BGP Graceful Restart on the Cisco FTD: Part 1 – Configuring

Enabling BGP Graceful Restart on the Cisco Firepower Threat Defense (FTD) just got so easy! I’m stoked!

So the other day I needed to put together an environment with the FTD eBGP peering with graceful restart enabled and test it. Had a blast!

I’m going to bring you through a step-by-step walkthrough first, in case you have never configured BGP on an FTD. :). Part 2 will be seeing it all in action. So if you already know how to configure BGP on an FTD and you know how to configure it with graceful-restart… you will want Part 2, not this one. 🙂

What Will be Covered in Part 1 and Part 2

  • Part 1: Configuring and Setting the Stage
    • Go through configuring BGP on the FTD step by step
    • Deploy and see if Airlines24 has a BGP neighbor (spoiler: it won’t)
    • Add a static route on the FTD to get to the BGP peer since it is not directly connected
    • Deploy and see if Airlines24 has a BGP neighbor (spoiler: it will)
    • Notice on Airlines24 that the FTD is not advertising any subnets to us (this will mean Airlines24 will have no route back to 11.0.0.0/24 when Airlines23 tries to ping)
    • Add 11.0.0.0/24 on the FTD as a subnet to advertise out with BGP
    • Deploy
    • Notice on Airlines24 we now see the FTD advertising a subnet to us
    • Notice also on Airlines24 that the FTD is advertising it can support graceful restart
  • Part 2: PlayTime!
    • Grab a sniffer trace of the BGP coming up – to show GR in capabilities
    • Start pinging from Airlines23 to 14.0.0.114
    • Cause failover by going into FMC and switching active FTD
    • Look at results (spoiler: it’s all going to be beautiful)

Time to Get Geeky!

Originally I was going to BGP peer with the Spirent Test Center and keep the Nexus 9K on the right as layer 2 only. However, the customer scenario did also include pings so I ended up BGP peering with the Nexus9K (airlines24) on the right.

Topology with FTD and BGP

BGP Configs for the Nexus9K

The BGP is pretty straightforward and simple. We can see for the N9K the BGP is set up such that

  • ASN (autonomous-system number) is 14
  • 2 networks are being advertised: 14.0.0.0/24 to cover my loop114, which is where the ping will go, and also the Spirent Test Center network 7.7.7.0, because I couldn’t resist also using UDP traffic along with the ping
  • Neighbor:
    • 21.0.0.1 is the neighbor
    • ASN is 21
    • Loopback14 (14.14.14.14) will be what we peer to the neighbor with
    • ebgp-multihop 2

The only thing I really didn’t need to do was the ebgp-multihop 2 in order to peer from the N9K loopback address. The idea that you need that command causes a lot of confusion. lol. But I figured it is a more common command for people to use than the disable-connected-check command, so I used it.

Side Note: If you are like – huh? What is she talking about…. here ya go. Read this – “Clearing Up Some Misinformation RE: eBGP Multihop and TTL”
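Here is what that bullet list looks like as NX-OS configuration on airlines24. This is an added example reconstructed from the bullets above, not the running-config pulled off the Nexus. The loopback addressing (loopback14 as 14.14.14.14/32, loopback114 carrying 14.0.0.114/24), the /24 mask on the Spirent network and the explicit graceful-restart line are assumptions; NX-OS enables BGP graceful restart by default, so that line only makes the default visible rather than changing anything.

```text
! airlines24 (Nexus 9K) -- reconstructed from the bullets above, not the device's actual running-config
feature bgp

! Assumption: loopback14 is the peering source, loopback114 is the ping target (14.0.0.114)
interface loopback14
  ip address 14.14.14.14/32
interface loopback114
  ip address 14.0.0.114/24

router bgp 14
  ! graceful-restart is the NX-OS default; shown explicitly so the GR capability the FTD sees is obvious
  graceful-restart
  log-neighbor-changes
  address-family ipv4 unicast
    ! 14.0.0.0/24 covers loop114 (the ping destination)
    network 14.0.0.0/24
    ! Spirent Test Center network; /24 is an assumption, the post only gives 7.7.7.0
    network 7.7.7.0/24
  neighbor 21.0.0.1
    remote-as 21
    ! peer from the loopback, which is why the TTL needs a bump (ebgp-multihop 2)
    update-source loopback14
    ebgp-multihop 2
    address-family ipv4 unicast
```

The ebgp-multihop 2 line is the one the post calls out as not strictly necessary: disable-connected-check under the neighbor would do the same job for a loopback that is one hop away, and the FTD side (shown later in its CLI) ends up with both.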

BGP Configs for the FTD

I’ll show the configs for the FTD HA pair in 2 ways – the resulting show running-config from the CLI and also the FMC (I configured it from the FMC).

Note: Code version for the FTD is 7.1.0-90

Let’s look at the diagram again.

Topology with FTD and BGP

So what do I need on the FTDs?

  1. BGP peer with GR enabled
    • neighbor 14.14.14.14 in ASN 14
    • FTD in ASN 21
    • GR enabled
    • ebgp-multihop 2 equivalent
  2. Static route to 14.14.14.14 on the FTD.
  3. FTD to advertise network 11.0.0.0/24 so Airlines23 can ping from SVI 151 to destination 14.0.0.114 and actually get return traffic.

BGP peer with GR enabled

Select FTDs to be edited

Go to Devices -> Device Management and click the HA pair to select and then click the pencil to edit.

FMC editing GUI for FTD

You will be brought to this page. There isn’t much to call out on this page, so I’m going to make the image smaller. Basically, on this page we just want to go to “Routing”.

FMC GUI for routing

Super simple…. first… much like typing “router bgp” on a router, we have to enable BGP, set what ASN it is in, and set the general BGP settings that have nothing to do with IPv4 or IPv6. This is much like the default area under “router bgp” on a router, and then the IPv4 and IPv6 sections are much like the “address-family ipv4|ipv6” parts on a router.

(1) General Settings: BGP – aka “router bgp”

Okay so in “routing” you just click General -> BGP

When you first get in everything will be greyed out. Once you enable BGP you can then do whatever general BGP settings you’d like. Much like you have to type “router bgp” first on a router. :). The only changes I made here were to make the ASN 21 and enable GR.

FMC General BGP settings section for FTD

(2) BGP IPv4: aka “address-family ipv4”

FMC routing BGP GUI for IPv4

When you first get in here you have to click the check box to enable IPv4. This is pretty much equivalent to typing “address-family ipv4” in a router. For my environment I just want to make a neighbor for now. Later I will add the subnet to advertise under “Network”.

So let’s go to Neighbor

BGP Neighbor GUI in FMC with no neighbor

When we first get in here we will have no neighbors. So we will want to add a neighbor.

When you first come in here, what you will notice is that there is the top section where we add neighbors (“1”) and then a series of tabs. When you first click here you will be in the “filtering routes” tab. I won’t be using that… just wanted to call out what the bottom section is. So for this page I just

  • Added 14.14.14.14 as the neighbor with Remote ASN 14 and clicked those 3 boxes

Now let’s go to the “Advanced” tab (2)

Let’s deploy this to the FTDs and then see if Airlines24 sees the eBGP neighbor up.

Topology with FTD and BGP
show ip bgp summary showing neighbor not up

So for those of you who do not know this – “Active” just means BGP is actively trying to come up, as opposed to Idle. It doesn’t mean it is up. If it were up, instead of “Active” in the State column we would see the number of prefixes received.

So

  • N9K is properly configured for BGP
  • N9K can ping its peer 21.0.0.1
  • BGP is not up and peered.

Well we aren’t done are we? I listed 3 things we were going to do on the FTD. We have only done #1.

  1. BGP peer with GR enabled
  2. Static route to 14.14.14.14 on the FTD.
  3. FTD to advertise network 11.0.0.0/24 so Airlines23 can ping from SVI 151 to destination 14.0.0.114 and actually get return traffic.

Right now the FTD is configured to have a BGP neighbor with 14.14.14.14, which is NOT directly connected to the FTD. So we need a static route to get there. I showed this before when I highlighted Static Route with a blue square. So let’s go back there.

FMC GUI for routing

Static Route to 14.14.14.14

So let’s go back to Routing and then click Static Route that I showed above with the blue square around it.

FMC GUI for adding a static route

So let’s add a static route to get to

  • 14.14.14.14 via
  • outside
  • next hop 21.0.0.14

While I used an IP address there… I usually, admittedly, use objects with names so I can reuse objects. This config just made it simpler for those of you newer to the FTD GUI.

So let’s deploy that. And then check on Airlines24 if the BGP peer is up.

bgp neighbor up

Woot! Okay, so the BGP neighbor is up. The N9K is advertising the 2 subnets at the bottom, but the FTD isn’t advertising anything. Let’s fix that.

Advertise 11.0.0.0/24 Subnet

FMC routing BGP GUI for IPv4

I actually highlighted in an earlier screen shot where we were going to go later to add the 11.0.0.0/24 subnet. In that “Networks” tab in the above pic. So let’s go there.

FMC GUI to add a subnet to BGP

Clicking “add” gives us “add network” with two boxes – one is “Network” and the other is “Route Map”. I won’t be using a route-map, just adding insideVlan11, which is an object that represents 11.0.0.0/24.

FMC GUI of adding a subnet to BGP

Time to deploy and check Airlines24.

Woot woot! :). We have routing!

BGP Configs on FTD in CLI

router bgp 21
  bgp log-neighbor-changes
  bgp graceful-restart
  bgp router-id vrf auto-assign
  address-family ipv4 unicast
      neighbor 14.14.14.14 remote-as 14
      neighbor 14.14.14.14 ebgp-multihop 2
      neighbor 14.14.14.14 transport path-mtu-discovery disable
      neighbor 14.14.14.14 disable-connected-check
      neighbor 14.14.14.14 ha-mode graceful-restart
      neighbor 14.14.14.14 activate
      network 11.0.0.0 mask 255.255.255.0
      no auto-summary
      no synchronization
exit-address-family

Do We Have GR?

If we enter “show ip bgp neighbor 21.0.0.1” on the N9K, we will find down in the network capabilities section that the FTD is advertising that it CAN do GR.

Topology with FTD and BGP

Done! The stage has been set… the configs are all on. Part 2 is time to play with it and see BGP GR in action!

3 replies

  1. Link mentioned in the traceback doesn’t work. It would require “/” after .com.

Trackbacks

  1. BGP Graceful Restart on the Cisco FTD: Part 2 - Seeing it "In Action"