次の方法で共有


Border Gateway Protocol (BGP) Overview

 

You can use this topic to gain an understanding of Border Gateway Protocol (BGP), including BGP supported deployment topologies and BGP features and capabilities.

This topic contains the following sections.

When configured on a Windows Server® 2012 R2 Routing and Remote Access Service (RRAS) Multitenant Gateway, Border Gateway Protocol (BGP) provides you with the ability to manage the routing of network traffic between your tenants’ VM networks and their remote sites.

BGP reduces the need for manual route configuration on routers because it is a dynamic routing protocol, and automatically learns routes between sites that are connected by using site-to-site VPN connections.

To use BGP routing, you must install the RRAS role service of the Remote Access server role on a computer or virtual machine (VM) – the type of system you use depends on whether or not you have a multitenant deployment:

  • For a multitenant deployment, it is recommended that you install the RRAS Multitenant Gateway on a VM. The RRAS Multitenant Gateway is capable of handling multiple connections from multiple tenants, and consists of a Hyper-V host and a virtual machine (VM) that is actually configured as the gateway. This gateway is configured with site-to-site VPN connections as a multitenant BGP router to exchange tenant and CSP subnet routes.

  • For a non-multitenant deployment, you can install the RRAS Gateway on either a physical computer or a VM.

Important

When you install RRAS as an RRAS Multitenant Gateway, you must specify whether BGP is enabled for each tenant by using the Enable-RemoteAccessRoutingDomain Windows PowerShell command with the –Type parameter value of All. The following example code illustrates how to install RRAS in Multitenancy mode with all RRAS features (point-to-site VPN, site-to-site VPN, and BGP routing) enabled for two tenants, Contoso and Fabrikam.

$Contoso_RoutingDomain = "ContosoTenant"
$Fabrikam_RoutingDomain = “FabrikamTenant”

Install-RemoteAccess -MultiTenancy

Enable-RemoteAccessRoutingDomain -Name $Contoso_RoutingDomain -Type All -PassThru
Enable-RemoteAccessRoutingDomain -Name $Fabrikam_RoutingDomain -Type All -PassThru

Router Versions in Windows Server 2012 R2

Two different versions of the BGP router are available in Windows Server 2012 R2 – the RRAS Multitenant Gateway and Windows Server Gateway. Although the routers have the same functionality and capabilities, you can use different methods to manage each router, depending on whether you are using System Center 2012 R2.

RRAS Multitenant Gateway. The RRAS Multitenant Gateway BGP router can be used for multitenant or non-multitenant deployments, and is a full featured BGP router. To deploy an RRAS Multitenant Gateway BGP Router, you must use Windows PowerShell commands. For more information, see Remote Access Cmdlets in Windows PowerShell and Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide.

Windows Server Gateway. To deploy Windows Server Gateway, you must use System Center 2012 R2 and Virtual Machine Manager (VMM). The Windows Server Gateway BGP router is designed for use with multitenant deployments. With the System Center 2012 R2 VMM Windows Server Gateway router, only a very limited set of configuration options are available in the VMM software interface, including Local BGP IP Address and Autonomous System Numbers (ASN), List of BGP Peer IP Addresses, and ASN, values. You can, however, use Remote Access Windows PowerShell BGP commands to configure all other features of Windows Server Gateway. For more information, see Windows Server Gateway and Virtual Machine Manager.

BGP Supported Deployment Topologies

Listed below are the supported deployment topologies where Enterprise sites are connected to a Cloud Service Provider (CSP) datacenter.

In all scenarios, the CSP gateway is a Windows Server® 2012 R2 RRAS Multitenant Gateway at the edge. The RRAS Multitenant Gateway, which is capable of handling multiple connections from multiple tenants, consists of a Hyper-V host and a virtual machine (VM) that is actually configured as the gateway. This edge gateway is configured with site-to-site VPN connections as a multitenant BGP router to exchange Enterprise and CSP subnet routes.

Tenants connect to their resources at the CSP datacenter by using a site-to-site (S2S) VPN connection. In addition, the BGP routing protocol is deployed for dynamic routing information exchange between the Enterprise and CSP gateways.

The following deployment topologies are supported.

The following sections contain additional information on each supported BGP topology.

RRAS VPN Site-to-Site Gateway with BGP at Enterprise site edge

This topology depicts an Enterprise site connected to a CSP. The Enterprise routing topology includes an internal router, a Windows Server 2012 R2 RRAS Multitenant Gateway configured for VPN site-to-site connections with the CSP, and an edge firewall device. The RRAS gateway terminates the S2S VPN and BGP connections.

Both sites are connected using External Border Gateway Protocol (eBGP), which can transmit information between BGP-enabled routers in separate autonomous systems (AS). This requires that both the Enterprise and the CSP have distinct Autonomous System Numbers (ASN), which is a parameter that is integral to the BGP protocol.

In this scenario, BGP works in the following way.

  • The Enterprise site edge device learns the virtualized subnet routes (10.2.1.0/24) hosted in the cloud by using BGP. This device also advertises the on-premises subnet routes (10.1.1.0/24) to the CSP RRAS Multitenant Gateway.

  • The customer edge router learns on-premises internal routes through one of the following mechanisms:

    • The edge device runs BGP with an internal router and learns internal routes (in this example, 10.1.1.0/24). Meanwhile, the internal router learns external routes (such as 10.2.1.0/24) from the edge device, and the internal router must distribute these routes to other on-premises routers using an Interior Gateway Protocol (IGP) such as Open Shortest Path First (OSPF) or Routing Information Protocol (RIP).

    • The edge device can be configured with static routes or interfaces to select routes for advertisement by using BGP. The edge device also distributes the external routes to other on-premises routers using an IGP.

Third party Gateway with BGP at Enterprise site edge

This topology depicts an Enterprise site using a third party edge router to connect to a CSP. The edge router also serves as a site-to-site VPN gateway.

The Enterprise edge router learns on-premises internal routes through one of the following mechanisms:

  • The edge device runs BGP with an internal router and learns internal routes (in this case, 10.1.1.0/24)

  • The edge device implements an Interior Gateway Protocol (IGP) and participates directly in internal routing.

Multiple Enterprise sites with third party gateways

This topology depicts multiple Enterprise sites that use third party gateways to connect to a CSP. The third party edge devices serve as site-to-site VPN gateways and as BGP routers.

The customer edge routers learn on-premises internal routes through one of the following mechanisms:

  • The edge device runs BGP with an internal router and learns internal routes (in this case, 10.1.1.0/24)

  • The edge device implements an Interior Gateway Protocol (IGP) and participates directly in internal routing.

Each Enterprise site learns the routes from the other site over the direct eBGP connectivity.

Each Enterprise site learns the hosted network routes directly and by using the other Enterprise site, but selects the best route based on the cost of the route.

If the BGP router at Enterprise Site 1 cannot connect with the CSP datacenter BGP router because connectivity has failed, the Site 1 BGP router dynamically begins to learn the routes to the CSP network by using the other Enterprise site (Site 2), and the traffic is seamlessly rerouted from Site 1 to Site 2 to the CSP.

Note

The RRAS Multitenant Gateway BGP router does not support eBGP paired with eBGP transit routing, so this scenario is only supported by using an Enterprise edge that uses a third party BGP solution. The RRAS Multitenant Gateway BGP router supports Internal BGP (iBGP) paired with iBGP, iBGP paired with eBGP, and eBGP paired with iBGP transit routing.

Separate termination points for BGP and VPN

This topology depicts an Enterprise that uses two different routers as the BGP and site-to-site VPN endpoints. Site-to-site VPN is terminated on the Windows Server 2012 R2 RRAS Gateway, while BGP is terminated on an internal router. At the CSP side of the connections, the CSP terminates both the VPN and BGP connections with the RRAS Multitenant Gateway. With this configuration, the internal third party router hardware must support redistribution of IGP routes to BGP, as well as redistributing BGP routes to IGP.

The internal router learns Enterprise routes through one of the following mechanisms:

  • BGP

  • An Interior Gateway Protocol (IGP) such as OSPF or RIP.

  • Static route configuration

When any IGP is used at the Enterprise site, the internal router must redistribute IGP routes into BGP - as well as redistribute BGP routes into IGP routes - for maintaining the subnet connectivity between CSP virtual networks and local Enterprise subnets.

With this deployment, the Enterprise RRAS Gateway has a site-to-site VPN connection with the CSP RRAS Multitenant Gateway, which provides the Enterprise RRAS Gateway with the routes to the CSP gateway. The Enterprise internal router then learns this route to the CSP gateway by using iBGP with the Enterprise RRAS Gateway. Because of this, the Enterprise internal router is then able to establish a peering session with the CSP RRAS Multitenant Gateway BGP Router.

From this point forward, the Enterprise internal router and the CSP RRAS Multitenant Gateway exchange routing information. And the Enterprise RRAS BGP router learns the CSP routes and Enterprise routes to physically route packets between the networks.

BGP Features

Following are the features of the RRAS Multitenant Gateway BGP Router.

BGP Statistics (Message counters, Route counters). The BGP Router supports displaying the message and route statistics, if required, by using the Get-BgpStatistics Windows PowerShell command.

Equal Cost Multi Path Routing (ECMP) support. The BGP Router supports ECMP and can have more than one equal cost routes plumbed into the BGP routing table and stack. The BGP router selection of the route for transmitting data packets is random with ECMP enabled.

HoldTime configuration. The BGP Router supports configuration of the HoldTimer value according to your network requirements. This timer can be dynamically changed to accommodate interoperability with third party devices or to maintain a specific maximum time for BGP peering session timeout.

Internal BGP and External BGP support. The BGP router supports both iBGP and eBGP peering. To configure either, you must ensure that the appropriate ASNs are assigned to the local and remote BGP Routers. All four BGP deployment topologies employ the use of eBGP peering, and the fourth topology uses iBGP peering as well.

Interoperability with 3rd party solutions. The BGP Router is based on the latest BGP version 4 specification, and has been tested for interoperability with most of the major third party BGP routing devices. For more information, see Request for Comments (RFC) 4271, A Border Gateway Protocol 4 (BGP-4).

IPv4 and IPv6 transport peering support. The BGP Router supports both IPv4 and IPv6 peering. However, you must configure the BGP Identifier as the IPv4 address of the BGP Router. For all of the BGP router deployment topologies, either of the two peering types (IPV4 / IPv6) can be used.

IPv4 and IPv6 unicast route learning and advertisement capability (Multiprotocol Network Layer Reachability Information [NLRI]). No matter what transport you use, the BGP Router can exchange IPv4 and IPv6 routes if the appropriate capability is announced by other BGP routers while establishing the session. To configure IPv6 routing, parameter IPv6Routing must be enabled, and a Local Global IPv6 address must be configured at the router level.

Mixed mode and Passive mode peering. You can configure BGP peering sessions in either mixed mode – where the BGP router acts as both initiator and responder - or passive mode, where the BGP router does not initiate peering, but does respond to incoming requests. Mixed mode is the default, and is recommended for BGP peering. This is true unless you want to use passive mode for debugging or diagnostic purposes. For all of the BGP router deployment topologies, mixed mode peering is required to enable automatic restarts in case of failure events.

Note

eBGP to eBGP transit routing support is not available on the BGP router.

Route Attribute rewrite capability. You can add, modify, or remove the following attributes from the BGP router ingress and egress route advertisements by using the BGP Routing policies Next-Hop, MED, Local-Pref, and Community.

Route filtering. The BGP router supports filtering ingress or egress route advertisements based on multiple route attributes such as Prefix, ASN-Range, Community, and Next-Hop.

Route-Reflector (RR) client. The BGP Router can act as a Route-Reflector client; however it cannot be used as a Route-Reflector itself. This is useful in cases where a new BGP Router needs to be introduced in complex topologies using third party BGP Routers deployed in RR mode.

Route-Refresh support. The BGP Router supports Route-Refresh and advertises this capability on peering by default. It is capable of sending a fresh set of route updates when requested by a peer via route-refresh message.

Static route configuration support. You can configure static routes or interfaces on the BGP Router by using the Add-BgpCustomRoute Windows PowerShell command. The static routes that you configure can be the prefixes or the name of the interfaces from which the routes must be chosen. However, only the routes with resolvable next-hops are plumbed into the BGP routing tables and advertised to peers.

Transit routing support. The BGP Router supports transit routing for both iBGP to iBGP connections and iBGP to eBGP connections. iBGP <-> eBGP transit routing is evident in all of the scenarios discussed in previous section.

For additional information, see the Networking blog Border Gateway Protocol (BGP) with Windows Server 2012 R2.

See Also

Routing and Remote Access Service (RRAS) Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide Windows Server Gateway