BGP for Firepower Threat Defense

This section describes how to configure the Firepower Threat Defense to route data, perform authentication, and redistribute routing information using the Border Gateway Protocol (BGP).

About BGP

BGP is an inter- and intra-autonomous-system routing protocol. An autonomous system is a network or group of networks under a common administration and with common routing policies. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs).

Routing Table Changes

BGP neighbors exchange full routing information when the TCP connection between neighbors is first established. When changes to the routing table are detected, the BGP routers send to their neighbors only those routes that have changed. BGP routers do not send periodic routing updates, and BGP routing updates advertise only the optimal path to a destination network.


Note


AS loop detection is done by scanning the full AS path (as specified in the AS_PATH attribute) and checking that the AS number of the local system does not appear in it. By default, EBGP does not suppress learned routes when advertising them back to the peer they were learned from; the receiving peer discards them through its own AS_PATH loop check. This saves the device the CPU cycles of performing outbound loop checks and avoids delaying the existing outgoing update tasks.


Routes learned via BGP have properties that are used to determine the best route to a destination, when multiple paths exist to a particular destination. These properties are referred to as BGP attributes and are used in the route selection process:

  • Weight—This is a Cisco-defined attribute that is local to a router. The weight attribute is not advertised to neighboring routers. If the router learns about more than one route to the same destination, the route with the highest weight is preferred.

  • Local preference—The local preference attribute is used to select an exit point from the local AS. Unlike the weight attribute, the local preference attribute is propagated throughout the local AS. If there are multiple exit points from the AS, the exit point with the highest local preference attribute is used as an exit point for a specific route.

  • Multi-exit discriminator—The multi-exit discriminator (MED) or metric attribute is used as a suggestion to an external AS regarding the preferred route into the AS that is advertising the metric. It is referred to as a suggestion because the external AS that is receiving the MEDs may also be using other BGP attributes for route selection. The route with the lower MED metric is preferred.

  • Origin—The origin attribute indicates how BGP learned about a particular route. The origin attribute can have one of three possible values and is used in route selection.

    • IGP—The route is interior to the originating AS. This value is set when the network router configuration command is used to inject the route into BGP.

    • EGP—The route is learned via the Exterior Border Gateway Protocol (EBGP).

    • Incomplete—The origin of the route is unknown or learned in some other way. An origin of incomplete occurs when a route is redistributed into BGP.

  • AS_path—When a route advertisement passes through an autonomous system, the AS number is added to an ordered list of AS numbers that the route advertisement has traversed. Other attributes being equal, the route with the shortest AS_path list is preferred and installed in the IP routing table.

  • Next hop—The EBGP next-hop attribute is the IP address that is used to reach the advertising router. For EBGP peers, the next-hop address is the IP address of the connection between the peers. For IBGP, the EBGP next-hop address is carried into the local AS.

  • Community—The community attribute provides a way of grouping destinations, called communities, to which routing decisions (such as acceptance, preference, and redistribution) can be applied. Route maps are used to set the community attribute. The predefined community attributes are as follows:

    • no-export—Do not advertise this route to EBGP peers.

    • no-advertise—Do not advertise this route to any peer.

    • internet—Advertise this route to the Internet community; all routers in the network belong to it.

When to Use BGP

Customer networks, such as universities and corporations, usually employ an Interior Gateway Protocol (IGP) such as OSPF for the exchange of routing information within their networks. Customers connect to ISPs, and ISPs use BGP to exchange customer and ISP routes. When BGP is used between autonomous systems (AS), the protocol is referred to as External BGP (EBGP). If a service provider is using BGP to exchange routes within an AS, then the protocol is referred to as Interior BGP (IBGP).

BGP can also be used for carrying routing information for IPv6 prefix over IPv6 networks.

BGP Path Selection

BGP may receive multiple advertisements for the same route from different sources. BGP selects only one path as the best path. When this path is selected, BGP puts the selected path in the IP routing table and propagates the path to its neighbors. BGP uses the following criteria, in the order presented, to select a path for a destination:

  • If the path specifies a next hop that is inaccessible, drop the update.

  • Prefer the path with the largest weight.

  • If the weights are the same, prefer the path with the largest local preference.

  • If the local preferences are the same, prefer the path that was originated by BGP running on this router.

  • If no route was originated, prefer the route that has the shortest AS_path.

  • If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).

  • If the origin codes are the same, prefer the path with the lowest MED attribute.

  • If the paths have the same MED, prefer the external path over the internal path.

  • If the paths are still the same, prefer the path through the closest IGP neighbor.

  • Determine if multiple paths require installation in the routing table for BGP Multipath.

  • If both paths are external, prefer the path that was received first (the oldest one).

  • Prefer the path with the lowest IP address, as specified by the BGP router ID.

  • If the originator or router ID is the same for multiple paths, prefer the path with the minimum cluster list length.

  • Prefer the path that comes from the lowest neighbor address.

BGP Multipath

BGP Multipath allows installation into the IP routing table of multiple equal-cost BGP paths to the same destination prefix. Traffic to the destination prefix is then shared across all installed paths.

These paths are installed in the table together with the best path for load-sharing. BGP Multipath does not affect best-path selection. For example, a router still designates one of the paths as the best path, according to the algorithm, and advertises this best path to its BGP peers.

In order to be candidates for multipath, paths to the same destination need to have these characteristics equal to the best-path characteristics:

  • Weight

  • Local preference

  • AS-PATH length

  • Origin code

  • Multi Exit Discriminator (MED)

  • One of these:

    • Neighboring AS or sub-AS (before the addition of the BGP Multipaths)

    • AS-PATH (after the addition of the BGP Multipaths)

These are the additional requirements for external BGP (eBGP) multipath candidates:

  • The path should be learned from an external or confederation-external neighbor (eBGP).

  • The IGP metric to the BGP next hop should be equal to the best-path IGP metric.

These are the additional requirements for internal BGP (iBGP) multipath candidates:

  • The path should be learned from an internal neighbor (iBGP).

  • The IGP metric to the BGP next hop should be equal to the best-path IGP metric, unless the router is configured for unequal-cost iBGP multipath.

BGP inserts up to n most recently received paths from multipath candidates into the IP routing table, where n is the number of routes to install to the routing table, as specified when you configure BGP Multipath. The default value, when multipath is disabled, is 1.

For unequal-cost load balancing, you can also use BGP Link Bandwidth.


Note


The equivalent next-hop-self is performed on the best path that is selected among eBGP multipaths before it is forwarded to internal peers.


Requirements and Prerequisites for BGP

Model Support

FTD

FTDv

Supported Domains

Any

User Roles

Admin

Network Admin

Guidelines for BGP

Firewall Mode Guidelines

Does not support transparent firewall mode. BGP is supported only in routed mode.

IPv6 Guidelines

Supports IPv6. Graceful restart is not supported for IPv6 address family.

Virtual Router Guidelines

BGP IPv4 is supported on both the global and user-defined virtual routers. BGP IPv6 configuration is supported only on the global virtual router.

Additional Guidelines

  • The system does not add a route entry for the IP address received over PPPoE to the control plane (CP) route table. BGP always consults the CP route table when initiating the TCP session, so no TCP session is formed. Thus, BGP over PPPoE is not supported.

  • To avoid adjacency flaps caused by route updates being dropped when an update is larger than the minimum MTU on the link, configure the same MTU on the interfaces on both sides of the link.

  • BGP with Path MTU (PMTU) discovery can cause adjacency flaps if MTU discovery fails, especially with ECMP routing. Be cautious when combining BGP, PMTU discovery, and ECMP, because packet drops can occur if MTU discovery fails for any reason.

  • In a cluster, the BGP table of a member unit is not synchronized with the control unit's BGP table. Only the member unit's routing table is synchronized with the control unit's routing table.

Configure BGP

To configure BGP, see the following topics:

Procedure


Step 1

Configure BGP Basic Settings

Step 2

Configure BGP General Settings

Step 3

Configure BGP Neighbor Settings

Step 4

Configure BGP Aggregate Address Settings

Step 5

Configure BGPv4 Filtering Settings

Note

 

The Filtering section is applicable only to IPv4 settings

Step 6

Configure BGP Network Settings

Step 7

Configure BGP Redistribution Settings

Step 8

Configure BGP Route Injection Settings


Configure BGP Basic Settings

You can set many basic settings for BGP.

For a device using virtual routing, the basic settings described in this section must be configured in the BGP page under General Settings. For more information, see Modifications to FMC Web Interface - Routing Page.

Procedure


Step 1

Choose Devices > Device Management, and edit the Firepower Threat Defense device.

Step 2

Select Routing.

Step 3

(For a virtual-router-aware device) Under General Settings, click BGP.

Step 4

Select the Enable BGP check box to enable the BGP routing process.

Step 5

In the AS Number field, enter the autonomous system (AS) number for the BGP process. The AS number can be from 1 to 4294967295 (plain notation) or from 1.0 to 65535.65535 (dot notation). An AS number is a value assigned uniquely to each autonomous system on the Internet.

Step 6

(Optional) Edit the various BGP settings, starting with General. The defaults for these settings are appropriate in most cases, but you can adjust them to fit the needs of your network. Click Edit (pencil) to edit the settings in the group:

  1. In the Router ID drop-down list, select Automatic or Manual. If you choose Automatic, the highest IP address on the Firepower Threat Defense device is used as the router ID. To use a fixed router ID, choose Manual and enter an IPv4 address in the IP Address field. The default value is Automatic. For a virtual-router-aware device, you can override the router ID settings in the Virtual Routers > BGP page.

  2. Enter the maximum Number of AS numbers in AS_PATH attribute. The AS_PATH attribute is the sequence of AS numbers that a route advertisement has traversed between the source and destination routers. Routes whose AS_PATH contains more AS numbers than this limit are discarded. Valid values are between 1 and 254. The default value is None (no limit).

  3. Check the Log Neighbor Changes check box to enable logging of BGP neighbor changes (up or down) and resets. This helps in troubleshooting network connectivity problems and measuring network stability. This is enabled by default.

  4. Check the Use TCP Path MTU Discovery check box to use the Path MTU determining technique to determine the maximum transmission unit (MTU) size on the network path between two IP hosts. This avoids IP fragmentation. This is enabled by default.

  5. Check the Reset session upon Failover check box to reset the external BGP session immediately upon link failure. This is enabled by default.

  6. Check the Enforce that the first AS is peer’s AS for EBGP routes check box to discard incoming updates received from external BGP peers that do not list their AS number as the first segment in the AS_PATH attribute. This prevents a mis-configured or unauthorized peer from misdirecting traffic by advertising a route as if it was sourced from another autonomous system. This is enabled by default.

  7. Check the Use dot notation for AS number check box to split the full 4-byte AS number into two 16-bit words separated by a dot. AS numbers from 0 to 65535 are represented as decimal numbers, and AS numbers larger than 65535 are represented using the dot notation. This is disabled by default.

  8. Click OK.
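The three settings above that act on the AS_PATH (the AS_PATH length limit, enforce-first-AS, and dot notation), together with the AS loop detection described under Routing Table Changes, as an added worked example that is not Cisco or FMC code. It runs constructed UPDATEs from a made-up peer through the same checks in plain Python; the function names, the AS numbers 65000 and 65001, and the sample paths are this example's own, and the path is modelled as a single AS_SEQUENCE.

```python
"""Inbound eBGP AS_PATH checks and asdot conversion (added example, not FMC code)."""
from typing import Dict, List, Optional

MAX_ASN = 4294967295   # largest 4-byte AS number


def asplain_to_asdot(asn: int) -> str:
    """Dot notation: AS numbers above 65535 are shown as high.low, two 16-bit words."""
    if not 0 <= asn <= MAX_ASN:
        raise ValueError("AS number out of 32-bit range")
    return str(asn) if asn <= 65535 else f"{asn >> 16}.{asn & 0xFFFF}"


def asdot_to_asplain(text: str) -> int:
    """Accept either plain decimal or high.low and return the 32-bit AS number."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError("each half of a dotted AS number must fit in 16 bits")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= MAX_ASN:
        raise ValueError("AS number out of 32-bit range")
    return asn


def check_ebgp_as_path(as_path: List[int], peer_as: int, local_as: int,
                       enforce_first_as: bool = True,
                       maxas_limit: Optional[int] = None) -> Optional[str]:
    """Return None if the AS_PATH is acceptable, else the reason the UPDATE is discarded.

    as_path lists AS numbers nearest peer first. An empty path from an eBGP
    peer is treated as malformed."""
    if not as_path:
        return "empty AS_PATH from eBGP peer"
    # "Enforce that the first AS is peer's AS for EBGP routes": a peer must list
    # its own AS first, so it cannot pass off a route as sourced elsewhere.
    if enforce_first_as and as_path[0] != peer_as:
        return f"first AS {as_path[0]} is not the peer AS {peer_as}"
    # AS loop detection: our own AS anywhere in the path means the route has
    # already passed through us.
    if local_as in as_path:
        return f"AS loop: local AS {local_as} appears in AS_PATH"
    # "Number of AS numbers in AS_PATH attribute": longer paths are discarded.
    # None models the default (no limit).
    if maxas_limit is not None and len(as_path) > maxas_limit:
        return f"AS_PATH length {len(as_path)} exceeds the limit of {maxas_limit}"
    return None


LOCAL_AS = 65000   # constructed: the AS configured in the AS Number field
PEER_AS = 65001    # constructed: the neighbor's Remote AS

# Constructed UPDATEs received from PEER_AS, nearest AS first.
SAMPLE_UPDATES: Dict[str, List[int]] = {
    "legitimate": [65001, 65010, 65020],
    "first AS not the peer": [65010, 65020],          # peer left its own AS out
    "loop": [65001, 65000, 65010],                    # our AS is already in the path
    "too long": [65001] + list(range(65100, 65400)),  # 301 AS numbers
}


def evaluate_samples(maxas_limit: Optional[int] = 254) -> Dict[str, Optional[str]]:
    """Run every sample through the checks; a value of None means accepted."""
    return {name: check_ebgp_as_path(path, PEER_AS, LOCAL_AS, maxas_limit=maxas_limit)
            for name, path in SAMPLE_UPDATES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24s} -> {verdict or 'accepted'}")
    print("AS 65536 in dot notation:", asplain_to_asdot(65536))
```

Leaving enforce-first-AS enabled is the setting a practitioner wants: with it off, the second sample is accepted and a misconfigured or hostile peer can announce a route as if AS 65010 were directly adjacent.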

Step 7

(Optional) Edit the Best Path Selection section:

  1. Enter a value for Default Local Preference between 0 and 4294967295. The default value is 100. Higher values indicate higher preference. This preference is sent to all routers and access servers in the local autonomous system.

  2. Check the Allow comparing MED from different neighbors check box to allow the comparison of Multi Exit Discriminator (MED) for paths from neighbors in different autonomous systems. This is disabled by default.

  3. Check the Compare Router ID for identical EBGP paths check box to compare similar paths received from external BGP peers during the best path selection process and switch the best path to the route with the lowest router ID. This is disabled by default.

  4. Check the Pick the best MED path among paths advertised from the neighboring AS check box to enable MED comparison among paths learned from confederation peers. The comparison between MEDs is made only if there are no external autonomous systems in the path. This is disabled by default.

  5. Check the Treat missing MED as the least preferred one check box to consider the missing MED attribute as having a value of infinity, making the path the least desirable; therefore, a path with a missing MED is least preferred. This is disabled by default.

  6. Click OK.

Step 8

(Optional) Edit the Neighbor Timers section:

  1. In the Keepalive interval field, enter how often (in seconds) the Firepower Threat Defense device sends keepalive messages to its peers. The default value is 60 seconds.

  2. In the Hold time field, enter the interval (in seconds) after which a peer is declared dead if no keepalive or update message has been received from it. The default value is 180 seconds.

  3. (Optional) In the Min Hold time field, enter the minimum hold time (in seconds) that the device accepts from a peer; a peer that proposes a shorter hold time is refused. Specify a value from 0 to 65535.

    Note

     

    A hold time of less than 20 seconds increases the possibility of peer flapping.

  4. Click OK.

Step 9

(Optional) Edit the Graceful Restart section:

Note

 

This section is available only when the Firepower Threat Defense device is in failover or spanned cluster mode, so that no packets in the traffic flow are dropped when one of the devices in the failover setup fails.

  1. Check the Enable Graceful Restart checkbox to enable Firepower Threat Defense peers to avoid a routing flap following a switchover.

  2. Specify the time duration that Firepower Threat Defense peers will wait to delete stale routes before a BGP open message is received in the Restart Time field. The default value is 120 seconds. Valid values are between 1 and 3600 seconds.

  3. Enter the time duration that the Firepower Threat Defense will wait before deleting stale routes after an End-of-RIB (EOR) marker is received from the restarting Firepower Threat Defense in the Stalepath Time field. The default value is 360 seconds. Valid values are between 1 and 3600 seconds.

  4. Click OK.

Step 10

Click Save.

Step 11

To view the BGP basic settings, from the virtual routers drop-down, select the desired router, and then click BGP.

This page displays the basic settings that are configured in the Settings page. You can edit the router ID settings on this page.

Step 12

To edit the router ID settings, modify the IP address in the IP Address fields. The modified value overrides the router ID settings that were configured in the BGP page under General Settings.


Configure BGP General Settings

Configure Route maps, Administrative Route Distances, Synchronisation, Next-hop, and packet forwarding. The defaults for these settings are appropriate in most cases, but you can adjust them to fit the needs of your network.

Procedure


Step 1

On the Device Management page, click Routing.

Step 2

(For a virtual-router-aware device) From the virtual routers drop-down, select the virtual router for which you are configuring BGP.

Step 3

Choose BGP > IPv4 or IPv6.

Note

 

BGP configuration with IPv6 address family is not supported on a user-defined virtual router. Hence, if you select a user-defined virtual router, only IPv4 settings are available.

Step 4

Click General.

Step 5

In General, update the following sections:

  1. In the Settings section, enter or select a Route Map object and enter a Scanning Interval for BGP routers for next-hop validation. Valid values are from 5 to 60 seconds. The default value is 60. Click OK.

    Note

     

    The Route Map field is applicable only to IPv4 settings

  2. In the Routes and Synchronization section, update the following as required, and click OK:

    • (Optional) Generate Default Routes — Select this option to configure default-information originate.

    • (Optional) Summarize subnet routes into network-level routes— Select this to configure automatic summarization of subnet routes into network-level routes. This check box is applicable only to IPv4 settings.

    • (Optional) Advertise inactive routes— Select this to advertise routes that are not installed in the routing information base (RIB).

    • (Optional) Synchronise between BGP and IGP system— Select this to enable synchronization between BGP and your Interior Gateway Protocol (IGP) system. Usually, a BGP speaker does not advertise a route to an external neighbor unless that route is local or exists in the IGP. This feature allows routers and access servers within an autonomous system to have the route before BGP makes it available to other autonomous systems.

    • (Optional) Redistribute IBGP into IGP— Select this to configure iBGP redistribution into an interior gateway protocol (IGP), such as OSPF.

  3. In the Administrative Route Distances section, update the following as required, and click OK:

    • External — Enter the administrative distance for external BGP routes. Routes are external when learned from an external autonomous system. The range of values for this argument are from 1 to 255. The default value is 20.

    • Internal — Enter administrative distance for internal BGP routes. Routes are internal when learned from peer in the local autonomous system. The range of values for this argument are from 1 to 255. The default value is 200.

    • Local — Enter the administrative distance for local BGP routes. Local routes are those networks listed with a network router configuration command, often as back doors, for the router or for networks that are being redistributed from another process. The range of values for this argument is from 1 to 255. The default value is 200.

  4. In the Next Hop section, optionally select the Enable address tracking check box to enable BGP next hop address tracking and enter the Delay Interval between checks on updated next-hop routes installed in the routing table. Click OK.

    Note

     

    The Next Hop section is applicable only to IPv4 settings.

  5. In the Forward Packets over Multiple Paths section, update the following as required and click OK:

    • (Optional) Number of Paths — Specify the maximum number of Border Gateway Protocol routes that can be installed in a routing table. The range of values are from 1 to 8. The default value is 1.

    • (Optional) IBGP Number of Paths — Specify the maximum number of parallel internal Border Gateway Protocol (iBGP) routes that can be installed in a routing table. The range of values are from 1 to 8. The default value is 1.

Step 6

Click Save.


Configure BGP Neighbor Settings

A BGP router must connect with each of its peers before exchanging updates. These peers are called BGP neighbors. Use Neighbor to define BGP IPv4 or IPv6 neighbors and neighbor settings. If you have enabled virtual routing on the device, you can define only BGP IPv4 neighbors for a user-defined virtual router; for the global virtual router, you can define BGP IPv6 neighbors as well.

Procedure


Step 1

On the Device Management page, click Routing.

Step 2

(For a virtual-router-aware device) From the virtual routers drop-down, choose the virtual router for which you are configuring BGP.

Step 3

Choose BGP > IPv4 or IPv6.

Note

 
BGP configuration with IPv6 address family is not supported on a user-defined virtual router. Hence, if you select a user-defined virtual router, only IPv4 settings are available.

Step 4

Click Neighbor.

Step 5

Click Add to define BGP neighbors and neighbor settings.

Step 6

Enter the BGP neighbor IP address. This IP address is added to the BGP neighbor table.

Step 7

Choose the BGP neighbor Interface.

Note

 

The Interface field is only applicable to IPv6 settings. For a device using virtual routing, this field appears only for a global virtual router. Also, only the interfaces belonging to the router are listed in the drop-down.

Step 8

Enter the autonomous system to which the BGP neighbor belongs, in the Remote AS field.

Step 9

Select the Enabled address check box to enable communication with this BGP neighbor. Further neighbor settings will be configured only if the Enabled address check box is selected.

Step 10

(Optional) Select the Shutdown administratively check box to disable a neighbor or peer group.

Step 11

(Optional) Select the Configure graceful restart check box to enable configuration of the BGP graceful restart capability for this neighbor. After selecting this option, you must use the Graceful Restart (failover / spanned mode) option to specify whether graceful restart should be enabled or disabled for this neighbor.

Note

 

The graceful restart fields are only applicable to IPv4 settings.

Step 12

(Optional) Select the BFD Fallover check box to enable configuration of the BFD support for BGP. This selection registers the BGP neighbor to receive forwarding path detection failure messages from BFD.

Step 13

(Optional) Enter a Description for the BGP neighbor.

Step 14

(Optional) In Filtering Routes, use access lists, route maps, prefix lists and AS path filters as required, to distribute BGP Neighbor information. Update the following sections:

  1. Enter or Select the appropriate incoming or outgoing Access List to distribute BGP neighbor information.

    Note

     

    Access Lists are only applicable to IPv4 settings.

  2. Enter or Select the appropriate incoming or outgoing Route Maps to apply a route map to incoming or outgoing routes.

  3. Enter or Select the appropriate incoming or outgoing Prefix List to distribute BGP neighbor information.

  4. Enter or Select the appropriate incoming or outgoing AS path filter to distribute BGP neighbor information.

  5. Select the Limit the number of prefixes allowed from the neighbor check box to control the number of prefixes that can be received from a neighbor.

    • Enter the maximum number of prefixes allowed from a specific neighbor in the Maximum Prefixes field.

    • Enter the percentage (of maximum) at which the router starts to generate a warning message in the Threshold Level field. Valid values are integers between 1 and 100. The default value is 75.

  6. Select the Control prefixes received from the peer check box to specify additional controls for the prefixes received from a peer. Do one of the following:

    • Select Terminate peering when prefix limit is exceeded to stop the BGP neighbor when the prefix limit is reached. Specify the interval after which the BGP neighbor will restart in the Restart interval field.

    • Select Give only warning message when prefix limit is exceeded to generate a log message when the maximum prefix limit is exceeded. Here, the BGP neighbor will not be terminated.

  7. Click OK.

Step 15

(Optional) In Routes, specify miscellaneous Neighbor route parameter. Proceed to update the following:

  1. Enter the minimum interval (in seconds) between the sending of BGP routing updates in the Advertisement Interval field. Valid values are between 1 and 600.

  2. Select the Remove private AS numbers from outbound routing updates to exclude the private AS numbers from being advertised on outbound routes.

  3. Select the Generate default routes checkbox to allow the local router to send the default route 0.0.0.0 to a neighbor to use as a default route. Enter or Select the route map that allows the route 0.0.0.0 to be injected conditionally in the Route map field.

  4. To add conditionally advertised routes, click Add Row +. In the Add Advertised Route dialog box, do the following:

    1. Add or select a route map in the Advertise Map field, that will be advertised if the conditions of the exist map or the non-exist map are met.

    2. Select Exist Map and choose a route map from the Route Map Object Selector. This route map is compared with the routes in the BGP table, to determine whether the advertise map route is advertised.

    3. Select Non-Exist Map and choose a route map from the Route Map Object Selector. This route map is compared with the routes in the BGP table, to determine whether the advertise map route is advertised.

    4. Click OK.

Step 16

In Timers, select the Set Timers for the BGP Peer check box to set the keepalive frequency, hold time, and minimum hold time:

  • Keepalive Interval—Enter the frequency (in seconds) with which the Firepower Threat Defense device sends keepalive messages to the neighbor. Valid values are between 0 and 65535. The default value is 60 seconds.

  • Hold time—Enter the interval (in seconds) after not receiving a keepalive message that the Firepower Threat Defense device declares a peer dead. Valid values are between 0 and 65535. The default value is 180 seconds.

  • Min hold time—(Optional) Enter the minimum interval (in seconds) after not receiving a keepalive message that the Firepower Threat Defense device declares a peer dead. Valid values are between 0 and 65535. The default value is 0 seconds.

    Note

     

    A hold time of less than 20 seconds increases the possibility of peer flapping.
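How the keepalive, hold time and minimum hold time settings interact when a session is opened, as an added worked example that is not Cisco or FMC code. The model follows RFC 4271 section 4.2 (both sides run the smaller of the two proposed hold times, keepalives are sent no less often than a third of it) and the minimum hold time behaviour described above (a peer proposing less is refused). The function name, its return tuple and the scenario table are this example's own.

```python
"""BGP session timer negotiation (added example, not FMC code)."""
from typing import Dict, Tuple

Result = Tuple[bool, int, int, str]   # (accepted, hold time, keepalive, reason)


def negotiate_timers(local_keepalive: int, local_hold: int, peer_hold: int,
                     min_hold: int = 0) -> Result:
    """Work out the timers a session will run with, or why the OPEN is refused.

    local_keepalive and local_hold are the Keepalive Interval and Hold time,
    min_hold is the Min hold time (0 = not enforced) and peer_hold is the hold
    time the neighbor proposed in its OPEN message."""
    # RFC 4271: a hold time is either 0 (no keepalives at all) or at least 3 s.
    for side, value in (("local", local_hold), ("peer", peer_hold)):
        if value != 0 and value < 3:
            return (False, 0, 0, f"{side} hold time {value} s is below the RFC 4271 minimum of 3 s")
    # Min hold time: a peer proposing less than our minimum is refused, so it
    # cannot force short timers (and the resulting flaps) on this device.
    if min_hold and peer_hold < min_hold:
        return (False, 0, 0, f"peer hold time {peer_hold} s is below the configured minimum of {min_hold} s")
    # Both sides run the smaller of the two proposed hold times.
    negotiated_hold = min(local_hold, peer_hold)
    if negotiated_hold == 0:
        return (True, 0, 0, "hold time 0: no keepalives are exchanged")
    # Keepalives go out at the configured interval, but no less often than one
    # third of the negotiated hold time, or the peer would time the session out.
    keepalive = min(local_keepalive, negotiated_hold // 3)
    reason = "timers agreed"
    if negotiated_hold < 20:
        reason += " (hold time below 20 s increases the possibility of peer flapping)"
    return (True, negotiated_hold, keepalive, reason)


# Constructed scenarios: (our keepalive, our hold time, peer's proposed hold time, our min hold time)
SCENARIOS = {
    "defaults on both sides": (60, 180, 180, 0),
    "peer proposes faster timers": (60, 180, 30, 0),
    "peer proposes very short timers": (60, 180, 9, 0),
    "peer below our minimum": (60, 180, 30, 60),
    "peer disables keepalives": (60, 180, 0, 0),
}


def run_scenarios() -> Dict[str, Result]:
    return {name: negotiate_timers(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (ok, hold, keepalive, reason) in run_scenarios().items():
        state = f"hold {hold} s, keepalive {keepalive} s" if ok else "refused"
        print(f"{name:32s} -> {state}; {reason}")
```

The "peer proposes very short timers" scenario is the case the note above warns about: without a minimum hold time the device accepts a 9 second hold time and a 3 second keepalive, and a slightly lossy link will then flap the session.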

Step 17

In Advanced, update the following:

  1. (Optional) Select Enable Authentication to enable MD5 authentication on the TCP connection between the two BGP peers (the TCP MD5 signature option, RFC 2385). Each TCP segment carries a hash over the segment and the shared password, so an attacker who does not know the password cannot inject segments into the session or reset it with spoofed packets; the routing information itself is not encrypted.

    1. Choose an encryption type from the Enable Encryption drop-down list.

    2. Enter a password in the Password field. Reenter the password in the Confirm field. The password is case-sensitive and can be up to 25 characters long when the service password-encryption command is enabled and up to 81 characters long when the service password-encryption command is not enabled. The string can contain any alphanumeric characters, including spaces.

      Note

       

      You cannot specify a password in the format number-space-anything. The space after the number can cause authentication to fail.

  2. (Optional) Select the Send Community attribute to this neighbor check box to specify that community attributes should be sent to the BGP neighbor.

  3. (Optional) Select the Use FTD as next hop for this neighbor check box to configure the router as the next-hop for a BGP speaking neighbor or peer group.

  4. Select the Disable Connection Verification checkbox to disable the connection verification process for eBGP peering sessions that are reachable by a single hop but are configured on a loopback interface or otherwise configured with a non-directly connected IP address. When deselected (default), a BGP routing process will verify the connection of single-hop eBGP peering session (TTL=254) to determine if the eBGP peer is directly connected to the same network segment by default. If the peer is not directly connected to same network segment, connection verification will prevent the peering session from being established.

  5. Select Allow connections with neighbor that is not directly connected to accept and attempt BGP connections to external peers residing on networks that are not directly connected. (Optional) Enter the time-to-live in the TTL hops field. Valid values are between 1 and 255. Alternately, select Limited number of TTL hops to neighbor to secure the BGP peering session with the TTL security check: enter the maximum number of hops that separate the eBGP peers in the TTL hops field, and the device then accepts only packets whose TTL shows they originated within that many hops, which a remote attacker cannot forge. Valid values are between 1 and 254.

  6. (Optional) Select the Use TCP MTU path discovery check box to enable a TCP transport session for a BGP session.

  7. Choose the TCP connection mode from the TCP Transport Mode drop-down list. Options are Default, Active, or Passive.

  8. (Optional) Enter a Weight for the BGP neighbor connection.

  9. Select the BGP Version that the Firepower Threat Defense device will accept from the drop-down list. The version can be set to 4-Only to force the software to use only Version 4 with the specified neighbor. The default is to use Version 4 and dynamically negotiate down to Version 2 if requested.

Step 18

Update Migration, only if AS migration is considered.

Note

 

The AS migration customization should be removed after transition has been completed.

  1. (Optional) Select the Customize the AS number for routes received from the neighbor check box to customize the AS_PATH attribute for routes received from an eBGP neighbor.

  2. Enter the local autonomous system number in the Local AS number field. Valid values are any valid autonomous system number from 1 to 4294967295 or 1.0 to 65535.65535.

  3. (Optional) Select the Do not prepend local AS number to routes received from neighbor check box to prevent the local AS number from being prepended to any routes received from eBGP peer.

  4. (Optional) Select the Replace real AS number with local AS number in routes received from neighbor check box to replace the real autonomous system number with the local autonomous system number in the eBGP updates. The autonomous system number from the local BGP routing process is not prepended.

  5. (Optional) Select the Accept either real AS number or local AS number in routes received from neighbor check box to configure the eBGP neighbor to establish a peering session using the real autonomous system number (from the local BGP routing process) or by using the local autonomous system number.

Step 19

Click OK.

Step 20

Click Save.


Configure BGP Aggregate Address Settings

BGP neighbors store and exchange routing information and the amount of routing information increases as more BGP speakers are configured. Route aggregation is the process of combining the attributes of several different routes so that only a single route is advertised. Aggregate prefixes use the classless interdomain routing (CIDR) principle to combine contiguous networks into one classless set of IP addresses that can be summarized in routing tables. As a result fewer routes need to be advertised. Use the Add/Edit Aggregate Address dialog box to define the aggregation of specific routes into one route.

Procedure


Step 1

When editing a Firepower Threat Defense device, click Routing.

Step 2

(For a virtual-router-aware device) From the virtual routers drop-down, choose the virtual router for which you are configuring BGP.

Step 3

Choose BGP > IPv4 or IPv6.

Note

BGP configuration with IPv6 address family is not supported on a user-defined virtual router. Hence, if you select a user-defined virtual router, only IPv4 settings are available.

Step 4

Click Add Aggregate Address.

Step 5

Enter a value for the aggregate timer (in seconds) in the Aggregate Timer field. Valid values are 0 or any value between 6 and 60. The default value is 30.

Step 6

Click Add and update the Add Aggregate Address dialog:

  1. Network — Enter an IPv4 address or select the desired network/hosts objects.

  2. Attribute Map — (Optional) Enter or select the route map used to set the attribute of the aggregate route.

  3. Advertise Map — (Optional) Enter or select the route map used to select the routes to create AS_SET origin communities.

  4. Suppress Map — (Optional) Enter or select the route map used to select the routes to be suppressed.

  5. Generate AS set path Information — (Optional) Select the check box to enable generation of autonomous system set path information.

  6. Filter all routes from updates — (Optional) Select the check box to filter all more-specific routes from updates.

  7. Click OK.
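The added example below (not Cisco's code) models the aggregate-address fields in this dialog: which more-specific routes contribute to the aggregate, how "Generate AS set path Information" collects the contributing AS numbers into an AS_SET, and how "Filter all routes from updates" or a suppress map removes more-specifics from updates. The routing table and route maps (modelled as predicates) are constructed sample data.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Route = Dict[str, object]   # {"prefix": "10.1.0.0/24", "as_path": [65010]}
RouteMap = Callable[[Route], bool]

# Constructed sample BGP table; two routes fall inside 10.1.0.0/16, one does not.
SAMPLE_RIB: List[Route] = [
    {"prefix": "10.1.0.0/24", "as_path": [65010]},
    {"prefix": "10.1.1.0/24", "as_path": [65020, 65030]},
    {"prefix": "192.0.2.0/24", "as_path": [65040]},
]

def build_aggregate(aggregate: str, rib: List[Route], as_set: bool = False,
                    summary_only: bool = False,
                    suppress_map: Optional[RouteMap] = None,
                    advertise_map: Optional[RouteMap] = None,
                    ) -> Tuple[Optional[Route], List[Route]]:
    """Return (aggregate route or None, routes still advertised beside it)."""
    agg_net = ipaddress.ip_network(aggregate, strict=True)
    # Only more-specific prefixes inside the aggregate contribute to it.
    contributing = [r for r in rib
                    if ipaddress.ip_network(r["prefix"]).subnet_of(agg_net)
                    and ipaddress.ip_network(r["prefix"]) != agg_net]
    if not contributing:
        return None, list(rib)          # nothing to summarize: no aggregate is generated
    # Advertise map narrows which contributing routes build the AS_SET.
    sources = [r for r in contributing if advertise_map is None or advertise_map(r)]
    # AS_SET keeps every contributing AS (unordered) so remote loop detection still works;
    # without it the aggregate carries an empty path and ATOMIC_AGGREGATE is set.
    as_set_members = frozenset(asn for r in sources for asn in r["as_path"]) if as_set else frozenset()
    agg_route: Route = {"prefix": str(agg_net), "as_path": [],
                        "as_set": as_set_members, "atomic_aggregate": not as_set}
    advertised: List[Route] = []
    for r in rib:
        suppressed = r in contributing and (
            summary_only or (suppress_map is not None and suppress_map(r)))
        if not suppressed:
            advertised.append(r)
    return agg_route, advertised

if __name__ == "__main__":
    agg, adv = build_aggregate("10.1.0.0/16", SAMPLE_RIB, as_set=True, summary_only=True)
    print(agg)                               # aggregate with AS_SET {65010, 65020, 65030}
    print([r["prefix"] for r in adv])        # ['192.0.2.0/24']
```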


What to do next

Configure BGPv4 Filtering Settings

Filtering settings are used to filter routes or networks received in incoming BGP updates. Filtering is used to restrict routing information that the router learns or advertises.

Before you begin

Filtering is only applicable for a BGP IPv4 routing policy.

Procedure


Step 1

On the Device Management page, click Routing.

Step 2

(For a virtual-router-aware device) From the virtual routers drop-down, choose the virtual router for which you are configuring BGP.

Step 3

Choose BGP > IPv4.

Step 4

Click Filtering.

Step 5

Click Add and update the Add Filter dialog:

  1. Access List— Select an access control list that defines which networks are to be received and which are to be suppressed in routing updates.

  2. Direction— (Optional) Select a direction that specifies if the filter should be applied to inbound updates or outbound updates.

  3. Protocol— (Optional) Select the routing process for which you want to filter: None, BGP, Connected, OSPF, RIP, or Static.

  4. Process ID— (Optional) Enter the process ID for the OSPF routing protocol.

  5. Click OK.

Step 6

Click Save.


Configure BGP Network Settings

Network settings are used to add networks that will be advertised by the BGP routing process and route maps that will be examined to filter the networks to be advertised.

Procedure


Step 1

On the Device Management page, click Routing.

Step 2

(For a virtual-router-aware device) From the virtual routers drop-down, choose the virtual router for which you are configuring BGP.

Step 3

Choose BGP > IPv4 or IPv6.

Note

BGP configuration with IPv6 address family is not supported on a user-defined virtual router. Hence, if you select a user-defined virtual router, only IPv4 settings are available.

Step 4

Click Networks.

Step 5

Click Add and update the Add Networks dialog:

  1. Network— Enter the network to be advertised by the BGP routing processes.

  2. (Optional) Route Map— Enter or select a route map that should be examined to filter the networks to be advertised. If not specified, all networks are redistributed.

  3. Click OK.

Step 6

Click Save.


Configure BGP Redistribution Settings

Redistribution settings allow you to define the conditions for redistributing routes from another routing domain into BGP.

Procedure


Step 1

On the Device Management page, click Routing.

Step 2

(For a virtual-router-aware device) From the virtual routers drop-down, choose the virtual router for which you are configuring BGP.

Step 3

Choose BGP > IPv4 or IPv6.

Note

BGP configuration with IPv6 address family is not supported on a user-defined virtual router. Hence, if you select a user-defined virtual router, only IPv4 settings are available.

Step 4

Click Redistribution.

Step 5

Click Add and update the Add Redistribution dialog:

  1. Source Protocol— Select the protocol from which you want to redistribute routes into the BGP domain from the Source Protocol drop-down list.

    Note

    User-defined virtual routers do not support redistributing routes from RIP.

  2. Process ID— Enter the identifier for the selected source protocol. Applies to the OSPF protocol. For devices using virtual routing, this drop-down lists the process ID assigned for the virtual router for which you are configuring the BGP settings.

  3. Metric— (Optional) Enter a metric for the redistributed route.

  4. Route Map— Enter or select a route map that should be examined to filter the networks to be redistributed. If not specified, all networks are redistributed.

  5. Match— The conditions used for redistributing routes from one routing protocol to another. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions. These options are enabled only when OSPF is chosen as the Source Protocol.

    • Internal

    • External 1

    • External 2

    • NSSA External 1

    • NSSA External 2

  6. Click OK.


Configure BGP Route Injection Settings

Route Injection settings allow you to define the routes to be conditionally injected into the BGP routing table.

Procedure


Step 1

On the Device Management page, click Routing.

Step 2

(For a virtual-router-aware device) From the virtual routers drop-down, choose the virtual router for which you are configuring BGP.

Step 3

Choose BGP > IPv4 or IPv6.

Note

BGP configuration with IPv6 address family is not supported on a user-defined virtual router. Hence, if you select a user-defined virtual router, only IPv4 settings are available.

Step 4

Click Route Injection.

Step 5

Click Add and update the Add Route Injection dialog:

  1. Inject Map— Enter or select the route map that specifies the prefixes to inject into the local BGP routing table.

  2. Exist Map— Enter or select the route map containing the prefixes that the BGP speaker will track.

  3. Injected routes will inherit the attributes of the aggregate route— Select this to configure the injected route to inherit attributes of the aggregate route.

  4. Click OK.

Step 6

Click Save.