HI Toshi Esumi,

 

Finally someone response the topic.

 

Thanks for reply and information with the link.

 

Unfortunately, the link don't include how to strip/hide the AS-path include private and public. In my case similar the scenario 2. I' wondering is there anyway can achieve it in fortigate firewall or it's fortigate feature limitation. In PAN or cisco, they are able completed hide/strip AS-path include private and public.

 

If anyone of you or fortinet employee know there is other way could achieve it or FGT feature limitation, please share with it. I'm appreciate it.

 

 

Why would you strip a public AS from a AS_path string? I don't think I ever heard of anybody removing a public-as_path and replacing it, we typically drop the prefix from that path or d-preference it to a ridiculous value like 1 or 10 if you have other bgp routes for that same destination.

 

As far as removing private-as, you should be able to do that per-neighbor statement that KB seems to be incorrect and the 1st example does have a mix of public-private ASN 

 

I would test it for sure and grab  the received prefixes after applying.

 

ken Felix

 

 

Probably Ken can tell exactly how it would work, but based on the description in the KB, if the patterns of AS path you want to remove are not too many or at least they should have only a few in the immediate neighbors, I would assume you could match those with regex described in senario2 then replace it with NULL. Or in the worst case you can at least prepend with 64999.

Unless R1 has different paths to get to 64999, that additional/duplicate 64999 shouldn't affect R1's routing decisions.

 

In any case, if I were you I would  just open a ticket with TAC to ask. Then you can get exact answers you want to know.

 

Toshi

Here's what happens,  see the diagram it shows the priv-AS65001 peering with 5706 who peers with ATT and NTT, with the remote-priavte-as on 5706 neighbor statement, I will drop the 65001 on any update that it sends to ATT 7018 or NTT 2914

 

So the BGP update from 192.0.2.1/31 does not need to be aware of this, this happening upstream at the ISP on the edge. We do exactly the above in my day job fwiw to avoid leaking private 65412-65535 into the global BGP table

 

Ken Felix

 

HI @Toshi Esumi

 

You are make a good point. As i mentioned, my case like scenario 2, my R3 include public AS and Private AS and advertised out to FGT and R1 received the path. "Removing private-as" will not work if the unit include public and private. Also, i did log case to TAC, unfortunately, the response is slow.

 

HI @Ken Felix,

 

We need it the feature due to PAN migration to FGT. In PAN, there is feature call "Remove". In R3 include public AS and Private AS, PAN able to removed it and R1 only see PAN AS number which is 64999 only (currently going replace FGT). You may refer the attachment of PAN. Without remove it, R1 will see one more path in the BGP table which is cause delay or one more path to go. Below include the table example. 

 

Yeah, the method of KB will work with your diagram with separate unit point to AS5706 (Assume it's my FGT(64999)). Unfortunately, my case is R3 include public As and itself private AS. Please see the attachment on next post

 

I try to achieve below. 

 

Currently Problem, it's see a lot AS path in R1 Router1 # get router info bgp nei x.x.x.x received-route Network Next Hop Metric LocPrf Weight RouteTag Path

*> 10.22.22.0/24 10.90.1.2 0 0 64111 64888 200 300? <-/->

*> 10.22.22.0/24 10.90.1.2 0 0 64111 64888 200 300? <-/->

 

Apply the KB article with scenario 2, There is duplicate or one more path in R1

Router1 # get router info bgp nei x.x.x.x received-route Network Next Hop Metric LocPrf Weight RouteTag Path

*> 10.22.22.0/24 10.90.1.2 0 0 64111 64111? <-/->

*> 10.22.22.0/24 10.90.1.2 0 0 64111 64111 ? <-/->

Target Achieve - Only show FGT itself ASN instead include R3 (private and public AS) (it's work in PAN) Router1 # get router info bgp nei x.x.x.x received-route Network Next Hop Metric LocPrf Weight RouteTag Path

*> 10.22.22.0/24 10.90.1.2 0 0 64111 ? <-/->

*> 10.22.22.0/24 10.90.1.2 0 0 64111 ? <-/->

 

So, I also would want to know anyone know there is other way could achieve it or confirm it FGT feature limitation. If it's limitation, i may think other way to solved it instead.

 

I'm appreciate it, if anyone of you could give me know.

 

With attachment of BGP diagram.

 

FYI Ken Felix, Toshi

If the FGT is the only next hop for R1 to reach R3 and R4, there is no difference if R1 sees the route with one AS hop (not path) or 2 or 3 AS hops in the path. Only if another router R5 or FGT2 provides the second path from R1 to reach R3, or R4 directly, bypassing FGT/6499, R1 compares two routes with the AS hop counts, then if one has one hop (6499) and the other has 3 hops (65xx 6488 200), the first route is the winner as long as other metrics are tie.

 

I still believe you can remove those if you still want to remove them with the aspath-list and route-map in much more flexible way. You will here from TAC.

My thoughts

 

If the path is really that and we are not talking internet-bgp connectivity as in an upstream SP/ISP, I would not even waste my time filtering priv-ASN. Filtering priv-AS is practice at the internet edge and public-bgp domain.

 

 

Also in a real internet bgp-domain, nobody connects a public AS to priv-as  and then to a public domain from my experience.

 

e.g 

 

 

AS200-64512-6500-2914-internet

 

Also you never ever ever connect a privASN to 2 different public-AS ISP providers

 

e.g

   

 

65100----isp1-2914

    |

    |_____isp2-7018

 

Ken Felix