BGP
Border Gateway Protocol (BGP) is an inter-AS protocol, meaning that it can be deployed within and between autonomous systems (AS). An autonomous system is a set of routers under a single technical administration. An AS uses an interior gateway protocol and common metrics to route packets within an AS; it uses an exterior routing protocol to route packets to other ASes.
|
Note - This implementation supports BGP version 4.
|
GP sends update messages that consist of network number-AS path pairs. The AS path contains the string of ASes through which the specified network can be reached. An AS path has some structure in order to represent the results of aggregating dissimilar routes. These update messages are sent over TCP transport mechanism to ensure reliable delivery. BGP contrasts with IGPs, which build their own reliability on top of a datagram service.
As a path-vector routing protocol, BGP limits the distribution of router reachability information to its peer or neighbor routers.
You can run BGP over a route-based VPN by enabling BGP on a virtual tunnel interface (VTI).
Support for BGP-4
Gaia implements BGP-4 to support multiprotocol extensions, as described in RFCs 2545, 2858, and 3392.
You must use an IPv4 address for the router ID (BGP identifier). After the BGP session is up, prefixes can be advertised and withdrawn by sending normal UPDATE messages that include either or both of the new multiprotocol attributes MP_REACH_NLRI (used to advertise reachability of routes) and MP_UNREACH_NLRI (used to withdraw routes).
The new attributes are backward compatible. If two routers have a BGP session and only one supports the multiprotocol attributes, they can still exchange unicast IPv4 routes.
On each peer you configure IPv4 unicast routes that should be exchanged between peers.
For peering to be established, the routers must share a capability.
BGP Sessions (Internal and External)
BGP supports two basic types of sessions between neighbors: internal (sometimes referred to as IBGP) and external (EBGP). Internal sessions run between routers in the same autonomous systems, while external sessions run between routers in different autonomous systems. When sending routes to an external peer, the local AS number is prepended to the AS path. Routes received from an internal neighbor have, in general, the same AS path that the route had when the originating internal neighbor received the route from an external peer.
BGP sessions might include a single metric (Multi-Exit Discriminator or MED) in the path attributes. Smaller values of the metric are preferred. These values are used to break ties between routes with equal preference from the same neighbor AS.
Internal BGP sessions carry at least one metric in the path attributes that BGP calls the local preference. The size of the metric is identical to the MED. Use of these metrics is dependent on the type of internal protocol processing.
BGP implementations expect external peers to be directly attached to a shared subnet and expect those peers to advertise next hops that are host addresses on that subnet. This constraint is relaxed when the multihop option is enabled in the BGP peer template during configuration.
Type internal groups determine the immediate next hops for routes. They do this by using the next hop received with a route from a peer as a forwarding address, and use this to look up an immediate next hop in IGP routes. Type internal groups support distant peers, but they need to be informed of the IGP whose routes they are using to determine immediate next hops.
Where possible, for internal BGP group types, a single outgoing message is built for all group peers based on the common policy. A copy of the message is sent to every peer in the group, with appropriate adjustments to the next hop field to each peer. This minimizes the computational load of running large numbers of peers in these types of groups.
Preventing Private AS Numbers from Propagating
An ISP can assign private AS numbers (64512 to 65535) to a customer in order to conserve globally unique AS numbers. When an ISP does so, a BGP update from a customer network to the ISP has the private AS number in its AS_PATH attribute. When the ISP propagates its network information to other ISPs, the private AS number would normally be included. To avoid this, you can configure Gaia to remove the private AS number from BGP update messages to external peers.
To configure Gaia to remove private AS numbers from BGP updates, enable the Remove Private AS option on the configuration page for an external peer.
If you enable this option, private AS numbers are removed from BGP updates according to the following rules:
- If the AS_PATH includes both public and private AS numbers, the private AS numbers are not removed.
- If the AS_PATH contains the AS number of the destination peer, private AS numbers are not removed.
- If the AS_PATH includes confederations and all the AS numbers in the AS_PATH are private, all the private AS numbers are removed.
BGP Route Refresh
Gaia supports the ability to dynamically request BGP route updates from peers and to respond to requests for BGP route updates. For example, if you change the inbound routing policy, you can request that a peer readvertise its previously advertised routes so that the routes can be checked against the new policy. This feature is often referred to as a soft reset because it provides the ability to refresh routes received from a peer without tearing down the established session.
To configure BGP route updates in the:
- CLI - Run these commands:
set bgp external remote-as as_number peer ip_address send-route-refresh
set bgp internal peer ip_address send-route-refresh - WebUI - Click the appropriate buttons in the page, in the section .
These options work only with peers that support the same capabilities. Gaia systems can also peer with systems that do not support these options.
BGP Path Attributes
A path attribute is a list of AS numbers that a route has traversed to reach a destination. BGP uses path attributes to provide more information about each route and to help prevent routing loops in an arbitrary topology. You can also use path attributes to determine administrative preferences.
BGP collapses routes with similar path attributes into a single update for advertisement. Routes that are received in a single update are readvertised in a single update. The churn caused by the loss of a neighbor is minimized, and the initial advertisement sent during peer establishment is maximally compressed.
BGP does not read information that the kernel forms message by message. Instead, it fills the input buffer. BGP processes all complete messages in the buffer before reading again. BGP also performs multiple reads to clear all incoming data queued on the socket.
|
Note - This feature might cause a busy peer connection to block other protocols for prolonged intervals.
|
The following table displays the path attributes and their definitions
Path Attribute
|
Definition
|
AS_PATH
|
Identifies the autonomous systems through which routing information carried in an UPDATE message passed. Components of this list can be AS_SETs or AS_SEQUENCES.
|
NEXT_HOP
|
Defines the IP address of the border router that should be used as the next hop to the destinations listed in the UPDATE message.
|
MULTI_EXIT_DISC
|
Discriminates among multiple exit or entry points to the same neighboring autonomous system. Used only on external links.
|
LOCAL_PREF
|
Determines which external route should be taken and is included in all IBGP UPDATE messages. The assigned BGP speaker sends this message to BGP speakers within its own autonomous system but not to neighboring autonomous systems. Higher values of a LOCAL_PREF are preferred.
|
ATOMIC_AGGREGATE
|
Specifies to a BGP speaker that a less specific route was chosen over a more specific route. The BGP speaker attaches the ATOMIC_AGGREGATE attribute to the route when it reproduces it to other BGP speakers. The BGP speaker that receives this route cannot remove the ATOMIC_AGGREGATE attribute or make any Network Layer Reachability Information (NLRI) of the route more specific. This attribute is used only for debugging purposes.
|
All unreachable messages are collected into a single message and are sent before reachable routes during a flash update. For these unreachable announcements, the next hop is set to the local address on the connection, no metric is sent, and the path origin is set to incomplete. On external connections, the AS path in unreachable announcements is set to the local AS. On internal connections, the AS path length is set to zero.
Routing information shared between peers in BGP has two formats: announcements and withdrawals. A route announcement indicates that a router either learned of a new network attachment or made a policy decision to prefer another route to a network destination. Route withdrawals are sent when a router makes a new local decision that a network is no longer reachable.
BGP Multi-Exit Discriminator
Multi-exit Discriminator (MED) values are used to help external neighbors decide which of the available entry points into an AS are preferred. A lower MED value is preferred over a higher MED value and breaks the tie between two or more preferred paths.
|
Note - A BGP session does not accept MEDs from an external peer unless the Accept MED field is set for an external peer.
|
BGP Interactions with IGPs
All transit ASes must be able to carry traffic that originates from locations outside of that AS, is destined to locations outside of that AS, or both. This requires a certain degree of interaction and coordination between BGP and the Interior Gateway Protocol (IGP) that the particular AS uses. In general, traffic that originates outside of a given AS passes through both interior gateways (gateways that support the IGP only) and border gateways (gateways that support both the IGP and BGP). All interior gateways receive information about external routes from one or more of the border gateways of the AS that uses the IGP.
Depending on the mechanism used to propagate BGP information within a given AS, take special care to ensure consistency between BGP and the IGP, since changes in state are likely to propagate at different rates across the AS. A time window might occur between the moment when some border gateway (A) receives new BGP routing information (which was originated from another border gateway (B) within the same AS) and the moment the IGP within this AS can route transit traffic to the border gateway (B). During that time window, either incorrect routing or black holes can occur.
To minimize such routing problems, border gateway (A) should not advertise to any of its external peers a route to some set of exterior destinations associated with a given address prefix using border gateway (B) until all the interior gateways within the AS are ready to route traffic destined to these destinations by using the correct exit border gateway (B). Interior routing should converge on the proper exit gateway before advertising routes that use the exit gateway to external peers.
If all routers in an AS are BGP speakers, no interaction is necessary between BGP and an IGP. In such cases, all routers in the AS already have full knowledge of all BGP routes. The IGP is then only used for routing within the AS, and no BGP routes are imported into the IGP. The user can perform a recursive lookup in the routing table. The first lookup uses a BGP route to establish the exit router, while the second lookup determines the IGP path to the exit router.
Inbound BGP Route Filters
BGP routes can be filtered, or redistributed by AS number or AS path regular expression, or both.
BGP stores rejected routes in the routing table with a negative preference. A negative preference prevents a route from becoming active and prevents it from being installed in the forwarding table or being redistributed to other protocols. This behavior eliminates the need to break and re-establish a session upon reconfiguration if importation policy is changed.
The only attribute that can add or modify when you import from BGP is the local preference. The local preference parameter assigns a BGP local preference to the imported route. The local preference is a 32-bit unsigned value, with larger values preferred. This is the preferred way to bias a routing subsystem preference for BGP routes.
Redistributing Routes to BGP
Redistributing to BGP is controlled by an AS. The same policy is applied to all firewalls in the AS. BGP metrics are 16-bit, unsigned quantities; that is, they range from 0 to 65535 inclusive, with zero being the most attractive. While BGP version 4 supports 32-bit unsigned quantities, routed does not.
|
Note - To define a redistribution policy, use in the WebUI, or routemaps in the CLI.
|
Communities
BGP communities allow you to group a set of IP addresses and apply routing decisions based on the identity of the group or community.
To implement this feature, map a set of communities to certain BGP local preference values. Then you can apply a uniform BGP configuration to the community as a whole as opposed to each router within the community. The routers in the community can capture routes that match their community values.
Use community attributes to can configure your BGP speaker to set, append, or modify the community of a route that controls which routing information is accepted, preferred, or distributed to other neighbors. The following table displays some special community attributes that a BGP speaker can apply.
Community attribute
|
Description
|
NO_EXPORT (0xFFFFFF01)
|
Not advertised outside a BGP confederation boundary. A stand-alone autonomous system that is not part of a confederation should be considered a confederation itself.
|
NO_ADVERTISE (0xFFFFFF02)
|
Not advertised to other BGP peers.
|
NO_EXPORT_SUBCONFED(0xFFFFFF03)
|
Not advertised to external BGP peers. This includes peers in other members’ autonomous systems inside a BGP confederation.
|
For more about communities, see RFCs 1997 and 1998.
Route Reflection
Generally, all border routers in a single AS need to be internal peers of each other; all non-border routers frequently need to be internal peers of all border routers. While this configuration is usually acceptable in small networks, it can lead to unacceptably large internal peer groups in large networks. To help address this problem, BGP supports route reflection for internal and routing peer groups (BGP version 4).
When using route reflection, the rule that specifies that a router cannot readvertise routes from internal peers to other internal peers is relaxed for some routers called route reflectors. A typical use of route reflection might involve a core backbone of fully meshed routers. This means that all the routers in the fully meshed group peer directly with all other routers in the group. Some of these routers act as route reflectors for routers that are not part of the core group.
Two types of route reflection are supported. By default, all routes received by the route reflector that originate from a client are sent to all internal peers (including the client group but not the client). If the no-client reflect option is enabled, routes received from a route reflection client are sent only to internal peers that are not members of the client group. In this case, the client group must be fully meshed. In either case, all routes received from a non-client internal peer are sent to all route reflection clients.
Typically, a single router acts as the reflector for a set, or cluster, of clients; for redundancy, two or more routers can also be configured to be reflectors for the same cluster. In this case, a cluster ID should be selected to identify all reflectors serving the cluster, using the cluster ID keyword.
|
Note - We recommend that you not use multiple redundant reflectors unnecessarily as it increases the memory required to store routes on the peers of redundant reflectors.
|
No special configuration is required on the route reflection clients. From a client perspective, a route reflector is a normal IBGP peer. Any BGP version 4 speaker should be able to be a reflector client.
For further details, refer to the route reflection specification document (RFC 2796 as of this writing).
Confederations
An alternative to route reflection is BGP confederations. As with route reflectors, you can partition BGP speakers into clusters where each cluster is typically a topologically close set of routers. With confederations, this is accomplished by subdividing the autonomous system into multiple, smaller ASes that communicate among themselves. The internal topology is hidden from the outside world, which perceives the confederation to be one large AS.
Each distinct sub-AS within a confederation is referred to as a routing domain (RD). Routing domains are identified by using a routing domain identifier (RDI). The RDI has the same syntax as an AS number, but as it is not visible outside of the confederation, it does not need to be globally unique, although it does need to be unique within the confederation. Many confederations find it convenient to select their RDIs from the reserved AS space (ASes 64512 through 65535 (see RFC 1930). RDIs are used as the ASes in BGP sessions between peers within the confederation.
The confederation as a whole, is referred to by a confederation identifier. This identifier is used as the AS in external BGP sessions. As far as the outside world is concerned, the confederation ID is the AS number of the single, large AS. For this reason, the confederation ID must be a globally unique, normally assigned AS number.
|
Note - Do not nest confederations.
|
For further details, refer to the confederations specification document (RFC 1965).
EBGP Multihop Support
Connections between BGP speakers of different ASes are referred to as EBGP connections. BGP enforces the rule that peer routers for EBGP connections need to be on a directly attached network. If the peer routers are multiple hops away from each other or if multiple links are between them, you can override this restriction by enabling the EBGP multihop feature. TCP connections between EBGP peers are tied to the addresses of the outgoing interfaces. Therefore, a single interface failure severs the session even if a viable path exists between the peers.
EBGP multihop support can provide redundancy so that an EBGP peer session persists even in the event of an interface failure. Using an address assigned to the loopback interface for the EBGP peering session ensures that the TCP connection stays up even if one of the links between them is down, provided the peer loopback address is reachable. In addition, you can use EBGP multihop support to balance the traffic among all links.
|
Important - Enabling multihop BGP connections is dangerous because BGP speakers might establish a BGP connection through a third-party AS. This can violate policy considerations and introduce forwarding loops.
|
Route Dampening
Route dampening lessens the propagation of flapping routes. A flapping route is a route that repeatedly becomes available then unavailable. Without route dampening, autonomous systems continually send advertisement and withdrawal messages each time the flapping route becomes available or unavailable. As the Internet has grown, the number of announcements per second has grown as well and caused performance problems within the routers.
Route dampening enables routers to keep a history of the routes that are flapping and prevent them from consuming significant network bandwidth. This is achieved by measuring how often a given route becomes available and then unavailable. When a set threshold is reached, that route is no longer considered valid, and is no longer propagated for a given period of time, usually about 30 minutes. If a route continues to flap even after the threshold is reached, the time out period for that route grows in proportion to each additional flap. Once the threshold is reached, the route is dampened or suppressed. Suppressed routes are added back into the routing table once the penalty value is decreased and falls below the reuse threshold.
Route dampening can cause connectivity to appear to be lost to the outside world but maintained on your own network because route dampening is only applied to BGP routes. Because of increasing load on the backbone network routers, most NSPs (MCI, Sprint, UUNet etc.) have set up route suppression.
TCP MD5 Authentication
The Internet is vulnerable to attack through its routing protocols and BGP is no exception. External sources can disrupt communications between BGP peers by breaking their TCP connection with spoofed RST packets. Internal sources, such as BGP speakers, can inject bogus routing information from any other legitimate BGP speaker. Bogus information from either external or internal sources can affect routing behavior over a wide area in the Internet.
The TCP MD5 option allows BGP to protect itself against the introduction of spoofed TCP segments into the connection stream. To spoof a connection using MD5 signed sessions, the attacker not only has to guess TCP sequence numbers, but also the password included in the MD5 digest.
Note - TCP MD5 authentication for BGP is not supported on 64-bit Gaia or on a 32/64-bit Gaia VSX cluster.
Configuring BGP - WebUI
This section gives per-field help for the fields in the Advanced Routing > BGP section of the Gaia WebUI.
|
Note - Not all fields are shown in all cases.
|
BGP Global Settings
Parameter
|
Description
|
|
The Router ID uniquely identifies the router in the autonomous system. The router ID is used by the BGP and OSPF protocols. We recommend setting the router ID rather than relying on the default setting. This prevents the router ID from changing if the interface used for the router ID goes down. Use an address on a loopback interface that is not the loopback address (127.0.0.1). In a cluster, you must select a router ID and make sure that it is the same on all cluster members.
- Range: Dotted-quad.([0-255].[0-255].[0-255].[0-255]). Do not use 0.0.0.0
- Default: The interface address of one of the local interfaces.
|
|
The cluster ID used for route reflection. The default cluster ID is the router ID. You must override this default value if the cluster contains more than one route reflector.
Typically, a single router acts as the reflector for a set, or cluster, of clients. However, for redundancy two or more routers can also be configured as reflectors for the same cluster. In this case, you must select a cluster ID to identify all reflectors serving the cluster.
Gratuitous use of multiple redundant reflectors is not advised, for this situation can cause an increase in the memory required to store routes on the redundant reflectors peers.
- Range: Dotted-quad ([0-255].[0-255].[0-255].[0-255])
- Default: Router ID
|
|
The local autonomous system number of the router.
|
Change Local System Identification
Parameter
|
Description
|
|
|
|
|
|
The local autonomous system number of the router. This setting is mutually exclusive from the and . The router can be configured with either the autonomous system number or the member of confederation, not both.
Caution: When you change the autonomous system number, all current peer sessions are reset and all BGP routes are deleted.
- Range: 1-65535
- Default: No default
|
|
|
The identifier for the entire confederation system. This identifier is used as the AS in external BGP sessions. To the outside world, the confederation ID is the AS number of the single, large AS. For this reason, the confederation ID must be a globally unique, normally assigned AS number.
- Range: 1-65535
- Default: No default
|
|
|
For the confederation: The number of times the local autonomous system can appear in an AS path for BGP-learned routes. If the number of times the local autonomous system appears in an AS path is more than the number in this field, the corresponding routes are discarded or rejected.
|
|
|
The routing domain identifier (RDI) of this router. This value is required only if BGP confederations are in use. The RDI does not have to be globally unique since it is never used outside the domain of the confederation system. However, the configured RDI must be unique within the confederation. The routing-domain identifier and autonomous system number are mutually exclusive values; that is, the router can be configured with either the autonomous system number or the member of confederation, not both. If confederations are in use, the RDI is used wherever the autonomous system would be used to communicate with peers within the confederation, including group-type confederation peers and the various internal-type peers. For correct operation of the router in confederations you must configure both the routing-domain identifier and the confederation.
- Range: 1-65535
- Default: No default
|
|
|
For the routing domain identifier: The number of times the local autonomous system can appear in an AS path for BGP-learned routes. If the number of times the local autonomous system appears in an AS path is more than the number in this field, the corresponding routes are discarded or rejected.
|
BGP Miscellaneous Settings
Parameter
|
Description
|
|
|
Defines the metric (MED) used when advertising routes through BGP. If you do not specify a value, no metric is propagated. A metric specified on the neighbor configuration or in the redistribution configuration might override the metric you configure.
|
|
|
A default route is generated when any BGP peer is up. This route has a higher rank than the default configured in the static routing page. If a specific BGP peer should not be considered for generating the default route, you should explicitly suppress the option in the peer-specific configuration.
- Range: Dotted-quad ([0-255].[0-255].[0-255].[0-255]).
- No Default.
|
|
|
Select this option to make internal and configured BGP peers check for a matching route from IGP protocols before installing a given route.
|
|
|
Enables communities-based policy options.
|
|
|
Weighted route dampening minimizes the propagation of flapping routes across an internetwork. A route is considered to be flapping when it is repeatedly transitioning from available to unavailable or vice versa. Only routes learned through BGP are subjected to weighted route dampening.
|
|
|
The value of the instability metric at which a suppressed route becomes unsuppressed if it is reachable but currently suppressed. The value assigned to the reuse-below metric must be less than the suppress-above value.
|
|
|
The value of the instability metric at which a route is suppressed; a route is not installed in the FIB or announced even if it is reachable during the period that it is suppressed.
|
|
|
The upper limit of the instability. The value must be higher than one plus the suppress-above value. The metric assigned to the suppress-above, reuse-below, and max-flap metric values is a floating point number, in units of flaps. Each time a route becomes unreachable, one is added to the current instability metric.
|
|
|
A value that determines the length of time it takes for the instability metric value to reach one half of its current value when the route is reachable. This half-life value determines the rate at which the metric value is decayed. A smaller half-life value makes a suppressed route reusable sooner than a larger value.
|
|
|
The rate at which the instability metric is decayed when a route is unreachable. This value must be equal to or greater than the reach-decay value.
- Range: 1-2700
- Default: 900
|
|
|
The period over which the route flapping history is maintained for a given route. The size of the configuration arrays described below is directly affected by this value.
- Range: 2-5400
- Default: 1800
|
BGP AS Peer Groups
Parameter
|
Description
|
|
|
The autonomous system number of the external peer group. Enter an integer from 1‑65535.
|
|
|
One of
- Unconfigured
- Local Autonomous System Number
- Confederation
|
|
|
A free-text description of the peer group.
|
|
|
Note:
- Use this option only in a lab environment with the firewall turned off.
- Do not use in a cluster configuration.
Select this option to force this router to use VRRP virtual IP address as the local endpoint for TCP connections. Only the VRRP master will establish BGP sessions. To enable this option, the local address must be configured.
|
|
|
The address used on the local end of the TCP connection with the peer. For external peers that do not have multihop enabled, the local address must be on an interface that is shared with the peer or with the peer's gateway when the gateway parameter is used. A session with an external peer is opened only when an interface with a local address through which the peer or gateway address is directly reachable is operating.
For other types of peers, a peer session is maintained when any interface with the specified local address is operating. In either case, incoming connections are recognized as matching a configured peer only if they are addressed to the configured local address.
Note: If running BGP in a cluster you must not configure the local address.
|
|
|
The length of time in seconds that a route must be present in the routing database before it is redistributed to BGP. This value applies to all neighbors configured in this group. The default value is zero, which means that this feature is disabled. This feature dampens route fluctuations.
|
|
|
Configure peers. Each peer inherits as defaults all parameters configured on a group. To change the values of a peer's parameters, select the peer and click .
|
BGP Remote Peers
Parameter
|
Description
|
|
|
|
|
|
A free-text description of the remote peer.
|
Advanced Settings
Multiprotocol Capabilities
Parameter
|
Description
|
|
|
Specifies if IPv4 unicast routes can be sent to and received from this peer.
|
|
|
Specifies if IPv6 unicast routes can be sent to and received from this peer.
|
Local Address
Parameter
|
Description
|
|
|
The address used on the local end of the TCP connection with the peer. For external peers that do not have multihop enabled, the local address must be on an interface that is shared with the peer or with the peer's gateway when the gateway parameter is used. A session with an external peer is opened only when an interface with a local address through which the peer or gateway address is directly reachable is operating.
For other types of peers, a peer session is maintained when any interface with the specified local address is operating. In either case, incoming connections are recognized as matching a configured peer only if they are addressed to the configured local address.
Note: If running BGP in a cluster you must not configure the local address.
Default: None
|
Weight
Parameter
|
Description
|
|
|
The default weight associated with each route accepted from this peer. This value can be overridden by the weight specified in the import policy.
|
MED
Parameter
|
Description
|
|
|
MED should be accepted from this external neighbor. MEDs are always accepted from routing-type and confederation neighbors. If this parameter is not used with an external neighbor, the MED is stripped before the update is added to the routing table. If this parameter is added or deleted and routed is reconfigured, the affected peering sessions are automatically restarted.
|
|
|
The primary metric used on all routes sent to the specified peer. This metric overrides the default metric on any route specified by the redistribute policy.
- Range: 0-4294967294
- Default: 4294967294
|
Next Hop and Time to Live
Parameter
|
Description
|
|
|
Multihop is used to set up EBGP peering connections with peers that are not directly connected. You can also use this option, which relies on an IGP to find the route to the peer, to set up peers to perform EBGP load balancing. You can refine the multihop session by configuring the TTL, that is, the number of hops to the EBGP peer. The TTL has a default value of 64.
|
|
|
You can use the TTL (time to live parameter) to limit the number of hops over which the EBGP multihop session is established. You can configure the TTL only if multihop is enabled.
|
Aggregator
Parameter
|
Description
|
|
|
Select to force this router to specify the router ID in the aggregator attribute as zero, rather than the actual router ID. This option prevents different routers in an AS from creating aggregate routes with different AS paths.
|
ASPATH
Parameter
|
Description
|
|
|
The number of times this router adds to the AS path on EBGP external or CBGP confederation sessions. Use this setting to bias the degree of preference some downstream routers have for the routes originated by this router. Some implementations prefer to select routes with shorter AS paths. This parameter has no effect when used with IBGP peers.
|
Private AS
Parameter
|
Description
|
|
|
Remove private AS numbers from the outgoing updates to this peer. Following conditions apply when this feature is enabled:
- If the AS path includes both public and private AS numbers, private AS numbers will not be removed.
- If the AS path contains the AS number of the destination peer, private AS numbers will not be removed.
- If the AS path contains only confederations and private AS numbers, private AS numbers will be removed.
|
Timers
Parameter
|
Description
|
|
|
An alternative way to specify a value, in seconds, to use when negotiating the connection with this peer. The keepalive interval equals one-third the value of the holdtime. The keepalive interval is often used instead of the holdtime value, but you can specify both values, provided the value for the holdtime is three times the keepalive interval. The value must be 0, that is, no keepalives are sent, or at least 2.
- Range: 0, 2-21845
- Default: 60
|
|
|
The BGP holdtime value, in seconds, to use when negotiating a connection with this peer. According to the specification, if the BGP speaker does not receive a keepalive update or notification message from its peer within the period specified by the holdtime value in the BGP Open message, the BGP connection is closed. The value must be either 0, that is, no keepalives are sent, or at least 6.
- Range: 0, 6-65535
- Default: 180
|
Needed when Peering with Route Server
Parameter
|
Description
|
|
|
Select to force this router to ignore the first AS number in the AS_PATH for routes learned from the corresponding peer. Select this option only if you are peering with a route server in so-called transparent mode, that is, when the route server is configured to redistribute routes from multiple ASes without prepending its own AS number.
|
Keep Alive
Parameter
|
Description
|
|
|
Select to force this router always to send keepalives even when an update can substitute. This setting allows interoperability with routers that do not completely adhere to the protocol specifications on this point.
|
Routes
Parameter
|
Description
|
|
|
Routes received from peer routes are accepted if there is an inbound BGP route policy. If an inbound policy to accept the route does not exist, you can select All or None.
- All - Specifies to accept and install routes with an invalid preference. Depending on the local BGP inbound policy the routes could become active or inactive.
- None - Specifies to delete routes learned from a peer when no explicit local BGP inbound policy exists. This option is used to save memory overhead when many routes are rejected because there is no local policy. These routes can be relearned only by restarting the BGP session.
|
Allows Accept TCP Sessions from Your Peer
Parameter
|
Description
|
|
|
Select to force this router to wait for the peer to issue an open. By default all explicitly configured peers are active and periodically send open messages until the peer responds. Modifying this option will reset the peer connection.
|
Authentication
Parameter
|
Description
|
|
|
The type of authentication scheme to use between given peers. In general peers must agree on the authentication configuration to form peer adjacencies. This feature guarantees that routing information is accepted only from trusted peers. If the Auth type selected is MD5 the field appears. When you enter a password, MD5 authentication is used with the given peer.
Note - TCP MD5 authentication for BGP is not supported on 64-bit Gaia or on a 32/64-bit Gaia VSX cluster.
- Options: None / MD5
- Default: None
|
Limit BGP Updates Send to a Peer
Parameter
|
Description
|
|
|
Throttles the network traffic when there are many BGP peers. Throttle count determines the number of BGP updates sent at a time.
- Range: 0-65535
- Default: No default
|
Route Refresh
Parameter
|
Description
|
|
|
Route refresh is used to either re-learn routes from the BGP peer or to refresh the routing table of the peer without tearing down the BGP session. Both peers must support the BGP route refresh capability and should have advertised this at the time peering was established.
Re-learning of routes previously sent by the peer is accomplished by sending a BGP route refresh message. The peer responds to the message with the current routing table. Similarly, if a peer sends a route refresh request the current routing table is re-sent.
You can also trigger a route update without having to wait for a route refresh request from the peer.
Both peers must support the same address and subsequent address families. For example a request for IPv6 unicast routes from a peer that did not advertise the capability during session establishment will be ignored.
Note: Clicking a button sends a trigger to the routing daemon. It does not change the configuration of the router.
|
Graceful Restart
Parameter
|
Description
|
|
|
Routes received from peer are preserved if the peer goes down till either the session is re-established (OPEN message is received from the peer after it comes back up) or the graceful restart timer expires.
|
|
|
Maximum time for which routes previously received from a restarting router are kept unless they are re-validated. The timer is started after the peer sends indication that it is up again.
- Range: 60 - 65535
- Default: 360
|
Logging
Parameter
|
Description
|
|
|
Select to force this router to log a message whenever a BGP peer enters or leaves the ESTABLISHED state.
|
|
|
Select to force this router to log a message whenever a warning scenario is encountered in the codepath.
|
Trace Options
|
|
Parameter
|
Description
|
The tracing options for BGP. The BGP implementation inherits the default values for global trace options. You can override these values on a group or neighbor basis. Log messages are saved in var/log/routed.log
|
|
|
Trace all message types.
|
|
|
Trace messages related to Route and Normal.
|
|
|
Trace all the BGP keepalive messages to this peer, which are used to verify peer reachability.
|
|
|
Trace normal protocols occurrences. Abnormal protocol occurrences are always traced.
|
|
|
Trace all the BGP open messages to this peer, which are used to establish a peer relationship.
|
|
|
Trace all the BGP packets to this peer.
|
|
|
Trace application of protocol and user-specified policy to routes being imported and exported.
|
|
|
Trace routing table changes for routes installed by this peer.
|
|
|
Trace state machine transitions in the protocol.
|
|
|
Trace system interface and processing associated with this peer.
|
|
|
Trace timer usage by this peer.
|
|
|
Trace all the BGP update messages to this peer, which are used to pass network reachability information.
|
Configuring BGP - CLI (bgp)
External BGP
Use the following commands to configure external sessions of the protocol, that is, between routers in different autonomous systems.
set bgp external remote‑as as_number
<on | off>
aspath‑prepend‑count <1‑25 | default>
description text
local‑address ip_address <on | off>
virtual-address <on | off>
outdelay <0‑65535>
outdelay off
|
Parameter
|
Description
|
as_number <on | off>
|
The autonomous system number of the external peer group. Enter an integer from 1‑65535.
|
aspath‑prepend‑count <1‑25 | default>
|
The number of times this router adds to the autonomous system path on external BGP sessions. Use this option to bias the degree of preference some downstream routers have for the routes originated by this router. Some implementations prefer to select paths with shorter autonomous system paths. Default is 1.
|
description text
|
You can enter a brief text description of the group.
|
local‑address ip_address <on | off>
|
The address used on the local end of the TCP connection with the peer. For external peers that do not have multihop enabled, the local address must be on an interface that is shared with the peer or with the peer's gateway when the gateway parameter is used. A session with an external peer is opened only when an interface with a local address through which the peer or gateway address is directly reachable is operating.
For other types of peers, a peer session is maintained when any interface with the specified local address is operating. In either case, incoming connections are recognized as matching a configured peer only if they are addressed to the configured local address.
Note: If running BGP in a cluster you must not configure the local address.
Default: Off
|
virtual-address <on | off>
|
Note:
- Use this option only in a lab environment with the firewall turned off.
- Do not use in a cluster configuration.
Use the VRRP virtual IP address as the local endpoint for TCP connections, for this router. You must also configure a local address to enable this option. See the command above. You can configure this option only on a VRRP master.
|
outdelay <0‑65535>
|
The amount of time in seconds that a route must be present in the routing database before it is redistributed to BGP. The configured value applies to all peers configured in this group. This feature dampens route fluctuation. The value zero (0) disables this feature.
Default: 0
|
outdelay off
|
Disables outdelay.
|
BGP Peers
Use the following commands to configure BGP peers. Gaia supports IPv4 addresses for BGP peers.
set bgp external remote‑as as_number peer ip_address
<on | off>
med‑out <0—4294967294 | default>
accept‑med <on | off>
multihop <on | off>
no‑aggregator‑id <on | off>
holdtime <6—65535 | default>
keepalive <2—21845 | default>
ignore‑first‑ashop <on | off>
send‑keepalives <on | off>
send-route-refresh [request | route-update] [unicast]
route-refresh <on | off>
accept‑routes <all | none>
passive‑tcp <on | off>
removeprivateas <on | off>
authtype none
authtype md5 secret secret
throttle‑count <0—65535 | off>
ttl <1-255 | default>
suppress‑default‑originate <on | off>
log‑state‑transitions <on | off>
log‑warnings <on | off>
trace bgp_traceoption <on | off>
graceful-restart-helper <on | off>
graceful-restart-helper-stalepath-time seconds
|
Parameter
|
Description
|
ip_address <on | off>
|
Specifies a specific peer <ip_address> for the group.
|
med‑out <0‑4294967294 | default>
|
Specifies the multi‑exit discriminator (MED) metric used as the primary metric on all routes sent to the specified peer address. This metric overrides the default metric on any metric specified by the redistribute policy. External peers use MED values to decide which of the available entry points into an autonomous system is preferred. A lower MED value is preferred over a higher MED value.
Default: 4294967294
|
accept‑med <on | off>
|
Specifies that MED be accepted from the specified peer address. If you do not set this option, the MED is stripped from the advertisement before the update is added to the routing table.
|
multihop <on | off>
|
Enables multihop connections with external BGP peers more than one hop away. By default, external BGP peers are expected to be directly connected. This option can also be used for external load‑balancing.
|
no‑aggregator‑id <on | off>
|
Specifies the router’s aggregate attribute as zero (rather than the router ID value). This option prevents different routers in an AS from creating aggregate routes with different AS paths.
|
holdtime <6‑65535 | default>
|
Specifies the BGP holdtime interval, in seconds, when negotiating a connection with the specified peer. If the BGP speaker does not receive a keepalive update or notification message from its peer within the period specified in the holdtime field of the BGP open message, the BGP connection is closed.
Default: 180 seconds
|
keepalive <2‑21945 |default>
|
The keepalive option is an alternative way to specify a holdtime value in seconds when negotiating a connection with the specified peer. You can use the keepalive interval instead of the holdtime interval. You can also use both intervals, but the holdtime value must be 3 times the keepalive interval value.
Default: 60 seconds
|
ignore‑first‑ashop <on | off>
|
Specifies to ignore the first autonomous system number in the autonomous system path for routes learned from the corresponding peer. Set this option only if you are peering with a route server in transparent mode, that is, when the route server is configured to redistribute routes from multiple other autonomous systems without prepending its own autonomous system number.
|
send‑keepalives <on | off>
|
Specifies for this router always to send keepalive messages even when an update message is sufficient. This option allows interoperability with routers that do not strictly adhere to protocol specifications regarding updates.
|
send-route-refresh [request | route-update] [unicast]
|
Specifies that the router dynamically request BGP route updates from peers or respond to requests for BGP route updates.
|
route-refresh <on | off>
|
Re-learns routes previously sent by the BGP peer or refreshes the routing table of the peer. The peer responds to the message with the current routing table. Similarly, if a peer sends a route refresh request the current routing table is re-sent. A user can also trigger a route update without having to wait for a route refresh request from the peer.
|
accept‑routes <all | none>
|
Specifies an inbound BGP policy route if one is not already configured.
Enter all to specify accepting routes and installing them with an invalid preference. Depending on the local inbound route policy, these routes are then made active or inactive.
Enter none to delete routes learned from a peer. This option saves memory overhead when many routes are rejected because no inbound policy exists.
|
passive‑tcp <on | off>
|
Specifies for the router to wait for the specified peer to issue an open message. No tcp connections are initiated by the router.
|
removeprivateas <on | off>
|
Remove private AS numbers from BGP update messages to external peers.
|
authtype none
|
Specifies not to use an authentication scheme between peers. Using an authentication scheme guarantees that routing information is accepted only from trusted peers.
Default: none
|
authtype md5 secret secret
|
Specifies to use md5 authentication between peers. In general, peers must agree on the authentication configuration to and from peer adjacencies. Using an authentication scheme guarantees that routing information is accepted only from trusted peers.
|
throttle‑count <0‑65535 | off>
|
Specifies number of BGP updates to send at one time. This option limits the number of BGP updates when there are many BGP peers. Off disables the throttle count option.
|
ttl <1-255 | default>
|
Specifies the value of the TTL (time to live) parameter, the number of hops over which the external BGP multihop session is established. Configure this value only if the multihop option is enabled.
Default: 64
|
suppress‑default‑originate <on | off>
|
Specifies NOT to generate a default route when the peer receives a valid update from its peer.
|
log‑state‑transitions <on | off>
|
Specifies for the router to log a message whenever a peer enters or leave the established state.
|
log‑warnings <on | off>
|
Specifies for the router to log a message whenever a warning scenario is encountered in the codepath.
|
trace bgp_traceoption <on | off>
|
Specifies tracing options for your BGP implementation. Log messages are saved in the var/log/routed directory. Enter the following words to set each trace option.
packets — Trace all BGP packets to this peer.
open — Trace all BGP open messages to this peer.
update — Trace all BGP update messages to this peer.
keepalive — Trace all keepalive messages to this peer.
all — Trace all message types.
general — Trace message related to Route and Normal.
route — Trace routing table changes for routes installed by this peer.
normal — Trace normal protocol occurrences. Abnormal protocol occurrences are always traced.
state — Trace state machine transitions in the protocol.
policy — Trace application of the protocol and user‑specified policy to routes being imported and exported.
|
graceful-restart-helper <on | off>
|
Specifies whether the Check Point system should maintain the forwarding state advertised by peer routers even when they restart to minimize the negative effects caused by peer routers restarting.
|
graceful-restart-helper-stalepath-time seconds
|
Specifies the maximum amount of time that routes previously received from a restarting router are kept so that they can be revalidated. The timer is started after the peer sends an indication that it has recovered.
|
BGP Confederations
Use the following commands to configure BGP confederations. You can configure a BGP confederation in conjunction with external BGP.
set bgp
confederation identifier as_number
confederation identifier off
confederation aspath‑loops‑permitted <1‑10>
confederation aspath‑loops‑permitted default
routing‑domain identifier as_number
routing‑domain identifier off
routing‑domain aspath‑loops‑permitted <1‑10>
routing‑domain aspath‑loops‑permitted default
synchronization <on | off>
|
Arguments
Parameter
|
Description
|
confederation identifier as_number
|
Specifies the identifier for the entire confederation. This identifier is used as the autonomous system number in external BGP sessions. Outside the confederation, the confederation id is the autonomous system number of a single, large autonomous system. Thus the confederation id must be a globally unique, typically assigned autonomous system number.
|
confederation identifier off
|
Disables the confederation identifier.
|
confederation aspath‑loops permitted <1‑10>
|
Specifies the number of times the local autonomous system can appear in an autonomous system path for BGP‑learned routes. If this number is higher than the number of times the local autonomous system appears in an autonomous system path, the corresponding routes are discarded or rejected.
|
confederation aspath loops‑permitted default
|
Specifies a value of 1.
|
routing‑domain identifier as_number
|
Specifies the routing domain identifier (RDI) for this router. You must specify the RDI if you are using BGP confederations. The RDI does not need to be globally unique since it is used only within the domain of the confederation.
|
routing‑domain identifier off
|
Disables the routing‑domain identifier
|
routing‑domain aspath‑loops‑permitted <1‑10>
|
Specifies the number of times the local autonomous system can appear in an autonomous system path for BGP‑learned routes. If this number is higher than the number of times the local autonomous system appears in an autonomous system path, the corresponding routes are discarded or rejected.
|
routing‑domain aspath‑loops‑permitted default
|
Specifies a value of 1.
|
synchronization <on | off>
|
Enables IGP synchronization. Set this option On to cause internal and confederation BGP peers to check for a matching route from IGP protocol before installing a BGP learned route.
|
BGP Route Reflection
Use the following commands to configure BGP route reflection. You can configure route reflection as an alternative to BGP confederations. Route reflection supports both internal and external BGP routing groups.
set bgp
cluster‑id ip_address
cluster‑id off
default‑med <0‑65535>
default‑med off
default‑route‑gateway ip_address
default‑route‑gateway off
|
Parameter
|
Description
|
cluster‑id ip_address
|
Specifies the cluster ID used for route reflection. The cluster ID default is that of the router id. Override the default if the cluster has more than one route reflector
|
cluster‑id off
|
Disables the cluster ID.
|
default‑med <0‑65535>
|
Specifies the multi‑exit discriminator (MED) metric used to advertise routes through BGP.
|
default‑med off
|
Disables the specified MED metric.
|
default‑route‑gateway ip_address
|
Specifies the default route. This route has a higher rank than any configured default static route for this router. If you do not want a BGP peer considered for generating the default route, use the peer <ip_address> suppress‑default‑originate on command.
|
default‑route‑gateway off
|
Disables the configured default BGP route.
|
BGP Route Dampening
Use the following commands to configure BGP route dampening. BGP route dampening maintains a history of flapping routes and prevents advertising these routes. A route is considered to be flapping when it is repeatedly transitioning from available to unavailable or vice versa.
set bgp dampening
<on | off>
suppress‑above <2‑32>
suppress‑above default
reuse‑below <1‑32>
reuse‑below default
max-flat <3‑64>
max‑flat default
reachable‑decay <1‑900>
reachable‑decay default
unreachable‑decay <1‑2700>
unreachable‑decay default
keep‑history <2‑5400>
keep‑history default
|
Parameter
|
Description
|
<on | off>
|
Specifies whether to enable or disable BGP route dampening.
|
suppress‑above <2‑32>
|
Specifies the value of the instability metric at which route suppression takes place. A route is not installed in the forwarding table or announced even if it reachable during the period that it is suppressed.
|
suppress‑above default
|
Specifies an instability metric value for suppressing routes of 3.
|
reuse‑below metric <1‑32>
|
Specifies the value of the instability metric at which a suppressed route becomes unsuppressed if it is reachable but currently suppressed. The value assigned to the reuse‑below metric must be lower than the suppress‑above value.
|
reuse‑below metric default
|
Specifies an instability metric value for announcing previously suppressed routes of 2.
|
max‑flap <3‑64>
|
Specifies the upper limit of the instability metric. The value must be greater than the suppress‑above value plus 1. Each time a route becomes unreachable, 1 is added to the current instability metric.
|
max‑flat default
|
Specifies the upper limit of the instability metric as 16.
|
reachable‑decay <1‑900>
|
Specifies the time for the instability metric to reach half of its value when the route is reachable. The smaller the value the sooner a suppressed route becomes reusable.
|
reachable‑decay default
|
Specifies a value of 300.
|
unreachable‑decay <1‑2700>
|
Specifies the time for the instability metric to reach half its value when the route is NOT reachable. The value must be equal to or higher than the reachable‑decay value.
|
unreachable‑decay default
|
Specifies a value of 900
|
keep‑history <2‑5400>
|
Specifies the period for which route flapping history is maintained for a given route.
|
keep‑history default
|
Specifies a value of 1800.
|
Internal BGP
Use the following commands to configure internal BGP sessions, that is, between routers within the same autonomous system.
set bgp internal
<on | off>
description text
med <0‑65535>
med default
outdelay <0‑65535>
outdelay off
nexthop‑self <on | off>
local‑address ip_address <on | off>
virtual-address <on | off>
interface [all | if_name] <on | off>
protocol [all | bgp_internal_protocol] <on | off>
graceful-restart-helper <on | off>
graceful-restart-helper-stalepath-time seconds
route-refresh <on | off>
|
set bgp internal peer ip_address
peer_type <on | off>
weight <0‑65535>
weight off
no‑aggregator id <on | off>
holdtime <6‑65535>
holdtime default
keepalive <2‑21845>
keepalive default
ignore‑first‑ashop <on | off>
send‑keepalives <on | off>
send-route-refresh [request | route-update] [unicast]
accept‑routes all
accept‑routes none
passive‑tcp <on | off>
authtype none
authtype md5 secret secret
throttle‑count <0‑65535>
throttle count off
log‑state‑transitions <on | off>
log‑warnings <on | off>
trace bgp_traceoption <on | off>
|
Parameter
|
Description
|
<on | off>
|
Specifies whether to enable or disable an internal BGP group.
|
description text
|
You can enter a brief text description of the group.
|
med <0‑65535>
|
|
med default
|
|
outdelay <0‑65535>
|
Specifies the amount of time in seconds that a route must be present in the routing database before it is redistributed to BGP. The configured value applies to all peers configured in this group. This feature dampens route fluctuation. Zero (0), which means that this feature is disabled.
Default: 0
|
outdelay off
|
Disables outdelay.
|
nexthop‑self <on | off>
|
Specifies for this router to send one of its own IP addresses as the BGP next hop.
Default: off
|
local‑address ip_address <on | off>
|
The address used on the local end of the TCP connection with the peer. For external peers that do not have multihop enabled, the local address must be on an interface that is shared with the peer or with the peer's gateway when the gateway parameter is used. A session with an external peer is opened only when an interface with a local address through which the peer or gateway address is directly reachable is operating.
For other types of peers, a peer session is maintained when any interface with the specified local address is operating. In either case, incoming connections are recognized as matching a configured peer only if they are addressed to the configured local address.
Note: If running BGP in a cluster you must not configure the local address.
Default: Off
|
virtual-address <on | off>
|
Note:
- Use this option only in a lab environment with the firewall turned off.
- Do not use in a cluster configuration.
Specifies for this router to use the VRRP virtual IP address as the local endpoint for TCP connections. You must also configure a local address to enable this option. See the command above. You can configure this option only on a VRRP master.
Default: off.
|
interface [all | if_name] <on | off>
|
Specifies whether to enable the specified internal peer group on all interfaces or a specific interface.
|
protocol [all bgp_internal_protocol] <on | off>
|
Specifies whether to enable all internal routing protocols on the specified internal peer group or specific internal protocols. You can enter the following specific internal protocols: direct, rip, static, ospf, and ospfase.
|
peer ip_address peer_type <on | off>
|
Specifies an internal peer address and peer type. Enter reflector‑client to specify that the local router acts as a route reflector for the group of peers named. That is, the local router is the route reflection server, and the named peers are route reflection clients. Normally, the routing daemon readvertises, or reflects, routes it receives from one of its clients to all other IBGP peers, including the other peers in that client's group.
Enter no‑client‑reflector to specify that a reflection client's routes are reflected only to internal BGP peers in other groups. Clients in the group are assumed to be direct IBGP peers of each other.
Enter none if you do not want to specify route reflection.
|
peer_ip_address weight <0‑65535>
|
Specifies the weight associated with the specified peer. BGP implicitly stores any rejected routes by not mentioning them in a route filter. BGP explicitly mentions them within the routing table by using a restrict keyword with a negative weight. A negative weight prevents a route from becoming active, which prevents it from being installed in the forwarding table or exported to other protocols. This eliminates the need to break and reestablish a session upon reconfiguration if import route policy is changed.
|
peer ip_address weight off
|
Disables the weight associated with the specified peer.
|
peer ip_address aggregator id <on | off>
|
Specifies the router’s aggregate attribute as zero (rather than the router ID value). This option prevents different routers in an AS from creating aggregate routes with different AS paths
Default: off
|
peer ip_address holdtime <6‑65535>
|
Specifies the BGP holdtime interval, in seconds, when negotiating a connection with the specified peer. If the BGP speaker does not receive a keepalive update or notification message from its peer within the period specified in the holdtime field of the BGP open message, the BGP connection is closed.
|
peer ip_address holdtime default
|
Specifies a holdtime of 180 seconds.
|
peer ip_address keepalive <2‑21845>
|
The keepalive option is an alternative way to specify a holdtime value in seconds when negotiating a connection with the specified peer. You can use the keepalive interval instead of the holdtime interval. You can also use both interval, but the holdtime value must be 3 times the keepalive interval value.
|
peer ip_address_keepalive default
|
Specifies a keepalive interval of 60 seconds.
|
peer ip_address ignore‑first‑ashop <on | off>
|
Specifies to ignore the first autonomous system number in the autonomous system path for routes learned from the corresponding peer. Set this option only if you are peering with a route server in transparent mode, that is, when the route server is configured to redistribute routes from multiple other autonomous systems without prepending its own autonomous system number.
|
peer ip_address send‑keepalives <on | off>
|
Specifies for this router always to send keepalive messages even when an update message is sufficient. This option allows interoperability with routers that do not strictly adhere to protocol specifications regarding update.
|
send-route-refresh [request | route-update] [unicast]
|
Specifies that the router dynamically request BGP route updates from peers or respond to requests for BGP route updates.
|
peer ip_address accept‑routes all
|
Specifies an inbound BGP policy route if one is not already configured. Enter all to specify accepting routes and installing them with an invalid preference. Depending on the local inbound route policy, these routes are then made active or inactive.
|
peer ip_address accept‑routes none
|
Specifies an inbound BGP policy route if one is not already configured. Enter none to specify deleting routes learned from a peer. This option saves memory overhead when many routes are rejected because no inbound policy exists.
|
peer ip_address passive‑tcp <on | off>
|
Specifies for the router to wait for the specified peer to issue an open message. No tcp connections are initiated by the router.
Default: off
|
peer ip_address authtype none
|
Specifies not to use an authentication scheme between peers. Using an authentication scheme guarantees that routing information is accepted only from trusted peers.
|
peer ip_address authtype md5 secret secret
|
Specifies to use md5 authentication between peers. In general, peers must agree on the authentication configuration to and from peer adjacencies. Using an authentication scheme guarantees that routing information is accepted only from trusted peers.
Note - TCP MD5 authentication for BGP is not supported on 64-bit Gaia or on a 32/64-bit Gaia VSX cluster.
|
peer ip_address throttle‑count <0‑65535>
|
Specifies the number of BGP updates to send at one time. The throttle count option limits the number of BGP updates when there are many BGP peers.
|
peer ip_address throttle count off
|
Disables the throttle count option.
|
peer ip_address log‑state‑transitions <on | off>
|
Specifies for the router to log a message whenever a peer enters or leave the established state.
|
peer ip_address log‑warnings <on | off>
|
Specifies for the router to log a message whenever a warning scenario is encountered in the codepath.
|
peer ip_address trace bgp_traceoption <on | off>
|
Specifies tracing options for your BGP implementation. Log messages are saved in the var/log/routed directory. Enter the following words to set each trace option. Enter packets to trace all BGP packets to this peer. Enter open to trace all the BGP open messages to this peer. Enter update to trace all the BGP update messages to this peer. Enter keepalive to trace all the keepalive messages to this peer. Enter all to trace all the message types. Enter general to trace message related to Route and Normal. Enter route to trace routing table changes for routes installed by this peer. Enter normal to trace normal protocol occurrences. Abnormal protocol occurrences are always traced. Enter state to trace state machine transitions in the protocol. Enter policy to trace application of the protocol and user‑specified policy to routes being imported and exported.
|
graceful-restart-helper <on | off>
|
Specifies whether the Check Point system should maintain the forwarding state advertised by peer routers even when they restart to minimize the negative effects caused by peer routers restarting.
|
graceful-restart-helper-stalepath-time seconds
|
Specifies the maximum amount of time that routes previously received from a restarting router are kept so that they can be revalidated. The timer is started after the peer sends an indication that it has recovered.
|
route-refresh <on | off>
|
Re-learns routes previously sent by the BGP peer or refreshes the routing table of the peer. The peer responds to the message with the current routing table. Similarly, if a peer sends a route refresh request the current routing table is re-sent. A user can also trigger a route update without having to wait for a route refresh request from the peer.
|
BGP Communities
Use the following command to configure BGP communities. A BGP community is a group of destinations that share the same property. However, a community is not restricted to one network or autonomous system. Use communities to simplify the BGP inbound and route redistribution policies. Use the BGP communities commands together with inbound policy and route redistribution.
set bgp communities <on | off>
|
Parameter
|
Description
|
<on | off>
|
Enable or disable BGP policy options based on communities.
|
BGP Show Commands
Use the following commands to monitor and troubleshoot your BGP implementation.
show bgp
show bgp
groups
memory
errors
paths
stats
peers
peers detailed
peer ip_address detailed
peers established
peer ip_address advertise
peer ip_address received
summary
|
|
|
