firewall sends an AS path to an EBGP peer, only the public AS number appears in the AS path; no private sub-AS (Confederation Member AS) numbers are included.

BGP peering occurs between the firewall and R2; the firewall in the figure has these relevant configuration settings:

AS number—24
Confederation Member AS—65100
Peering Type—EBGP confed
Peer AS—65110

Router 2 (R2) in AS 65110 is configured as follows:

AS number—24
Confederation Member AS—65110
Peering Type—EBGP confed
Peer AS—65100

BGP peering also occurs between the firewall and R1. The firewall has the following additional configuration:

AS number—24
Confederation Member AS—65100
Peering Type—IBGP confed
Peer AS—65110

R1 is configured as follows:

AS number—24
Confederation Member AS—65110
Peering Type—IBGP confed
Peer AS—65100

BGP peering occurs between the firewall and R5. The firewall has the following additional configuration:

AS number—24
Confederation Member AS—65100
Peering Type—EBGP
Peer AS—25

R5 is configured as follows:

AS—25
Peering Type—EBGP
Peer AS—24

After the firewall is configured to peer with R1, R2, and R5, its peers are visible on the Peer Group tab:

The firewall shows the R1, R2, and R5 peers:

To verify that the routes from the firewall to the peers are established, on the virtual router’s screen, select More Runtime Stats and select the Peer tab.