- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
BGP Configuration/BGP multihoming with single ISP- Dual Homed
10/14/2021 
127 People found this article helpful
103,504 Views
Description
BGP Configuration/BGP multihoming with single ISP- Dual Homed
Resolution
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Devices not Supported: TZ 300/ 300W
What is BGP?
BGP is a large-scale routing protocol used to communicate routing information between Autonomous Systems (ASs), which are well-defined, separately administered network domains. BGP support allows for SonicWall security appliances to replace a traditional BGP router on the edge of a network's AS. The current SonicWall implementation of BGP is most appropriate for "single-provider / singly-homed" environments, where the network uses one ISP as their Internet provider and has a single connection to that provider. SonicWall BGP is also capable of supporting "single-provider / multi-homed" environments, where the network uses a single ISP but has a small number of separate routes to the provider. BGP is configured through the SonicOS Command Line Interface (CLI).
Autonomous Systems
Each Autonomous System has a 16-bit number assigned. Like IP addresses, an AS number may be public or private. Public AS numbers are a limited resource and are provisioned based on a number of factors. ISP customers with large networks multi-homed to two or more ISPs usually have a public AS, whereas smaller customers will be given a private AS administered by their ISP provider
SonicWall supports 2- Byte and 4- Byte ASN
Default is 2- Byte
How Does BGP Work?
BGP uses TCP port 179 for communication. BGP is considered a path-vector protocol, containing end-to-end path descriptions for destinations. BGP neighbors can either be internal (iBGP) or external (eBGP): iBGP Neighbor is in the same AS.
eBGP Neighbor is in a different AS. Paths are advertised in UPDATE messages that are tagged with various path attributes. AS_PATH and NEXT_HOP are the two most important attributes that describe the path of a route in a BGP update message.
AS_PATH: Indicates the ASs that the route is traveling from and two. In the example below, the AS_PATH is from AS 7675 to AS 12345. For internal BGP, the AS_PATH specifies the same AS for both the source and destination.
NEXT_HOP: Indicates the IP address of the next router the path travels to. Paths advertised across AS boundaries inherit the NEXT_HOP address of the boundary router. BGP relies on interior routing protocols to reach NEXT_HOP addresses.
BGP Messages
BGP communication includes the following types of messages
Open The first message between BGP peers after TCP session establishment. Contains the necessary information to establish a peering session, e.g. ASN, hold time, and capabilities such as multi-product extensions and route-refresh.
Update These messages contain path information, such as route announcements or withdrawals.
Keepalive Periodic messages to keep TCP layer up, and to advertise liveliness.
Notification A request to terminate the BGP session. Non-fatal notifications contain the error code "cease". Subcodes provide further detail:
Enable advanced routing and BGP(Configure Via CLI)
Before enabling check for the sonicOS Expanded License
- Click Manage in the top navigation menu
- Navigate to Network | Routing
- Click on Settings Tab
- Under the Routing Mode Drop down Select Advanced Routing
Click on OK to proceed and configure BGP from CLI
BGP configuration for Multihoming with single ISP
CLI Commands
admin@C0EAE45BFE7A> configure
config(C0EAE45BFE7A)# routing
(config-routing)# bgp
ZebOS version 7.7.0 IPIRouter7/2009
ARS BGP>configure terminal
ARS BGP(config-router)>router bgp 100
ARS BGP(config-router)>network 192.168.1.0/24 <>
ARS BGP(config-router)>network 192.168.2.0/24
ARS BGP(config-router)>neighbor 1.1.1.2 remote-as 200
ARS BGP(config-router)>neighbor 1.1.1.2 prefix-list DEFAULT-ROUTE in <>
ARS BGP(config-router)>neighbor 2.2.2.2 remote-as 200
ARS BGP(config-router)>neighbor 2.2.2.2 prefix-list DEFAULT-ROUTE in <>
ARS BGP(config-router)>neighbor 2.2.2.2 route-map ROUTE-ADVTISED out <>
ARS BGP(config-router)>ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0
ARS BGP(config-router)>route-map ROUTE-ADVTISED permit 10
ARS BGP(config-route-map)>set as-path prepend100 100 100
ARS BGP(config-router)>Ctrl+Z
ARS BGP> Write
ARS BGP> Exit
config(C0EAE45BFE7A)#commit
Commands to check:
config(C0EAE45BFE7A)# show routing bgp [neighbor|summary]
config(C0EAE45BFE7A)# show routing bgp
config-routing)# show routing nsm database <>
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
C *> 127.0.0.0/8 is directly connected, lo0
S *> 172.27.60.0/24 [1/1] via 172.27.76.1, X0
C *> 172.27.76.0/24 is directly connected, X0
C *> 192.168.176.0/24 is directly connected, X1
B 2.0.0.0/8 [20/0] via 150.10.10.2, 00:04:23
[20/0] via 160.20.20.2, 00:04:01
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
What is BGP?
BGP is a large-scale routing protocol used to communicate routing information between Autonomous Systems (ASs), which are well-defined, separately administered network domains. BGP support allows for SonicWall security appliances to replace a traditional BGP router on the edge of a network's AS. The current SonicWall implementation of BGP is most appropriate for "single-provider / singly-homed" environments, where the network uses one ISP as their Internet provider and has a single connection to that provider. SonicWall BGP is also capable of supporting "single-provider / multi-homed" environments, where the network uses a single ISP but has a small number of separate routes to the provider. BGP is configured through the SonicOS Command Line Interface (CLI).
Autonomous Systems
Each Autonomous System has a 16-bit number assigned. Like IP addresses, an AS number may be public or private. Public AS numbers are a limited resource and are provisioned based on a number of factors. ISP customers with large networks multi-homed to two or more ISPs usually have a public AS, whereas smaller customers will be given a private AS administered by their ISP provider
SonicWall supports 2- Byte and 4- Byte ASN
Default is 2- Byte
How Does BGP Work?
BGP uses TCP port 179 for communication. BGP is considered a path-vector protocol, containing end-to-end path descriptions for destinations. BGP neighbors can either be internal (iBGP) or external (eBGP): iBGP Neighbor is in the same AS.
eBGP Neighbor is in a different AS. Paths are advertised in UPDATE messages that are tagged with various path attributes. AS_PATH and NEXT_HOP are the two most important attributes that describe the path of a route in a BGP update message.
AS_PATH: Indicates the ASs that the route is traveling from and two. In the example below, the AS_PATH is from AS 7675 to AS 12345. For internal BGP, the AS_PATH specifies the same AS for both the source and destination.
NEXT_HOP: Indicates the IP address of the next router the path travels to. Paths advertised across AS boundaries inherit the NEXT_HOP address of the boundary router. BGP relies on interior routing protocols to reach NEXT_HOP addresses.
BGP Messages
BGP communication includes the following types of messages
Open The first message between BGP peers after TCP session establishment. Contains the necessary information to establish a peering session, e.g. ASN, hold time, and capabilities such as multi-product extensions and route-refresh.
Update These messages contain path information, such as route announcements or withdrawals.
Keepalive Periodic messages to keep TCP layer up, and to advertise liveliness.
Notification A request to terminate the BGP session. Non-fatal notifications contain the error code "cease". Subcodes provide further detail:
Subcode Description
Sample BGP Packet Capture.
Enable advanced routing and BGP(Configure Via CLI)
BGP configuration for Multihoming with single ISP
CLI Commands
admin@C0EAE45BFE7A> configure
config(C0EAE45BFE7A)# routing
(config-routing)# bgp
ZebOS version 7.7.0 IPIRouter7/2009
ARS BGP>configure terminal
ARS BGP(config-router)>router bgp 100
ARS BGP(config-router)>network 192.168.1.0/24 <>
ARS BGP(config-router)>network 192.168.2.0/24
ARS BGP(config-router)>neighbor 1.1.1.2 remote-as 200
ARS BGP(config-router)>neighbor 1.1.1.2 prefix-list DEFAULT-ROUTE in <>
ARS BGP(config-router)>neighbor 2.2.2.2 remote-as 200
ARS BGP(config-router)>neighbor 2.2.2.2 prefix-list DEFAULT-ROUTE in <>
ARS BGP(config-router)>neighbor 2.2.2.2 route-map ROUTE-ADVTISED out <>
ARS BGP(config-router)>ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0
ARS BGP(config-router)>route-map ROUTE-ADVTISED permit 10
ARS BGP(config-route-map)>set as-path prepend100 100 100 <>
ARS BGP(config-router)>Ctrl+Z
ARS BGP> Write
ARS BGP> Exit
config(C0EAE45BFE7A)#commit
Commands to check:
config(C0EAE45BFE7A)# show routing bgp [neighbor|summary]
config(C0EAE45BFE7A)# show routing bgp
config-routing)# show routing nsm database <>
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
C *> 127.0.0.0/8 is directly connected, lo0
S *> 172.27.60.0/24 [1/1] via 172.27.76.1, X0
C *> 172.27.76.0/24 is directly connected, X0
C *> 192.168.176.0/24 is directly connected, X1
B 2.0.0.0/8 [20/0] via 150.10.10.2, 00:04:23 <>
[20/0] via 160.20.20.2, 00:04:01
Related Articles
- Client VPN hanging at acquiring IP using SonicWall DHCP
- GVC stuck on acquiring IP for some users
- App Control fails by schema error when editing VPN category
Categories
- Firewalls > TZ Series > Networking
- Firewalls > SonicWall NSA Series > Networking
- Firewalls > SonicWall SuperMassive E10000 Series > Networking
- Firewalls > SonicWall SuperMassive 9000 Series > Networking
YES
NO