-
Notifications
You must be signed in to change notification settings - Fork 459
Graceful Restart
Thomas Mangin edited this page Nov 13, 2025
·
4 revisions
BGP Graceful Restart (GR) enables BGP sessions to maintain forwarding state during control plane restarts, minimizing service disruption. ExaBGP provides full RFC 4724 implementation, supporting both Helper and Restarter roles for high-availability BGP deployments.
- What is Graceful Restart?
- How Graceful Restart Works
- ExaBGP GR Capabilities
- Graceful Restart Modes
- Configuration
- Use Cases
- Graceful Restart Process
- Monitoring and Verification
- Limitations and Considerations
- Common Errors and Solutions
- See Also
- References
Graceful Restart (GR) is a BGP capability defined in RFC 4724 that allows a BGP speaker to preserve forwarding state while the BGP control plane restarts. This minimizes traffic loss during planned maintenance, software upgrades, or control plane failures.
When a BGP session goes down, the traditional behavior is:
- BGP neighbor detects session failure (keepalive timeout)
- All routes from that neighbor are immediately withdrawn
- Forwarding stops β Traffic blackhole
- Session re-establishes
- All routes are re-learned
- Forwarding resumes
Result: Service disruption of 30-180 seconds depending on convergence time.
With Graceful Restart enabled:
- BGP session goes down (control plane restart)
- Forwarding state is preserved (routes remain in RIB/FIB)
- Helper peer marks routes as "stale" but keeps forwarding
- Session re-establishes within restart time
- Routes are refreshed
- Stale routes are removed
Result: Minimal to zero traffic loss (typically <5 seconds).
[Session Establishment]
ExaBGP (Restarter) BGP Peer (Helper)
β β
βββββ OPEN with GR Capability ββββββββββΆβ
β (Restart Time: 120s) β
β (Families: ipv4/unicast) β
β β
ββββββ OPEN with GR Capability ββββββββββ
β (Restart Time: 120s) β
β β
βββββ KEEPALIVE ββββββββββββββββββββββββΆβ
ββββββ KEEPALIVE ββββββββββββββββββββββββ
β β
β BGP session established β
β Routes exchanged normally β
[Control Plane Restart Scenario]
ExaBGP (Restarter) BGP Peer (Helper)
β β
β ExaBGP process restarts β
β (planned upgrade, crash) β
β β
ββ TCP session closes ββββββββββββββββΆ β
β β
β Helper detects
β session loss
β ββ Starts GR timer
β (120s restart time)
β ββ Marks routes STALE
β ββ KEEPS forwarding!
β β
β ExaBGP restarts β
β β
βββββ TCP SYN ββββββββββββββββββββββββββΆβ
ββββββ TCP SYN-ACK ββββββββββββββββββββββ
βββββ OPEN (with GR, R-bit set) ββββββββΆβ
β (R-bit = "I'm restarting") β
β β
ββββββ OPEN with GR βββββββββββββββββββββ
β β
βββββ KEEPALIVE ββββββββββββββββββββββββΆβ
ββββββ KEEPALIVE ββββββββββββββββββββββββ
β β
ββββββ Route Refresh Request ββββββββββββ
β (refresh stale routes) β
β β
βββββ UPDATE (all routes) βββββββββββββββΆβ
βββββ END-OF-RIB marker βββββββββββββββββΆβ
β β
β Helper removes
β stale routes
β ββ Forwarding updated
β β
β Graceful Restart complete β
Key Points:
- Helper peer preserves forwarding for
restart-timeseconds (configurable) - Restarter sets R-bit in OPEN message after restart
- Helper requests route refresh to update stale routes
- Stale routes removed after END-OF-RIB marker received
ExaBGP provides full RFC 4724 Graceful Restart implementation:
β Both GR Roles:
- Restarter: ExaBGP advertises GR capability and can perform graceful restart
- Helper: ExaBGP supports peers that perform graceful restart
β Per-Address-Family Support:
- IPv4 unicast
- IPv6 unicast
- VPNv4 / VPNv6
- FlowSpec
- EVPN
- All supported address families
β GR Capability Negotiation:
- Restart Time advertisement (seconds)
- Per-AFI/SAFI forwarding state flags
- R-bit (restart state) flag handling
β Stale Route Handling:
- Marks routes as stale during GR period
- Removes stale routes after convergence
- END-OF-RIB marker support (RFC 4724)
Implementation: src/exabgp/bgp/message/open/capability/graceful.py
RFC Compliance: RFC 4724 fully implemented
ExaBGP is the speaker performing the restart.
When ExaBGP restarts (planned or unplanned):
- BGP session closes
- Peer (Helper) preserves routes for
restart-time - ExaBGP re-establishes session with R-bit set
- ExaBGP re-announces all routes
- Peer removes stale routes
Configuration:
neighbor 192.168.1.1 {
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65000;
capability {
graceful-restart 120; # Restart time: 120 seconds
}
family {
ipv4 unicast;
}
}When to Use:
- ExaBGP process upgrades
- ExaBGP host maintenance
- Control plane restarts (while forwarding continues elsewhere)
ExaBGP's peer is performing the restart.
When the peer restarts:
- ExaBGP detects session loss
- ExaBGP marks peer's routes as stale
- ExaBGP keeps routes in its RIB (does NOT manipulate FIB - external process decides)
- Peer re-establishes with R-bit
- ExaBGP sends Route Refresh request
- Peer re-announces routes
- ExaBGP removes stale routes
Configuration:
neighbor 192.168.1.1 {
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65000;
capability {
graceful-restart 120;
}
family {
ipv4 unicast;
}
}When to Use:
- Peer router upgrades (Cisco, Juniper, etc.)
- Peer restarts while forwarding plane continues
- High-availability BGP deployments
Important: ExaBGP does NOT manipulate the FIB (Forwarding Information Base). External API processes receive route updates and must decide whether to maintain forwarding during graceful restart.
Enable GR with 120-second restart time:
neighbor 192.168.1.1 {
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65000;
capability {
graceful-restart 120; # Restart time in seconds
}
family {
ipv4 unicast;
ipv6 unicast;
}
}GR applies to all configured address families:
neighbor 2001:db8::1 {
router-id 192.168.1.2;
local-address 2001:db8::2;
local-as 65001;
peer-as 65000;
capability {
graceful-restart 180; # 3-minute restart window
}
family {
ipv4 unicast;
ipv6 unicast;
ipv4 flow; # FlowSpec also GR-capable
}
}Disable GR (default if not configured):
neighbor 192.168.1.1 {
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65000;
# No graceful-restart directive = GR disabled
family {
ipv4 unicast;
}
}| Parameter | Type | Default | Description |
|---|---|---|---|
graceful-restart |
Integer (seconds) | Disabled | Restart time (0-4095 seconds) |
Recommended Values:
- Small networks: 60-120 seconds
- Medium networks: 120-180 seconds
- Large networks: 180-300 seconds
Considerations:
- Longer restart time = more resilience to slow restarts
- Longer restart time = stale routes persist longer if restart fails
- Typical: 120 seconds (2 minutes)
Scenario: Upgrade ExaBGP to a new version without service disruption.
Architecture:
ExaBGP (Anycast DNS) BGP Router (Helper)
β β
βββββ Announces 8.8.8.8 ββββββββΆβ
β β
β (upgrade ExaBGP) β
β session closes β
β β
β Router keeps
β forwarding to
β 8.8.8.8 (GR)
β β
β (ExaBGP restarts) β
ββββββ Restore session ββββββββββ
βββββ Re-announce 8.8.8.8 βββββββΆβ
β β
β Zero packet loss! β
Configuration:
neighbor 192.168.1.1 {
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65000;
capability {
graceful-restart 120; # 2-minute upgrade window
}
family {
ipv4 unicast;
}
}Benefits:
- Zero service disruption during upgrades
- No need for redundant ExaBGP instances
- Simple upgrade workflow
Scenario: Anycast service with graceful failover.
Architecture:
βββββββββββββββ
β BGP Router β
β (Helper) β
βββββββββββββββ
β
ββββββββββ΄βββββββββ
β β
βββββββββββ βββββββββββ
β ExaBGP β β ExaBGP β
β Node 1 β β Node 2 β
β 1.1.1.1 β β 1.1.1.1 β
βββββββββββ βββββββββββ
β β
[Web Server] [Web Server]
Both nodes advertise the same anycast IP with GR enabled. During restarts, the router maintains forwarding to the restarting node while its forwarding plane continues serving traffic.
Scenario: Maintain DDoS filtering rules during ExaBGP restart.
Architecture:
ExaBGP (FlowSpec) Router (Helper + Enforcer)
β β
βββ FlowSpec: Block attacker βββΆβ
β (drop src 1.2.3.4) β
β β
β Router applies
β filter in hardware
β β
β (ExaBGP restarts) β
β session closes β
β β
β Router KEEPS
β filtering (GR)
β ββ Attacker still
β blocked!
β β
β (ExaBGP reconnects) β
βββ Re-send FlowSpec rules ββββββΆβ
β β
β DDoS protection maintained β
Configuration:
neighbor 192.168.1.1 {
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65000;
capability {
graceful-restart 120;
}
family {
ipv4 flow; # FlowSpec with GR
}
}Benefits:
- DDoS filters remain active during control plane restart
- No traffic leak window during upgrades
- Continuous attack mitigation
Scenario: ExaBGP as route reflector client with graceful restart support.
Architecture:
Route Reflector
(Helper Mode)
β
β
ββββββ΄βββββ
β β
ExaBGP ExaBGP
Client 1 Client 2
(GR) (GR)
Configuration:
neighbor 192.168.1.254 { # Route Reflector
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65001; # iBGP
capability {
graceful-restart 180;
}
family {
ipv4 unicast;
ipv6 unicast;
ipv4 vpn;
}
}[GR States]
IDLE
β
ββββΆ CONNECT
β
ββββΆ OPEN_SENT (GR capability advertised)
β
ββββΆ OPEN_CONFIRM (GR negotiated)
β
ββββΆ ESTABLISHED
β
β [Session Loss Detected]
βΌ
GR_RESTART
β
β (Helper: preserve routes)
β (Restarter: attempt reconnect)
β
ββββΆ [Timeout] βββΆ DELETE_STALE_ROUTES
β β
β ββββΆ IDLE
β
ββββΆ [Reconnect Success]
β
ββββΆ ESTABLISHED (Route Refresh)
β
ββββΆ END-OF-RIB received
β
ββββΆ GR_COMPLETE
RFC 4724 defines END-OF-RIB (End-of-Routing-Information-Base) marker to signal completion of route updates after graceful restart.
Format:
- Empty UPDATE message for IPv4 unicast
- MP_UNREACH_NLRI with no routes for other address families
ExaBGP Behavior:
- Sends END-OF-RIB after re-announcing all routes post-restart
- Recognizes END-OF-RIB from peers to complete GR process
- Removes stale routes after END-OF-RIB received
Enable API monitoring:
[exabgp.api]
encoder = json
neighbor 192.168.1.1 {
# ... neighbor config ...
api {
processes [ monitor-gr ];
}
}
process monitor-gr {
run python3 /etc/exabgp/api/monitor.py;
encoder json;
}API messages during graceful restart:
{
"type": "notification",
"notification": "neighbor 192.168.1.1 up",
"neighbor": {
"address": { "local": "192.168.1.2", "peer": "192.168.1.1" },
"asn": { "local": 65001, "peer": 65000 }
}
}Capability negotiation:
{
"type": "open",
"neighbor": {
"address": { "peer": "192.168.1.1" },
"capabilities": {
"graceful-restart": {
"enabled": true,
"restart-time": 120
}
}
}
}Enable GR logging:
[exabgp.log]
level = INFO
network = true
packets = trueLog output example:
INFO network Peer 192.168.1.1: Graceful Restart capability negotiated (restart-time: 120s)
INFO network Peer 192.168.1.1: Session established with GR
WARNING network Peer 192.168.1.1: Session lost - starting GR timer (120s)
INFO network Peer 192.168.1.1: Reconnected with R-bit set (graceful restart in progress)
INFO network Peer 192.168.1.1: Received END-OF-RIB - GR complete
INFO network Peer 192.168.1.1: Removed 0 stale routes
Before restart:
- β Verify GR capability negotiated: check OPEN messages
- β Confirm restart-time value: check logs or API
- β Test BGP session stability
During restart:
- β Verify peer preserves routes (Helper mode)
- β Verify reconnection within restart-time
- β Check R-bit set in OPEN message
After restart:
- β Verify all routes re-announced
- β Confirm END-OF-RIB sent/received
- β Verify stale routes removed
-
No FIB Manipulation
- ExaBGP does NOT install routes into the kernel FIB
- External API processes must handle forwarding state preservation
- GR only affects ExaBGP's RIB and what it advertises to peers
-
API Process Coordination
- API processes must independently preserve forwarding state
- ExaBGP's restart does NOT guarantee external process continuity
- Design external processes for independent graceful restart
-
Restart Time Window
- ExaBGP must re-establish session within configured restart-time
- If exceeded, peer removes all routes β traffic loss
- Plan for worst-case restart duration
-
Not a Replacement for Redundancy
- GR provides restart resilience, not failure protection
- Use redundant ExaBGP instances for true high availability
- GR complements (not replaces) multi-homing and anycast
-
Peer Support Required
- Both peers must support and negotiate GR capability
- Verify peer router supports RFC 4724
- Check vendor-specific GR limitations
-
Address Family Support
- GR applies per address family
- Not all address families may support GR on all routers
- Verify AFI/SAFI GR support with peer equipment
-
Stale Route Risk
- If restart fails, stale routes may blackhole traffic
- Peer's restart-time determines how long stale routes persist
- Monitor GR failures and have rollback procedures
Symptom: GR configured but not negotiated with peer.
Logs:
WARNING Peer 192.168.1.1: Graceful Restart capability not negotiated
Causes:
- Peer does not support GR (RFC 4724)
- Peer has GR disabled
- Configuration mismatch
Solutions:
# Check peer GR configuration
# Cisco:
router bgp 65000
neighbor 192.168.1.2 activate
neighbor 192.168.1.2 graceful-restart
# Juniper:
protocols {
bgp {
group peers {
graceful-restart;
}
}
}
# Verify ExaBGP config
grep graceful-restart /etc/exabgp/exabgp.confSymptom: Session does not re-establish within restart-time.
Logs:
ERROR Peer 192.168.1.1: Graceful restart timeout (120s exceeded)
INFO Peer 192.168.1.1: Removing stale routes
Causes:
- ExaBGP restart took longer than configured time
- Network issues preventing reconnection
- restart-time value too short
Solutions:
# Increase restart-time
neighbor 192.168.1.1 {
capability {
graceful-restart 300; # 5 minutes instead of 2
}
}
# Or optimize ExaBGP startup time
# Reduce configuration size
# Use faster storage
# Optimize API processesSymptom: Session re-establishes but routes missing.
Causes:
- API process not re-announcing routes
- Configuration lost during restart
- Process startup race condition
Solutions:
# API process must re-announce all routes after restart
import sys
import time
def announce_routes():
"""Re-announce all routes after ExaBGP restart"""
routes = [
"announce route 10.0.0.0/8 next-hop 192.168.1.2",
"announce route 172.16.0.0/12 next-hop 192.168.1.2",
]
for route in routes:
sys.stdout.write(f"{route}\n")
sys.stdout.flush()
# On startup, wait for session establishment
time.sleep(5)
announce_routes()Symptom: Peer does not preserve routes during graceful restart.
Causes:
- Peer GR helper mode disabled
- Peer does not support GR for address family
- Session terminated ungracefully
Solutions:
# Verify peer GR helper capability
# Cisco:
show bgp neighbors 192.168.1.2 | include Graceful
# Juniper:
show bgp neighbor 192.168.1.2 | match graceful
# ExaBGP logs should show GR negotiation
[exabgp.log]
level = DEBUG
network = true
# Check for GR capability in OPEN message- Route Refresh - Route refresh capability (complements GR)
- API Overview - API integration for route management
- Service High Availability - HA patterns with GR
- Anycast Management - Anycast with graceful restart
- Configuration Syntax - Complete configuration reference
- RFC 4724: Graceful Restart Mechanism for BGP
- RFC 4271: BGP-4 base specification
- RFC 2918: Route Refresh Capability for BGP-4
- RFC Support - All implemented RFCs
- RFC Information - Detailed RFC implementation list
-
Source Code:
src/exabgp/bgp/message/open/capability/graceful.py - Capability Type: 64 (0x40)
- ExaBGP Version: 3.x, 4.x, 5.x/main
π» Ghost written by Claude (Anthropic AI)
π Home
π Getting Started
π§ API
π‘οΈ Use Cases
π Address Families
βοΈ Configuration
π Operations
π Reference
- Architecture
- BGP State Machine
- Communities (RFC)
- Extended Communities
- BGP Ecosystem
- Capabilities (AFI/SAFI)
- RFC Support
π Migration
π Community
π External
- GitHub Repo β
- Slack β
- Issues β
π» Ghost written by Claude (Anthropic AI)