Document:PAN-OS® Networking Administrator’s Guide

BGP Confederations

Filter

Networking
- Networking Introduction
Configure Interfaces
- Tap Interfaces
- Virtual Wire Interfaces
- Layer 2 Interfaces
- Layer 3 Interfaces
  - Configure Layer 3 Interfaces
  - Manage IPv6 Hosts Using NDP
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
Virtual Routers
- Virtual Router Overview
- Configure Virtual Routers
Service Routes
- Service Routes Overview
- Configure Service Routes
Static Routes
- Static Route Overview
- Static Route Removal Based on Path Monitoring
- Configure a Static Route
- Configure Path Monitoring for a Static Route
RIP
- RIP Overview
- Configure RIP
OSPF
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation
BGP
- BGP Overview
- MP-BGP
- Configure BGP
- Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
- Configure a BGP Peer with MP-BGP for IPv4 Multicast
- BGP Confederations
IP Multicast
- IGMP
- PIM
- Configure IP Multicast
- View IP Multicast Information
Route Redistribution
- Route Redistribution Overview
- Configure Route Redistribution
GRE Tunnels
- GRE Tunnel Overview
- Create a GRE Tunnel
DHCP
- DHCP Overview
- Firewall as a DHCP Server and Client
- DHCP Messages
- DHCP Addressing
  - DHCP Address Allocation Methods
  - DHCP Leases
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCP Client
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP
DNS
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
DDNS
- Dynamic DNS Overview
- Configure Dynamic DNS for Firewall Interfaces
NAT
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples
NPTv6
- NPTv6 Overview
  - Unique Local Addresses
  - Reasons to Use NPTv6
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy
NAT64
- NAT64 Overview
- IPv4-Embedded IPv6 Address
- DNS64 Server
- Path MTU Discovery
- IPv6-Initiated Communication
- Configure NAT64 for IPv6-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication with Port Translation
ECMP
- ECMP Load-Balancing Algorithms
- Configure ECMP on a Virtual Router
- Enable ECMP for Multiple BGP Autonomous Systems
- Verify ECMP
LLDP
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics
BFD
- BFD Overview
- Configure BFD
- Reference: BFD Details
Session Settings and Timeouts
- Transport Layer Sessions
- TCP
- UDP
- ICMP
  - Security Policy Rules Based on ICMP and ICMPv6 Packets
  - ICMPv6 Rate Limiting
- Control Specific ICMP or ICMPv6 Types and Codes
- Configure Session Timeouts
- Configure Session Settings
- Session Distribution Policies
  - Session Distribution Policy Descriptions
  - Change the Session Distribution Policy and View Statistics
- Prevent TCP Split Handshake Session Establishment
Tunnel Content Inspection
- Tunnel Content Inspection Overview
- Configure Tunnel Content Inspection
- View Inspected Tunnel Activity
- View Tunnel Information in Logs
- Create a Custom Report Based on Tagged Tunnel Traffic
- Tunnel Acceleration Behavior
- Disable Tunnel Acceleration
Network Packet Broker
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker

BGP Confederations

A BGP autonomous system supports confederations of sub-autonomous systems to reduce full mesh.

BGP confederations provide a way to divide an autonomous system (AS) into two or more sub-autonomous systems (sub-AS) to reduce the burden that the full mesh requirement for IBGP causes. The firewalls (or other routing devices) within a sub-AS must still have a full iBGP mesh with the other firewalls in the same sub-AS. You need BGP peering between sub-autonomous systems for full connectivity within the main AS. The firewalls peering with each other within a sub-AS form an IBGP confederation peering. The firewall in one sub-AS peering with a firewall in a different sub-AS form an EBGP confederation peering. Two firewalls from different autonomous systems that connect are EBGP peers.

Autonomous systems are identified with a public (globally-assigned) AS number, such as AS 24 and AS 25 in the preceding figure. In a PAN-OS environment, you assign each sub-AS a unique Confederation Member AS number, which is a private number seen only within the AS. In this figure, the confederations are AS 65100 and AS 65110. (RFC6996, Autonomous System (AS) Reservation for Private Use, indicates that the IANA reserves AS numbers 64512-65534 for private use.)

The sub-AS confederations seem like full autonomous systems to each other within the AS. However, when the firewall sends an AS path to an EBGP peer, only the public AS number appears in the AS path; no private sub-AS (Confederation Member AS) numbers are included.

BGP peering occurs between the firewall and R2; the firewall in the figure has these relevant configuration settings:

AS number—24

Confederation Member AS—65100

Peering Type—EBGP confed

Peer AS—65110

Router 2 (R2) in AS 65110 is configured as follows:

AS number—24

Confederation Member AS—65110

Peering Type—EBGP confed

Peer AS—65100

BGP peering also occurs between the firewall and R1. The firewall has the following additional configuration:

AS number—24

Confederation Member AS—65100

Peering Type—IBGP confed

Peer AS—65110

R1 is configured as follows:

AS number—24

Confederation Member AS—65110

Peering Type—IBGP confed

Peer AS—65100

BGP peering occurs between the firewall and R5. The firewall has the following additional configuration:

AS number—24

Confederation Member AS—65100

Peering Type—EBGP

Peer AS—25

R5 is configured as follows:

AS—25

Peering Type—EBGP

Peer AS—24

After the firewall is configured to peer with R1, R2, and R5, its peers are visible on the

Peer Group

tab:

The firewall shows the R1, R2, and R5 peers:

To verify that the routes from the firewall to the peers are established, on the virtual router’s screen, select

More Runtime Stats

and select the

Peer

tab.

Select the

Local RIB

tab to view information about the routes stored in the Routing Information Base (RIB).

Then select the

RIB Out

tab.

Document:PAN-OS® Networking Administrator’s Guide

BGP Confederations

Table of Contents

BGP Confederations

Most Popular

Recommended For You

Document:PAN-OS® Networking Administrator’s Guide

BGP Confederations

Table of Contents

BGP Confederations

Most Popular

Recommended For You

Recommended Videos