BGP Notes

From Global Knowledge Class

1-Aug-2005

Barry Gursky

 

BGP Route Selection Criteria

  • Inaccessible next hop
  • Synchronized IBGP
  • Weight (highest) – local only – routemap or neighbor set – default is 0
  • Local pref (highest) – local AS advertise to others – IBGP, IEBGP in rec
  • Rtr Originated
  • AS path (shortest)
  • Origin code (lowest (IGP < EGP < incomplete (?)), network command is IGP, redistrib is ?)
  • MED – MultiExit Discriminator (multi link to same AS) (lowest – Cisco default 0 – make sure you set in mixed environment)
  • EBGP paths over IBGP
  • If IBGP, Closest IGP neighbor path (closest based on IGP metric)
  • If EBGP, prefer Oldest (most stable) path
  • Router-ID (lowest BGP Router-ID)
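The selection order above, run as step-by-step elimination over three candidate paths. This is an added example, not from the class notes: Path, select_best and the sample paths are made-up names and constructed values, and MED is compared per neighboring AS (the deterministic-med behaviour described later in these notes).

```python
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete

@dataclass
class Path:
    name: str
    as_path: tuple = ()            # neighbor AS first, originating AS last
    ibgp: bool = False             # learned from an IBGP neighbor
    next_hop_reachable: bool = True
    synchronized: bool = True      # only checked for IBGP paths
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "i"
    med: int = 0
    igp_metric: int = 0            # IGP cost to the BGP next hop
    age_seconds: int = 0
    router_id: str = "0.0.0.0"

def keep_best(paths, key):
    """Keep every path that ties for the lowest key value."""
    best = min(key(p) for p in paths)
    return [p for p in paths if key(p) == best]

def first_as(path):
    return path.as_path[0] if path.as_path else None

def med_step(paths):
    """Lowest MED wins, but only among paths from the same neighboring AS."""
    lowest = {}
    for p in paths:
        lowest[first_as(p)] = min(lowest.get(first_as(p), p.med), p.med)
    return [p for p in paths if p.med == lowest[first_as(p)]]

def igp_or_age_step(paths):
    """After the EBGP-over-IBGP step the survivors are all of one type."""
    if paths[0].ibgp:
        return keep_best(paths, lambda p: p.igp_metric)   # closest IGP neighbor
    return keep_best(paths, lambda p: -p.age_seconds)     # oldest EBGP path

def rid_key(path):
    return tuple(int(octet) for octet in path.router_id.split("."))

STEPS = [
    ("weight", lambda ps: keep_best(ps, lambda p: -p.weight)),
    ("local preference", lambda ps: keep_best(ps, lambda p: -p.local_pref)),
    ("router originated", lambda ps: keep_best(ps, lambda p: not p.locally_originated)),
    ("AS path length", lambda ps: keep_best(ps, lambda p: len(p.as_path))),
    ("origin code", lambda ps: keep_best(ps, lambda p: ORIGIN_RANK[p.origin])),
    ("MED", med_step),
    ("EBGP over IBGP", lambda ps: keep_best(ps, lambda p: p.ibgp)),
    ("IGP metric / oldest path", igp_or_age_step),
    ("router ID", lambda ps: keep_best(ps, rid_key)),
]

def select_best(paths):
    """Return (name of the winning path, step that decided it)."""
    survivors = [p for p in paths
                 if p.next_hop_reachable and (p.synchronized or not p.ibgp)]
    if not survivors:
        return None, "no usable path"
    if len(survivors) == 1:
        return survivors[0].name, "only usable path"
    for step_name, step in STEPS:
        survivors = step(survivors)
        if len(survivors) == 1:
            return survivors[0].name, step_name
    return survivors[0].name, "tie"

# Constructed sample: three paths to the same prefix.
SAMPLE = [
    Path("A", as_path=(100, 300), med=50, router_id="11.1.1.1", age_seconds=900),
    Path("B", as_path=(200, 300), med=10, router_id="12.1.1.1", age_seconds=300),
    Path("C", as_path=(100, 300), med=20, ibgp=True, igp_metric=5,
         router_id="200.200.0.66"),
]

if __name__ == "__main__":
    print(select_best(SAMPLE))
```

Path A is dropped at the MED step by the IBGP path C (same neighboring AS, lower MED), even though C then loses to B at the EBGP-over-IBGP step.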

 

Mandatory Well-Known Attributes

Origin (IGP, EGP, ?-redistributed)

AS-path (sequence of AS numbers)

Next-hop* (IP addr of rte to which rec rtr should forward packets toward dest)

Discretionary Well-Known Attributes

Local pref (used for consistent routing policy within AS)

Atomic aggregate (informs neighbor AS that originating rtr aggregated routes, you are summarizing your own routes)

Optional Attributes (non transitive)

MED (Multi-exit discriminator – discriminate betw multi entry points to single AS)

Optional Attributes (transitive)

Aggregator (specifies IP addr and AS # of rtr that performed route aggregation)

Community (num val attached to routes as they pass a spec point in net)

 

*Next-Hop – set to IP addr of sending EBGP rtr unless in same (broadcast) subnet

 

 

Rtr-A

Router BGP 400

neighbor ip-address description

neighbor ip-address shutdown (temporarily disable BGP neighbor, limit re-neighboring, table reloads, etc…less penalty from neighbor router)

neighbor 11.1.1.1 remote-as 100 (AS# makes it an EBGP neighbor) (used to qualify connection)

neighbor 200.200.0.66 remote-as 400 (AS# makes it an IBGP neighbor)

neighbor 200.200.0.194 update-source Lo0 (do this to make sure src addr matches up with other neighbor statements, likely use loopback addr, make sure internal routes already exist for loopbacks)

neighbor 200.200.0.194 password cisco (md5 hash password)

neighbor 200.20.0.193 remote-as 400 (IBGP)

neighbor 200.200.0.193 update-source Lo0

network 200.200.0.0 mask 255.255.255.192 (moves from routing table into BGP advertising if entries match routing table – make sure in routing table, origin code i (IGP)).

network 200.200.1.0 (uses default (classful) mask) - Remember

no auto-summary (if you don’t own all subnets in particular class subnet)

aggregate-address 200.200.0.0 255.255.254.0 summary-only (creates summary address, summary-only suppresses specific routes, you can summarize anything in your routing table, even if you didn’t connect, network command(s) have to exist for detail under summary)

no synch – turn off after sure that you’ve fully meshed…allows you to use/advertise route even if you don’t know the route via IGP…leave synch on if you re-distribute into IGPs

neighbor shutdown (get syntax right, temporarily shuts down neighbor without deleting commands)

OR (coming from IGP)

redistribute OSPF 1 (puts all OSPF 1 routes into BGP, origin code ?, IGP origin is taken over this one)

aggregate-address 200.200.0.0 255.255.254.0

OR (if you have route to null0)

network 200.200.0.0 mask 255.255.254.0

no auto-summary

 

ip route 200.200.0.0 255.255.254.0 null0 (static route, higher value in routing table)

 

neighbor 172.31.4.3 filter-list 1 out (filter AS (routes) being sent to 172.31.4.3)

ip as-path access-list 1 permit ^$ (empty AS path i.e. Networks originating in local AS)

neighbor 172.31.4.3 filter-list 2 in (filter AS (routes) being received from 172.31.4.3)

ip as-path access-list 2 deny

 

neighbor 11.1.1.1 prefix-list notransit out

ip prefix-list notransit permit 200.200.0.0/23 ge 24

 

Weight

neighbor 11.1.1.1 route-map blahfilter in

 

route-map blahfilter permit 10 (route-maps used for complex filtering or setting attribute)

match ip addr prefix-list defonly

match as-path 10

set weight 100

route-map blahfilter permit 20 (or this)

match ip address prefix-list defonly

set weight 100 (and this)

 

Local Pref

bgp default local-preference 60 (only iBGP rtrs not EBGP, normal default is 100)

 

ip as-path access-list 10 permit _387$

ip prefix-list defonly seq 10 permit 0.0.0.0/0

 

neighbor 1.2.3.4 route-map L2M in

 

route-map L2M permit 10

set local-preference 2000

Prepend

route-map name permit sequence match condition

neighbor address route-map name out

 

MED (Multi-Exit Discriminator)

default-metric number (lower is preferred if from same AS, cisco default is 0, MEDs get passed throughout neighbor AS that you send it to)

route-map MED

set metric 100

neighbor ip-addr route-map name in | out

 

maybe …

bgp always-compare-med (put this everywhere in AS if you use, ignore AS src)

bgp bestpath med missing-as-worst (push to 65336)

bgp deterministic-med (re-sorts routes by AS, and will choose (one of) best sent)

can be set going out, or gets stripped going out.

shows up as metric in ‘show…’ commands

Communities

route-map name

match condition

set community value [value … ] [additive]

neighbor ip-address route-map map in | out

redistribute protocol route-map map

 

router bgp 213

neighbor 1.2.3.4 remote-as 387

neighbor 1.2.3.4 route-map setcomm out

neighbor 1.2.3.4 send-community

 

route-map setcomm permit 10

set community 387:17

 

Don’t forget special communities for how to do distribution within neighbor AS

 

 

neighbor ip-address default-originate Which way is this?

neighbor ip-address remove-private-as

 

maximum-paths number (default, up to 6, …2 or higher, EBGP load balancing, stop processing once you get to EBGP in path selection process (EBGP over IBGP))

 

if peering with loopback of EBGP

neighbor ip-address ebgp-multihop [TTL] (default is 255, but DON’T USE, make sure to set directly, if didn’t set default would be 1, i.e. neighbors must all be directly connected and don’t use loopback)

 

neighbor ip-address local-as private-as (translates to a separate AS, i.e. if you’re waiting for real AS going to a 2nd ISP)

 

 

bgp cluster-id cluster-id

neighbor ip-address route-reflector-client (configs an IBGP neighbor to be a client of this reflector)

 

neighbor group-name peer-group

neighbor ip-address any-BGP-parameter

 

Good enterprise settings to do

Limit # of prefixes received from internet routers (do you really need 160,000, do you have memory or CPU to deal with them, just get default route, and maybe their local stuff from their AS)

 

3 different ways to get routes into IBGP

network

redistribute

route to null0 & redistribute

 

clear ip bgp {* | ip-address | peer-group-name} (hard bounce of neighbor connection – don’t do unless you have to)

neighbor ip-address soft-reconfiguration inbound (stores all routes received from neighbor as extra copy in memory (before any filtering is applied))

clear ip bgp ip-address soft in (resend saved copy of the received routing info through new filters)

clear ip bgp ip-address soft out (sets table version # of neighbor to 0 and when next update interval for neighbor arrives, the local router will ‘discover’ that all routes need to be sent to neighbor because they all have a table version number higher than 0)

clear ip bgp {* | ip-address | peer-group-name} in (sends a route refresh message to neighbors – this requests that all routes be resent – both routers need to support this capability – needs to be negotiated between routers when bgp session is first established)

 

in route-refresh

out – soft out

 

QOS can be based on routes

 

 

Stuck in states

IDLE

- no route – IGP not configured correctly

- TCP SYN answered with RST – far side doesn’t want to do BGP

ACTIVE -> IDLE -> ACTIVE -> IDLE …

- AS number mismatch between BGP neighbors

ACTIVE

3 way TCP port 179 handshake being sent

make sure neighbor statements

- FW blocking TCP port 179

- FW blocking all traffic

- access list blocking

- no return route

OPENSENT -

BGP Open msg being sent (BGP Ver, rtr AS, Holdtime, rtr ID, optional params)

Peer rtr accepts params, replies with Open msg

- has to accept IP # as neighbor, and AS

- no neighbor statement in other router

- update src command missing (i.e. loopbacks not on)

negotiate holdtime vs keepalive timer (keepalive timer = lowest holdtime / 3)

OPENCONFIRM

Rtr receives (2nd TCP connection/Open msg) response from peer

ESTABLISHED – n/a

Rtr accepts params, sends keepalive

Lower rtr ID drops TCP connection

- synchronization not turned off

 

 

Debugging

sh ip bgp

BGP table version is 4, local router ID is 172.216.0.1

Status codes: s suppressed, d damped, h history, * valid, > best, i – internal

Origin codes: i – IGP, e – EGP, ? – incomplete

 

   Network          Next Hop        Metric LocPrf Weight Path
*> 197.1.1.0        0.0.0.0              0         32768 i
*> 200.20.0.0/16    150.1.0.2            0             0 456 20 i
*> 204.56.0.0/16    150.1.0.2            0             0 456 i

 

(no AS path from me (IGP)…)

 

sh ip bgp summary

BGP table version is 8, main routing table version 8

4 network entries (8/12) using 832 bytes of memory

(Best routes/Total routes – this is a typo)

5 BGP path attribute entries using 576 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

2 received paths for inbound soft reconfig

 

Neighbor   V   AS  MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
1.1.0.1    4   213      80      81      8   0    0 01:15:51 2
1.1.0.3    4   387      79      81      0   0    0 00:00:15 Active
1.2.0.1    4   213      82      82      0   0    0 02:15:23 Idle

 

show ip bgp neighbors

show ip bgp <prefix> (prefix is route)

 

 

Security bulletin from Cisco – USE MD5

Security bulletin from Cisco – no BGP log-neighbor-changes (look up on Internet…)

 

 

Uses

Designed for Policy and Scalability

ISP

Dual Homed Internet connection

MPLS

Transit selling our services

 

RFC1721

 

BGP

- only one way to go

- like spanning tree

- no loadshare

- 12 if-then choices

 

BGP is external Gateway Protocol

designed to run between ASes i.e. between companies

 

EIGRP uses AS just to build neighbors

routing updates actually don’t use AS # in EIGRP…

 

BGP AS # part of routing update

If you see ASes in routing update not from your domain drop it

 

1-64511 public assigned by ARIN, RIPE, etc…

64512-65535 private

 

InterNIC – APNIC, RIPE, ARIN, sub-divisions…

 

NAPs – 7

Private peering points…

 

Masks have no class

CIDR/Supernetting

 

 

IBGP – Internal – doesn’t replace IGP – used to share external information internally – running BGP internally between routers to share what’s learned external information internally. Uses Metric to evaluate best path.

EBGP – External

 

 

BGP provides routing table with best external routes

BGP calculates separately, doesn’t respond instantly

 

BGP doesn’t have to be physically connected…

 

ASPath – Looked at as hop counts…1st thing BGP looks at as how to get there…

Origin – 2nd thing BGP looks at as how to get there…

BGP doesn’t always get best path

BGP never knows bandwidth

Policy based routing protocol

Can be over-ridden

 

I-dump-it-on-you policy

push your bandwidth to other carriers…

 

BGP never fully converges

Only cares about itself – internalized per router convergence

 

Use more than default route advertised via BGP if you want to get to other addresses on the internet

Can accept partial updates (for only user networks I’m interested in)

Big providers need to get full updates (larger routers 128M min for 160,000, 256M recommended)

 

RIP spoof source dest

OSPF authentication but must be processed to see if we should pay attention

BGP unicast

 

Routing protocol is an application L7

TCP port 179

reliable / connection-oriented

Security

Ignore anything that’s not from a neighbor

TCP so depends on seq #s and acks

authentication – MD5 –

 

Can also filter what accept and what don’t

 

BGP uses 3 tables

- routing

- topology/BGP/FIB (holds all of table)

- neighbors

 

BGP only sends updates

 

Reliable updates

- use TCP as transport protocol port 179

- no periodic updates

- periodic keepalives to verify TCP connectivity

- Triggered updates are batched and rate limited

- every 5 seconds for internal peer (IBGP)

- every 30 seconds for external peer (EBGP)

 

ISPs cannot have default route…

 

Chap – Est BGP Sessions

 

BGP neighbors are configured manually

 

IBGP and EBGP – same protocol but different policies

EB

 

Neighbor establishment State

IDLE – do I have a route to my neighbor,
ACTIVE – 3way hand-shake (tcp establishing)

OPENSENT

BGP OPEN msg

BGP version

AS # of local rtr

Holdtime

BGP router identifier

Optional parameters

(note no IP addr, look to L3)

OPENCONFIRM

ESTABLISHED

(now we can exchange BGP routes)

 

Use loopback for peering addresses. That way when new neighbor connection is changed you don’t dump the entire address table.

 

sh ip bgp summary

Table Version – what version of my table have I sent them.

- if yours and the one you sent are same, you’re converged…

 

debug ip tcp transactions

debug ip bgp events

 

KEEPALIVE/HOLD 20/60

Note that holdtime is in BGP OPEN msg, agree to lower hold time.

holdtime is agreed to be 3 missed keepalives (i.e. lower holdtime/3)

this only gets done at neighbor establishment

 

Prefix is routing entry i.e. 200.200.1.0/24

 

network entries – routes

path entries – potential routes

 

don’t forget send updates in batches, not instantaneously…

 

MD5 Authentication (Hash)

 

 

Make sure you peer with IBGP neighbors also

Anything you learn from IBGP neighbor can repeat to other IBGP neighbors

Anything learned from EBGP neighbor can repeat to everyone else but one learned from (split horizon)

 

 

well-known attributes must be supported by all routers

 

BGP network command tells what we want to take from routing table and originate in BGP world…classful by nature…if you don’t want, make sure to type mask

 

BGP autosummarizes automatically…summarizes to class…

 

 

next-hop attribute – best path

IBGP – don’t change next hop – to get to next hop

redistribute connected

 

B 1.0.0.0/8 11.1.1.1

recursive route lookup

OSPF 11.1.1.1

OR break rule

B 1.0.0.0/8 200.200.0.192

neighbor 200.200.0.193 next-hop-self

200.

 

local-preference – used for consistent routing policy within AS defaults to 100

gets entire AS to flow to system one way…

 

Atomic aggregate

 

debug ip bgp update (never use in prod rtr (too many updates – will take down router))

sh ip bgp (probably never type in prod router, too many routes)

 

weights

LocPrf

Am I next hop

Shortest Path

 

sh ip bgp 199.220.0.0 (parse table using prefix)

or

sh ip bgp 199.220.0.0 255.255.255.192

 


admin distance 20 ([20/0] in route)

lower is better

EBGP is 20

IGP is 90->170

compare if exactly same

metric 0 ([20/0] in route)

BGP is always 0 because multiple BGP route selection

 

debug ip routing

shows any changes to routing table

 

tables

route table BGP/FIB neighbors

 

debug ip bgp update

 

OK to oversummarize if you own more than 50% of subnet…

 

(EBGP) route dampening – add points and shutdown – 3 times and you’re out ‘till you’re up for a while…

 

Day 2

Transit Network can’t have default routes…creates loops

In EBGP set next-hop to ourselves, if neighbor not in same subnet

in IBGP pass next-hop

 

IBGP sharing border/external routes,

IGP only does internal router

 

BGP core rtr – any router that may be involved in forwarding between routers…

 

BGP split-horizon

EBGP – don’t advertise back to neighbor you learned it from

IBGP – anything you learn via IBGP neighbor, don’t advertise to other EBGP neighbor

 

don’t forget about recursive lookup

BGP route neighbor lookup in

 

Synchronization Rule

  • Anything learned via IBGP cannot use or re-advertise unless you already knew about it in your IGP.
  • SAFETY RULE – Take off carefully
  • no synch – already done in 12.3 (default)

 

Redistribution

Typically not desired. Too much lost in translation.

Recommended to maintain in iBGP and necessary stuff in IGP

 

Always run IBGP sessions between loopback interfaces

 

QUEST: Research next-hop self

 

Edge routers usually use next-hop self

Don’t use if more than 1 hop away…

 

IBGP doesn’t change attributes, EBGP change it

IBGP doesn’t synch, EBGP synchs

MEDs, can’t send local pref

BATCH updates 5 seconds IBGP, 30 seconds EBGP neighbor

EBGP preferred over IBGP in routes

 

CEF (BGP Style)– do recursive lookup before we see data and put in switch cache…

turn CEF on if it’s not on by default (Switches it is, Rtrs it isn’t)

Route once/Switch Many – Cache only holds permitted…

 

route-dampening – point system

 

Never accept routes on your own network (subnets)!

don’t change admin value on IBGP and IBGP

 

 

Filtering techniques get rid of transit network

 

Multihomed Cust Routing Policies

- one provider is primary; the other is backup

- traffic to direct customers of the ISPs goes direct; all other traffic goes through primary provider

- All traffic to a particular part of world goes through one ISP

- Traffic toward a specific destination goes through only one of the ISPs.

 

2 types of route policy – Filtering & Route Selection

uses regular expressions

ip as-path access-list 1 permit 31

implicit deny (at the end of the access path)

 

 

Regular Expressions

| or

[ … ] ranges [1-4] [1234]

. matches any single character

^ matches beginning of string

$ matches end of string

_ matches any delimiter (beginning, end, white space, tab, comma ‘(‘, ‘)’ )

( ) grouping smaller expressions into larger expressions

\ single-character patterns, remove special meaning by preceding each character with a \

* matches 0 or more characters or sets

+ matches 1 or more characters or sets

? matches 0 or 1 character or sets

_23(_79)?_45_

23 followed by 79 0 or 1 times

\1

 

Patterns

_100_ Going through AS 100, i.e. 100 is somewhere in AS list

^100$ Directly connected to AS 100, i.e. only thing in list

_100$ Originated in AS 100, i.e. something with 100 all the way on the right

^100_. Networks behind AS100, i.e. 100 is on the left and there’s something behind it

^[0-9]+$ AS paths one AS long

^([0-9]+)(_\1)*$ Supposed to be prepending performed in neighboring originating AS but doesn’t work

^$ (empty AS path i.e. Networks originating in local AS)

.* matches everything.
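The patterns above, checked against sample AS paths. This is an added example, not from the class notes: Python's re module stands in for the router's regex engine (only the "_" delimiter needs translating), the AS paths are constructed, and ios_to_python, as_path_matches, filter_list and report are made-up names. It also shows why the unanchored pattern in "ip as-path access-list 1 permit 31" matches more than AS 31.

```python
import re

# Cisco's "_" matches any delimiter: start or end of the string, a space,
# a comma, a brace or a parenthesis.
DELIMITER = r"(?:^|$|[ ,{}()])"


def ios_to_python(pattern):
    """Translate an IOS AS-path regex to Python syntax (only "_" differs).

    Assumes "_" is never used inside a [...] character class.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])      # keep escapes such as \1 intact
            i += 2
            continue
        out.append(DELIMITER if pattern[i] == "_" else pattern[i])
        i += 1
    return "".join(out)


def as_path_matches(pattern, as_path):
    """True if the pattern matches anywhere in the AS path string."""
    return re.search(ios_to_python(pattern), as_path) is not None


def filter_list(entries, as_path):
    """First matching entry decides; no match falls to the implicit deny."""
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


# The two as-path access lists that appear in these notes.
LIST_1 = [("permit", "^$")]                       # locally originated only
LIST_2 = [("permit", "_100_"), ("deny", ".*")]    # only paths through AS 100

# Constructed AS paths, written the way "show ip bgp" prints them
# ("" is a locally originated route with an empty AS path).
SAMPLE_PATHS = ["", "100", "100 200", "200 100 300", "300 100",
                "1100 200", "31", "131 5"]


def report(patterns, paths=SAMPLE_PATHS):
    """Map each pattern to the sample paths it matches."""
    return {pat: [p for p in paths if as_path_matches(pat, p)]
            for pat in patterns}


if __name__ == "__main__":
    for pat, hits in report(["_100_", "^100$", "_100$", "^100_.",
                             "^[0-9]+$", "^$", "31", "_31_"]).items():
        print(f"{pat:10} {hits}")
```

The unanchored "31" also matches the path "131 5", while "_31_" matches only AS 31 itself.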

 

 

show ip as-path-access-list [filter-list]

show ip bgp filter-list access-list-number

show ip bgp regexp regular-expression

 

Confederations

IEBGP – intra-confederation BGP

( internal – confederation lists )

(65001 65002) – gets replaced with real AS on way out to eBGP

no router bgp as-number

router bgp member-as-number

bgp confederation identifier external-as-number

bgp confederation peers list-of-intra-confederation-as

 

show ip bgp neighbor { prefix }

show ip bgp prefix

as-set at end of path

{400,190,8224} these are some of the ASes that were summarized…

 

Influence return path

MEDS

Prepend multiple of same AS path (400 400 400 400)

 

PRACTICE show regular expressions and ASes et al.

 

QUESTION: WHY NOT SEPARATE ROUTERS

Lose IGP parameters

 

 

named access lists can be have numbered lists

 

distribute list

access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255

anything network 10.x.x.x subnet 255.x.x.x

 

ip prefix-list list-name

neighbor 11.1.1.1 prefix-list notransit out

ip prefix-list notransit permit 200.200.0.0/23 ge 24

 

IOS – t train becomes next major revision production…

 

Clear IP BGP tears down list and rebuilds it…

 

 

 

QUESTION: Can we use prefix lists with other things than BGP filter lists?

minimally to OSPF, but basically no.

 

prefix list is newer version of distribute list – both supported

standard – filter 1918 addresses in from external neighbor
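How the ge / le prefix-list entries in these notes match, including an inbound list of the kind described here (RFC 1918 space and your own block denied, default route accepted). This is an added example, not from the class notes: parse_entry, prefix_list and the INBOUND list are made up for illustration, and the received routes are constructed.

```python
import ipaddress


def parse_entry(text):
    """Parse 'permit|deny A.B.C.D/len [ge N] [le N]' into a match rule."""
    tokens = text.split()
    action, network = tokens[0], ipaddress.ip_network(tokens[1])
    options = dict(zip(tokens[2::2], (int(t) for t in tokens[3::2])))
    if options:
        shortest = options.get("ge", network.prefixlen)
        longest = options.get("le", 32)
    else:
        shortest = longest = network.prefixlen    # no ge/le: exact length only
    return action, network, shortest, longest


def prefix_list(entries, route):
    """Action of the first entry that matches the route, else implicit deny."""
    candidate = ipaddress.ip_network(route)
    for action, network, shortest, longest in map(parse_entry, entries):
        if (shortest <= candidate.prefixlen <= longest
                and candidate.subnet_of(network)):
            return action
    return "deny"


# Lists taken from the notes.
NOTRANSIT = ["permit 200.200.0.0/23 ge 24"]
DEFONLY = ["permit 0.0.0.0/0"]
NET1 = ["permit 1.0.0.0/8", "deny 0.0.0.0/0 le 32"]

# Hypothetical inbound list for an external neighbor, assuming the local
# block is 200.200.0.0/23 as in the notes' examples.
INBOUND = [
    "deny 10.0.0.0/8 le 32",        # RFC 1918
    "deny 172.16.0.0/12 le 32",     # RFC 1918
    "deny 192.168.0.0/16 le 32",    # RFC 1918
    "deny 200.200.0.0/23 le 32",    # never accept your own networks
    "permit 0.0.0.0/0",             # default route only
]


def audit(entries, routes):
    """Map each received route to the action the list gives it."""
    return {route: prefix_list(entries, route) for route in routes}


if __name__ == "__main__":
    # Constructed routes; note the /23 itself is NOT matched by "ge 24".
    print(audit(NOTRANSIT, ["200.200.0.0/23", "200.200.0.0/24",
                            "200.200.1.128/25", "200.201.0.0/24"]))
    print(audit(INBOUND, ["0.0.0.0/0", "10.1.0.0/16", "192.168.5.0/24",
                          "200.200.1.0/24", "198.51.100.0/24"]))
```

"200.200.0.0/23 ge 24" permits the /24 through /32 routes inside the block but not the /23 itself, and "0.0.0.0/0" without le matches only the default route.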

 

 

Filters

AS-Path Filters

ip as-path access-list 1 permit ^$

Prefix filters (IP Addresses)

neighbor 11.1.1.1 prefix-list notransit out

ip prefix-list notransit permit 200.200.0.0/23 ge 24

ORF – O Route Filter

route-maps – combine as-path filter and prefix filters OR BGP attributes

 

route-map policy permit 10

match ip address 1 2 (on same line 1 OR 2)

match origin IGP

set local-pref 200

 

route-map policy permit (default is 10 so add to 10)

match ip address prefix-list net 3 (multi lines in a row are ANDed)

match ip address prefix-list net 4

 

route-map policy permit 200 (no match condition means any)

 

access-list 1 permit 10.1.0.0

access-list 2 permit 10.2.0.0

ip prefix-list net 3 permit 10.3.0.0/16

 

neighbor 11.1.1.1 route-map newpolicy out

 

ip prefix-list net1 permit 1.0.0.0/8

ip prefix-list net1 deny 0.0.0.0/0 le 32

ip as-path access-list 2 permit _100_

ip as-path access-list 2 deny .*

 

route-map newpolicy deny 10

match ip address prefix-list net1

match as-path 2

 

route-map newpolicy deny 20

match ip address prefix-list rfe1928

 

route-map newpolicy permit 30

match as-path 1

set metric 100 (MED)

 

(route-map clause / matched list entry / result)

permit permit permit

deny permit deny

permit deny no match

deny deny no match

 

Log statement on end of access list bypasses caching

 

Soft Outbound Reconfiguration

Soft inbound – stores dupl copy of entire table and filters off of that – bad idea, memory intensive

Soft In

Route Refresh – Please resend routes without tearing down neighbor connection

In

 

 

PBR – Policy Based Routing

 

Question: i in begin of ‘sh ip bgp’?

internal

Question: loopback not in external links?

igp focused…

 

If you have a direct connection between IBGP routers use serial connections IP addresses for neighbor commands,

If you don’t have a direct connection, either re-distribute routes into IGP or don’t run

IBGP between internal routers.

 

 

 

 


Tag on routes

32 bit field number

 

make high order 16 bits of 32 bits into AS

1732:256 – (AS:Tag or high16bits:low16bits)

 

by default BGP drops tags but can be configured.

 

Tag numbers pre-defined by standards

- no-advertise: do not advertise routes to any peer

- local-as: do not advertise routes to any EBGP peers

- no-export : do not advertise routes to real EBGP peers (i.e. confederations)

- Internet: advertise route to Internet community

 

Apply tag to route directly

 

Rtrs

 

default route will be tagged no-export (so won’t forward default route through us)

 

routemaps can reference tags

 

Originated redistributed IGP routes into iBGP get max weight (32768)

 

 

Influence inbound from internet

MEDs

community with ISPs setting local preference on their side

AS-PATH prepend

 

default max IGP paths

maximum-paths number (default, up to 6, …2 or higher, EBGP load balancing, stop processing once you get to EBGP in path selection process (EBGP over IBGP))

 

(N x (N-1))/2 number of BGP neighbor links

 

 

 

Route Reflectors

Modifies split horizon – Reflector can repeat routes to clients and other route-reflectors

cut down on duplicate replications across same physical wire.

Route Reflector –

Client

Cluster – relationship of clients to route reflector

Cluster ID

non client

bgp cluster-id cluster-id

neighbor ip-address route-reflector-client (configs an IBGP neighbor to be a client of this reflector)

don’t route-reflect to redundant route reflectors

show ip bgp neighbors

show ip bgp ipnetwork

 

 

when reflector receives route directly, route reflectors mesh with other route reflectors and non clients not in another cluster

when reflector doesn’t receive route directly non-reflector only allowed to reflect to clients

 

 

 

QUESTION: Why does PxR4 have BGP going on? Because it’s

Look up next-hop self

 

 

 

Improving BGP performance

Ref manual

Queuing to TCP peer connections

Deploying BGP peer groups

Enabling path MTU feature (RFC 1911 – TCP feature)

Increasing interface input queues

Configure a smaller interval for the BGP scanner process (scan time) – not a great idea for internet (160,000 routes)

configuring a smaller advertisement interval between BGP neighbors – again not a great idea for Internet, also may push flapping routes

ip tcp path-mtu-discovery [age-timer {minutes | infinite}]

show ip bgp neighbors | include max data

 

hold-queue length in

default size is 75 packets

look at

example show interfaces hssi 0/0/0 to confirm

 

neighbor {ip-address | peer-group-name} advertisement-interval seconds

show ip bgp neighbors ip-addr includes batch advertisement minimum time between advertisement runs is 30 seconds

 

neighbor ip-address maximum-prefix maximum [threshold] [warning-only] [restart restart-interval] (if you don’t set a restart-interval you have to reset neighbor connection (clear…))

show ip bgp neighbors ip-addr (shows max AS thresholds)

 

route reflectors – Peer Groups

CPU only has to build one update per peer group, not neighbor

IBGP EBGP can’t be combined

neighbor group-name peer-group

neighbor ip-address any-BGP-parameter

individual settings override peer group settings

neighbor Customers peer-group

neighbor Customers route-map Cust_IN in

neighbor Customers route-map Cu

show ip bgp peer-group [peer-

 

BGP route dampening

RFC2439

1000 points per flap, by default > 2000 points will cut out routes associated…

half life

once over high-water mark, have to get under 750 (default)

max penalty 1 hour (12000 points)

probably wouldn’t use in enterprise…

if after you go below 750 until you hit 375, then clear slate…
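The penalty arithmetic above, run minute by minute. This is an added example, not from the class notes: simulate and max_penalty are made-up names and the flap times are constructed. The 15-minute half-life is an assumption, since the notes give no value; it is the half-life at which a 750 reuse limit and a 1-hour maximum give the 12000-point ceiling.

```python
def max_penalty(reuse=750, max_suppress_minutes=60, half_life=15):
    """Ceiling on the penalty: what decays to the reuse limit in max-suppress time."""
    return reuse * 2 ** (max_suppress_minutes / half_life)


def simulate(flap_minutes, end_minute, half_life=15, per_flap=1000,
             suppress=2000, reuse=750, max_suppress_minutes=60):
    """Return the list of (minute, event) state changes for one route."""
    ceiling = max_penalty(reuse, max_suppress_minutes, half_life)
    decay = 0.5 ** (1 / half_life)          # per-minute decay factor
    penalty, suppressed, events = 0.0, False, []
    for minute in range(end_minute + 1):
        penalty *= decay
        penalty = min(penalty + per_flap * flap_minutes.count(minute), ceiling)
        if not suppressed and penalty > suppress:
            suppressed = True
            events.append((minute, "suppressed"))
        elif suppressed and penalty < reuse:
            suppressed = False
            events.append((minute, "reused"))
        if 0 < penalty < reuse / 2:         # below half the reuse limit: clear slate
            penalty = 0.0
            events.append((minute, "cleared"))
    return events


if __name__ == "__main__":
    # Constructed flap history: three flaps five minutes apart.
    print(simulate([0, 5, 10], end_minute=60))
    # A single flap never reaches the suppress limit.
    print(simulate([0], end_minute=60))
```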

 

 

 

flap is a route flap

 

 

Example Config

router bgp 65004

no synchronization

bgp cluster-id 143

bgp log-neighbor-changes

network 10.4.0.0 mask 255.255.255.0

network 10.4.1.0 mask 255.255.255.0

network 10.4.2.0 mask 255.255.255.0

network 10.4.3.0 mask 255.255.255.0

aggregate-address 10.4.0.0 255.255.0.0 summary-only

neighbor 10.4.100.101 remote-as 65004

neighbor 10.4.100.101 update-source Loopback0

neighbor 10.4.100.101 route-reflector-client

neighbor 10.4.100.104 remote-as 65004

neighbor 10.4.100.104 update-source Loopback0

neighbor 10.4.100.104 route-reflector-client

neighbor 10.254.0.2 remote-as 64999

no auto-summary

 

 

4

router bgp 65004

no synchronization

bgp log-neighbor-changes

neighbor 10.4.100.103 remote-as 65004

neighbor 10.4.100.103 update-source Loopback0

no auto-summary

 

 

 

router advertising loopback1

PREPEND to see extra ASes

when you send out loopback prepend AS number during redistribution

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname P4R4

!

!

ip subnet-zero

ip tcp synwait-time 5

no ip domain-lookup

!

!

!

!

interface Loopback0

ip address 10.4.100.104 255.255.255.255

!

interface Loopback1

ip address 10.44.144.1 255.255.255.0

!

interface Ethernet0

ip address 10.4.2.4 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Serial0

ip address 10.4.3.4 255.255.255.0

no ip route-cache

no ip mroute-cache

no fair-queue

!

interface Serial1

no ip address

no ip route-cache

no ip mroute-cache

shutdown

!

router rip

version 2

network 10.0.0.0

!

router bgp 65044

no synchronization

bgp log-neighbor-changes

network 10.44.144.0 mask 255.255.255.0

neighbor 10.4.100.101 remote-as 65004

neighbor 10.4.100.101 ebgp-multihop 5

neighbor 10.4.100.101 update-source Loopback0

neighbor 10.4.100.103 remote-as 65004

neighbor 10.4.100.103 ebgp-multihop 5

neighbor 10.4.100.103 update-source Loopback0

no auto-summary

!

ip classless

ip http server

!

!

!

line con 0

exec-timeout 60 0

privilege level 15

logging synchronous

line aux 0

transport input all

line vty 0 4

privilege level 15

no login

!

end

 

P4R4#