Sample BGP Routing Configuration File (FRR)

Applies To: Locally-managed Fireboxes

To use the Border Gateway Protocol (BGP) dynamic routing protocol with Fireware, you must type BGP configuration commands or import a configuration file on the Network > Dynamic Routing page. This topic includes a sample configuration file. To use this configuration file as a starting point for your BGP configuration, copy the text into a text editor application and edit the parameters to meet your business requirements.

In Fireware v12.9 or higher, Fireware uses the Free Range Routing (FRR) routing engine, which replaces Quagga. If your configuration includes Quagga commands for dynamic routing, those commands work after you upgrade. Some FRR commands appear in a different section than in Quagga.

For information about BGP requirements and how to configure BGP, go to Configure IPv4 and IPv6 Routing with BGP.

In Fireware v12.8.x or lower, Fireware uses the Quagga routing engine. For a sample routing configuration file for Fireware v12.8.x or lower, go to Sample BGP Routing Configuration File (Quagga). For a list of Quagga commands, go to BGP Commands (Quagga).

IPv4 Sample

This configuration sample shows how to configure some common IPv4 BGP commands that you might include in your BGP configuration in Fireware v12.9 or higher. Your configuration file might include other commands.

For descriptions of common commands, go to BGP Commands (FRR). For a complete list of FRR commands, go to the FRRouting User Guide.

If you add a new BGP configuration after you upgrade to Fireware v12.9, you must manually add these commands:

  • To disable the requirement to add BGP filtering policies: no bgp ebgp-requires-policy
    If this setting is enabled and an inbound or outbound BGP policy does not exist for the eBGP session, the Firebox cannot learn or announce routes.
  • To disable the import check setting: no bgp network import-check
    If this setting is enabled and the route for the network does not exist in IGP, the network is marked as invalid and is not advertised.
! SECTION 1
! Enable the BGP daemon and set local ASN to 100.
router bgp 100
! The Firebox cannot learn or announce routes unless you add an inbound or outbound BGP policy for the eBGP session. 
! To remove the policy requirement, enter the command 'no bgp ebgp-requires-policy'.
no bgp ebgp-requires-policy
! When import-check is enabled, if the route for the network does not exist in IGP, the network is marked as invalid and is not advertised. 
no bgp network import-check
! Set neighbor (192.0.2.1) as member of remote ASN (200).
neighbor 192.0.2.1 remote-as 200
! Enable Bidirectional Forwarding Detection (BFD).
neighbor 192.0.2.1 bfd
! Set custom TCP port 189 to communicate with BGP neighbor (192.0.2.1). Default port is TCP 179.
neighbor 192.0.2.1 port 189
! Set neighbor (203.0.113.1) on another network using EBGP multi-hop.
neighbor 203.0.113.1 remote-as 300
neighbor 203.0.113.1 ebgp-multihop 255
! Set BGP version (4, 4-) for communication with a neighbor; default is 4.
neighbor 192.0.2.1 version 4-
! Apply the RPKI-IN route map (defined in Section 5) to routes received from this neighbor.
neighbor 203.0.113.1 route-map RPKI-IN in

 

! SECTION 2
address-family ipv4 unicast
! Announce local network 10.2.0.0/24 to all neighbors defined in this configuration.
network 10.2.0.0/24
! Redistribute static routes to BGP.
redistribute static
! Redistribute rip routes to BGP.
redistribute rip
! Redistribute ospf routes to BGP.
redistribute ospf
! Announce default route to BGP neighbor (192.0.2.1).
neighbor 192.0.2.1 default-originate
! Set maximum number of prefixes allowed from this neighbor.
neighbor 192.0.2.1 maximum-prefix 1000000
! Set a default weight for neighbor (192.0.2.1) routes.
neighbor 192.0.2.1 weight 1000
! Set distribute list and direction for peer.
neighbor 192.0.2.1 distribute-list DIST-IN in
neighbor 203.0.113.1 distribute-list DIST-OUT out
! To apply a route map to incoming or outgoing routes.
neighbor 192.0.2.1 route-map LOCAL-PREF out
! Apply AS path filter lists by name and direction. AS-FILTER is an AS path access list that this sample does not define.
neighbor 192.0.2.1 filter-list AS-FILTER in
neighbor 203.0.113.1 filter-list AS-FILTER out
exit-address-family
exit

 

! SECTION 3
! Set access list.
access-list DIST-IN seq 5 deny 192.0.2.128/25
access-list DIST-IN seq 10 permit 192.0.2.0/25
access-list DIST-OUT seq 5 permit 203.0.113.0/24

 

! SECTION 4
! Set prefix list.
ip prefix-list PRELIST-IN seq 5 permit 10.0.0.0/8
ip prefix-list PRELIST-OUT seq 10 permit 203.0.113.0/24

 

! SECTION 5
! Create route map for local preference tuning and allow a priority of 10.
route-map LOCAL-PREF permit 10
set local-preference 200
! Create a route map and allow a priority of 10. Valid routes are kept.
route-map RPKI-IN permit 10
match rpki valid
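
The samples on this page disable `bgp ebgp-requires-policy`, so an eBGP neighbor with no inbound or outbound policy exchanges routes with no filtering. The following Python check is an added example, not WatchGuard or FRR code: it reads a configuration in this style and reports eBGP neighbors that lack a policy in either direction, and policy names that are applied to a neighbor but never defined. The `audit` function and the `SAMPLE` text are constructed for illustration.

```python
import re

# Definition commands (FRR syntax) and the neighbor keyword that references them.
DEFS = [(r"route-map (\S+) ", "route-map"),
        (r"ip(?:v6)? prefix-list (\S+) ", "prefix-list"),
        (r"(?:ipv6 )?access-list (\S+) ", "distribute-list"),
        (r"bgp as-path access-list (\S+) ", "filter-list")]
APPLY = re.compile(r"neighbor (\S+) (route-map|prefix-list|distribute-list|filter-list) (\S+) (in|out)$")
PEER = re.compile(r"neighbor (\S+) remote-as (\S+)")

# Constructed sample in the style of this page's configurations (not a real device config).
SAMPLE = """\
router bgp 100
no bgp ebgp-requires-policy
neighbor 192.0.2.1 remote-as 200
neighbor 203.0.113.1 remote-as 300
neighbor 198.51.100.9 remote-as 100
neighbor 203.0.113.1 route-map RPKI in
address-family ipv4 unicast
neighbor 203.0.113.1 prefix-list PRELIST-OUT out
exit-address-family
ip prefix-list PRELIST-OUT seq 10 permit 203.0.113.0/24
route-map RPKI-IN permit 10
"""

def audit(config):
    """Report eBGP peers without an in/out policy and policy names never defined."""
    local_as, peers, used, defined, enforced = None, {}, [], set(), True
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"router bgp (\d+)", line):
            local_as = m.group(1)
        elif line == "no bgp ebgp-requires-policy":
            enforced = False  # without this line FRR enforces the requirement
        elif m := PEER.match(line):
            peers[m.group(1)] = m.group(2)
        elif m := APPLY.match(line):
            used.append(m.groups())  # (peer, kind, name, direction)
        for pattern, kind in DEFS:
            if m := re.match(pattern, line):
                defined.add((kind, m.group(1)))
    ebgp = [p for p, asn in peers.items() if asn not in (local_as, "internal")]
    gaps = {p: [d for d in ("in", "out")
                if not any(u[0] == p and u[3] == d for u in used)] for p in ebgp}
    undefined = sorted({(k, n) for _, k, n, _ in used if (k, n) not in defined})
    return {"enforced": enforced, "undefined": undefined,
            "unfiltered": {p: d for p, d in gaps.items() if d}}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the constructed sample, neighbor 192.0.2.1 is reported as unfiltered in both directions, and the route map name `RPKI` is reported as undefined because only `RPKI-IN` exists.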

IPv6 Sample

This configuration sample shows how to configure some common IPv6 BGP commands that you might include in your BGP configuration in Fireware v12.9 or higher. Your configuration file might include other commands. For descriptions of common commands, go to BGP Commands (FRR). For a complete list of FRR commands, go to the FRRouting User Guide.

If you add a new BGP configuration after you upgrade to Fireware v12.9, you must manually add these commands:

  • To disable the requirement to add BGP filtering policies: no bgp ebgp-requires-policy
    If this setting is enabled and an inbound or outbound BGP policy does not exist for the eBGP session, the Firebox cannot learn or announce routes.
  • To disable the import check setting: no bgp network import-check
    If this setting is enabled and the route for the network does not exist in IGP, the network is marked as invalid and is not advertised.
! SECTION 1
! Enable the BGP daemon and set local ASN to 100.
router bgp 100
! Set the router ID for BGP.
bgp router-id 1.1.1.1 
! The Firebox cannot learn or announce routes unless you add an inbound or outbound BGP policy for the eBGP session. 
! To remove the policy requirement, enter the command 'no bgp ebgp-requires-policy'.
no bgp ebgp-requires-policy
! When import-check is enabled, if the route for the network does not exist in IGP, the network is marked as invalid
! in BGP routes and is not advertised. In FRR, import-check is enabled by default.
no bgp network import-check
! Set neighbor (2000::2) as member of remote ASN (200).
neighbor 2000::2 remote-as 200
! Enable Bidirectional Forwarding Detection (BFD).
neighbor 2000::2 bfd

 

! SECTION 2: Enter IPv6 Address Family command mode.
address-family ipv6
! Announce local network 3344::/64 to all neighbors.
network 3344::/64
! Redistribute static routes to BGP.
redistribute static
! Redistribute ripng routes to BGP.
redistribute ripng
! Redistribute ospfv3 routes to BGP.
redistribute ospf6
! Activate neighbor 2000::2
neighbor 2000::2 activate 
! Announce default route to BGP neighbor (2000::2).
neighbor 2000::2 default-originate
! To match an autonomous system path access list to incoming or outgoing routes.
neighbor 2000::2 filter-list AS-FILTER in
! To apply a route map to incoming or outgoing routes.
neighbor 2000::2 route-map LOCAL-PREF out
! Set distribute list and direction for peer.
neighbor 2000::2 distribute-list DIST-IN in
! To apply a prefix list to be matched to incoming or outgoing advertisements to that neighbor.
neighbor 2000::2 prefix-list PRELIST-IN in
exit-address-family
exit

 

! SECTION 3: Announcement filtering
! Set access list.
ipv6 access-list DIST-IN deny 4000::/64
ipv6 access-list DIST-IN permit 4000::/25

 

! SECTION 4: Set prefix lists.
ipv6 prefix-list PRELIST-IN permit 3000::/64
ipv6 prefix-list PRELIST-OUT permit 5000::/64

 

! SECTION 5: Create a route map and allow with a priority of 10 (1-199).
route-map LOCAL-PREF permit 10
! Set local preference for failover.
set local-preference 200
! Match IPv6 access list
match ipv6 address DIST-IN
exit

IPv4 and IPv6 Sample

This configuration sample shows how to configure some common IPv4 and IPv6 BGP commands that you might include in your BGP configuration in Fireware v12.9 or higher. Your configuration file might include other commands. For descriptions of common commands, go to BGP Commands (FRR). For a complete list of FRR commands, go to the FRRouting User Guide.

If you add a new BGP configuration after you upgrade to Fireware v12.9, you must manually add these commands:

  • To disable the requirement to add BGP filtering policies: no bgp ebgp-requires-policy
    If this setting is enabled and an inbound or outbound BGP policy does not exist for the eBGP session, the Firebox cannot learn or announce routes.
  • To disable the import check setting: no bgp network import-check
    If this setting is enabled and the route for the network does not exist in IGP, the network is marked as invalid and is not advertised.
! SECTION 1
router bgp 65534
bgp router-id 10.15.1.1
no bgp ebgp-requires-policy
no bgp network import-check
neighbor 172.16.255.2 remote-as 65535
neighbor 172.16.255.2 timers connect 5
neighbor fd00::25 remote-as 65535
neighbor fd00::25 timers connect 5

 

! SECTION 2
address-family ipv4
network 10.15.2.0/24
exit-address-family

 

! SECTION 3:
address-family ipv6
! network 1500::0/64  
neighbor fd00::25 activate  
exit-address-family

ECMP and Multi-Path Sample

This configuration sample describes how to configure the BGP protocol to support Equal-Cost Multi-Path (ECMP) routing. With this configuration, traffic is distributed across multiple paths that have the same routing cost. Because routers can use multiple BGP routes to the same destination simultaneously, this approach improves network performance, redundancy, and load balancing.

If you add a new BGP configuration after you upgrade to Fireware v12.9, you must manually add these commands:

  • To disable the requirement to add BGP filtering policies: no bgp ebgp-requires-policy
    If this setting is enabled and an inbound or outbound BGP policy does not exist for the eBGP session, the Firebox cannot learn or announce routes.
  • To disable the import check setting: no bgp network import-check
    If this setting is enabled and the route for the network does not exist in IGP, the network is marked as invalid and is not advertised.
  • To relax the AS-path check for multipath, and enable ECMP across routes that differ in AS-path but are otherwise equally good: bgp bestpath as-path multipath-relax

! Start BGP.
router bgp 10001
! Disable eBGP policy requirement and permit advertisement of routes.
no bgp ebgp-requires-policy
no bgp network import-check
! Set the maximum path value.
maximum-paths 2
! Configure the first neighbor.
neighbor 198.51.100.253 remote-as 7224
neighbor 198.51.100.253 activate
neighbor 198.51.100.253 timers 10 30
! Configure the second neighbor.
neighbor 198.51.100.161 remote-as 7224
neighbor 198.51.100.161 activate
! Advertise the local network.
network 10.0.1.0/24
! Exit BGP mode.
exit

Failover that Uses Weight and AS Path Prepending Sample

This configuration sample describes how to set up a BGP failover strategy that uses a combination of weight (a preference that applies only on the local router) and AS path prepending to influence route selection both locally and remotely.

If you add a new BGP configuration after you upgrade to Fireware v12.9, you must manually add these commands:

  • To disable the requirement to add BGP filtering policies: no bgp ebgp-requires-policy
    If this setting is enabled and an inbound or outbound BGP policy does not exist for the eBGP session, the Firebox cannot learn or announce routes.
  • To disable the import check setting: no bgp network import-check
    If this setting is enabled and the route for the network does not exist in IGP, the network is marked as invalid and is not advertised.
! Start BGP.
router bgp 10001
! Disable eBGP policy requirement and permit advertisement of routes.
no bgp ebgp-requires-policy
no bgp network import-check
! Configure the first neighbor as the primary route path with the highest weight.
neighbor 198.51.100.253 remote-as 7224
neighbor 198.51.100.253 activate
neighbor 198.51.100.253 timers 10 30
neighbor 198.51.100.253 weight 2000
! Configure the second neighbor as the backup route path with a lower weight.
neighbor 198.51.99.161 remote-as 7224
neighbor 198.51.99.161 activate
neighbor 198.51.99.161 timers 10 30
neighbor 198.51.99.161 weight 1000
! Apply a route map that lengthens the AS path advertised to this neighbor by prepending.
neighbor 198.51.99.161 route-map PREPEND out
! Advertise the local network.
network 10.0.1.0/24
! Prepend the local ASN (10001) three additional times to the existing AS path.
route-map PREPEND permit 10
set as-path prepend 10001 10001 10001
! Exit BGP mode.
exit

Related Topics

About Border Gateway Protocol (BGP)