Configuring BGP peering

April 17, 2024

ID 206051

Prerequisites for configuring BGP sessions

  • A BGP session must be established in each tunnel.
  • A BGP session is established between internal, private IP addresses of the tunnel.
  • If the Customer does not have their own AS, a BGP session is established between a private autonomous system number issued to the Customer by Kaspersky DDoS Protection and the public autonomous system number of the Kaspersky DDoS Protection Scrubbing Center.
  • For each established BGP session, announcements of IP addresses issued by Kaspersky DDoS Protection for each Protected resource must be continually visible from the Customer side.
  • The Customer's equipment must trust the MED attribute announced from the Scrubbing Center.

Description

BGP peering is configured between Kaspersky DDoS Protection autonomous system 200107 and the Customer's autonomous system (or a private autonomous system whose number is allocated to the Customer by Kaspersky DDoS Protection).

A BGP session established in each tunnel performs multiple functions. The IP addresses issued by Kaspersky DDoS Protection must be announced through the established BGP session to maintain traffic routing between the Scrubbing Center and Protected resources. After the Customer's site has been connected, the Protected resource must be accessible over the Internet using two IP addresses: the original IP address and the IP address issued by Kaspersky DDoS Protection.

Establishing a BGP session in each tunnel is required to ensure a fault-tolerant connection between Scrubbing Centers and the Customer's site. The BGP neighbor relationship enables automatic selection of the GRE tunnel in use at Kaspersky DDoS Protection Scrubbing Centers. For this purpose, Kaspersky DDoS Protection sends a MED attribute in each tunnel. The Customer's equipment must trust this attribute.

It is recommended to use Policy-Based Routing to ensure symmetry in a tunnel. When this technology is used, the Scrubbing Center announces a signal prefix through all established BGP sessions. This prefix is used as a recursive next hop to return the outbound traffic of Protected resources to the active GRE tunnel.

To ensure traffic symmetry, the Scrubbing Center may announce an agreed signal prefix for Policy-Based Routing.
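The following check is an added example, not part of the original article or of any Kaspersky tooling. It validates a constructed per-tunnel snapshot of BGP session state against the prerequisites above and shows which tunnel the signal prefix resolves through when the received MED is trusted. The tunnel names, prefixes (documentation ranges), MED values and the snapshot structure are assumptions; only AS 200107 comes from the page.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

SCRUBBING_AS = 200107  # Kaspersky DDoS Protection AS number, from the page

@dataclass
class Session:
    tunnel: str                     # GRE tunnel name (constructed)
    peer_as: int                    # remote AS seen on the session
    state: str                      # BGP FSM state reported by the router
    advertised: set = field(default_factory=set)       # prefixes announced to the peer
    received_med: dict = field(default_factory=dict)   # prefix -> MED received, unmodified

def check_prerequisites(sessions, issued, signal):
    """Return the prerequisite violations found in a per-tunnel session snapshot."""
    problems = []
    for s in sessions:
        if s.state != "Established":
            problems.append(f"{s.tunnel}: session is {s.state}, not Established")
            continue
        if s.peer_as != SCRUBBING_AS:
            problems.append(f"{s.tunnel}: peer AS {s.peer_as}, expected {SCRUBBING_AS}")
        for prefix in sorted(issued - s.advertised):
            problems.append(f"{s.tunnel}: issued prefix {prefix} is not announced")
        if signal not in s.received_med:
            problems.append(f"{s.tunnel}: signal prefix {signal} is not received")
    return problems

def active_tunnel(sessions, signal):
    """Tunnel the signal prefix resolves through when MED is trusted (lowest MED wins)."""
    usable = [(s.received_med[signal], s.tunnel) for s in sessions
              if s.state == "Established" and signal in s.received_med]
    return min(usable)[1] if usable else None

# Constructed sample data: documentation prefixes and made-up MED values.
ISSUED = {ip_network("203.0.113.10/32")}
SIGNAL = ip_network("198.51.100.1/32")

def sample_sessions():
    return [
        Session("gre1", SCRUBBING_AS, "Established", set(ISSUED), {SIGNAL: 100}),
        Session("gre2", SCRUBBING_AS, "Established", set(), {SIGNAL: 200}),
    ]

if __name__ == "__main__":
    sessions = sample_sessions()
    print(check_prerequisites(sessions, ISSUED, SIGNAL), active_tunnel(sessions, SIGNAL))
    sessions[0].state = "Idle"      # gre1 fails: traffic should follow gre2
    print(check_prerequisites(sessions, ISSUED, SIGNAL), active_tunnel(sessions, SIGNAL))
```

In the standard BGP decision process, local preference and AS-path length are evaluated before MED, so an inbound policy that sets a different local preference per tunnel, or that rewrites the metric, would override the selection modelled here.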

To switch traffic of the Customer's Protected resources to Scrubbing Centers, Kaspersky DDoS Protection allocates to the Customer IP addresses for each DNS name.
