Solution
Currently, FortiOS supports 'remove-private-as' in BGP only for 16-bit AS numbers.
Details:
Configure BGP to bring up neighborship between FortiGates and advertise one network with a 4-byte AS number. Topology:
FGT1(AS 4245670009) -> BGP -> FGT2(AS 65001) -> BGP -> FGT3(AS 65003).
FGT1:
FGT1 (root) # get sys status
Version: FortiGate-VM64-KVM v7.4.8,build2795,250523 (GA.M)
FGT2:
FGT2 # get sys status
Version: FortiGate-VM64-KVM v7.6.5,build3651,251210 (GA.M)
FGT3:
FGT3 # get sys status
Version: FortiGate-VM64-KVM v7.2.11,build1740,250210 (GA.M)
Demonstration:
Bring up eBGP peers between FGT1 and FGT2, and between FGT2 and FGT3.
Advertise one network (1.1.1.1/32) from FGT1 -> FGT2 -> FGT3. FGT1 has a 4-byte ASN, so FGT2 receives the network with a 4-byte ASN in the AS path and advertises it to FGT3.
Advertise one network (2.2.2.2/32) from FGT3 -> FGT2 -> FGT1. FGT3 has a 2-byte ASN, so FGT2 receives the network with a 2-byte ASN in the AS path and advertises it to FGT1.
Now configure remove-private-as for both neighbors on FGT2 and clear the BGP neighborship with both peers.
After the neighborships come back up, 2.2.2.2/32 is received on FGT1 with the 2-byte private AS 65002 removed by FGT2, honoring the configuration. However, 1.1.1.1/32 is received on FGT3 with the 4-byte private AS still present in the AS path: FGT2 did not remove it, so the firewall does not honor the configuration for 4-byte ASNs.
Configuration:
FGT1 BGP configuration:
FGT1 (root) # show router bgp
config router bgp
set as 4245670009
config neighbor
edit "10.14.17.91"
set remote-as 65001
next
end
config network
edit 1
set prefix 1.1.1.1 255.255.255.255
next
end
FGT2 BGP configuration:
FGT2 # show router bgp
config router bgp
set as 65001
config neighbor
edit "10.14.17.82"
set remove-private-as enable <-----
set remote-as 4245670009
next
edit "10.68.17.109"
set remove-private-as enable <-----
set remote-as 65002
next
end
FGT3 BGP configuration:
FGT3 # show router bgp
config router bgp
set as 65002
config neighbor
edit "10.68.17.91"
set remote-as 65001
next
end
config network
edit 1
set prefix 2.2.2.2 255.255.255.255
next
end
Validation:
FGT1 (root) # get router info bgp network
VRF 0 BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 1.1.1.1/32 0.0.0.0 100 32768 0 i <-/1>
*> 2.2.2.2/32 10.14.17.91 0 0 0 65001 i <-/1> <----- AS path has only FGT2 AS number
FGT2 # get router info bgp network
VRF 0 BGP table version is 3, local router ID is 10.68.17.91
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 1.1.1.1/32 10.14.17.82 0 0 0 4245670009 i <-/1>
*> 2.2.2.2/32 10.68.17.109 0 0 0 65002 i <-/1>
Total number of prefixes 2
FGT3 # get router info bgp network
VRF 0 BGP table version is 3, local router ID is 10.68.17.109
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 1.1.1.1/32 10.68.17.91 0 0 0 65001 4245670009 i <-/1> <----- The 4-byte private AS is not removed from the AS path by FGT2.
*> 2.2.2.2/32 0.0.0.0 100 32768 0 i <-/1>
Total number of prefixes 2
Information:
4245670009 is a private AS number in the 32-bit category.
Perform the same tests with FGT2 configured with a local AS that is a 2-byte private ASN, a 2-byte public ASN, a 4-byte private ASN, and a 4-byte public ASN. In all of these cases the firewall behaves the same way: it removes private ASNs only when every ASN in the AS path is 2-byte. If the AS path contains 4-byte ASNs, or a mix of 4-byte and 2-byte ASNs, the firewall never modifies the AS path to remove private ASNs.
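The following Python script is an added example, not code from Fortinet or from this article. It classifies ASNs against the RFC 6996 private ranges (16-bit 64512-65534, 32-bit 4200000000-4294967294), models what an eBGP hop with remove-private-as is expected to announce versus the FortiOS behaviour observed above (private ASNs stripped only when the whole path is 2-byte), and audits a 'get router info bgp network' table for private ASNs that survived the hop. The table parser assumes, as in the rows on this page, that three numeric attribute columns sit between the next hop and the AS path; the sample table is the FGT3 output from this article, reconstructed with its status markers. The `advertise`, `parse_bgp_table` and `leaked_private_as` names are this example's own.

```python
"""Added example: RFC 6996 ASN classification, a model of the remove-private-as
hop (expected vs. the behaviour observed on FortiOS in this article), and an
audit of a FortiOS BGP table for private ASNs that leaked through."""
import re

# RFC 6996 private ranges: 16-bit 64512-65534, 32-bit 4200000000-4294967294
PRIVATE_AS_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_as(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS_RANGES)


def is_4byte_as(asn: int) -> bool:
    # Any ASN above 65535 can only be carried as a 32-bit ASN (RFC 6793).
    return asn > 65535


def advertise(local_as: int, received_path: list[int],
              remove_private: bool = True, fortios_observed: bool = False) -> list[int]:
    """AS path a router announces to an eBGP peer: private ASNs removed from the
    received path (when enabled), then the router's own AS prepended.
    fortios_observed=True models what this article documents: if any ASN in the
    received path is 4-byte, the path is left untouched."""
    path = list(received_path)
    if remove_private:
        has_4byte = any(is_4byte_as(a) for a in path)
        if not (fortios_observed and has_4byte):
            path = [a for a in path if not is_private_as(a)]
    return [local_as] + path


# Row shape (assumption, matches this page): status, prefix, next hop, three
# numeric attribute columns, AS path, origin code, then the "<-/n>" suffix.
ROW_RE = re.compile(r"^\s*\*?>?\s*(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+(.*?)\s+([ie?])\s+<")


def parse_bgp_table(output: str) -> dict[str, list[int]]:
    """Map prefix -> AS path from FortiOS 'get router info bgp network' output."""
    paths = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        prefix, _next_hop, middle, _origin = m.groups()
        numbers = [int(tok) for tok in middle.split() if tok.isdigit()]
        paths[prefix] = numbers[3:]  # drop Metric/LocPrf, Weight, RouteTag
    return paths


def leaked_private_as(paths: dict[str, list[int]]) -> dict[str, list[int]]:
    """Private ASNs that the directly connected peer should have stripped.
    The leftmost ASN is the peer's own AS, which remove-private-as never
    removes, so it is skipped."""
    result = {}
    for prefix, path in paths.items():
        leaked = [a for a in path[1:] if is_private_as(a)]
        if leaked:
            result[prefix] = leaked
    return result


# Constructed sample: the FGT3 table from this article, status markers restored.
FGT3_TABLE = """\
VRF 0 BGP table version is 3, local router ID is 10.68.17.109
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 1.1.1.1/32       10.68.17.91              0             0        0 65001 4245670009 i <-/1>
*> 2.2.2.2/32       0.0.0.0                      100  32768        0 i <-/1>
"""

if __name__ == "__main__":
    # What FGT2 (AS 65001) should announce for 1.1.1.1/32 vs. what FGT3 saw.
    print("expected:", advertise(65001, [4245670009]))
    print("observed:", advertise(65001, [4245670009], fortios_observed=True))
    paths = parse_bgp_table(FGT3_TABLE)
    print("FGT3 paths:", paths)
    print("leaked private ASNs:", leaked_private_as(paths))
```

Run the audit against the table from each peer that has remove-private-as enabled toward you; any non-empty result means a private ASN crossed that hop, which on FortiOS is what you will see whenever a 4-byte ASN is in the path.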