General

IP Address
Enter the BGP neighbor IP address. This IP address is added to the BGP neighbor table.

Remote AS
Enter the autonomous system to which the BGP neighbor belongs.

Enable Address Family
(Optional) Enables communication with the BGP neighbor.

Shutdown neighbor administratively
(Optional) Disables a neighbor or peer group.

Configure Graceful Restart per neighbor (ASA 9.3.1+ only)
(Optional) Enables configuration of the Border Gateway Protocol (BGP) graceful restart capability for this neighbor. After selecting this option, you must use the Graceful Restart (Use in failover or spanned cluster mode) option to specify whether graceful restart should be enabled or disabled for this neighbor.

Graceful Restart (Use in failover or spanned cluster mode) (ASA 9.3.1+ only)
(Optional) Enables the Border Gateway Protocol (BGP) graceful restart capability for this neighbor.

Description
(Optional) Enter a description for the BGP neighbor.

fall-over BFD
(Optional) Enables BFD support for fall-over for the BGP neighbor.

BFD-Hop
(Optional) Specify whether there is a single IP hop or multiple IP hops between the BFD source and destination.
Filtering

Filter routes using an access list
(Optional) Enter or select the appropriate incoming or outgoing access control list used to distribute BGP neighbor information.

Filter routes using route map
(Optional) Enter or select the appropriate incoming or outgoing route maps to apply to incoming or outgoing routes.
Tip: Click Select to open the Route Map Object Selector, from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Filter routes using a Prefix list
(Optional) Enter or select the appropriate incoming or outgoing prefix list used to distribute BGP neighbor information.
Tip: Click Select to open the Prefix List Object Selector, from which you can select a prefix list object. You can also create new prefix list objects from the Prefix List Object Selector. For more information, see Add or Edit Prefix List Object Dialog Box.

Filter routes using AS Path filter
(Optional) Enter or select the appropriate incoming or outgoing AS path filter used to distribute BGP neighbor information.
Tip: Click Select to open the AS Path Object Selector, from which you can select an AS path object. You can also create new AS path objects from the AS Path Object Selector. For more information, see Add or Edit AS Path Object Dialog Boxes.

Limit the number of prefixes allowed from the neighbor
(Optional) Select to control the number of prefixes that can be received from a neighbor.
- Enter the maximum number of prefixes allowed from a specific neighbor in the Maximum Prefixes field.
- Enter the percentage (of the maximum) at which the router starts to generate a warning message in the Threshold Level field. Valid values are integers between 1 and 100. The default value is 75.
- (Optional) Check the Control prefixes received from the peer check box to specify additional controls for the prefixes received from a peer. Do one of the following:
  - Select Terminate peering when prefix limit is exceeded to stop the BGP neighbor when the prefix limit is exceeded. Specify the interval after which the BGP neighbor will restart in the Restart interval field.
  - Select Give only warning message when prefix limit is exceeded to generate a log message when the maximum prefix limit is exceeded. In this case the BGP neighbor is not terminated.
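The prefix-limit controls above combine three settings (a maximum, a warning threshold expressed as a percentage of that maximum, and a terminate-or-warn action). The following Python model is an added example written for this page, not ASA or Security Manager code; the class and field names are this example's own, and the constructed update batches show the warning firing at the threshold and the peering being torn down once the maximum is exceeded.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the "Limit the number of prefixes allowed from the
# neighbor" settings. Names are this example's own, not ASA/CSM identifiers.


@dataclass
class PrefixLimit:
    maximum: int                            # Maximum Prefixes field
    threshold_pct: int = 75                 # Threshold Level field (1-100), default 75
    terminate: bool = True                  # True: terminate peering; False: warning only
    restart_interval: Optional[int] = None  # Restart interval field (unit as configured in the GUI)

    def __post_init__(self) -> None:
        if self.maximum < 1:
            raise ValueError("Maximum Prefixes must be at least 1")
        if not 1 <= self.threshold_pct <= 100:
            raise ValueError("Threshold Level must be an integer between 1 and 100")

    @property
    def warning_point(self) -> int:
        """Smallest prefix count that reaches threshold_pct of the maximum.

        Integer ceiling, so maximum=10 with the default 75% warns at the 8th prefix.
        """
        return -(-self.maximum * self.threshold_pct // 100)


@dataclass
class NeighborSession:
    prefixes: int = 0
    warned: bool = False
    shutdown: bool = False
    restart_in: Optional[int] = None
    log: List[str] = field(default_factory=list)


def receive_update(session: NeighborSession, limit: PrefixLimit, new_prefixes: int) -> NeighborSession:
    """Apply one received UPDATE carrying new_prefixes routes to the session state."""
    if session.shutdown:
        session.log.append("update ignored: neighbor is down pending restart")
        return session
    session.prefixes += new_prefixes

    if session.prefixes > limit.maximum:
        # Limit exceeded: either tear the session down (and remember the
        # restart interval) or only log, depending on the configured action.
        if limit.terminate:
            session.shutdown = True
            session.restart_in = limit.restart_interval
            session.log.append(f"prefix limit {limit.maximum} exceeded: terminating peering")
        else:
            session.log.append(f"prefix limit {limit.maximum} exceeded: warning only, peering kept")
    elif session.prefixes >= limit.warning_point and not session.warned:
        # Threshold reached: one warning, session stays up.
        session.warned = True
        session.log.append(f"threshold {limit.threshold_pct}% reached: {session.prefixes}/{limit.maximum}")
    return session


def demo() -> List[str]:
    """Constructed run: batches of 4, 4 and 3 prefixes against a limit of 10."""
    limit = PrefixLimit(maximum=10, threshold_pct=75, terminate=True, restart_interval=5)
    session = NeighborSession()
    for batch in (4, 4, 3):
        receive_update(session, limit, batch)
    return session.log
```

Running `demo()` yields two log entries: the threshold warning after the eighth prefix and the termination after the eleventh. Setting `terminate=False` keeps the session up and logs instead, which is the "Give only warning message" behaviour.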
Routes

Advertisement Interval
Enter the minimum interval (in seconds) between the sending of BGP routing updates. Valid values are between 1 and 600.

Remove private AS numbers from outbound routing updates
(Optional) Excludes private AS numbers from being advertised in outbound routes.

Generate Default route
(Optional) Select to allow the local router to send the default route 0.0.0.0 to a neighbor for use as a default route. In the Route map field, enter or select the route map that allows the route 0.0.0.0 to be injected conditionally.
Tip: Click Select to open the Route Map Object Selector, from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Conditionally Advertised Routes
(Optional) To add or edit conditionally advertised routes, click the Add Row (+) button, or select a row in the table and click the Edit Row (pencil) button. In the Add/Edit Advertised Route dialog box, do the following:
Timers

Set timers for the BGP peer
(Optional) Select to set the keepalive frequency, hold time, and minimum hold time.

Keepalive Interval
Enter the frequency (in seconds) with which the ASA sends keepalive messages to the neighbor. Valid values are between 0 and 65535. The default value is 60 seconds.

Hold Time
Enter the interval (in seconds) without a received keepalive message after which the ASA declares the peer dead. Valid values are between 0 and 65535. The default value is 180 seconds.

Min Hold Time
(Optional) Enter the minimum interval (in seconds) without a received keepalive message after which the ASA declares the peer dead. Valid values are between 0 and 65535. The default value is 0 seconds.
Advanced

Enable Authentication
(Optional) Select to enable MD5 authentication on the TCP connection between two BGP peers.
The password is case-sensitive and can be up to 25 characters long when the service password-encryption command is enabled, and up to 81 characters long when it is not. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces.
Note: You cannot specify a password in the format number-space-anything. The space after the number can cause authentication to fail.
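The password rules quoted above are easy to get wrong in a change script, and the Note describes a case where the session simply fails to authenticate. The following checker is an added example written for this page (not an ASA or Security Manager API); it encodes only the constraints stated in the text: the two length limits, the leading-character rule, the alphanumeric-plus-space character set, and the number-space-anything pattern.

```python
import re
from typing import List

# Added example: pre-flight checks for the BGP MD5 authentication password
# rules stated on this page. Not ASA software; the ASA enforces its own rules.


def bgp_md5_password_problems(password: str, password_encryption_enabled: bool) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    # 25 characters with service password-encryption enabled, 81 without (from the page).
    max_len = 25 if password_encryption_enabled else 81
    if password == "":
        return ["password is empty"]
    if len(password) > max_len:
        state = "enabled" if password_encryption_enabled else "not enabled"
        problems.append(f"longer than {max_len} characters (service password-encryption {state})")
    if password[0].isdigit():
        problems.append("first character cannot be a number")
    if re.match(r"\d+ ", password):
        # The specific case called out in the Note: the space after the number
        # can make authentication fail, so it is flagged separately.
        problems.append("number-space-anything format is not allowed")
    bad = sorted({c for c in password if not ((c.isascii() and c.isalnum()) or c == " ")})
    if bad:
        problems.append("only alphanumeric characters and spaces are allowed; found " + repr("".join(bad)))
    return problems


def is_valid_bgp_md5_password(password: str, password_encryption_enabled: bool) -> bool:
    """Convenience wrapper; note the password is case-sensitive, so both peers must match exactly."""
    return not bgp_md5_password_problems(password, password_encryption_enabled)
```

Run the checker on both peers' intended strings before pushing the configuration; because MD5 passwords are case-sensitive, a mismatch in case on one side is indistinguishable on the wire from a wrong password.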
Send Community attribute to this neighbor
(Optional) Specifies that the communities attribute should be sent to the BGP neighbor.

Use ASA as next hop for neighbor
(Optional) Select to configure the router as the next hop for a BGP-speaking neighbor or peer group.

Disable connection verification
(Optional) Select to disable the connection verification process for eBGP peering sessions that are reachable by a single hop but are configured on a loopback interface or otherwise configured with a non-directly connected IP address.
This option is required only when the neighbor ebgp-multihop command is configured with a TTL value of 1. The address of the single-hop eBGP peer must be reachable. The neighbor update-source command must be configured to allow the BGP routing process to use the loopback interface for the peering session.
When deselected (the default), the BGP routing process verifies the connection of a single-hop eBGP peering session (TTL=254) to determine whether the eBGP peer is directly connected to the same network segment. If the peer is not directly connected to the same network segment, connection verification prevents the peering session from being established.

Allow connections with neighbor that is not directly connected
Select to accept and attempt BGP connections to external peers residing on networks that are not directly connected. (Optional) Enter the time-to-live in the TTL hops field. Valid values are between 1 and 255.
Note: This feature should be used only under the guidance of Cisco technical support staff. To prevent the creation of loops through oscillating routes, the multihop session will not be established if the only route to the multihop peer is the default route (0.0.0.0).
Limit number of TTL hops to neighbor
Select this option to secure a BGP peering session. Enter the maximum number of hops that separate the eBGP peers in the TTL hops field. Valid values are between 1 and 254.
This feature provides a lightweight security mechanism to protect BGP peering sessions from CPU utilization-based attacks. These attacks are typically brute-force Denial of Service (DoS) attacks that attempt to disable the network by flooding it with IP packets that contain forged source and destination IP addresses in the packet headers.
This feature leverages the designed behavior of IP packets by accepting only IP packets with a TTL count that is equal to or greater than the locally configured value. Accurately forging the TTL count in an IP packet is generally considered to be impossible. Accurately forging a packet to match the TTL count from a trusted peer is not possible without internal access to the source or destination network.
This feature should be configured on each participating router. It secures the BGP session in the incoming direction only and has no effect on outgoing IP packets or on the remote router. When this feature is enabled, BGP establishes or maintains a session only if the TTL value in the IP packet header is equal to or greater than the TTL value configured for the peering session. This feature has no other effect on the BGP peering session, and the peering session can still expire if keepalive packets are not received. If the TTL value in a received packet is less than the locally configured value, the packet is silently discarded and no Internet Control Message Protocol (ICMP) message is generated. This is designed behavior; a response to a forged packet is not necessary.
To maximize the effectiveness of this feature, the hop-count value should be configured to match exactly the number of hops between the local and external network. However, you should also take path variation into account when configuring this feature for a multihop peering session.
The following restrictions apply to the configuration of this option:
- This feature is not supported for internal BGP (iBGP) peers.
- The effectiveness of this feature is reduced in large-diameter multihop peerings. In the event of a CPU utilization-based attack against a BGP router that is configured for large-diameter peering, you may still need to shut down the affected peering sessions to handle the attack.
- This feature is not effective against attacks from a peer that has been compromised inside your network. This restriction also includes peers that are on the network segment between the source and destination network.
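The receive-side check described above is worth seeing as arithmetic: the TTL hops value is a hop count, and a packet is accepted only if its TTL is at least 255 minus that count, so a directly connected peer (hops = 1) must arrive with TTL 254 or 255. The following Python model is an added example for this page, not ASA code; the packet records and addresses are constructed, and the second run with a larger hop count illustrates the "large-diameter" restriction in the list above.

```python
from typing import Dict, List, Tuple

# Added example modelling the TTL-security (GTSM-style) receive check on this
# page. Not ASA software. Assumption stated in the lead-in: the configured
# value is a hop count and the minimum accepted TTL is 255 - hops.

MAX_TTL = 255                  # initial TTL used by a TTL-security speaker
MIN_HOPS, MAX_HOPS = 1, 254    # TTL hops field range given on this page


def minimum_accepted_ttl(configured_hops: int) -> int:
    """Lowest TTL a packet may carry and still be accepted for the session."""
    if not MIN_HOPS <= configured_hops <= MAX_HOPS:
        raise ValueError("TTL hops must be between 1 and 254")
    return MAX_TTL - configured_hops


def ttl_security_accepts(received_ttl: int, configured_hops: int) -> bool:
    """True if the packet passes the check; False means silent discard (no ICMP)."""
    if not 0 <= received_ttl <= MAX_TTL:
        raise ValueError("IPv4 TTL is an 8-bit field")
    return received_ttl >= minimum_accepted_ttl(configured_hops)


def filter_bgp_packets(packets: List[Dict[str, object]],
                       configured_hops: int) -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Split constructed packets into (accepted, dropped).

    Dropped packets receive no ICMP reply and do not touch session state; the
    only local record is the returned drop list, which is what a monitoring
    hook would count.
    """
    accepted: List[Dict[str, object]] = []
    dropped: List[Dict[str, object]] = []
    for pkt in packets:
        target = accepted if ttl_security_accepts(int(pkt["ttl"]), configured_hops) else dropped
        target.append(pkt)
    return accepted, dropped


# Constructed sample traffic toward the BGP port: one packet from the genuine
# directly connected peer, and two whose source address is forged to look like
# that peer but which crossed more routers (each hop decrements the TTL).
SAMPLE_PACKETS: List[Dict[str, object]] = [
    {"src": "192.0.2.1", "ttl": 254, "note": "genuine peer, one hop"},
    {"src": "192.0.2.1", "ttl": 250, "note": "forged source, five hops away"},
    {"src": "192.0.2.1", "ttl": 64, "note": "forged source, host default TTL 64"},
]


def demo(configured_hops: int = 1) -> Tuple[int, int]:
    """Return (accepted, dropped) counts for the sample traffic at a given hop count."""
    accepted, dropped = filter_bgp_packets(SAMPLE_PACKETS, configured_hops)
    return len(accepted), len(dropped)
```

With `demo(1)` only the genuine packet survives; with `demo(5)`, as for a five-hop multihop session, the minimum accepted TTL drops to 250 and the second forged packet is accepted too, which is the reduced effectiveness the page warns about for large-diameter peerings.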
Use TCP Path MTU Discovery
(Optional) Select to enable TCP path MTU discovery on the TCP transport session used by the BGP session.

TCP transport mode
Choose the TCP connection mode from the drop-down list. Options are Default, Active, or Passive.

Weight
(Optional) Enter a weight for the BGP neighbor connection.

BGP Version
Choose, from the drop-down list, the BGP version that the ASA will accept. The version can be set to 4-Only to force the software to use only Version 4 with the specified neighbor. The default is to use Version 4 and dynamically negotiate down to Version 2 if requested.
Migration
Note: This customization should only be used for AS migration, and should be removed after the transition has been completed. The procedure should be attempted only by an experienced network operator. Routing loops can be created through improper configuration.

Customize the AS number for routes received from the neighbor
(Optional) Select to customize the AS_PATH attribute for routes received from an eBGP neighbor.

Local AS Number
Enter the local autonomous system number. Valid values are any valid autonomous system number from 1 to 4294967295, or from 1.0 to 65535.65535.

Do not prepend local AS number to routes received from neighbor
(Optional) Select to prevent the local AS number from being prepended to any routes received from the eBGP peer.

Replace real AS number with local AS number in routes received from neighbor
(Optional) Select to replace the real autonomous system number with the local autonomous system number in the eBGP updates. The autonomous system number from the local BGP routing process is not prepended.

Accept either real AS number or local AS number in routes received from neighbor
(Optional) Configures the eBGP neighbor to establish a peering session using either the real autonomous system number (from the local BGP routing process) or the local autonomous system number.