FortiGate
mtse (Staff)
Article Id 192145

Description
This article describes how to use 'remove-private-as' and 'set-aspath-action replace' to hide private AS numbers in advertised BGP routes.

Solution
BGP AS numbers are classified as private or public.

Private range (2-byte):    64512 to 65534 (RFC 6996; 65535 is reserved)
Private range (4-byte):    4200000000 to 4294967294 (RFC 6996)
Public range (2-byte):     1 to 64511 (a few values in this range are reserved, for example 64496 to 64511 for documentation)

Private AS numbers must not be leaked into the global BGP table because they are not unique: many organizations reuse the same values.
There are scenarios, however, in which a FortiGate receives BGP updates carrying private AS numbers from internal networks
and needs to advertise those prefixes to an external BGP neighbor.
In such a case, the private AS numbers have to be removed from the AS path before the update leaves the FortiGate.

The option 'remove-private-as' strips private AS numbers only when every AS number in the route's AS path is private.
If the AS path mixes private and public AS numbers, the FortiGate does not remove the private AS numbers, and the route is advertised with its path unchanged.


Scenario 1.
The BGP path contains only private AS numbers, so 'remove-private-as' can be enabled to prevent the private AS from being advertised.

Without any modification, Router1 receives a BGP update (originated from Router3) with an AS path of 1001 (FGT) followed by the private AS 65000 (Router3).

Router1 # get router info bgp nei 10.90.1.2 received-route
BGP table version is 13, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
...
*> 10.22.22.0/24 10.90.1.2 0 0 1001 65000 ? <-/->          <----- Router1 can see RTR3's private AS 65000.

After 'remove-private-as' is enabled on FGT's neighbor entry for Router1, Router1 no longer sees the private AS 65000.
The neighbor entry lives under 'config router bgp' on FGT:

FGT # config router bgp
    config neighbor
        edit "10.90.1.1"
            set remove-private-as enable                       <-----
            set soft-reconfiguration enable
            set remote-as 1000
        next
    end
end

Router1 # get router info bgp nei 10.90.1.2 received-route
BGP table version is 13, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24 10.90.1.2 0 0 1001 ? <-/->                <----- RTR3's private AS 65000 has been removed; only FGT's public AS 1001 remains in the path.

Scenario 2.
'remove-private-as' will not work if the BGP path mixes private and public AS numbers.
Router3 advertises a BGP update whose AS path contains both public (500 and 200) and private (65000) AS numbers.
Router1 still sees the private AS even after 'remove-private-as' is enabled on FGT:
FGT cannot remove the private AS when the path also contains public AS numbers.

Router1 # get router info bgp nei 10.90.1.2 received-route
BGP table version is 8, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
...
*> 10.22.22.0/24 10.90.1.2 0 0 1001 65000 500 200 ? <-/->
When the path mixes private and public AS numbers, a route-map can be used to replace the AS path instead.
 
Scenario 3.
Use a route-map with the action 'set-aspath-action replace' to replace the AS path that carries the private AS.
Initially, Router1 (AS 64716) advertises BGP routes with a mix of private AS (65531) and public AS (200).
Router3 receives the BGP update from FGT with FGT's own AS (10000) prepended.
On its neighbor entry for Router1, FGT is configured with 'local-as 64524', so that AS number also appears in the path Router3 sees.

Originally, Router3 receives BGP routes whose AS path mixes public and private AS numbers:
*> 10.20.20.0/24 10.91.1.1 0 0 10000 64524 64716 65531 200 ? <----- Route from rtr1 is prepended with FGT's AS 10000.
*> 10.30.30.1/32 10.91.1.1 0 0 10000 64524 64716 ?           <----- Route from rtr1 is prepended with FGT's AS 10000.

Now use a route-map with the option 'set-aspath-action replace' to remove the private AS.
First create an AS path list that matches AS 65531. In the regexp "_65531_", '_' stands for the start of the path, the end of the path, or the boundary between two AS numbers, so the rule matches the AS number 65531 as a whole and not, for example, an AS such as 165531.
In this example, a second AS path list is also created with the regexp ".*" to catch all other BGP routes, whose AS path will not be replaced.
# config router aspath-list
    edit "path-test"
        config rule
            edit 1
                set action permit
                set regexp "_65531_"
            next
        end
    next
    edit "path-test2"
        config rule
            edit 1
                set action permit
                set regexp ".*"
            next
        end
    next
end

Then create a route-map that matches the AS path list for AS 65531 and uses 'set-aspath-action replace' to replace the AS path with FGT's own public AS 10000.
Note that 'replace' substitutes the entire AS path of the matching route, not only the private AS number.
In this example, a second rule is added to the same route-map to match the catch-all AS path list (".*") and allow all other BGP routes through without any modification; without it, routes that do not match rule 1 would not be permitted by the route-map.
# config router route-map
    edit "aspath-test"
        config rule
            edit 1
                set match-as-path "path-test"
                set set-aspath-action replace
                set set-aspath "10000"
            next
            edit 2
                set match-as-path "path-test2"
            next
        end
    next
end

Apply the route-map in the incoming direction on FGT's BGP neighbor entry for Router1:
# config router bgp
    config neighbor
        edit "10.90.1.1"
            set soft-reconfiguration enable
            set remote-as 64716
            set local-as 64524
            set route-map-in "aspath-test"
        next
    end
end
After the above is applied, Router3 no longer sees the private AS 65531: the whole AS path of that route (64524 64716 65531 200) has been replaced by FGT's public AS 10000, and FGT then prepends its own AS 10000 again when advertising to Router3, which is why 10000 appears twice.
The other BGP routes from Router1 that do not carry AS 65531 are not affected, and Router3 still receives them without any modification.

*> 10.20.20.0/24 10.91.1.1 0 0 10000 10000 ? <----- Route from rtr1 with AS 65531: the path has been replaced by 10000.
*> 10.30.30.1/32 10.91.1.1 0 0 10000 64524 64716 ? <----- Route from rtr1 without AS 65531 is not changed.

Note that 64524 and 64716 are also in the private range (64512 to 65534), so the second route still carries private AS numbers to Router3. The AS path list in this example matches only 65531; to hide every private AS, extend the AS path list so that it matches each private AS number that can appear in the path, and verify on the external neighbor what is actually received after the change.
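To check the expected outcome of the three scenarios on paper before changing a live neighbor, here is a small Python model of the behaviours the article describes. This is an added example, not code from the article or from FortiOS. It assumes the semantics stated above: 'remove-private-as' strips the path only when every AS is private, 'set-aspath-action replace' substitutes the whole AS path, '_' in an aspath-list regexp matches the start, the end, or the boundary between two AS numbers, a route matching no route-map rule is not permitted, and the path fed to the inbound route-map in scenario 3 is the one shown in the article's output minus FGT's own AS (the order in which FortiOS prepends 'local-as' relative to the inbound route-map is not stated on the page and is taken from that output). The sample paths are the ones from the article's outputs.

```python
# Added example (not part of the Fortinet article): a Python model of
# 'remove-private-as', aspath-list regexps and 'set-aspath-action replace'
# as the article describes them, run over the article's own AS paths.
import re

# RFC 6996 private-use ranges (2-byte and 4-byte).
PRIVATE_AS_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_as(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS_RANGES)


def remove_private_as(path: list) -> list:
    """'remove-private-as' as the article describes it: private ASNs are
    stripped only when every ASN in the path is private; a path that mixes
    public and private ASNs is passed through unchanged (scenario 2)."""
    if path and all(is_private_as(a) for a in path):
        return []
    return list(path)


def aspath_regexp_matches(regexp: str, path: list) -> bool:
    """Evaluate an aspath-list regexp against a path.  Assumption: '_' matches
    the start of the path, the end of the path, or the space between two ASNs,
    so '_65531_' matches 65531 but not 165531."""
    pattern = regexp.replace("_", r"(?:^|\s|$)")
    return re.search(pattern, " ".join(str(a) for a in path)) is not None


def apply_route_map(rules: list, path: list):
    """Walk route-map rules in order.  Each rule is (aspath regexp, replacement
    path or None).  'set-aspath-action replace' substitutes the WHOLE AS_PATH,
    not just the matched ASN; None means 'permit without modification'.
    A route that matches no rule is returned as None (not permitted)."""
    for regexp, replacement in rules:
        if aspath_regexp_matches(regexp, path):
            return list(path) if replacement is None else list(replacement)
    return None


def advertise_ebgp(local_as: int, path: list) -> list:
    """An eBGP speaker prepends its own ASN when advertising to the peer."""
    return [local_as] + list(path)


def leaked_private_as(path: list) -> list:
    """The check to run on what the external peer will see: any private ASN
    still present in the advertised path is a leak."""
    return [a for a in path if is_private_as(a)]


def run_article_scenarios() -> dict:
    """Reproduce the three scenarios with the paths shown in the article."""
    results = {}
    # Scenario 1: FGT (AS 1001) receives 65000 from Router3, all private.
    results["s1"] = advertise_ebgp(1001, remove_private_as([65000]))
    # Scenario 2: mixed path 65000 500 200, remove-private-as does nothing.
    results["s2"] = advertise_ebgp(1001, remove_private_as([65000, 500, 200]))
    # Scenario 3: the inbound route-map from the article.  Constructed input:
    # the path as shown before the route-map, minus FGT's own 10000
    # (local-as 64524 and Router1's 64716 already present).
    rules = [("_65531_", [10000]), (".*", None)]
    net_a = apply_route_map(rules, [64524, 64716, 65531, 200])  # 10.20.20.0/24
    net_b = apply_route_map(rules, [64524, 64716])               # 10.30.30.1/32
    results["s3_a"] = advertise_ebgp(10000, net_a)
    results["s3_b"] = advertise_ebgp(10000, net_b)
    # Scenario 3 caveat: 64524 and 64716 are private too and still leak.
    results["s3_b_leak"] = leaked_private_as(results["s3_b"])
    return results


if __name__ == "__main__":
    for name, path in run_article_scenarios().items():
        print(f"{name}: {' '.join(map(str, path))}")
```

Running the block prints the advertised path for each scenario; `s3_b_leak` lists the private AS numbers that survive the route-map on the second route, which is the check to run against the external neighbor's received-route output after any of these changes.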
 
 



