What Are BGP Confederations in Networking?

Also known as: BGP Confederations, BGP scalability, IBGP confederation, sub-AS, CCNP ENARSI

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

BGP Confederations help manage large networks by breaking a big autonomous system into smaller, more manageable pieces. This allows routers inside the same overall network to treat each other as if they are in different systems for routing purposes, reducing the number of connections needed. It simplifies configuration and improves scalability without changing how the network looks to the outside world.

Must Know for Exams

BGP Confederations appear prominently in Cisco CCNP Enterprise (350-401 ENCOR and 300-410 ENARSI) exams, as well as CCIE lab exams. The Cisco exam blueprint for ENARSI explicitly includes BGP path selection, IBGP and EBGP scalability, and advanced BGP concepts, with confederations listed as a key scalability technique. In these exams, you are expected to understand not only how to configure confederations but also how they affect BGP attributes like AS_PATH, NEXT_HOP, and MED.

Multiple-choice questions often test your knowledge of the differences between confederations and Route Reflectors, such as which one preserves the NEXT_HOP attribute unchanged (confederations do, Route Reflectors do not). You might be asked to identify the correct configuration snippet for enabling a confederation, including the proper use of the bgp confederation identifier and bgp confederation peers commands. Troubleshooting scenarios are common, where a candidate must determine why routes are not being propagated correctly within a confederation.

For example, a question may present a network diagram with three sub-AS numbers, and ask why a router in sub-AS 64510 cannot see routes from sub-AS 64530. The answer could involve missing peering statements, incorrect AS numbers, or missing next-hop reachability. In the CCIE lab, confederations can appear as part of a larger design task, requiring candidates to integrate them with other features like Route Reflectors, prefix lists, and route maps.

The exam also tests your understanding of the AS_PATH manipulation: the confederation AS numbers are enclosed in parentheses in the show ip bgp output, and you must interpret that correctly. Study tips for exams include practicing configuration on Cisco IOS or IOS-XE devices, using GNS3 or EVE-NG, and comparing confederation behaviour with Route Reflectors in a lab. Memorising the command syntax and the order of operations is critical.

Because confederations are less commonly deployed than Route Reflectors, many learners overlook them, making them a high-value exam topic. Being well-prepared in this area can differentiate your score and demonstrate mastery of advanced routing.

Simple Meaning

Think of BGP Confederations like a large company that has several smaller regional offices, but all offices share the same company name and branding to customers. In networking, an autonomous system (AS) is like a company with a unique ID number. Normally, all routers inside one AS must talk to every other router directly, which is called a full mesh.

This works for small networks but becomes a huge burden as the network grows, because each router must maintain many connections. A BGP Confederation solves this by dividing the big AS into smaller sub-AS numbers, each like a regional office with its own internal number. Routers inside one sub-AS talk to each other with normal internal BGP rules.

When they need to talk to routers in a different sub-AS, they use a special kind of communication that looks like external BGP between companies, but with a twist: the routing information is still treated as internal. To the outside world, the entire network still appears as a single AS, just like the company uses one name publicly. So you get the benefit of reduced connections and simpler management without breaking how other networks see you.

This is extremely useful for large service providers or enterprises that have hundreds of routers in one AS. It allows them to scale efficiently without redesigning their whole routing architecture. The approach uses standard BGP rules with some modifications, making it a well-understood and reliable technique for advanced network design.

Full Technical Definition

BGP Confederations are a scalability enhancement for Internal BGP (IBGP) that reduces the number of required IBGP peering sessions within a single autonomous system. In standard IBGP, all routers inside the same AS must form a full mesh of TCP connections because IBGP does not re-advertise routes received from one IBGP peer to another IBGP peer, by default. This full mesh requirement becomes impractical in large networks, as the number of connections grows quadratically with the number of routers.

BGP Confederations address this by subdividing the autonomous system into multiple smaller sub-autonomous systems, each identified by a unique confederation AS number. Within each sub-AS, routers operate under standard IBGP rules, maintaining a full mesh among themselves. When a router in one sub-AS sends a route to a router in another sub-AS, the communication uses a mechanism similar to External BGP (EBGP).

However, several important differences exist. The next hop, AS_PATH, and MED (Multi-Exit Discriminator) attributes are preserved across sub-AS boundaries, unlike standard EBGP. The AS_PATH is prepended with the confederation AS numbers, but these are enclosed in special brackets (e.g., [64510 64520]) and are removed before the route is advertised to external EBGP peers. This ensures that external networks see only the global AS number, not the internal confederation structure.

BGP Confederations require that all sub-AS numbers are from the private AS range (64512 to 65534) to avoid conflict with public AS numbers. Configuration involves enabling the BGP confederation identifier (the global AS number) and listing the member sub-AS numbers under the BGP process. Additionally, the peering between sub-AS uses the update-source and ebgp-multihop commands if routers are not directly connected.

The BGP confederation peer is defined using the neighbor command with the sub-AS number, not the global AS. Confederations are considered an alternative to Route Reflectors, another IBGP scaling technique. While Route Reflectors are more common in modern networks, Confederations offer better control over routing policy and can be combined with Route Reflectors for even greater scalability.

Real implementations are found in large ISP backbones and multi-tenant data centers where administrative domains must be segmented but still appear unified externally. Understanding BGP Confederations is essential for CCNP and CCIE candidates, as Cisco exams test the configuration, behaviour, and troubleshooting of confederation scenarios.

Real-Life Example

Imagine a large university campus with many separate buildings, like the library, the science block, and the student union. Each building has its own internal security team that manages access to rooms inside that building. The library uses key cards that work only for library rooms, and the science block uses a different set of key cards.

However, all these buildings are part of the same university, and visitors from outside see only one university name on the map. In this analogy, the whole university is the autonomous system (AS). Each building is a sub-AS within the confederation.

The internal security teams inside each building represent IBGP peers that talk to each other using normal rules. When a student from the library needs to access a room in the science block, the library security contacts the science block security using a special protocol that respects both building policies but still looks like an internal transfer to the university administration. To an outside visitor, the student just moves between university buildings seamlessly, and they never see the separate building security groups.

This is exactly how BGP Confederations work. Routers inside one sub-AS (building) peer using IBGP. When they need to send routes to another sub-AS, they use a special EBGP-like communication that keeps the routing information consistent.

External networks (visitors) see only the global AS number (university name) and have no idea about the internal sub-AS structure. The benefit is that the university can manage security locally in each building without needing a single central security team that talks to every door, which is the full mesh problem. This makes the system scalable and easier to administer, just as confederations make large BGP networks manageable.

Why This Term Matters

BGP Confederations matter because they solve a real scalability problem in large networks. In any network with more than a handful of routers, the requirement for a full mesh of IBGP sessions becomes a massive administrative and resource burden. Each router must maintain a TCP session with every other router in the AS, which consumes CPU, memory, and bandwidth.

With hundreds of routers, the number of sessions can reach thousands, making configuration error-prone and troubleshooting difficult. BGP Confederations break this problem into smaller pieces, allowing network engineers to manage groups of routers independently while maintaining a consistent routing policy across the entire organization. This is particularly important for Internet Service Providers (ISPs) and large enterprises that operate backbone networks spanning multiple geographic regions or administrative domains.

Without confederations or an alternative like Route Reflectors, these networks would be unmanageable. Confederations also provide finer control over routing policy because each sub-AS can implement its own local policies, such as route filtering or preference adjustments, before passing routes to the larger confederation. This flexibility is valuable in multi-tenant environments, data centers, and cloud infrastructure where different departments or customers require distinct routing behaviour but must still appear as a single network to the outside.

From a career perspective, understanding BGP Confederations distinguishes a junior network engineer from a senior architect. Many enterprises still use confederations in legacy designs, and knowing how to configure, troubleshoot, and migrate them is a sought-after skill. For anyone pursuing Cisco certifications, particularly CCNP Enterprise or CCIE, confederations are a core topic that demonstrates deep knowledge of BGP internals.

In summary, this concept matters because it directly impacts the stability, scalability, and manageability of real-world routing infrastructures.

How It Appears in Exam Questions

In certification exams, BGP Confederations appear in several distinct question patterns. The first is conceptual multiple-choice questions that test your understanding of why confederations are used. For instance, a question might ask: Which BGP scalability technique divides an AS into smaller sub-AS numbers?

The correct answer is BGP Confederations, while distractors might include Route Reflectors, Communities, or Prefix Lists. Another common pattern asks about the difference between confederations and Route Reflectors. You might be given a scenario with network metrics and asked which technique preserves the NEXT_HOP attribute unchanged across sub-AS boundaries.

The answer is confederations, because confederation EBGP does not modify the next hop, whereas Route Reflectors do. Configuration questions expect you to identify the correct commands. For example: Which command is used to define the global AS number in a BGP confederation?

The answer is bgp confederation identifier 65000. You might also see a fill-in-the-blank or drag-and-drop question asking you to order the steps for configuring a confederation. Troubleshooting questions are common and often involve a network diagram.

A typical scenario: R1 in sub-AS 64510 is not learning routes from R3 in sub-AS 64520. The question provides partial show ip bgp output and asks for the root cause. Possible answers include missing neighbor command under BGP, incorrect sub-AS number in the neighbor statement, or missing bgp confederation peers list.

Another pattern tests your ability to interpret the AS_PATH output. You might see show ip bgp output showing AS_PATH [64510 64520] 100 and be asked which AS numbers are confederation sub-AS numbers versus global AS numbers. The correct interpretation is that values inside brackets are confederation sub-AS numbers, and values outside are global AS numbers.

Design questions appear in advanced exams, where you must choose the best scalability solution given network requirements. For example, a question may describe a large ISP with multiple regional divisions that each require independent routing policies but must appear as one AS externally. The best answer would be BGP Confederations, not Route Reflectors, because confederations allow policy control per sub-AS.

Finally, there are comparison questions: How does confederation EBGP differ from standard EBGP? Key points include: confederation EBGP does not change next hop, does not reset TTL to 1, and preserves MED, while standard EBGP does the opposite. Mastering these question patterns helps you tackle any BGP confederation problem on the exam.

Example Scenario

Imagine a global e-commerce company with offices in New York, London, and Tokyo. The company uses a single autonomous system AS 65000 for its entire network. Each office has a cluster of routers that need to exchange routing information.

Setting up a full mesh of IBGP sessions would require every router in New York to peer with every router in London and Tokyo, creating dozens of connections that are hard to manage. The network team decides to use BGP Confederations. They assign each office a private sub-AS number: New York gets sub-AS 64512, London gets 64513, and Tokyo gets 64514.

All routers within the New York office peer with each other using standard IBGP. Similarly, London and Tokyo routers peer internally. For communication between offices, routers use confederation EBGP.

For example, a border router in New York peers with a border router in London using the sub-AS numbers, not the global AS 65000. The NEXT_HOP attribute stays unchanged, so routing updates from London keep the original next hop IP, which avoids unnecessary routing issues. To the outside world, when this company advertises its networks to its ISP, the confederation AS numbers are stripped from the AS_PATH, so the ISP sees only AS 65000.

This makes the whole network appear as a single entity externally. In this scenario, the company benefits from reduced peering sessions, local policy control per office, and seamless external connectivity. If a problem occurs, such as London not receiving routes from Tokyo, the engineer checks the confederation peers list and the neighbor statements, ensuring that both sides have the correct sub-AS numbers configured.

This scenario is typical of what you might encounter in a real network or exam question.
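
The AS_PATH handling in this scenario can be traced hop by hop. The sketch below is an added example, not code from this page or from any router vendor; it follows the RFC 5065 rules for confederation segments, uses the scenario's AS numbers, and assumes a constructed ISP AS number (64496) and a simplified segment model.

```python
# AS_PATH handling across the New York / London / Tokyo confederation,
# following the RFC 5065 rules. Added illustration, not vendor code.
CONFED_ID = 65000                     # global AS from the scenario
MEMBER_AS = {64512, 64513, 64514}     # New York, London, Tokyo
ISP_AS = 64496                        # constructed documentation AS number

# An AS_PATH is modelled as a list of segments:
#   ("confed", [asns])  confederation sequence, visible only inside AS 65000
#   ("seq", [asns])     ordinary AS sequence


def advertise(path, local_sub_as, peer_as):
    """Return the AS_PATH a router in local_sub_as sends to a peer in peer_as."""
    path = [(kind, list(asns)) for kind, asns in path]   # work on a copy
    if peer_as == local_sub_as:
        return path                                       # IBGP: path untouched
    if peer_as in MEMBER_AS:
        # Confederation EBGP: prepend our sub-AS inside a confed segment.
        if path and path[0][0] == "confed":
            path[0][1].insert(0, local_sub_as)
        else:
            path.insert(0, ("confed", [local_sub_as]))
        return path
    # Real EBGP: strip confed segments, then prepend the global AS.
    path = [seg for seg in path if seg[0] != "confed"]
    if path and path[0][0] == "seq":
        path[0][1].insert(0, CONFED_ID)
    else:
        path.insert(0, ("seq", [CONFED_ID]))
    return path


def accepts(path, local_sub_as):
    """Loop prevention: reject a path whose confed segment lists our sub-AS."""
    return not any(kind == "confed" and local_sub_as in asns
                   for kind, asns in path)


def render(path):
    """Format the path with confed segments in this page's bracket notation."""
    parts = []
    for kind, asns in path:
        text = " ".join(str(a) for a in asns)
        parts.append(f"[{text}]" if kind == "confed" else text)
    return " ".join(parts)


def walk():
    """Follow a prefix originated in Tokyo through London and New York."""
    origin = []                                  # locally originated route
    to_london = advertise(origin, 64514, 64513)
    inside_london = advertise(to_london, 64513, 64513)
    to_new_york = advertise(inside_london, 64513, 64512)
    to_isp = advertise(to_new_york, 64512, ISP_AS)
    back_to_tokyo = advertise(to_new_york, 64512, 64514)
    return {
        "london": render(to_london),
        "london_ibgp": render(inside_london),
        "new_york": render(to_new_york),
        "isp": render(to_isp),
        "tokyo_accepts_return": accepts(back_to_tokyo, 64514),
    }


if __name__ == "__main__":
    for hop, value in walk().items():
        print(f"{hop:22} {value}")
```

The ISP receives only 65000, and Tokyo rejects its own prefix when it comes back with 64514 already in the confederation segment.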

Common Mistakes

Assuming that BGP Confederations change the NEXT_HOP attribute, just like Route Reflectors do.

In BGP Confederations, the NEXT_HOP attribute is preserved across sub-AS boundaries because the peering is similar to EBGP but with modified rules. Route Reflectors, on the other hand, do not change the NEXT_HOP only when the client and non-client are in the same AS. This distinction is critical for exam accuracy.

Remember that confederation EBGP does not modify next hop. It keeps the original next hop router IP, so there is no need for additional next-hop resolution steps between sub-AS.

Using the global AS number in neighbor statements for peering between sub-AS routers.

Peering between different sub-AS within a confederation must use the private sub-AS number, not the global confederation identifier. Using the global AS number would make the router think it is peering within the same IBGP, breaking the confederation logic.

Configure the neighbor remote-as command using the sub-AS number of the remote router, not the global AS. For example, if the global AS is 65000 and sub-AS is 64510, use neighbor 10.0.0.2 remote-as 64510.

Forgetting to include all sub-AS numbers in the bgp confederation peers list on every router.

Without listing the sub-AS numbers under the bgp confederation peers command, the router will not recognize that it is peering with a confederation member and will treat the session as standard EBGP, causing attribute inconsistencies and routing problems.

Under the BGP router configuration, add the command bgp confederation peers <sub-AS-numbers> with all relevant sub-AS numbers separated by spaces. For example: bgp confederation peers 64510 64520 64530.

Confusing the confederation identifier with the sub-AS number when configuring the bgp confederation identifier command.

The bgp confederation identifier is the global AS number that the entire network uses externally. If you mistakenly configure a sub-AS number as the identifier, external peers will see an incorrect or private AS, potentially causing reachability issues.

Set bgp confederation identifier to the actual public or private global AS number, such as 65000. Use separate sub-AS numbers (from private range) for each member sub-AS.

Assuming that confederation EBGP resets the TTL to 1, just like standard EBGP.

Standard EBGP sets the TTL to 1 for directly connected peers, but confederation EBGP does not reset the TTL. It uses the same TTL as IBGP, which is typically 255. This is because confederation peers are often not directly connected and may require multiple hops.

When configuring peering between sub-AS, use the neighbor ebgp-multihop command only if the peers are not directly connected. Remember that the TTL behaviour is like IBGP, not EBGP.

Exam Trap — Don't Get Fooled

A multiple-choice question asks: 'In a BGP confederation, which attribute is changed when a route crosses from one sub-AS to another?' The options include NEXT_HOP, AS_PATH, LOCAL_PREF, and MED. Many learners choose NEXT_HOP because they associate EBGP with next-hop change.

Memorise the key differences: confederation EBGP does not change next hop, does not reset TTL, and preserves MED. It only modifies the AS_PATH by adding sub-AS numbers in brackets. Practice configuration and verification commands to reinforce this behaviour.

Commonly Confused With

BGP Confederations vs Route Reflectors

Route Reflectors reduce IBGP peering by allowing a single router (the reflector) to re-advertise routes learned from one IBGP peer to others without a full mesh. Confederations divide the AS into sub-AS. The main difference is that Route Reflectors modify the NEXT_HOP attribute in certain cases, while confederations do not. Also, confederations provide sub-AS policy control, whereas Route Reflectors are simpler to configure but offer less granularity.

In a network with ten routers, a Route Reflector can reduce sessions from 45 to about 9, while a confederation with two sub-AS might reduce sessions similarly but allows each sub-AS to apply different routing policies.

BGP Confederations vs BGP Communities

BGP Communities are tags attached to routes to influence routing decisions, such as filtering or preference. They do not reduce peering sessions or change the AS structure. Confederations are a structural scalability method, while communities are a policy tool. They can work together, but they solve different problems.

If you want to mark routes from New York as preferred, you use a community string. If you want to break the network into smaller management units, you use a confederation.

BGP Confederations vs AS Confederation

These terms are often used interchangeably, but technically 'BGP Confederations' refers to the Cisco implementation of the concept defined in RFC 5065. Some literature uses 'AS Confederation' to mean the same thing. There is no practical difference; they describe the same mechanism of subdividing an AS.

Both terms describe the same configuration: you use bgp confederation identifier and bgp confederation peers.

Step-by-Step Breakdown

1. Identify the Need for Scalability

Determine that the number of IBGP peers in your autonomous system is too large to manage with a full mesh. This usually occurs when you have more than a handful of routers. Decide whether to use Route Reflectors, Confederations, or a combination. Confederations are chosen when you need sub-AS policy separation.

2. Assign Sub-AS Numbers

Divide your global AS into smaller sub-AS numbers, using private AS numbers from the range 64512 to 65534. Each sub-AS represents a group of routers that will form a full mesh internally. For example, sub-AS 64510 for the core, 64520 for the edge.

3. Configure the Confederation Identifier

On every router in the confederation, enter BGP router configuration mode and set the global AS using the bgp confederation identifier command. This must be the same on all routers and should match the AS number you use externally. For example: router bgp 64510 followed by bgp confederation identifier 65000.

4. List Confederation Peers

On each router, use the bgp confederation peers command followed by the sub-AS numbers of all other sub-AS in the confederation. This tells the router which sub-AS are part of the same confederation. For example: bgp confederation peers 64520 64530.

5. Configure IBGP Within Each Sub-AS

Set up full mesh IBGP peering among all routers inside the same sub-AS using the neighbor remote-as command with the local sub-AS number. For example, inside sub-AS 64510, all routers peer with remote-as 64510.

6. Configure Confederation EBGP Between Sub-AS

For each router that needs to peer with a router in another sub-AS, use the neighbor remote-as command with the remote sub-AS number. Also consider using neighbor ebgp-multihop if the peers are not directly connected. Ensure update-source is set to the correct interface if needed.

7. Verify and Troubleshoot

Use commands like show ip bgp summary, show ip bgp, and show ip bgp neighbors to verify that peering sessions are established. Check that routes are propagating correctly and that the AS_PATH shows confederation sub-AS numbers in brackets, like [64510 64520]. Troubleshoot any missing routes by checking the confederation peers list and neighbor configurations.
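
The checks in step 7 and the errors listed under Common Mistakes can be automated before a change is pushed. The script below is an added example, not part of the original page or any Cisco tool; the router names, neighbor addresses and configurations are constructed, and the sub-AS numbers are taken from the New York, London and Tokyo scenario.

```python
import re

# Constructed sample configs (not from real devices), using the sub-AS
# numbers of the New York / London / Tokyo scenario on this page.
CONFIGS = {
    "NY-BR1": """
router bgp 64512
 bgp confederation identifier 65000
 bgp confederation peers 64513 64514
 neighbor 10.0.12.2 remote-as 64513
 neighbor 10.0.1.2 remote-as 64512
""",
    "LON-BR1": """
router bgp 64513
 bgp confederation identifier 65000
 bgp confederation peers 64512
 neighbor 10.0.12.1 remote-as 64512
 neighbor 10.0.23.2 remote-as 64514
""",
    "TYO-BR1": """
router bgp 64514
 bgp confederation identifier 65000
 bgp confederation peers 64512 64513
 neighbor 10.0.23.1 remote-as 65000
""",
}


def parse(text):
    """Extract the confederation-relevant statements from one BGP config."""
    cfg = {"local_as": None, "identifier": None, "peers": set(), "neighbors": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"router bgp (\d+)", line):
            cfg["local_as"] = int(m[1])
        elif m := re.fullmatch(r"bgp confederation identifier (\d+)", line):
            cfg["identifier"] = int(m[1])
        elif m := re.fullmatch(r"bgp confederation peers ([\d ]+)", line):
            cfg["peers"].update(int(n) for n in m[1].split())
        elif m := re.fullmatch(r"neighbor (\S+) remote-as (\d+)", line):
            cfg["neighbors"][m[1]] = int(m[2])
    return cfg


def audit(configs):
    """Return sorted (router, finding) tuples for the mistakes listed above."""
    parsed = {name: parse(text) for name, text in configs.items()}
    member_as = {c["local_as"] for c in parsed.values()}   # every local sub-AS
    identifiers = {c["identifier"] for c in parsed.values()}
    findings = []
    for name, c in parsed.items():
        ident = c["identifier"]
        if ident is None:
            findings.append((name, "no bgp confederation identifier configured"))
        else:
            if len(identifiers) > 1:
                findings.append((name, f"identifier {ident} differs between routers"))
            if ident in member_as:
                findings.append((name, f"identifier {ident} is a sub-AS number"))
        for ip, remote in c["neighbors"].items():
            if remote == ident:
                # Peering with the global AS instead of the remote sub-AS.
                findings.append(
                    (name, f"neighbor {ip} uses the global AS {remote}, not a sub-AS"))
            elif (remote != c["local_as"] and remote in member_as
                  and remote not in c["peers"]):
                # Session would be treated as standard EBGP.
                findings.append(
                    (name, f"neighbor {ip} is in sub-AS {remote}, "
                           "missing from confederation peers"))
    return sorted(findings)


if __name__ == "__main__":
    for router, finding in audit(CONFIGS):
        print(f"{router}: {finding}")
```

On the sample input it flags London's peers list, which omits Tokyo's sub-AS, and Tokyo's neighbor statement, which uses the global AS.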

Practical Mini-Lesson

BGP Confederations are one of the two main methods for scaling IBGP in a large autonomous system, the other being Route Reflectors. In practice, network professionals must evaluate which method best fits their operational needs. Confucian wisdom says, 'choose the right tool for the job.'

Route Reflectors are easier to configure and are the default choice in many modern networks, especially when traffic engineering is not complex. However, confederations offer superior policy control because each sub-AS can have its own routing policies, such as different route redistribution rules, prefix filters, or local preference settings. This is particularly useful in service provider environments where different regions or business units require autonomy.

For instance, a global ISP might have separate sub-AS for North America, Europe, and Asia, each with distinct peering agreements and customer requirements. To configure a confederation, start with the global AS number using the bgp confederation identifier command. Then list all member sub-AS using bgp confederation peers.

Each router must be in one sub-AS, and within that sub-AS, IBGP full mesh is required. Peering between sub-AS uses the same neighbor commands but with the remote sub-AS number. A common mistake is forgetting to include the neighbor ebgp-multihop command when the peer routers are multiple hops away.

Since confederation EBGP does not set TTL to 1 by default, this command is needed for non-directly connected peers. Another practical consideration is the interaction with BGP attributes. As mentioned, NEXT_HOP is preserved, which can cause issues if routers in one sub-AS do not have a route to the next hop interface in another sub-AS.

This is often solved by ensuring that the underlying IGP (like OSPF or IS-IS) has routes to all loopback addresses used for peering. The AS_PATH attribute includes the sub-AS numbers in brackets, which are stripped before advertising to external EBGP peers. This is important for loop prevention within the confederation.

From a troubleshooting perspective, the show ip bgp command is your best friend. Look for the brackets in the AS_PATH column. If you see numbers without brackets, the confederation peer list might be missing or configured incorrectly.

Also verify that the BGP session state is 'Established' using show ip bgp summary. If a session is stuck in 'Active', check the reachability and the remote-as configuration. In a lab environment, you can practice by setting up three routers with two sub-AS, configure confederation, and observe how routes propagate.

Try to add a Route Reflector inside a sub-AS to see how both technologies can coexist. This combination is advanced but appears in CCIE labs. The key takeaway is that confederations give you scalability plus policy granularity, but they require more careful planning and configuration than Route Reflectors.

Mastery of confederations demonstrates a solid understanding of BGP internals and network design principles.

Memory Tip

Remember: 'Confederations keep the Next Hop, change AS_PATH, and use private sub-AS numbers.' This three-point rule covers the most exam-critical behaviours.

Frequently Asked Questions

What is a sub-AS in BGP Confederations?

A sub-AS is a smaller autonomous system created by dividing a larger AS. Each sub-AS uses a private AS number and maintains a full IBGP mesh internally. Routers in different sub-AS peer using confederation EBGP.

How does confederation EBGP differ from standard EBGP?

Confederation EBGP preserves the NEXT_HOP attribute, does not reset TTL to 1, and retains MED attributes. Standard EBGP changes next hop, sets TTL to 1, and resets MED. The AS_PATH in confederation uses bracketed sub-AS numbers.

Can I use Route Reflectors inside a BGP Confederation?

Yes, you can combine both. Route Reflectors can be used inside each sub-AS to further reduce IBGP sessions. This is an advanced design pattern tested in CCIE labs.

What is the bgp confederation identifier command used for?

The bgp confederation identifier command sets the global AS number that the confederation appears as to external peers. All routers in the confederation must use the same identifier.

Why are private AS numbers used for confederation sub-AS?

Private AS numbers (64512-65534) are used because they are not globally unique and will not conflict with public AS numbers. External peers never see these private numbers; they are stripped before external advertisement.

What happens if I forget the bgp confederation peers command?

Without bgp confederation peers, routers treat inter-sub-AS sessions as standard EBGP, leading to incorrect AS_PATH handling, next-hop changes, and potential routing loops. Routes may not propagate correctly or may be filtered.

How do I verify BGP Confederations are working?

Use show ip bgp and look for AS_PATH entries with brackets, like [64510 64520]. Also use show ip bgp summary to check that sessions with sub-AS numbers are in the Established state.

Are BGP Confederations still relevant in modern networks?

While Route Reflectors are more common, confederations are still used in networks requiring strict policy separation between regions or business units. They are also a key topic for CCNP and CCIE exams.

Summary

BGP Confederations provide a powerful method to scale IBGP by dividing a large autonomous system into smaller sub-AS, each with its own full mesh, while externally appearing as a single AS. This reduces the number of required peering sessions, simplifies management, and allows granular policy control per sub-AS. Key characteristics include preservation of the NEXT_HOP attribute, bracketing of sub-AS numbers in the AS_PATH, and the use of private AS numbers.

For certification exams, understand the differences between confederations and Route Reflectors, the specific configuration commands (bgp confederation identifier, bgp confederation peers), and common troubleshooting scenarios. Avoid mistakes like using the global AS for peering, forgetting the peers list, or thinking NEXT_HOP changes. Practice with lab simulations to cement your understanding.

This topic is tested in CCNP ENCOR, ENARSI, and CCIE exams, often in conceptual, configuration, and troubleshooting questions. Mastering BGP Confederations not only helps you pass exams but also equips you to design and manage large-scale routing infrastructures effectively.