Created on 06-26-2020 04:14 AM
Edited on 03-25-2025 03:04 AM
By Jean-Philippe_P
Description
This article describes how to use 'remove-private-as' and 'set-aspath-action replace' to hide private AS numbers in advertised BGP routes.
Scope
FortiGate.
Solution
BGP AS numbers are classified as private or public.
Private range: 64512 to 65535.
Public range: 1 to 64511.
Private AS numbers are not supposed to be leaked to a global BGP table because they are not unique.
But there are scenarios in which a FortiGate receives BGP updates from internal networks with private AS and needs to advertise them to an external BGP neighbor.
In such a case, the private AS has to be removed.
The option 'remove-private-as' can remove private AS numbers only when every AS number in the route's AS path is private.
If the AS path contains a mix of private and public AS numbers, FortiGate cannot remove the private AS numbers.
Scenario 1.
The BGP path only contains private AS numbers, so 'remove-private-as' can be enabled to prevent the private AS from being advertised.
Without any modification, Router1 receives a BGP update (originated from Router3) with an AS path of 1001 ('FGT') and private AS 65000 (Router3).

BGP table version is 13, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
...
*> 10.22.22.0/24 10.90.1.2 0 0 1001 65000 ? <----- Router1 can see Router3's private AS 65000.
Enable 'remove-private-as' on 'FGT' for the BGP neighbor 10.90.1.1 (Router1):
config router bgp
    config neighbor
        edit "10.90.1.1"
            set remove-private-as enable <-----
            set soft-reconfiguration enable
            set remote-as 1000
        next
    end
end
Router1's BGP table after 'remove-private-as' is enabled on 'FGT':
BGP table version is 13, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24 10.90.1.2 0 0 1001 ? <----- Router3's private AS 65000 is replaced by FGT's public AS 1001.
Scenario 2.
'remove-private-as' will not work if there is a mix of private and public AS numbers in the BGP path.
Router3 advertises a BGP update with a mix of public (500 and 200) and private (65000) AS numbers.
Router1 will still see the private AS even after 'remove-private-as' is enabled on 'FGT'.
'FGT' cannot remove the private AS when the path mixes private and public AS numbers, so the AS path has to be rewritten with a route map instead.

Initially, Router1 advertises BGP routes with a mix of private AS (65531) and public AS (200).

*> 10.30.30.1/32 10.91.1.1 0 0 10000 64524 64716 ? <----- Route from Router1 is appended with FortiGate's AS 10000.
Create an AS path list to match AS 65531.
In this example, a second AS path list is also created to catch all other BGP routes (regexp '.*'), whose AS path will not be replaced.
config router aspath-list
    edit "path-test"
        config rule
            edit 1
                set action permit
                set regexp "_65531_"
            next
        end
    next
    edit "path-test2"
        config rule
            edit 1
                set action permit
                set regexp ".*"
            next
        end
    next
end
Create a route map that replaces the AS path with 10000 for routes matching 'path-test' and permits all other routes unchanged:
config router route-map
    edit "aspath-test"
        config rule
            edit 1
                set match-as-path "path-test"
                set set-aspath-action replace
                set set-aspath "10000"
            next
            edit 2
                set match-as-path "path-test2"
            next
        end
    next
end
Apply the route map inbound on the BGP neighbor:
config router bgp
    config neighbor
        edit "10.90.1.1"
            set soft-reconfiguration enable
            set remote-as 64716
            set local-as 64524
            set route-map-in "aspath-test"
        next
    end
end
The other BGP routes from Router1 that do not carry private AS 65531 are not affected, and Router3 still receives them without any modification.
*> 10.30.30.1/32 10.91.1.1 0 0 10000 64524 64716 ? <----- Route from Router1 without AS 65531 is not changed.
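To make the two behaviours from both scenarios concrete, here is a small Python model added for this article (not FortiOS code) of 'remove-private-as' and of a route map using 'set-aspath-action replace' driven by an aspath-list regexp. The AS paths, the rule structure and the simplified handling of '_' in the regexp are assumptions; the model works on AS-path lists only and does not model BGP sessions or the local AS prepended on advertisement.

```python
import re
from typing import Dict, List, Optional

# Private range as stated in the article: 64512 to 65535.
PRIVATE_AS = range(64512, 65536)


def is_private_as(asn: int) -> bool:
    return asn in PRIVATE_AS


def remove_private_as(as_path: List[int]) -> List[int]:
    """Model of 'remove-private-as': private ASNs are stripped only when every
    ASN in the path is private. A path that mixes public and private ASNs is
    returned untouched, which is the limitation described in the article."""
    if as_path and all(is_private_as(asn) for asn in as_path):
        return []
    return list(as_path)


def aspath_regexp(expr: str) -> "re.Pattern":
    """Translate an aspath-list regexp into a Python regex (simplified model):
    '_' matches the start or end of the path or the gap between two ASNs,
    so "_65531_" matches AS 65531 but not a longer number such as 165531."""
    return re.compile(expr.replace("_", r"(?:^|$|\s)"))


def apply_route_map_in(as_path: List[int], rules: List[Dict[str, str]]) -> Optional[List[int]]:
    """Model of a route map with 'match-as-path' rules evaluated in order.
    A rule with set-aspath-action 'replace' swaps the whole path for its
    'set-aspath' value; a matching rule with no set action permits the route
    unchanged; no match at all means the route map drops the route (None)."""
    text = " ".join(str(asn) for asn in as_path)
    for rule in rules:
        if aspath_regexp(rule["regexp"]).search(text):
            if rule.get("action") == "replace":
                return [int(asn) for asn in rule["set_aspath"].split()]
            return list(as_path)
    return None


# Hypothetical equivalent of the article's route map 'aspath-test':
# rule 1 matches "_65531_" and replaces the path with "10000",
# rule 2 matches ".*" and permits everything else unchanged.
ASPATH_TEST = [
    {"regexp": "_65531_", "action": "replace", "set_aspath": "10000"},
    {"regexp": ".*"},
]
```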
