BGP Neighbor Configuration

BGP Neighbors are managed at Services > FRR BGP on the Neighbors tab.

The Neighbors tab contains a list of current neighbors, if any, and controls to manage the entries (e.g. edit, delete). The Add button creates a new neighbor.

The remaining sections on this page cover the various options available when creating or editing a neighbor entry.

General Options

Name/Address:

The name of a peer group or IP address of a neighbor.

Enter a text name to define a Peer Group. Enter an IP Address to define a Peer.

Peer groups allow common options to be defined which may then be applied to multiple neighbors without manually placing the options on each neighbor.

Description:

A text description about this neighbor.

Peer Group:

A list of existing peer groups to which this neighbor can be added. Can only be used when defining a neighbor by IP address.

Password:

Sets a password used to secure communication with this neighbor using TCP MD5.

The operating system of the neighbor and its BGP support may restrict which of the password types can be used.

FRR and setkey Bidirectional:

Configures the password in FRR and at the operating system level in security policies for both inbound and outbound packets.

This is the best option to use when possible as it fully implements TCP MD5 at the operating system level and in FRR. Use this when both neighbors fully support TCP MD5 for both sending and receiving.

FRR and setkey Outbound:

Configures the password in FRR and at the operating system level in security policies, but only in the outbound direction.

This option does not validate TCP MD5 on inbound packets, but will add TCP MD5 information to packets sent to the neighbor. Use this if the neighbor is unable to properly send TCP MD5 which can be validated by this firewall.

FRR Only:

Configures the password only in FRR, not at the operating system level.

setkey Only Outbound:

Configures the password only at the operating system level in security policies, but only in the outbound direction.

setkey Only Bidirectional:

Configures the password at the operating system level in security policies for both inbound and outbound packets, but not in FRR.

Shutdown

Neighbor Administrative Shutdown:

When checked, the neighbor will be put into, and kept in, an administratively shutdown state.

Shutdown Message:

A text message sent to the neighbor while it is administratively shut down.

Auto-Shutdown:
RTT:

If the round-trip time to the neighbor exceeds this value it will be automatically shut down.

Keep alive Count:

If the neighbor fails to respond to this number of keep alive messages, it will be automatically shut down.

Basic Options

Remote AS:

Autonomous System (AS) Number for this neighbor. May be an integer from 1-4294967295, external, or internal.

Update Source:

These options control how FRR will communicate with the neighbor.

IP Type:

Sets the address family of the IP address to which FRR will bind for communicating to this neighbor, either IPv4 or IPv6.

Local Source:

Sets the specific IP address to use when communicating with the neighbor. This can be an interface address, an IP alias VIP, or a CARP VIP.

Address Family:

When set, the neighbor is allowed to advertise routes for both IPv4 and IPv6. Otherwise, the type of routes will be restricted to whichever IP type is set for the Update Source.

Default Originate:

These options control whether or not FRR will advertise itself as the default route for this neighbor.

Originate Default to Neighbor:

Sets the address family for which a default route will be sent to the neighbor, either IPv4, IPv6, or both.

Route Map:

A route map used to restrict default origination.

Send Community:

Sends the community attribute to this peer, limited to the specified types.

Next Hop Self:

Disables next hop calculation for this neighbor and uses the address of this router instead.

Enabled:

Uses the address of this router as the next hop in routes announced to this peer if they are learned via eBGP.

Force:

When set, also sets the next hop to the address of this router on reflected routes.

Inbound Soft Reconfiguration:

Allows the peer to send requests for soft reconfiguration, to apply changes to routes or new attributes without the need for a session reset.

Timers:
Keep Alive Interval:

Configures the interval between keep alive messages to wait for a response from this neighbor before considering the peer unreachable. This overrides the default values set on the BGP server itself.

Hold Time:

Configures how long to wait for a response from this neighbor before considering the peer unreachable. This overrides the default values set on the BGP server itself.

Connect Timer:

The amount of time, in seconds from 1-65535, in which a connection to this peer must be established or else it is considered unsuccessful.

Peer Filtering

These options control which routes may be sent to, or received from, this neighbor.

Note

The current FRR package does not exchange routes with BGP peers by default without being explicitly allowed to do so by a filter. This is secure behavior but requires manually specifying a filter to allow routes to be exchanged.

To replicate the behavior of older FRR versions, add a route map to permit all routes (Name: allow-all, Action: Permit, Sequence: 100), then set that route map on BGP neighbors for inbound and outbound peer filtering. For increased security, utilize route maps which filter incoming and outgoing routes so they match more strictly.
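The difference between the permit-all route map and a stricter one is visible in the resulting FRR configuration. The following is an added example, not part of the original documentation or the FRR package: a small Python audit that reads FRR configuration text and reports, per neighbor and direction, whether the applied route map permits unconditionally or matches on something. The sample configuration, AS numbers, addresses, and the names `STRICT-IN` and `PEER-PFX` are constructed for illustration; only `allow-all` with sequence 100 comes from the note above.

```python
import re

# Constructed FRR configuration for illustration (not from the original page).
SAMPLE_CONF = """\
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.9 remote-as 65003
 address-family ipv4 unicast
  neighbor 192.0.2.1 route-map allow-all in
  neighbor 192.0.2.1 route-map allow-all out
  neighbor 192.0.2.9 route-map STRICT-IN in
 exit-address-family
!
ip prefix-list PEER-PFX seq 10 permit 203.0.113.0/24
!
route-map allow-all permit 100
!
route-map STRICT-IN permit 10
 match ip address prefix-list PEER-PFX
!
"""

def audit(conf):
    """Classify each neighbor's inbound/outbound route map (route maps only)."""
    neighbors, applied, entries, current = set(), {}, {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if m := re.match(r"neighbor (\S+) remote-as ", line):
            neighbors.add(m[1])
        elif m := re.match(r"neighbor (\S+) route-map (\S+) (in|out)$", line):
            applied[(m[1], m[3])] = m[2]
        elif m := re.match(r"route-map (\S+) (permit|deny) (\d+)$", line):
            current = {"action": m[2], "matches": 0}
            entries.setdefault(m[1], []).append(current)
        elif line.startswith("match ") and current is not None:
            current["matches"] += 1  # this entry only applies to matching routes
        elif not raw.startswith(" "):
            current = None  # an unindented line ends the route-map block

    def finding(nbr, direction):
        name = applied.get((nbr, direction))
        if name is None:
            return "no route map"
        # A permit entry with no match clause accepts every route that reaches it.
        if any(e["action"] == "permit" and not e["matches"] for e in entries.get(name, [])):
            return f"unconditional permit ({name})"
        return f"filtered ({name})"
    return {n: {d: finding(n, d) for d in ("in", "out")} for n in sorted(neighbors)}
```

The audit inspects route maps only; prefix lists, distribute lists, or AS path filters applied directly to a neighbor are not considered and would show up as "no route map".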

Distribute List Filter:

Defines an access list which is used by BGP to filter route updates for this peer, in either the inbound or outbound direction.

Prefix List Filter:

Defines a prefix list which is used by BGP to filter route updates for this peer, in either the inbound or outbound direction.

AS Path Filter:

Defines an AS path list which is used by BGP to filter route updates by AS path in either the inbound or outbound direction.

Route Map Filters:

Defines a route map which is used by BGP to filter route updates for this peer, in either the inbound or outbound direction.

Unsuppress Route Map:

Configures a route map which BGP can use to unsuppress routes that would otherwise be suppressed by other configuration settings.

BFD

Configures Bidirectional Forwarding Detection (BFD) options for this peer.

BFD Enable:

Listen for BFD events registered on the same target as this BGP neighbor.

BFD Check Control Plane Failure:

Allow FRR to write CBIT independence in outgoing BFD packets. Also allow FRR to read both the CBIT value of BFD and look up BGP peer status. This option allows BFD to ignore down events during a graceful restart of the remote peer if graceful restarts are enabled in BGP. When enabled, if BFD catches a down event it first checks if the BGP peer has requested that the local BGP daemon keep the remote BGP entries marked as stale. In that case it can safely ignore the event to allow the restart to happen gracefully (RFC 4724).

BFD Peer:

Selects a BFD peer to associate with this neighbor.

Graceful Restart

Graceful restart mode for this neighbor, may be one of:

Default:

Will use the default value for BGP graceful restart from Graceful Restart/Shutdown.

Restart:

Enables BGP graceful restart functionality for this peer.

Helper:

Enables BGP graceful restart helper only functionality for this peer.

Disable:

Disables all BGP graceful restart functionality for this peer.

Advanced Options

Weight:

Applies the given weight to routes received from this peer.

Passive:

When set, this router will not issue open requests to the neighbor on its own. The BGP daemon will only respond to remote open requests from this neighbor.

Path Advertise:
All Paths:

Advertise all known paths to this peer, instead of only advertising the base path.

Best Path:

Advertise only the best known base paths for each AS.

Advertisement Interval:

Minimal time (in seconds) between sending BGP routing updates to this neighbor.

Allow AS Inbound:

Allows routes to be received from this peer which are from the same AS of this router, but through a different path.

Enabled:

Always allow.

Only if Origin:

Accept the AS of this router in an AS path if the route originated in the AS of this router.

Allow <number>x:

Allowed number of AS occurrences, from 1-10.

AS Override:

Override ASNs in outbound updates to this peer if the AS path is identical to the remote AS.

Attribute Unchanged:

Propagates route attributes to this peer unchanged. This behavior can be optionally restricted to only specific attributes.

Advertise Capability:

Advertises the selected capabilities to this neighbor, may be one of:

Dynamic:

Enables negotiation of the dynamic capability with this neighbor or peer group.

Extended Next-Hop:

Enables negotiation of the extended-nexthop capability with this neighbor or peer group. This capability can set IPv6 next-hops for IPv4 routes when peering with IPv6 neighbors on interfaces without IPv4 connectivity. This is automatically enabled when peering with IPv6 link-local addresses.

ORF:

Advertise outbound route filtering capability to this peer.

Disable Capability Negotiation:

Disables dynamic capability negotiation with the peer. When set, the router does not advertise capabilities, nor does it accept them. This results in using only locally configured capabilities.

Override Capability Negotiation:

Ignores capabilities sent by the peer during negotiation and uses locally configured capabilities instead.

TTL Security Hops:

Sets a specific hop count at which neighbors must be reached, rather than the maximum value set by eBGP multi-hop.

This cannot be set if eBGP multi-hop is set.

Disable Connected Check:

Disables a check that normally prevents peering with eBGP neighbors which are not directly connected. This enables using loopback interfaces to establish adjacency with peers.

eBGP Multi-Hop:

The maximum allowed hops between this router and the neighbor, in the range 1-255. When enabled without a specific value, the default is 1.

This value cannot be set if TTL Security Hops is set.

Enforce eBGP Multi-Hop:

When set, enforces that neighbors perform multi-hop.

Local AS:
Local AS Number:

Sets the local AS number sent to this neighbor, which replaces the AS number configured on the BGP server itself. By default, this value is prepended to the AS path for routes received from this neighbor or peer group, and is added to the AS path for routes sent to this neighbor or peer group after the AS number from the BGP server.

Do not prepend eBGP:

Suppresses prepending this AS number to the AS path for received routes from eBGP.

Do not prepend iBGP:

Suppresses prepending this AS number to the AS path for received routes from iBGP.

Maximum Prefix:

Defines the maximum number of prefixes this router will accept from the peer before tearing down the BGP session.

Note

This action is considered harsh and the best practice is to filter received prefixes by other mechanisms such as a prefix-list rather than to abruptly break contact in this way.

Maximum Prefix:

The maximum number of prefixes to allow from the peer, from 1-4294967295.

Warn Percentage:

Warning message threshold, from 1-100 percent.

Warn Only:

Warn the peer when the limit is exceeded, rather than disconnecting.

Restart Interval:

Restarts the connection after warning limits are exceeded. The restart is performed at the defined interval, in minutes, from 1-65535.

Maximum Prefix Out:

Limits the number of prefixes which will be sent to the neighbor by FRR.

Remove Private AS:
Remove Outbound:

Prevents the BGP daemon from sending routes with private AS numbers to this peer.

Apply to All:

When present, this action applies to all ASNs.

Replace with Local:

When present, replaces private AS numbers with the AS number of this router.

Route Client:
Route Reflector Client:

Configures this peer as a route reflector client. This allows routes received from peers in the same AS or using iBGP to be reflected to other peers, avoiding the need for a full mesh configuration between all routing peers.

Route Server Client:

Configures this peer as a route server client. This enables transparent mode, which retains attributes unmodified, and maintains a local RIB for this peer.

Solo Peer:

Instructs the router to prevent reflection of routes received from this neighbor back to this neighbor. This option is not useful in peer groups with multiple members.