Configuring BGP peering

Prerequisites for configuring BGP sessions

• Kaspersky autonomous system AS200107 must be allowed to transmit routing information of the Customer's autonomous system.
• Transit of an announcement of the Customer's network through the Kaspersky DDoS Protection System must be allowed.
• A BGP session must be established in each tunnel.
• A BGP session is established between internal, private IP addresses of the tunnel.
• The Customer's equipment must trust the MED attribute announced from the Scrubbing Center.

Description

BGP peering is configured between Kaspersky autonomous system 200107 and the Customer's autonomous system.

To maintain routing of traffic between the Scrubbing Center and the Customer's site when switching traffic to the protection route, the switched subnetwork must be announced through the established BGP sessions. In normal mode, announcements are not transmitted over an established BGP session. Establishing a BGP session in each tunnel is required to ensure a fault-tolerant connection between Scrubbing Centers and the Customer's site. A BGP neighborhood enables automatic selection of the utilized GRE tunnel at Kaspersky DDoS Protection Scrubbing Centers. For this purpose, Kaspersky DDoS Protection forwards an MED attribute to each tunnel. The Customer's equipment must trust this attribute.

To ensure symmetry in a tunnel when receiving Full View announcements from the provider or if the switched subnetwork is part of a larger subnetwork, it is recommended to use Policy-Based Routing technology. To utilize this technology, the Scrubbing Center announces a signal prefix through all established BGP sessions. This prefix is used as a next-hop recursive for Policy-Based Routing (Source-Based Routing) to return the outbound traffic of Protected resources to the active GRE tunnel.

To ensure traffic symmetry, the Scrubbing Center may announce an agreed signal prefix for Policy-Based Routing or the default route 0.0.0.0/0.