Configure IPv4 and IPv6 Routing with BGP

This topic explains how to configure BGP on your Firebox.

Before You Begin

Before you configure BGP, make sure you understand the following BGP requirements and options.

To participate in BGP with an ISP you must have a public autonomous system (AS) number. For internal BGP between private networks you must use a private AS number. For more information, see About Border Gateway Protocol (BGP). You can configure BGP to do dynamic routing for both IPv4 and IPv6 networks.

If you enable BGP for a FireCluster, you must set the router-id in the BGP configuration to the IP address of the Firebox interface that connects to the router. This is to make sure that the routing protocol does not try to use the FireCluster management IP address as the router-id. Do not use the FireCluster management IP address or cluster IP address as the router-id. To set the router-id, use the command bgp router-id <ip-address> in your BGP configuration, where ip-address is the IP address of the Firebox interface that connects to the router.

If your Firebox has multi-WAN enabled, you can configure a loopback interface, and use the IP address of the loopback interface instead of the IP address of the physical interfaces in the dynamic routing configuration. For more information, see Configure a Loopback Interface.

Free Range Routing (Fireware v12.9 or Higher)

In Fireware v12.9 or higher, Fireware uses the Free Range Routing (FRR) routing engine, which replaces Quagga. If your configuration includes Quagga commands for dynamic routing, those commands work after you upgrade. Some FRR commands appear in a different section than in Quagga.

In Fireware v12.9 or higher:

  • The network and redistribute BGP commands are under the address-family section. If your Firebox includes an existing BGP configuration, and you upgrade from Fireware v12.8.x or lower to Fireware v12.9 or higher, the configuration conversion automatically converts your existing Quagga commands. If you add new network and redistribute commands after you upgrade to Fireware v12.9, make sure to add those under the address-family section. For a code sample, see Sample BGP Routing Configuration File (FRR).
  • You can use a simplified implementation of bidirectional forwarding (BFD). You must configure a BGP policy for BFD traffic and enable BFD in the OSPF or BGP configuration on your Firebox. For information about how to implement BFD, see Bidirectional Forwarding.
  • The Firebox cannot learn or announce routes unless you add inbound or outbound BGP filtering policies for the eBGP session. If you prefer not to add BGP policies, you can enter the no bgp ebgp-requires-policy command, which removes the policy requirement. When you upgrade to Fireware v12.9, if you have an existing BGP configuration, the Firebox adds the no bgp ebgp-requires-policy command automatically. If you add a new BGP configuration after you upgrade to Fireware v12.9, you must manually enter the no bgp ebgp-requires-policy command to remove the policy requirement. If you do not enter this command, and you also do not configure BGP filterimng policies, the Firebox cannot learn routes from the BGP peer or announce routes to the BGP peer.
  • The bgp network import-check is enabled by default for new BGP configurations configured in Fireware v12.9 or higher. When this setting is enabled, routes created by the network command must be validated before those routes can be advertised to neighbors. If you add a new BGP configuration in Fireware v12.9 or higher, we recommend that you manually disable this setting so BGP peers can learn Firebox routes. To disable this setting, use the command no bgp network import-check. If your Firebox includes an existing BGP configuration, and you upgrade from Fireware v12.8.x or lower to Fireware v12.9 or higher, the configuration conversion automatically disables bgp network import-check.
  • You can use rpki commands for Resource Public Key Infrastructure (RPKI) configuration mode. RPKI is a component of Route Origin Authorization (ROA). ROA verifies whether the origin autonomous system number (AS) of an IP prefix can legitimately announce that IP prefix. BGP routers connect to RPKI cache servers to receive validated prefix-to-origin AS mappings. For more information, see RPKI Configuration Example in the FRR documentation.

For a routing configuration file sample, see Sample BGP Routing Configuration File (FRR).

For a list of commands, see BGP Commands (FRR).

Quagga (Fireware v12.8.x or Lower)

Quagga is the routing daemon in Fireware v12.8.x or lower.

For a sample routing configuration file, see Sample BGP Routing Configuration File (Quagga).

For a list of commands, see BGP Commands (Quagga).

Configure BGP

When you enable BGP, the Firebox automatically creates a dynamic routing policy called DR-BGP-Allow. By default, the DR-BGP-Allow policy allows traffic from the alias Any to the Firebox. As a best practice, we recommend that you edit this policy to add authentication and restrict the policy to listen on only the correct interfaces.

After you configure the Firebox and the BGP router, you can look at the routes table to verify that the Firebox has received route updates from the BGP router.

To see the dynamic routes, from Firebox System Manager select the Status Report tab.

To see the dynamic routes, from Fireware Web UI select System Status > Routes.

Related Topics

About Border Gateway Protocol (BGP)