BGP Neighbor Configuration

From within config-bgp mode, the neighbor statement can take either an IP address, to set up a single neighbor, or a name, which configures a peer group. The command then changes to config-bgp-neighbor mode.

tnsr(config-bgp)# neighbor 203.0.113.14
tnsr(config-bgp-neighbor)#

Peer groups work nearly identically to neighbors; they define options that are common to multiple neighbors.

Warning

A neighbor or peer group must first be defined here before it can be used inside an address family (BGP Address Family Neighbor Configuration).

config-bgp-neighbor mode contains the following commands:

advertisement-interval <interval-sec>:

Minimum time between sending routing updates to this neighbor, expressed in seconds in the range 0-600.

bfd enabled (true|false):

Enable Bidirectional Forwarding Detection for this BGP neighbor.

capability dynamic:

Enables negotiation of the dynamic capability with this neighbor or peer group.

capability extended-nexthop:

Enables negotiation of the extended-nexthop capability with this neighbor or peer group. This capability can set IPv6 next-hops for IPv4 routes when peering with IPv6 neighbors on interfaces without IPv4 connectivity. This is automatically enabled when peering with IPv6 link-local addresses.

disable-connected-check:

Disables a check that normally prevents peering with eBGP neighbors which are not directly connected. This enables using loopback interfaces to establish adjacencies with peers.

description <string>:

A brief text description of this neighbor.

dont-capability-negotiate:

Disables dynamic capability negotiation with the peer. When set, the router does not advertise capabilities, nor does it accept them. This results in using only locally configured capabilities.

ebgp-multihop [hop-maximum <hops>]:

The maximum allowed hops between this router and the neighbor, in the range 1-255. When enabled without a specific value, the default is 255. Setting this option automatically removes any existing value for ttl-security.

(enable|disable):

The default state of a neighbor is disabled. To enable the neighbor, use the enable command. To disable the neighbor, run disable or no enable.

graceful-restart (enable|helper|disable):

By default, neighbors use the globally defined graceful restart configuration. This command overrides the global BGP graceful restart behavior for this neighbor. For details, see Graceful Restart.

enforce-first-as:

When set, enforces the first AS for eBGP routes.

local-as <asn> [no-prepend [replace-as]]:

Sets the local AS number sent to this neighbor, which replaces the AS number configured on the BGP server itself. By default, this value is prepended to the AS path for routes received from this neighbor or peer group, and is added to the AS path for routes sent to this neighbor or peer group after the AS number from the BGP server.

no-prepend:

Suppresses prepending this AS number to the AS path for received routes.

replace-as:

Suppresses prepending the BGP server AS to transmitted routes, so that only this value is present.

local-role <role> [strict-mode]:

Configures BGP role support (RFC 9234) for this neighbor. BGP roles aid in route leak prevention and detection by explicitly configuring a relationship type between peers and marking routes as “Only To Customer” (OTC) depending on who sends the route. This helps when dealing with routes leaking due to BGP misconfigurations on peers, such as from a lack of filtering.

To enable BGP roles, use this command to configure the role of the local router with respect to this neighbor. If the neighbor also has a BGP role configured, the two peers will negotiate this when exchanging capability information. Roles may only be defined in specific combinations, mentioned in each entry below.

The following roles are available:

peer:

The local AS and remote AS have a lateral peering relationship. The neighbor must also declare itself a peer.

Peers can exchange their own routes in either direction, but routes marked OTC are not passed between peers unless the OTC AS matches the peer sending the route.

provider:

The local AS is a transit provider of the remote AS. If the local AS is a provider, the neighbor must declare itself a customer.

Routes sent from provider to customer are marked OTC. If a provider receives a route marked OTC, it has leaked and is considered ineligible.

customer:

The local AS is a transit customer of the remote AS. If the local AS is a customer, the neighbor must declare itself a provider.

rs-server:

The local AS is a route server (RS), and the remote AS is its client. If the local AS is an rs-server, the neighbor must declare itself an rs-client.

Routes sent from an RS server to an RS client are marked OTC. If an RS server receives a route marked OTC, it has leaked and is considered ineligible.

rs-client:

The local AS is a route server client, and the remote AS is its server. If the local AS is an rs-client, the neighbor must declare itself an rs-server.

In each case, if a route was received from another neighbor and it contains an OTC marker, BGP roles prevent it from being propagated to other neighbors inappropriately.

Each role also supports the following options:

strict-mode:

When set, BGP will not establish a session with a peer unless it also has BGP role support and is properly configured with an appropriate role.

When this is not set, if the peer does not support BGP roles or does not have a role configured, then local BGP role support is disabled.

override-capability:

Ignores capabilities sent by the peer during negotiation and uses locally configured capabilities instead.
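The role pairing, strict-mode, OTC marking and leak checks described above, as an added simulation in Python (not TNSR or FRR code). It follows the RFC 9234 procedures the local-role entries summarize; the prefixes and AS numbers are constructed sample values.

```python
# Added example: simulate the RFC 9234 role / Only-To-Customer (OTC) logic that
# local-role enables. Not TNSR code; ASNs and prefixes below are constructed.
from dataclasses import dataclass, field
from typing import Optional

# Each local role is only valid against one remote role.
PAIRING = {"peer": "peer", "provider": "customer", "customer": "provider",
           "rs-server": "rs-client", "rs-client": "rs-server"}


@dataclass
class Route:
    prefix: str
    as_path: list = field(default_factory=list)
    otc: Optional[int] = None  # OTC attribute carries the ASN that set it


def negotiate_role(local_role, remote_role, strict_mode=False):
    """Return the role in effect for the session, or None if roles end up
    disabled. Raises ValueError when the session must not be established."""
    if remote_role is None:                     # peer lacks role support/config
        if strict_mode:
            raise ValueError("strict-mode: neighbor sent no BGP role")
        return None                             # local role support disabled
    if PAIRING[local_role] != remote_role:
        raise ValueError(f"role mismatch: {local_role} vs {remote_role}")
    return local_role


def ingress_eligible(route, local_role, neighbor_as):
    """Ingress check on a route received from the neighbor."""
    if route.otc is None or local_role is None:
        return True
    if local_role in ("provider", "rs-server"):
        return False       # OTC route arriving from a customer/RS client: a leak
    if local_role == "peer" and route.otc != neighbor_as:
        return False       # OTC set by some AS other than the sending peer: a leak
    return True            # customers and RS clients legitimately receive OTC


def egress(route, local_role, local_as):
    """Egress processing; returns the route to send, or None to withhold it."""
    if local_role is None:
        return route
    if route.otc is not None:
        # OTC routes may only continue downward, to customers and RS clients
        return route if local_role in ("provider", "rs-server") else None
    if local_role in ("provider", "rs-server", "peer"):
        return Route(route.prefix, route.as_path, otc=local_as)  # mark OTC
    return route           # sending to a provider / RS server: no marking
```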

passive:

When set, this router will not issue requests to the neighbor on its own. The BGP daemon will only respond to remote requests from this neighbor.

password <line>:

A password used by BGP for TCP-MD5 (RFC 2385) authentication of communications with the neighbor, up to 64 characters in length.

peer-group <peer-group-name>:

Configure this neighbor as a member of the given peer group. Only valid for use in neighbors defined by address, not on peer groups.

port <port>:

An alternate port number used by this daemon for BGP messages, if it uses a value other than TCP port 179.

remote-as <asn>:

The remote AS number of this neighbor.

solo:

Instructs the router to prevent reflection of routes received from this neighbor back to this neighbor. This command is not useful in peer groups with multiple members.

strict-capability-match:

When set, enforces the comparison between the set of capabilities sent by the peer during negotiation and the set of capabilities present in the local configuration. If there is a mismatch, an error is transmitted to the peer.

timers keepalive <interval> holdtime <hold>:

Configures the interval between keepalive messages and how long to wait for a response from this neighbor before considering the peer unreachable. This overrides the default values set on the BGP server itself. Both values are in seconds and must be in the range 0-65535.

timers connect <seconds>:

The amount of time, in seconds from 1-65535, in which a connection to this peer must be established or else it is considered unsuccessful.

ttl-security hops <hops>:

Similar to ebgp-multihop but sets a specific hop count at which neighbors must be reached, rather than the maximum value set by ebgp-multihop. Setting this option automatically removes any existing value for ebgp-multihop.

update-source (<ifname>|<ip-address>):

Configures a specific interface or IP address to use when sending messages to this peer.

Note

Within BGP neighbor mode, the most important directives are remote-as to set the AS number of the neighbor and enable. The majority of other neighbor configuration is handled by the neighbor definition for a specific address family (BGP Address Family Neighbor Configuration).