Configure BGP on an Advanced Routing Engine
Configure BGP for a logical router on an Advanced Routing Engine.
Perform the following task to configure BGP for a logical router on an Advanced Routing Engine.
Before you configure BGP, consider the many useful routing profiles and filters that you can apply to BGP peer groups, peers, redistribution rules, and aggregate route policies, and thereby save configuration time and maintain consistency. You can create profiles and filters in advance or as you progress through configuring BGP.
- Enable BGP and configure general BGP settings.
- Select Network > Routing > Logical Routers and select a logical router.
- Select BGP > General and Enable BGP for this logical router.
- Assign a Router ID to BGP for the logical router, which is typically an IPv4 address to ensure the Router ID is unique.
- Assign the Local AS, which is the number of the AS to which the logical router belongs; range is 1 to 4,294,967,295.
- If you want to apply BFD to BGP, for Global BFD Profile select a BFD profile you created, or select the default profile, or create a new BFD profile; default is None (Disable BFD).
- Select Install Route to install learned BGP routes into the global routing table; default is disabled.
- Select Fast Failover to have BGP terminate a session with an adjacent peer if the link to that peer goes down, without waiting for the Hold Time to expire; default is enabled.
- Select Graceful Shutdown to have BGP lower the preference of eBGP peering links during a maintenance operation so that BGP can choose and propagate alternative paths, based on RFC 8326; default is disabled.
- Select ECMP Multiple AS Support if you configured ECMP and you want to run ECMP over multiple BGP autonomous systems; default is disabled.
- Select Enforce First AS to cause the firewall to drop an incoming Update packet from an eBGP peer that does not list the eBGP peer’s own AS number as the first AS number in the AS_PATH attribute; default is enabled.
- Specify the Default Local Preference that can be used to determine preferences among different paths; range is 0 to 4,294,967,295; default is 100.
- Enable Graceful Restart and configure the following timers:
- Stale Route Time (sec)—Specifies the length of time, in seconds, that a route can stay in the stale state (range is 1 to 3,600; default is 120).
- Max Peer Restart Time (sec)—Specifies the maximum length of time, in seconds, that the local device accepts as a grace period restart time for peer devices (range is 1 to 3,600; default is 120).
- Local Restart Time—Specifies the length of time, in seconds, that the local device waits to restart. This value is advertised to peers (range is 1 to 3,600; default is 120).
- For Path Selection:
- Always Compare MED—Enable this comparison to choose paths from neighbors in different autonomous systems; default is disabled.
- Deterministic MED Comparison—Enable this comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same autonomous system); default is enabled.
- Click OK.
- Configure a BGP peer group.
- Select Routing > Logical Routers and select a logical router.
- Select BGP > Peer Group and Add a BGP peer group by Name (maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed. The name must be unique within the logical router and across all logical routers.
- Enable the peer group.
- Select the Type of peer group: IBGP or EBGP.
- To specify many IPv4 Address Family options for the peer group, select an AFI Profile that you created, select the default profile, or create a new BGP Address Family profile; the default is None.
- To specify many IPv6 Address Family options for the peer group, select an AFI Profile that you created, select the default profile, or create a new BGP Address Family profile; the default is None.
- To apply IPv4 Filtering Profile options to the peer group, select a BGP Filtering Profile that you created or create a new BGP Filtering profile; the default is None. A BGP Filtering Profile describes how to configure many BGP options for IPv4, such as import or export BGP routes, accept or prevent routes being added to the local BGP RIB, conditionally advertise routes, and unsuppress dampened or summarized routes.
- To apply IPv6 Filtering Profile options to the peer group, select a BGP Filtering Profile that you created or create a new BGP Filtering profile; the default is None. A BGP Filtering Profile describes how to configure many BGP options for IPv6, such as import or export BGP routes, accept or prevent routes being added to the local BGP RIB, conditionally advertise routes, and unsuppress dampened or summarized routes.
- For Connection Options, select an Auth Profile or create a new BGP Authentication profile to control MD5 authentication between BGP peers in the peer group. Default is None.
- Select a Timer Profile or create a new BGP Timer Profile to control various BGP timers that affect keepalive and update messages that advertise routes. Default is None.
- Set Multi Hop—the time-to-live (TTL) value in the IP header (range is 0 to 255; default is 0). The default value of 0 means 1 for eBGP. The default value of 0 means 255 for iBGP.
- Select a Dampening Profile or create a new Dampening Profile to determine how to penalize a flapping route to suppress it from being used until it stabilizes. Default is None.
- Add a BGP peer to the peer group.
- Add a peer by Name (maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed. The name must be unique within the logical router and across all logical routers.
- Enable the peer; default is enabled.
- Select Passive to prevent the peer from initiating a session with its neighbors; default is disabled.
- Enter the Peer AS to which the peer belongs; range is 1 to 4,294,967,295.
- Select Addressing and select whether the peer will Inherit IPv4 and IPv6 AFI and filtering profiles from the peer group: Yes (default) or No.
- If you chose Yes, specify the following for the peer:
- For Local Address, select the Interface for which you are configuring BGP. If the interface has more than one IP address, select the IP Address for that interface to be the BGP peer.
- For Peer Address, select either IP and select the IP address or select or create an address object, or select FQDN and enter the FQDN or address object that is type FQDN.
The firewall uses only one IP address (from each IPv4 or IPv6 address type) from the DNS resolution of the FQDN. If the DNS resolution returns more than one address, the firewall uses the preferred IP address that matches the IP family type (IPv4 or IPv6) configured for the BGP peer. The preferred IP address is the first address the DNS server returns in its initial response. The firewall retains this address as preferred as long as the address appears in subsequent responses regardless of its order.
- If you chose No for Inherit addressing from the peer group, specify the following for the peer:
- To specify many IPv4 Address Family options for the peer, select an AFI Profile that you created, select the default profile, select inherit (Inherit from Peer-Group), or create a new BGP Address Family profile; the default is none (Disable IPv4 AFI). The AFI Profile allows you to specify that the peer is a Route Reflector client. The Route Reflector reflects all the advertisements from all its peers to all the other peers, thus avoiding the need for the iBGP to be fully meshed. If you declare the peer a Route Reflector client, the BGP process reflects all of the updates to that peer.
- To specify many IPv6 Address Family options for the peer, select an AFI Profile that you created, select inherit (Inherit from Peer-Group), or create a new BGP Address Family profile; the default is none (Disable IPv6 AFI). The AFI Profile allows you to specify that the peer is a Route Reflector client. The Route Reflector reflects all the advertisements from all its peers to all the other peers, thus avoiding the need for the iBGP to be fully meshed. If you declare the peer a Route Reflector client, the BGP process reflects all of the updates to that peer.
- To apply IPv4 Filtering Profile options to the peer, select a BGP Filtering Profile that you created, select inherit (Inherit from Peer-Group), or create a new BGP Filtering profile; the default is none (Disable IPv4 Filtering).
- To apply IPv6 Filtering Profile options to the peer, select a BGP Filtering Profile that you created, select inherit (Inherit from Peer-Group), or create a new BGP Filtering profile; the default is none (Disable IPv6 Filtering).
- For Local Address, select the Interface for which you are configuring BGP. If the interface has more than one IP address, select the IP Address for that interface to be the BGP peer.
- For Peer Address, select either IP and select the IP address or select or create an address object, or select FQDN and enter the FQDN or address object that is type FQDN.
A BGP peer group (or a peer) can have both an IPv4 Address Family profile and an IPv6 Address Family profile applied to it. All peers belonging to that peer group will automatically have Addressing set to Inherit No. All peers in the peer group will also have IPv4 Address Family profile, IPv6 Address Family profile, IPv4 Filtering Profile, and IPv6 Filtering Profile set to none by default. In order for routing to function properly, the peering interface must have both an IPv4 address and IPv6 address assigned. You can select inherit (Inherit from Peer-Group) or override the peer group by selecting a specific profile for the peer. For example, you can configure a peer to inherit the IPv4 Address Family profile and inherit the IPv4 Filtering Profile, and select an IPv6 Address Family profile and IPv6 Filtering Profile to override those profiles from the peer group.
- Select Connection Options for the peer in order to apply settings that differ from those of the peer group.
- Select an Auth Profile, inherit (Inherit from Peer-Group) (the default), or create a new BGP Authentication profile to control MD5 authentication between BGP peers.
- Select a Timer Profile, inherit (Inherit from Peer-Group) (the default), create a new BGP Timer Profile, or select the default profile to control various BGP timers that affect keepalive and update messages that advertise routes.
- Set Multi Hop, which is the time-to-live (TTL) value in the IP header (range is 0 to 255). The default setting is inherit (Inherit from Peer-Group).
- Select a Dampening Profile, inherit (Inherit from Peer-Group) (the default), or create a new Dampening Profile to determine how to penalize a flapping route to suppress it from being used until it stabilizes.
- Select Advanced and Enable Sender Side Loop Detection to have the firewall check the AS_PATH attribute of a route in its FIB before it sends the route in an Update, to ensure that the peer AS number is not on the AS_PATH list. If it is, the firewall removes the AS number to prevent a routing loop.
- To apply a BFD Profile to the peer (which overrides the BFD setting for BGP, as long as BFD is not disabled for BGP at the logical router level), select one of the following:
- The default profile.
- An existing BFD profile.
- Inherit-lr-global-setting (Inherit Protocol’s Global BFD Profile) (default)—Peer inherits the BFD profile that you selected globally for BGP for the logical router.
- None (Disable BFD) for the peer.
- Click OK.
- Specify network prefixes to advertise to neighbors. The Network functionality is especially helpful after moving a firewall to a different subnet or after a temporary change in a network.
- Select Network.
- Select Always Advertise Network Route (default is enabled) to always advertise the configured network routes to BGP peers, regardless of whether they are reachable or not. If this is unchecked, the firewall advertises the network routes only if they are resolved using the local route table.
- Select IPv4 or IPv6 to select the type of prefix.
- Add a Network prefix to advertise to neighbors.
- Select Unicast to advertise this network route in the Unicast Address Family; default is enabled. If unchecked, the firewall does not advertise the route in the Unicast SAFI.
- (IPv4 only) Select Multicast to advertise this network route into the Multicast Address Family. Default is disabled; the firewall does not advertise this network route in the Multicast SAFI.
- (IPv4 only) Select Backdoor to prevent BGP from advertising the prefix outside of the AS and instead to keep the route within the AS. A backdoor is a BGP route that has a higher administrative distance than an IGP route. Internally, the administrative distance for the prefix is increased so that the prefix isn’t preferred, but is still available if needed, in the event of a link failure elsewhere. Default is disabled.
- Redistribute static, connected, OSPF, OSPFv3, or RIPv2 routes into BGP. Within a BGP Redistribution Profile, use the flexibility of route maps to specify conditions that determine which routes to redistribute and to specify which attributes to set.
- Select Redistribution.
- To redistribute IPv4 routes, for IPv4 Redistribution Profile -- Unicast, select a BGP Redistribution profile or create a new Redistribution profile; default is None.
- To redistribute IPv6 routes, for IPv6 Redistribution Profile -- Unicast, select a BGP Redistribution profile or create a new Redistribution profile; default is None.
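
The Enforce First AS setting in the general BGP settings drops an eBGP Update whose AS_PATH does not begin with the peer's own AS number. The following added example (not the firewall's own code) decodes an AS_PATH attribute value and applies that check. It assumes 4-octet AS numbers, matching the 1 to 4,294,967,295 range on this page, and treats a malformed path as failing; the function names and sample paths are constructed for illustration.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # AS_PATH segment types (RFC 4271)

def segment(seg_type: int, asns: list[int]) -> bytes:
    """Encode one AS_PATH segment with 4-octet AS numbers."""
    return bytes([seg_type, len(asns)]) + struct.pack(f"!{len(asns)}I", *asns)

def parse_as_path(value: bytes) -> list[tuple[int, list[int]]]:
    """Decode an AS_PATH attribute value into (segment type, [ASNs]) pairs."""
    segments, offset = [], 0
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[offset], value[offset + 1]
        offset += 2
        # Confederation segment types are not expected from an eBGP peer.
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unexpected segment type {seg_type}")
        end = offset + 4 * count
        if count == 0 or end > len(value):
            raise ValueError("bad segment length")
        asns = list(struct.unpack(f"!{count}I", value[offset:end]))
        segments.append((seg_type, asns))
        offset = end
    return segments

def passes_enforce_first_as(value: bytes, peer_as: int) -> bool:
    """True if the leftmost AS in the path is the eBGP peer's own AS."""
    try:
        segments = parse_as_path(value)
    except ValueError:
        return False  # assumption: a malformed path fails the check
    if not segments:
        return False  # an eBGP Update should carry at least the peer's AS
    seg_type, asns = segments[0]
    return seg_type == AS_SEQUENCE and asns[0] == peer_as

# Constructed samples: eBGP peer in AS 64500 (documentation AS numbers).
PEER_AS = 64500
SAMPLES = {
    "peer AS first": segment(AS_SEQUENCE, [64500, 64501]),
    "peer AS not first": segment(AS_SEQUENCE, [64501, 64500]),
    "starts with AS_SET": segment(AS_SET, [64500]) + segment(AS_SEQUENCE, [64501]),
    "truncated segment": segment(AS_SEQUENCE, [64500, 64501])[:-2],
}

if __name__ == "__main__":
    for label, path in SAMPLES.items():
        print(label, "accept" if passes_enforce_first_as(path, PEER_AS) else "drop")
```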
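
The preferred-address rule for a peer configured by FQDN (first address of the initial DNS response, kept while it still appears in later responses) can be modeled as below. This is an added example, not the firewall's implementation: the class and function names and the sample responses are constructed, and the fallback used when the preferred address disappears is an assumption, since the page does not describe that case.

```python
import ipaddress


class PreferredPeerAddress:
    """Preferred address for one peer FQDN and one IP family (4 or 6)."""

    def __init__(self, family: int):
        if family not in (4, 6):
            raise ValueError("family must be 4 or 6")
        self.family = family
        self.preferred = None

    def update(self, answers: list[str]):
        """Apply one DNS response (addresses in the order the server sent)."""
        same_family = [
            ip for ip in map(ipaddress.ip_address, answers)
            if ip.version == self.family
        ]
        if self.preferred in same_family:
            return self.preferred  # still listed: keep it, whatever its position
        # Assumption: once the preferred address is no longer returned, take the
        # first same-family address of this response (the page does not say).
        self.preferred = same_family[0] if same_family else None
        return self.preferred


def replay(family: int, responses: list[list[str]]) -> list:
    """Return the address in use after each response, as strings or None."""
    tracker = PreferredPeerAddress(family)
    used = [tracker.update(r) for r in responses]
    return [str(ip) if ip is not None else None for ip in used]


# Constructed responses for a hypothetical peer FQDN (documentation ranges).
RESPONSES = [
    ["192.0.2.10", "192.0.2.20", "2001:db8::1"],  # initial response
    ["192.0.2.20", "192.0.2.10"],                 # reordered, no IPv6 answer
    ["192.0.2.20", "2001:db8::2"],                # 192.0.2.10 no longer returned
]

if __name__ == "__main__":
    print("IPv4:", replay(4, RESPONSES))
    print("IPv6:", replay(6, RESPONSES))
```

Replaying recorded DNS answers this way shows when a change in resolution would move the BGP session to a different peer address.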