Inside-Out BGP Visibility

You're familiar with the capabilities that ThousandEyes provides with regard to external BGP visibility, using public monitors to show the reachability of a particular network prefix, but want data that is more relevant to your organization.

Let's say you have a business-critical process that depends on an external software provider, such as salesforce.com -- and you want to be able to monitor the reachability of the Salesforce prefix from inside each of your office locations where Salesforce is used.

A second use case is for an internal BGP monitor when you're originating a prefix of your own; by virtue of having a monitor which tracks all routing changes inside your AS, you'll have direct visibility over path changes that occur on your own network (origin AS). This allows deeper visibility into the origin network, from the vantage point of your internal monitors, which can be instrumental in diagnosis of problems.

So, how do you accomplish this? You're already monitoring the target site using a web or network test and Enterprise Agents, but perhaps you want BGP data that is more relevant to your own network topology.

We've introduced the ability to obtain inside-out BGP visibility, using the private eBGP peer capability of our platform. This allows your network administrators to configure their BGP speakers to peer with our route collector, which will show the reachability of each BGP target, from the vantage point of your own networks.

Configuring your BGP Speaker to Interface with the ThousandEyes Collector

Your user must be in a role that has the Edit BGP monitors permission assigned in order to make these configuration changes.

Browse to Cloud & Enterprise Agents > BGP Monitors and click Add Private BGP Monitor; this shows a new monitor form. Fill the fields as follows:

  • Monitor Name - the name you wish to show in the list of BGP monitors.

  • Remote IP Address - the external (non RFC-1918) address allocated to your router.

  • Remote AS Number - your Autonomous System number. You must maintain your own AS number in order to configure peering with our route collector.

  • TCP MD5 Password - (optional) the authentication key used to establish the peering session on your router.

Caution: edge router configuration changes should only be done by qualified personnel. Consult your network administration team for assistance if any of the steps shown below are unclear.

Once you complete all the required fields, click Request Peering. A modal window like this displays:

An email is then sent to the recipients configured in the Notifications tab, along with configuration commands to be entered on your router.

The BGP monitor appears, with a "Pending" status and the entered information, as shown below:

If you wish to delete a BGP private monitor or cancel a pending request, click the trash icon next to the Status field of the desired BGP private monitor. You will be asked to confirm your action.

Next, you'll need to configure your router as a multi-hop peer with ThousandEyes, using private AS number 65315. Sample instructions and targets will be shown in the dialog.

Peer AS number: 65315 BGP type: external, multihop Neighbor address: <Peer IP as per email from ThousandEyes>

Once configured, we strongly recommend that the peering session be configured to reject all route changes. After the request is received and approved by our team, we will approve the peering session, and coordinate with you on timing for establishing sessions with your BGP speakers.

Once approved, and the peering session established, the monitor will show in the list of private peers, indicating the remote IP of the monitor, target AS number, and the length of time that the peering session has been established. Changes to account group bindings are now permitted for BGP private monitors. If needed, a private peering will need to deleted and requested again from the desired account group.

Administrators can optionally trigger alerts from ThousandEyes when the BGP monitor is unavailable. This works in the same general manner as our Enterprise Agent availability notifications. You can enter a list of email addresses to notify, via this interface.

If you have any questions around using this feature, contact our Customer Engineering team at support@thousandeyes.com‚Äč