2349 Views, 11 Helpful, 17 Replies

Firepower BGP Route Manipulation

Solo356 (Level 1)

Hello Team,

How can we manipulate BGP attributes such as MED or AS-Path prepend for BGP routes received before sending them downstream?

Thank You.

17 Replies

M02@rt37 (VIP)

Hello @Solo356,

To manipulate BGP attributes such as MED or AS-Path prepend for BGP routes before sending them downstream, you can use:

--Route Maps: powerful tool for manipulating BGP attributes. You can create a route map that matches specific BGP routes based on criteria such as prefix, AS-Path, or community. Within the route map, you can set or modify attributes like MED or prepend the AS-Path. Then, apply the route map to the inbound or outbound BGP neighbor session or to specific BGP neighbors or peer groups.

--AS-Path Prepending: technique used to influence inbound traffic by adding additional occurrences of your own AS number to the AS-Path attribute. By prepending your AS number multiple times, you can make your routes less desirable to other ASes, effectively pushing traffic away from those routes. This can be accomplished using the [neighbor x.x.x.x route-map] command with a route map that modifies the AS-Path attribute.

--Communities: a way to group routes together and apply certain policies based on those groups. You can define and assign communities to BGP routes and then configure policies on routers to match those communities and modify the desired attributes (such as MED). By using communities, you can easily apply consistent attribute manipulation across multiple routers or peer groups.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/bgp_for_firepower_threat_defense.pdf

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
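As an added illustration (not part of the original reply), this is what the route-map approach described above looks like in Cisco IOS-style BGP syntax, the syntax the linked router documents use. AS numbers, neighbor addresses, prefixes and the route-map name are placeholders.

```cisco
! Added example, IOS-style syntax (not FTD): prepend the AS path and set
! MED on routes learned from one neighbor before re-advertising them to
! another. All AS numbers, addresses and prefixes are placeholders.
!
! Step 1: identify which received routes the policy should touch.
ip prefix-list CUSTOMER-PFX seq 10 permit 192.0.2.0/24
ip as-path access-list 10 permit ^65010_
!
! Step 2: route-map applied outbound toward the downstream neighbor.
! Sequence 10: matched prefixes get our own AS (65000) prepended twice
! and a higher MED, so the neighbor prefers another path if it has one.
route-map TO-DOWNSTREAM permit 10
 match ip address prefix-list CUSTOMER-PFX
 set as-path prepend 65000 65000
 set metric 200
! Sequence 20: routes originated by AS 65010 only get their MED raised.
route-map TO-DOWNSTREAM permit 20
 match as-path 10
 set metric 150
! Sequence 30: everything else passes unchanged. Without this entry the
! implicit deny at the end of the route-map would suppress all other routes.
route-map TO-DOWNSTREAM permit 30
!
! Step 3: bind the policy to the downstream neighbor, outbound direction.
router bgp 65000
 neighbor 198.51.100.2 remote-as 65010
 neighbor 203.0.113.2 remote-as 65020
 neighbor 203.0.113.2 route-map TO-DOWNSTREAM out
!
! Verification (read-only): confirm the rewritten attributes are what is
! actually advertised to the downstream peer.
! show ip bgp neighbors 203.0.113.2 advertised-routes
```

This is router-style CLI; on FTD such commands could only reach the device through FlexConfig, and the FTD configuration guide linked above does not document route-map attribute manipulation.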

Thanks for your swift response, but upon reading your reference document in detail, there is no mention of being able to use route-maps for attribute manipulation. All I can find is this:

- Routemaps in FTD are used for filtering purposes only.

- Check this section of the document you shared: Configure BGP General Settings


Kindly can you point me to where it shows how to modify the MED for a router or do AS-Prepend?

Thank You


Use FlexConfig of FDM or FMC.

Hey MHM,

I checked the FlexConfig section of the FMC config guide & could not find any example of how to do it, especially as I could not find it on ASA either, on how to manipulate BGP route attributes.

BR,

Ok @Solo356,

"can you point me to where it shows how to modify the MED for a router or do AS-Prepend?"

https://community.cisco.com/t5/networking-blogs/bgp-as-path-prepending-configuration/ba-p/3819334

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/112965-bgpmed-attr-00.html

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hey M02,

We need this config on Firepower Threat Defense. Do you have samples for that?

BR

@Solo356 how are you managing the FTD? FDM, FMC or CDO? And on what version?

If using FMC and a recent version, most settings can be configured without using FlexConfig. Settings such as MED can be configured. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/routing-bgp.html


Hey Rob,

I am using FMC & I read this document. I could not find where you can manipulate BGP attributes for incoming routes before I pass them to my neighbors; I am not referring to the networks I will advertise, where you can set custom attributes. The only thing I found was AS-Prepend, which comes with a caution to only use it for migration and then remove it. It seems these capabilities are for the routers only.

I could not find it for ASA either: how to configure BGP route attribute manipulation similar to what we can do on the routers.

BR,

AS-Prepend for migration is different from AS-Prepend for best path selection.
Try this way:

Step 1

Choose Devices > Device Management, and edit the FTD device.

Step 2

Select Routing.

Step 3

(For a non-virtual-router-aware device) Select BGP.

Step 4

Select the Enable BGP check box to enable the BGP routing process.

Step 5

In the AS Number field, enter the autonomous system (AS) number for the BGP process. The AS number internally includes multiple autonomous numbers. The AS number can be from 1 to 4294967295 or from 1.0 to 65535.65535. The AS number is a uniquely assigned value, that identifies each network on the Internet.

Step 6

(Optional) Edit the various BGP settings, starting with General. The defaults for these settings are appropriate in most cases, but you can adjust them to fit the needs of your network. Click Edit (pencil) to edit the settings in the group:

  1. In the Router ID drop-down list, select Automatic or Manual from the drop-down list. If you choose Automatic, the highest-level IP address on the Firepower Threat Defense device is used as the router ID. To use a fixed router ID, choose Manual and enter an IPv4 address in the IP Address field. The default value is Automatic.

  2. Enter the Number of AS numbers in AS_PATH attribute. An AS_PATH attribute is a sequence of intermediate AS numbers between source and destination routers that form a directed route for packets to travel. Valid values are between 1 and 254. The default value is None.

Hey MHM,

What I am looking for to be specific is:

Use AS path prepending to influence inbound routing into the peer's autonomous system. When using AS Path prepending, we need the firewall to artificially lengthen the AS path for routes it receives and then advertises to the neighbor downstream, making them view the path as much longer than it actually is.

This I can't find anywhere on FTD.

I hope this helps clarify my ask.

BR,

I know exactly what you want. I think this new feature in FMC can give you that:
AS-Prepend will add multiple AS numbers to the AS-path attribute, which, if I am correct, is what this option does.
If we specify 2, then the AS-path attribute will have two AS-path entries added (i.e. prepending makes your AS-path longer).

OK, but based on the configuration steps you are mentioning, this would apply to all routes advertised by FTD & received, if I understood correctly.

How to segregate? On routers we use route-maps to do all of that; here I can only see route-maps used for filtering purposes on FTD.

BR,

I get your point, so we return to the first point: route-map with FlexConfig in FMC.

Well, unfortunately there is no clear way to do it with FlexConfig, especially as I could not locate ASA code & commands to start with. It seems ASA does not have them either.

On top of that, FlexConfig can be tricky with TAC & support, as I read in the config guide.
