BGP Commands (FRR)
In Fireware v12.9 or higher, Fireware uses the Free Range Routing (FRR) routing engine, which replaces Quagga. If your configuration includes Quagga commands for dynamic routing, those commands work after you upgrade. Some FRR commands appear in a different section than in Quagga.
For BGP code samples, see Sample BGP Routing Configuration File (FRR).
To configure BGP, see Configure IPv4 and IPv6 Routing with BGP.
Fireware v12.8.x or lower uses the Quagga routing software suite. For a list of example Quagga commands, see BGP Commands (Quagga).
Example BGP Commands (FRR in Fireware v12.9 or Higher)
This list includes example FRR commands that you might include in your BGP configuration. For a complete list of FRR commands, see the FRRouting User Guide.
The sections must appear in the configuration file in the same order they appear in this table. Do not use BGP configuration parameters that you do not get from your ISP.
|Configure BGP Routing Daemon|
|router bgp [ASN]||Enable BGP daemon and set autonomous system number (ASN); this is supplied by your ISP.|
|bgp router-id [A.B.C.D]||Configure the router ID.|
|ipv6 bgp network [A:B:C:D:E:F:G:H/M]||Announce BGP on network.|
|ipv6 bgp aggregate-prefix [A:B:C:D:E:F:G:H/M]||Configure BGP aggregate entries.|
|timers bgp [keepalive] [holdtime]||Set the BGP keepalive time and the hold down time, in seconds. The default keepalive time is 60 seconds, and the default holdtime is 180 seconds. As a general rule, the holdtime should be three times the keepalive time.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] remote-as [ASN]||Set neighbor as a member of remote ASN.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] timers connect [time]||Set the BGP connection timer, in seconds.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] bfd||Enable Bidirectional Forwarding Detection (BFD) to detect faults between two routers or switches connected by a link (see Bidirectional Forwarding).|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] port 189||Set custom TCP port to communicate with BGP neighbor [A.B.C.D].|
|neighbor [A.B.C.D] password [password]||Set the password for MD5 authentication.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] ebgp-multihop||Set neighbor on another network using EBGP multi-hop.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] update-source [WORD]||Set the BGP session to use a specific interface for TCP connections.|
|Set Address Family Properties|
|network [A.B.C.D/M]||Announce the network through BGP. A.B.C.D/M identifies the subnet to advertise.|
|no network [A.B.C.D/M]||Disable BGP announcements on network A.B.C.D/M.|
|bgp network import-check||Enabled by default for new BGP configurations configured in Fireware v12.9 or higher. When this setting is enabled, routes created by the network command must be validated before those routes can be advertised to neighbors. If you add a new BGP configuration in Fireware v12.9 or higher, we recommend that you manually disable this setting so BGP peers can learn Firebox routes. To disable this setting, use the command no bgp network import-check.|
|no bgp network import-check||If your Firebox includes an existing BGP configuration, and you upgrade from Fireware v12.8.x or lower to Fireware v12.9 or higher, the configuration conversion automatically adds the command no bgp network import-check.|
|redistribute static||Redistribute static routes to BGP.|
|redistribute ripng||Redistribute RIPng routes to BGP.|
|redistribute ospf6||Redistribute OSPFv3 routes to BGP.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] default-originate||Announce default route to BGP neighbor [A.B.C.D]. In Fireware v12.5.6 or higher, if the BGP configuration on your Firebox includes this command, and if Link Monitor detects a link failure for all WAN connections, BGP does not announce the default route to neighbors.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] weight 1000||Set a default weight for neighbor's [A.B.C.D] routes.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] distribute-list [LISTNAME] [in|out]||Set distribute list and direction for peer.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] route-map [MAPNAME] [in|out]||To apply a route map to incoming or outgoing routes.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] filter-list [LISTNAME] [in|out]||To match an autonomous system path access list to incoming routes or outgoing routes.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] maximum-prefix [NUMBER]||Set maximum number of prefixes allowed from this neighbor.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] send-community||Set peer send-community.|
|neighbor [A.B.C.D|A:B:C:D:E:F:G:H] prefix-list [LISTNAME] [in|out]||To apply a prefix list to be matched to incoming advertisements or outgoing advertisements to that neighbor.|
|Set IPv6 Address Family command mode|
Enter the IPv6 address family command mode.
|neighbor [A:B:C:D:E:F:G:H] activate||The neighbor activate command must be used in the address-family ipv6 mode.|
This network statement here can replace the “ipv6 bgp network [A:B:C:D:E:F:G:H/M]” command. This works only within the address-family ipv6 mode.
|exit-address-family||Exit the IPv6 address family command mode.|
|bgp community-list [<1-99>|<100-199>] permit AA:NN||Specify community to accept autonomous system number and network number separated by a colon.|
|bgp cluster-id A.B.C.D||To configure the cluster ID if the BGP cluster has more than one route reflector.|
|neighbor [W.X.Y.Z|A:B:C:D:E:F:G:H] route-reflector-client||To configure the router as a BGP route reflector and configure the specified neighbor as its client.|
|Access Lists and IP Prefix Lists|
|ip prefix-list [PRELIST] permit A.B.C.D/M||Set IPv4 prefix list.|
|ipv6 prefix-list [PRELIST] [deny|permit] [A:B:C:D:E:F:G:H/M|Any]||Set IPv6 prefix list.|
|access-list NAME [deny|permit] A.B.C.D/M||Set IPv4 access list.|
|ipv6 access-list [NAME] [deny|permit] [A:B:C:D:E:F:G:H/M|Any]||Set IPv6 access list.|
|route-map [MAPNAME] [deny|permit] [N]||In conjunction with the "match" and "set" commands, this defines the conditions and actions for redistributing routes.|
|match ip address prefix-list [LISTNAME]||Match the specified prefix list.|
|set community [A:B]||Set the BGP community attribute.|
|match community [N]||Match the specified community list.|
|set local-preference [N]||Set the preference value for the autonomous system path.|
|Resource Public Key Infrastructure (RPKI)|
Enable the Resource Public Key Infrastructure (RPKI) configuration mode.
RPKI is a component of Route Origin Authorization (ROA). ROA verifies whether the origin autonomous system number (AS) of an IP prefix can legitimately announce that IP prefix. RPKI defines how cache servers and routers exchange AS information. BGP routers connect to RPKI cache servers to receive validated prefix-to-origin AS mappings.
For information about how to configure an RPKI cache server, see Configure RPKI Cache Servers in the FRR documentation.
To configure a route map to prefer valid routes over invalid prefixes, see Validating BGP Updates in the FRR documentation.
To see an RPKI configuration example for BGP, see RPKI Configuration Example in the FRR documentation.
For more information about RPKI, see the ARIN documentation.
|rpki polling_period (1–3600)||Set the number of seconds the router waits until the router requests updated data from the cache server. The default value is 300 seconds.|
|rpki cache (A.B.C.D|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] [source A.B.C.D] PREFERENCE||Specify the connection information for an RPKI cache server.|
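
One way to check a BGP configuration for the per-neighbor protections listed in this table (password, maximum-prefix, and an inbound prefix-list, route-map, filter-list or distribute-list) and for the keepalive/holdtime rule. This is an added example, not WatchGuard or FRR code; the policy of requiring all three protections on every neighbor is an assumption, and the sample configuration is constructed with documentation addresses and private ASNs.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from a real Firebox).
SAMPLE_CONFIG = """\
router bgp 64512
 bgp router-id 192.0.2.1
 timers bgp 30 60
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 password example-secret
 neighbor 198.51.100.1 maximum-prefix 1000
 neighbor 198.51.100.1 prefix-list ISP-IN in
 neighbor 203.0.113.9 remote-as 64497
 neighbor 203.0.113.9 prefix-list ISP-OUT out
ip prefix-list ISP-IN permit 0.0.0.0/0
ip prefix-list ISP-OUT permit 192.0.2.0/24
"""

NEIGHBOR = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
TIMERS = re.compile(r"^\s*timers\s+bgp\s+(\d+)\s+(\d+)\s*$")
INBOUND_FILTERS = {"prefix-list", "route-map", "filter-list", "distribute-list"}

def audit_bgp_config(text):
    """Return a sorted list of (subject, finding) tuples for a BGP config."""
    seen = defaultdict(set)      # neighbor address -> protections found
    findings = []
    for line in text.splitlines():
        if line.lstrip().startswith("no "):
            continue             # negated commands configure nothing
        t = TIMERS.match(line)
        if t:
            keepalive, holdtime = int(t.group(1)), int(t.group(2))
            if holdtime != 3 * keepalive:
                findings.append(("timers", f"holdtime {holdtime} is not 3 x keepalive {keepalive}"))
            continue
        n = NEIGHBOR.match(line)
        if not n:
            continue
        peer, keyword, rest = n.group(1), n.group(2), (n.group(3) or "").split()
        seen[peer]               # register the peer even if nothing protects it
        if keyword in ("password", "maximum-prefix"):
            seen[peer].add(keyword)
        elif keyword in INBOUND_FILTERS and rest[-1:] == ["in"]:
            seen[peer].add("inbound-filter")
    for peer, have in seen.items():
        for need in ("password", "maximum-prefix", "inbound-filter"):
            if need not in have:
                findings.append((peer, f"missing {need}"))
    return sorted(findings)
```

In the sample, neighbor 203.0.113.9 has only an outbound prefix list, so it is reported for all three missing protections, and the timers line is reported because 60 is not three times 30.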