BGP Saturation Test — primer
Help Center primer for the BGP Routing Table Saturation test (Wave 6, BGP-10). Pairs with ADR 0012.
What it tests
Most NGFWs have ample data-plane throughput but silently fall over when their control plane (routing daemon) is asked to carry tens of thousands of BGP routes. This test:
- Stands up a BGP peer (VyOS + FRR) sharing only an L2 link with the NGFW under test.
- Advertises a chosen number of prefixes (synthetic or real Internet snapshot).
- Measures convergence (T₅₀ / T₉₅ / T₉₉), DUT memory + CPU peak, and churn recovery (p95) when withdraw/re-advertise is enabled.
- Renders Annex L in the report so customers see exactly when the DUT runs out of headroom.
Three-axis configuration
| Axis | Options |
|---|---|
| `enabled` | yes / no |
| `afi_stack` | ipv4-only / ipv6-only / dual-stack (default) |
| `route_count_mode` | 100 / 1k / 10k / 100k / 1m / real-internet-snapshot / fit-to-dut-capacity |
The dashboard pre-validates the (SKU, route_count_mode) pair against the DUT catalog. Picking real-internet-snapshot on a SKU below ~950K v4 RIB capacity returns a warning and suggests fit-to-dut-capacity.
Static-route precedence — safety guarantee
Persona forwarding uses static routes (admin distance 1). eBGP-injected routes (admin distance 20) NEVER win, even when overlapping prefixes appear in a real Internet snapshot. Persona reachability is therefore unaffected by BGP route flap or load.
Layered vs standalone
- Standalone: pick `test_kind = bgp-saturation` to run pure control-plane stress with no data traffic.
- Layered: any data-plane test (TLS throughput, branch office, inspection profile, etc.) can enable the `bgp_layered` modifier to run BGP saturation in parallel — full-plane stress.
Reading Annex L
The PDF report ships an Annex L block per BGP run:
- DUT → label + vendor RIB capacity
- Run config → the 3 axes
- Convergence → T₅₀ / T₉₅ / T₉₉ (use this vs vendor datasheet claims)
- Resource envelope → peak memory + CPU during advertise burst
- Churn signature → withdraw recovery p95 (when enabled)
- Errors → only present when something failed
- Static-route precedence reminder (always present)
Common patterns
| Symptom | Likely cause |
|---|---|
| T₉₉ never reached, FIB stalls below target | DUT RIB capacity exceeded — pick smaller mode or fit-to-dut-capacity |
| Memory crosses 95%, alert fires | DUT undersized — capture peak metrics for sales conversation |
| Session flapping during advertise | DUT BGPd CPU saturated, restarting under route load |
| Slow churn recovery > 30s | DUT re-resolving routes through software path under churn |
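
The sketch below shows how the Annex L convergence figures and the symptoms in the table above relate. It is an added example, not code from the test harness. It assumes T_p is the time from the start of the advertise burst until the DUT FIB first holds p% of the advertised prefixes; the function names and the (seconds, FIB count) sample format are hypothetical, and the sample runs are constructed.

```python
"""Added example: derive T50/T95/T99 from FIB-count samples and triage the run.

Assumption (not stated on the page): T_p is the time from the start of the
advertise burst until the DUT FIB first holds p% of the advertised prefixes.
"""
import math


def convergence_times(samples, advertised, percentiles=(50, 95, 99)):
    """samples: iterable of (seconds_since_advertise_start, fib_route_count).

    Returns {p: seconds or None}; None means the FIB never reached p%.
    """
    ordered = sorted(samples)
    result = {}
    for p in percentiles:
        need = math.ceil(advertised * p / 100)
        result[p] = next((t for t, count in ordered if count >= need), None)
    return result


def triage(times, peak_mem_pct, churn_p95_s=None):
    """Map measurements to the symptoms in the Common patterns table."""
    findings = []
    if times.get(99) is None:
        findings.append("T99 never reached: DUT RIB capacity exceeded")
    if peak_mem_pct > 95:
        findings.append("memory crossed 95%: DUT undersized")
    if churn_p95_s is not None and churn_p95_s > 30:
        findings.append("churn recovery > 30s: software-path re-resolution")
    return findings


# Constructed samples: 100k prefixes advertised, FIB stalls at 97,500.
STALLED = [(0, 0), (2, 31_000), (4, 50_000), (6, 78_000), (9, 95_000),
           (12, 97_500), (20, 97_500), (30, 97_500)]
# Constructed samples: same load on a DUT that converges fully.
HEALTHY = [(0, 0), (2, 40_000), (4, 72_000), (6, 96_000), (8, 99_400),
           (10, 100_000)]

if __name__ == "__main__":
    for name, run, mem in (("stalled", STALLED, 96.5), ("healthy", HEALTHY, 71.0)):
        t = convergence_times(run, advertised=100_000)
        print(name, t, triage(t, peak_mem_pct=mem, churn_p95_s=12.0))
```

A `None` for T₉₉ alongside finite T₅₀ and T₉₅ is the stalled-FIB signature from the first table row: the DUT accepted most of the table and then stopped installing routes.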
Related
- ADR 0012 — design lock + safety reasoning
- BGP Saturation dashboard — operator entry point
- Grafana dashboard `bgp-saturation-detail` — live metrics