Sachin_Alex_Cherian_
Article Id 194776

Description

This article describes how to advertise the correct AS path in scenarios where an additional local AS needs to be configured on a BGP neighbor.

This is useful, for example, when two companies need to peer and both happen to use the same private AS number.

In that case only an iBGP peering would be possible, whereas an eBGP peering is required.

Scope

Note: This article only applies to FortiOS v5.4.2 and later, since the local-as functionality was introduced in that version.


Solution

BGP routers advertise routes that originate within their own autonomous system (AS) with an AS path length of one, listing only their own AS number as specified under the BGP configuration (e.g. ‘set as 12345’).

By default, the ‘local-as’ command does not replace the AS number advertised to peers; it prepends the local AS to the actual AS number, resulting in an AS path length of two.
Routes advertised to neighbors with a local AS configured will appear to arrive via the specified AS, but will still be seen as having originated from the actual AS.

 

The following topology has been used for the demonstration:

[Topology diagram]

 

 

BGP Configuration:

config router bgp
    set as 65533
    set router-id 10.0.0.252
    config neighbor
        edit "172.17.97.199"
            set next-hop-self enable
            set remote-as 65534
            set local-as 65530
        next
    end
    config network
        edit 1
            set prefix 10.1.1.1 255.255.255.255
        next
        edit 2
            set prefix 10.1.1.2 255.255.255.255
        next
        edit 3
            set prefix 10.1.1.3 255.255.255.255
        next
        edit 4
            set prefix 10.1.1.4 255.255.255.255
        next
    end
end

 

The output below shows the routes received on the remote BGP peer from the local FortiGate. These routes have the configured local-as added to their AS path:

Gate # get router info bgp neighbors 172.17.97.198 routes
VRF 0 BGP table version is 12, local router ID is 10.0.0.253
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 10.1.1.1/32      172.17.97.198   0                      0        0 65530 65533 i <-/1>
*> 10.1.1.2/32      172.17.97.198   0                      0        0 65530 65533 i <-/1>
*> 10.1.1.3/32      172.17.97.198   0                      0        0 65530 65533 i <-/1>
*> 10.1.1.4/32      172.17.97.198   0                      0        0 65530 65533 i <-/1>

Total number of prefixes 4

 
Similarly, when the local FortiGate receives routes from the remote BGP peer, the AS path also includes the configured local-as, as shown below:

FortiGate-80F # get router info bgp neighbors 172.17.97.199 routes
VRF 0 BGP table version is 2, local router ID is 10.0.0.252
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 10.1.2.1/32      172.17.97.199   0                      0        0 65530 65534 i <-/1>
*> 10.1.2.2/32      172.17.97.199   0                      0        0 65530 65534 i <-/1>
*> 10.1.2.3/32      172.17.97.199   0                      0        0 65530 65534 i <-/1>

Total number of prefixes 3

 

Two additional commands are available once ‘local-as’ is set in the BGP neighbor configuration: ‘local-as-replace-as’ and ‘local-as-no-prepend’.

If ‘local-as-replace-as’ is enabled alongside ‘local-as’, as shown below:

 

config neighbor
    edit "172.17.97.199"
        set next-hop-self enable
        set remote-as 65534
        set local-as 65530
        set local-as-replace-as enable
    next
end

 

the actual AS configured under ‘config router bgp’ is replaced by the configured local-as in the outgoing updates. The remote BGP peer then receives the routes with an AS path length of one, as shown in the output below:

Gate # get router info bgp neighbors 172.17.97.198 routes
VRF 0 BGP table version is 14, local router ID is 10.0.0.253
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 10.1.1.1/32      172.17.97.198   0                      0        0 65530 i <-/1>
*> 10.1.1.2/32      172.17.97.198   0                      0        0 65530 i <-/1>
*> 10.1.1.3/32      172.17.97.198   0                      0        0 65530 i <-/1>
*> 10.1.1.4/32      172.17.97.198   0                      0        0 65530 i <-/1>

Total number of prefixes 4

 

This is also required when both peers originally use the same AS: if a peer sees its own AS number in the AS path of a prefix advertised by its neighbor, it treats the update as a routing loop and does not install the prefix.

AS_PATH is BGP's primary loop prevention mechanism.
 

The ‘local-as-no-prepend’ command acts on the inbound updates received from the remote BGP peer:

config neighbor
    edit "172.17.97.199"
        set next-hop-self enable
        set remote-as 65534
        set local-as 65530
        set local-as-no-prepend enable
    next
end

 
This removes the local-as from the AS path of any routes received from the remote BGP peer, as shown in the output below:

FortiGate-80F # get router info bgp neighbors 172.17.97.199 routes
VRF 0 BGP table version is 4, local router ID is 10.0.0.252
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 10.1.2.1/32      172.17.97.199   0                      0        0 65534 i <-/1>
*> 10.1.2.2/32      172.17.97.199   0                      0        0 65534 i <-/1>
*> 10.1.2.3/32      172.17.97.199   0                      0        0 65534 i <-/1>

Total number of prefixes 3
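To make the three behaviours shown above (default local-as prepend, local-as-replace-as on outbound updates, local-as-no-prepend on inbound updates) and the same-AS loop case easy to reason about, here is an added model written for this article; it is not Fortinet code. It assumes the AS numbers used in the outputs above (global AS 65533, local-as 65530, remote-as 65534) and the standard eBGP loop check from RFC 4271, where a router rejects any route whose AS_PATH already contains its own configured AS.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Neighbor:
    """One entry under 'config neighbor' (only the fields that matter here)."""
    remote_as: int
    local_as: int | None = None   # 'set local-as <n>'
    replace_as: bool = False      # 'set local-as-replace-as enable'
    no_prepend: bool = False      # 'set local-as-no-prepend enable'


def outbound_as_path(global_as: int, nbr: Neighbor, as_path: list[int]) -> list[int]:
    """AS_PATH the peer receives. as_path is the path held locally; it is
    empty for prefixes originated under 'config network'."""
    if nbr.local_as is None:
        return [global_as, *as_path]
    if nbr.replace_as:
        return [nbr.local_as, *as_path]             # the real AS is not sent
    return [nbr.local_as, global_as, *as_path]      # default: local-as is prepended


def inbound_as_path(nbr: Neighbor, as_path: list[int]) -> list[int]:
    """AS_PATH stored locally for a route received from this neighbor."""
    if nbr.local_as is None or nbr.no_prepend:
        return list(as_path)
    return [nbr.local_as, *as_path]                 # default: local-as is prepended


def accepts(receiver_as: int, as_path: list[int]) -> bool:
    """eBGP loop prevention (RFC 4271): a router drops any route whose
    AS_PATH already contains its own configured AS."""
    return receiver_as not in as_path


def same_private_as_demo() -> dict[str, bool]:
    """Constructed case: both peers use AS 65534. Only with
    'local-as-replace-as' does the remote peer install our prefixes."""
    prepend_only = Neighbor(remote_as=65534, local_as=65530)
    replaced = Neighbor(remote_as=65534, local_as=65530, replace_as=True)
    return {
        "prepend_only": accepts(65534, outbound_as_path(65534, prepend_only, [])),
        "replace_as": accepts(65534, outbound_as_path(65534, replaced, [])),
    }


if __name__ == "__main__":
    nbr = Neighbor(remote_as=65534, local_as=65530)
    print(outbound_as_path(65533, nbr, []), inbound_as_path(nbr, [65534]))
    print(same_private_as_demo())   # {'prepend_only': False, 'replace_as': True}
```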

 

Notes:

  • Until FortiOS v7.0, this particular configuration can only be done from the CLI.
  • From FortiOS v7.2.0 and above, this option is also available in the GUI.
  • Specifying only the local-as and omitting the global ‘set as 12345’ command will not work, as the global AS is required to establish the BGP session.
  • In a BGP neighbor group, the local AS cannot be set under the neighbor group configuration. Instead, BGP routers advertise routes originating within their own autonomous system (AS) using their own AS number, as specified in the BGP configuration.

 


 

Related article:

Technical Tip: Adding BGP community string to route updates and control BGP routes advertisements by...