Sample BGP Routing Configuration File (FRR)
To use the BGP dynamic routing protocol with Fireware, you must type BGP configuration commands or import a configuration file on the Network > Dynamic Routing page. This topic includes a sample configuration file. To use this configuration file as a starting point for your BGP configuration, copy the text into a text editor application and edit the parameters to meet your business requirements.
In Fireware v12.9 or higher, Fireware uses the Free Range Routing (FRR) routing engine, which replaces Quagga. If your configuration includes Quagga commands for dynamic routing, those commands work after you upgrade. Some FRR commands appear in a different section than in Quagga.
For information about BGP requirements and how to configure BGP, go to Configure IPv4 and IPv6 Routing with BGP.
In Fireware v12.8.x or lower, Fireware uses the Quagga routing engine. For a sample routing configuration file for Fireware v12.8.x or lower, go to Sample BGP Routing Configuration File (Quagga). For a list of Quagga commands, go to BGP Commands (Quagga).
IPv4 Sample
This configuration sample shows how to configure some common IPv4 BGP commands that you might include in your BGP configuration in Fireware v12.9 or higher. Your configuration file might include other commands.
For descriptions of common commands, go to BGP Commands (FRR). For a complete list of FRR commands, go to the FRRouting User Guide.
If you add a new BGP configuration after you upgrade to Fireware v12.9, you must manually add these commands:
- To disable the requirement to add BGP filtering policies: no bgp ebgp-requires-policy
  If this setting is enabled and an inbound or outbound BGP policy does not exist for the eBGP session, the Firebox cannot learn or announce routes.
- To disable the import check setting: no bgp network import-check
  If this setting is enabled and the route for the network does not exist in IGP, the network is marked as invalid and is not advertised.
! SECTION 1
! Enable the BGP daemon and set local ASN to 100
router bgp 100
! The Firebox cannot learn or announce routes unless you add an inbound or outbound BGP policy for the eBGP session.
! To remove the policy requirement, enter the command 'no bgp ebgp-requires-policy'.
no bgp ebgp-requires-policy
! When import-check is enabled, if the route for the network does not exist in IGP, the network is marked as invalid and is not advertised.
no bgp network import-check
! Set neighbor (192.0.2.1) as member of remote ASN (200)
neighbor 192.0.2.1 remote-as 200
! Enable Bidirectional Forwarding Detection (BFD)
neighbor 192.0.2.1 bfd
! Set custom TCP port 189 to communicate with BGP neighbor (192.0.2.1). Default port is TCP 179
neighbor 192.0.2.1 port 189
! Set neighbor (203.0.113.1) on another network using EBGP multi-hop
neighbor 203.0.113.1 remote-as 300
neighbor 203.0.113.1 ebgp-multihop 255
! Set BGP version (4, 4-) for communication with a neighbor; default is 4
neighbor 192.0.2.1 version 4-
! Apply a route map on the specified neighbor for the direction in.
neighbor 203.0.113.1 route-map RPKI in
! SECTION 2
address-family ipv4 unicast
! Announce local network 10.2.0.0/24 to all neighbors defined in this configuration
network 10.2.0.0/24
! Redistribute static routes to BGP
redistribute static
! Redistribute rip routes to BGP
redistribute rip
! Redistribute ospf routes to BGP
redistribute ospf
! Announce default route to BGP neighbor (192.0.2.1)
neighbor 192.0.2.1 default-originate
! Set maximum number of prefixes allowed from this neighbor
neighbor 192.0.2.1 maximum-prefix NUMBER
! Set a default weight for neighbor (192.0.2.1) routes
neighbor 192.0.2.1 weight 1000
! Set distribute list and direction for peer
neighbor 192.0.2.1 distribute-list LISTNAME [in|out]
neighbor 192.0.2.1 prefix-list LISTNAME [in|out]
! To apply a route map to incoming or outgoing routes
neighbor 192.0.2.1 route-map MAPNAME [in|out]
! To match an autonomous system path access list to incoming or outgoing routes
neighbor 192.0.2.1 filter-list LISTNAME [in|out]
exit-address-family
exit
! SECTION 3
! Set access list
access-list NAME seq 5 deny 192.0.2.128/25
access-list NAME seq 10 permit 192.0.2.0/25
! SECTION 4
! Set prefix list
ip prefix-list PRELIST seq 5 permit 10.0.0.0/8
! SECTION 5
! Create a route map with the name MAPNAME and allow with a priority of 10
route-map MAPNAME permit 10
set community 7000:80
!
! Create a route map with the name RPKI. The deny entry with a priority of 10 removes invalid routes from the routing table, and the permit entry with a priority of 20 keeps valid routes.
route-map RPKI deny 10
match rpki invalid
!
route-map RPKI permit 20
match rpki valid
IPv6 Sample
This configuration sample shows how to configure some common IPv6 BGP commands that you might include in your BGP configuration in Fireware v12.9 or higher. Your configuration file might include other commands. For descriptions of common commands, go to BGP Commands (FRR). For a complete list of FRR commands, go to the FRRouting User Guide.
If you add a new BGP configuration after you upgrade to Fireware v12.9, you must manually add these commands:
- To disable the requirement to add BGP filtering policies: no bgp ebgp-requires-policy
  If this setting is enabled and an inbound or outbound BGP policy does not exist for the eBGP session, the Firebox cannot learn or announce routes.
- To disable the import check setting: no bgp network import-check
  If this setting is enabled and the route for the network does not exist in IGP, the network is marked as invalid and is not advertised.
! SECTION 1
! Enable the BGP daemon and set local ASN to 100
router bgp 100
! Set the router ID for BGP
bgp router-id 1.1.1.1
! The Firebox cannot learn or announce routes unless you add an inbound or outbound BGP policy for the eBGP session.
! To remove the policy requirement, enter the command 'no bgp ebgp-requires-policy'.
no bgp ebgp-requires-policy
! When import-check is enabled, if the route for the network does not exist in IGP, the network is marked as invalid in BGP routes and is not advertised. In FRR, import-check is enabled by default.
no bgp network import-check
! Set neighbor (2000::2) as member of remote ASN (200)
neighbor 2000::2 remote-as 200
! Enable Bidirectional Forwarding Detection (BFD)
neighbor 2000::2 bfd
! SECTION 2: Enter IPv6 Address Family command mode
address-family ipv6
! Announce local network 3344::/64 to all neighbors
network 3344::/64
! Redistribute static routes to BGP
redistribute static
! Redistribute ripng routes to BGP
redistribute ripng
! Redistribute ospfv3 routes to BGP
redistribute ospf6
! Activate neighbor 2000::2
neighbor 2000::2 activate
! Announce default route to BGP neighbor (2000::2)
neighbor 2000::2 default-originate
! To match an autonomous system path access list to incoming or outgoing routes
neighbor 2000::2 filter-list LISTNAME [in|out]
! To apply a route map to incoming or outgoing routes
neighbor 2000::2 route-map MAPNAME [in|out]
! Set distribute list and direction for peer
neighbor 2000::2 distribute-list LISTNAME [in|out]
! To apply a prefix list to be matched to incoming or outgoing advertisements to that neighbor
neighbor 2000::2 prefix-list PRELIST [in|out]
exit-address-family
exit
! SECTION 3: Announcement filtering
! Set access list
ipv6 access-list LISTNAME deny 4000::/64
ipv6 access-list LISTNAME permit 4000::/25
! SECTION 4: Set prefix list
ipv6 prefix-list PRELIST permit 3000::/64
! SECTION 5: Create a route map with name MAPNAME and allow with a priority of 10 (1-199)
route-map MAPNAME permit 10
match ipv6 address LISTNAME
exit
IPv4 and IPv6 Sample
This configuration sample shows how to configure some common IPv4 and IPv6 BGP commands that you might include in your BGP configuration in Fireware v12.9 or higher. Your configuration file might include other commands. For descriptions of common commands, go to BGP Commands (FRR). For a complete list of FRR commands, go to the FRRouting User Guide.
If you add a new BGP configuration after you upgrade to Fireware v12.9, you must manually add these commands:
- To disable the requirement to add BGP filtering policies: no bgp ebgp-requires-policy
  If this setting is enabled and an inbound or outbound BGP policy does not exist for the eBGP session, the Firebox cannot learn or announce routes.
- To disable the import check setting: no bgp network import-check
  If this setting is enabled and the route for the network does not exist in IGP, the network is marked as invalid and is not advertised.
! SECTION 1
router bgp 65534
bgp router-id 10.15.1.1
no bgp ebgp-requires-policy
no bgp network import-check
timers bgp 5 15
neighbor 172.16.255.2 remote-as 65535
neighbor 172.16.255.2 timers connect 5
neighbor fd00::25 remote-as 65535
neighbor fd00::25 timers connect 5
! SECTION 2
address-family ipv4
network 10.15.2.0/24
exit-address-family
! SECTION 3
address-family ipv6
! network 1500::0/64
neighbor fd00::25 activate
exit-address-family
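
A check for the policy setting described above, as an added example that is not part of the original page or of WatchGuard's tooling: once no bgp ebgp-requires-policy is set, nothing stops an eBGP neighbor from running with no route filters, so this Python function reads an FRR-style BGP configuration and reports eBGP neighbors that have no inbound or outbound policy or no maximum-prefix limit. The name audit_bgp and the abridged copy of the combined sample are assumptions made for the example, and a policy in any address family is treated as covering the neighbor.

```python
import re

# Constructed input: abridged copy of the combined IPv4/IPv6 sample on this page.
SAMPLE = """\
router bgp 65534
no bgp ebgp-requires-policy
neighbor 172.16.255.2 remote-as 65535
neighbor fd00::25 remote-as 65535
address-family ipv4
network 10.15.2.0/24
exit-address-family
address-family ipv6
neighbor fd00::25 activate
exit-address-family
"""

POLICY = re.compile(r"neighbor (\S+) (?:route-map|prefix-list|distribute-list|filter-list) \S+ (in|out)$")

def audit_bgp(config):
    """Return sorted findings for eBGP neighbors that run without route filters."""
    # Assumption taken from this page: the policy requirement is on unless disabled.
    local_as, required = None, True
    remote_as, policies, capped = {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank line or FRR comment
        if m := re.match(r"router bgp (\d+)", line):
            local_as = m.group(1)
        elif line == "no bgp ebgp-requires-policy":
            required = False
        elif m := re.match(r"neighbor (\S+) remote-as (\S+)", line):
            remote_as[m.group(1)] = m.group(2)
        elif m := POLICY.match(line):
            policies.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"neighbor (\S+) maximum-prefix \d+", line):
            capped.add(m.group(1))
    findings = []
    for peer, asn in remote_as.items():
        if asn in (local_as, "internal"):
            continue                      # iBGP neighbor, the eBGP policy rule does not apply
        for direction in ("in", "out"):
            if direction not in policies.get(peer, set()):
                state = "routes not exchanged" if required else "UNFILTERED"
                findings.append(f"{peer}: no {direction}bound policy ({state})")
        if peer not in capped:
            findings.append(f"{peer}: no maximum-prefix limit")
    return sorted(findings)
```

Call audit_bgp(SAMPLE) to get the six findings for the two neighbors in the combined sample; a configuration that applies a policy in each direction and a maximum-prefix value to every eBGP neighbor returns an empty list.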