Configuring BGP
The Citrix ADC appliance supports BGP (RFC 4271). The features of BGP on the Citrix ADC are:
- The Citrix ADC advertises routes to BGP peers.
- The Citrix ADC injects host routes to virtual IP addresses (VIPs), as determined by the health of the underlying virtual servers.
- The Citrix ADC generates configuration files for running BGP on the secondary node after failover in an HA configuration.
- This protocol supports IPv6 route exchanges.
- As-Override Support in Border Gateway Protocol
After enabling BGP, you need to configure advertisement of BGP routes. For troubleshooting, you can limit BGP propagation. You can display BGP settings to verify the configuration.
Enabling and Disabling BGP
To enable or disable BGP, you must use either the CLI or the GUI. When BGP is enabled, the Citrix ADC appliance starts the BGP process. When BGP is disabled, the appliance stops the BGP process.
To enable or disable BGP routing by using the CLI:
At the command prompt, type one of the following commands:
-
enable ns feature BGP
-
disable ns feature BGP
To enable or disable BGP routing by using the GUI:
- Navigate to System > Settings, in Modes and Features group, click Change advanced features.
- Select or clear the BGP Routing option.
Advertising IPv4 Routes
You can configure the Citrix ADC appliance to advertise host routes to VIPs and to advertise routes to downstream networks.
To configure BGP to advertise IPv4 routes by using the VTYSH command line:
At the command prompt, type the following commands, in the order shown:
Command | Specifies |
---|---|
VTYSH | Display VTYSH command prompt. |
configure terminal | Enter global configuration mode. |
router BGP < ASnumber> | BGP autonomous system. < ASnumber> is a required parameter. Possible values: 1 to 4,294,967,295. |
Neighbor < IPv4 address> remote-as < as-number> | Update the IPv4 BGP neighbor table with the link local IPv4 address of the neighbor in the specified autonomous system. |
Address-family ipv4 | Enter address family configuration mode. |
Neighbor < IPv4 address> activate | Exchange prefixes for the IPv4 router family between the peer and the local node by using the link local address. |
redistribute kernel | Redistribute kernel routes. |
redistribute static | Redistribute static routes. |
Example:
>VTYSH
NS# configure terminal
NS(config)# router BGP 5
NS(config-router)# Neighbor 10.102.29.170 remote-as 100
NS(config-router)# Address-family ipv4
NS(config-router-af)# Neighbor 10.102.29.170 activate
NS(config-router)# redistribute kernel
NS(config-router)# redistribute static
<!--NeedCopy-->
Prerequisites for IPv6 BGP
Before you begin configuring IPv6 BGP, do the following:
- Make sure that you understand the IPv6 BGP protocol.
- Enable the IPv6 feature.
Advertising IPv6 BGP Routes
Border Gateway Protocol (BGP) enables an upstream router to load balance traffic between two identical virtual servers hosted on two standalone Citrix ADC appliances. Route advertising enables an upstream router to track network entities located behind the Citrix ADC.
To configure BGP to advertise IPv6 routes by using the VTYSH command line:
At the command prompt, type the following commands, in the order shown:
Command | Specifies |
---|---|
VTYSH | Display VTYSH command prompt. |
configure terminal | Enter global configuration mode. |
router BGP < ASnumber> | BGP autonomous system. < ASnumber> is a required parameter. Possible values: 1 to 4,294,967,295. |
Neighbor < IPv6 address> remote-as < as-number> | Update the IPv6 BGP neighbor table with the link local IPv6 address of the neighbor in the specified autonomous system. |
Address-family ipv6 | Enter address family configuration mode. |
Neighbor < IPv6 address> activate | Exchange prefixes for the IPv6 router family between the peer and the local node by using the link local address. |
redistribute kernel | Redistribute kernel routes. |
redistribute static | Redistribute static routes. |
Example:
>VTYSH
NS# configure terminal
NS(config)# router BGP 5
NS(config-router)# Neighbor a1bc::102 remote-as 100
NS(config-router)# Address-family ipv6
NS(config-router-af)# Neighbor a1bc::102 activate
NS(config-router)# redistribute kernel
NS(config-router)# redistribute static
<!--NeedCopy-->
Verifying the BGP Configuration
You can use VTYSH to display BGP settings.
To view the BGP settings using the VTYSH command line
At the command prompt, type:
VTYSH
You are now in the VTYSH command prompt. An output similar to the following appears:
NS170#
At the VTYSH command prompt, type:
NS170# sh ip BGP
NS170# sh BGP
NS170# sh ip BGP neighbors
NS170# sh ip BGP summary
NS170# sh ip BGP route-map <map-tag>
<!--NeedCopy-->
As-Override Support in Border Gateway Protocol
As a part of BGP loop prevention functionality, if a router receives a BGP packet containing the router’s Autonomous System Number (ASN) in the Autonomous Systems (AS) path, the router drops the packet. The assumption is that the packet originated from the router and has reached the place from where it originated.
If an enterprise has several sites with a same ASN, BGP loop prevention causes the sites with an identical ASN to not get linked by another ASN. Routing updates (BGP packets) are dropped when another site receives them.
To solve this issue, BGP AS-Override functionality has been added to the ZebOS BGP routing module of the Citrix ADC.
With AS-Override enabled for a peer device, when the Citrix ADC appliance receives a BGP packet for forwarding to the peer, and the ASN of the packet matches that of the peer, the appliance replaces the ASN of the BGP packet with its own ASN number before forwarding the packet.
You can enable AS-Override for a specific neighbor or a group of neighbors (peer group) by using the VTYSH command line.
To configure BGP AS-Override for a IPv4 neighbor by using the VTYSH command line:
Command | Specifies |
---|---|
configure terminal | Enter global configuration mode. |
router BGP < ASnumber> | BGP autonomous system. < ASnumber> is a required parameter. |
Neighbor < IPv4 address> remote-as < as-number> | Update the IPv4 BGP neighbor table with the IPv4 address of the neighbor in the specified autonomous system. |
Neighbor |
Enable BGP as-override for the specified neighbor. |
> VTYSH NS# configure terminal
NS(config)# router BGP 200
NS(config-router)# Neighbor 192.0.2.100 remote-as 100
NS(config-router)# Neighbor 10.102.29.100 as-override
<!--NeedCopy-->
To configure BGP AS-Override for a IPv4 BGP peer group by using the VTYSH command line:
Command | Specifies |
---|---|
configure terminal | Enter global configuration mode. |
router BGP < ASnumber> | BGP autonomous system. < ASnumber> is a required parameter. |
Neighbor |
Create a BGP peer group. |
Neighbot |
Associate neighbors to the specified peer group. |
Neighbor |
Update the IPv4 BGP neighbor table with the IPv4 address of the neighbor in the specified autonomous system. |
Neighbor |
Enable BGP as-override for all the neighbors that are associated with the specified peer group. |
> VTYSH NS# configure terminal
NS(config)# router BGP 200
NS(config-router)# neighbor external-peers-1 peer-group
NS(config-router)# neighbor 192.0.2.101 peer-group external-peers-1
NS(config-router)# neighbor 192.0.2.102 peer-group external-peers-1
NS(config-router)# neighbor 192.0.2.103 peer-group external-peers-1
NS(config-router)# Neighbor external-peers-1 remote-as 100
NS(config-router)# Neighbor external-peers-1 as-override
<!--NeedCopy-->
To configure BGP AS-Override for an IPv6 neighbor by using the VTYSH command line:
Command | Specifies |
---|---|
configure terminal | Enter global configuration mode. |
router BGP < ASnumber> | BGP autonomous system. < ASnumber> is a required parameter. |
Neighbor < IPv6 address> remote-as < as-number> | Update the IPv4 BGP neighbor table with the IPv4 address of the neighbor in the specified autonomous system. |
Neighbor |
Enable BGP as-override for the specified neighbor. |
Address-family ipv6 | Enter address family configuration mode. |
Neighbor < IPv6 address> activate | Exchange prefixes for the IPv6 router family between the specified neighbor and the Citrix ADC by using the link local address. |
Neighbor |
Enable BGP as-override for the specified neighbor. |
> VTYSH NS# configure terminal
NS(config)# router BGP 200
NS(config-router)# Neighbor a1bc::102 remote-as 100
NS(config-router)# Neighbor a1bc::102 as-override
NS(config-router)# Address-family ipv6
NS(config-router-af)# Neighbor a1bc::102 activate
NS(config-router)# Neighbor a1bc::102 as-override
<!--NeedCopy-->
To configure BGP AS-Override for IPv6 peer group by using the VTYSH command line:
Command | Specifies |
---|---|
configure terminal | Enter global configuration mode. |
router BGP < ASnumber> | BGP autonomous system. < ASnumber> is a required parameter. |
Neighbor |
Create a BGP peer group. |
Neighbor |
Associate a neighbor with the specified peer group. |
Neighbor |
Update the IPv4 BGP neighbor table with the IPv4 address of the neighbor in the specified autonomous system. |
Neighbor |
Enable BGP as-override for all the neighbors that are associated with the specified peer group. |
Address-family ipv6 | Enter address family configuration mode. |
Neighbor |
Exchange prefixes for the IPv6 router family between the neighbors of the specified peer group and the Citrix ADC by using the link local address. |
Neighbor |
Enable BGP as-override for all the neighbors that are associated with the specified peer group. |
> VTYSH NS# configure terminal
NS(config)# router BGP 200
NS(config-router)# neighbor external-peers-2 peer-group
NS(config-router)# neighbor 2001::1 peer-group external-peers-2
NS(config-router)# neighbor 2001::2 peer-group external-peers-2
NS(config-router)# Neighbor external-peers-2 remote-as 100
NS(config-router)# Neighbor external-peers-2 as-override
NS(config-router)# Address-family ipv6
NS(config-router-af)# Neighbor external-peers-2 activate
NS(config-router)# Neighbor external-peers-2 as-override
<!--NeedCopy-->
Graceful Restart
In a non-INC high availability (HA) setup in which a routing protocol is configured, after a failover, routing protocols are converged and routes between the new primary node and the adjacent neighbor routers are learned. Route learning take some time to complete. During this time, forwarding of packets is delayed, network performance might get disrupted, and packets might get dropped.
Graceful restart enables an HA setup during a failover to direct its adjacent routers to not remove the old primary node’s learned routes from their routing databases. Using the old primary node’s routing information, the new primary node and the adjacent routers immediately start forwarding packets, without disrupting network performance.
Note:
Graceful restart is not supported for high availability setups in INC mode.
Configuring Graceful Restart for BGP
To configure graceful restart for BGP by using the VTYSH command line, at the command prompt, type the following commands, in the order shown:
Command | Example | Command Description |
---|---|---|
VTYSH | VTYSH | Enters VTYSH command prompt. |
configure terminal | NS# configure terminal | Enters global configuration mode. |
router-id |
NS(config)# router-id 1.1.1.1 | A router identifier for the Citrix ADC appliance. This identifier is set for all the dynamic routing protocols. The same identifier must be specified on the other node in a high availability setup for graceful restart to work properly. |
router bgp |
NS(config)# router bgp 5 | Enters BGP configuration mode. |
bgp graceful-restart | NS(config)# bgp graceful-restart | Enables graceful restart on the BGP routing process. |
bgp graceful-restart restart-time <1-1800> | NS(config-router)# bgp graceful-restart restart-time 170 | Specifies the grace period, in seconds, that the helper routers waits for a TCP connection from the new primary node after a failover. For this amount of time, the helper routers preserve the routes. |
bgp graceful-restart stalepath-time <1-1800> | NS(config-router)# bgp graceful-restart stalepath-time 180 | Specifies the time, in seconds, that the Citrix ADC appliance in helper mode retains the stale routes for restarting neighbor routers. The default value is 360 seconds. |
neighbor |
NS(config-router)# neighbor 192.0.2.30 remote-as 2 | Establishes BGP peering with the specified neighbor router device. |
neighbor |
NS(config-router)# neighbor 192.0.2.30 capability graceful-restart | Enables graceful restart with the specified neighbor. |
redistribute kernel | NS(config-router)# redistribute kernel | Redistributes kernel routes. |
Configuring Graceful Restart for IPv6 BGP
To configure graceful restart for IPv6 BGP by using the VTYSH command line, at the command prompt, type the following commands, in the order shown:
Command | Example | Command Description |
---|---|---|
VTYSH | VTYSH | Enters VTYSH command prompt. |
configure terminal | NS# configure terminal | Enters global configuration mode. |
router-id |
NS(config)# router-id 1.1.1.1 | Sets a router identifier for the Citrix ADC appliance. This identifier is set for all the dynamic routing protocols. The same ID must be specified in the other node in a high availability setup for graceful restart to work properly. |
router bgp |
NS(config)# router bgp 5 | Enters configuration mode for BGP protocol. |
bgp graceful-restart | NS(config)# bgp graceful-restart | Enables graceful restart on the BGP routing process. |
bgp graceful-restart restart-time <1-1800> | NS(config-router)# bgp graceful-restart restart-time 170 | Specifies the grace period, in seconds, that the helper routers waits for a TCP connection from the new primary node after a failover. For this amount of time, the helper routers preserve the routes. The default value is 360 seconds. |
bgp graceful-restart stalepath-time <1-1800> | NS(config-router)# bgp graceful-restart stalepath-time 180 | Specifies the time, in seconds, that the Citrix ADC appliance in helper mode retains the stale routes for restarting neighbor routers. The default value is 360 seconds. |
neighbor |
NS(config-router)# neighbor 2001:db8::10 remote-as 2 | Establishes BGP peering with the specified neighbor router device. |
address-family ipv6 | NS(config-router)#address-family ipv6 | Enters address family configuration mode. |
neighbor |
NS(config-router-af)#neighbor 2001:db8::10 activate | Enables the exchange of address family routes with the specified neighbor router device. |
neighbor |
NS(config-router-af)#neighbor 2001:db8::10 capability graceful-restart | Enables graceful restart with the specified neighbor router device. |
redistribute kernel | NS(config-router-af)#redistribute kernel | Redistributes kernel routes. |
exit-address-family | NS(config-router-af)#exit-address-family | Exits address family configuration mode. |
Configuring MD5 Authentication for IPv4 BGP
The Citrix ADC appliance supports MD5 authentication for Border Gateway Protocol (BGP). When authentication is enabled, any TCP segment belonging to BGP exchanged between the Citrix ADC appliance and its peer device is verified and accepted only if authentication is successful. For authentication to be successful, both the peers must be configured with the same MD5 password. If authentication fails, the BGP neighbor relationship is not being established. MD5 authentication support for BGP in the Citrix ADC appliance is compliant with RFC 2385.
Before you Begin
Before you start configuring BGP MD5 authentication, consider the following points:
- Make sure that you understand the different components of BGP MD5 authentication, described in RFC 2385.
- BGP MD5 authentication is not supported for Citrix ADC admin partitions.
- BGP MD5 authentication is not supported for IPv6 BGP configurations.
- BGP MD5 authentication is supported for Citrix ADC cluster configurations as well as for high availability configurations.
- Because of the following issue in FreeBSD, Citrix recommends to set a low keep-live and hold-time values (for example, 5 and 15) and configure graceful restart for a BGP session in a Layer 2 high availability configuration. Otherwise, with MD5 authentication enabled, BGP might take a longer time to re-establish a connection with the neighbour after a failover.
- Last ACK from FreeBSD does not contain md5 digest:
Configuring MD5 Authentication for IPv4 BGP
To configure MD5 authentication for IPv4 BGP by using the VTYSH command line, at the command prompt, type the following commands, in the order shown:
Command | Specifies |
---|---|
vtysh | Displays VTYSH command prompt. |
configure terminal | Enters global configuration mode. |
**router bgp |
Enters configuration mode for BGP protocol. |
**neighbor |
Updates the IPv4 BGP table with the IPv4 address of the neighbor in the specified autonomous system. |
neighbor < neighbour IPv4 address > password < password in double quotes> | Configures MD5 authentication for the specified neighbour with the specified MD5 password. For MD5 authentication to be successful, you must configure the same MD5 password on the Citrix ADC appliance and the neighbour appliance. |
> vtysh
ns# configure terminal
ns(config)#router bgp 5
ns(config-router)#neighbor 20.20.20.138 remote-as 1
ns(config-router)#neighbor 20.20.20.138 password “secret”
ns(config-router)#redistribute kernel
ns(config-router)#exit
<!--NeedCopy-->
In this article
- Enabling and Disabling BGP
- Advertising IPv4 Routes
- Prerequisites for IPv6 BGP
- Advertising IPv6 BGP Routes
- Verifying the BGP Configuration
- As-Override Support in Border Gateway Protocol
- Graceful Restart
- Configuring MD5 Authentication for IPv4 BGP
- Before you Begin
- Configuring MD5 Authentication for IPv4 BGP