BGP Confederations
A BGP autonomous system can be divided into confederations of sub-autonomous systems to reduce the IBGP full-mesh requirement.
BGP confederations provide a way to divide an autonomous
system (AS) into two or more sub-autonomous systems (sub-AS) to
reduce the burden of the full-mesh requirement that IBGP imposes.
The firewalls (or other routing devices) within a sub-AS must still
form a full IBGP mesh with the other firewalls in the same sub-AS,
but the mesh no longer has to span the whole AS. BGP peering between
the sub-autonomous systems provides full connectivity within the main
AS. Two firewalls peering with each other within a sub-AS form an
IBGP confederation peering. A firewall in one sub-AS peering with a
firewall in a different sub-AS forms an EBGP confederation peering.
Two firewalls in different autonomous systems that connect are EBGP peers.

Autonomous systems are identified by a public (globally assigned)
AS number, such as AS 24 and AS 25 in the preceding figure. In a
PAN-OS environment, you assign each sub-AS a unique Confederation
Member AS number, which is a private number seen only within the
AS. In this figure, the Confederation Member AS numbers are 65100 and
65110. (RFC 6996, Autonomous System (AS) Reservation for Private Use,
indicates that IANA reserves AS numbers 64512-65534 for private use.)
The sub-AS confederations appear to each other as full autonomous
systems within the AS, and the Confederation Member AS numbers do
travel in the AS path between sub-autonomous systems so that a route
looping inside the confederation can be detected. However, when the
firewall sends an AS path to an EBGP peer outside the AS, only the
public AS number appears in the AS path; no private sub-AS
(Confederation Member AS) numbers are included.
BGP peering occurs between the firewall and R2; the firewall
in the figure has these relevant configuration settings:
- AS number—24
- Confederation Member AS—65100
- Peering Type—EBGP confed
- Peer AS—65110

Router 2 (R2), in sub-AS 65110, is configured as follows:
- AS number—24
- Confederation Member AS—65110
- Peering Type—EBGP confed
- Peer AS—65100
BGP peering also occurs between the firewall and R1. Because R1 is
in the same sub-AS as the firewall, the two form an IBGP confederation
peering, and each side uses the shared Confederation Member AS (65100)
as its peer AS. The firewall has the following additional configuration:
- AS number—24
- Confederation Member AS—65100
- Peering Type—IBGP confed
- Peer AS—65100
R1 is configured as follows:
- AS number—24
- Confederation Member AS—65100
- Peering Type—IBGP confed
- Peer AS—65100
BGP peering occurs between the firewall and R5, which is in a
different autonomous system (AS 25) and therefore outside the
confederation. The firewall has the following additional configuration:
- AS number—24
- Confederation Member AS—65100
- Peering Type—EBGP
- Peer AS—25
R5 is configured as follows (it has no Confederation Member AS):
- AS number—25
- Peering Type—EBGP
- Peer AS—24
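The peering classification above (IBGP confed, EBGP confed, EBGP) and the rule that Confederation Member AS numbers never reach an EBGP peer can be modelled in a few functions. The following is an added example, not PAN-OS code: it applies the AS_PATH segment rules of RFC 5065 to the page's topology (firewall in AS 24 / member AS 65100, R1 in member AS 65100, R2 in member AS 65110, R5 in AS 25). The external router "R9" in AS 26 is an assumption added to show what a router outside AS 24 finally receives after R2 re-advertises a route.

```python
"""
Worked model of confederation peering types and AS_PATH handling.

Added example, not PAN-OS code. It models the rules described on this
page (IBGP confed / EBGP confed / EBGP classification, and stripping of
Confederation Member AS numbers before a route reaches an EBGP peer)
using the AS_PATH segment types of RFC 5065. "R9" in AS 26 is assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AS_SEQUENCE = "AS_SEQUENCE"                # public AS numbers, visible everywhere
AS_CONFED_SEQUENCE = "AS_CONFED_SEQUENCE"  # member AS numbers, confined to the AS
PRIVATE_16BIT_ASNS = range(64512, 65535)   # RFC 6996: 64512-65534 inclusive

# An AS_PATH is a list of (segment type, [ASN, ...]); index 0 is the most recent hop.
AsPath = List[Tuple[str, List[int]]]


@dataclass(frozen=True)
class Speaker:
    name: str
    asn: int                         # public (globally assigned) AS number
    member_as: Optional[int] = None  # Confederation Member AS; None outside a confederation


def peering_type(local: Speaker, peer: Speaker) -> str:
    """Classify the session the way the page's Peering Type setting does."""
    if local.asn != peer.asn:
        return "EBGP"
    if local.member_as is None or peer.member_as is None:
        return "IBGP"
    return "IBGP confed" if local.member_as == peer.member_as else "EBGP confed"


def valid_member_as(member_as: int) -> bool:
    """A Confederation Member AS should be taken from the RFC 6996 private range."""
    return member_as in PRIVATE_16BIT_ASNS


def as_path_to_send(local: Speaker, peer: Speaker, as_path: AsPath) -> AsPath:
    """Return the AS_PATH that `local` advertises to `peer` for a route carrying `as_path`."""
    kind = peering_type(local, peer)
    copied = [(seg, list(asns)) for seg, asns in as_path]
    if kind in ("IBGP", "IBGP confed"):
        return copied                                   # unchanged inside a (sub-)AS
    if kind == "EBGP confed":
        # Prepend the member AS inside an AS_CONFED_SEQUENCE; extend a leading one if present.
        if copied and copied[0][0] == AS_CONFED_SEQUENCE:
            copied[0] = (AS_CONFED_SEQUENCE, [local.member_as] + copied[0][1])
        else:
            copied.insert(0, (AS_CONFED_SEQUENCE, [local.member_as]))
        return copied
    # Plain EBGP: every confederation segment is dropped, then the public AS is prepended.
    public = [(seg, asns) for seg, asns in copied if seg != AS_CONFED_SEQUENCE]
    if public and public[0][0] == AS_SEQUENCE:
        public[0] = (AS_SEQUENCE, [local.asn] + public[0][1])
    else:
        public.insert(0, (AS_SEQUENCE, [local.asn]))
    return public


def accept(local: Speaker, as_path: AsPath) -> bool:
    """Loop check on a received route: our public AS in an AS_SEQUENCE, or our member AS
    in an AS_CONFED_SEQUENCE, means the route has already passed through us."""
    for seg, asns in as_path:
        if seg == AS_SEQUENCE and local.asn in asns:
            return False
        if seg == AS_CONFED_SEQUENCE and local.member_as is not None and local.member_as in asns:
            return False
    return True


def walk_page_topology() -> dict:
    """Propagate one prefix originated by R5 through the page's topology."""
    fw = Speaker("firewall", 24, 65100)
    r1 = Speaker("R1", 24, 65100)
    r2 = Speaker("R2", 24, 65110)
    r5 = Speaker("R5", 25)
    r9 = Speaker("R9", 26)                       # assumed EBGP neighbour of R2, not on the page
    from_r5 = as_path_to_send(r5, fw, [])        # R5 originates: AS_SEQUENCE [25]
    fw_to_r2 = as_path_to_send(fw, r2, from_r5)  # EBGP confed: member AS 65100 added
    return {
        "fw_to_r1": as_path_to_send(fw, r1, from_r5),    # IBGP confed: unchanged
        "fw_to_r2": fw_to_r2,
        "r2_to_r9": as_path_to_send(r2, r9, fw_to_r2),   # EBGP: 65100/65110 gone, AS 24 prepended
        "fw_own_to_r5": as_path_to_send(fw, r5, []),     # firewall's own prefix: only AS 24
        # A path that already carries our member AS is a loop and must be rejected.
        "fw_rejects_own_loop": not accept(fw, [(AS_CONFED_SEQUENCE, [65110, 65100]),
                                               (AS_SEQUENCE, [25])]),
    }


if __name__ == "__main__":
    for label, value in walk_page_topology().items():
        print(f"{label}: {value}")
```

Running the block shows the firewall's route to R2 carrying `AS_CONFED_SEQUENCE [65100]` ahead of `AS_SEQUENCE [25]`, while R2's re-advertisement to the assumed external peer collapses to `AS_SEQUENCE [24, 25]`, which is exactly what the RIB Out tab for the EBGP peer should show: the public AS only, never 65100 or 65110.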
After the firewall is configured to peer with R1, R2, and R5,
the three peers are listed on the Peer Group tab of the BGP
configuration.
To verify that the BGP sessions with the peers are established,
on the virtual router's screen select More Runtime Stats and then,
under BGP, select the Peer tab and check that each of R1, R2, and R5
shows an established state. Select the Local RIB tab to view the
routes stored in the Routing Information Base (RIB). Then select the
RIB Out tab to view the routes the firewall advertises to each peer;
the AS path sent to R5 should carry only the public AS number (24)
and no Confederation Member AS numbers.