This document describes how to configure BGP Autonomous System (AS) Override in Cisco Secure Firewall Threat Defense.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
For large enterprises with geographically dispersed locations, end-to-end reachability is hard to achieve when multiple sites use the same Autonomous System (AS) number. Standard eBGP loop prevention makes a BGP speaker discard any routing update whose AS_PATH already contains its own AS number, so a site rejects routes that originated at another site sharing its AS number, even when a hub relays them.
The 7.6 release introduced as-override support only for SD-WAN use cases. Starting with the 7.7 release, as-override for eBGP neighbors is available in all deployments because it is a core routing requirement. With as-override enabled on a neighbor, the threat defense device replaces the neighbor's AS number in the AS_PATH with its own AS number before sending updates to that neighbor, which allows sites to share the same AS number. Note that this also removes the receiving site's AS_PATH loop check for those prefixes, so the design must ensure a site cannot learn its own prefixes back through the firewall.
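The following is an added example, not code from the Cisco page and not a model of the FTD implementation. It simulates the two behaviors described above: the eBGP receiver rejecting an AS_PATH that contains its own AS, and a per-neighbor as-override rewriting the neighbor's AS before the update is sent. The AS numbers, peer addresses and prefix are taken from the page's lab (hub firewall in AS 500, two sites in AS 600, prefix 10.1.1.1/32); the class and function names are chosen here.

```python
"""Simulation of eBGP AS_PATH loop prevention and per-neighbor as-override.

Added example; not the FTD implementation. Hub in AS 500, sites A and B in
AS 600, as in the page's lab.
"""
from dataclasses import dataclass, field


@dataclass
class Neighbor:
    address: str
    remote_as: int
    as_override: bool = False


@dataclass
class Speaker:
    local_as: int
    neighbors: dict = field(default_factory=dict)  # address -> Neighbor
    rib: dict = field(default_factory=dict)        # prefix -> (as_path, next_hop)

    def add_neighbor(self, address, remote_as, as_override=False):
        self.neighbors[address] = Neighbor(address, remote_as, as_override)

    def originate(self, prefix):
        # A locally originated prefix has an empty AS_PATH in the local table.
        self.rib[prefix] = ([], None)

    def receive(self, from_addr, prefix, as_path):
        """eBGP loop prevention: reject an update whose AS_PATH contains our AS."""
        if self.local_as in as_path:
            return False
        self.rib[prefix] = (list(as_path), from_addr)
        return True

    def advertise(self, to_addr, prefix):
        """Build the AS_PATH sent to an eBGP neighbor."""
        nbr = self.neighbors[to_addr]
        path, _ = self.rib[prefix]
        if nbr.as_override:
            # as-override: every occurrence of the neighbor's AS becomes ours
            path = [self.local_as if asn == nbr.remote_as else asn for asn in path]
        # eBGP prepends the sender's own AS when the update leaves the AS
        return [self.local_as] + path


def relay(as_override):
    """Site A (AS 600) -> hub (AS 500) -> site B (AS 600).

    Returns the AS_PATH the hub sends to site B and whether site B accepts it.
    """
    site_a, hub, site_b = Speaker(600), Speaker(500), Speaker(600)
    site_a.add_neighbor("192.0.2.1", 500)
    hub.add_neighbor("192.0.2.2", 600)
    hub.add_neighbor("198.51.100.2", 600, as_override=as_override)
    site_b.add_neighbor("198.51.100.1", 500)

    site_a.originate("10.1.1.1/32")
    # Site A prepends 600; the hub accepts because 500 is not in the path.
    from_a = site_a.advertise("192.0.2.1", "10.1.1.1/32")
    if not hub.receive("192.0.2.2", "10.1.1.1/32", from_a):
        raise RuntimeError("hub unexpectedly rejected the site A route")

    sent = hub.advertise("198.51.100.2", "10.1.1.1/32")
    accepted = site_b.receive("198.51.100.1", "10.1.1.1/32", sent)
    return sent, accepted


if __name__ == "__main__":
    print("without as-override:", relay(False))  # ([500, 600], False)
    print("with as-override:   ", relay(True))   # ([500, 500], True)
```

Without as-override the hub sends 500 600 and site B discards the route because 600 is its own AS; with as-override the hub sends 500 500, which is exactly the path the receiving router shows in the verification section of this page.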
Applications and Managers:
FMC on 7.7.0
FMC REST API
Yes
Yes
Topology
Note: The BGP AS Override feature is available for configuration via the Secure Firewall Management Center (FMC) only.
Step 1: Navigate to Devices > Device Management, and edit the threat defense device.
Step 2: Select Routing.
Step 3: (For a virtual-router-aware device) Under General Settings, click BGP.
Step 4: Check the Enable BGP check box to enable the BGP routing process.
Note: To configure BGP routing, you can refer to Cisco Secure Firewall Management Center Device Configuration Guide, 7.7
BGP IPv4 Neighbor
Enable AS Override
Use this section to confirm that your configuration works properly.
FTD End (the same configuration applies under address-family ipv6 unicast):
FTD# show running-config router bgp all
router bgp 500
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 192.0.2.2 remote-as 600
neighbor 192.0.2.2 update-source Outside-1
neighbor 192.0.2.2 activate
neighbor 198.51.100.2 remote-as 600
neighbor 198.51.100.2 update-source Outside-2
neighbor 198.51.100.2 activate
neighbor 198.51.100.2 as-override
no auto-summary
no synchronization
exit-address-family
FTD# show bgp ipv4 unicast neighbors 198.51.100.2
BGP neighbor is 198.51.100.2, vrf single_vf, remote AS 600, external link
BGP version 4, remote router ID 198.51.100.2
BGP state = Established, up for 01:13:02
Last read 00:00:07, last write 00:00:54, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Multisession Capability:
Message statistics:
InQ depth is 0
OutQ depth is 0
.
.
For address family: IPv4 Unicast
Session: 198.51.100.2
BGP table version 4, neighbor version 4/0
Output queue size : 0
Index 5
5 update-group member
Overrides the neighbor AS with my AS before sending updates
.
.
Transport(tcp) path-mtu-discovery is disabled
Graceful-Restart is disabled
FTD# show bgp ipv4 unicast neighbors 198.51.100.2 advertised-routes
BGP table version is 4, local router ID is 198.51.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.1/32 192.0.2.2 0 0 600 i
Total number of prefixes 1
Receiver End:
The AS path of 10.1.1.1/32 has been rewritten by the FTD (where as-override is enabled) from 600 to 500, so the receiving router sees 500 500 instead of its own AS 600 and accepts the route:
Cisco_C1127#show bgp ipv4 unicast
BGP table version is 10, local router ID is 198.51.100.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.1/32 198.51.100.1 0 500 500 i
Cisco_C1127#show bgp ipv4 unicast 10.1.1.1
BGP routing table entry for 10.1.1.1/32, version 10
Paths: (1 available, best #1, table default)
Not advertised to any peer
Refresh Epoch 1
500 500
198.51.100.1 from 198.51.100.1 (198.51.100.1)
Origin IGP, localpref 100, valid, external, best
rx pathid: 0, tx pathid: 0x0
Updated on Apr 6 2025 17:02:24 UTC
On the FTD, the output of show bgp <ipv4/ipv6> unicast neighbors <neighbor> must contain the line "Overrides the neighbor AS with my AS before sending updates"; this is the indication that as-override is enabled for that neighbor. Because the setting is per neighbor, check each neighbor that needs it.
debug ip bgp updates
debug ip bgp ipv6 unicast updates
debug ip bgp all updates
Note: The debug output does not change before and after as-override is enabled, so use the show commands above to confirm the setting.
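To check every neighbor in one pass instead of reading the output by eye, here is an added example (not code from the Cisco page) that parses show bgp ipv4 unicast neighbors output for the per-neighbor indicator line. The sample output is constructed from the excerpt on this page, with a second neighbor that lacks as-override; parse_neighbors and neighbors_missing_override are names chosen here.

```python
"""Audit as-override across neighbors in FTD 'show bgp ... neighbors' output.

Added example; the sample below is constructed from the page's excerpt and
is not a complete capture.
"""
import re

OVERRIDE_LINE = "Overrides the neighbor AS with my AS before sending updates"
NEIGHBOR_RE = re.compile(r"^BGP neighbor is ([0-9A-Fa-f.:]+),.*?remote AS (\d+)", re.M)
STATE_RE = re.compile(r"BGP state = (\w+)")

# Constructed sample: neighbor 192.0.2.2 has no as-override, 198.51.100.2 has it.
SAMPLE = """\
BGP neighbor is 192.0.2.2,  vrf single_vf,  remote AS 600, external link
  BGP version 4, remote router ID 192.0.2.2
  BGP state = Established, up for 02:10:44
 For address family: IPv4 Unicast
  Session: 192.0.2.2
  BGP table version 4, neighbor version 4/0
BGP neighbor is 198.51.100.2,vrf single_vf,remote AS 600, external link
  BGP version 4, remote router ID 198.51.100.2
  BGP state = Established, up for 01:13:02
 For address family: IPv4 Unicast
  Session: 198.51.100.2
  BGP table version 4, neighbor version 4/0
  Overrides the neighbor AS with my AS before sending updates
"""


def parse_neighbors(text):
    """Return {address: {remote_as, state, as_override}} for each neighbor block."""
    result = {}
    # Each neighbor block starts at a line beginning with 'BGP neighbor is'.
    for chunk in re.split(r"(?m)^(?=BGP neighbor is )", text):
        m = NEIGHBOR_RE.search(chunk)
        if not m:
            continue
        state = STATE_RE.search(chunk)
        result[m.group(1)] = {
            "remote_as": int(m.group(2)),
            "state": state.group(1) if state else None,
            # The indicator line is only printed when as-override is configured.
            "as_override": OVERRIDE_LINE in chunk,
        }
    return result


def neighbors_missing_override(parsed, required):
    """Addresses in 'required' whose block lacks the as-override indicator."""
    return sorted(a for a in required if not parsed.get(a, {}).get("as_override"))


if __name__ == "__main__":
    parsed = parse_neighbors(SAMPLE)
    for addr, info in parsed.items():
        print(addr, info)
    print("missing:", neighbors_missing_override(parsed, ["192.0.2.2", "198.51.100.2"]))
```

Feed the script the full command output (for example, saved from the FTD CLI) and pass the list of site-facing neighbors that are expected to have as-override; any address returned by neighbors_missing_override has not received the setting from the FMC deployment.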
This log file contains information related to the deployment of the as-override feature from FMC:
/opt/CSCOpx/MDC/log/operation/vmsbesvcs.log
router bgp 500
address-family ipv4 unicast
neighbor 198.51.100.2 as-override
exit-address-family
Cisco Technical Support & Downloads
Cisco Secure Firewall Management Center Device Configuration Guide, 7.7
| Revision | Publish Date | Comments |
|---|---|---|
| 3.0 | 12-Apr-2025 | Updated the Typographical Error |
| 1.0 | 08-Apr-2025 | Initial Release |