When you configure a BGP neighbor for an IPsec connection, define the Private IP addresses for the site and the Cato Socket. For more about configuring BGP for a cloud service, see Using BGP in the Cato Cloud.
Note
Note: You can only configure up to two BGP neighbors for an IPsec connection, one BGP neighbor per tunnel.
The Additional section for a BGP neighbor contains these advanced BGP settings:
-
Metric
-
Hold Time
-
Keep-alive Interval
The Metric defines the priority for this BGP route. The lower this value, the higher the priority given to the metric (for example, 10 is a higher priority than 100). The default Metric is 100.
The Hold Time is the number of seconds that the site waits until it defines that the BGP neighbor is down. For example, if the Hold Time is 90, then if the site does not receive a BGP message for 90 seconds, it stops sending traffic to that neighbor and disconnects. After disconnecting from the BGP neighbor, the site attempts to re-connect to it.
-
The default setting for a Cato site is 60.
-
A Hold Time value of 1 or 2 isn't valid.
-
If the neighbors have different Hold Time values, then the smallest value is used for the pair. Both neighbors always use the same Hold Time value.
-
If the Hold Time value for both neighbors is 0, then the site never disconnects.
The keep-alive Interval is the number of seconds that the site sends keep-alive messages to the BGP neighbor to keep the session alive. We recommend that the value of the keep-alive Interval is 1/3 the Hold Time value.
-
The default keep-alive Interval for a Cato site is 20.
-
When the BGP neighbor has a smaller Hold Time value, both members use that value. If the keep-alive Interval value is smaller than the Hold Time value for the BGP neighbor, then a new keep-alive Interval that is 1/3 the Hold Time value for the BGP neighbor is used.
For example, Cato site A has a Hold Time of 120 and a keep-alive interval of 40, and neighbor B has a Hold Time of 30. Then both neighbors use the Hold Time value of 30, and site A has a new keep-alive interval of 10.
Define and configure the BGP neighbor pair for sites that use IPsec connections. First define the private IP addresses for the IPsec tunnel, and then define a new rule for each BGP neighbor.
For each peer, we recommend configuring BGP neighbor status change notifications. Email Notifications are sent directly to an admin mailing list upon a BGP peer connection state change. This is the frequency that the notifications are sent:
-
Immediate - an email is sent to the recipients for every occurrence.
-
Hourly - an email is sent to the recipients with the first occurrence, and if there are any additional occurrences, then the next email for any additional occurrences follows after 1 hour.
-
Daily - an email is sent to the recipients with the first occurrence, and the next email follows after 24 hours (including all additional occurrences).
-
Weekly - an email is sent to the recipients with the first occurrence, and if there are any additional occurrences, then the next email for any additional occurrences follows after 1 week.
To define a BGP neighbor for an IPsec site:
-
From the navigation menu, click Network > Sites and select the site.
-
Define the private IP addresses for the IPsec connection:
-
From the navigation menu, click Site Settings > IPsec.
-
Expand the Primary section, and configure the Private IPs that are inside the VPN tunnel.
Note
Note: The IP address for the Site is also used to configure the settings for the BGP neighbor.
-
For sites that use a secondary IPsec tunnel, expand the Secondary section and configure the settings in the previous step and then click Save.
-
Click Save. The private IP address is defined for the site.
-
-
From the navigation menu, click Site Settings > BGP.
-
Click New. The Add Rule panel opens.
-
In the General section, enter the Name for this rule that defines the BGP neighbor.
-
In the ASN Settings section, configure the BGP Neighbor's ASN and Cato's ASN.
For more about changing the default ASN for Cato (see Using BGP in the Cato Cloud).
-
In the IPs section, enter the BGP Neighbor's IP address.
-
In the Routing section, define the BGP routing behavior for your network:
-
The Advertise options lets you configure how the Socket advertises the BGP routes for this neighbor:
-
Default route - The Socket advertises a default route (0/0) to BGP neighbors. The neighbors can send all traffic to this default route, even if it is not in the routing table. Select this option for deployments that use the Cato Socket as the Internet Gateway for that router.
-
All routes - The Socket advertises the internal routing table for the entire account to the BGP neighbor. These routes include static and floating ranges, in addition to routes that are learned from other peers in this site and across your network. This option is often enabled to send the WAN traffic to the BGP neighbor.
Note: The entire range of SDP users is advertised to the BGP peer as a single route.
-
-
In the Accept section, select Dynamic Ranges to configure the Cato Socket to accept the dynamic IP addresses that are published by this neighbor. For most scenarios, this option is enabled. When you disable this option, you are limiting the dynamic propagation from this BGP neighbor.
For example, in deployments that use AWS Direct Connect, BGP is required but you do not want to accept the AWS dynamic addresses. In these deployments, we recommend that you disable this option.
-
In the NAT section, select Perform NAT to public IPs to define a BGP session over a Cato Socket Alternative WAN connection type (see Using BGP in the Cato Cloud).
-
-
To authenticate BGP MD5 using a pre-shared secret, in the Additional: section, select MD5 Auth.
Note: BGP MD5 authentication is supported according to RFC 2385.
-
In the Additional section, you can configure advanced settings for the BGP neighbor:
-
To change the Metric for this route, enter the new priority.
The lower this value, the higher the priority given to the metric (for example, 10 is a higher priority than 100).
-
To change how long the BGP session is kept open, enter the new Hold time (in seconds).
-
To change the frequency of the Keepalive interval, enter the new value (in seconds) between keep-alive messages.
-
-
To receive notifications based on changes to the status of the BGP neighbor:
-
Select Email Notification.
-
Define the Frequency that the notifications are sent.
-
Select the mailing list that receives the notifications.
-
-
Click Apply. The new rule is added to the rulebase.
-
Repeat these steps to configure additional rules for BGP neighbors.
-
Click Save. The BGP neighbor is configured for the IPsec connection.
After you configure the BGP neighbor for the connection, we recommend that you use Show BGP Status feature to test the status of the neighbor and make sure that this dynamic route is working.
Note
Note: You can only show the BGP status after you save the configuration for the BGP neighbor and it is sent to the site.
To show the status of the BGP neighbor:
-
From the navigation menu, click Network > Sites and select the site.
-
From the navigation menu, click Site Settings > BGP.
-
Click Show BGP Status.
An HTTP query is sent to the relevant PoP. The pop-up window shows the status of each BGP neighbor and data about the current routes.
-
Click OK to close the window.
4 comments
Added information for email notifications when there is a change to BGP peer status
How about BGP filters?
Bastian Goettling - BGP filters are a planned enhancement for 2024. Thanks!
Great! Thanks!
Please sign in to leave a comment.