Configure BGP ASN Sets

Published April 5, 2023 | Last modified March 14, 2025

Objective

This document provides instructions on how to create BGP Autonomous System Number (ASN) sets and apply them to service policies to control application traffic originating or reaching the Autonomous Systems identified by the ASNs in F5® Distributed Cloud Services. To know more about service policies, see Service Policy.

Using the instructions provided in this guide, you can create BGP ASN sets and configure a service policy to allow traffic for one ASN and drop for another ASN.

Prerequisites

The following prerequisites apply:

  • An F5 Distributed Cloud Account. If you do not have an account, see Getting Started with Console.

  • An application running on vK8s or deployed on an edge site. If you do not have an application running on vK8s or on an edge site, see vK8s Deployment.

  • ASN Standard supported: RFC 4893 - 4-byte BGP ASN nomenclature. Note that autonomous system dot notation (asdot) is used only for display.

Configuration

Configuration Sequence

Configuring BGP ASN sets and applying them in service policy requires performing the following sequence of actions:

PhaseDescription
Create BGP ASN SetsCreate BGP ASN sets from the security options in the F5 Distributed Cloud Console.
Create Service Policy RulesCreate a policy rule to permit traffic from one BGP ASN and drop traffic from another BGP ASN set.
Create a Service PolicyCreate a policy with the configured rules.

Create BGP ASN Sets

BGP can be viewed and managed in multiple services: Multi-Cloud Network Connect, Multi-Cloud App Connect, Web App & API Protection, Distributed Apps, and Shared Configuration.

This example shows BGP setup in Shared Configuration.

Step 1: Log into F5® Distributed Cloud Console, select Add BGP ASN set.
  • Open F5® Distributed Cloud Console homepage, select Shared Configuration box.
Figure: Homepage

Figure: Homepage

Note: Confirm Namespace feature, if available in service, is on correct namespace, drop-down selector located in upper-left corner.

  • Select Manage in left column menu > select Firewall > BGN ASN Sets.

Note: If options are not showing available select Advanced nav options visible Show link in bottom left corner. Select Hide to minimize options from Advanced nav options mode if needed.

  • Select Add BGN ASN set button.
Figure: F5® Distributed Cloud Console

Figure: F5® Distributed Cloud Console

Note: You can also change to load balancers and create the ASN set.

Step 2: Create BGN ASN Set.

  • Enter Name, enter Labels and Description as needed.

  • Enter AS Numbers in box in List of AS Numbers section.

Note: Enter the numbers of ASNs from which you want to allow traffic.

  • Select Add Item button to add more AS Numbers options.

  • Select Save and Exit button.

Step 3: Repeat Step 1 and 2 to create another BGP ASN set with the numbers of ASNs from which you want to block the traffic.

  • Repeat step 1: Log into F5® Distributed Cloud Console, select Add BGP ASN set.

  • Repeat step 2: Create BGN ASN Set.

  • Select traffic you want to block.

Create Service Policy Rules

Service policy rules are used in controlling the traffic based on various conditions. This example shows how to allow or reject traffic coming from specific ASNs. For more information on service policies and rules, see Create Service Policy Rule.

Step 1: Select location of where you want to create your Service Policy.

  • Select the namespace where you want to create your Service Policy. Select Security from the configuration menu and Network Security from the options pane. Select Service Policy Rules and select Add service policy rule. The policy rule creation form gets loaded.

  • Select Multi-Cloud Network Connect > Select Manage.

Figure: Homepage

Figure: Homepage

  • Select Firewall > Service Policies > Add Service Policy button.

  • Configure link in Rules box.

  • Select + Add Item button in Rules page.

  • Enter Name, enter Description as needed.

  • Select Configure link in Rules Specification box in new Rules page.

  • Select Allow in Action box.

  • Toggle Show Advanced Fields in Clients box in new page.

  • Select Source ASN Match drop-down menu.

    • Select BGN ASN Sets > + Select ASN Set button > check box of ASN or Add new BGN Asn set button.

    • Enter Name, AS Numbers > Continue button > Select ASN Set button.

    • Select ASN List option.

    • AS Numbers box appears.

    • Select Apply button.

Step 2: Enter a name and select Allow in Action box.

  • Enter name.

  • Select Allow in Action box.

Step 3: Select ASN Matcher to open the form to apply BGP ASN set. Select Select ASN set, and select the set you created in the Create BGP ASN Sets chapter.

  • Select ASN Matcher.

  • Select ASN set created from BGP ASN Set setup.

Figure: Service Policy Rule AS Matcher

Figure: Service Policy Rule AS Matcher

Step 4: Select Select ASN set, and Apply to apply the ASN set to the service policy rule.

  • Select ASN set.

  • Apply ASN set to Service policy rule.

Step 5: Select Add service policy rule to complete creating service policy rule.

  • Select Add service policy rule.

  • Enter info as needed.

Step 6: Repeat Step 1 to Step 5.

  • Repeat Step 1 to Step 5 for creating a rule to block traffic from the second ASN set created in the Create BGP ASN Sets chapter.

  • Ensure that you set the Action as Deny.

Create a Service Policy

Service policies apply rules in the order as per the specified configuration. For more information on service policies, see Configure Service Policy.

Step 1: Select location of Service Policy Rule.

  • Select the same namespace where you created your service policy rule.

  • Select Security from the configuration menu and Network Security from the options pane.

  • Select Service Policies and select Add service policy.

  • Policy creation form gets loaded.

Step 2: Enter a name for the policy, and set First Rule Match for the Rule Combining Algorithm field.

  • Enter name for policy.

  • Set First Rule Match in Rule Combining Algorithm box.

Step 3: Select rule, and add the rules created in the Create Service Policy Rules chapter.

  • Select rule.

  • Add rules created in Create Service Policy Rules chapter.

  • Select rule.

Note: It is recommended to first add the rule that allows traffic from Autonomous Systems and then add the rule that drops traffic from the other set of Autonomous Systems.

Step 4: Select Add service policy to complete service policy creation.

  • Select Add service policy.

  • Complete service policy creation.

Note: You can use other fields of service policy creation such as Server Name Matcher for granular control. For more information, see Configure Service Policy.

You can use this policy in a service policy set and apply the BGP ASN sets to control your application traffic. For more information on service policy set configuration, see Configure Service Policy Set.

Concepts

API References

On this page: