Introduction to BGP on Windows Server 2022

Border Gateway Protocol (BGP) is the routing protocol that underpins the global Internet. It is a path-vector protocol that operates between autonomous systems (AS) and is responsible for exchanging reachability information between network domains. Windows Server 2022 includes a full BGP implementation as part of the Remote Access Server (RAS) role through the Routing and Remote Access Service (RRAS) component. This makes Windows Server capable of acting as a BGP router, BGP peer, or even a BGP route reflector without requiring dedicated hardware routers in scenarios such as virtualized data centres, small branch offices, or SDN deployments.

This tutorial covers every major aspect of BGP configuration on Windows Server 2022 using PowerShell cmdlets from the RemoteAccess module.

BGP Use Cases on Windows Server

Windows Server BGP is commonly used in several scenarios. In Software-Defined Networking (SDN) deployments, Windows Server acts as a BGP speaker in the RAS Gateway role, exchanging routes with physical Top-of-Rack (ToR) switches. In branch office scenarios, Windows Server can peer with ISP edge routers to provide multi-homed Internet connectivity. In Hyper-V environments, BGP is used with Network Virtualization to advertise virtual network prefixes to the physical fabric. Understanding which scenario applies helps determine the AS numbering, peer configuration, and route advertisement strategy.

Installing RRAS with BGP Support

BGP on Windows Server 2022 requires the Remote Access role together with its Routing sub-feature (the feature name is Routing, not RRAS). Install both using PowerShell:

Install-WindowsFeature -Name RemoteAccess -IncludeManagementTools
Install-WindowsFeature -Name Routing

After installation, install and configure the BGP router using the RemoteAccess module cmdlets. First, initialise RRAS in LAN routing mode (required before BGP can be configured):

Install-RemoteAccess -VpnType RoutingOnly

Verify the Remote Access service is running:

Get-RemoteAccess | Select-Object RoutingStatus, VpnStatus

Import the BGP module if it is not automatically loaded:

Import-Module RemoteAccess

Adding the BGP Router Instance

With RRAS running, create the BGP router instance. Every BGP router requires a Router ID (typically the loopback or primary IP address of the router) and a Local AS number. AS numbers in the range 64512–65534 are reserved for private use (similar to RFC1918 for IP), while numbers from 1–64511 are public ASNs that must be registered with a Regional Internet Registry (RIR).

Add-BgpRouter -BgpIdentifier "10.0.0.1" -LocalASN 65001

The -BgpIdentifier is a 32-bit value expressed as a dotted quad IPv4 address used to uniquely identify this BGP speaker. It does not need to be a routable address, but it must be unique within the BGP domain. For servers with multiple interfaces, use the primary management IP or a dedicated loopback address.

To verify the router was created correctly:

Get-BgpRouter

This returns the BgpIdentifier, LocalASN, RouteReflectorEnabled, ClusterId, PolicyList, and current router state.

Configuring BGP Peers

A BGP peer (also called a BGP neighbour) is another BGP router with which this server establishes a TCP session on port 179 to exchange routing information. BGP peers are either iBGP (same AS) or eBGP (different AS). Add a BGP peer using:

Add-BgpPeer -Name "Peer-ToR-Switch-01" -LocalIPAddress "10.0.0.1" -PeerIPAddress "10.0.0.254" -LocalASN 65001 -PeerASN 65000 -PeeringMode Automatic

Parameters explained: -LocalIPAddress is the IP address on this server used to source the BGP TCP connection. -PeerIPAddress is the IP address of the remote BGP speaker. -PeerASN is the AS number of the remote peer. -PeeringMode Automatic means the session is established and maintained automatically; the alternative is Manual, which requires explicit start/stop.

To add a second peer (for redundancy via a second ToR switch):

Add-BgpPeer -Name "Peer-ToR-Switch-02" -LocalIPAddress "10.0.0.1" -PeerIPAddress "10.0.0.253" -LocalASN 65001 -PeerASN 65000 -PeeringMode Automatic

To add an iBGP peer (same AS, typically for route reflector scenarios):

Add-BgpPeer -Name "iBGP-Peer-RR" -LocalIPAddress "10.0.0.1" -PeerIPAddress "10.0.0.2" -LocalASN 65001 -PeerASN 65001 -PeeringMode Automatic

Configure TCP MD5 authentication for a peer (strongly recommended for production deployments to prevent BGP session hijacking). The key is supplied when the peer is created, so an existing peer must be removed and re-added with the key:

$secureKey = ConvertTo-SecureString "BGPSecretKey123!" -AsPlainText -Force
Add-BgpPeer -Name "Peer-ToR-Switch-01" -LocalIPAddress "10.0.0.1" -PeerIPAddress "10.0.0.254" -LocalASN 65001 -PeerASN 65000 -PeeringMode Automatic -PeerKey $secureKey

Independently of authentication, cap the number of prefixes accepted from the peer and set its weight (a prefix limit stops a misconfigured neighbour from flooding the routing table):

Set-BgpPeer -Name "Peer-ToR-Switch-01" -MaxAllowedPrefix 1000 -Weight 100

Note: Windows Server BGP supports TCP MD5 authentication through the -PeerKey parameter on Add-BgpPeer. Check your specific build version for availability, as this feature was added in later updates. In scripts, read the key from a secure store or environment variable rather than embedding it as a literal.
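The install-to-peer procedure above, collected into one re-runnable script. This is an added example, not code from the tutorial. It assumes the tutorial's addresses and ASNs, that Get-RemoteAccess reports RoutingStatus as 'Installed' once LAN routing is configured, and that -PeerKey exists on this build, so the key is only passed when the BGP_PEER_KEY environment variable has been set.

```powershell
# Added example (not from the tutorial): idempotent RRAS + BGP router + peer setup.
$ErrorActionPreference = 'Stop'
$RouterId = '10.0.0.1'
$LocalAsn = 65001
$Peers = @(
    @{ Name = 'Peer-ToR-Switch-01'; Ip = '10.0.0.254'; Asn = 65000 },
    @{ Name = 'Peer-ToR-Switch-02'; Ip = '10.0.0.253'; Asn = 65000 }
)

# 1. Role features (Routing is the RRAS LAN routing sub-feature)
foreach ($feature in 'RemoteAccess', 'Routing') {
    if (-not (Get-WindowsFeature -Name $feature).Installed) {
        Install-WindowsFeature -Name $feature -IncludeManagementTools | Out-Null
    }
}
Import-Module RemoteAccess

# 2. RRAS in LAN-routing-only mode; Install-RemoteAccess fails if it is run twice
#    (assumption: RoutingStatus reads 'Installed' after a successful install)
$ra = Get-RemoteAccess -ErrorAction SilentlyContinue
if (-not $ra -or $ra.RoutingStatus -ne 'Installed') {
    Install-RemoteAccess -VpnType RoutingOnly
}

# 3. BGP router instance; Get-BgpRouter throws while none has been added
try { $null = Get-BgpRouter } catch { Add-BgpRouter -BgpIdentifier $RouterId -LocalASN $LocalAsn }

# 4. Peers. MaxAllowedPrefix caps what one ToR can push into the RIB, so a
#    misconfigured neighbour cannot exhaust memory or override local routes.
$existing = @(Get-BgpPeer -ErrorAction SilentlyContinue | ForEach-Object PeerName)
foreach ($p in $Peers) {
    if ($existing -contains $p.Name) { continue }
    $peerParams = @{
        Name = $p.Name; LocalIPAddress = $RouterId; PeerIPAddress = $p.Ip
        LocalASN = $LocalAsn; PeerASN = $p.Asn; PeeringMode = 'Automatic'
        MaxAllowedPrefix = 1000
    }
    if ($env:BGP_PEER_KEY) {
        # shared secret stays out of the script file (assumption: -PeerKey is supported)
        $peerParams.PeerKey = ConvertTo-SecureString $env:BGP_PEER_KEY -AsPlainText -Force
    }
    Add-BgpPeer @peerParams
}

# 5. Verify the result
Get-BgpRouter | Select-Object BgpIdentifier, LocalASN
Get-BgpPeer | Format-Table PeerName, PeerIPAddress, PeerASN, PeeringMode, ConnectivityStatus
```

Run the script from an elevated PowerShell session; every step checks current state first, so re-running it after a partial failure only performs the steps that are still missing.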

Advertising Networks via BGP

BGP does not automatically advertise networks reachable on an interface. You must explicitly tell the BGP router which prefixes to originate and advertise to peers. Use Add-BgpCustomRoute for this purpose.

To advertise a specific subnet:

Add-BgpCustomRoute -Network "192.168.10.0/24"

To advertise multiple subnets at once:

Add-BgpCustomRoute -Network "192.168.10.0/24", "192.168.20.0/24", "10.10.0.0/16"

To advertise routes based on an existing Windows routing table entry (interface routes):

Add-BgpCustomRoute -Interface "Ethernet"

This tells BGP to redistribute all routes associated with the Ethernet interface into BGP. To verify which networks are being advertised:

Get-BgpCustomRoute

To remove a network from advertisement:

Remove-BgpCustomRoute -Network "192.168.10.0/24"

BGP Routing Policies

BGP routing policies control which routes are accepted from peers and which routes are advertised to peers. They allow you to filter, modify attributes (like local preference, MED, community), and control traffic engineering. Windows Server BGP supports import policies (applied to received routes) and export policies (applied to routes being sent to peers).

Create a route filter policy that matches a specific prefix:

Add-BgpRoutingPolicy -Name "Filter-Default-Route" -PolicyType Deny -MatchPrefix "0.0.0.0/0" -PassThru

Create an allow policy for a specific prefix range (an Allow policy needs no attribute arguments; ModifyAttribute is for policies that change local preference, MED, next hop or community):

Add-BgpRoutingPolicy -Name "Allow-RFC1918" -PolicyType Allow -MatchPrefix "10.0.0.0/8" -PassThru

Policies are attached to peers with Add-BgpRoutingPolicyForPeer. Apply a policy in the import direction (controls what we accept from the peer):

Add-BgpRoutingPolicyForPeer -PeerName "Peer-ToR-Switch-01" -PolicyName "Filter-Default-Route" -Direction Ingress

Apply an export policy (controls what we advertise to the peer):

Add-BgpRoutingPolicyForPeer -PeerName "Peer-ToR-Switch-01" -PolicyName "Allow-RFC1918" -Direction Egress

To view all configured routing policies:

Get-BgpRoutingPolicy | Format-Table PolicyName, PolicyType, MatchPrefix, Action
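A complete import/export policy set for the two eBGP ToR peers defined earlier, as an added example that is not part of the tutorial. It assumes Add-BgpRoutingPolicy accepts -MatchNextHop and -NewLocalPref, that Add-BgpRoutingPolicyForPeer attaches policies, and that an attached Allow egress policy limits advertisement to the matched prefixes; the prefix values are the tutorial's own.

```powershell
# Added example (not from the tutorial): defensive ingress/egress policies.
$ErrorActionPreference = 'Stop'
$OwnPrefixes = @('192.168.10.0/24', '192.168.20.0/24')   # prefixes this server originates
$PeerNames   = @('Peer-ToR-Switch-01', 'Peer-ToR-Switch-02')
$BackupToRIp = '10.0.0.253'

# Ingress filters: a default route or one of our own prefixes arriving from a ToR
# is a leak or misconfiguration; accepting it would redirect or blackhole traffic.
Add-BgpRoutingPolicy -Name 'Deny-Default-In'      -PolicyType Deny -MatchPrefix '0.0.0.0/0'
Add-BgpRoutingPolicy -Name 'Deny-Own-Prefixes-In' -PolicyType Deny -MatchPrefix $OwnPrefixes

# Ingress traffic engineering: prefer the primary ToR by lowering local preference
# on everything learned via the backup ToR's next hop (default LocalPref is 100).
# Assumption: -MatchNextHop and -NewLocalPref are available on this build.
Add-BgpRoutingPolicy -Name 'Backup-ToR-LowPref' -PolicyType ModifyAttribute `
    -MatchNextHop $BackupToRIp -NewLocalPref 50

# Egress: only our own prefixes leave this router, so routes learned from one ToR
# are never re-advertised to the other through this server (assumed Allow semantics).
Add-BgpRoutingPolicy -Name 'Advertise-Own-Only' -PolicyType Allow -MatchPrefix $OwnPrefixes

foreach ($peer in $PeerNames) {
    Add-BgpRoutingPolicyForPeer -PeerName $peer -Direction Ingress `
        -PolicyName 'Deny-Default-In', 'Deny-Own-Prefixes-In'
    Add-BgpRoutingPolicyForPeer -PeerName $peer -Direction Egress -PolicyName 'Advertise-Own-Only'
}
Add-BgpRoutingPolicyForPeer -PeerName 'Peer-ToR-Switch-02' -Direction Ingress -PolicyName 'Backup-ToR-LowPref'

# Confirm attachment, then look in the RIB for anything the filters should have removed
Get-BgpPeer | Format-Table PeerName, IngressPolicyList, EgressPolicyList
Get-BgpRouteInformation |
    Where-Object { $_.DestinationNetwork -eq '0.0.0.0/0' -or $OwnPrefixes -contains $_.DestinationNetwork }
```

The final query should return nothing once the ingress policies are in place; any row it prints is a route that slipped past the filters and deserves investigation before the server is put into production.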

Monitoring BGP Sessions and Routes

Once BGP is configured and peers are added, monitor the session state and route table extensively before putting the configuration into production.

Check the state of all BGP peers:

Get-BgpPeer | Format-Table PeerName, PeerIPAddress, PeerASN, ConnectivityStatus, BgpState

The BgpState will progress through: Idle, Connect, Active, OpenSent, OpenConfirm, and finally Established. A peer that stays in the Active state has not managed to complete a TCP connection to port 179 on the peer; check routing and firewall rules between the two endpoints.

To view the BGP routing information base (RIB) — all routes learned from peers:

Get-BgpRouteInformation | Format-Table DestinationNetwork, NextHop, Origin, LocalPref, MED, AsPath

To filter routes learned from a specific peer:

Get-BgpRouteInformation -PeerName "Peer-ToR-Switch-01"

To get detailed per-peer BGP statistics:

Get-BgpPeerStatistics | Format-List

This shows counters for messages sent and received, route updates, withdrawals, and errors per peer.
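A health check built from the monitoring cmdlets above, suitable for a scheduled task, as an added example that is not part of the tutorial. It assumes Get-BgpPeer exposes MaxAllowedPrefix and reports ConnectivityStatus as 'Connected' for an established session, and that Get-BgpRouteInformation -PeerName returns the routes learned from that peer; the prefixes are the tutorial's own.

```powershell
# Added example (not from the tutorial): flag session loss, prefix-limit pressure
# and routes that should never arrive from a peer.
function Test-BgpHealth {
    param(
        [string[]]$OwnPrefixes = @('192.168.10.0/24', '192.168.20.0/24'),
        [double]$PrefixWarnRatio = 0.8
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($peer in Get-BgpPeer) {
        $name = $peer.PeerName
        # assumption: 'Connected' is the value shown for an established session
        if ($peer.ConnectivityStatus -ne 'Connected') {
            $findings.Add("$name session is '$($peer.ConnectivityStatus)', not Connected")
            continue
        }
        $routes = @(Get-BgpRouteInformation -PeerName $name)
        # approaching the prefix limit usually means the peer is leaking a full table
        # (assumption: MaxAllowedPrefix is exposed on the peer object)
        if ($peer.MaxAllowedPrefix -gt 0 -and
            $routes.Count -ge $PrefixWarnRatio * $peer.MaxAllowedPrefix) {
            $findings.Add("$name sent $($routes.Count) prefixes, limit is $($peer.MaxAllowedPrefix)")
        }
        foreach ($r in $routes) {
            # our own prefixes or a default route coming from a peer means the
            # ingress policy is missing or wrong, or the neighbour is misconfigured
            if ($OwnPrefixes -contains $r.DestinationNetwork) {
                $findings.Add("$name advertised our own prefix $($r.DestinationNetwork)")
            } elseif ($r.DestinationNetwork -eq '0.0.0.0/0') {
                $findings.Add("$name advertised a default route")
            }
        }
    }
    return $findings
}

$result = Test-BgpHealth
if ($result.Count -eq 0) {
    'BGP healthy: all peers connected, no unexpected routes'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Each finding maps to a single corrective action (restore the session, investigate the peer's configuration, or fix the ingress policy), so the warnings can be forwarded to a ticketing or alerting system as they are.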

Configuring Windows Server as a BGP Route Reflector

In large iBGP deployments, a full mesh of iBGP sessions between all routers is required unless route reflection is used. A route reflector (RR) accepts routes from iBGP clients and re-advertises them to other clients, eliminating the need for every router to peer with every other router. To enable route reflector functionality on the BGP router (the cluster ID is given as an integer that identifies this reflector's cluster):

Set-BgpRouter -RouteReflector $true -ClusterId 1

Add a BGP client peer and mark it as a route reflector client:

Add-BgpPeer -Name "RR-Client-01" -LocalIPAddress "10.0.0.1" -PeerIPAddress "10.0.0.10" -LocalASN 65001 -PeerASN 65001 -RouteReflectorClient $true -PeeringMode Automatic

Verify the route reflector configuration:

Get-BgpRouter | Select-Object RouteReflectorEnabled, ClusterId

BGP with Hyper-V Network Virtualization

In Hyper-V Network Virtualization (HNV) environments, BGP is used to distribute Customer Address (CA) to Provider Address (PA) mappings across the physical fabric. The RAS Gateway component runs BGP and peers with ToR switches to advertise virtual machine subnet prefixes. This allows the physical network to route traffic to the correct Hyper-V host based on the virtual network topology without requiring manual static routes on every switch.

In this scenario, each RAS Gateway instance is configured with an eBGP session to the ToR switches in its rack:

Add-BgpRouter -BgpIdentifier "172.16.0.1" -LocalASN 65100

Add-BgpPeer -Name "ToR-Rack1" -LocalIPAddress "172.16.0.1" -PeerIPAddress "172.16.0.254" -LocalASN 65100 -PeerASN 65000 -PeeringMode Automatic

Add-BgpCustomRoute -Network "10.100.0.0/24"

The 10.100.0.0/24 in this example represents the HNV provider address space being advertised so the physical switches know which host to send encapsulated packets to.

Troubleshooting BGP on Windows Server 2022

When BGP sessions fail to establish, use these diagnostic steps. First, verify TCP port 179 is reachable between peers:

Test-NetConnection -ComputerName "10.0.0.254" -Port 179

Check that the Windows Firewall allows inbound TCP 179:

Get-NetFirewallRule | Where-Object { $_.DisplayName -like "*BGP*" }

If no BGP rule exists, create one:

New-NetFirewallRule -DisplayName "Allow BGP Inbound" -Direction Inbound -Protocol TCP -LocalPort 179 -Action Allow -Profile Any

Restart a stuck BGP peer session by stopping and starting it:

Stop-BgpPeer -Name "Peer-ToR-Switch-01"
Start-BgpPeer -Name "Peer-ToR-Switch-01"

Remove and re-add a problematic peer:

Remove-BgpPeer -Name "Peer-ToR-Switch-01" -Force
Add-BgpPeer -Name "Peer-ToR-Switch-01" -LocalIPAddress "10.0.0.1" -PeerIPAddress "10.0.0.254" -LocalASN 65001 -PeerASN 65000 -PeeringMode Automatic

Check Windows event logs for RRAS and BGP-related errors:

Get-WinEvent -LogName "Microsoft-Windows-RemoteAccess-MgmtClient/Operational" -MaxEvents 50 | Format-List TimeCreated, Message
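The diagnostic steps above run in order for one peer and reported rather than auto-fixed, as an added example that is not part of the tutorial. It assumes the event log name used above, that Get-NetFirewallPortFilter exposes LocalPort and Protocol for a rule, and that Get-BgpPeer -Name returns the peer's configured PeerIPAddress and ConnectivityStatus.

```powershell
# Added example (not from the tutorial): collect the usual evidence for a peer
# that will not establish, without changing any configuration.
function Invoke-BgpPeerDiagnostic {
    param(
        [Parameter(Mandatory)][string]$PeerName,
        [int]$Events = 20
    )
    $peer   = Get-BgpPeer -Name $PeerName
    $peerIp = $peer.PeerIPAddress
    $report = [ordered]@{
        Peer   = $PeerName
        PeerIP = $peerIp
        Status = $peer.ConnectivityStatus
    }

    # 1. Can this host open TCP 179 towards the neighbour?
    $tcp = Test-NetConnection -ComputerName $peerIp -Port 179 -WarningAction SilentlyContinue
    $report.Tcp179Reachable = $tcp.TcpTestSucceeded

    # 2. Is there an enabled inbound allow rule for TCP 179? The neighbour may be
    #    the side that opens the session, so inbound matters even if step 1 passes.
    $inboundRule = $null
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and @($filter.LocalPort) -contains '179') {
            $inboundRule = $rule.DisplayName
            break
        }
    }
    $report.InboundRule = if ($inboundRule) { $inboundRule } else { 'none found' }

    # 3. Recent RRAS events that mention the peer address (log name as used above)
    $report.RecentEvents = Get-WinEvent -LogName 'Microsoft-Windows-RemoteAccess-MgmtClient/Operational' `
        -MaxEvents $Events -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($peerIp) } |
        Select-Object TimeCreated, Id, Message

    # 4. Suggested next step, derived from the evidence gathered above
    $report.NextStep = if (-not $report.Tcp179Reachable) {
        'Check routing and intermediate firewalls towards the peer'
    } elseif (-not $inboundRule) {
        'Add an inbound Windows Firewall rule for TCP 179'
    } elseif ($peer.ConnectivityStatus -ne 'Connected') {
        'Transport is fine; compare ASNs, peer addresses and MD5 keys on both sides'
    } else {
        'Session is up; review routes and policies instead'
    }
    [pscustomobject]$report
}

Invoke-BgpPeerDiagnostic -PeerName 'Peer-ToR-Switch-01' | Format-List
```

Because the function only reads state, it can be run on a production router at any time; the NextStep field points at the first layer (transport, firewall, BGP configuration) where the evidence says the problem lies.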

BGP on Windows Server 2022 provides a fully functional routing solution for virtualised and software-defined environments. While it is not intended to replace dedicated routing hardware in large-scale service provider deployments, it is well-suited for SDN overlays, HNV gateway roles, and medium-scale enterprise BGP edge routing scenarios.