User manual SONICWALL SONICOS 5.6.5 BGP ADVANCED ROUTING

[. . . ] BGP Advanced Routing in SonicOS Document Scope This document provides an overview of SonicWALL's implmenetation of Border Gateway protocol (BGP), how BGP operates, and how to configure BGP for your network. This document contains the following sections: · "Feature Overview" section on page 2 ­ "What is BGP?" section on page 2 ­ "Background Information" section on page 2 ­ "Autonomous Systems" section on page 3 ­ "Types of BGP Topologies" section on page 3 ­ "Why Use BGP?" section on page 4 ­ "How Does BGP Work?" section on page 4 · · · "Caveats" section on page 8 "Licensing BGP" section on page 9 "Configuring BGP" section on page 9 ­ "IPSec Configuration for BGP" on page 9 ­ "Basic BGP Configuration" on page 11 ­ "BGP Path Selection Process" on page 12 ­ "AS_PATH Prepending" on page 15 ­ "Multiple Exit Discriminator (MED)" on page 15 ­ "BGP Communities" on page 16 ­ "Synchronization and Auto-Summary" on page 17 ­ "Preventing an Accidental Transit AS" on page 17 ­ "Using Multi-Homed BGP for Load Sharing" on page 18 · · "Verifying BGP Configuration" section on page 19 "BGP Terms" section on page 21 BGP Advanced Routing in SonicOS 1 Feature Overview Feature Overview The following sections provide an overview of BGP: · · · · · · "What is BGP?" section on page 2 "Background Information" section on page 2 "Autonomous Systems" section on page 3 "Types of BGP Topologies" section on page 3 "Why Use BGP?" section on page 4 "How Does BGP Work?" section on page 4 What is BGP? BGP is a large-scale routing protocol used to communicate routing information between Autonomous Systems (ASs), which are well-defined, separately administered network domains. BGP support allows for SonicWALL security appliances to replace a traditional BGP router on the edge of a network's AS. The current SonicWALL implementation of BGP is most appropriate for "single-provider / singly-homed" environments, where the network uses one ISP as their Internet provider and has a single connection to that provider. [. . . ] The VPN Policies window displays. 2. In the Policy Type pulldown menu, make sure that Site to Site is selected. Note A site-to-site VPN tunnel must be used for BGP over IPSec. Tunnel interfaces will not work for BGP. 3. 9. Select the desired Authentication Method. In this example, we are using IKE using Preshared Secret. In the IPsec Primary Gateway Name or Address field, enter the IP address of the remote peer (for this example it is 192. 168. 168. 35). In the IPsec Secondary Gateway Name or Address field, enter 0. 0. 0. 0. In the Local IKE ID field, enter the IP address of the SonicWALL (for this example it is 192. 168. 168. 75) In the Peer IKE ID field, enter the IP address of the remote peer (192. 168. 168. 35). 10 BGP Advanced Routing in SonicOS Configuring BGP 10. For the local network, select X0 IP from the Choose local network from list pulldown menu. For the remote network, select the remote peer's IP address from the Choose destination network from list pulldown menu, which is 192. 168. 168. 35 for this example. If the remote IP address is not listed, select Create new address object to create an address object for the IP address. 13. You can either use the default IPSec proposals or customize them as you see fit. 14. Click OK. The VPN policy is now configured on the SonicWALL appliance. Now complete the corresponding IPSec configuration on the remote peer. When that is complete, return to the VPN > Settings page and check the Enable checkbox for the VPN policy to initiate the IPSec tunnel. Use the ping diagnostic on the SonicWall to ping the BGP peer IP address and use Wireshark to ensure that the request and response are being encapsulated in ESP packets. Note As configured in this example, routed traffic will not go through the IPSEC tunnel used for BGP. That traffic is sent and received in the clear, which is most likely the desired behavior since the goal is to secure BGP, not all the routed network traffic. For more detailed information on configuring IPSec, see the VPN chapters in the SonicOS Enhanced Administrator's Guide. Basic BGP Configuration To configure BGP on a SonicWALL security appliance, perform the following tasks: 1. 2. On the SonicOS GUI, navigate to the Network > Routing page. In the Routing Mode pulldown menu, select Advanced Routing. Note The actual BGP configuration is performed using the SonicOS command line interface (CLI). For detailed information on how to connect to the SonicOS CLI, see the SonicOS Command-Line Interface Guide at: http://www. sonicwall. com/us/support/230_3623. html BGP Advanced Routing in SonicOS 11 Configuring BGP 3. 5. Log in to the SonicOS CLI through the console interface. Enter configuration mode by typing the configure command. [. . . ] - incomplete Network *> 7. 6. 7. 0/24 *> 12. 34. 5. 0/24 *> 199. 199. 0. 0/16 Next Hop 10. 50. 165. 228 0. 0. 0. 0 10. 50. 165. 228 Metric LocPrf Weight Path 0 0 7675 i 100 32768 i 0 0 7675 9999 i Total number of prefixes 3 20 BGP Advanced Routing in SonicOS BGP Terms Note The last route is the path to AS9999 that was learned through AS7675. Configuring BGP Logging SonicWALL BGP offers a comprehensive selection of debug commands to display log events related to BGP traffic. BGP logging can be configured on the CLI by using the debug bgp command followed by of the following keywords: BGP Debug Keywords Description all dampening events filters fsm keepalives nht nsm updates Enables all BGP debugging. Enables debugging for BGP Finite State Machine (FSM). Enables debugging for inbound/outbound BGP updates. To disable BGP debugging, enter the "no" form of the command. [. . . ]