Configure BGP Monitoring

Border Gateway Protocol (BGP) is a standard routing protocol used to exchange routing and reachability information between autonomous systems (AS) on the internet or within an organization. BGP peers—network devices configured to share routing information—establish a TCP connection and exchange route updates.

A key feature of BGP is its built-in loop prevention: routers will not accept routes that include their own AS in the AS-Path. This makes the AS-Path an effective anti-loop mechanism. BGP is commonly used for multi-homing in medium-sized networks and is also used within internal enterprise networks.

When BGP Discovery is enabled in Asset Manager, the system peers with your BGP infrastructure to listen for and report on routing updates. It retrieves route information from BGP-enabled routers in each zone by participating in route exchanges with configured peer routers. Because of this, you must configure at least one BGP peer router per zone to generate results—without a peer, no data will be collected.

Asset Manager collects the following BGP data:

  • CIDR routes

  • The originating Autonomous System Number (ASN)

  • Route status (e.g., withdrawn)

  • AS-Path

To configure BGP Discovery, contact your system administrator for the IP address and authentication details of a BGP peer router (typically one per zone). The administrator must also configure your system as a peer by using your IP address and providing you with an ASN to use during setup.

BGP Discovery is passive and does not advertise or inject routes into the BGP environment.

Only users with Manager or Superuser permissions in Asset Manager can configure BGP peer settings.

Incompatibility between FIPS 140-2 mode and BGP authentication

BGP with authentication does not work on a FIPS 140-2 enabled system: the BGP authentication method relies on the kernel using MD5, which is forbidden when running in FIPS 140-2 compliant mode.

For more information about configuring FIPS 140-2, see FIPS.

Specific BGP-related findings are available in two reports: BGP Routes and BGP Scanner History.

BGP results are folded into the Host and Path scanners (subject to Eligible / Avoid lists) and then into further scanners, producing more robust and comprehensive device details.

Question: What do we collect from BGP today?

Answer: Today Asset Manager collects the CIDR routes it gets from BGP peers, the ASN (Autonomous System Number), whether the route has been withdrawn, and the AS-Path.

Question: What happens if I select Skip BGP Router in the SNMP Discovery tab, yet configure the BGP Discovery tab?

Answer: The two settings are completely independent and do entirely different things. Selecting Skip BGP Router in the SNMP tab avoids collecting BGP routes to the Internet. Enabling BGP listening in the BGP tab causes Asset Manager to passively listen to BGP traffic between subnets in your zone, generating more comprehensive results. BGP listening focuses on inter-network traffic, which is akin to OSPF listening. The SNMP tab, by contrast, focuses on gathering BGP routes, which are ingested into the SNMP discovery process, amplifying results.

The SNMP discovery agent can also collect or skip route tables from BGP routers. The field is labeled "Skip BGP" rather than "Collect BGP" because Border Gateway Protocol (BGP) routers are likely to be Internet-facing. These BGP routers often hold very large routing tables that are irrelevant to your network; collecting these routing tables is typically time-consuming and does not provide useful information.

The Maximum Route Table Size option is another mechanism that, like Skip BGP, stops Asset Manager's discovery agent from wasting time collecting routing tables that do not provide useful information.

Identify BGP Peers

Go to Settings > Support Tools > BGP Current Status for details on BGP Peers in all zones.

Configure BGP Monitoring

To begin discovering devices on your network immediately, configure a collector to execute passive monitoring first. Passive discovery provides instantaneous network updates and broadens understanding of a network's core.

New expiration policy for stored route data

The passive discovery types are Broadcast, OSPF, and BGP.

BGP and all passive discovery types are not impacted by a collector's rescan interval because passive discovery never sends out packets. The rescan interval only comes into play for active discovery methods configured on a collector such as Host Discovery and Path Discovery.

Configure BGP

To configure BGP from the Asset Manager main menu, do the following:

  1. Go to Settings > Zones > Zone Collectors > BGP > BGP Peers.

  2. Click Add.

  3. Input the IP Address, Remote AS (this is the AS that your BGP peer expects Asset Manager to have), and if necessary, a Password for each BGP peer you add. The Password field is optional.

  4. Note that the IP address can be either IPv4 or IPv6.

  5. Click Create > Configuration > Edit.

  6. Click Enable BGP Discovery > Create. BGP is enabled and begins listening immediately.

BGP Syntax in CLI

If you need to configure BGP from the command-line interface (CLI), use the following syntax.

The CLI only supports IPv4 configuration. For IPv6 BGP configuration, use the UI.

  • Enable BGP: collector bgp <collector name> enabled [ true | false ]

  • Add Peer: collector bgp <collector name> peer new <ipaddr> <remote AS> <password>
    (where <password> field is optional)

  • Delete Peer: collector bgp <collector name> peer delete <ipaddr>
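
The following pre-flight check is an added example, not part of the Asset Manager product or its documentation. It turns a planned peer list into the CLI commands shown above while applying the constraints this page states: the CLI accepts IPv4 peers only, the password is optional, a password cannot be used in FIPS 140-2 mode, and a zone with no peer collects nothing. The collector name `collector1`, the peer records, the `fips_mode` flag and the ASN range check are assumptions made for illustration.

```python
import ipaddress

MAX_ASN = 4294967295  # largest 4-byte AS number; 0 is reserved (assumed check)

# Constructed sample plan (documentation address ranges, private-use ASNs).
SAMPLE_PEERS = [
    {"ip": "192.0.2.1", "remote_as": 64512, "password": None},
    {"ip": "192.0.2.2", "remote_as": 64513, "password": "EXAMPLE-SECRET"},
    {"ip": "2001:db8::1", "remote_as": 64512, "password": None},
    {"ip": "192.0.2.3", "remote_as": 0, "password": None},
]

def plan_bgp_cli(collector, peers, fips_mode=False):
    """Return (commands, problems) for one collector's planned BGP peers."""
    commands, problems = [], []
    for peer in peers:
        ip_text, asn, password = peer["ip"], peer["remote_as"], peer.get("password")
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"{ip_text}: not a valid IP address")
            continue
        if addr.version == 6:
            # The page states the CLI supports IPv4 only.
            problems.append(f"{ip_text}: IPv6 peer, configure it in the UI")
            continue
        if not isinstance(asn, int) or not 1 <= asn <= MAX_ASN:
            problems.append(f"{ip_text}: remote AS {asn!r} outside 1..{MAX_ASN}")
            continue
        if password and fips_mode:
            # BGP authentication needs MD5, which FIPS 140-2 mode forbids.
            problems.append(f"{ip_text}: password set but FIPS 140-2 mode is on")
            continue
        cmd = f"collector bgp {collector} peer new {addr} {asn}"
        commands.append(f"{cmd} {password}" if password else cmd)
    if commands:
        commands.append(f"collector bgp {collector} enabled true")
    else:
        problems.append("no usable peer: without a peer, no data is collected")
    return commands, problems

if __name__ == "__main__":
    cmds, issues = plan_bgp_cli("collector1", SAMPLE_PEERS, fips_mode=True)
    print("\n".join(cmds))
    print("\n".join("PROBLEM " + p for p in issues))
```

Peers listed as problems are left out of the generated commands so they can be resolved (or added through the UI) before BGP Discovery is enabled.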

To see which protocols are the most responsive in your network, go to Reports > Browse Real-Time and review these reports:

  • Discovery Statistics by Discovery Type

  • Discovery Statistics by Protocol