BGP Confederations

A BGP autonomous system supports confederations of sub-autonomous systems to reduce full mesh.
BGP confederations provide a way to divide an autonomous system (AS) into two or more sub-autonomous systems (sub-AS) to reduce the burden that the full mesh requirement for IBGP causes. The firewalls (or other routing devices) within a sub-AS must still have a full IBGP mesh with the other firewalls in the same sub-AS. You also need BGP peering between the sub-autonomous systems for full connectivity within the main AS. Firewalls peering with each other within the same sub-AS form an IBGP confederation peering. A firewall in one sub-AS peering with a firewall in a different sub-AS forms an EBGP confederation peering. Two firewalls in different autonomous systems that connect to each other are EBGP peers.
bgp_confederations.png
Autonomous systems are identified with a public (globally assigned) AS number, such as AS 24 and AS 25 in the preceding figure. In a PAN-OS environment, you assign each sub-AS a unique Confederation Member AS number, which is a private number seen only within the AS. In this figure, the sub-AS confederations are Confederation Member AS 65100 and AS 65110. (RFC6996, Autonomous System (AS) Reservation for Private Use, indicates that the IANA reserves AS numbers 64512-65534 for private use.)
The sub-AS confederations appear to each other as full autonomous systems within the AS. However, when the firewall sends an AS path to an EBGP peer, only the public AS number appears in the AS path; no private sub-AS (Confederation Member AS) numbers are included, so the internal structure of the AS is not exposed outside it.
BGP peering occurs between the firewall and R2; the firewall in the figure has these relevant configuration settings:
  • AS number—24
  • Confederation Member AS—65100
  • Peering Type—EBGP confed
  • Peer AS—65110
bgp_confed_as_num.png
Router 2 (R2) in sub-AS 65110 is configured as follows:
  • AS number—24
  • Confederation Member AS—65110
  • Peering Type—EBGP confed
  • Peer AS—65100
BGP peering also occurs between the firewall and R1. The firewall has the following additional configuration:
  • AS number—24
  • Confederation Member AS—65100
  • Peering Type—IBGP confed
  • Peer AS—65110
R1 is configured as follows:
  • AS number—24
  • Confederation Member AS—65110
  • Peering Type—IBGP confed
  • Peer AS—65100
BGP peering occurs between the firewall and R5. The firewall has the following additional configuration:
  • AS number—24
  • Confederation Member AS—65100
  • Peering Type—EBGP
  • Peer AS—25
R5 is configured as follows:
  • AS—25
  • Peering Type—EBGP
  • Peer AS—24
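The AS path behavior described above, worked through for this topology, as an added example (not PAN-OS code): a small model of how a confederation router builds the AS_PATH attribute per RFC 5065 for the three peering types on this page, plus the checks an operator can run on paths learned from an external peer to catch Confederation Member AS or private AS numbers that should never leave the AS. The `walk_topology` scenario (R2 in sub-AS 65110 originating a prefix) and the peer-type labels are constructed from the figure; segment-type values are the IANA-assigned ones.

```python
# Added example (not PAN-OS code): RFC 5065 AS_PATH handling for a BGP confederation.
# AS_SET variants (segment types 1 and 4) are ignored for brevity.
AS_SEQUENCE = 2         # RFC 4271: ordered list of public AS numbers
AS_CONFED_SEQUENCE = 3  # RFC 5065: ordered list of Member AS numbers, confederation-internal only
PRIVATE_ASNS = range(64512, 65535)  # RFC 6996 private use: 64512-65534 inclusive

def is_private(asn):
    return asn in PRIVATE_ASNS

def advertise(path, local_as, member_as, peer_type):
    """AS_PATH sent to a peer; path is a list of (segment_type, [asn, ...])."""
    path = [(t, list(seg)) for t, seg in path]          # copy, never mutate the caller's path
    if peer_type == "ibgp_confed":                      # same sub-AS: path is unchanged
        return path
    if peer_type == "ebgp_confed":                      # other sub-AS: prepend Member AS
        if path and path[0][0] == AS_CONFED_SEQUENCE:
            path[0] = (AS_CONFED_SEQUENCE, [member_as] + path[0][1])
        else:
            path.insert(0, (AS_CONFED_SEQUENCE, [member_as]))
        return path
    if peer_type == "ebgp":                             # outside the confederation
        path = [s for s in path if s[0] != AS_CONFED_SEQUENCE]  # strip all sub-AS segments
        if path and path[0][0] == AS_SEQUENCE:          # then prepend the public AS only
            path[0] = (AS_SEQUENCE, [local_as] + path[0][1])
        else:
            path.insert(0, (AS_SEQUENCE, [local_as]))
        return path
    raise ValueError("unknown peer type: %s" % peer_type)

def check_received(path, peer_type):
    """Findings worth alerting on for a path learned from a peer of peer_type."""
    findings = []
    if peer_type == "ebgp":
        if any(t == AS_CONFED_SEQUENCE for t, _ in path):
            findings.append("AS_CONFED_SEQUENCE received from a non-confederation peer")
        leaked = [a for t, seg in path if t == AS_SEQUENCE for a in seg if is_private(a)]
        if leaked:
            findings.append("private AS numbers leaked in AS_SEQUENCE: %s" % leaked)
    return findings

def walk_topology():
    """Constructed scenario from the figure: R2 (sub-AS 65110) originates a prefix."""
    from_r2 = advertise([], 24, 65110, "ebgp_confed")     # R2 -> firewall (EBGP confed)
    to_r1 = advertise(from_r2, 24, 65100, "ibgp_confed")  # firewall -> R1 (IBGP confed)
    to_r5 = advertise(from_r2, 24, 65100, "ebgp")         # firewall -> R5 in AS 25 (EBGP)
    return from_r2, to_r1, to_r5
```

Running `walk_topology()` shows R5 receiving only `[(AS_SEQUENCE, [24])]`, while R1 still sees the Member AS 65110 segment; `check_received` applied to what R5 learns confirms nothing private escaped.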
After the firewall is configured to peer with R1, R2, and R5, its peers are visible on the Peer Group tab:
bgp_confed_peers.png
The firewall shows the R1, R2, and R5 peers:
bgp_confed_R1_peer.png
bgp_confed_R2_peer.png
bgp_confed_R5_peer.png
To verify that the firewall’s BGP sessions with its peers are established, on the virtual router’s screen, select More Runtime Stats and select the Peer tab.
bgp_confed_verify_peer.png
Select the Local RIB tab to view information about the routes stored in the Routing Information Base (RIB).
bgp_confed_verify_local_rib.png
Then select the RIB Out tab.
bgp_confed_verify_rib_out.png