
UniFi - Border Gateway Protocol (BGP)

BGP is a dynamic routing protocol that establishes neighbor (peering) sessions with other gateways or Layer 3 switches and exchanges routing information within a single Autonomous System (AS) (internal BGP, iBGP) or between different ASes (external BGP, eBGP). Peering with one or more ISPs in a multi-homed setup provides redundancy and load balancing for traffic to and from the internet.

Requirements

One of the following switches or gateways is required:

  • EFG, UDM-Pro-Max, UDM-SE, UDM-Pro, or UDW with UniFi OS version 4.1.13 or newer
  • UXG-Enterprise with firmware version 4.1.8 or newer
  • ECS-Aggregation

How can I use BGP?

BGP is an extensive routing protocol that can be used for many different purposes. Examples include:

  • Set up neighbors with other gateways or L3 switches in the same AS and exchange routes internally.
  • Exchange routes over a VPN and redistribute routes into BGP.
  • Neighbor with your ISP in a single-homing setup and exchange routes.
  • Neighbor with multiple ISPs in a multi-homing setup, exchange routes and use traffic engineering to influence how inbound and outbound traffic is routed.

BGP Settings

BGP is enabled by uploading a configuration text file in FRR BGP format. The file needs to be created manually and the configuration lines will differ between setups. 

Note: Any additional configuration lines such as Prefix Lists or Route Maps must be placed at the bottom of the file after exiting out of the router bgp section.

Example - BGP Neighbor with ISP

The below example configures a BGP neighbor to an ISP to advertise your local public network upstream using BGP. This allows your prefix to be globally routable and ensures that inbound traffic reaches your network through the ISP.

  1. Initialize BGP and assign your local Autonomous System (AS) number: router bgp <local-as-number>
  2. Set the router ID, which acts as a unique identifier for the BGP instance: bgp router-id <id>
  3. Advertise your local network (203.0.113.0/24) to the ISP, allowing it to be globally routable. The prefix must be one your organization holds and has agreed with the ISP to announce; ISPs normally filter customer announcements against the registered prefixes: network <local-network-ip> mask <subnet-mask>
  4. Establish a BGP session with the ISP, referencing its AS number: neighbor <isp-ip> remote-as <isp-as-number>
  5. Optional: configure TCP MD5 authentication (RFC 2385) so that spoofed segments cannot inject data into or reset the session. The password must match the one configured by the ISP; it authenticates the session but does not encrypt it: neighbor <isp-ip> password <password>
  6. Optional: add a local description for the peer for easier identification: neighbor <isp-ip> description <text>
  7. Optional: reference a Route Map that limits which received prefixes are accepted. Accepting everything from the ISP (permit any, as in the example below) is common for a default-route or full-table feed, but a stricter list limits what a misconfigured peer can inject into your routing table: neighbor <isp-ip> route-map <route-map-name> in
  8. Optional: reference a Route Map that limits which prefixes are advertised, so that only your own public prefix leaks upstream: neighbor <isp-ip> route-map <route-map-name> out
  9. Enable soft reconfiguration to store a copy of the received routes. This allows applying route policy changes without resetting the session: neighbor <isp-ip> soft-reconfiguration inbound
  10. If a Route Map was referenced in step 7 or 8, exit out of the router bgp section and add the additional configuration at the bottom of the file. In the example below, the activate, soft-reconfiguration and route-map lines are placed inside an address-family ipv4 block that is closed with exit-address-family before the router bgp section is exited.
    1. Add the Route Maps: route-map <route-map-name> permit <sequence-number>
    2. Match a Prefix List inside each Route Map: match ip address prefix-list <prefix-list-name>
    3. Add the Prefix Lists that the Route Maps match: ip prefix-list <prefix-list-name> seq <sequence-number> permit <prefix>

router bgp 65000
bgp router-id 198.51.100.1
!
network 203.0.113.0 mask 255.255.255.0
!
neighbor 198.51.100.2 remote-as 65001
neighbor 198.51.100.2 password securesecret1
neighbor 198.51.100.2 description ISP
!
address-family ipv4
neighbor 198.51.100.2 activate
neighbor 198.51.100.2 soft-reconfiguration inbound
neighbor 198.51.100.2 route-map ACCEPT_ROUTES in
neighbor 198.51.100.2 route-map ADVERTISED_ROUTES out
exit-address-family
!
exit
!
route-map ACCEPT_ROUTES permit 10
match ip address prefix-list ACCEPT_ALL
exit
!
route-map ADVERTISED_ROUTES permit 10
match ip address prefix-list ADVERTISE_SPECIFIC
exit
!
ip prefix-list ACCEPT_ALL seq 5 permit any
!
ip prefix-list ADVERTISE_SPECIFIC seq 5 permit 203.0.113.0/24

Note: In this example, the BGP session to the ISP also requires opening TCP port 179 through the firewall. This is done by creating an External to Gateway zone firewall policy that allows the BGP service. Restrict the policy's source to the ISP peer address (198.51.100.2 here) rather than any source, so that only the intended neighbor can reach the gateway's BGP listener.

Example - BGP Neighbor with AWS over IPsec Site-to-Site VPN

The below example configures two BGP neighbors to AWS, one over each IPsec tunnel of a Site-to-Site VPN connection, to allow dynamic route exchange between your on-premises network and AWS. This is useful for hybrid cloud environments where you need to advertise your own prefixes to AWS without managing static routes, and the second tunnel keeps routes exchanged if the first one fails.

  1. Initialize BGP and assign your local Autonomous System (AS) number: router bgp <local-as-number>
  2. Set the router ID, which acts as a unique identifier for the BGP instance: bgp router-id <id>
  3. Advertise your local network (203.0.113.0/24) to AWS, allowing the on-premises network to be reached by servers in the cloud: network <network-ip> mask <subnet-mask>
  4. Establish a BGP session with AWS over the first IPsec VPN tunnel, referencing its AS number: neighbor <remote-tunnel-ip-1> remote-as <aws-as-number>
  5. Establish a BGP session over the second IPsec VPN tunnel, referencing the same AS number: neighbor <remote-tunnel-ip-2> remote-as <aws-as-number>
  6. Optional: add a local description for each peer for easier identification: neighbor <ip> description <text>
  7. Optional: reference a Route Map that limits which received prefixes are accepted: neighbor <ip> route-map <route-map-name> in
  8. Optional: reference a Route Map that limits which prefixes are advertised: neighbor <ip> route-map <route-map-name> out
  9. Enable soft reconfiguration to store a copy of the received routes for the first IPsec VPN tunnel. This allows applying route policy changes without resetting the session: neighbor <remote-tunnel-ip-1> soft-reconfiguration inbound
  10. Enable soft reconfiguration for the second IPsec VPN tunnel: neighbor <remote-tunnel-ip-2> soft-reconfiguration inbound
  11. If a Route Map was referenced in step 7 or 8, exit out of the router bgp section and add the additional configuration at the bottom of the file. Apply the same Route Maps to both neighbors, as in the example below, so that routing policy stays identical when traffic fails over from one tunnel to the other.
    1. Add the Route Maps: route-map <route-map-name> permit <sequence-number>
    2. Match a Prefix List inside each Route Map: match ip address prefix-list <prefix-list-name>
    3. Add the Prefix Lists that the Route Maps match: ip prefix-list <prefix-list-name> seq <sequence-number> permit <prefix>

Note: The tunnel IP addresses on the UniFi Gateway are configured as 169.254.100.1 and 169.254.101.1 and AWS uses 169.254.100.2 and 169.254.101.2 in this example.

router bgp 65000
bgp router-id 198.51.100.1
!
network 203.0.113.0 mask 255.255.255.0
!
neighbor 169.254.100.2 remote-as 65001
neighbor 169.254.100.2 description Tunnel1
!
neighbor 169.254.101.2 remote-as 65001
neighbor 169.254.101.2 description Tunnel2
!
address-family ipv4
neighbor 169.254.100.2 activate
neighbor 169.254.100.2 soft-reconfiguration inbound
neighbor 169.254.100.2 route-map ACCEPT_ROUTES in
neighbor 169.254.100.2 route-map ADVERTISED_ROUTES out
neighbor 169.254.101.2 activate
neighbor 169.254.101.2 soft-reconfiguration inbound
neighbor 169.254.101.2 route-map ACCEPT_ROUTES in
neighbor 169.254.101.2 route-map ADVERTISED_ROUTES out
exit-address-family
!
exit
!
route-map ACCEPT_ROUTES permit 10
match ip address prefix-list ACCEPT_ALL
exit
!
route-map ADVERTISED_ROUTES permit 10
match ip address prefix-list ADVERTISE_SPECIFIC
exit
!
ip prefix-list ACCEPT_ALL seq 5 permit any
!
ip prefix-list ADVERTISE_SPECIFIC seq 5 permit 203.0.113.0/24
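Both examples above, and the note under BGP Settings, describe a hand-written FRR-format file that the gateway accepts without much feedback. The following Python linter is an added example, not UniFi's or FRR's own tooling: it checks that Route Maps and Prefix Lists appear only after the router bgp section has been exited, that every referenced Route Map and Prefix List is actually defined, and, for eBGP peers, that a TCP MD5 password and a maximum-prefix limit are set and that the inbound policy does not accept every prefix. The sample it lints is a copy of the article's ISP configuration; the hardened variant (accept only a default route, cap the peer at ten prefixes) is my assumption of what a stricter ISP policy looks like, not something the article shows. The constructed findings text and the heuristics are mine.

```python
"""Lint an FRR-format BGP file before uploading it (added example, not UniFi or FRR tooling)."""

def parse(text):
    """Return (local_as, neighbors, route_maps, prefix_lists, misplaced_lines)."""
    local_as, neighbors, route_maps, prefix_lists, misplaced = None, {}, {}, {}, []
    in_bgp, current_rm = False, None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("!"):          # blank or comment line
            continue
        if in_bgp and toks[0] in ("route-map", "ip"):     # article's rule: these belong after 'exit'
            misplaced.append(raw.strip())
        if toks[:2] == ["router", "bgp"]:
            local_as, in_bgp = int(toks[2]), True
        elif toks == ["exit"]:                            # leaves router bgp or a route-map
            in_bgp, current_rm = False, None
        elif toks[0] == "neighbor":
            n = neighbors.setdefault(toks[1], {"remote_as": None, "password": False,
                                               "max_prefix": False, "rmap_in": None, "rmap_out": None})
            if toks[2] == "remote-as":
                n["remote_as"] = int(toks[3])
            elif toks[2] in ("password", "maximum-prefix"):
                n["password" if toks[2] == "password" else "max_prefix"] = True
            elif toks[2] == "route-map":                  # neighbor X route-map NAME in|out
                n["rmap_in" if toks[4] == "in" else "rmap_out"] = toks[3]
        elif toks[0] == "route-map":                      # route-map NAME permit|deny SEQ
            current_rm = toks[1]
            route_maps.setdefault(current_rm, []).append([toks[2], None])
        elif toks[:4] == ["match", "ip", "address", "prefix-list"] and current_rm:
            route_maps[current_rm][-1][1] = toks[4]       # prefix-list used by the current entry
        elif toks[:2] == ["ip", "prefix-list"]:           # ip prefix-list NAME seq N permit|deny PFX [ge/le N]
            prefix_lists.setdefault(toks[2], []).append((toks[5], toks[6], " ".join(toks[7:])))
    return local_as, neighbors, route_maps, prefix_lists, misplaced

def permits_everything(rmap, route_maps, prefix_lists):
    """True if the route-map lets every prefix through: no match clause, 'any', or '0.0.0.0/0 le N'."""
    for action, pl in route_maps.get(rmap, []):
        if action == "permit" and (pl is None or any(
                a == "permit" and (p == "any" or (p == "0.0.0.0/0" and "le" in m))
                for a, p, m in prefix_lists.get(pl, []))):
            return True
    return False

def lint(text):
    """Return a list of (severity, message); an empty list means the file passed."""
    local_as, neighbors, route_maps, prefix_lists, misplaced = parse(text)
    findings = [("error", f"defined inside 'router bgp', move it after 'exit': {line}") for line in misplaced]
    for ip, n in neighbors.items():
        for rm in (n["rmap_in"], n["rmap_out"]):
            if rm and rm not in route_maps:
                findings.append(("error", f"{ip}: route-map {rm} is referenced but never defined"))
            for _, pl in route_maps.get(rm, []):
                if pl and pl not in prefix_lists:
                    findings.append(("error", f"{ip}: route-map {rm} matches undefined prefix-list {pl}"))
        if n["remote_as"] is None or n["remote_as"] == local_as:
            continue                                      # remaining checks are for eBGP peers only
        if not n["password"]:
            findings.append(("warning", f"{ip}: eBGP session has no TCP MD5 password"))
        if not n["max_prefix"]:
            findings.append(("warning", f"{ip}: no maximum-prefix limit on eBGP peer"))
        if n["rmap_in"] is None or permits_everything(n["rmap_in"], route_maps, prefix_lists):
            findings.append(("warning", f"{ip}: inbound policy accepts every prefix from eBGP peer"))
    return findings

# Constructed sample: the article's ISP example with the "!" separator lines dropped.
PAGE_CONFIG = """\
router bgp 65000
bgp router-id 198.51.100.1
network 203.0.113.0 mask 255.255.255.0
neighbor 198.51.100.2 remote-as 65001
neighbor 198.51.100.2 password securesecret1
neighbor 198.51.100.2 description ISP
address-family ipv4
neighbor 198.51.100.2 activate
neighbor 198.51.100.2 soft-reconfiguration inbound
neighbor 198.51.100.2 route-map ACCEPT_ROUTES in
neighbor 198.51.100.2 route-map ADVERTISED_ROUTES out
exit-address-family
exit
route-map ACCEPT_ROUTES permit 10
match ip address prefix-list ACCEPT_ALL
exit
route-map ADVERTISED_ROUTES permit 10
match ip address prefix-list ADVERTISE_SPECIFIC
exit
ip prefix-list ACCEPT_ALL seq 5 permit any
ip prefix-list ADVERTISE_SPECIFIC seq 5 permit 203.0.113.0/24
"""

# Assumed hardened variant (not from the article): take only a default route from the ISP and
# cap how many prefixes the peer may send before FRR tears the session down.
HARDENED_CONFIG = PAGE_CONFIG.replace("permit any", "permit 0.0.0.0/0").replace(
    "neighbor 198.51.100.2 activate",
    "neighbor 198.51.100.2 activate\nneighbor 198.51.100.2 maximum-prefix 10")

if __name__ == "__main__":
    for name, cfg in (("article", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint(cfg) or "OK")
```

Run against the article's ISP file, lint returns two warnings (accept-all inbound policy, no maximum-prefix) and no errors; the hardened variant passes clean. Run against the AWS file, it warns that both tunnel peers lack a password; that warning can be waived there because the sessions run inside IPsec, which is also why the article's AWS example sets none. The structural error is the one worth taking seriously before upload: a Route Map placed inside the router bgp section never takes effect as intended, and a Route Map that is referenced but never defined results in FRR denying every route through it, so the session comes up but carries nothing.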