User manual SONICWALL SONICOS 5.6.5 BGP ADVANCED ROUTING

Manual abstract: user guide SONICWALL SONICOS 5.6.5 BGP ADVANCED ROUTING

[...]

BGP Advanced Routing in SonicOS

Document Scope

This document provides an overview of SonicWALL's implementation of Border Gateway Protocol (BGP), how BGP operates, and how to configure BGP for your network. This document contains the following sections:

· "Feature Overview"
    - "What is BGP?"
    - "Background Information"
    - "Autonomous Systems"
    - "Types of BGP Topologies"
    - "Why Use BGP?"
    - "How Does BGP Work?"
· "Caveats"
· "Licensing BGP"
· "Configuring BGP"
    - "IPSec Configuration for BGP"
    - "Basic BGP Configuration"
    - "BGP Path Selection Process"
    - "AS_PATH Prepending"
    - "Multiple Exit Discriminator (MED)"
    - "BGP Communities"
    - "Synchronization and Auto-Summary"
    - "Preventing an Accidental Transit AS"
    - "Using Multi-Homed BGP for Load Sharing"
· "Verifying BGP Configuration"
· "BGP Terms"

Feature Overview

The following sections provide an overview of BGP:

· "What is BGP?"
· "Background Information"
· "Autonomous Systems"
· "Types of BGP Topologies"
· "Why Use BGP?"
· "How Does BGP Work?"

What is BGP?

BGP is a large-scale routing protocol used to communicate routing information between Autonomous Systems (ASs), which are well-defined, separately administered network domains. BGP support allows SonicWALL security appliances to replace a traditional BGP router on the edge of a network's AS.

The current SonicWALL implementation of BGP is most appropriate for "single-provider / singly-homed" environments, where the network uses one ISP as its Internet provider and has a single connection to that provider.

[...]

When configuring BGP over IPSec, first configure the IPSec tunnel and verify connectivity over the tunnel before configuring BGP.

The following procedure shows a sample IPSec configuration between a SonicWALL and a remote BGP peer, where the SonicWALL is configured for 192.168.168.75/24 on the X0 network and the remote peer is configured for 192.168.168.35/24 on the X0 network.

1. Navigate to the VPN > Settings page and click the Add button under the VPN Policies section. The VPN Policies window displays.

2. In the Policy Type pulldown menu, make sure that Site to Site is selected.

   Note: A site-to-site VPN tunnel must be used for BGP over IPSec.

   In the IPsec Primary Gateway Name or Address field, enter the IP address of the remote peer (for this example it is 192.168.168.35).

   In the Local IKE ID field, enter the IP address of the SonicWALL (for this example it is 192.168.168.75).

   In the Peer IKE ID field, enter the IP address of the remote peer (192.168.168.35).

10. For the local network, select X0 IP from the Choose local network from list pulldown menu.

   For the remote network, select the remote peer's IP address from the Choose destination network from list pulldown menu, which is 192.168.168.35 for this example. If the remote IP address is not listed, select Create new address object to create an address object for the IP address.

13. You can either use the default IPSec proposals or customize them as you see fit.

14. Click OK.

The VPN policy is now configured on the SonicWALL appliance. Now complete the corresponding IPSec configuration on the remote peer. When that is complete, return to the VPN > Settings page and check the Enable checkbox for the VPN policy to initiate the IPSec tunnel.

Use the ping diagnostic on the SonicWALL to ping the BGP peer IP address and use Wireshark to ensure that the request and response are being encapsulated in ESP packets.

Note: As configured in this example, routed traffic will not go through the IPSec tunnel used for BGP. That traffic is sent and received in the clear, which is most likely the desired behavior since the goal is to secure BGP, not all the routed network traffic.

For more detailed information on configuring IPSec, see the VPN chapters in the SonicOS Enhanced Administrator's Guide.

Basic BGP Configuration

To configure BGP on a SonicWALL security appliance, perform the following tasks:

1. In the Routing Mode pulldown menu, select Advanced Routing.

   Note: The actual BGP configuration is performed using the SonicOS command line interface (CLI). For detailed information on how to connect to the SonicOS CLI, see the SonicOS Command-Line Interface Guide at: http://www.sonicwall.com/us/support/230_3623.html

3. You will now see the following prompt:

    ZebOS version 7.7.0 IPIRouter 7/2009
    ARS BGP>

6. Type show running-config to see the current BGP running configuration.

   When you have completed your configuration, type the write file command. If the unit is part of a High Availability pair or cluster, the configuration changes will be automatically conveyed to the other unit or units.

BGP Path Selection Process

The following attributes can be used to configure the BGP path selection process.

Attribute / Description

· Weight: Prefer routes learned from neighbors with the highest weight set.
· Local Preference
· Network or Aggregate paths: Prefer paths that were locally originated from the network and aggregate-address commands.
· AS_PATH
· Origin
· Multi Exit Discriminator (MED)
· Recency
· Router ID

[...]

Typically, you will not want to configure a SonicWALL security appliance as a transit peer.

Figure 4 Transit Peers vs. Non-Transit Peers

To prevent your appliance from inadvertently becoming a transit peer, you will want to configure inbound and outbound filters, such as the following:

Outbound Filters

Permit only routes originated from the local AS out

    ! ^$ matches an empty AS_PATH, that is, routes originated in the local AS
    ip as-path access-list 1 permit ^$
    router bgp 12345
     bgp router-id 10.50.165.233
     network 12.34.5.0/24
     neighbor 10.50.165.228 remote-as 7675
     neighbor 10.50.165.228 filter-list 1 out
     neighbor 172.1.1.2 remote-as 9999
     neighbor 172.1.1.2 filter-list 1 out

Permit only owned prefixes out

    ip prefix-list myPrefixes seq 5 permit 12.34.5.0/24
    ip prefix-list myPrefixes seq 10 permit 23.45.6.0/24
    router bgp 12345
     bgp router-id 10.50.165.233
     network 12.34.5.0/24
     network 23.45.6.0/24
     neighbor 10.50.165.228 remote-as 7675
     neighbor 172.1.1.2 remote-as 9999
     neighbor 10.50.165.228 prefix-list myPrefixes out
     neighbor 172.1.1.2 prefix-list myPrefixes out

Inbound Filters

Drop all owned and private inbound prefixes

    ! deny the owned prefixes and the private ranges, including more-specifics (le 32)
    ip prefix-list unwantedPrefixes seq 5 deny 12.34.5.0/24 le 32
    ip prefix-list unwantedPrefixes seq 10 deny 23.45.6.0/24 le 32
    ip prefix-list unwantedPrefixes seq 20 deny 10.0.0.0/8 le 32
    ip prefix-list unwantedPrefixes seq 21 deny 172.16.0.0/12 le 32
    ip prefix-list unwantedPrefixes seq 22 deny 192.168.0.0/16 le 32
    ! accept everything else
    ip prefix-list unwantedPrefixes seq 30 permit 0.0.0.0/0 le 32
    router bgp 12345
     bgp router-id 10.50.165.233
     network 12.34.5.0/24
     network 23.45.6.0/24
     neighbor 10.50.165.228 remote-as 7675
     neighbor 172.1.1.2 remote-as 9999
     neighbor 10.50.165.228 prefix-list unwantedPrefixes in
     neighbor 172.1.1.2 prefix-list unwantedPrefixes in

Using Multi-Homed BGP for Load Sharing

The following topology shows an example where a SonicWALL security appliance uses a multi-homed BGP network to load share between two ISPs.

Figure 5 Multi-Homed BGP for Load Sharing Topology

The SonicWALL security appliance is configured as follows:

    router bgp 12345
     bgp router-id 10.50.165.233
     network 12.34.5.0/24
     neighbor 10.50.165.228 remote-as 7675
     neighbor 10.50.165.228 route-map ISP1 out
     neighbor 172.1.1.2 remote-as 9999
     neighbor 172.1.1.2 route-map ISP2 out
    !
    route-map ISP1 permit 10
     match ip address 1
     set weight 100
    route-map ISP1 permit 20
     match ip address 2
    route-map ISP2 permit 10
     match ip address 1
    route-map ISP2 permit 20
     match ip address 2
     set weight 100
    access-list 1 permit 12.34.5.0/25
    access-list 2 deny 12.34.5.0/25
    access-list 2 permit any

Verifying BGP Configuration

The following sections describe methods to verify a BGP configuration:

· "Viewing BGP FIB and RIB routes"
· "Configuring BGP Logging"

Viewing BGP FIB and RIB routes

Figure 6 shows a basic BGP topology where a SonicWALL security appliance is configured for BGP to connect to two routers on two different ASs.

Figure 6 BGP Topology

The routes in the FIB for this network can be viewed either in the SonicOS GUI or by using the CLI.

Viewing FIB routes in the GUI

The BGP routes in the FIB can be viewed on the SonicOS GUI in the Routing Policies table on the Network > Routing page.

Viewing FIB Routes in the CLI

To view the FIB routes in the CLI, enter the following commands:

    NSA 2400> configure
    (config[NSA 2400])> route ars-nsm
    ZebOS version 7.7.0 IPIRouter 7/2009
    ARS NSM>show ip route
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default

    B    7.6.7.0/24 [20/0] via 10.50.165.228, X1, 05:08:31
    B    199.199.0/16 [20/0] via 10.50.165.237, X1, 05:08:31
    C    10.50.165.192/26 is directly connected, X1
    C    127.0.0.0/8 is directly connected, lo0
    C    12.34.5.0/24 is directly connected, X0

Viewing RIB Routes in the CLI

To view the RIB routes in the CLI, enter the show ip bgp command:

    ARS BGP>show ip bgp
    BGP table version is 98, local router ID is 10.50.165.233
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, l labeled
                  S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop         Metric LocPrf Weight Path
    *> 7.6.7.0/24       10.50.165.228         0             0 7675 i
    *> 12.34.5.0/24     0.0.0.0                      100  32768 i
    *> 199.199.0.0/16   10.50.165.228         0             0 7675 9999 i

    Total number of prefixes 3

Note: The last route is the path to AS9999 that was learned through AS7675.

Configuring BGP Logging

SonicWALL BGP offers a comprehensive selection of debug commands to display log events related to BGP traffic. [...]
