It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure BGP Router Setup with Optional BFD

  • Last updated on

Requirements

  • Request your own or use a unique ARIN-registered autonomous system (AS) number for your BGP site.
  • Know the AS numbers of BGP sites to be connected.
  • Create an OSPF/RIP/BGP service on the Barracuda CloudGen Firewall.

Step 1. Configure Basic Settings

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
  2. Enable BGP. (If you are not using OSPF and RIP, disable them.)
  3. From the Operation Mode drop-down field, select one of the following options according to your requirements:
    • advertise-only – Networks are only advertised.
    • learn-only – Only networks on the interfaces that are configured for OSPF/RIP/BGP are propagated; learned routes from other systems are still advertised.
    • advertise-learn – Networks are learned and propagated.
  4. In the Hostname field, enter the hostname of the BGP router.
  5. In the Router ID field, enter the IP address of the BGP router. You can enter any address from your ARIN range. Usually, the first or last IP address in the subnet is used.

    You must also add this IP address as a shared IP address in Network > IP Configuration on the Barracuda CloudGen Firewall, as described later in Step 6 of the configuration.

  6. Click Send Changes and Activate.

Step 2. Configure Operational Settings

In the settings for network routes that should be propagated by the BGP router, make sure that you enable the Advertise Route setting. See How to Configure Directly Attached Routes or How to Configure Gateway Routes.

  1. On the OSPF/RIP/BGP Settings page, click BGP Router Setup from the Configuration menu in the left navigation pane.
  2. In the AS Number field, enter the AS number that you received from the ARIN. (This is the number of the autonomous system that the BGP router belongs to.)
  3. In the Terminal Password field, specify the password for the connection to the BGP routing daemon through the command-line interface.

    The password can consist of small and capital characters, numbers, and non-alpha-numeric symbols, except the hash sign (#).

  4. In the Networks table, add an entry for the ARIN network and any other network that you want to advertise.
    1. Enter a name for the network and click OK. The Network window opens.
    2. In the Network Prefix field, enter the network and subnet mask in CIDR notation for the autonomous system of the BGP router.
    3. Click OK.
  5. In the Route Distribution Configuration section, enable the network route types to be redistributed by this BGP router according to your requirements. You can enable the following network routes:
    • Connected Routes – Network routes of directly attached networks will be redistributed.
    • RIP Routes – Network routes learned by the RIP router will be redistributed.
    • OSPF Routes – Network routes learned by the OSPF router will be redistributed.
  6. Click Send Changes and Activate.

Step 3. Configure BGP Preferences

In most cases, the default BGP preferences are sufficient and do not have to be configured. If you want, you can configure more detailed logging, special routing tables, and multipath handling.

  1. On the OSPF/RIP/BGP Settings page, click BGP Preferences from the Configuration menu in the left navigation pane.
  2. Specify the logging details according to your requirements.
  3. Click Send Changes and Activate.

Step 4. Add an IP Prefix Filter

  1. On the OSPF/RIP/BGP Settings page, click Filter Setup IPv4 from the Configuration menu in the left navigation pane.

    The Barracuda CloudGen Firewall also provides this configuration area for IPv6 addresses. When using IPv6, specify all settings described in the sections designated for IPv6. Note that IPv6 must also be enabled in FRR. For general information on the implementation of IPv6 on the Barracuda CloudGen Firewall, see IPv6.

  2. In the IPv4 Prefix Filter table, add an entry for the IP prefix filter. Enter a descriptive name, for example ARIN, and then click OK.
  3. In the IPv4 Prefix Filter configuration, enter an optional description. For example, ARIN Range.
  4. In the Sequence Number section, click + to add a sequence number configuration and specify a unique identifier number for the prefix list item in the Sequence Number field. For example, 01.
  5. In the Network Prefix field, enter the network IP range that you received from the ARIN (in this example: 198.200.200.0/24). Then click OK.
  6. Click OK.
  7. Click Send Changes and Activate.

Step 5. Configure Neighbor Settings

Before you configure the neighbor settings, the network for each provider that participates in BGP routing must be configured properly. Obtain and carefully verify the default gateway IP address for each provider.

You must start configuring the neighbor settings on the provider side only after you have completed the previous sections for enabling BGP, configuring the BGP router, and adding an IP prefix filter. Otherwise, the BGP routing infrastructure will dampen any ICMP request and response, and the BGP service will have to be restarted on the ISP side. This ping dampening will occur whenever the BGP service goes up and down numerous times over a small period of time.

  1. On the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4 from the Configuration menu in the left navigation pane.
  2. In the Neighbors table, add an entry for each provider network:
    1. Enter a descriptive name for the network and then click OK. The Neighbors window opens.
    2. In the Neighbor IP field, enter the default gateway IP address of the existing provider.
    3. From the Enable BGP Routing Protocol Usage list, select yes.
    4. In the BGP Parameters section, enter the BGP AS number of the ISP. (Do not enter the customer AS number that was specified in the BGP router settings.)
    5. In the Neighbor Password field, enter the password that should be used to connect to the neighbor peer.

      The password can consist of small and capital characters, numbers, and non-alpha-numeric symbols, except the hash sign (#).

    6. Select yes from the Update Source drop-down list to enable the Update Source Interface setting.
    7. In the Update Source Interface field, enter an IP address from your network that should be used for the BGP session to this neighbor.

      If you only advertise the ARIN route to go to providers (and not the network IP ranges or the ranges of other ISPs), it is highly recommended that you configure the Peer Filtering for Output settings. Select the peer filter from the IP filter list that you created in the previous section ( Add an IP Prefix Filter).

    8. Click OK.

  3. Click Send Changes and Activate.

If BGP Neighbor Authentication is used but is misconfigured, the sessions and packets from the remote side may not show up in the firewall log/live/history view because they will be dropped by the kernel before reaching the firewall engine. This happens because this function uses TCP Authentication Option. For more information see https://datatracker.ietf.org/doc/html/rfc5925.

Step 5a. (optional) Configure Bidirectional Forward Detection (BFD)

BFD (Bidirectional Forward Detection) is a simple hello/echo protocol for detecting link failures between 2 connected neighbors.

You must switch to Advanced Mode in Firewall Admin to access the configuration for BFD!
BFD_advanced_settings.png

BFD can only be configured for an existing IPv4 neighbor.

Perform the following steps to configure BFD:

  1. On the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4 from the Configuration menu in the left navigation pane.
  2. Double-click an entry for a neighbor in the list of configured IPv4 neighbors.
  3. The Neighbors window is displayed.
  4. Scroll down to Enable BFD in the BGP Parameters section.
  5. Select yes for Enable BFD.
  6. Click the Set... button for Advanced BFD Settings.
  7. The Advanced BFD Settings window is displayed.
  8. The edit fields are already preset with commonly used values:
    BFD_settings.png
  9. If necessary, change these values to match your requirements.
  10. Click OK.
  11. Click Send Changes and Activate.

Step 6. Add the IP Address of the BGP Router

You must add the IP address of the BGP router as a shared IP address in the IP Configuration on the Barracuda CloudGen Firewall. To add the IP address of the BGP router:

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. In the left menu, select IP Configuration.
  3. Click Lock.
  4. In the Shared Networks and IPs section, click + to add the IP address of the BGP router. The Shared Networks and IPs window opens.
    1. In the Network Address field, enter the network the BGP router resides in.
    2. In the Shared IPs in this Network table, click + and add the IP address of the BGP router.
    3. From the Responds to Ping list, select yes.
    4. Click OK.
  5. Click Send Changes and Activate.

Step 7. Create a Firewall Rule for BGP Router Communication

To allow communication with other BGP routers, introduce a host firewall rule that allows network traffic through TCP port 179. For more information on creating firewall rules, see Access Rules.

Administrating BGP Routers from the Command Line

The BGP routing daemon for the Barracuda CloudGen Firewall is based on the FRRouting Protocol Suite. You can configure and administrate the BGP router from the Barracuda CloudGen Firewall command-line interface.

  1. Open the Command-Line Interface.
  2. Enter vtysh to launch the configuration tool.