BGP

From Network Security Wiki


Introduction

Protocol Specifications
Protocol Type Path vector
Peering mechanism Manual peering between neighbors
eBGP AD 20
iBGP AD 200
Rights Open standard
Supported protocols IPv4, IPv6
Transport TCP/179
Update mode Triggered(Internal 5s, External 30s)
Timers Hello (60 sec)
Authentication None, MD5
Specifications RFC 4271


  • Usage applications
BGP is needed for redundancy of servers. BGP is not used for providing redundancy to users for internet access.
Customer connected to multiple Internet service providers (ISPs).
Service provider networks (Transit autonomous system).
Network cores of very large enterprise networks (distribution or core layer)as a backup or redundant routing protocol due to its stability.
  • Customer's Network will become a Transit Autonomous system if ISP traffic passes through your AS.
  • Session Establishment facts
BGP neighbors are not discovered.
They must be configured manually on both sides of the connection.
TCP port 179 is used. 
Only one session remains if both connection attempts succeed.
  • Without tuning behaves like RIP, considers AS as a Hop.
  • BGP is an advanced Path Vector Protocol and has following advantages:
Reliable updates (using TCP)
Triggered updates only
Rich metric (Path attributes)
Scalable to massive networks
Updates are Incremental and Triggered
  • Only 1 instance of BGP can be run on a router. It will show an error if running it with another AS Number.

BGP States

Idle           Neighbor is not responding/Verifying Route to neighbor
Active         Attempting to connect
Connect        TCP session established
OpenSent       Open message sent
OpenConfirm    Neighbor replied with Open Message
Active(2nd)    Neighbor failed to reply or Mismatched Parameter
Established    Adjacency established

BGP Messages

Open            Starts the Session
Update          Network Reachability Exchanges
Keepalive       Sent every 60 seconds
Notification    Always indicate something is wrong

BGP Tables

Neighbor Table        Configured/Connected BGP Peers
BGP Table             List of All BGP Routes(Can be Huge)
Routing Table         List of Best Routes

Loopback Interface

        This section is under construction.


Attributes[1]

Mnemonics: N-WLLA-OMNI-ORN

  • Full Internet BGP routing table is more than 300K routes and a BGP router can receive multiple copies of that routing table from multiple providers, router has to compare those multiple entries and select only the best route for the routing table.
  • It uses the BGP Best Path Selection Algorithm to do this.
  • Routes installed by different BGP instances are compared by the general algorithm, i.e. route distances are compared and the route with lower distance is preferred.

Well known BGP attribute types:

Well-known mandatory: Attributes of this type must be understood by all BGP implementations and must EXIST in the BGP update messages.
Well-known discretionary: Attributes of this type must be understood by all BGP implementations but they don’t have to exist in all BGP updates to all neighbors.

Optional BGP attribute types:

Optional transitive: optional BGP attributes as the name implies don’t need to be understood by all BGP implementations, but since the transitive flag is set they will be passed to other neighbors. 
Optional non-transitive: Attributes of this type are also optional as the name implies and will not be passed to other neighbors. 


Attribute Which is better Type
Next Hop reachable Route cannot be used if next hop is unreachable Well-known Mandatory
Weight Bigger; value local to the router; Cisco proprietary; default is 0 for all routes not originated by local router
Local Preference Bigger; used within AS and exchanged bw iBGP routers; default is 100 Well-known discretionary
Locally Injected (Originate) Prefer path local router originated; Locally injected > iBGP/eBGP learned; In BGP table it will hv next hop 0.0.0.0
AS Path Length Smaller; e.g: AS path 1 2 3 is preferred over AS path 1 2 3 4 5 Well-known Mandatory
Origin Prefer IGP(advertised by network cmd - i) > EGP > INCOMPLETE - '?'(reditributed) Well-known Mandatory
MED(Metric) Smaller; used to advertise to neighbors how they should enter your AS; propagated to all routers within the neighbor AS but not passed along any other AS Optional non-transitive
Neighbor Type Prefer eBGP over iBGP
IGP Metric to Next Hop Smaller; Prefer the path within the AS with the lowest IGP metric to the BGP next hop
Oldest path Prefer the path that we received first
Router ID Prefer the path with the lowest BGP neighbor router ID (Manually conf > Highest Loopback IP address > Highest Interface IP address)
Neighbor IP address Prefer the path with the lowest neighbor IP address


  • Directions
Aspath prepend:  Applied outwardly.
                 Impacts incoming path.
                 Shorter the as-path length higher the preference
                 As-path prepend is the way to add AS number to the list of subnet u want to advertise. 
                 This is a way to route poisoning. 
                 Tell the outside world not to follow the path.
Local preference:  Applied while the traffic coming inside.  
                   Impacts traffic while going out.  
                   Non transitive. 
                   Propagates within the same as-path.
                   Higher the local preference value higher the preference
MED:  Multi Exit Discriminator
      When your router has connection with two other routers with same AS. 
      You can use MED value to mention which networks should be accessed through which links. 
      It is advertised outwards. 
      Impacts the incoming traffic. 
      Semi transitive. 
      Propagates to one AS.
      Lower the MED value higher the preference.
      MED should be used carefully as it reduces network resiliency.

Filter with Route Maps

  • Route maps are very powerful filtering tools, they can be used to accomplish the following tasks:
Filter on IP prefixes coming from a specific autonomous system
Filter on other BGP attributes
Modify BGP attributes
  • Match clauses in the BGP route map can be based on the following:
IP network numbers and subnet masks (prefix list or access list)
Route originator
Next hop
Origin code
Tag value attached to an Interior Gateway Protocol (IGP) route
Autonomous system path
Community
IGP route type
  • With a route map, the following can be set:
Origin
Next hop
Weight
Community
Local preference
MED
  • You can apply a route map on incoming or outgoing routing information for a neighbor.
  • The routing information must be permitted by the route map to be accepted.
  • If the route map has no statement explicitly permitting a route, the route is implicitly denied and dropped.
  • The syntax required is as follows:
Router(config-router)# neighbor ip-address route-map name in|out

Route Reflector?[2]

  • Any route received from an iBGP neighbor must not be advertised to any other iBGP neighbor.
  • This requires all iBGP routers be connected in logical full mesh topology, which is not scalable.

Two solution possible:

BGP confederations
Route reflectors
  • A route reflector is BGP router that is allowed to break the iBGP loop avoidance rule.
  • Route reflectors can advertise updates received from an iBGP peer to another iBGP peer.
  • This allow for building iBGP networks that scale easily.
  • IBGP routers are divided into:
Route Reflectors
Route Reflector Clients
Non-Client Peers
  • Routes received from:
RR-client is reflected to other clients and non-client neighbors
Non-client neighbors are reflected to Route-Reflector-client neighbors only
  • An RR reflecting the route received from a RR-Client adds:
Originator ID - Router ID of the originator of the route in the local AS. 
                If the update comes back to the originator, it ignores the update.
Cluster List - Router ID of RR. A list of Cluster IDs that an update has traversed. 
               When a RR sends a route received from a client to a non-client, it appends the local Cluster ID. 
               If a RR receives a route whose Cluster List contains the local Cluster ID, it ignores the update.
  • RR reflects routes considered as best routes only.
  • If more than one update is received for the same destination only the BGP best route is reflected.
  • RR is not allowed to change any attributes of the reflected routes including the next-hop attribute.
  • Loop Prevention:
If a router received an iBGP route with the Originator-ID attribute set to its own router-id, the route is discarded.
If a route reflector receives a route with a cluster-list attribute containing its cluster-id, the route is discarded.
  • Config:
[Client1]------------------[RR1]------------------[Client2]
RR1 router
router bgp 100
 neighbor 172.16.1.2 remote-as 100
 neighbor 172.16.1.2 route-reflector-client
Client1 router
router bgp 100
 neighbor 172.16.1.1 remote-as 100
 network 11.1.1.1 mask 255.255.255.255     --> Route to be reflected

Verification on RR1:

show ip bgp 11.1.1.1
show ip bgp neighbors 172.16.1.2 advertised-routes

Confederation

  • RR does not require major changes to existing configuration
  • It implies choosing routers that will act as a focal point for iBGP sessions within a single AS, running a single IGP.
  • Confederations needs quite a config change and architecture.
  • Confederations may contain different IGPs, adding more flexibility to scaling your network.
  • In case your IGP is exceeding its scalability limit and becomes unmanageable, use Confederation.
  • A method to subdivide a single AS into multiple internal sub-AS's, yet still advertise as a single AS to external peers.
  • The intent is to reduce iBGP mesh size, scalable approach for a large autonomous system.
  • Each of Sub-AS has its own AS number.
  • Reduces the total number of iBGP peering sessions per router within AS.
  • Large no of iBGP sessions can consume bandwidth and cause high CPU utilization, so negatively affect the performance.
  • Each sub-AS has different AS number.
  • All peers in sub-AS are fully meshed in order to learn external routes from external sources.
  • Every sub-AS is identified by its unique AS number(private: 64512 – 65535), the connection between them is always eBGP peering called Intra-Confederation eBGP.
  • eBGP routes between sub-ASs called Confederation External Routes, are preferred over iBGP routes.
  • If BGP has to choose between two paths, one leading inside sub-AS and other outside sub-AS, within confederation, it will choose the external path – to neighboring sub-AS.
  • To choose between Confederation eBGP route and eBGP route leading outside of confederation, BGP will choose the second one.
  • AS_PATH attribute contains AS_CONFED_SET parameter which is modified inside the confederation only
  • In case the confederation runs one IGP, NEXT_HOP, MED, LOCAL_PREF do not change when routing update traverses Intra-Confederation eBGP
Config

Source: networklessons.com

[R2 AS-2 SubAS-24]------------------------[R3 AS-2 SubAS-35]

R2:

R2(config)#router ospf 1
R2(config-router)#network 2.2.2.2 0.0.0.0 area 0

R2(config)#router bgp 24
R2(config-router)#bgp confederation identifier 2
R2(config-router)#bgp confederation peers 35
R2(config-router)#neighbor 3.3.3.3 remote-as 35
R2(config-router)#neighbor 3.3.3.3 update-source loopback 0
R2(config-router)#neighbor 3.3.3.3 ebgp-multihop 2


R3:

R3(config)#router ospf 1
R3(config-router)#network 3.3.3.3 0.0.0.0 area 0

R3(config)#router bgp 35
R3(config-router)#bgp confederation identifier 2
R3(config-router)#bgp confederation peers 24
R3(config-router)#neighbor 2.2.2.2 remote-as 24
R3(config-router)#neighbor 2.2.2.2 update-source loopback 0
R3(config-router)#neighbor 2.2.2.2 ebgp-multihop 2
Verification
R2(config)#interface loopback 5
R2(config-if)#ip address 55.55.55.55 255.255.255.255

R2(config)#router bgp 35
R2(config-router)#network 55.55.55.55 mask 255.255.255.255
R3#show ip bgp 55.55.55.55
~
     Origin IGP, metric 0, localpref 100, valid, confed-internal, best

Route Aggregation

Source noction.com

RA also known as BGP Route Summarization
A method to minimize the size of the routing table
Announcing the whole address block received from the Regional Internet Registry (RIR) to other ASes. 
RA is opposite to non-aggregation routing, where individual sub-prefixes of the address block are announced to BGP peers. 
RA reduces the size of the global routing table, decreases routers’ workload and saves network bandwidth.
  • BGP Route Aggregation with Static Discard Route:
Firstly create an aggregate address with a static discard route 70.36.0.0/20 pointing to a null interface. 
The discard static route 70.36.0.0/20 configured on a router R1 makes the router to discard any packet that matches the route. 
However, as long as there are more specific (longer prefix) working routes in a routing table of the router R1, packets matching these routes are not discarded. 
The BGP tables of R2 and R3 routers are injected with the network command configured on R1 router, matching the static discard route.
router bgp 3695
bgp log-neighbor-changes
network 70.36.0.0 mask 255.255.240.0
neighbor 12.0.0.2 remote-as 11260
!
ip route 70.36.0.0 255.255.240.0 Null0
  • BGP Route Aggregation with Aggregate-address Command
Now make the router R1 advertise the aggregate prefix 70.36.0.0/20 to its BGP neighbor R2. 
The aggregate address is advertised to a neighbor as long as it represents at least one part of the aggregate address in the BGP table of a router. 
The parts are called components or the contributing routes and represent more specific matches for the aggregated route. 
We will inject a single route 70.36.0.0/24 into the BGP table of R1 with the network command.
router bgp 3695
bgp log-neighbor-changes
network 70.36.0.0 mask 255.255.255.0
aggregate-address 70.36.0.0 255.255.240.0
neighbor 12.0.0.2 remote-as 11260
        This section is under construction.
  • Option summary-only
  • Option suppress-map
  • Option unsuppress-map
  • Option attribute-map
  • Option advertise-map
  • Option as-set

Routing Information Base (RIB)

BGP Routing Information Base consists of three parts as explained below:

  • The Adj-RIBs-In:
BGP RIB-In stores BGP routing information received from different peers. 
The stored information is used as an input to BGP decision process. 
In other words this is the information received from peers before applying any attribute modifications or route filtering to them.
  • The Local RIB:
The local routing information base stores the resulted information from processing the RIBs-In database’s information.
These are the routes that are used locally after applying BGP policies and decision process.
  • The Adj-RIBs-out:
This one stores the routing information that was selected by the local BGP router to advertise to its peers through BGP update messages. 
Do not forget; BGP only advertises best routes if they are allowed by local outbound policies.

Community

Source: networkers-online.com

  • A numerical value that can be assigned to a specific prefix and advertised to other neighbors.
  • When the neighbor receives the prefix it will examine the community value and take proper action whether it is filtering or modifying other attributes.
  • By default the community attribute is removed from the update before being sent to the neighbor.
  • To allow community values to be sent to a specific neighbor
neighbor x.x.x.x send-community
  • BGP has default 4 well known communities that can be used to mark prefixes:
Internet:     advertise these routes to all neighbors.
Local-as:     prevent sending routes outside the local As within the confederation.
No-Advertise: do not advertise this route to any peer, internal or external.
No-Export:    do not advertise this route to external BGP peers.
  • Communities can be used to mark a set of prefixes that share a common property.
  • Upstream providers can use these marks to apply a common routing policy such as filtering or assigning a specific local preference.
  • Set community attribute values by:
Network command
Aggregate address
Neighbor command
Redistribution
  • Configuration
R1 Config
ip bgp-community new-format

route-map SETCOM
 set community 1:10

router bgp 12
 neighbor 192.168.12.2 remote-as 12
 neighbor 192.168.12.2 send-community

network 150.1.1.0 mask 255.255.255.0 route-map SETCOM
R2 Before applying any policies
R2# show ip bgp 150.1.1.0
BGP routing table entry for 150.1.1.0/24, version 2
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  Local
    192.168.12.1 from 192.168.12.1 (192.168.127.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Community: 1:10
R2 Config - Match the community using a standard community-list
ip community-list 1 permit 1:10

route-map COM
 match community 1
 set metric 100

router bgp 12
 neighbor 192.168.12.1 route-map COM in
R2 After applying the policy
R2 #sh ip bgp 150.1.1.0/24
BGP routing table entry for 150.1.1.0/24, version 3
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x800
  Not advertised to any peer
  Local
    192.168.12.1 from 192.168.12.1 (192.168.127.1)
      Origin IGP, metric 100, localpref 100, valid, internal, best
      Community: 1:10

Synchronization

  • Do not Use or Advertize to eBGP a route learned by iBGP unless the same has been learned by IGP as well.
  • This is used to prevent the traffic form getting dropped by the intermediate routers, a method of circumventing black-holes in transit networks.
  • This rule requires the redistribution of the BGP routes into the IGP in order to validate via the IGP.
  • But this is non scalable due to size of Internet Routing Table therefore is disabled by default(since 12.2).
  • To prevent black-holes in transit networks, iBGP needs to be run on all routers since BGP only can handle this amount of prefixes.

Auto-Summarization

  • Normally when you advertise a network in BGP you have to type in the exact network and subnet mask that you want to advertise or it won’t be placed in the BGP table.
  • With auto-summary enabled, you can advertise a classful network and you don’t have to add the mask parameter.
  • BGP will automatically advertise the classful network if you have the classful network or a subnet of this network in your routing table.

Config:

R1(config)#router bgp 1
R1(config-router)#auto-summary
R1(config-router)#network 1.0.0.0

Next Hop Processing

  • eBGP: Changes next hop address on advertized routes.
  • iBGP: Do not changes next hop address on advertized routes.
  • iBGP was designed to be run in Frame Relay, Ethernet:
        [R1]    [R3]
          |       |
          ---------
              |
             [R2]
  • Here if Peering is formed between R1-R2 & R2-R3.
  • Traffic from R1 can reach R3 directly if the next hop IP is not changed.
  • Else it needs to pass through R2 unnecessarily.
  • Can be changed with:
neighbor 1.1.1.1 next-hop-self

BGP Split Horizon

  • Do not send updates that you receive from iBGP to other iBGP peers
  • Override it as:
R1(config)# router bgp 21
R1(config-router-af)# neighbor 192.0.2.1 remote-as 100
R1(config-router-af)# neighbor 192.0.2.1 activate
R1(config-router-af)# neighbor 192.0.2.1 as-override split-horizon

Peer Groups

neighbor IBGP_PEERS peer-group
neighbor IBGP_PEERS remote-as 5500 
neighbor IBGP_PEERS next-hop-self
neighbor IBGP_PEERS update-source lo1
neighbor 3.3.3.3 peer-group IBGP_PEERS
neighbor 2.2.2.2 peer-group IBGP_PEERS
neighbor 4.4.4.4 peer-group IBGP_PEERS

MED vs Local Preference vs Weight

Multi-Exit Discriminator
  • The MED is an optional attribute that comes in handy when there are multiple entrance paths to an AS.
  • The remote AS sets MED values to tell the other AS which path to use.
  • The MED is passed between the two autonomous systems, but the value is not passed to any other ASs.
  • The path with the lowest MED is the preferred path.
  • This attribute is only used to influence entry INTO the AS.


Local Preference
  • LOCAL_PREF is a well-known attribute that is also used when multiple paths between autonomous systems exist.
  • The LOCAL_PREF attribute is just local and exclusive to the AS.
  • Routers within the local AS are told what path to use to exit that AS.
  • The local preference value is passed only among iBGP peers, and this value never leaves the local AS.
  • Local Preference is configured in Incoming direction.
  • Configure Local Pref R3 so that R1 will prefer routes learned via R3.
  • Local Pref stays inside AS only.
  • Configured for the whole BGP process on the router.


Weight
  • Cisco Proprietary
  • Weight is configured for Outgoing direction:
 [R1]-------[R2]
   |
   |--------[R3]
  • If you want R1 to prefer R3, Configure more weight on R1
  • Configured on Per-Neighbor basis.


Example Scenario
   <--AS3--> <--AS100-->
   |------[R2]--------[R4]
 [R1]      |
   |------[R3]--------[R5]
  • Weight R1 to R2 or R3:
   |------>                   Applied
   |------>                   Traffic Impacted
  • Local Preference R2 to R1 or R3 to R1:
   <------|                   Applied
   |------>                   Traffic Impacted
  • MED R4 to R2 or R5 to R3:
            |--------->       Applied
            <---------|       Traffic Impacted


ASPath Prepend

Source: noction.com

  • AS path is a well-known mandatory attribute, which means that it’s present for all prefixes exchanged between BGP neighbors.
  • When a BGP router sends out an update to a neighbor in a different autonomous system (i.e., an external or eBGP neighbor), it adds its own AS number to the front (left side) of the AS path.
  • So the AS path lists all the ASes that need to be traversed to reach the location where the prefix that the path is attached to is advertised from.
  • As such, a traceroute should encounter those same ASes.
  • The main purpose of the AS path is to avoid loops.
  • Prepending means adding one or more AS numbers to the left side of the AS path.
  • Normally this is done using one’s own AS number, using someone else’s AS number for this can have unintended side effects.

Config:

router bgp 65123
neighbor 198.51.100.90 remote-as 65456
neighbor 198.51.100.90 description IX peer
neighbor 198.51.100.90 route-map prepend out
!
route-map prepend permit 10
set as-path prepend 65123

BGP Route Dampening

Source: noction.com

  • The unstable route whose availability alters repeatedly is called a flap.
  • When flaps occur, excessive number of BGP UPDATE messages are sent to BGP peers which in turn increases the load of the peers and excessively consumes CPU power.
  • The goal of BGP route dampening when first introduced was to reduce the propagation of flapping routes without affecting the convergence time of the stable routes.
  • It was designed to decrease the load on routers and increase the overall network stability, as the stable prefixes would still be advertised while the propagation of the flapping routes would remain suppressed until such routes become stable again.
  • BGP Route dampening was applied locally on the routes learned by the eBGP peers.
  • When the command bgp dampening is enabled without configuring any optional arguments, the default values are used.
  • The default IOS dampening values are 15 750 2000 60.


Config
router bgp 64501 
 bgp dampening 
 neighbor 10.0.0.2 remote-as 64502


Verify
R1# show ip bgp dampening parameters
R1# show ip bgp dampening flap-statistics
R1# debug ip bgp dampening


Default dampening parameters
  • The penalty will be reduced to half after 15 minutes (Half-life time).
  • The routes will not be used when the Suppress penalty 2000 is reached.
  • The dampened route will be reused when the penalty is decoyed into 750 (Reuse penalty).
  • The routes experiencing route flaps should not be suppressed for more than 60 minutes (Max suppress time).

Multipath

  • Unlike most routing protocols, BGP only selects a single best path for each prefix.
  • It doesn’t do ECMP (Equal Cost Multi-Path Routing) by default but it is possible to enable this.
  • In order for BGP to use the second path, the following attributes have to match:
Weight
Local Preference
AS Path (both AS number and AS path length)
Origin code
MED
IGP metric
  • Next hop address for each path must be different.
  • This comes into play when you are multihomed to the same router.
Config
R1(config)#router bgp 1
R1(config-router)#maximum-paths 2

BFD

        This section is under construction.

Route Health Injection

        This section is under construction.

EBGP vs IBGP

EBGP IBGP
Peering is between two different AS Peering is between same AS
Routes learned from eBGP peer will be advertised to other peers(EBGP or IBGP) Routes learned from IBGP peer will not be advertised to other IBGP peers, can be advertised to EBGP peer.
EBGP peers are set with TTL = 1, neighbors are assumed to be directly connected.
Can change this behavior for EBGP by “neighbor x.x.x.x ebgp-multihop <TTL>”.
Multihop is the term used in EBGP only.
For IBGP peers dont need to be directly connected.
Routes have AD of 20 Routes have AD of 200
Next hop is changed on advertised routers Next-hop IP will not be changed when adv prefixes to another IBGP


Config Commands

Configure Weight:

neighbor 1.1.1.1 weight 500

Temporarily disable a neighbor:

neighbor 2.2.2.2 shutdown

Clear BGP Process:

clear ip bgp *

Set MED:

default-metric 200


Monitoring

Command Description
show ip bgp neighbor ip-address Displays detailed neighbor information
show ip bgp Displays all the routes in the BGP table
show ip bgp summary Brief Neighbor Information
show ip bgp ip-prefix [mask subnet-mask] Displays detailed information about all paths for a single prefix
debug ip tcp transactions Displays all TCP transactions
debug ip bgp events Displays significant BGP events
debug ip bgp keepalives Debugs BGP keepalive packets
debug ip bgp updates Displays all incoming or outgoing BGP updates
debug ip bgp updates acl Displays all incoming and sent updates matching an ACL
debug up bgp ip-address update [acl] Displays all BGP updates received from or sent to a specific neighbor


Troubleshooting

  • BGP route not installing, route reasons:
Synchronisation is enabled & route unknown by IGP(run 'no sync' command)
Next Hop inaccessible (for iBGP run 'neighbor 1.1.1.1 next-hop-self' command)
AS path includes the local AS
Rejection by inbound policy
  • Blackhole formed in iGBP if all internal routers not running BGP, Solution:
Redistribute into IGP: Full Routing Table redistribution not possible, Redistribute partial routing table/specific routes.
Add a direct WAN Link between BGP Peers
Run iBGP between Peers
?? Configure Route Reflector
  • If any of the neighbors in below command output shows as in 'Active' state, it means some issue with the neighbor:
show ip bgp summary
  • Use Loopback interface for forming peers in router having multiple links.
When using eBGP, peers will not come up when using loopback as they need to be directly connected and should not have a Hop.
Use ebgp-multihop command to resovle this issue:
    # neighbor 1.1.1.1 ebgp-multihop 2
  • There are 2 ways to advertise networks into BGP:
Network Command
Redistribution
  • When using Network command:

Below command will advertize 50.0.0.0/8 into BGP

network 50.0.0.0

Therefore advertize exact subnet only:

network 50.1.1.0 mask 255.255.255.0
  • If the carot sign '>' is missing, the route is not the best one, so not installed in routing table:
 * valid, > best, i - internal, r RIB-failure

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.1/32      0.0.0.0                  0         32768 i
*>i10.2.2.2/32      172.16.1.2               0    100      0 i



R&S Quick Notes

  • When using Communities, don’t forget “neighbor send-community”
  • Know your attributes and the direction which applied, when to used what.
  • “aggregate address” needs a more specific prefix in the BGP table for aggregate to be advertised.
  • Synchronization issue has 3 solutions, 1- Load BGP on all transit routers, 2- GRE tunnel, 3- Redistribution BGP>IGP.
  • “no bgp nexthop trigger” – Disables next-hop tracking between scanner intervals.
  • “no bgp fast-ext-fallover” – Force the router to wait for the dead-timer to expire, before generating notification messages , when a connected peer goes down.
  • “neighbor fall-over” – Will check neighbor connenctivity between scanner intervals, aka BGP Fast Peering.
  • Only the Holdtime is sent in update-msg. Two neighbors will use the lowest holdtime and then calculate the keepalive from that.
  • Know your Regular Expressions
  • Know the difference between Peer-Groups and Peer-Templates

BGP Notes 2

  • BGP Synchronization rule -IF the AS is acting transient for other AS routes learn through BGP will not be advertized unless the all the routes learn this routes though IGP.
  • If we turned on the synchronisation BGP router will not advertize the route learned from IBGP PEER to EBGP Peer unless that route is learned through IGP.
  • Split horizon rule -Routes larn though IBGp nei will not be advertized to other IBGP nei .
  • BGP path selection criterion
Route is excluded if next hop is unreachable
hightest wieight
high local pref
route if locally orginated
shortest as path len
prefer lowest origin code (IGP<EGP<Unknown)
lowest MED
ebgp over IBGP
between IBGP closed IGP nei
bet EBGP oldest route
lowest Router ID.
  • BGP Message types - Keepalive, notification, open, update.
  • Routes received from a Route-Reflector-client is reflected to other clients and non-client neighbors.So if we have two route reflectors we should also keep in separte clusters ,, to avoide loops .That means that if you have multiple RRs with different cluster ID, optimal path is selected by selecting shorter cluster list. Having multiple RRs in the same cluster creates partial connectivity during failure
  • The first route reflector also set an additonal BGP attribute called originator id and add it to BGP router -id of client.if any router receive the route which contains its own router id will ignore the route
  • Confedrations - Breaking As into smaller As so that they can exchange routing updates using intra confedration EBGp Seesion.

but on the intraconfedration EBGP session parmaters for IBGP are still preserved. (like next hop self, metric, preference)

  • Commands - under BGP process bgp confedration id x.x -Original As
         - BGP confederation peers x.x ,y...- Need to specify the the intra confdration with in AS.
  • MED Vs AS path prepend - MED doesnot goes beyond neibor As while As path prepeend goes beyond that.
  • BGP always compare md - compares MED for a path from neighbors in different AS.
  • BGP Determinsic-Med -comparison of MEd for a path from differnt Peers advertize in same AS.
  • BGP conditional advertizement uses two terms advertize-map and non-exist-map, advertize the prefix in adtervertize map only if there is no route in BGPtable defined in non-exist-map.
  • BGP conditonal Inject and Exist map -BGP conditional Route injection advertize the specific route defined in inject map from the summary route present in exist map .Its reverse of Aggregation .
  • SOO - Site of orgin -is used to prevent routing loops and is used to identify the site from where the route is orginated and does not readvertize same route back to the site .
  • SOO is enabled on PE routers - marked the customer prefixes.
  • BGP communities are used to TAG the routes and they are used to perform policy routing in upstream router. Community attribute consist of four octets. Inorder to send community
  • We need to use send community command under BGP process.
  • BGP community are :
Internet: advertise these routes to all neighbors. 
Local-as: prevent sending routes outside the local As within the confederation. 
No-Advertise: do not advertise this route to any peer, internal or external. 
No-Export: do not advertise this route to external BGP peers. 
  • Local AS command can be used in while migration of As - it will genrate BGP open message which is defined in local AS.
  • nei x.x.x. local 100 no prepend replace as dual-as.( can be used for remote peer to configue whatever AS no has configured at there side ).
  • Peers Group -Peer groups are a way of defining templates/groups with settings for neighbor
  • Relationships - The same policy that goes to 1 neighbor in the peer group must go to all if it case one neighbor has a slightly different config we do not use peer-group for this neighbor the idea being a group with all required bgp settings and then add the neighbors to this group so they inherit the settings.
  • Using BGP peer group one update is sent to peer group instead of individual updates helps in optimisation of updates .Configration makes its simpler.
  • BGP route relector -Eliminates the need of bgp full mesh ,similar to ospf DR ,BDR elecltion, only peering needs to with RR.
  • When RR get the update from its client it sent to other RR and its client .
  • Modify the spilt horizon rule .BGP cluster id is used as loop prevention.
  • Does not modiy the next hope attributes.
  • Route reflectores modify split horizon rule now routes learn through IBGP can be forwarded to other IBGP nei ,route reflectore can do .
  • if the client is having IBGP session with multiple routereflectores so each client will receive two copies of all routes.this can create the routing loops to avoid it each route reflector and its client form cluster which is identifed by cluster id which is unique in AS.
  • whenver particular route is reflected route reflector router id is added to cluster list attirbute and set cluster id number in cluster -list.if for any reason route is reflected back to route reflectore for some reason it will reconganize cluster id includes its own router id . and will not forward it .
  • The BGP Link Bandwidth feature used to enable multipath load balancing for external links with unequal bandwidth capacity. This feature is enabled under an IPv4 or VPNv4 address family sessions by entering the bgp dmzlink-bw command. This feature supports both iBGP, eBGP multipath load balancing, and eiBGP multipath load balancing in Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs). When this feature is enabled, routes learned from directly connected external neighbor are propagated through the internal BGP (iBGP) network with the bandwidth of the source external link.
  • The link bandwidth extended community indicates the preference of an autonomous system exit link in terms of bandwidth. This extended community is applied to external links between directly connected eBGP peers by entering the neighbor dmzlink-bw command. The link bandwidth extended community attribute is propagated to iBGP peers when extended community exchange is enabled with the neighbor send-community command.
  • It should be configured in conjuction with max path command:
bgp dmzlink-bw
neighbor ip-address dmzlink-bw
neighbor ip-address send-community [both | extended | standard
  • Aggreagate with AS set command - normal aggregation with summary command advertise the summary prefix only and suppress all the specific routes, so router which is performing the aggreagation will include its own AS while sending the update.
  • So when Aggreagate with AS set command is used it will include all the AS in updates for summary prefix for those AS route performing the aggregation with AS list, this will prevent routing loop.
  • Attribute map -can be used to modify the community received in aggregation router to none.(command) MAP. When particular is sending the prefix to router performing aggregation with community like no export attached, Aggregate router will inherit the communtiy and can cause issue to aggregate prefix while propagating, To avoid it we can modifiy the community to none using atrribute map command (aggrgate address x.x.x.x .x.x.x as-set summary only attribute map)
  • BGP Backdor link - used to modifiy the AD for external route from 20 to 200 so that IGP learned route can be prefered over EBGP.
  • Command will be added to router which is learning the prefises from two routing ptotocols .
router bgp x.x.x.x
network x.x.x.x mask backdoor

Redistribution from osfp to bgp

  • All redistributed routes into bgp takes ad value of BGP ,inorder redistribute all the ospf routes internal ,external (E1&E2) we need to uses redisrtibute ospf process mathc internal external 1 external 2
  • Redistribution of bgp into Ospf will take metric one ,Reditributio of ospf into BGP take IGP metric
  • Qos -Each router maintain two queue hardware queue works on FIFO and software queues (LLQ,CBWFQ,Flow based WFq) ,service policy applies only on software queue
  • Use the tx-ring-limit command to tune the size of the transmit ring to a non-default value (hardware queue is last stop before the packet is transmitted)

Note: An exception to these guidelines for LLQ is Frame Relay on the Cisco 7200 router and other non-Route/Switch Processor (RSP) platforms. The original implementation of LLQ over Frame Relay on these platforms did not allow the priority classes to exceed the configured rate during periods of non-congestion. Cisco IOS Software Release 12.2 removes this exception and ensures that non-conforming packets are only dropped if there is congestion. In addition, packets smaller than an FRF.12 fragmentation size are no longer sent through the fragmenting process, reducing CPU utilization.

  • It's all based upon whether there is or is not congestion on the link.
  • The priority queue (LLQ) will always be served first, regardless of congestion. It will be both guaranteed bandwidth AND policed if there is congestion. If there is not congestion, you may get more throughput of your priority class traffic.
  • If the class is underutilized then the bandwidth may get used by other classes. Generally speaking this is harder to quantify than you may think. Because in normal classes, the "bandwidth" command is a minimum of what's guaranteed. So you may get MORE in varying amounts just depending on what is in the queue at any point in time of congestion.
  • As mentioned before, policers determine whether each packet conforms or exceeds (or, optionally, violates) to the traffic configured policies and take the prescribed action. The action taken can include dropping or re-marking the packet. Conforming traffic is traffic that falls within the rate configured for the policer. Exceeding traffic is traffic that is above the policer rate but still within the burst parameters specified. Violating traffic is traffic that is above both the configured traffic rate and the burst parameters.
  • An improvement to the single-rate two-color marker/policer algorithm is based on RFC 2697, which details the logic of a single-rate three-color marker.
  • The single-rate three-color marker/policer uses an algorithm with two token buckets. Any unused tokens in the first bucket are placed in a second token bucket to be used as credits later for temporary bursts that might exceed the CIR. The allowance of tokens placed in this second bucket is called the excess burst (Be), and this number of tokens is placed in the bucket when Bc is full. When the Bc is not full, the second bucket contains the unused tokens. The Be is the maximum number of bits that can exceed the burst siz

LAB

BGP Basic Lab

GNS3 File: File:cbt nuggets bgp lab.zip

Objectives

  • Configure iBGP & eBGP
  • Establish Neighbors using Loopback interfaces
  • Using Update-Source command
  • Using eBGP-Multihop command
  • Advertising Networks into BGP
  • Turn off BGP Auto-Summary
  • BGP Synchronization
  • BGP Handling of Next Hop Address

Configurations

R1 Config
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
!
interface Serial1/0
 ip address 10.1.13.1 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.12.1 255.255.255.0
 serial restart-delay 0
!
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 5500
 no synchronization
 bgp log-neighbor-changes
 neighbor IBGP_PEERS peer-group
 neighbor IBGP_PEERS remote-as 5500
 neighbor IBGP_PEERS update-source Loopback1
 neighbor IBGP_PEERS next-hop-self
 neighbor 2.2.2.2 peer-group IBGP_PEERS
 neighbor 3.3.3.3 peer-group IBGP_PEERS
 neighbor 4.4.4.4 remote-as 5500
 neighbor 4.4.4.4 update-source Loopback1
 no auto-summary
!
R2 Config
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
!
!
interface Serial1/0
 ip address 10.1.24.1 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.12.2 255.255.255.0
 serial restart-delay 0
!
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 5500
 no synchronization
 bgp log-neighbor-changes
 neighbor IBGP_PEERS peer-group
 neighbor IBGP_PEERS remote-as 5500
 neighbor IBGP_PEERS update-source Loopback1
 neighbor IBGP_PEERS next-hop-self
 neighbor 1.1.1.1 peer-group IBGP_PEERS
 neighbor 3.3.3.3 peer-group IBGP_PEERS
 neighbor 4.4.4.4 peer-group IBGP_PEERS
 no auto-summary
!
R3 Config
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.255
!
!
interface Serial1/0
 ip address 10.1.13.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.34.1 255.255.255.0
 serial restart-delay 0
!
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 5500
 no synchronization
 bgp log-neighbor-changes
 neighbor IBGP_PEERS peer-group
 neighbor IBGP_PEERS remote-as 5500
 neighbor IBGP_PEERS update-source Loopback1
 neighbor IBGP_PEERS next-hop-self
 neighbor 1.1.1.1 peer-group IBGP_PEERS
 neighbor 2.2.2.2 peer-group IBGP_PEERS
 neighbor 4.4.4.4 peer-group IBGP_PEERS
 no auto-summary
!
R4 Config
!
interface Loopback1
 ip address 4.4.4.4 255.255.255.255
!
!
interface Serial1/0
 ip address 10.1.24.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.34.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 ip address 10.1.45.1 255.255.255.0
 serial restart-delay 0
!
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 5500
 no synchronization
 bgp log-neighbor-changes
 neighbor IBGP_PEERS peer-group
 neighbor IBGP_PEERS remote-as 5500
 neighbor IBGP_PEERS update-source Loopback1
 neighbor IBGP_PEERS next-hop-self
 neighbor 1.1.1.1 peer-group IBGP_PEERS
 neighbor 1.1.1.1 update-source Loopback1
 neighbor 2.2.2.2 peer-group IBGP_PEERS
 neighbor 3.3.3.3 peer-group IBGP_PEERS
 neighbor 5.5.5.5 remote-as 6500
 neighbor 5.5.5.5 ebgp-multihop 2
 neighbor 5.5.5.5 update-source Loopback1
 no auto-summary
!
ip route 5.5.5.5 255.255.255.255 10.1.45.2
!
!
R5 Config
!
interface Loopback0
 ip address 200.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 200.1.2.1 255.255.255.255
!
interface Loopback2
 ip address 200.1.3.1 255.255.255.255
!
interface Loopback3
 ip address 200.1.4.1 255.255.255.255
!
interface Loopback4
 ip address 200.1.5.1 255.255.255.255
!
interface Loopback5
 ip address 200.1.6.1 255.255.255.255
!
interface Loopback6
 ip address 50.1.1.1 255.255.255.0
!
interface Loopback7
 ip address 5.5.5.5 255.255.255.255
!
interface Serial1/2
 ip address 10.1.45.2 255.255.255.0
 serial restart-delay 0
!
!
router bgp 6500
 no synchronization
 bgp log-neighbor-changes
 network 50.1.1.0 mask 255.255.255.0
 redistribute connected route-map FILTER
 neighbor 4.4.4.4 remote-as 5500
 neighbor 4.4.4.4 ebgp-multihop 2
 neighbor 4.4.4.4 update-source Loopback7
 no auto-summary
!
ip route 4.4.4.4 255.255.255.255 10.1.45.1
!
!
!
access-list 50 permit 200.1.1.1
access-list 50 permit 200.1.2.1
access-list 50 permit 200.1.3.1
access-list 50 permit 200.1.4.1
!
route-map FILTER permit 10
 match ip address 50
!

BGP Attributes Lab

GNS3 Project File:CBT Nuggets BGP Attributes Lab.zip

Objectives

Configure below Attributes:

Weight
AS-Path
Next Hop Address
Origin
Local Preference
Metric


Configurations

R1 Config
!
interface Serial1/0
 ip address 10.1.12.1 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.13.1 255.255.255.0
 serial restart-delay 0
!
!
router bgp 5500
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.12.2 remote-as 5500
 neighbor 10.1.13.3 remote-as 5500
 no auto-summary
!


R2 Config
!
interface Serial1/0
 ip address 10.1.12.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.23.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 ip address 10.1.24.2 255.255.255.0
 serial restart-delay 0
!
!
router bgp 5500
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.12.1 remote-as 5500
 neighbor 10.1.12.1 next-hop-self
 neighbor 10.1.23.3 remote-as 5500
 neighbor 10.1.24.4 remote-as 777
 no auto-summary
!
R3 Config
!
interface Serial1/0
 ip address 10.1.23.3 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.13.3 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 ip address 10.1.36.3 255.255.255.0
 serial restart-delay 0
!
router bgp 5500
 no synchronization
 bgp default local-preference 700
 bgp log-neighbor-changes
 neighbor 10.1.13.1 remote-as 5500
 neighbor 10.1.13.1 next-hop-self
 neighbor 10.1.23.2 remote-as 5500
 neighbor 10.1.36.6 remote-as 777
 neighbor 10.1.36.6 route-map LOCAL_PREF in
 default-metric 200
 no auto-summary
!
!
ip access-list standard ROUTES_FOR_R2
 permit 200.0.0.0 0.255.255.255
ip access-list standard ROUTES_FOR_R3
 permit 150.1.50.0 0.0.0.255
 permit 150.2.50.0 0.0.0.255
!
route-map LOCAL_PREF permit 10
 match ip address ROUTES_FOR_R3
 set local-preference 1000
!
route-map LOCAL_PREF permit 20
 match ip address ROUTES_FOR_R2
 set local-preference 10
!
route-map LOCAL_PREF permit 30
!
R4 Config
!
interface Serial1/0
 ip address 10.1.45.4 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 ip address 10.1.24.4 255.255.255.0
 serial restart-delay 0
!
router bgp 777
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.24.2 remote-as 5500
 neighbor 10.1.45.5 remote-as 911
 no auto-summary
!
R5 Config
!
interface Loopback0
 ip address 150.1.50.5 255.255.255.0
!
interface Loopback1
 ip address 150.2.50.5 255.255.255.0
!
!
interface Serial1/0
 ip address 10.1.45.5 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.57.5 255.255.255.0
 serial restart-delay 0
!
!
router bgp 911
 no synchronization
 bgp log-neighbor-changes
 redistribute connected route-map FILTER
 neighbor 10.1.45.4 remote-as 777
 neighbor 10.1.57.7 remote-as 711
 no auto-summary
!
!
access-list 50 permit 150.1.50.0
access-list 50 permit 150.2.50.0
no cdp log mismatch duplex
!
route-map FILTER permit 10
 match ip address 50
!
R6 Config
!
interface Serial1/0
 ip address 10.1.67.6 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 ip address 10.1.36.6 255.255.255.0
 serial restart-delay 0
!
!
router bgp 777
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.36.3 remote-as 5500
 neighbor 10.1.67.7 remote-as 711
 no auto-summary
!
R7 Config
!
interface Ethernet0/0
 ip address 200.50.2.7 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 200.60.2.7 255.255.255.0
 half-duplex
!
!
interface Serial1/0
 ip address 10.1.67.7 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.57.7 255.255.255.0
 serial restart-delay 0
!
!
router bgp 711
 no synchronization
 bgp log-neighbor-changes
 network 200.50.2.0
 network 200.60.2.0
 neighbor 10.1.57.5 remote-as 911
 neighbor 10.1.67.6 remote-as 777
 no auto-summary
!


References

  1. www.accenture.com
  2. www.accenture.com



{{#widget:DISQUS |id=networkm |uniqid=BGP |url=https://aman.awiki.org/wiki/BGP }}