Removing Private AS Numbers in BGP

74795
Created On 09/25/18 17:42 PM - Last Modified 06/07/23 06:14 AM


Resolution


Details

There are two types of BGP Autonomous system numbers: Private and Public. The Public AS numbers range from 1 to 64511 and the Private AS numbers range from 64512 to 65535.

Private AS numbers are used to divide a large AS into many smaller ASes for the sole purpose of conserving Public AS numbers. As with private and public IP addresses, Private AS numbers must not be leaked to the internet. It is therefore essential to remove them before updates are sent into the global BGP mesh, which is the internet.

Topology

In the example below, network R1 uses private AS number 65001. The firewall and the Service Provider router (R2) use Public AS numbers AS 500 and AS 100, respectively.

[Figure 1: topology diagram showing R1 (AS 65001), the firewall (AS 500) and the Service Provider router R2 (AS 100)]

Configuration

Go to Network > Virtual Routers > default > BGP > Peer Group. Click Add to create a new peer group and check Remove Private AS.

[Figure 2: BGP Peer Group configuration with the "Remove Private AS" option checked]

Working

Below is the sequence of events that occurs when Router 1 advertises the network 10.1.1.0/24 while the firewall peer group for AS 100 is configured with the "Remove Private AS" option enabled:

  1. R1 advertises the network 10.1.1.0/24 with the AS path attribute 65001 to the firewall.
  2. The firewall, which is in AS 500, receives the update from R1 and makes an entry for the network 10.1.1.0/24 in its global routing table with the next hop 192.168.1.2. This is the interface of R1 connected directly to the firewall, so the firewall uses 192.168.1.2 as the gateway to reach the 10.1.1.0/24 network.
  3. When sending the update for the 10.1.1.0/24 network to the Service Provider in AS 100, the firewall strips off the private AS number 65001, constructs a new update packet with its own AS number (AS 500) as the AS path attribute for the 10.1.1.0/24 network, and sends it to the Service Provider R2. This is sent as an eBGP update, because the update is between two different AS numbers (AS 500 and AS 100).
  4. The Service Provider R2 receives this update for the network 10.1.1.0/24 and makes an entry in its routing table with the next hop 200.1.1.2, which is the e1/1 interface of the firewall. The AS path attribute for this network as seen on R2 is AS 500, which is the firewall's AS.

Thus, the private AS numbers are prevented from entering the BGP tables of the Internet.
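The sequence above, modelled in Python as an added example (not Palo Alto Networks code): the AS path is a plain list of ASNs, the firewall's AS 500, the private AS 65001 and the prefix 10.1.1.0/24 come from the topology, and the function names are assumed. It generalises slightly by also recognising the 32-bit private range from RFC 6996, and includes an audit check that a defender can run over outbound updates to confirm no private ASN is leaked.

```python
"""Model of the "Remove Private AS" step applied to an eBGP update.

Added example, not Palo Alto Networks code. The AS path is modelled as a
list of ASNs (AS_SEQUENCE only). Function names are assumptions.
"""
from __future__ import annotations

# 16-bit private range as stated in the article; the 32-bit private range
# (RFC 6996, 4200000000-4294967294) is included as a generalisation.
PRIVATE_RANGES = ((64512, 65535), (4200000000, 4294967294))


def is_private_as(asn: int) -> bool:
    """True if asn falls in a private (not Internet-routable) AS range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)


def remove_private_as(as_path: list[int]) -> list[int]:
    """Strip every private ASN from the path, keeping public ASNs in order."""
    return [asn for asn in as_path if not is_private_as(asn)]


def build_ebgp_update(prefix: str, received_path: list[int], local_as: int,
                      remove_private: bool) -> dict:
    """Construct the AS_PATH the firewall sends to an eBGP peer.

    With remove_private=True this mirrors the peer-group option: private
    ASNs are dropped, then the firewall prepends its own AS, as any eBGP
    speaker does when re-advertising a route.
    """
    path = remove_private_as(received_path) if remove_private else list(received_path)
    return {"prefix": prefix, "as_path": [local_as] + path}


def leaked_private_as(update: dict) -> list[int]:
    """Audit helper: private ASNs still present in an outbound update (should be empty)."""
    return [asn for asn in update["as_path"] if is_private_as(asn)]


if __name__ == "__main__":
    # Step 1: R1 (AS 65001) advertises 10.1.1.0/24 to the firewall (constructed update).
    received = {"prefix": "10.1.1.0/24", "as_path": [65001]}
    # Step 3: the firewall (AS 500) re-advertises to the Service Provider (AS 100).
    without = build_ebgp_update(received["prefix"], received["as_path"], 500, False)
    with_opt = build_ebgp_update(received["prefix"], received["as_path"], 500, True)
    print("option off:", without["as_path"], "leaked:", leaked_private_as(without))
    print("option on :", with_opt["as_path"], "leaked:", leaked_private_as(with_opt))
```

With the option off the provider would see AS path [500, 65001]; with it on, R2 sees [500], matching step 4.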

owner: dantony
