https://techlib.barracuda.com/DoFq
OSPF Basics
OSPF is a link-state protocol and uses the Dijkstra algorithm to calculate the shortest path tree. A router's interface is the "link". The "state" of this interface is summed up by its IP address, subnet mask, interface type, and neighbour state. Every router keeps track of all connected interfaces and their states and sends this information to its neighbours via multicast. These packets are known as LSAs (Link State Advertisements). The router builds its link state database from the information provided by the LSAs. Every time a network change occurs, LSAs containing the new information are sent, triggering every router to update its database. After having received all LSAs, the router calculates the loop-free topology. LSAs cannot be filtered within an area because all routers in an area must have the same link state database. If some information is missing, routing loops can occur.
OSPF is a hierarchical IGP; it uses Areas to achieve this. The top-level Area is known as the Backbone Area, and the number of this Area always has to be 0 or 0.0.0.0 - this is a must. All other Areas must be physically connected to this Backbone Area. A very important thing within OSPF is that Areas must not be split. (If this cannot be avoided, a virtual link has to be used to expand Area 0 over any other area.) Routers within an area are known as Area Routers. Routers connected to two or more areas are known as Area Border Routers (ABR), and routers connected to other autonomous systems are called Autonomous System Boundary Routers (ASBR). Routing information may be summarized on ABRs and ASBRs; it is not possible to summarize routing information within an area.
The metric used by OSPF is cost. Every link has an associated cost value, derived from the link bandwidth. The metric to a destination is calculated by adding up all costs. If there are several possible paths to a destination, the route with the lowest cost is chosen as the best route. To advertise LSAs, the router has to be in an OSPF neighbourship with other routers. When this neighbourship is fully established, the interfaces begin sending the updates (LSAs). To build an adjacency, hello packets are continuously exchanged between neighbouring routers. This also keeps track of the existence of the connected OSPF neighbours. To reduce the number of updates exchanged on a broadcast medium (for example Ethernet), LSAs are only sent to a so-called Designated Router (DR). This interface advertises the information to all other routers on the shared medium. Without a DR, an any-to-any neighbourship between all OSPF routers on this segment would be needed. For backup reasons, a Backup DR (BDR) is elected. Every other router establishes neighbourship only with the DR and BDR.
Areas can be configured as stub areas, where external routes are not advertised by ABRs to the Area Routers. Instead, a default route is injected into the area. Area 0 cannot be a stub area.
OSPF is very CPU and memory intensive. Therefore, be careful when enabling OSPF on low-end interfaces in a large network.
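The cost-based path selection described above, as an added Python example that is not part of the original documentation: every router advertises its own interface costs (reference bandwidth divided by link bandwidth) and SPF adds them up along each path. The topology, the router names and the integer rounding of the cost are assumptions; the second run shows the effect of one router using a different reference bandwidth than the others.

```python
import heapq

# Constructed sample topology: (router, router, link bandwidth in Mbit/s).
LINKS = [
    ("A", "B", 10000), ("B", "D", 10000),
    ("A", "C", 1000), ("C", "D", 1000),
    ("A", "D", 100),
]


def link_cost(bandwidth, reference):
    """Cost = reference bandwidth / link bandwidth (assumed: integer, minimum 1)."""
    return max(1, reference // bandwidth)


def build_lsdb(reference_by_router):
    """Link state database: each router advertises the cost of its own interfaces."""
    lsdb = {}
    for a, b, bandwidth in LINKS:
        lsdb.setdefault(a, {})[b] = link_cost(bandwidth, reference_by_router[a])
        lsdb.setdefault(b, {})[a] = link_cost(bandwidth, reference_by_router[b])
    return lsdb


def spf(lsdb, root):
    """Dijkstra over the LSDB: returns {destination: (total cost, path from root)}."""
    best = {}
    heap = [(0, root, [root])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in best:
            continue                      # already reached by a cheaper path
        best[node] = (cost, path)
        for neighbour, link in lsdb[node].items():
            if neighbour not in best:
                heapq.heappush(heap, (cost + link, neighbour, path + [neighbour]))
    return best


if __name__ == "__main__":
    # All routers use the same reference bandwidth (10000 Mbit/s).
    same = build_lsdb({router: 10000 for router in "ABCD"})
    print("A -> D:", spf(same, "A")["D"])   # via the two 10 Gbit/s links
    print("D -> A:", spf(same, "D")["A"])   # same links in reverse

    # Router D alone uses a reference bandwidth of 100 Mbit/s: all of its
    # interfaces cost 1, so it prefers the slow direct link back to A.
    mixed = build_lsdb({"A": 10000, "B": 10000, "C": 10000, "D": 100})
    print("A -> D:", spf(mixed, "A")["D"])
    print("D -> A:", spf(mixed, "D")["A"])
```

With the mismatched value, traffic from A to D still uses the fast links while the return traffic takes the 100 Mbit/s link.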
RIP Basics
RIP is a distance-vector protocol. The expression "distance-vector" can be defined as follows: The vector is the direction to the destination (next hop); the distance is treated as a metric type. Example: Destination A is a distance of 3 hops away and the direction is via router AA. RIP uses hop count as its metric. A maximum of 15 hops is possible; metric 16 means that a network is unreachable. All RIP routers periodically send routing updates. Every update includes the whole routing table. The following techniques have been introduced to prevent routing loops:
Split Horizon - When sending updates out a particular interface, the routes learned from this interface are not included in the update.
Split Horizon with Poison reverse - This method is an extension to Split Horizon. The router includes learned routes in the update but marks these routes as unreachable.
Counting to infinity - Used to recognize unreachable networks on link failures. Infinity in RIP is defined as 16 hops. Every time a routing update passes a router, the hop count is increased by 1. When the counter reaches 16, the network is considered unreachable.
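The three techniques above, simulated in Python as an added example that is not part of the original documentation. The chain topology, the router names and the update order (downstream routers send their periodic update before R1 announces the failure) are assumptions chosen to show the worst case.

```python
INFINITY = 16  # RIP: metric 16 means "network unreachable"

# Constructed topology: network X --- R1 --- R2 --- R3 (a simple chain).
LINKS = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2"]}


def converged_tables():
    """Route to network X before the failure: {router: [metric, next hop]}."""
    return {"R1": [1, None], "R2": [2, "R1"], "R3": [3, "R2"]}


def advertised_metric(entry, receiver, mode):
    """Metric the sender puts in its update to `receiver`, or None to omit the route."""
    metric, next_hop = entry
    if next_hop == receiver:            # the route was learned from this neighbour
        if mode == "split_horizon":
            return None                 # leave it out of the update
        if mode == "poison_reverse":
            return INFINITY             # include it, marked as unreachable
    return metric


def receive(entry, sender, metric):
    """Apply one received route to the receiver's table entry (in place)."""
    new_metric = min(metric + 1, INFINITY)      # every hop adds 1
    # An update from the current next hop is always believed, even if it is
    # worse; an update from anyone else only wins with a better metric.
    if entry[1] == sender or new_metric < entry[0]:
        entry[0] = new_metric
        entry[1] = sender


def simulate_failure(mode, send_order=("R3", "R2", "R1"), max_rounds=50):
    """Fail network X on R1; count update rounds until every router sees 16.

    Returns (rounds, R1's metric for X after each round).
    """
    tables = converged_tables()
    tables["R1"] = [INFINITY, None]             # R1 loses its link to X
    r1_history = []
    for rounds in range(1, max_rounds + 1):
        for sender in send_order:
            for receiver in LINKS[sender]:
                metric = advertised_metric(tables[sender], receiver, mode)
                if metric is not None:
                    receive(tables[receiver], sender, metric)
        r1_history.append(tables["R1"][0])
        if all(entry[0] == INFINITY for entry in tables.values()):
            return rounds, r1_history
    raise RuntimeError("no convergence within max_rounds")


if __name__ == "__main__":
    for mode in ("none", "split_horizon", "poison_reverse"):
        rounds, history = simulate_failure(mode)
        print(f"{mode:15s} rounds={rounds} R1 metric per round={history}")
```

Without either technique, R1 re-learns the dead network from R2 and both count up to 16; with split horizon or poison reverse, R1 never accepts its own route back.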
RIPv1 is classful, which means that subnet information cannot be distributed. RIPv2, on the other hand, is classless, which means that the subnet mask is included in the routing update.
BGP Basics
BGP is an Exterior Gateway Protocol (EGP) and is typically used to connect autonomous systems (AS) of Internet service providers. BGP calculates routing paths based on several attributes such as AS Path, IGP-Metric, Multi-Exit Discriminator, Communities, Local Preferences, Next Hop, Weight and Origin. Autonomous systems communicate with each other through TCP sessions on port 179. BGP can run between peers in the same AS as well as between peers on the border to other AS. So it acts as an IBGP (Interior Border Gateway Protocol) as well as an Exterior Gateway Protocol (EGP).
Protocol Comparison
The following table summarizes the feature differences between the supported dynamic routing protocols.
| Attribute | OSPF | RIP | BGP |
| --- | --- | --- | --- |
| Convergence | Fast | Slow | Slow |
| Network size | | | |
| Need of device resources | | | |
| Need of network resources | | | |
| Metric | Is based on bandwidth. | | |
| Design | Hierarchical network possible. | Flat network. | Fully meshed. |
HA Operation
The OSPF/RIP service synchronizes externally learned routes with its HA partner. Routes cannot be introduced on the partner while it is "passive", because the network routes required to do so are missing. The external routes HA information is thus stored in a file and introduced on the HA system during startup of the OSPF/RIP service. Takeover and startup of the OSPF/RIP service usually take a few seconds. The HA routes are introduced as protocol "extha" (number 245). These routes are then either replaced by newly learned external OSPF or RIP routes (protocols "ospfext" or "ripext") or removed by the HA garbage collection after five minutes.
On a Barracuda NG Firewall, route selection depends directly on the metric of a route; routes with a lower metric are preferred to routes with a higher metric. Static routes have a metric of 1 by default. RIP routes can have a maximum metric of 15 hops, and OSPF routes will mostly have a cost of more than 20. As it is desirable that OSPF routes be preferred to RIP routes, metrics can be increased artificially by defining administrative distances. The corresponding parameter Administrative Distance for RIP is set to 120 by default. The equivalent parameter Admin Distance for OSPF is left empty by default. The value specified for the administrative distance is added to every route learned through OSPF or RIP respectively.
Operational Setup
Idle Mode - If this parameter is set to yes, the OSPF/RIP/BGP wrapper is started by the control daemon but does not start up the actual OSPF/RIP/BGP routing service.
Run OSPF Router - By setting this value the OSPF routing functionality can be enabled or disabled.
Run RIP Router - By setting this value the RIP routing functionality can be enabled or disabled.
By setting this value the BGP routing functionality can be enabled or disabled.
Hostname - Allows overriding the propagated hostname, which by default is the box hostname.
Operation Mode - The operation mode defines handling of route learning and propagation. The following settings are possible:
advertise-only - Routes are only advertised.
learn-only - Networks are not propagated, except those networks living on the interfaces configured for OSPF/RIP/BGP themselves; learned routes from other systems are still advertised.
advertise-learn - OSPF/BGP routes are learned and propagated.
Router ID - Every OSPF/BGP router is identified by its Router ID. This ID is defined by an IP address explicitly configured for this router. Note that the router ID must also be set if the routing service only provides a RIP service; although it is not used by RIP, you must enter any IP address.
OSPF Preferences
Log Level - critical, debugging, emergencies, errors, informational (default), notifications, warnings, alerts
Use Special Routing Table - By setting this parameter to yes and selecting a table name below, routes learned by the OSPF service are introduced into their own routing table. Note that the routing table is not automatically introduced but has to be configured manually by introducing Policy Routes.
Table Names - A list of policy routing names can be specified here. Routes learned by the routing daemon are introduced into each of the listed routing tables.
Multipath Handling - ignore, assign-internal-preferences, accept-on-same-device, accept-all (default)
For more detailed information on OSPF Router configuration, see How to Configure OSPF Routers and Areas.
RIP Preferences
This section, accessible via the link in the Configuration menu, can be specified the same way.
For more detailed information on RIP Router configuration, see How to Configure RIP Router Setup.
For a setup example including screenprints, see Example for OSPF and RIP Configuration.
Description
AS Number
Confederation Parent AS Number of the autonomous system that internally includes multiple sub-autonomous systems
(aka confederation).
Confederation Partners
Terminal Password - Password to connect to the BGP router through telnet. The system is reachable on loopback TCP port 2605.
Privileged Terminal Password
Networks - Enter all networks the BGP router should run on. When running an Exterior Gateway Protocol BGP router, enter your WAN network. Make sure to enter an IP address including netmask. For example: 210.80.90.100/26
Route Aggregations - Enter network addresses to perform route aggregation to decrease the size of routing tables.
Advanced settings
BGP Preferences
Setting
Description
Log Level
Routes learned via BGP will not be introduced in main table, but in tables given below.
Table Names
Multipath Handling
For more detailed information on BGP Router configuration, see How to Configure BGP Router Setup.
GUI as Text
This parameter set is only available in Advanced View mode. The configuration done with the GUI is displayed here in
quagga/Cisco commands.
Show as Text - Set this to yes to show created OSPF syntax configuration after Send Changes.
OSPF Text - Created OSPF syntax configuration. Shown, if Show as Text is set to yes.
RIP Text - Created RIP syntax configuration. Shown, if Show as Text is set to yes.
BGP Text - Created BGP syntax configuration. Shown, if Show as Text is set to yes.
Use Free Format - Set this to yes to use free OSPF/RIP syntax configuration.
Free Format Text - OSPF/RIP/BGP syntax configuration. This field applies when parameter Use Free Format is set to yes.
In this configuration example, the required box network route "10.0.66.0/24 via dev eth1" is completely included in the
additional box network route (bold). This will lead to a mismatch in the OSPF configuration. OSPF will neither detect eth0 nor
eth1 as OSPF enabled and therefore not work.
Description
ABR Type - Specifies the area border router (ABR) behavior of the OSPF routing daemon. You can select: Not an ABR, Cisco Type, Standard RFC 2328 Type, IBM Type.
Terminal Password - The password to connect via telnet. The OSPF router is reachable on TCP port 2604 (loopback only).
Privileged Terminal Password
RFC1583 Compatibility - Specifies if the router is compatible with RFC 1583 standards.
Auto-Cost Ref Bwidth [MBit/s] - The OSPF metric. This metric is calculated as reference bandwidth divided by bandwidth. The default setting is 10000. This value is overwritten by explicit cost statements. This setting should be used equally with all OSPF routers in an autonomous system. Otherwise, the metric calculation will be incorrect.
Network Prefix - Defines the interfaces on which OSPF runs and the networks that are propagated as OSPF intra-area or inter-area routes. Enter a network address including the network mask.
Network Area
Advanced Settings
Default Route Distribution - The default route distribution settings. To edit the following settings, click Edit:
OSPF Metric - Set the metric in the router's link state advertisement. The SPF algorithm uses this value to calculate the cost for each route. Routes with lower costs are preferred over routes with higher costs.
OSPF External Metric - Select an external metric type:
Type1 - Type 1 external routes have a cost that is the sum of the cost of this external route plus the cost to reach the ASBR.
Type2 - The cost of Type 2 external routes is defined similarly to the cost of Type 1 routes but without the cost to reach the ASBR.
Route Maps - Filter definitions. Reference the Route Map Filters settings on the Filter Setup page. For more information, see How to Configure Filter Setup for OSPF and RIP.
Route Redistribution - In this table, add route redistribution settings. For each entry, you can edit the following settings:
Route Types - The route type. You can select connected, RIP, or BGP.
OSPF Metric - Set the metric in the router's link state advertisement. The SPF algorithm uses this value to calculate the cost for each route. Routes with lower costs are preferred over routes with higher costs.
OSPF External Metric - If required, select an external metric type:
Type1 - Type 1 external routes have a cost that is the sum of the cost of this external route plus the cost to reach the ASBR.
Type2 - The cost of Type 2 external routes is defined similarly to the cost of Type 1 routes but without the cost to reach the ASBR.
Otherwise, select NOT-SET if an external metric setting is not required.
Route Maps - Filter definitions. Reference the Route Map Filters settings on the Filter Setup page. For more information, see How to Configure Filter Setup for OSPF and RIP.
1. Open the OSPF/RIP/BGP Settings page (Config > Full Config > Box > Virtual Servers > your server > Assigned
2. Click Lock.
3. From the Configuration menu in the left navigation pane, select OSPF Router Setup.
Description
Enable Configuration
Area ID Format - Specifies which format is used to enter the area ID. You can select:
Integer (default) - Enter your area ID as an integer in the Area ID [Int] field.
Quad-IP - Enter your area ID as a Quad IP address in the Area ID [IP] field.
Area ID [IP]
Area ID [Int] - The area ID as a number. For example, 0. The ID for the first area must be 0.
Authentication Type
Special Type
The virtual link ID for this area. This setting is only available in Advanced View mode.
To edit the settings for the virtual link, click Edit. For more information on these settings,
see the "Template Configuration" section of How to Configure Network Interfaces for
OSPF and RIP. This setting is only available in Advanced View mode.
The cost for the default route injected in an attached stub area.
In this table, configure special actions for a summary range. For each entry, you can edit
the following settings:
Summary Range IP/Mask - The IP address/mask of the summary range.
Range Action - The special action for the range. You can select:
advertise (default)
non-advertise
substitute
Range Cost - Cost for a range.
Advertised Range - Advertise configured range to.
Area in Filters
1. Open the OSPF/RIP/BGP Settings page (Config > Full Config > Box > Virtual Servers > your
2. Click Lock.
3. From the Configuration menu in the left navigation pane, select OSPF Area Setup.
Click OK.
Click Send Changes and then click Activate.
This tab only has to be configured when RIP has been activated in the Operational Setup tab by setting the Run RIP Router parameter to yes. Global RIP settings such as version, timers and authentication, and the interfaces on which the RIP process is to run, are specified here.
Description
RIP Keychains
Key/Key String
RIP Version
RIP Terminal Password - Password to connect via telnet and query status information of the RIP router. The RIP router is reachable on TCP port 2604 (loopback only). This is mainly useful for debugging purposes. Note that remote connection to the RIP terminal is not possible.
Privileged RIP Terminal Password - Password to connect via telnet and change configuration of the RIP router (not recommended since changes made via the terminal are not persistent). Note that remote connection to the RIP terminal is not possible.
Networks
Route Update Filtering is used to provide Access Control Mechanisms and mechanisms to fine-tune RIP
metrics.
Version_1 (classful)
Version_2 (classless)
Metric Offsets
Configuring Metric Offsets adds an offset to incoming and
outgoing metrics to routes learned via RIP.
Update Direction
Enforced Metric
ACLs Devices
Update Direction
Object Type
ACLs
IP Prefix List
Devices
In the RIP Preferences section, accessible from the Configuration menu, the settings can be specified as follows:
Log Level - Specifies the verbosity of the RIP routing service. Available values are: critical, debugging, emergencies, errors, informational (default), notifications, warnings, alerts
Use Special Routing Table - By setting this parameter to yes and selecting a table name below, routes learned by the RIP service are introduced into their own routing table. Note that the routing table is not automatically introduced, but has to be configured manually by introducing How to Configure RIP Router Setup.
Table Names - A list of policy routing names can be specified here. Routes learned by the routing daemon are introduced into each of the listed routing tables.
Multipath Handling
1. Open the OSPF/RIP Settings page (Config > Full Config > Box > Virtual Servers > your server > Assigned
2. Click Lock.
Requirements
Request or own a unique ARIN-registered autonomous system (AS) number for your BGP site.
Know the AS numbers of BGP sites to be connected.
Create an OSPF/RIP/BGP service on the Barracuda NG Firewall. For more information on creating services, see How to
Create a Service.
name > Assigned Services > service name (OSP-RIP-BGP-Service) > OSPF/RIP/BGP Settings).
Enable BGP (If you are not using OSPF and RIP, disable them).
From the Operation Mode drop down field, select one of the following options according to your
requirements:
a. advertise-only - Networks are only advertised.
b. learn-only - Only networks on the interfaces that are configured for OSPF/RIP/BGP are propagated; learned
routes from other systems are still advertised.
c. advertise-learn - Networks are learned and propagated.
In the Hostname field, enter the hostname of the BGP router.
In the Router ID field, enter the IP address of the BGP router. You can enter any address from your ARIN range. Usually, the first or last IP address in the subnet is used. You must also add this IP address as an additional IP address in the Virtual Server Properties on the Barracuda NG Firewall, as described later in Step 6 of the configuration.
pane.
2. In the AS Number field, enter the AS number that you received from the ARIN. (This is the number of the
You must only start configuring the neighbor settings on the provider side after you have completed the previous
sections for enabling BGP, configuring the BGP router and adding an IP prefix filter. Otherwise, the BGP routing
infrastructure will dampen any ICMP request and response, and the BGP service will have to be restarted on the ISP
side. This ping dampening will occur whenever the BGP service goes up and down numerous times over a small period
of time.
1. On the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4 from the Configuration menu in the left navigation
pane.
2. In the Neighbors table, add an entry for each provider network:
a. Enter a descriptive name for the network and then click OK. The Neighbors window opens.
b. In the Neighbor IP field, enter the default gateway IP address of the existing provider.
c. From the Enable BGP Routing Protocol Usage list, select yes.
d. In the BGP Parameters section, enter the BGP AS number of the ISP. (Do not enter the customer AS number that was
specified in the BGP router settings.)
e. In the Neighbor Password field, enter the password that should be used to connect to the neighbor peer.
f. Select yes from the Update Source drop down list to enable the Update Source Interface setting.
g. In the Update Source Interface field, enter an IP address from your network that should be used for the BGP session to this neighbor. If you only advertise the ARIN route to go to providers (and not the network IP ranges or the ranges of other ISPs), it is highly recommended that you configure the Peer Filtering for Output settings. Select the Peer Filter from the IP filter list that you created in the previous section (Add an IP Prefix Filter).
h. Click OK.
3. Click Send Changes and then click Activate.
Load Interface Info - If set to yes, the list of available interfaces is loaded after execution of Send Changes.
Interfaces - See Interface list (Available Interfaces).
Network Type - Type of network. Ethernet is normally broadcast. Sometimes there may be a need to use point-to-point
for Ethernet-Links, for example when there is only a /30 subnet. Type non-broadcast is needed to propagate OSPF over a
VPN tunnel.
Bandwidth [kBit/s] - Bandwidth of the interface. Configuration is highly recommended since this information cannot be determined automatically. This setting is used by OSPF to calculate the metric.
Interface Addresses - By specifying an Interface Address, the configuration only applies to a single OSPF network. This parameter can be useful in multinet environments. Otherwise, the parameters apply to all OSPF networks on the given interface.
Parameter Template for Address - References templates for this interface.
Enable Split Horizon - Split Horizon is a mechanism used by RIP to reduce the possibility of routing loops. By enabling
this parameter (default: yes), routes learned from a specific interface, are not re-advertised on this interface.
Enable Poisoned Reverse - This technology is an extension to Split Horizon. By enabling this setting (default: no), routes
learned from a specific interface are re-advertised on this interface but the metric is set to infinity (16).
OSPF Parameters
Authentication Type - Authentication for neighbours on specified interface. Either no authentication (default: null),
simple authentication as specified in RFC1583 or the cryptographic authentication digest-MD5 (RFC2328) can be used.
Simple Authentication Key - Password for simple authentication. This value only has to be specified with
Authentication type set to simple.
Digest Authentication Key - Password for digest authentication. This value only has to be specified with
Authentication type set to digest-MD5.
Message Digest Key ID - Key for digest authentication. This value only has to be specified with Authentication type
set to digest-MD5.
OSPF Priority - Set to a higher value, the router will be more eligible to become a Designated Router or a Backup
Designated Router. Set to 0, the router is no longer eligible to become a Designated Router. Default: 1.
OSPF Dead Interval - Seconds for timer value used for Wait Timer and Inactivity Timer. This value must be the same for
all routers attached to a common network.
OSPF Hello Interval - Time to wait between OSPF "hello" messages to neighbours (sec). This value must be the same for
all routers attached to a common network.
OSPF Retransmit Interval - Minimum time waited between retransmissions (sec).
OSPF Transmit Delay - Sets number of seconds for InfTransDelay value. The InfTransDelay parameter defines the
estimated time required to send a link-state update packet on the interface.
RIP Parameters
Authentication Type - Authentication for neighbours on specified interface. Either no authentication (default: null), text
authentication or the cryptographic authentication digest-MD5 (RFC2082) can be used.
RIP Key Chain - The pull-down menu displays the configured key chains (see: How to Configure RIP Router Setup) and
allows selection of a key chain which is used for authentication.
RIP Text Secret - Specifies the text secret used for authentication purposes. Note that the value specified here always
takes precedence over the RIP Keychains settings.
Send Protocol - Configures protocol types for transmission. Possible values are Version_1, Version_2 or Version_1+2.
Receive Protocol - Configures protocol types for reception. Possible values are Version_1, Version_2 or Version_1+2.
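One way to check the Authentication Type settings above across many interfaces, as an added Python example that is not part of the original documentation: it reads the text form of the configuration and reports every interface left at null, using a clear-text password, or set to digest-MD5 without a key. It assumes the generated text uses the standard Quagga interface commands and that each listed interface runs the protocol; the sample configurations and key values are constructed placeholders.

```python
import re

# Constructed samples in Quagga interface syntax (keys are placeholders).
OSPF_TEXT = """\
interface eth1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
!
interface eth2
 ip ospf authentication
 ip ospf authentication-key PLACEHOLDER
!
interface vpnr0
 ip ospf network non-broadcast
!
router ospf
 network 62.99.0.0/24 area 0
"""

RIP_TEXT = """\
interface eth2
 ip rip authentication mode md5
!
interface eth3
 ip rip authentication mode text
 ip rip authentication string PLACEHOLDER
!
"""

# Commands that supply the secret for digest-MD5 authentication.
DIGEST_KEY = {
    "ospf": re.compile(r"ip ospf message-digest-key \d+ md5 \S+"),
    "rip": re.compile(r"ip rip authentication (key-chain|string) \S+"),
}


def parse_interfaces(config_text):
    """Return {interface name: [commands]} from the interface stanzas."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split()[1]
            interfaces[current] = []
        elif raw.startswith((" ", "\t")) and current:
            interfaces[current].append(raw.strip())
        else:
            current = None      # "!" separator or another top-level block
    return interfaces


def auth_type(commands, proto):
    """Map the interface commands to the Authentication Type values on this page."""
    if proto == "ospf":
        if "ip ospf authentication message-digest" in commands:
            return "digest-MD5"
        return "simple" if "ip ospf authentication" in commands else "null"
    if any(c.startswith("ip rip authentication mode md5") for c in commands):
        return "digest-MD5"
    if any(c.startswith("ip rip authentication mode text") for c in commands):
        return "text"
    return "null"


def audit(config_text, proto):
    """Return [(interface, authentication type, issue)] for weak settings."""
    findings = []
    for name, commands in parse_interfaces(config_text).items():
        kind = auth_type(commands, proto)
        if kind == "null":
            findings.append((name, kind, "neighbours are not authenticated"))
        elif kind in ("simple", "text"):
            findings.append((name, kind, "password is sent in clear text"))
        elif not any(DIGEST_KEY[proto].fullmatch(c) for c in commands):
            findings.append((name, kind, "digest selected but no key configured"))
    return findings


if __name__ == "__main__":
    for proto, text in (("ospf", OSPF_TEXT), ("rip", RIP_TEXT)):
        for finding in audit(text, proto):
            print(proto, *finding, sep=": ")
```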
Neighbor Setup
From the Configuration menu in the left navigation pane, select Neighbor Setup.
Example: The RIP learned route 10.0.0.0/24 with metric 4 hops should
have metric 6 instead. The match condition in the route map must be a
filter matching 10.0.0.0/24 and the set condition must be metric 6.
When applying route filters in the RIP or OSPF section, only ACLs or
Prefix-lists but no route maps are needed.
This dialog is restricted to basic ACLs. Extended ACLs must be configured in tab Text Based Configuration.
Description
Name
Description
Network Prefix Network/Netmask - Enter this address in Inverted CIDR Notation. This address will be converted to Cisco notation for the config file.
Type
Route Map Filters
Route maps are used to control and modify routing information that is exchanged between routing domains.
Setting
Description
Name
Route Map
Configuration
OSPF Specific
Conditions
Sequence Number
Type
Match Condition
The route map entry matches when the route
matches the configured criteria or filter:
ACL (default)
PREFIXLIST
Gateway-IP
Interface-Name
RIP Specific
Conditions
Sequence Number
Type
ACL (default)
PREFIXLIST
Gateway-IP
Interface-Name
Metric
IP Prefix List Filters
Prefix lists are easier to understand for route-filters than ACLs. Example for IP prefix list filter usage:
| Network Prefix | Type | Extent Type |
| --- | --- | --- |
| 0.0.0.0/32 | deny | none |
| 10.0.0.0/24 | permit | none |
Setting
Description
Name
Description
Network/Netmask
Type
Extent Type - Matching condition: none (default), greater-than, less-than
Prefix Length - Minimum or maximum prefix length to be matched.
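How such a prefix list decides which routes pass, as an added Python example that is not part of the original documentation. It assumes the usual Quagga/Cisco prefix-list behaviour: entries are checked in order, the first match wins, unmatched routes are denied, "none" means an exact match, and greater-than/less-than correspond to `ge`/`le` on the prefix length. The second list and its documentation prefixes are constructed.

```python
import ipaddress

# The example list from the table above: (network prefix, type, extent type, prefix length).
PAGE_EXAMPLE = [
    ("0.0.0.0/32", "deny", "none", None),
    ("10.0.0.0/24", "permit", "none", None),
]

# Constructed outbound filter; 203.0.113.0/24 and 192.0.2.0/24 stand in for
# assigned address ranges.
OUTBOUND = [
    ("10.0.0.0/8", "deny", "greater-than", 8),       # anything inside 10.0.0.0/8
    ("203.0.113.0/24", "permit", "none", None),       # the aggregate only
    ("192.0.2.0/24", "permit", "less-than", 26),      # /24 up to /26 inside the range
]


def entry_matches(entry, route):
    """True if `route` (an ip_network) is matched by one prefix list entry."""
    prefix, _action, extent, length = entry
    network = ipaddress.ip_network(prefix)
    if not route.subnet_of(network):
        return False                                  # outside the entry's range
    if extent == "none":
        return route.prefixlen == network.prefixlen   # exact match only
    if extent == "greater-than":
        return route.prefixlen >= length              # assumed to behave like "ge"
    if extent == "less-than":
        return route.prefixlen <= length              # assumed to behave like "le"
    raise ValueError(f"unknown extent type: {extent}")


def evaluate(prefix_list, route):
    """Return 'permit' or 'deny' for a route given as a CIDR string."""
    network = ipaddress.ip_network(route)
    for entry in prefix_list:
        if entry_matches(entry, network):
            return entry[1]                           # first match wins
    return "deny"                                     # implicit deny at the end


def permitted(prefix_list, routes):
    """Routes from `routes` that the list lets through, in their original order."""
    return [route for route in routes if evaluate(prefix_list, route) == "permit"]


if __name__ == "__main__":
    candidates = ["203.0.113.0/24", "203.0.113.128/25", "10.1.2.0/24",
                  "192.0.2.64/26", "192.0.2.64/27", "0.0.0.0/0"]
    for route in candidates:
        print(f"{route:18s} {evaluate(OUTBOUND, route)}")
    print("page example, 10.0.0.0/24:", evaluate(PAGE_EXAMPLE, "10.0.0.0/24"))
    print("page example, 10.0.0.128/25:", evaluate(PAGE_EXAMPLE, "10.0.0.128/25"))
```

Used as an output filter towards a provider, a list like this keeps more-specific and internal routes from being advertised.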
From the Config Tree, expand Box > Virtual Servers > <your
Scenario 1 - A BGP peer runs on a loopback address that is externally unreachable. This can be required if the other IP addresses of the system are dynamically changeable.
For both scenarios, you can configure EBGP multihop routing with either a route map or static routes:
Route Map - If you do not require load balancing over more than one router, using a route map is the simplest way of configuring EBGP. You only need to configure the BGP neighbor and do not need to introduce additional routes. All routes learned by router R1 (as configured in Scenario 2) are directed over one gateway. However, this setup can prolong traffic from routes whose next hop would initially have been directly reachable from router R0, and load balancing over more than one router is no longer possible.
Static Routes - For arriving routes without a directly reachable next hop, configure static routes. You only need to configure the neighbor once for EBGP multihop routing and do not need to change any other BGP configurations. Routes received via next hop can be analyzed. However, you must also set up a new next hop, and the routing table for the kernel becomes more complicated.
Complete the steps in the following sections to configure EBGP multihop routing with either a route map or static routes,
depending on your network architecture. The sections provide examples of how to configure EBGP multihop routing for
Scenario 2, as illustrated in the above diagram. BGP peer R1 in an external network is configured on router R0.
A static route over the gateway of router R0 to the network of router R1.
A direct route to the network of router R1.
Whenever a route with an unknown next hop is received, you must execute a next hop lookup, configure a static route,
and then configure a device route. Use the example steps from above.
Prerequisites
Before configuring BGP over VPN, you must:
Create and configure the VPN service. For more information, see How to Create a Service.
Register with the ARIN to obtain an AS number and be assigned a network range.
Open the Server Properties page (Config > Full Config > Box > Virtual Servers > your virtual server).
Click Lock.
In the Additional IP table, add the IP address of the VPN interface.
Click Send Changes and then click Activate.
Additional Information
In addition to the vpn* interfaces, there should now exist a vpnr* interface to which an IP address out of the
BGPVPN-network is assigned. Verify this on the Control > Network > Interfaces > IPs page. Routes that have been
learned from BGP via VPN should now be introduced to the kernel routing table and routed through vpnr*. For more
information about the vpnr* interfaces, use the command: ktinactrl rdev show (see also: ktinactrl).
In this example the BGP AS details and networks were provided by the cloud provider. In other cases this can be negotiated between both sides.
IPsec Configuration
First, you have to create the IPsec tunnel (see: How to Create an IPsec VPN Tunnel between the Barracuda NG Firewall and a
pfSense Firewall). The IPsec configuration in this case is similar to a policy based VPN. You still need to enter a network on
both sides but this can be the transit LAN and the same on both sides.
However, the difference is that the policy based routing is configured in the Advanced tab of the tunnel settings. In this tab you configure the VPN interface as you configured it in the VPN settings, and you define the next hop router in the transit LAN for this configuration.
To validate that the tunnel is up and running and interfaces are valid you can check in Control > Network and
the VPN > Site-to-Site tab.
BGP Configuration
For BGP, you need to agree with the other side on negotiation details. In the BGP settings, you must enable BGP and then configure the BGP Router and Neighbor settings.
Once you have set this up, you can connect on the CLI to the Quagga router on port 2065. This will ask you for a password, and you can then see the live BGP configuration. Beware that you can also change this configuration; however, after a reload of the configuration, this can be overwritten by Barracuda NG Admin. For more information, see: http://www.nongnu.org/quagga/docs/docs-info.html.
Network Setup
Four routers are appointed to learn routes from OSPF and RIP "Clouds". Router 1 and router 2 are both attached to LAN
segment 62.99.0.0/24 and belong to OSPF Area 0. Router 3 is attached to LAN segment 194.93.0.0/24 serving as OSPF
router in OSPF Area 1 and as RIP router for RIP Cloud 2. Router 4 is a sole RIP router attached to LAN segment 194.93.0.0/24.
Two further networks, 192.168.10.0/24 and 192.168.11.0/24, live in RIP Cloud 2.
[Figure: Example setup for OSPF and RIP configuration]
[Figure: Router 3 RIP and OSPF learned networks from OSPF and RIP Cloud 2]
Step 2: Add the Network Interfaces Speaking OSPF to the Server Properties
OSPF is spoken on two interfaces linking to the following networks: eth1 (62.99.0.0/24) and eth2 (194.93.0.0/24).
Configuring of addresses in the Server Properties:
The Barracuda NG Firewall is configured to operate as a "normal" router. The operation mode is set to "active-passive" (that is,
advertise-learn). By this means, all routes are learned and forwarded. Setting a Router ID is mandatory. It is important for
easily identifying LSAs during troubleshooting.
Specify the interfaces where OSPF should be enabled and where adjacencies should be built through the Network Prefix
parameter. In the example, the Barracuda NG Firewall is made an Area Border Router (ABR) with interfaces in Area 0 and
Area 1. The network 62.99.0.0/24 is part of Area 0; the network 194.93.0.0/24 is part of Area 1.
A further way to see more detailed information regarding the OSPF service is to connect to the Quagga engine itself with a
telnet to localhost:2604 at the Command Line Interface. This mode can also be used for debugging purposes. If needed,
see www.quagga.net for information about the Quagga Routing Suite. The following screenshot shows the Quagga engine
output of the commands sh ip ospf neigh and sh ip ospf route.
With these configuration settings, all networks connected to the Barracuda NG Firewall will be redistributed to OSPF with a
cost of 10 and Metric-type External 1.
With these configuration settings, the default route (if configured) will be redistributed to OSPF with a cost of 10 and
Metric-type External 1. If a default route should always be distributed, regardless of whether one is configured, set parameter
Originate Always to yes.
Authentication in an Area
Authentication on a Link
Area authentication is configured within the OSPF Area Setup. For Link Authentication first a parameter template has to be
created, and then a reference to this template has to be established. The example uses Link Authentication. Authentication
configuration is done in the Network Interfaces section of the OSPF Routing configuration. Proceed as follows to configure
Link Authentication:
All other routers on this interface must have the same settings. Otherwise, adjacency cannot be established.
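Why a mismatch in link authentication settings prevents adjacency, shown as an added example that is not part of the original article or of the Barracuda/Quagga code. It assumes the link uses RFC 2328 cryptographic (MD5) authentication, which the article does not specify; the function names, router ID, key ID and keys are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTYPE_CRYPTO = 2  # RFC 2328 AuType value for cryptographic authentication

def md5_digest(packet, key):
    # MD5 over the packet followed by the key, zero-padded to 16 bytes
    return hashlib.md5(packet + key[:16].ljust(16, b"\0")).digest()

def build_packet(router_id, area_id, key_id, seq, key, body=b""):
    """Build an OSPFv2 Hello header (plus body) and append its MD5 digest."""
    length = 24 + len(body)  # the appended digest is not counted
    header = struct.pack(
        "!BBH4s4sHHHBBI",
        2, 1, length,                      # version 2, type 1 (Hello)
        ipaddress.IPv4Address(router_id).packed,
        ipaddress.IPv4Address(area_id).packed,
        0,                                 # checksum unused with AuType 2
        AUTYPE_CRYPTO, 0, key_id, 16,      # AuType, reserved, key ID, digest length
        seq)                               # cryptographic sequence number
    packet = header + body
    return packet + md5_digest(packet, key)

def accept(packet, key_id, key, last_seq):
    """Receiver check: AuType, key ID, sequence number, then the digest."""
    if len(packet) < 24:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    autype, _, rx_key_id, dlen, seq = struct.unpack("!HHBBI", packet[14:24])
    if autype != AUTYPE_CRYPTO or rx_key_id != key_id or dlen != 16:
        return False
    if len(packet) != length + 16 or seq < last_seq:
        return False  # truncated/extended packet or replayed sequence number
    return hmac.compare_digest(packet[length:], md5_digest(packet[:length], key))

# Constructed sample: a Hello from a router in Area 1 using key ID 1
HELLO = build_packet("194.93.0.1", "0.0.0.1", key_id=1, seq=100, key=b"example-key")
```

A neighbour configured with a different key or key ID rejects every Hello in `accept`, so the neighbour state never progresses and no adjacency forms.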
Click Insert to create new configuration settings for Area 1. Set the value for Area ID [Int] to 1.
Create a new entry for parameter Summary Range IP/Mask by clicking Insert.
Range 192.168.10.0/23 is now going to be advertised as summary route with cost 10. A router in Area 0 is going to create an
entry in its routing table.
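A check worth running before entering a Summary Range, given here as an added example rather than anything from the original article: it confirms that the range covers every network it is meant to summarize and does not advertise address space that no network behind the router backs (traffic for such space would be attracted to the ABR and then dropped or misrouted). The function names and the wider and narrower comparison ranges are constructed; the /24 networks and the /23 range are the ones from the article.

```python
import ipaddress

def tightest_summary(components):
    """Smallest single prefix that contains every component network."""
    nets = [ipaddress.ip_network(c) for c in components]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)

def check_summary(summary, components):
    """Compare a summary range with the networks it is meant to cover."""
    s = ipaddress.ip_network(summary)
    nets = [ipaddress.ip_network(c) for c in components]
    # Component networks that fall outside the summary (would not be summarized)
    uncovered = [str(n) for n in nets if not n.subnet_of(s)]
    # Address space inside the summary that no component network backs
    remaining = [s]
    for n in nets:
        nxt = []
        for r in remaining:
            if n.subnet_of(r) and n != r:
                nxt.extend(r.address_exclude(n))  # carve n out of r
            elif r.subnet_of(n):
                continue                          # r is fully backed by n
            else:
                nxt.append(r)                     # n and r are disjoint
        remaining = nxt
    return {"uncovered": uncovered,
            "unbacked": [str(r) for r in sorted(remaining)]}

# The two networks the article places in RIP Cloud 2
CLOUD2 = ["192.168.10.0/24", "192.168.11.0/24"]

if __name__ == "__main__":
    print(tightest_summary(CLOUD2))
    for rng in ("192.168.10.0/23", "192.168.8.0/22", "192.168.10.0/24"):
        print(rng, check_summary(rng, CLOUD2))
```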
Operational Setup - RIP is activated by setting parameter Run RIP Router to yes.
RIP Preferences - Parameter Multipath Handling is set to ignore.
RIP Router Setup - RIP Version 2 is enabled on Network Device eth2 in the Networks section. Redistribution of
connected networks to RIP is configured in the Route Redistribution section. In the example, all connected networks are
redistributed to RIP with a hopcount of 2.
RIP Router Setup - To redistribute routes learned by OSPF insert a new entry in the Route Redistribution Configuration
section.