BGP Confederations

A BGP autonomous system can be divided into confederations of sub-autonomous systems to reduce the number of IBGP sessions that a full mesh requires.
BGP confederations provide a way to divide an autonomous system (AS) into two or more sub-autonomous systems (sub-AS) to reduce the burden that the full mesh requirement for IBGP causes. The firewalls (or other routing devices) within a sub-AS must still maintain a full IBGP mesh with the other firewalls in the same sub-AS, and BGP peering between sub-autonomous systems is required for full connectivity within the main AS. Firewalls peering with each other within a sub-AS form an IBGP confederation peering. A firewall in one sub-AS peering with a firewall in a different sub-AS forms an EBGP confederation peering. Two firewalls in different autonomous systems that connect to each other are EBGP peers.
Autonomous systems are identified by a public (globally assigned) AS number, such as AS 24 and AS 25 in the preceding figure. In a PAN-OS environment, you assign each sub-AS a unique Confederation Member AS number, which is a private number seen only within the AS. In this figure, the confederations are AS 65100 and AS 65110. (RFC 6996, Autonomous System (AS) Reservation for Private Use, indicates that the IANA reserves AS numbers 64512-65534 for private use.)
Within the AS, the sub-AS confederations appear to each other as full autonomous systems. However, when the firewall sends an AS path to an EBGP peer, only the public AS number appears in the AS path; no private sub-AS (Confederation Member AS) numbers are included.
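The AS path rule above (private sub-AS numbers never reach a peer outside the AS) is modelled below as an added example written for this page; it is not PAN-OS code or output. It follows the AS_PATH procedure that RFC 5065 specifies for a confederation border and uses the AS numbers from the figure (24, 25, 65100, 65110). The Router class, the advertise and check_external_path functions, the constructed sample path and the relation names "internal", "confed" and "external" are this example's own; the segment type codes come from RFC 4271 and RFC 5065, and the private-use range from RFC 6996.

```python
"""Model of AS_PATH handling at a BGP confederation border (RFC 5065).

Added example for this page, not PAN-OS code. Router, advertise,
check_external_path and the relation names are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# AS_PATH segment type codes (RFC 4271 and RFC 5065)
AS_SET = 1
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
AS_CONFED_SET = 4
CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}

# Private-use 16-bit AS numbers reserved by RFC 6996 (64512-65534 inclusive)
PRIVATE_ASN_RANGE = range(64512, 65535)

# One AS_PATH segment: (segment type, ordered list of AS numbers)
Segment = Tuple[int, List[int]]


@dataclass(frozen=True)
class Router:
    """A BGP speaker; member_asn is None for a router outside any confederation."""
    asn: int                          # public AS / confederation identifier, e.g. 24
    member_asn: Optional[int] = None  # private Confederation Member AS, e.g. 65100


def _prepend(path: List[Segment], seg_type: int, asn: int) -> List[Segment]:
    """Prepend asn to the leading segment if it has seg_type, else open a new segment."""
    if path and path[0][0] == seg_type:
        return [(seg_type, [asn] + list(path[0][1]))] + list(path[1:])
    return [(seg_type, [asn])] + list(path)


def advertise(local: Router, path: List[Segment], relation: str) -> List[Segment]:
    """Return the AS_PATH that local sends to a peer with the given relation.

    "internal": same sub-AS, the path is passed on unchanged.
    "confed":   another sub-AS of the same confederation; the private member
                AS is recorded in an AS_CONFED_SEQUENCE segment.
    "external": a different AS; every confederation segment is removed and
                only the public AS is prepended (the rule the page states).
    """
    if relation == "internal":
        return list(path)
    if relation == "confed":
        if local.member_asn is None:
            raise ValueError("confederation peering requires a Confederation Member AS")
        return _prepend(path, AS_CONFED_SEQUENCE, local.member_asn)
    if relation == "external":
        public_only = [seg for seg in path if seg[0] not in CONFED_TYPES]
        return _prepend(public_only, AS_SEQUENCE, local.asn)
    raise ValueError(f"unknown relation {relation!r}")


def visible_asns(path: List[Segment]) -> List[int]:
    """Flatten a path to its AS numbers in hop order."""
    return [asn for _, asns in path for asn in asns]


def check_external_path(path: List[Segment]) -> List[str]:
    """Findings for an AS_PATH seen on a session with a different AS.

    Any finding points at a confederation border that is misconfigured as a
    confederation peering: confederation segments must never cross it, and
    private-use ASNs should not appear between public autonomous systems.
    """
    findings = []
    for seg_type, asns in path:
        if seg_type in CONFED_TYPES:
            findings.append(f"confederation segment (type {seg_type}) {asns} crossed an external session")
        for asn in asns:
            if asn in PRIVATE_ASN_RANGE:
                findings.append(f"private-use ASN {asn} exposed to an external peer")
    return findings


if __name__ == "__main__":
    firewall = Router(asn=24, member_asn=65100)
    r5 = Router(asn=25)
    # Constructed sample: a prefix originated by R2 in sub-AS 65110, as the firewall receives it
    from_r2: List[Segment] = [(AS_CONFED_SEQUENCE, [65110])]
    to_r1 = advertise(firewall, from_r2, "confed")      # stays inside AS 24
    to_r5 = advertise(firewall, from_r2, "external")    # leaves AS 24: only 24 is visible
    onward = advertise(r5, to_r5, "external")           # R5 passes it to its own peers
    print("to R1 :", to_r1, "->", visible_asns(to_r1))
    print("to R5 :", to_r5, "->", visible_asns(to_r5), check_external_path(to_r5) or "clean")
    print("R5 on :", onward)
    # Misconfiguration: treating the external peer as a confederation member leaks sub-AS numbers
    print("leak  :", check_external_path(advertise(firewall, from_r2, "confed")))
```

Run it and the path handed to R5 is just AS_SEQUENCE [24], while the same route sent towards R1 carries AS_CONFED_SEQUENCE [65100, 65110]. The check_external_path function is the defender's side of the rule: applied to paths received on a plain EBGP session, any confederation segment or private-use ASN it reports is evidence that the far end treats that session as a confederation peering.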
BGP peering occurs between the firewall and R2; the firewall in the figure has these relevant configuration settings:
  • AS number—24
  • Confederation Member AS—65100
  • Peering Type—EBGP confed
  • Peer AS—65110
Router 2 (R2) in AS 65110 is configured as follows:
  • AS number—24
  • Confederation Member AS—65110
  • Peering Type—EBGP confed
  • Peer AS—65100
BGP peering also occurs between the firewall and R1. The firewall has the following additional configuration:
  • AS number—24
  • Confederation Member AS—65100
  • Peering Type—IBGP confed
  • Peer AS—65110
R1 is configured as follows:
  • AS number—24
  • Confederation Member AS—65110
  • Peering Type—IBGP confed
  • Peer AS—65100
BGP peering occurs between the firewall and R5. The firewall has the following additional configuration:
  • AS number—24
  • Confederation Member AS—65100
  • Peering Type—EBGP
  • Peer AS—25
R5 is configured as follows:
  • AS—25
  • Peering Type—EBGP
  • Peer AS—24
After the firewall is configured to peer with R1, R2, and R5, the R1, R2, and R5 peers are visible on the Peer Group tab.
To verify that the firewall's BGP peerings are established, on the virtual router's screen, select More Runtime Stats and then select the Peer tab.
Select the Local RIB tab to view information about the routes stored in the Routing Information Base (RIB).
Then select the RIB Out tab.