Created on 06-26-2020 04:14 AM Edited on 06-09-2022 03:18 PM By Anonymous
Description
This article describes how to use 'remove-private-as' and 'set-aspath-action replace' to hide private AS in advertised BGP routes.
Solution
BGP AS numbers are classified as private or public.
Private range: 64512 to 65535
Public range: 1 to 64511
Private AS numbers are not supposed to be leaked into the global BGP table because they are not unique.
There are, however, scenarios in which a FortiGate receives BGP updates from internal networks carrying a private AS and needs to advertise them to an external BGP neighbor.
In such a case, the private AS has to be removed.
The option 'remove-private-as' removes private AS numbers only when every AS number in the route's AS path is private.
If the AS path contains a mix of private and public AS numbers, 'remove-private-as' cannot remove the private AS; a route-map with 'set-aspath-action replace' is used instead.
Scenario 1.
The AS path contains only private AS numbers, so 'remove-private-as' can be enabled to prevent the private AS from being advertised.
Without any modification, Router1 receives the BGP update (originated by Router3) with an AS path of 1001 (FGT) and the private AS 65000 (Router3).
Router1 # get router info bgp nei 10.90.1.2 received-route
BGP table version is 13, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
...
*> 10.22.22.0/24 10.90.1.2 0 0 1001 65000 ? <-/-> <----- Router1 can see RTR3's private AS 65000.
On the FortiGate, enable 'remove-private-as' on the neighbor towards Router1:
config neighbor
    edit "10.90.1.1"
        set remove-private-as enable <-----
        set soft-reconfiguration enable
        set remote-as 1000
    next
Router1 # get router info bgp nei 10.90.1.2 received-route
BGP table version is 13, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24 10.90.1.2 0 0 1001 ? <-/-> <----- RTR3's private AS65000 is replaced by FGT's public AS 1001.
Scenario 2.
When the AS path contains a mix of private and public AS numbers, a route-map can be used to replace the private AS.
Router1 # get router info bgp nei 10.90.1.2 received-route
BGP table version is 8, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
...
*> 10.22.22.0/24 10.90.1.2 0 0 1001 65000 500 200 ? <-/->
*> 10.20.20.0/24 10.91.1.1 0 0 10000 64524 64716 65531 200 ? <----- Route from rtr1 is appended with FGT's AS 10000.
*> 10.30.30.1/32 10.91.1.1 0 0 10000 64524 64716 ? <----- Route from rtr1 is appended with FGT's AS 10000.
Create an AS-path list that matches any AS path containing the private AS 65531 ('_' marks an AS boundary) and a second list that matches any AS path:
config router aspath-list
    edit "path-test"
        config rule
            edit 1
                set action permit
                set regexp "_65531_"
            next
        end
    next
    edit "path-test2"
        config rule
            edit 1
                set action permit
                set regexp ".*"
            next
        end
    next
end
Create a route-map whose rule 1 applies 'set-aspath-action replace' with AS 10000 to routes matching "path-test", and whose rule 2 permits all remaining routes unchanged:
config router route-map
    edit "aspath-test"
        config rule
            edit 1
                set match-as-path "path-test"
                set set-aspath-action replace
                set set-aspath "10000"
            next
            edit 2
                set match-as-path "path-test2"
            next
        end
    next
end
Apply the route-map inbound on the FortiGate's neighbor:
config neighbor
    edit "10.90.1.1"
        set soft-reconfiguration enable
        set remote-as 64716
        set local-as 64524
        set route-map-in "aspath-test"
    next
end
After the above is applied, Router3 no longer sees the private AS 65531, which is replaced by FGT's public AS 10000.
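As an added example (not from the article and not FortiOS code), the Python below models the two mechanisms this page describes over constructed AS paths: 'remove-private-as' stripping only all-private paths, aspath-list regexp matching with the '_' boundary, and the route-map's first-match evaluation. Two things are assumptions rather than page content: 'set-aspath-action replace' is modelled as replacing the whole AS path, and the 32-bit private range is taken from RFC 6996.

```python
import re
from typing import List, Optional, Tuple

# RFC 6996 private ASN ranges: the 16-bit range given in the article plus the 32-bit range.
PRIVATE_AS_RANGES = ((64512, 65535), (4200000000, 4294967294))

def is_private_as(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS_RANGES)

def private_as_in(path: str) -> List[int]:
    """Private ASNs still present in an AS path string such as '1001 65000 500 200'."""
    return [int(a) for a in path.split() if is_private_as(int(a))]

def remove_private_as(path: str) -> str:
    """Model 'remove-private-as' as the article describes it: the private ASNs are
    dropped only when every ASN in the path is private; a mixed path is left untouched."""
    asns = [int(a) for a in path.split()]
    return "" if asns and all(is_private_as(a) for a in asns) else path

def aspath_regexp_matches(regexp: str, path: str) -> bool:
    """Evaluate an aspath-list regexp against a path. In AS-path regexps '_' is an AS
    boundary (start, end or the space between ASNs); a word boundary models that here,
    so '_65531_' matches '64716 65531 200' but not '165531 200'."""
    return re.search(regexp.replace("_", r"\b"), path) is not None

def apply_route_map(path: str, rules: List[Tuple[str, Optional[str]]]) -> Optional[str]:
    """Evaluate route-map rules in order: first match wins, implicit deny at the end.
    A rule is (aspath-list regexp, set-aspath value, or None to permit unchanged).
    Assumption: 'set-aspath-action replace' substitutes the whole AS path."""
    for regexp, new_path in rules:
        if aspath_regexp_matches(regexp, path):
            return path if new_path is None else new_path
    return None

# The route-map from the article: rule 1 rewrites paths carrying 65531, rule 2 permits the rest.
ASPATH_TEST = [("_65531_", "10000"), (".*", None)]

# Constructed sample AS paths modelled on the received-route tables above (plus one all-private path).
SAMPLE_PATHS = ["65000", "1001 65000 500 200", "64716 65531 200", "64716 65000"]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        out = apply_route_map(p, ASPATH_TEST)
        print(f"{p!r:24} remove-private-as -> {remove_private_as(p)!r:22} "
              f"route-map -> {out!r:18} private ASNs left: {private_as_in(out or '')}")
```

Running private_as_in on the path that would actually be advertised is the check worth keeping: a route-map only rewrites the paths its aspath-list matches, so private ASNs on unmatched paths still leak.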