This document provides an overview of SonicWALL’s implementation of Border Gateway Protocol (BGP),
how BGP operates, and how to configure BGP for your network.
This document contains the following sections:
• “Feature Overview” section on page 2
  – “What is BGP?” section on page 2
  – “Background Information” section on page 2
  – “Autonomous Systems” section on page 3
  – “Types of BGP Topologies” section on page 3
  – “Why Use BGP?” section on page 4
  – “How Does BGP Work?” section on page 4
• “Caveats” section on page 8
• “Licensing BGP” section on page 9
• “Configuring BGP” section on page 9
  – “IPSec Configuration for BGP” on page 9
  – “Basic BGP Configuration” on page 11
  – “BGP Path Selection Process” on page 12
  – “AS_PATH Prepending” on page 15
  – “Multiple Exit Discriminator (MED)” on page 15
  – “BGP Communities” on page 16
  – “Synchronization and Auto-Summary” on page 17
  – “Preventing an Accidental Transit AS” on page 17
  – “Using Multi-Homed BGP for Load Sharing” on page 18
• “Verifying BGP Configuration” section on page 19
• “BGP Terms” section on page 21
BGP Advanced Routing in SonicOS
Feature Overview
The following sections provide an overview of BGP:
• “What is BGP?” section on page 2
• “Background Information” section on page 2
• “Autonomous Systems” section on page 3
• “Types of BGP Topologies” section on page 3
• “Why Use BGP?” section on page 4
• “How Does BGP Work?” section on page 4
What is BGP?
BGP is a large-scale routing protocol used to communicate routing information between Autonomous
Systems (ASs), which are well-defined, separately administered network domains. BGP support allows
SonicWALL security appliances to replace a traditional BGP router on the edge of a network's AS. The
current SonicWALL implementation of BGP is most appropriate for "single-provider / singly-homed"
environments, where the network uses one ISP as its Internet provider and has a single connection to that
provider. SonicWALL BGP is also capable of supporting "single-provider / multi-homed" environments,
where the network uses a single ISP but has a small number of separate routes to the provider. BGP is
configured through the SonicOS Command Line Interface (CLI).
Background Information
Routing protocols are not just packets transmitted over a network, but comprise all the mechanisms by
which individual routers, and groups of routers, discover, organize, and communicate network topologies.
Routing protocols use distributed algorithms that depend on each participant following the protocol as it is
specified, and are most useful when routes within a network domain dynamically change as links between
network nodes change state.
Routing protocols typically interact with two databases:
• Routing Information Base (RIB) - Used to store all the route information required by the routing
protocols themselves.
• Forwarding Information Base (FIB) - Used for actual packet forwarding.
The best routes chosen from the RIB are used to populate the FIB. Both the RIB and FIB change
dynamically as routing updates are received by each routing protocol, or connectivity on the device changes.
There are two basic classes of routing protocols:
• Interior Gateway Protocols (IGPs) - Interior Gateway Protocols are routing protocols designed to
communicate routes within the networks that exist inside of an AS. There are two generations of IGPs.
The first generation consists of distance-vector protocols. The second generation consists of link-state
protocols. The distance-vector protocols are relatively simple, but have issues when scaled to a large
number of routers. The link-state protocols are more complex, but have better scaling capability. The
existing distance-vector protocols are Interior Gateway Routing Protocol (IGRP), Enhanced Interior
Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP), and RIPv2, an enhanced
version of RIP. IGRP and EIGRP are proprietary Cisco protocols. The link-state protocols currently in
use are Open Shortest Path First (OSPF) and the little-used Intermediate System to Intermediate
System (IS-IS) protocol.
SonicOS supports the OSPFv2 and RIPv1/v2 protocols, the two most common Interior Gateway
Protocols, allowing our customers to use our products in their IGP networks and avoid the additional
cost of a separate traditional router.
• Exterior Gateway Protocols (EGPs) - The standard, ubiquitous Exterior Gateway Protocol is BGP
(BGP4, to be exact). BGP is a large-scale routing protocol that communicates routing information and
policy between well-defined network domains called Autonomous Systems (ASs). An Autonomous
System is a separately administered network domain, independent of other Autonomous Systems. BGP
is used to convey routes and route policy between Autonomous Systems. ISPs commonly use BGP to
convey routes and route policy with their customers as well as with other ISPs.
As our products evolve in support of enterprise-level requirements, some customers may want to place
our products on the edge of their AS in place of a traditional BGP router. To support these topologies,
BGP has been added beginning in SonicOS 5.6.5.
Autonomous Systems
Each Autonomous System has a 16-bit number assigned. Like IP addresses, an AS number may be public
or private. Public AS numbers are a limited resource and are provisioned based on a number of factors. ISP
customers with large networks multi-homed to two or more ISPs usually have a public AS, whereas smaller
customers will be given a private AS administered by their ISP provider.
Types of BGP Topologies
BGP is a very flexible and complex routing protocol. As such, BGP routers may be placed in a large variety
of topology settings, such as Internet core routers, intermediary ISP routers, ISP Customer Premises
Equipment (CPE), or routers in small private BGP networks. The number of BGP routes required for
different topologies varies from greater than 300,000 for core routers, to 0 for ISP customers that use a
single ISP and use default routing for all destinations outside of their AS. ISP customers are often required
to run BGP from their edge router (the CPE) to the ISP regardless of the number of routes they receive
from the ISP. This allows ISP customers to control which networks to advertise to the outside world. There's
always the fear that a customer will advertise a network, or network aggregate, not owned by the customer,
black-holing Internet traffic to those networks. In reality, ISPs are careful to filter invalid
advertisements from their customers (one of BGP's strengths), so this rarely happens.
There are three basic scales of BGP networks:
• Single-Provider / Singly-Homed - The network receives a single route (singly-homed) from a single
ISP (single-provider). The number of routes an ISP customer receives from its ISP depends on the
nature of its AS. An ISP customer that uses only one ISP as their Internet provider, and has a single
connection to that provider (single-provider / singly-homed) has no need to receive any routes - all
traffic destined outside of the AS will go to their ISP. These customers may still advertise some or all
of their inside network to the ISP.
• Single-Provider / Multi-Homed - The network receives multiple routes (multi-homed) from a single
ISP (single-provider). ISP customers that use a single ISP, but have multiple connections to their ISP
may only receive the default route (0.0.0.0/0) at each ISP gateway. If an ISP connection goes down, the
advertised default route sent from the connected CPE router to internal routers would be withdrawn,
and Internet traffic would then flow to a CPE router that has connectivity to the ISP. The customer's
inside network would also be advertised to the ISP at each CPE router gateway, allowing the ISP to use
alternate paths should a particular connection to a customer go down.
• Multi-Provider / Multi-Homed - ISP customers that use more than one ISP (multi-provider /
multi-homed) have one or more separate gateway routers for each ISP. In this case, the customer's AS
must be a public AS, and may either be a transit or non-transit AS. A transit AS will receive and forward
traffic from one ISP destined for a network reachable through another ISP (the traffic destination is
not in the customer's AS). A non-transit AS should only receive traffic destined for its AS - all other
traffic would be dropped. BGP routers in a transit AS would often receive a large portion (in many
cases, all) of the full BGP route table from each ISP.
Why Use BGP?
• Even if you are not a large network on the internet, BGP is the standard for multi-homing,
load-balancing, and redundancy:
  – Single-provider / Singly-homed – Not typically a strong candidate for BGP, but may still use it to
advertise networks to the ISP. Singly-homed networks are not eligible for a public AS from RIRs.
  – Single-provider / Multi-homed – Common to follow the RFC2270 suggestion to use a single private
AS (64512 to 65535) to get the benefit of BGP while preserving public ASNs.
  – Multi-provider / Multi-homed – Highly redundant, typically with dedicated routers to each ISP.
Requires a public ASN. Large memory footprint.
• Route summarization makes routing scalable.
How Does BGP Work?
BGP uses TCP port 179 for communication. BGP is considered a path-vector protocol, containing
end-to-end path descriptions for destinations. BGP neighbors can either be internal (iBGP) or external
(eBGP):
• iBGP – Neighbor is in the same AS.
• eBGP – Neighbor is in a different AS.
Paths are advertised in UPDATE messages that are tagged with various path attributes. AS_PATH and
NEXT_HOP are the two most important attributes that describe the path of a route in a BGP update
message.
• AS_PATH: Indicates the ASs that the route is traveling from and to. In the example below, the
AS_PATH is from AS 7675 to AS 12345. For internal BGP, the AS_PATH specifies the same AS for
both the source and destination.
• NEXT_HOP: Indicates the IP address of the next router the path travels to. Paths advertised across
AS boundaries inherit the NEXT_HOP address of the boundary router. BGP relies on interior routing
protocols to reach NEXT_HOP addresses.
BGP Finite State Machine
RFC 1771, which defines BGP, describes the operation of BGP in terms of the following state machine. The
table following the diagram provides additional information on the various states.
Figure 1 BGP Finite State Machine
State – Description
Idle – Waiting for Start event, after establishing a new BGP session or resetting an existing
session. In the event of errors, falls back to the Idle state. After a Start event, BGP
initializes, resets the connect retry timer, initiates the TCP transport connection, and listens for
connections.
Connect – Once the TCP layer is up, transition to OpenSent, and send OPEN. If no TCP, transition
to Active. If the connect retry timer expires, remain in Connect, reset the timer, and
initiate a transport connection. Otherwise, transition back to Idle.
Active – Try to establish a TCP connection with the peer. If successful, transition to OpenSent and send
OPEN. If connect retry expires, restart the timer and fall back to the Connect state. Also
actively listen for connection by another peer. Go back to Idle in case of other events.
  • Connect to Active flapping indicates a TCP transport problem, e.g. TCP
retransmissions or unreachability of a peer.
OpenSent – Waiting for OPEN message from peer. Validate on receipt. On validation failure, send
NOTIFICATION and go to Idle. On success, send KEEPALIVE and reset the keepalive
timer. Negotiate hold time, smaller value wins. If zero, hold timer and keepalive timer are
not restarted.
OpenConfirm – Wait for KEEPALIVE or NOTIFICATION. If KEEPALIVE is received, transition to
Established. If UPDATE or KEEPALIVE is received, restart the hold timer (unless the
negotiated hold time is zero). If NOTIFICATION is received, transition to Idle.
  • Periodic KEEPALIVE messages are sent. If the TCP layer breaks, transition to Idle. If
an error occurs, send a NOTIFICATION with error code, transition to Idle.
Established – Session up, exchange updates with peers. If a NOTIFICATION is received, transition to
Idle. Updates are checked for errors. On error, send NOTIFICATION, and transition to
Idle. In case of hold time expiration, disconnect TCP.
BGP Messages
BGP communication includes the following types of messages:
• Open – The first message between BGP peers after TCP session establishment. Contains the necessary
information to establish a peering session, e.g. ASN, hold time, and capabilities such as multi-protocol
extensions and route-refresh.
• Update – These messages contain path information, such as route announcements or withdrawals.
• Keepalive – Periodic messages to keep the TCP layer up, and to advertise liveness.
• Notification – A request to terminate the BGP session. Non-fatal notifications contain the error code
“cease”. Subcodes provide further detail:
Subcode – Description
1 – Maximum number of prefixes reached: The configured “neighbor maximum-prefix” value
was exceeded
2 – Administratively shutdown: Session was administratively shut down
3 – Peer unconfigured: Peer configuration has been removed
4 – Administratively reset: Session was administratively reset
5 – Connection rejected: Rejection (sometimes temporary) of BGP session
6 – Other configuration change: Session was administratively reset for some reason
• Route-refresh – A request for the peer to resend its routes.
BGP Attributes
BGP update messages can include the following attributes:
Value  Code
1      ORIGIN
2      AS_PATH
3      NEXT_HOP
4      MULTI_EXIT_DISC
5      LOCAL_PREF
6      ATOMIC_AGGREGATE
7      AGGREGATOR
8      COMMUNITY
9      ORIGINATOR_ID
10     CLUSTER_LIST
11     DPA
12     ADVERTISER (Historic)
13     RCID_PATH / CLUSTER_ID (Historic)
14     MP_REACH_NLRI
15     MP_UNREACH_NLRI
16     EXTENDED COMMUNITIES
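To make the attribute type codes and the AS_PATH / NEXT_HOP description above concrete, the following Python parser (an added example, not SonicWALL code) decodes the path-attribute and NLRI sections of a BGP UPDATE body using those codes, with the 16-bit AS numbers this document describes. The sample message bytes are constructed for illustration, using the AS 7675 to AS 12345 path from the text.

```python
import struct
from ipaddress import IPv4Address, IPv4Network
# Type codes from the attribute table above (subset decoded here); 0x10 = extended-length flag bit
ORIGIN, AS_PATH, NEXT_HOP, MULTI_EXIT_DISC, LOCAL_PREF, EXTENDED_LENGTH = 1, 2, 3, 4, 5, 0x10
ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}

def parse_as_path(value):
    """Decode AS_PATH segments carrying 2-byte (16-bit) AS numbers."""
    segments, pos = [], 0
    while pos < len(value):
        seg_type, count = value[pos], value[pos + 1]
        asns = list(struct.unpack("!%dH" % count, value[pos + 2:pos + 2 + 2 * count]))
        segments.append(("AS_SET" if seg_type == 1 else "AS_SEQUENCE", asns))
        pos += 2 + 2 * count
    return segments

def parse_update(body):
    """Parse an UPDATE body (after the 19-byte header): returns (attributes dict, NLRI list)."""
    withdrawn_len = struct.unpack("!H", body[:2])[0]
    pos = 2 + withdrawn_len  # withdrawn routes are skipped in this example
    attr_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end, attrs = pos + 2, pos + 2 + attr_len, {}
    while pos < end:
        flags, code = body[pos], body[pos + 1]
        if flags & EXTENDED_LENGTH:
            length, pos = struct.unpack("!H", body[pos + 2:pos + 4])[0], pos + 4
        else:
            length, pos = body[pos + 2], pos + 3
        value, pos = body[pos:pos + length], pos + length
        if code == ORIGIN:
            attrs["ORIGIN"] = ORIGIN_NAMES.get(value[0], "unknown")
        elif code == AS_PATH:
            attrs["AS_PATH"] = parse_as_path(value)
        elif code == NEXT_HOP:
            attrs["NEXT_HOP"] = str(IPv4Address(value))
        elif code in (MULTI_EXIT_DISC, LOCAL_PREF):
            attrs["MED" if code == MULTI_EXIT_DISC else "LOCAL_PREF"] = struct.unpack("!I", value)[0]
    nlri = []  # each NLRI entry: 1-byte prefix length, then just enough prefix octets
    while pos < len(body):
        plen, nbytes = body[pos], (body[pos] + 7) // 8
        octets = body[pos + 1:pos + 1 + nbytes] + b"\0" * (4 - nbytes)
        nlri.append(str(IPv4Network((octets, plen))))
        pos += 1 + nbytes
    return attrs, nlri

SAMPLE = bytes([0x00, 0x00, 0x00, 0x1B,                    # constructed sample: no withdrawn routes, 27 attr bytes
    0x40, 0x01, 0x01, 0x00,                                # ORIGIN = IGP
    0x40, 0x02, 0x06, 0x02, 0x02, 0x1D, 0xFB, 0x30, 0x39,  # AS_PATH: AS_SEQUENCE [7675, 12345]
    0x40, 0x03, 0x04, 0xC0, 0x00, 0x02, 0x01,              # NEXT_HOP 192.0.2.1
    0x80, 0x04, 0x04, 0x00, 0x00, 0x00, 0x32,              # MULTI_EXIT_DISC = 50
    0x18, 0xCB, 0x00, 0x71])                               # NLRI 203.0.113.0/24
```

Peers that negotiate 4-octet AS numbers carry 4-byte ASNs in AS_PATH, which this 16-bit parser does not handle.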