Create BGP Routing Profiles
Use BGP routing profiles to easily configure settings and route redistribution.

On an Advanced Routing Engine, BGP has many settings that you can easily configure in a profile and then apply to a BGP peer group or peer or to redistribution rules. Reuse profiles to apply them to multiple logical routers and virtual systems. Create multiple profiles of the same type to handle different peer groups and peers differently. BGP peer groups and peers inherit global profiles; you can also create a profile for a BGP peer group to override the global profile, and create a profile for a BGP peer, which overrides the profile for the peer group to which the peer belongs.

This topic describes the BGP routing profiles and how to create them.
- BGP Authentication Profiles—Specify the Secret key for MD5 authentication, which is used between BGP peers during negotiation to determine whether they can communicate with each other. Reference the profile in a BGP peer group or peer configuration.
- BGP Timer Profiles—Control various BGP timers that affect keepalive and update messages that advertise routes. Reference the profile in a BGP peer group or peer configuration.
- BGP Address Family Profiles—Determine the behavior of IPv6 or IPv4 when a BGP autonomous system uses both types of address. Reference the profile in a BGP peer group or peer configuration.
- BGP Dampening Profiles—Determine how to penalize a flapping route to suppress it from being used until it stabilizes. Reference the profile in a BGP peer group or peer configuration.
- BGP Redistribution Profiles—Redistribute static, connected, OSPF, OSPFv3, or RIP routes (that meet the criteria of the assigned route map) into BGP and apply the route map Set attributes to the redistributed routes. Reference the profile on Network > Routing > Logical Routers > BGP > Redistribution.
- BGP Filtering Profiles—Simultaneously apply multiple filters to a peer group or peer to do the following:
  - Accept routes that came from a specific AS Path (based on the AS Path access list).
  - Advertise routes that have a specific AS Path (based on the AS Path access list).
  - Accept routes to the local BGP RIB based on either a distribute list or a prefix list (not both in the same Filtering Profile). A distribute list is based on a source IP address with a wildcard mask to get a prefix range. A prefix list is based on network address/prefix length.
  - Advertise routes from the local BGP RIB based on a distribute list or a prefix list (not both in the same Filtering Profile).
  - Accept routes that meet route map attribute criteria into the local BGP RIB, and optionally set attributes.
  - Advertise routes that meet route map attribute criteria, and optionally set attributes.
  - Conditionally advertise routes that exist (satisfy exist criteria).
  - Conditionally advertise routes other than those that meet criteria (satisfy non-exist criteria).
  - Unsuppress dampened or summarized routes.
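The difference between the two match styles named above (distribute list with wildcard mask versus prefix list with network/prefix length), as an added Python illustration that is not PAN-OS code; the list entries are constructed and the function names are hypothetical.

```python
# Added example: the two route-matching styles a BGP Filtering profile can use
# (distribute list vs prefix list). Not PAN-OS code; names and entries are hypothetical.
import ipaddress


def distribute_list_match(route, entries):
    """Distribute list: (address, wildcard mask, action). Wildcard bits set to 1 are
    ignored and bits set to 0 must match the route's network address, so one entry
    covers a whole range of networks whatever their prefix length. First match wins."""
    net = ipaddress.ip_network(route, strict=False)
    addr = int(net.network_address)
    for address, wildcard, action in entries:
        base = int(ipaddress.ip_address(address))
        wild = int(ipaddress.ip_address(wildcard))
        if (addr ^ base) & ~wild == 0:      # bits may differ only where the wildcard is 1
            return action == "permit"
    return False                            # implicit deny at the end of the list


def prefix_list_match(route, entries):
    """Prefix list: (network/prefix-length, action). A route matches only the exact
    network and prefix length (length ranges such as ge/le are not modelled here)."""
    net = ipaddress.ip_network(route, strict=False)
    for prefix, action in entries:
        if net == ipaddress.ip_network(prefix):
            return action == "permit"
    return False


if __name__ == "__main__":
    # constructed entries: both are meant to describe "the 10.1.0.0/16 space"
    dist = [("10.1.0.0", "0.0.255.255", "permit")]
    pfx = [("10.1.0.0/16", "permit")]
    for route in ("10.1.0.0/16", "10.1.5.0/24"):
        print(route, distribute_list_match(route, dist), prefix_list_match(route, pfx))
    # 10.1.0.0/16 -> True True; 10.1.5.0/24 -> True False: the distribute list admits
    # every more-specific inside the range, the prefix list admits only the exact prefix
```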
- Create a BGP Authentication profile.
  - Select Network > Routing > Routing Profiles > BGP.
  - Add a BGP Auth Profile by Name (a maximum of 63 characters) to identify the profile. The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
  - Enter the Secret and Confirm Secret. The Secret is used as a key in MD5 authentication.
  - Click OK.
- Create a BGP Timer profile.
  - Select Network > Routing > Routing Profiles > BGP.
  - In the BGP Timer Profiles window, select the default BGP Timer Profile to see the default profile settings.
  - If the default BGP Timer Profile settings are not what you need, Add a BGP Timer Profile by Name (a maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
  - Set the Keep Alive Interval (sec)—the interval, in seconds, at which the BGP speaker sends Keepalives to the peer (range is 0 to 1,200; default is 30). If no Keepalive is received from a peer during a Hold Time interval, the BGP peering is closed. Often, the Hold Time is three times the Keep Alive Interval to allow for three missed Keepalives before the BGP peering is brought down.
  - Set the Hold Time (sec)—the length of time, in seconds, that may elapse between successive Keepalive or Update messages from the peer before the peer connection is closed (range is 3 to 3,600; default is 90).
  - Set the Reconnect Retry Interval—the number of seconds to wait in the Idle state before retrying the connection to the peer (range is 1 to 3,600; default is 15).
  - Set the Open Delay Time (sec)—the number of seconds of delay between opening the TCP connection to the peer and sending the first BGP Open message to establish a BGP connection (range is 0 to 240; default is 0).
  - Set the Minimum Route Advertise Interval (sec)—the minimum amount of time, in seconds, that must elapse between successive advertisements or withdrawals of routes to a particular destination by a BGP speaker to a peer (range is 1 to 600; default is 30).
  - Click OK.
- To use MP-BGP, create a BGP Address Family Identifier (AFI) profile of shared attributes.
  - Select Network > Routing > Routing Profiles > BGP.
  - Add a BGP Address Family Profile by Name (a maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
  - Select IPv4 or IPv6 AFI to specify the type of profile.
  - Select unicast or multicast. Multicast is supported only for an IPv4 AFI profile.
  - On the unicast tab, Enable SAFI to enable the unicast SAFI for the profile. On the multicast tab, Enable SAFI to enable the multicast SAFI for the profile. If Enable SAFI is checked for both unicast and multicast, both SAFIs are enabled. At least one SAFI must be enabled for the BGP profile to be valid.
  - Select Soft reconfiguration of peer with stored routes to cause the firewall to perform a soft reset of itself after the settings of any of its BGP peers are updated. (Enabled by default.)
  - Advertise all paths to peers—Select to have BGP advertise all known paths to neighbors in order to preserve multipath capabilities inside a network.
  - Advertise the bestpath for each neighboring AS—Select to have BGP advertise the best known paths to neighbors in order to preserve multipath capabilities inside a network. Disable this if you want to advertise the same path to all autonomous systems.
  - Override ASNs in outbound updates if AS-Path equals Remote-AS—This setting is helpful if you have multiple sites belonging to the same AS number (AS 64512, for example) and there is another AS between them. A router between the two sites receives an Update advertising a route that can access AS 64512. To avoid the second site dropping the Update because it is also in AS 64512, the intermediate router replaces AS 64512 with its own AS number (ASN), AS 64522, for example.
  - Enable Route Reflector Client to make the BGP peer a Route Reflector client in an IBGP network.
  - Originate Default Route—Select to generate a default route and place it in the local BGP RIB.
  - Default Originate Route-Map—Select or create a route map to control the attributes of the default route.
  - Allow AS in:
    - Origin—Accept routes even if the firewall’s own AS is present in the AS_PATH.
    - Occurrence—Number of times the firewall’s own AS can be in the AS_PATH.
    - None—(default setting) No action taken.
  - Number Prefixes—Maximum number of prefixes to accept (learn) from the peer. Range is 1 to 4,294,967,295; default is 1,000.
  - Threshold—Percentage of the maximum number of prefixes. Prefixes are added to the BGP local RIB; if the peer advertises more than the threshold, the firewall takes the specified action (Warning Only or Restart). Range is 1 to 100; default is 100.
  - Action—Warning Only (a message in the system logs) or Restart (the BGP peer connection) after the maximum number of prefixes is exceeded.
  - Select the Next Hop:
    - Self—Causes the firewall to change the Next Hop address (in Updates it receives) to its own IP address in the Update before sending it on. This is helpful when the firewall is communicating with an EBGP router (in another AS) and with an IBGP router (in its own AS). For example, suppose the Next Hop address in a BGP Update that arrives at AS 64512 is the IP address of the egress interface of Router 2 where the Update egressed AS 64518. The Update indicates that to reach networks that Router 2 is advertising, use the Next Hop address of Router 2. However, if the firewall sends that Update to an iBGP neighbor in AS 64512, the unchanged Next Hop of Router 2 is outside AS 64512 and the iBGP neighbor does not have a route to it. When you select Self, the firewall changes the Next Hop to its own IP address so that an iBGP neighbor can use that Next Hop to reach the firewall, which in turn can reach the eBGP router.
    - Self Force—Force the Next Hop to self for reflected routes as well.
    - None—(default setting) Keep the original Next Hop in the attribute.
  - To have BGP remove private AS numbers from the AS_PATH attribute in Updates that the firewall sends to a peer in another AS, in Remove Private AS, select one of the following:
    - All—Remove all private AS numbers.
    - Replace AS—Replace all private AS numbers with the firewall’s AS number.
    - None—(default setting) No action taken.
  - For Send Community, select the type of BGP community attribute to send in outbound Update packets:
  - For ORF List—Advertise the ability of the peer group or peer to send a prefix list and/or receive a prefix list to implement outbound route filtering (ORF) at the source, and thereby minimize sending or receiving unwanted prefixes in Updates. Select an ORF capability setting:
    - none—(default setting) The peer group or peer (where this AFI profile is applied) has no ORF capability.
    - both—Advertise that the peer group or peer (where this AFI profile is applied) can send a prefix list and receive a prefix list to implement ORF.
    - receive—Advertise that the peer group or peer (where this AFI profile is applied) can receive a prefix list to implement ORF. The local peer receives the remote peer’s ORF capability and prefix list, which it implements as an outbound route filter.
    - send—Advertise that the peer group or peer (where this AFI profile is applied) can send a prefix list to implement ORF. The remote peer (with receive capability) receives the ORF capability and implements the prefix list it received as an outbound route filter when advertising routes to the sender.

    ORF is a solution to two potential problems: a) wasting bandwidth by advertising unwanted routes and b) filtering route prefixes that perhaps the receiving peer wants. Implement ORF by doing the following:
    - Specify ORF capability in the Address Family profile.
    - For a peer group or peer that is a sender (send or both capability), create a prefix list containing the set of prefixes the peer group/peer wants to receive.
    - Create a BGP Filtering profile and in the Inbound Prefix List, select the prefix list you created.
    - For the BGP peer group, select the Address Family profile you created to apply it to the peer group. In the case of the sender, also select the Filtering Profile you created (which indicates the prefix list). If the peer group or peer is an ORF receiver only, it does not need the Filtering Profile; it needs only the Address Family profile to indicate ORF receive capability.
  - Click OK.
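The AS_PATH handling that the Allow AS in, Override ASNs and Remove Private AS settings above describe, as an added Python model that is not PAN-OS code: it assumes the RFC 6996 private ASN ranges, reads Origin as tolerating the firewall's own AS only in the originating (last) position and Occurrence as a count limit (semantics modelled on FRR's allowas-in, an assumption), and all function names are hypothetical.

```python
# Added example: models the AS_PATH options of a BGP Address Family profile
# (Allow AS in, Override ASNs, Remove Private AS). Not PAN-OS code; names are hypothetical.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))  # RFC 6996


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def remove_private_as(as_path, local_as, mode):
    """Outbound Update to a peer in another AS. 'All' strips private ASNs,
    'Replace AS' swaps them for the firewall's own ASN, 'None' leaves the path alone."""
    if mode == "None":
        return list(as_path)
    if mode == "All":
        return [asn for asn in as_path if not is_private_asn(asn)]
    if mode == "Replace AS":
        return [local_as if is_private_asn(asn) else asn for asn in as_path]
    raise ValueError(f"unknown Remove Private AS mode: {mode}")


def as_override(as_path, remote_as, local_as):
    """Override ASNs in outbound updates: the page's scenario, where the router in the
    middle replaces the peer's own AS (64512) with its own (64522) so the peer does
    not discard the Update as an AS_PATH loop."""
    return [local_as if asn == remote_as else asn for asn in as_path]


def accept_inbound(as_path, local_as, mode="None", occurrence=1):
    """Loop check on a received AS_PATH. 'None': any hit on the firewall's own AS is a
    loop and the route is rejected. 'Origin': a single hit is tolerated only in the
    originating (last) position. 'Occurrence': up to `occurrence` hits are tolerated.
    (Assumed semantics, modelled on FRR's allowas-in.)"""
    hits = as_path.count(local_as)
    if mode == "None":
        return hits == 0
    if mode == "Origin":
        return hits == 0 or (hits == 1 and as_path[-1] == local_as)
    if mode == "Occurrence":
        return hits <= occurrence
    raise ValueError(f"unknown Allow AS in mode: {mode}")


if __name__ == "__main__":
    path = [64512, 64497, 4200000000]        # constructed AS_PATH with two private hops
    print(remove_private_as(path, 64496, "All"))            # [64497]
    print(remove_private_as(path, 64496, "Replace AS"))     # [64496, 64497, 64496]
    print(as_override([64512, 64497], 64512, 64522))        # [64522, 64497]
    print(accept_inbound([64497, 64512], 64512, "Origin"))  # True
```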
- Create a BGP Dampening Profile.
  - Select Network > Routing > Routing Profiles > BGP.
  - Add a BGP Dampening Profile by Name. The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
  - Enter a helpful Description.
  - Suppress Limit—Enter the suppress value (the cumulative value of the penalties for flapping) at which all the routes coming from a peer are dampened. Range is 1 to 20,000; default is 2,000.
  - Reuse Limit—Enter the value that controls when a route can be reused, based on the procedure described for Half Life. Range is 1 to 20,000; default is 750.
  - Half Life (min)—Enter the number of minutes for the half life time to control the stability metric (penalty) applied to a flapping route. Range is 1 to 45; default is 15. The stability metric starts at 1,000. After a penalized route stabilizes, the half life timer counts down until it expires, at which point the next stability metric applied to the route is only half of the previous value (500). Successive cuts continue until the stability metric is less than half of the Reuse Limit, and then the stability metric is removed from the route.
  - Maximum Suppress Time (min)—Enter the maximum number of minutes a route can be suppressed, regardless of how unstable it has been. Range is 1 to 255; default is 60.
  - Click OK.
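The dampening arithmetic described above, carried through with the profile defaults (Suppress Limit 2,000, Reuse Limit 750, Half Life 15 min, Maximum Suppress Time 60 min, 1,000 per flap) as an added Python simulation that is not PAN-OS code; it assumes a continuous exponential decay and an event model, and its names are hypothetical.

```python
# Added example: route-flap dampening arithmetic with the profile values above
# (Suppress Limit 2,000, Reuse Limit 750, Half Life 15 min, Maximum Suppress Time 60 min,
# 1,000 per flap). Not PAN-OS code; the event model and names are hypothetical.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DampeningProfile:
    suppress_limit: float = 2000.0   # page default
    reuse_limit: float = 750.0       # page default
    half_life_min: float = 15.0      # page default
    max_suppress_min: float = 60.0   # page default


FLAP_PENALTY = 1000.0  # stability metric added per flap ("starts at 1,000")


def decay(penalty, minutes, half_life):
    """Exponential decay: the penalty halves once per half life."""
    return penalty * 0.5 ** (minutes / half_life)


def penalty_at(flap_times, t, profile=DampeningProfile()):
    """Accumulated penalty at minute t from the flaps that happened at or before t."""
    return sum(decay(FLAP_PENALTY, t - f, profile.half_life_min) for f in flap_times if f <= t)


def simulate(flap_times, profile=DampeningProfile()):
    """Return (minute, event) pairs: 'flap', 'suppress' (penalty crossed the Suppress Limit)
    and 'reuse' (penalty fell under the Reuse Limit, or the Maximum Suppress Time ran out)."""
    events, penalty, now, suppressed_since = [], 0.0, 0.0, None
    for t in sorted(flap_times) + [math.inf]:
        if suppressed_since is not None:
            # when the decaying penalty reaches the reuse limit, capped by max suppress time
            reuse_t = now + profile.half_life_min * math.log2(penalty / profile.reuse_limit)
            reuse_t = min(reuse_t, suppressed_since + profile.max_suppress_min)
            if reuse_t <= t:
                events.append((round(reuse_t, 1), "reuse"))
                suppressed_since = None
        if t == math.inf:
            break
        penalty = decay(penalty, t - now, profile.half_life_min) + FLAP_PENALTY
        now = t
        events.append((t, "flap"))
        if suppressed_since is None and penalty > profile.suppress_limit:
            suppressed_since = t
            events.append((t, "suppress"))
    return events
```

With three flaps one minute apart, `simulate([0, 1, 2])` suppresses the route at the third flap (penalty about 2,867) and reuses it at about minute 31, well before the 60-minute cap; twenty flaps in a row hit the cap instead.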
- Create a BGP Redistribution Profile to redistribute static, connected, and OSPF routes (that match the corresponding route map) to BGP.
  - Select Network > Routing > Routing Profiles > BGP.
  - Add a BGP Redistribution Profile by Name (a maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
  - Select the AFI of routes to redistribute: IPv4 or IPv6.
  - Select Static to configure static route redistribution.
    - Enable redistribution of IPv4 or IPv6 static routes (based on the AFI you selected).
    - Configure the Metric to apply to the static routes being redistributed into BGP (range is 1 to 65,535).
    - Select a Route-Map to specify the match criteria that determine which static routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route.
  - Select Connected to configure connected route redistribution.
    - Enable redistribution of locally connected IPv4 or IPv6 routes (based on the AFI you selected).
    - Configure the Metric to apply to the connected routes being redistributed into BGP (range is 1 to 65,535).
    - Select a Route-Map to specify the match criteria that determine which connected routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route.
  - (IPv4 AFI only) Select OSPFv2 to configure OSPFv2 route redistribution.
    - Enable redistribution of OSPFv2 routes.
    - Configure the Metric to apply to the OSPF routes being redistributed into BGP (range is 1 to 65,535).
    - Select a Route-Map to specify the match criteria that determine which OSPF routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route.
  - (IPv4 AFI only) Select RIPv2 to configure RIPv2 route redistribution.
    - Enable redistribution of RIPv2 routes.
    - Configure the Metric to apply to the RIP routes being redistributed into BGP (range is 1 to 65,535).
    - Select a Route-Map to specify the match criteria that determine which RIP routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route.
  - (IPv6 AFI only) Select OSPFv3 to configure OSPFv3 route redistribution.
    - Enable redistribution of OSPFv3 routes.
    - Configure the Metric to apply to the OSPFv3 routes being redistributed into BGP (range is 1 to 65,535).
    - Select a Route-Map to specify the match criteria that determine which OSPFv3 routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route.
  - Click OK.
- Create a BGP Filtering Profile.
  - Select Network > Routing > Routing Profiles > BGP.
  - Add a BGP Filtering Profile by Name (a maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
  - Enter a helpful Description.
  - Select IPv4 or IPv6 Address Family Identifier (AFI) to indicate the type of route to filter.
  - Select Unicast or Multicast Subsequent Address Family Identifier (SAFI).