Step 1 | On the Device Management page, click Routing. |
Step 2 | (For a virtual-router-aware device) From the virtual routers drop-down, choose the virtual router for which you are configuring BGP. |
Step 3 | Choose IPv4 or IPv6. |
Step 4 | Click Neighbor. |
Step 5 | Click Add to define BGP neighbors and neighbor settings. |
Step 6 | Enter the BGP neighbor IP address. This IP address is added to the BGP neighbor table. When you are configuring BGP IPv6 on static VTI, enter the virtual tunnel IP address of the neighbor. |
Step 7 | Choose the BGP neighbor Interface.
Note: The Interface field is only applicable to IPv6 settings. |
Step 8 | Enter the autonomous system to which the BGP neighbor belongs in the Remote AS field. |
Step 9 | Check the Enabled address check box to enable communication with this BGP neighbor. Further neighbor settings will be configured only if the Enabled address check box is selected. |
Step 10 | (Optional) Check the Shutdown administratively check box to disable a neighbor or peer group. |
Step 11 | (Optional) Check the Configure graceful restart (failover / spanned mode) check box to enable configuration of the BGP graceful restart capability for this neighbor. After selecting this option, you must check the Enable graceful restart check box to specify whether graceful restart should be enabled or disabled for this neighbor.
Note:
- Graceful restart is enabled only when the device is in HA mode or when an L2 cluster (all nodes on the same network) is configured.
- The graceful restart option for BGPv6 is enabled only on threat defense Version 7.3+.
- If you configure graceful restart only in General Settings and not in BGP IPv6, the global General Settings configuration persists.
- If you configure graceful restart in General Settings and also in BGP IPv6, the global General Settings configuration is overridden by the BGP IPv6 configuration settings. |
Step 12 | (Optional) To enable configuration of the BFD support for BGP, from the BFD Fallover drop-down list, choose the BFD type—single-hop, multi-hop, or auto-detect-hop. This selection registers the BGP neighbor to receive forwarding path detection failure messages from BFD. Choose None if you do not want to have BFD support. |
Step 13 | (Optional) Enter a Description for the BGP neighbor. |
Step 14 | (Optional) From the Update Source drop-down list, choose an interface to source the BGP packets. You can choose a loopback address as this interface to overcome path failures. You can also choose any physical, port-channel, or sub-interface. |
Step 15 | (Optional) In Filtering Routes, use access lists, route maps, prefix lists and AS path filters as required to distribute BGP neighbor information. Update the following sections:
- Choose or select the appropriate incoming or outgoing Access List to distribute BGP neighbor information.
Note: Access lists are only applicable to IPv4 settings.
- Choose or select the appropriate incoming or outgoing Route Maps to apply a route map to incoming or outgoing routes.
- Choose or select the appropriate incoming or outgoing Prefix List to distribute BGP neighbor information.
- Choose or select the appropriate incoming or outgoing AS path filter to distribute BGP neighbor information.
- Check the Limit the number of prefixes allowed from the neighbor check box to control the number of prefixes that can be received from a neighbor.
- Enter the maximum number of prefixes allowed from a specific neighbor in the Maximum Prefixes field.
- Enter the percentage (of maximum) at which the router starts to generate a warning message in the Threshold Level field. Valid values are integers between 1 and 100. The default value is 75.
- Check the Control prefixes received from the peer check box to specify additional controls for the prefixes received from a peer. Do one of the following:
  - Check the Terminate peering when prefix limit is exceeded check box to stop the BGP neighbor when the prefix limit is reached. Specify the interval after which the BGP neighbor will restart in the Restart interval field.
  - Check the Give only warning message when prefix limit is exceeded check box to generate a log message when the maximum prefix limit is exceeded. In this case the BGP neighbor is not terminated.
- Click OK. |
Step 16 | (Optional) In Routes, specify miscellaneous neighbor route parameters. Proceed to update the following:
- Enter the minimum interval (in seconds) between the sending of BGP routing updates in the Advertisement Interval field. Valid values are between 1 and 600.
- Check the Remove private AS numbers from outbound routing updates check box to exclude the private AS numbers from being advertised on outbound routes.
- Check the Generate default routes check box to allow the local router to send the default route 0.0.0.0 to a neighbor to use as a default route. Enter or select the route map that allows the route 0.0.0.0 to be injected conditionally in the Route map field.
- To add conditionally advertised routes, click Add Row +. In the Add Advertised Route dialog box, do the following:
  - Add or choose a route map in the Advertise Map field that will be advertised if the conditions of the exist map or the non-exist map are met.
  - Click Exist Map and choose a route map from the Route Map Object Selector. This route map is compared with the routes in the BGP table to determine whether the advertise map route is advertised.
  - Click Non-Exist Map and choose a route map from the Route Map Object Selector. This route map is compared with the routes in the BGP table to determine whether the advertise map route is advertised.
- Click OK. |
Step 17 | In Timers, check the Set timers for the BGP peer check box to set the keepalive frequency, hold time and minimum hold time:
- Keep alive interval—Enter the frequency (in seconds) with which threat defense sends keepalive messages to the neighbor. Valid values are between 0 and 65535. The default value is 60 seconds.
- Hold time—Enter the interval (in seconds) after not receiving a keepalive message that threat defense declares a peer dead. Valid values are between 0 and 65535. The default value is 180 seconds.
- Min hold time—(Optional) Enter the minimum interval (in seconds) after not receiving a keepalive message that threat defense declares a peer dead. Valid values are between 3 and 65535. The default value is 3 seconds.
Note: A hold time of less than 20 seconds increases the possibility of peer flapping. |
Step 18 | In Advanced, update the following:
- (Optional) Check the Enable Authentication check box to enable MD5 authentication on a TCP connection between two BGP peers.
- Choose an encryption type from the Enable Encryption drop-down list.
- Enter a password in the Password field. Reenter the password in the Confirm Password field. The password is case-sensitive and can be up to 25 characters long when the service password-encryption command is enabled and up to 81 characters long when the service password-encryption command is not enabled. The string can contain any alphanumeric characters, including spaces.
Note: You cannot specify a password in the format number-space-anything. The space after the number can cause authentication to fail.
- (Optional) Select the Send Community attribute to this neighbor check box to specify that community attributes should be sent to the BGP neighbor.
- (Optional) Select the Use FTD as next hop for this neighbor check box to configure the router as the next hop for a BGP-speaking neighbor or peer group.
- Select the Disable Connection Verification check box to disable the connection verification process for eBGP peering sessions that are reachable by a single hop but are configured on a loopback interface or otherwise configured with a non-directly connected IP address. When deselected (default), the BGP routing process verifies the connection of a single-hop eBGP peering session (TTL=254) to determine whether the eBGP peer is directly connected to the same network segment. If the peer is not directly connected to the same network segment, connection verification prevents the peering session from being established.
- Select Allow connections with neighbor that is not directly connected to accept and attempt BGP connections to external peers residing on networks that are not directly connected. (Optional) Enter the time-to-live in the TTL hops field. Valid values are between 1 and 255. Alternately, select Limited number of TTL hops to neighbor to secure a BGP peering session. Enter the maximum number of hops that separate eBGP peers in the TTL hops field. Valid values are between 1 and 254.
- (Optional) Select the Use TCP MTU path discovery check box to enable a TCP transport session for a BGP session.
- Choose the TCP connection mode from the TCP Transport Mode drop-down list. Options are Default, Active, or Passive.
- (Optional) Enter a Weight for the BGP neighbor connection.
- Select the BGP Version that threat defense will accept from the drop-down list. The version can be set to 4-Only to force the software to use only Version 4 with the specified neighbor. The default is to use Version 4 and dynamically negotiate down to Version 2 if requested. |
Step 19 | Update Migration only if AS migration is being considered.
Note: The AS migration customization should be removed after the transition has been completed.
- (Optional) Check the Customize the AS number for routes received from the neighbor check box to customize the AS_PATH attribute for routes received from an eBGP neighbor.
- Enter the local autonomous system number in the Local AS number field. Valid values are any valid autonomous system number from 1 to 4294967295 or 1.0 to 65535.65535.
- (Optional) Check the Do not prepend local AS number to routes received from neighbor check box to prevent the local AS number from being prepended to any routes received from the eBGP peer.
- (Optional) Check the Replace real AS number with local AS number in routes received from neighbor check box to replace the real autonomous system number with the local autonomous system number in the eBGP updates. The autonomous system number from the local BGP routing process is not prepended.
- (Optional) Check the Accept either real AS number or local AS number in routes received from neighbor check box to configure the eBGP neighbor to establish a peering session using either the real autonomous system number (from the local BGP routing process) or the local autonomous system number. |
Step 20 | Click OK. |
Step 21 | Click Save. |