Description
This article describes how to use 'remove-private-as' and 'set-aspath-action replace' to hide private AS numbers in advertised BGP routes.
Scope
FortiGate.
Solution
BGP AS numbers are classified as private or public.
Private range: 64512 to 65535 (RFC 6996 reserves 64512 to 65534 for private use; 65535 itself is reserved by RFC 7300). RFC 6996 also reserves the 32-bit range 4200000000 to 4294967294 for private use.
Public range: 1 to 64511.
Private AS numbers must not leak into the global BGP table because they are not globally unique.
There are scenarios, however, in which a FortiGate receives BGP updates from internal networks carrying a private AS and needs to advertise them to an external BGP neighbor.
In that case, the private AS has to be removed.
The option 'remove-private-as' removes private AS numbers only when every AS number in the route's AS path is private.
If the AS path contains a mix of private and public AS numbers, FortiGate leaves the path unchanged and the private AS is still advertised.
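As an added illustration (not FortiOS code or output from this page), the following Python model applies the rule just described to the AS paths FGT receives in the scenarios below: private AS numbers are stripped only when the whole received path is private, and FGT's own AS is prepended on advertisement. The 32-bit private-use range from RFC 6996 is included as an assumption; the page lists only the 16-bit range and does not say how FortiOS treats 32-bit private ASNs.

```python
# Added example: a model of the 'remove-private-as' rule described on this page.
# It is not FortiOS code; it reproduces the described behaviour on the page's AS paths.

# RFC 6996 private-use ranges (16-bit and 32-bit). The page lists 64512 to 65535;
# RFC 7300 reserves 65535, so it is excluded here. Whether FortiOS also strips
# 32-bit private ASNs is not stated on the page (assumption).
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_as(asn: int) -> bool:
    """True if asn falls in a private-use range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)


def remove_private_as(path: list[int]) -> list[int]:
    """Strip private ASNs only when every ASN in the path is private.

    A path that mixes private and public ASNs is returned unchanged, which is the
    limitation scenario 2 demonstrates.
    """
    if path and all(is_private_as(asn) for asn in path):
        return []
    return list(path)


def advertise(local_as: int, received_path: list[int], remove_private: bool) -> list[int]:
    """AS path an eBGP neighbour sees: the (optionally filtered) received path with
    the advertising router's own AS prepended."""
    path = remove_private_as(received_path) if remove_private else list(received_path)
    return [local_as] + path


if __name__ == "__main__":
    # Scenario 1: Router3 (AS 65000) -> FGT (AS 1001) -> Router1
    print(advertise(1001, [65000], remove_private=False))  # [1001, 65000]
    print(advertise(1001, [65000], remove_private=True))   # [1001]
    # Scenario 2: mixed path, nothing is removed
    print(advertise(1001, [65000, 500, 200], remove_private=True))  # [1001, 65000, 500, 200]
```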
Scenario 1.
The BGP path contains only private AS numbers, so 'remove-private-as' can be enabled to prevent the private AS from being advertised. For IPv6, use 'remove-private-as6'.
Without any modification, Router1 receives a BGP update (originated by Router3, AS 65000) with an AS path of 1001 (FGT's public AS) followed by private AS 65000.

Router1 # get router info bgp nei 10.90.1.2 received-route
BGP table version is 13, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
...
*> 10.22.22.0/24 10.90.1.2 0 0 1001 65000 ? <----- Router1 can see Router3's private AS 65000.
After enabling 'remove-private-as' on FGT's neighbor entry for Router1 (10.90.1.1), Router1 no longer sees the private AS 65000.
On 'FGT':
config router bgp
    config neighbor
        edit "10.90.1.1"
            set remote-as 1000
            set soft-reconfiguration enable
            set remove-private-as enable <----- strips the private AS before the route is advertised to Router1
        next
    end
end
Router1 # get router info bgp nei 10.90.1.2 received-route
BGP table version is 13, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.22.22.0/24 10.90.1.2 0 0 1001 ? <----- Router3's private AS 65000 has been stripped; only FGT's public AS 1001 remains in the path.
Scenario 2.
'remove-private-as' does not work if the BGP path contains a mix of private and public AS numbers.
Router3 advertises a BGP update whose AS path mixes public (500 and 200) and private (65000) AS numbers.
Router1 still sees the private AS even though 'remove-private-as' is enabled on FGT: FGT cannot remove the private AS from a mixed path.
Router1 # get router info bgp nei 10.90.1.2 received-route
BGP table version is 8, local router ID is 10.30.30.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
...
*> 10.22.22.0/24 10.90.1.2 0 0 1001 65000 500 200 ? <----- Private AS 65000 is still present alongside public AS 500 and 200.
In this scenario, with a mix of private and public AS numbers, a route-map can be used to replace the private AS instead.
Scenario 3.
Use a route-map with the action 'set-aspath-action replace' to replace the private AS.
In this setup, Router1 (AS 64716) advertises BGP routes with a mix of private AS (65531) and public AS (200), and FGT (AS 10000) peers with Router1 using local-as 64524.
Router3 receives the BGP updates from FGT with FGT's AS 10000 prepended.
Initially, Router3 receives routes containing both public and private AS numbers.
*> 10.20.20.0/24 10.91.1.1 0 0 10000 64524 64716 65531 200 ? <----- Route from Router1 with FGT's AS 10000 prepended; local-as 64524 and Router1's AS 64716 follow, then private AS 65531.
*> 10.30.30.1/32 10.91.1.1 0 0 10000 64524 64716 ? <----- Route from Router1 with FGT's AS 10000 prepended; no private AS in the path.
Now use a route-map with 'set-aspath-action replace' to remove the private AS.
Create an AS path list that matches AS 65531. The underscores in the regexp '_65531_' anchor the match to the whole AS number 65531 anywhere in the path, rather than to a substring of a longer number.
In this example, a second AS path list is also created to catch all other BGP routes (regexp '.*'); those routes will not have their AS path replaced.
config router aspath-list
    edit "path-test"
        config rule
            edit 1
                set action permit
                set regexp "_65531_"
            next
        end
    next
    edit "path-test2"
        config rule
            edit 1
                set action permit
                set regexp ".*"
            next
        end
    next
end
Create a route-map whose first rule matches AS path list 'path-test' (AS 65531) with 'set-aspath-action replace' to replace the AS path with FortiGate's public AS 10000.
In this example, a second rule matches 'path-test2' (all other routes) and lets them through without modification. Without it, routes that do not match rule 1 would hit the route-map's implicit deny and would not be advertised at all.
config router route-map
    edit "aspath-test"
        config rule
            edit 1
                set match-as-path "path-test"
                set set-aspath-action replace
                set set-aspath "10000"
            next
            edit 2
                set match-as-path "path-test2"
            next
        end
    next
end
Apply the route-map in the inbound direction on FGT's BGP neighbor entry for Router1 (10.90.1.1).
config router bgp
    config neighbor
        edit "10.90.1.1"
            set remote-as 64716
            set local-as 64524
            set soft-reconfiguration enable
            set route-map-in "aspath-test" <----- applied inbound, so the path is rewritten before FGT re-advertises it to Router3
        next
    end
end
After the above is applied, Router3 no longer sees the private AS 65531. Note what the output shows: 'set-aspath-action replace' replaces the entire received AS path (64524 64716 65531 200), not only the private AS, with the configured value 10000, and FGT then prepends its own AS 10000 on egress, so the path becomes '10000 10000'. The public AS 200 that was in the original path is lost as well, so use this action only where discarding the original path is acceptable.
The other BGP routes from Router1 that do not contain AS 65531 are not affected; Router3 still receives them unmodified.
*> 10.20.20.0/24 10.91.1.1 0 0 10000 10000 ? <----- Route from Router1 that contained AS 65531: the whole path was replaced by 10000, then FGT prepended 10000.
*> 10.30.30.1/32 10.91.1.1 0 0 10000 64524 64716 ? <----- Route from Router1 without AS 65531 is not changed.
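As an added illustration (not FortiOS code or output from this page), the following Python model reproduces the scenario 3 pipeline end to end: the aspath-list regexps, the route-map with its implicit deny, the 'replace' action, and FGT's egress prepend. It takes the received path as the page's output shows it, with local-as 64524 already prepended, and assumes that '_' in an AS-path regexp is the Cisco/Quagga boundary token (start or end of path, space, comma, braces or parentheses); the page does not spell out FortiOS's regexp dialect.

```python
import re

# Added example: a model of aspath-list matching and route-map 'set-aspath-action replace'
# as scenario 3 on this page shows them. It is not FortiOS code.

# Assumption: '_' in an AS-path regexp is the Cisco/Quagga boundary token.
_BOUNDARY = r"(?:^|$|[ ,{}()])"


def aspath_regex(pattern: str) -> re.Pattern:
    """Compile an AS-path regexp, expanding '_' so that '_65531_' matches the whole
    AS number 65531 and not a substring of, say, 165531."""
    return re.compile(pattern.replace("_", _BOUNDARY))


def aspath_list_permits(rules, path):
    """Evaluate an aspath-list: the first rule whose regexp matches decides;
    no matching rule means the list does not permit the path."""
    text = " ".join(str(asn) for asn in path)
    for action, pattern in rules:
        if aspath_regex(pattern).search(text):
            return action == "permit"
    return False


def apply_route_map(route_map, aspath_lists, path):
    """Evaluate route-map rules in order.

    A rule applies when its aspath-list permits the path. 'replace' substitutes the
    whole AS path with set-aspath (the page's output shows 64524 64716 65531 200
    becoming just 10000). No matching rule means implicit deny, returned as None.
    """
    for rule in route_map:
        if aspath_list_permits(aspath_lists[rule["match_as_path"]], path):
            if rule.get("set_aspath_action") == "replace":
                return list(rule["set_aspath"])
            return list(path)
    return None


# The page's aspath-list and route-map configuration, expressed as data.
ASPATH_LISTS = {
    "path-test": [("permit", "_65531_")],
    "path-test2": [("permit", ".*")],
}
ROUTE_MAP = [
    {"match_as_path": "path-test", "set_aspath_action": "replace", "set_aspath": [10000]},
    {"match_as_path": "path-test2"},
]


def advertise_to_router3(received_path, fgt_as=10000, route_map=ROUTE_MAP):
    """route-map-in on the Router1 neighbour, then FGT's AS prepended towards Router3."""
    accepted = apply_route_map(route_map, ASPATH_LISTS, received_path)
    if accepted is None:
        return None
    return [fgt_as] + accepted


if __name__ == "__main__":
    # Constructed inputs: paths from Router1 as received on FGT (local-as 64524 already prepended).
    print(advertise_to_router3([64524, 64716, 65531, 200]))  # [10000, 10000]
    print(advertise_to_router3([64524, 64716]))              # [10000, 64524, 64716]
    # Without the catch-all rule 2, routes not matching rule 1 hit the implicit deny.
    print(advertise_to_router3([64524, 64716], route_map=ROUTE_MAP[:1]))  # None
```

The implicit-deny branch is why the page's second route-map rule exists: drop it and every route from Router1 that does not carry AS 65531 is no longer advertised to Router3 rather than passed through unchanged.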