How to Set Up Windows Server 2016 Border Gateway Protocol

Border Gateway Protocol (BGP) is the routing protocol that underlies the internet, enabling autonomous systems (AS) to exchange routing and reachability information. Windows Server 2016 includes a software-based BGP router as part of the Remote Access Server (RAS) role, allowing administrators to configure dynamic routing without dedicated hardware routers. This makes it particularly valuable in virtualized and Software Defined Networking (SDN) environments, as well as in scenarios where Windows servers serve as edge routers or VPN gateways.

The BGP implementation in Windows Server 2016 supports both iBGP (internal BGP, between routers in the same AS) and eBGP (external BGP, between different autonomous systems). It supports route reflection, confederations, route filtering with policies, and integration with Hyper-V Network Virtualization for multi-tenant environments.

Prerequisites

To set up BGP on Windows Server 2016, ensure the Remote Access role is installed with the Routing component. You also need two or more IP addresses configured (to simulate multiple ASes or to peer with an external router), PowerShell remoting enabled for remote management, and appropriate firewall rules to allow BGP traffic on TCP port 179.

Step 1: Install the Remote Access Role with Routing

Install the necessary role components via PowerShell:

Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools

After installation, configure and start the Routing and Remote Access Service:

Install-RemoteAccess -VpnType RoutingOnly

Verify the service is running:

Get-Service RemoteAccess

Step 2: Add the BGP Router

Once the Remote Access role is configured, add a BGP router to the local server. You need to specify a BGP identifier (typically the router’s loopback or primary IP) and a local ASN (Autonomous System Number):

Add-BgpRouter -BgpIdentifier 192.168.1.1 -LocalASN 65001

The BgpIdentifier uniquely identifies this BGP router to its peers and is typically a stable IP address. ASNs in the range 64512–65534 are reserved for private use and are appropriate for internal lab or enterprise BGP configurations.

Step 3: Add BGP Peers

A BGP peer is another router with which this instance exchanges routing information. Add an eBGP peer with a different ASN:

Add-BgpPeer -Name "Router2" -LocalIPAddress 192.168.1.1 -PeerIPAddress 192.168.1.2 -PeerASN 65002 -OperationMode Mixed

The OperationMode “Mixed” means the router can both send and receive routes. Other options are “Receive” (accept only) or “Send” (advertise only).

To add an iBGP peer within the same AS:

Add-BgpPeer -Name "InternalRouter" -LocalIPAddress 10.0.0.1 -PeerIPAddress 10.0.0.2 -PeerASN 65001 -OperationMode Mixed

Step 4: Advertise Routes via BGP

To advertise a specific network prefix to BGP peers, use the Add-BgpCustomRoute command. This tells the BGP router to announce a particular subnet to its peers:

Add-BgpCustomRoute -Network 10.10.0.0/24

You can also advertise all routes from the local routing table by specifying the interface name:

Add-BgpCustomRoute -Interface Ethernet

Step 5: Create BGP Routing Policies

BGP routing policies allow you to filter, modify, or prioritize routes. Create a policy that filters routes based on network prefix:

Add-BgpRoutingPolicy -Name "BlockRoute" -PolicyType Deny -MatchPrefix @("172.16.0.0/12") -PassThru

Apply the policy to a specific peer for inbound route processing:

Add-BgpRoutingPolicyForPeer -PeerName "Router2" -PolicyName "BlockRoute" -Direction Ingress

Step 6: Verify BGP Status and Routes

Check the current state of all BGP peers. Connected peers will show a state of “Connected”:

Get-BgpPeer

List all BGP routes being advertised by this router:

Get-BgpRouteInformation

View statistics for a specific peer including message counts and uptime:

Get-BgpStatistics -PeerName "Router2"

Step 7: Configure Route Reflection

In large iBGP deployments, route reflection reduces the need for a full mesh of iBGP peerings. To make this server act as a route reflector for a specific peer, mark that peer as a route reflector client:

Set-BgpPeer -Name "InternalRouter" -RouteReflectorClient $true

Step 8: Allow BGP Traffic Through Windows Firewall

BGP uses TCP port 179. Add a firewall rule to allow this traffic:

New-NetFirewallRule -DisplayName "Allow BGP" -Direction Inbound -Protocol TCP -LocalPort 179 -Action Allow
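
The rule above accepts TCP 179 from any source address. The following added example (not part of the original article) audits for such open rules and creates one scoped to the peer addresses used in Step 3; the rule name is a placeholder, and the peer list is assumed to match your own Add-BgpPeer entries.

```powershell
# Added example, not from the original article.
# Peer addresses are the ones used in Step 3; the rule name is a placeholder.
$peerAddresses = @('192.168.1.2', '10.0.0.2')
$ruleName      = 'Allow BGP from configured peers'

# 1. Audit: enabled inbound allow rules that list TCP 179 explicitly and
#    accept it from any remote address. Rules that cover 179 through a port
#    range or "Any" are not matched by this simple check.
$broadRules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -eq 'TCP' -and
        @($port.LocalPort) -contains '179' -and
        @($addr.RemoteAddress) -contains 'Any'
    })

# Show what was found (the "Allow BGP" rule from this step would appear here).
$broadRules | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 2. Create the scoped rule once: only the configured peers may reach TCP 179.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 179 -RemoteAddress $peerAddresses -Action Allow | Out-Null
}

# 3. Preview disabling the open rules; drop -WhatIf after confirming that the
#    peers reconnect through the scoped rule.
if ($broadRules.Count -gt 0) {
    $broadRules | Disable-NetFirewallRule -WhatIf
}
```

After the open rules are disabled, rerun Get-BgpPeer to confirm that each peer still reports a connected state.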

Troubleshooting BGP

If peers are not connecting, check for common issues such as an incorrect ASN, an unreachable peer IP, or a firewall blocking port 179. If needed, restart the BGP router by restarting the Remote Access service:

Restart-Service RemoteAccess

The BGP implementation in Windows Server 2016 provides a robust solution for dynamic routing in both SDN and traditional enterprise network environments, with full PowerShell manageability.