BGP Neighbor Configuration

BGP Neighbors are managed at Services > FRR BGP on the Neighbors tab.

The Neighbors tab contains a list of current neighbors, if any, and controls to manage the entries (e.g. edit, delete). The Add button creates a new neighbor.

The remaining sections on this page cover the various options available when creating or editing a neighbor entry.

General Options

Name/Address

The name of a peer group or IP address of a neighbor.

Enter a text name to define a Peer Group. Enter an IP Address to define a Peer.

Peer groups allow common options to be defined which may then be applied to multiple neighbors without manually placing the options on each neighbor.

Description

A text description about this neighbor.

Peer Group

A list of existing peer groups to which this neighbor can be added. Can only be used when defining a neighbor by IP address.

Password

Sets a password used to secure communication with this neighbor using TCP MD5.

The operating system of the neighbor and its BGP support may restrict which of the password types can be used.

FRR and setkey Bidirectional

Configures the password in FRR and at the operating system level in security policies for both inbound and outbound packets.

This is the best option to use when possible as it fully implements TCP MD5 at the operating system level and in FRR. Use this when both neighbors fully support TCP MD5 for both sending and receiving.

FRR and setkey Outbound

Configures the password in FRR and at the operating system level in security policies, but only in the outbound direction.

This option does not validate TCP MD5 on inbound packets, but will add TCP MD5 information to packets sent to the neighbor. Use this if the neighbor is unable to properly send TCP MD5 which can be validated by this firewall.

FRR Only

Configures the password only in FRR, not at the operating system level.

setkey Only Outbound

Configures the password only at the operating system level in security policies, but only in the outbound direction.

setkey Only Bidirectional

Configures the password at the operating system level in security policies for both inbound and outbound packets, but not in FRR.

Shutdown

Neighbor Administrative Shutdown

When checked, the neighbor will be put into, and kept in, an administratively shutdown state.

Shutdown Message

A text message sent to the neighbor while it is administratively shut down.

Auto-Shutdown

RTT

If the round-trip time to the neighbor exceeds this value it will be automatically shut down.

Keep alive Count

If the neighbor fails to respond to this number of keep alive messages, it will be automatically shut down.

Basic Options

Remote AS

Autonomous System (AS) Number for this neighbor. May be an integer from 1-4294967295, external, or internal.

Update Source

These options control how FRR will communicate with the neighbor.

IP Type

Sets the address family of the IP address to which FRR will bind for communicating to this neighbor, either IPv4 or IPv6.

Local Source

Sets the specific IP address to use when communicating with the neighbor. This can be an interface address, an IP alias VIP, or a CARP VIP.

Address Family

When set, the neighbor is allowed to advertise routes for both IPv4 and IPv6. Otherwise, the type of routes will be restricted to whichever IP type is set for the Update Source.

Default Originate

These options control whether or not FRR will advertise itself as the default route for this neighbor.

Originate Default to Neighbor

Sets the address family for which a default route will be sent to the neighbor, either IPv4, IPv6, or both.

Route Map

A route map used to restrict default origination.

Send Community

Sends the community attribute to this peer, limited to the specified types.

Next Hop Self

Disables next hop calculation for this neighbor and uses the address of this router instead.

Enabled

Uses the address of this router as the next hop in routes announced to this peer if they are learned via eBGP.

Force

When set, also sets the next hop to the address of this router on reflected routes.

Inbound Soft Reconfiguration

Allows the peer to send requests for soft reconfiguration, to apply changes to routes or new attributes without the need for a session reset.

Timers

Keep Alive Interval

Configures the interval between keep alive messages to wait for a response from this neighbor before considering the peer unreachable. This overrides the default values set on the BGP server itself.

Hold Time

Configures how long to wait for a response from this neighbor before considering the peer unreachable. This overrides the default values set on the BGP server itself.

Connect Timer

The amount of time, in seconds from 1-65535, in which a connection to this peer must be established or else it is considered unsuccessful.

Peer Filtering

These options control which routes may be sent to, or received from, this neighbor.

Note

The current FRR package does not exchange routes with BGP peers by default without being explicitly allowed to do so by a filter. This is secure behavior but requires manually specifying a filter to allow routes to be exchanged.

To replicate the behavior of older FRR versions, add a route map to permit all routes (Name: allow-all, Action: Permit, Sequence: 100), then set that route map on BGP neighbors for inbound and outbound peer filtering. For increased security, utilize route maps which filter incoming and outgoing routes so they match more strictly.
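As an added example (not part of the original page or of the FRR package), the Python script below audits an FRR-style configuration and reports, per neighbor and direction, whether there is no filter at all, a permit-all route map such as allow-all, or a stricter filter. The configuration text is constructed in FRR command syntax; the addresses, AS numbers, list names other than allow-all, and the `audit` function are assumptions. Any permit entry without a match clause is treated as permit-all, which is a simplification.

```python
import re

# Constructed config for illustration; every value except allow-all is an assumption.
SAMPLE_CONFIG = """\
router bgp 65001
 neighbor 203.0.113.1 remote-as 65010
 neighbor 203.0.113.2 remote-as 65020
 neighbor 203.0.113.3 remote-as 65030
 address-family ipv4 unicast
  neighbor 203.0.113.1 route-map allow-all in
  neighbor 203.0.113.1 route-map allow-all out
  neighbor 203.0.113.2 route-map PEER-IN in
  neighbor 203.0.113.2 prefix-list LOCAL-OUT out
 exit-address-family
!
ip prefix-list PEER-IN seq 10 permit 198.51.100.0/24
ip prefix-list LOCAL-OUT seq 10 permit 192.0.2.0/24
!
route-map allow-all permit 100
!
route-map PEER-IN permit 10
 match ip address prefix-list PEER-IN
"""
FILTERS = ("route-map", "prefix-list", "distribute-list", "filter-list")

def audit(config):
    """Return {neighbor: {"in": verdict, "out": verdict}} for a BGP config."""
    open_entries, entry, peers = set(), None, {}
    for raw in config.splitlines():
        rm = re.fullmatch(r"route-map (\S+) (permit|deny) (\d+)", raw.strip())
        nb = re.match(r"neighbor (\S+) (\S+) (\S+)(?: (in|out)$)?", raw.strip())
        if rm:  # a permit entry is unconditional until a match line follows it
            entry = (rm[1], rm[3])
            if rm[2] == "permit":
                open_entries.add(entry)
        elif not raw.startswith(" "):  # any other top-level line ends the entry
            entry = None
        elif entry and raw.lstrip().startswith("match "):
            open_entries.discard(entry)
        elif nb:
            peer = peers.setdefault(nb[1], {"in": None, "out": None})
            if nb[2] in FILTERS and nb[4]:
                peer[nb[4]] = (nb[2], nb[3])
    wide = {("route-map", name) for name, _seq in open_entries}
    def verdict(policy):
        if policy is None:
            return "no filter"  # per the note above: no routes are exchanged
        return "permit-all" if policy in wide else "filtered"
    return {p: {d: verdict(v) for d, v in dirs.items()} for p, dirs in peers.items()}
```

Neighbors reported as `permit-all` are the ones to revisit when tightening route maps; `no filter` explains a session that is established but exchanges no routes.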

Distribute List Filter

Defines an access list which is used by BGP to filter route updates for this peer, in either the inbound or outbound direction.

Prefix List Filter

Defines a prefix list which is used by BGP to filter route updates for this peer, in either the inbound or outbound direction.

AS Path Filter

Defines an AS path list which is used by BGP to filter route updates by AS path in either the inbound or outbound direction.

Route Map Filters

Defines a route map which is used by BGP to filter route updates for this peer, in either the inbound or outbound direction.

Unsuppress Route Map

Configures a route map which BGP can use to unsuppress routes that would otherwise be suppressed by other configuration settings.

BFD

Configures Bidirectional Forwarding Detection (BFD) options for this peer.

BFD Enable

Listen for BFD events registered on the same target as this BGP neighbor.

BFD Check Control Plane Failure

Allow FRR to write CBIT independence in outgoing BFD packets. Also allow FRR to read both the CBIT value of BFD and lookup BGP peer status. This option allows BFD to ignore down events during a graceful restart of the remote peer if graceful restarts are enabled in BGP. When enabled, if BFD catches a down event it first checks if the BGP peer has requested that the local BGP daemon keep the remote BGP entries marked as stale. In that case it can safely ignore the event to allow the restart to happen gracefully (RFC 4724).

BFD Peer

Selects a BFD peer to associate with this neighbor.

Graceful Restart

Graceful restart mode for this neighbor, may be one of:

Default

Will use the default value for BGP graceful restart from Graceful Restart/Shutdown.

Restart

Enables BGP graceful restart functionality for this peer.

Helper

Enables BGP graceful restart helper only functionality for this peer.

Disable

Disables all BGP graceful restart functionality for this peer.

Advanced Options

Weight

Applies the given weight to routes received from this peer.

Passive

When set, this router will not issue open requests to the neighbor on its own. The BGP daemon will only respond to remote open requests from this neighbor.

Path Advertise

All Paths

Advertise all known paths to this peer, instead of only advertising the base path.

Best Path

Advertise only the best known base paths for each AS.

Advertisement Interval

Minimal time (in seconds) between sending BGP routing updates to this neighbor.

Allow AS Inbound

Allows routes to be received from this peer which are from the same AS of this router, but through a different path.

Enabled

Always allow.

Only if Origin

Accept the AS of this router in an AS path if the route originated in the AS of this router.

Allow <number>x

Allowed number of AS occurrences, from 1-10.

AS Override

Override ASNs in outbound updates to this peer if the AS path is identical to the remote AS.

Attribute Unchanged

Propagates route attributes to this peer unchanged. This behavior can be optionally restricted to only specific attributes.

Advertise Capability

Advertises the selected capabilities to this neighbor, may be one of:

Dynamic

Enables negotiation of the dynamic capability with this neighbor or peer group.

Extended Next-Hop

Enables negotiation of the extended-nexthop capability with this neighbor or peer group. This capability can set IPv6 next-hops for IPv4 routes when peering with IPv6 neighbors on interfaces without IPv4 connectivity. This is automatically enabled when peering with IPv6 link-local addresses.

ORF

Advertise outbound route filtering capability to this peer.

Disable Capability Negotiation

Disables dynamic capability negotiation with the peer. When set, the router does not advertise capabilities, nor does it accept them. This results in using only locally configured capabilities.

Override Capability Negotiation

Ignores capabilities sent by the peer during negotiation and uses locally configured capabilities instead.

TTL Security Hops

Sets a specific hop count at which neighbors must be reached, rather than the maximum value set by eBGP multi-hop.

This cannot be set if eBGP multi-hop is set.

Disable Connected Check

Disables a check that normally prevents peering with eBGP neighbors which are not directly connected. This enables using loopback interfaces to establish adjacency with peers.

eBGP Multi-Hop

The maximum allowed hops between this router and the neighbor, in the range 1-255. When enabled without a specific value, the default is 1.

This value cannot be set if TTL Security Hops is set.

Enforce eBGP Multi-Hop

When set, enforces that neighbors perform multi-hop.

Local AS

Local AS Number

Sets the local AS number sent to this neighbor, which replaces the AS number configured on the BGP server itself. By default, this value is prepended to the AS path for routes received from this neighbor or peer group, and is added to the AS path for routes sent to this neighbor or peer group after the AS number from the BGP server.

Do not prepend eBGP

Suppresses prepending this AS number to the AS path for received routes from eBGP.

Do not prepend iBGP

Suppresses prepending this AS number to the AS path for received routes from iBGP.

Maximum Prefix

Defines the maximum number of prefixes this router will accept from the peer before tearing down the BGP session.

Note

This action is considered harsh and the best practice is to filter received prefixes by other mechanisms such as a prefix-list rather than to abruptly break contact in this way.

Maximum Prefix

The maximum number of prefixes to allow from the peer, from 1-4294967295.

Warn Percentage

Warning message threshold, from 1-100 percent.

Warn Only

Warn the peer when the limit is exceeded, rather than disconnecting.

Restart Interval

Restarts the connection after warning limits are exceeded. The restart is performed at the defined interval, in minutes, from 1-65535.

Maximum Prefix Out

Limits the number of prefixes which will be sent to the neighbor by FRR.

Remove Private AS

Remove Outbound

Prevents the BGP daemon from sending routes with private AS numbers to this peer.

Apply to All

When present, this action applies to all ASNs.

Replace with Local

When present, replaces private AS numbers with the AS number of this router.

Route Client

Route Reflector Client

Configures this peer as a route reflector client. This allows routes received from peers in the same AS or using iBGP to be reflected to other peers, avoiding the need for a full mesh configuration between all routing peers.

Route Server Client

Configures this peer as a route server client. This enables transparent mode, which retains attributes unmodified, and maintains a local RIB for this peer.

Solo Peer

Instructs the router to prevent reflection of routes received from this neighbor back to this neighbor. This option is not useful in peer groups with multiple members.