BSCI Module 6 BGP. Configuring Basic BGP. BSCI Module 6

Transcription

1 Configuring Basic BGP BSCI Module 6 BSCI Module Cisco Systems, Inc. All rights reserved. Cisco Public 1 BSCI Module 6 BGP An AS is a collection of networks under a single technical administration. IGPs operate within an AS. BGP is used between autonomous systems. Exchange of loop-free routing information is guaranteed. 2

2 BSCI Module 6 BGP An AS is a group of routers that share similar routing policies and operate within a single administrative domain. An AS can be a collection of routers running a single IGP, or it can be a collection of routers running different protocols all belonging to one organization. In either case, the outside world views the entire Autonomous System as a single entity. 3 BSCI Module 6 BGP Internet Assigned Numbers Authority (IANA) is enforcing a policy whereby organizations that connect to a single provider and share the provider's routing policies use an AS number from the private pool, to These private AS numbers appear only within the provider's network and are replaced by the provider's registered number upon exiting the network. 4

3 Using BGP to Connect to the Internet 5 Single-Homed AS When an AS has only 1 exit point to outside Often referred to as stub networks, or stubs Can rely on a default route for all traffic to nonlocal networks Methods to advertise the network ISP has a static entry and advertises it to Internet IGP Both the provider and the customer use an IGP to share information regarding the customer's networks EGP, such as BGP. But it s not normally needed in this situation ip route

4 Multi-homed Autonomous Systems Same ISP An AS is a multi-homed system if it has more than one exit point to outside networks Provides for redundancy An AS connected to the Internet can be multi-homed to: A single provider (AS) Multiple providers (ASs) 7 Example: Default Routes from All Providers 8

5 Default Routes from All Providers and Partial Table 9 Multi-homed Non-transit Autonomous Systems Multi-homed non-transit ASs Don t allow transit traffic to pass through it Don t really need to run BGP4 with their providers, although it is recommended, and often required by ISPs BGP4 offers increased control of route propagation and filtering X 10

6 Multi-homed Transit Autonomous Systems A multi-homed transit system Has more than one connection to the outside world Can be used for transit traffic by other ASs Can run BGP inside an AS IBGP Transit traffic any traffic originating from outside sources bound for outside destinations EBGP External BGP: BGP between ASs 11 When not to use BGP Do not use BGP if : There s a single connection to Internet or another AS No concern for routing policy or routing selection A limited understanding of route filtering and BGP path selection process A lack of memory or processing power on your routers to handle constant BGP updates Low BW between AS s Use BGP if : There are different policy requirements than the ISP The AS has multiple connections to other AS s and they are active 12

7 BGP Basics Functions: Exchange routing information between AS Guarantee the selection of a loop free path Supports CIDR and route aggregation BGP makes routing decisions based on network policies BGP constructs a graph of ASs based on the information between BGP neighbors BGP sees only a tree of autonomous systems PATH Connection between any two systems AS_PATH Sequence of AS numbers that forms a route 13 BGP Operation BGP updates use TCP on port 179 IP connectivity must exist between BGP peers TCP connections must be negotiated between them before updates can be exchanged When 2 routers establish a TCP-enabled BGP connection between each other They are called neighbors or peers First, they exchange their entire BGP routing tables After that, they exchange incremental, partial updates with only the information that has changed They contain route prefix, AS path, path attributes, withdrawn routes Each router running BGP is called a BGP speaker 14

8 BGP Terms 15 BGP Databases Neighbor table List of BGP neighbors BGP table (forwarding database) List of all networks learned from each neighbor Can contain multiple paths to destination networks Contains BGP attributes for each path IP routing table List of best paths to destination networks 16

9 BGP Message Types BGP defines the following message types: Open Includes holdtime and BGP router ID Keepalive Update Information for one path only (could be to multiple networks) Includes path attributes and networks Notification When error is detected BGP connection is closed after being sent 17 Peers = Neighbors A BGP peer, also known as a BGP neighbor, is a specific term that is used for BGP speakers that have established a neighbor relationship. Any two routers that have formed a TCP connection to exchange BGP routing information are called BGP peers or BGP neighbors. 18

10 External BGP When BGP is running between neighbors that belong to different autonomous systems, it is called EBGP. EBGP neighbors, by default, need to be directly connected. 19 Internal BGP When BGP is running between neighbors within the same AS, it is called IBGP. The neighbors do not have to be directly connected. 20

11 BGP Commands 21 BGP Commands Router(config)# router bgp autonomous-system This command just enters router configuration mode; subcommands must be entered in order to activate BGP. Only one instance of BGP can be configured on the router at a single time. The autonomous system number identifies the autonomous system to which the router belongs. The autonomous system number in this command is compared to the autonomous system numbers listed in neighbor statements to determine if the neighbor is an internal or external neighbor. 22

12 BGP neighbor remote-as Command Router(config-router)# neighbor {ip-address peer-group-name} remote-as autonomous-system The neighbor command activates a BGP session with this neighbor. The IP address that is specified is the destination address of BGP packets going to this neighbor. This router must have an IP path to reach this neighbor before it can set up a BGP relationship. The remote-as shows what AS this neighbor is in. This AS number is used to determine if the neighbor is internal or external. This command is used for both external and internal neighbors. 23 BGP neighbor shutdown Command Router(config-router)# neighbor {ip-address peer-group-name} shutdown Administratively brings down a BGP neighbor Used for maintenance and policy changes to prevent route flapping Router(config-router)# no neighbor {ip-address peer-group-name} shutdown Re-enables a BGP neighbor that has been administratively shut down 24

13 Example: BGP neighbor Command 25 BGP neighbor update-source Command Router(config-router)# neighbor {ip-address peer-group-name} update-source interface-type interface-number This command allows the BGP process to use the IP address of a specified interface as the source IP address of all BGP updates to that neighbor. A loopback interface is usually used, because it will be available as long as the router is operational. The IP address used in the neighbor command on the other router will be the destination IP address of all BGP updates and should be the loopback interface of this router. The neighbor update-source command is normally used only with IBGP neighbors. The address of an EBGP neighbor must be directly connected by default; the loopback of an EBGP neighbor is not directly connected. 26

14 Example: BGP Using Loopback Addresses Without the update-source loopback 0 command, BGP routers can use only the closest IP interface to the peer 27 IBGP and EBGP EBGP RTA(config)#router bgp 100 RTA(config-router)#neighbor remote-as 200 RTB(config)#router bgp 200 RTB(config-router)#neighbor remote-as 100 IBGP RTB(config)#router bgp 200 RTB(config-router)#neighbor remote-as 200 RTB(config-router)#neighbor update-source loopback 0 RTC(config)#router bgp 200 RTC(config-router)#neighbor remote-as 200 RTC(config-router)#neighbor update-source loopback 0 28

15 BGP neighbor ebgp-multihop Command Router(config-router)# neighbor {ip-address peer-group-name} ebgp-multihop [ttl] This command increases the default of one hop for EBGP peers. It allows routes to the EBGP loopback address (which will have a hop count greater than 1). The neighbor ebgp multihop Command Parameters ip-address is the IP address of the BGP-speaking neighbor. peer-group-name is the Name of a BGP peer group. ttl (Optional) TTL in the range from 1 to 255 hops 29 Example: ebgp-multihop Command 30

16 EBGP multihop EBGP neighbors must be directly connected to establish an EBGP session EBGP multihop Cisco IOS option It allows RTW and RTU to be logically connected in an EBGP session, although RTV does not support BGP It is configured on each peer: R(config-router)#neighbor IP-address ebgp-multihop [hops] RTW(config)#router bgp 200 RTW(config-router)#neighbor remote-as 300 RTW(config-router)#neighbor ebgp-multihop 2 RTU(config)#router bgp 300 RTU(config-router)#neighbor remote-as 200 RTU(config-router)#neighbor ebgp-multihop 2 31 BGP network Command To begin configuring a BGP process: Router(config)#router bgp AS-number IOS permits only 1 BGP process to run at a time a router cannot belong to more than one AS Router(config-router)#network network-number [mask network-mask] network command IGPs determine the interfaces on which to send and receive updates, and which directly connected networks to advertise BGP it does not affect what interfaces BGP runs on. It tells the BGP process what locally learned networks to advertise Configuring just a network statement will not establish a BGP neighbor relationship These networks must also exist in the local router s routing table or they will not be sent out in updates 32

17 Verifying BGP Configuration If the router has not installed the BGP routes, you can use the show ip bgp command to verify that BGP has learned these routes If an expected BGP route does not appear in the BGP table, you can use the show ip bgp neighbors command to verify that your router has established a BGP connection with its neighbors 33 Example: BGP Peering RouterA# show ip bgp summary BGP router identifier , local AS number BGP table version is 124, main routing table version network entries using 1053 bytes of memory 22 path entries using 1144 bytes of memory 12/5 BGP path/bestpath attribute entries using 1488 bytes of memory 6 BGP AS-PATH entries using 144 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory BGP using 3829 total bytes of memory BGP activity 58/49 prefixes, 72/50 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd :02: :01: :01:

18 BGP Peering BGP does not advertise routes learned via IBGP peers to other IBGP peers If they did, BGP routing inside the AS would present a dangerous potential for routing loops For IBGP routers to learn about all BGP routes inside the AS, they must connect to every other IBGP router in a logical full IBGP mesh Possible even if the routers aren t directly connected IBGP peers can connect to each other using TCP/IP 35 BGP States 36

19 BGP Message Types 4 BGP message types: Type 1: OPEN Used to establish connections with peers Includes fields for the BGP version, AS number, hold time, router ID Type 2: UPDATE Contains all the information that BGP uses to construct a loopfree picture of the internetwork Type 3: NOTIFICATION Used to inform the receiving router of errors Includes a field for error codes Type 4: KEEPALIVE Sent periodically between peers to maintain connections 37 BGP Finite State Machine BGP FSM includes six states: Idle Connect Active OpenSent Open Confirm Established 38

20 BGP States When establishing a BGP session, BGP goes through the following steps: Idle: Router is searching routing table to see if a route exists to reach the neighbor. Connect: Router found a route to the neighbor and has completed the three-way TCP handshake. Open sent: Open message sent, with the parameters for the BGP session. Open confirm: Router received agreement on the parameters for establishing session. Alternatively, router goes into Active state if no response to open message Established: Peering is established; routing begins. 39 BGP Established and Idle States Idle: The router in this state cannot find the address of the neighbor in the routing table. Check for an IGP problem. Is the neighbor announcing the route? Established: The established state is the proper state for BGP operations. In the show ip bgp summary command, if the state column has a number, then the route is in the established state. The number is how many routes have been learned from this neighbor. 40

21 Example: show ip bgp neighbors Command RouterA#sh ip bgp neighbors BGP neighbor is , remote AS 64998, external link BGP version 4, remote router ID BGP state = Established, up for 00:19:10 Last read 00:00:10, last write 00:00:10, hold time is 180, keepalive interval is 60 seconds Neighbor capabilities: Route refresh: advertised and received(old & new) Address family IPv4 Unicast: advertised and received Message statistics: InQ depth is 0 OutQ depth is 0 Sent Rcvd Opens: 7 7 Notifications: 0 0 Updates: <output omitted> 41 BGP Active State Troubleshooting Active: The router has sent out an open packet and is waiting for a response. The state may cycle between active and idle. The neighbor may not know how to get back to this router because of the following reasons: 1. Neighbor does not have a route to the source IP address of the BGP open packet generated by this router 2. Neighbor peering with the wrong address 3. Neighbor does not have a neighbor statement for this router 4. AS number misconfiguration 42

22 Example: BGP Active State Troubleshooting AS number misconfiguration: At the router with the wrong remote-as number: %BGP-3-NOTIFICATION: sent to neighbor /2 (peer in wrong AS) 2 bytes FDE6 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 FDE6 00B4 AC1F At the remote router: %BGP-3-NOTIFICATION: received from neighbor /2 (peer in wrong AS) 2 bytes FDE6 43 BGP Update Message The UPDATE messages contain all the information BGP uses to construct a loop-free picture of the internetwork Update messages advertises feasible routes, withdrawn routes, or both. The three basic components of an UPDATE message are: Network-Layer Reachability Information (NLRI) Path Attributes Withdrawn Routes 44

23 BGP Update Message Network-Layer Reachability Information (NLRI) One or more (Length, Prefix) tuples that advertise IP address prefixes and their lengths /19 Length = /19 Prefix = Path Attributes Provides the information that allows BGP to choose a shortest path, detect routing loops, and determine routing policy Withdrawn Routes Tuples describing destination that have become unreachable and are being withdrawn from service 45 Path Attributes Each route has its own set of defined attributes Path information, route preference, next-hop Administrators use them to enforce routing policy Filter routing information, prefer certain paths Every UPDATE message has a variable-length sequence of path attributes in the form <attribute type, attribute length, attribute value> Types of path attributes: Well-known mandatory Well-known discretionary Optional transitive Optional non-transitive 46

24 Path Attributes Well-known mandatory Attribute that must exist in the BGP UPDATE packet It must be recognized by all BGP implementations If a well-known attribute is missing, a notification error will be generated Example: AS_PATH attribute Well-known discretionary Attribute recognized by all BGP implementations May or may not be sent in the BGP UPDATE Example: LOCAL_PREF 47 Path Attributes Optional transitive Attribute that may or may not be recognized by all BGP implementations BGP should accept and advertise the attribute even if it isn t recognized Example: COMMUNITY Optional non-transitive An attribute that may or may not be recognized by all BGP implementations. Whether or not the receiving BGP router recognizes the attribute, it is non-transitive, and should not be passed along to other BGP peers Example: MULTI_EXIT_DISC 48

25 Path Attributes 49 BGP Attributes NEXT_HOP AS_PATH ATOMIC_AGGREGATE AGGREGATOR LOCAL_PREF Weight MULTI_EXIT_DISC (MED) ORIGIN COMMUNITY 50

26 NEXT_HOP Well-known mandatory attribute For EBGP sessions IP address of the neighbor that announced the route For IBGP sessions For routes originated inside the AS IP address of the neighbor that announced the route For routes injected into the AS via EBGP The next hop learned from EBGP is carried unaltered into IBGP The next hop is the IP address of the EBGP neighbor from which the route was learned When the route is advertised on a multiaccess medium, the next hop is usually the IP address of the interface of the router 51 NEXT_HOP on multiaccess media BGP speakers should always advertise the actual source of the route if the source is on the same multiaccess link as the speaker For example: RTA, RTB, and RTC share a common multi-access media. RTA and RTC are running EBGP; RTC and RTB are running OSPF RTC has learned /24 from RTB via OSPF and advertises it to RTA via EBGP Because RTA and RTB are running different protocols, it would seem logical that RTA would consider RTC ( ) as its next hop to reach /24, but this is incorrect. The correct behavior is for RTA to consider RTB ( ) as the next hop because RTB shares the same media with RTC 52

27 NEXT_HOP - NBMA RTA gets a BGP routing update about /24 from RTC and would try to use RTB ( ) as the next hop Routing will fail: no virtual circuit exists between RTA and RTB Cisco IOS solution: next-hop-self keyword It forces the router (RTC) to advertise /24 with itself as the next hop ( ) RTA would then direct its traffic to RTC to reach destination /24 R(config-router)#neighbor IP-address next-hop-self So: RTC(config-router)#neighbor next-hop-self /24 AS 300 RouterA / /30 AS 200 AS 400 RouterB /8 RouterC /8 RouterC#show ip bgp BGP table version is 8, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> i *> i *> i 54

28 AS_PATH Well-known mandatory attribute Sequence of AS numbers a route has traversed to reach a destination The AS that originates the route adds its own AS number when sending the route to its external BGP peers Thereafter, each AS that receives the route and passes it on to other BGP peers will prepend its own AS number Prepending add the AS to the beginning of the list AS_SEQUENCE AS_PATH list where the AS numbers are ordered sequentially EBGP BGP speakers prepend their AS numbers when advertising routing updates to other AS IBGP When the route is passed to a BGP speaker within the same AS, the AS_PATH information is left intact 55 AS_PATH BGP uses the AS_PATH attribute to ensure a loop-free topology In comparing different routes, given that all other attributes are identical, a shorter path is always preferred Each route that gets passed between BGP peers will carry a list of all AS numbers that the route has already been through If the route is advertised to the AS that originated it, that AS will see itself as part of the AS_PATH attribute list and will not accept the route 56

29 AS_PATH private AS numbers Private AS numbers cannot be leaked to the Internet because they are not unique Cisco uses remove-private-as, to strip private AS numbers out of the AS_PATH list before the routes get propagated to the Internet RTB(config)#router bgp 1 RTB(config-router)#neighbor remote-as RTB(config-router)#neighbor remote-as 7 RTB(config-router)#neighbor remove-private-as 57 ATOMIC_AGGREGATE Well-know discretionary attribute Set to either True or False If True, Alerts BGP routers that multiple destinations have been grouped into a single update The BGP router that sent the update had a more specific route to the destination, but did not send it. It warns receiving routers that the information is not necessarily the most complete route information available This attribute uses the aggregate-address command Router(config-router)#aggregate-address address mask [asset][summary-only] [suppress-map map-name][advertisemap map-name] [attribute-map map-name] An aggregate is created only if a more-specific route to the aggregate exists in the BGP table 58

30 Example: Aggregating Local Routes / / / / /22 (Aggregate) / /24 RTA RTB / /24 RTB router bgp 2 neighbor remote-as 1 network mask network mask {/24} network mask {/24} network mask {/24} aggregate-address AS 1 AS 2 By configuring all of them the aggregate will be sent in case one of the networks goes down RTA and RTB will have all n.0/24 routes in its BGP table (show ip bgp), and the the aggregate address of /22 59 AGGREGATOR Well-known discretionary attribute The router can also include its router ID and local AS number along with the supernet route if aggregation is configured It enables ISP administrators to determine which BGP router is responsible for a particular instance of aggregation 60

31 The LOCAL_PREF Attribute Well-known discretionary attribute Degree of preference given to a route to compare it with other routes for the same destination Higher LOCAL_PREF values are preferred There could be two or more exit points from the local AS to any given destination Local to the AS Exchanged between IBGP peers only Not advertised to EBGP peers Force BGP routers to prefer one exit point over another when routing to a particular destination To manipulate LOCAL_PREF: bgp default local-preference route map to set local preference 61 62

32 The LOCAL_PREF Attribute Router C router bgp 256 neighbor remote-as 100 neighbor remote-as 256 bgp default local-preference 150 Router D router bgp 256 neighbor remote-as 300 neighbor remote-as 256 bgp default local-preference 200 Result: all traffic in AS 256 destined for network is sent by RTD 63 The LOCAL_PREF Attribute Using a Route Map to set LOCAL_PREF on Router D specifically for updates regarding AS 300: Router D router bgp 256 neighbor remote-as 300 neighbor route-map SETLOCALIN in neighbor remote-as 256 ip as-path access-list 7 permit ^300$ route-map SETLOCALIN permit 10 match as-path 7 set local-preference 200 The local preference attribute of any update coming from AS 300 is set to 200 Instance 20 of the SETLOCALIN route map accepts all other routes 64

33 The WEIGHT attribute Cisco proprietary attribute Used in the path selection process when there is more than one route to the same destination Local to the router on which it is assigned, and it is not propagated in routing updates By default, the weight attribute is for paths that the router originates and zero for other paths Routes with a higher weight are preferred when there are multiple routes to the same destination The most important attribute when determining route preference /24 AS 300 RouterA / /30 AS 200 AS 400 RouterB /8 RouterC /8 RouterC#show ip bgp BGP table version is 8, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> i *> i *> i 66

34 The MED attribute MULTI_EXIT_DISC (Multi-Exit Discriminator) Optional non-transitive attribute Informs external neighbors about the preferred path into an AS that has multiple entry points A lower MED is preferred over a higher MED The MED attribute is exchanged between ASs A MED that comes into an AS does not leave the AS When BGP forwards the routing update to another AS, the MED is reset to zero The router compares MED attributes for paths from external neighbors that are in the same AS To compare MED attributes from neighbors in other ASs, configure bgp always-compare-med 67 The MED attribute Router A router bgp 100 neighbor remote-as 300 neighbor remote-as 300 neighbor remote-as 400 Router B router bgp 400 neighbor remote-as 100 neighbor route-map SETMEDOUT out neighbor remote-as 300 route-map SETMEDOUT permit 10 set metric 50 Router C router bgp 300 neighbor remote-as 100 neighbor route-map SETMEDOUT out neighbor remote-as 400 neighbor remote-as 300 route-map SETMEDOUT permit 10 set metric 120 Router D router bgp 300 neighbor remote-as 100 neighbor route map SETMEDOUT out neighbor remote-as 300 route-map SETMEDOUT permit 10 set metric 200 AS100 receives updates regarding from B, C, and D C & D are in AS300, B is in AS400 A can only compare the MED coming from C to the MED coming from D, even though B has the lowest MED value A will choose C as the best path for reaching network To force A to include updates for from B in the comparison, use the bgp alwayscompare-med command Now, Router A will choose Router B as the best next hop for reaching network

35 The ORIGIN attribute Well-known mandatory attribute Indicates the origin of the routing update IGP EGP The prefix is internal to the originating AS The prefix was learned via some EGP INCOMPLETE The prefix was learned by some other means, probably redistribution BGP prefers the path with the lowest origin type, where IGP is lower than EGP, and EGP is lower than INCOMPLETE 69 The BGP decision process 70

36 Resetting BGP Sessions 71 Clearing the BGP Session When policies such as access lists or attributes are changed, the change takes effect immediately, and the next time that a prefix or path is advertised or received, the new policy will be used. It can take a long time for the policy to be applied to all networks. You must trigger an update to ensure that the policy is immediately applied to all affected prefixes and paths. Ways to trigger an update: Hard reset Soft reset Route refresh 72

37 Hard Reset of BGP Sessions Router# clear ip bgp * Resets all BGP connections with this router. Entire BGP forwarding table is discarded. BGP session makes the transition from established to idle; everything must be relearned. Router# clear ip bgp [neighbor-address] Resets only a single neighbor. BGP session makes the transition from established to idle; everything from this neighbor must be relearned. Less severe than clear ip bgp *. 73 Soft Reset Outbound Router# clear ip bgp {* neighbor-address} soft out Routes learned from this neighbor are not lost. This router resends all BGP information to the neighbor without resetting the connection. The connection remains established. This option is highly recommended when you are changing outbound policy. The soft out option does not help if you are changing inbound policy. 74

38 Inbound Soft Reset Router(config-router)# neighbor [ip-address] soft-reconfiguration inbound This command stores all updates from this neighbor in case the inbound policy is changed. The command is memory-intensive. Router# clear ip bgp {* neighbor-address} soft in Uses the stored information to generate new inbound updates. 75 Route Refresh: Dynamic Inbound Soft Reset Router# clear ip bgp {* neighbor-address} [soft in in] Routes advertised to this neighbor are not withdrawn. Does not store update information locally. The connection remains established. Introduced in IOS 12.0(2)S and 12.0(6)T 76

39 debug ip bgp updates Command RouterA#debug ip bgp updates Mobile router debugging is on for address family: IPv4 Unicast RouterA#clear ip bgp <output omitted> *Feb 24 11:06:41.309: %BGP-5-ADJCHANGE: neighbor Up *Feb 24 11:06:41.309: BGP(0): send UPDATE (format) /24, next , metric 0, path Local *Feb 24 11:06:41.309: BGP(0): send UPDATE (prepend, chgflags: 0x0) /24, next , metric 0, path Local *Feb 24 11:06:41.309: BGP(0): NEXT_HOP part 1 net /24, next *Feb 24 11:06:41.309: BGP(0): send UPDATE (format) /24, next , metric 0, path *Feb 24 11:06:41.309: BGP(0): NEXT_HOP part 1 net /24, next *Feb 24 11:06:41.309: BGP(0): send UPDATE (format) /24, next , metric 0, path <output omitted> *Feb 24 11:06:41.349: BGP(0): rcvd UPDATE w/ attr: nexthop , origin i, localpref 100, metric 0 *Feb 24 11:06:41.349: BGP(0): rcvd /24 *Feb 24 11:06:41.349: BGP(0): rcvd /24 77 BGP Peer Groups & Neighbors 78

40 Using a Peer Group Router(config-router)# neighbor peer-group-name peer-group This command creates a peer group. Router(config-router)# neighbor ip-address peer-group peer-group-name This command defines a template with parameters set for a group of neighbors instead of individually. This command is useful when many neighbors have the same outbound policies. Members can have a different inbound policy. Updates are generated once per peer group. Configuration is simplified. 79 Peer Groups 80

41 Example: Using a Peer Group 81 BGP Neighbor Authentication Router(config-router)# neighbor {ip-address peer-group-name} password string BGP authentication uses MD5. Configure a key (password); router generates a message digest, or hash, of the key and the message. Message digest is sent; key is not sent. Router generates and checks the MD5 digest of every segment sent on the TCP connection. Router authenticates the source of each routing update packet that it receives 82

42 Example: BGP Neighbor Authentication 83 Example: show ip bgp Command RouterA# show ip bgp BGP table version is 14, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i * i i *> / i *>i / i *> / i * i * i i *> / i * i * i i r> / i r i r i i *> / i <output omitted> Displays networks from lowest to highest. 84

43 BGP Local Preference Case Study 85 Local Preference Attribute Paths with highest local preference value are preferred: Local preference is used to advertise to IBGP neighbors about how to leave their AS. The local preference is sent to IBGP neighbors only (that is, within AS only). The local preference attribute is well-known and discretionary. Default value =

44 Changing BGP Local Preference For All Routes Local preference is used in these ways: Within an AS between IBGP speakers. To determine the best path to exit the AS to reach an outside network. Set to 100 by default; higher values are preferred. Router(config-router)# bgp default local-preference value Changes the default local preference value. All routes advertised to an IBGP neighbor have the local preference set to the value specified. 87 Local Preference Case Study What is the best path for router C to 65003, 65004, and 65005? 88

45 Router C BGP Table With Default Settings RouterC# show ip bgp BGP table version is 7, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path * i i *>i i *>i i * i i *>i i * i i By default, BGP selects the shortest AS path as the best (>) path. In AS 65001, the percent of traffic going to is 30%, is 20%, and is 10%. 50% of all traffic will go to the next hop of (AS 65005), and 10% of all traffic will go to the next hop of (AS 65002). Make traffic to select the next hop of to achieve load sharing where both external links get approximately 30% of the load. 89 Route Map for Router A Router A s configuration: router bgp neighbor remote-as neighbor remote-as neighbor remote-as update-source loopback0 neighbor remote-as update-source loopback0 neighbor remote-as neighbor route-map local_pref in! access-list 65 permit ! route-map local_pref permit 10 match ip address 65 set local-preference 400! route-map local_pref permit 20 90

46 Router C BGP Table with Local Preference Learned RouterC# show ip bgp BGP table version is 7, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path * i i *>i i *>i i * i i * i i *>i i Best (>) paths for networks /16 and /16 have not changed. Best (>) path for network has changed to a new next hop of due to the next hop of having a higher local preference, 400. In AS 65001, the percentage of traffic going to is 30%, is 20%, and is 10%. 30% of all traffic will go to the next hop of (AS 65005), and 30% of all traffic will go to the next hop of (AS 65002). 91 BGP MED 92

47 MED Attribute The paths with the lowest MED (also called the metric) value are the most desirable: MED is used to advertise to EBGP neighbors how to exit their AS to reach networks owned by this AS. The MED attribute is optional and nontransitive. 93 Changing BGP MED For All Routes MED is used when multiple paths exist between two autonomous systems. A lower MED value is preferred. The default setting for Cisco is MED = 0. The metric is optional, nontransitive attribute. Usually, MED is shared only between two autonomous systems that have multiple EBGP connections with each other. Router(config-router)# default-metric number MED is considered the metric of BGP. All routes that are advertised to an EBGP neighbor are set to the value specified using this command. 94

48 BGP Using Route Maps and the MED 95 Route Map for Router A Router A s Configuration: router bgp neighbor remote-as neighbor remote-as neighbor update-source loopback0 neighbor update-source loopback0 neighbor remote-as neighbor route-map med_65004 out! access-list 66 permit access-list 66 permit ! route-map med_65004 permit 10 match ip address 66 set metric 100! route-map med_65004 permit 100 set metric

49 Route Map for Router B Router B s Configuration: router bgp neighbor remote-as neighbor remote-as neighbor update-source loopback0 neighbor update-source loopback0 neighbor remote-as neighbor route-map med_65004 out! access-list 66 permit ! route-map med_65004 permit 10 match ip address 66 set metric 100! route-map med_65004 permit 100 set metric MED Learned by Router Z RouterZ# show ip bgp BGP table version is 7, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *>i i * i i * i i *>i i * i i *>i i Examine the networks that have been learned from AS on Router Z in AS For all networks: Weight is equal (0); local preference is equal (100); routes are not originated in this AS; AS path is equal (65001); origin code is equal (i) has a lower metric (MED) through (100) than (200) has a lower metric (MED) through (100) than (200) has a lower metric (MED) through (100) than (200). 98

50 Route Selection Decision Process Consider only (synchronized) routes with no AS loops and a valid next hop, and then: Prefer highest weight (local to router). Prefer highest local preference (global within AS). Prefer route originated by the local router (next hop = ). Prefer shortest AS path. Prefer lowest origin code (IGP < EGP < incomplete). Prefer lowest MED (exchanged between autonomous systems). Prefer EBGP path over IBGP path. Prefer the path through the closest IGP neighbor. Prefer oldest route for EBGP paths. Prefer the path with the lowest neighbor BGP router ID. Prefer the path with the lowest neighbor IP address. 99 Filtering routes 100

51 Route filtering A BGP speaker can choose what routes to exchange with any of its BGP peers Incoming route advertisements influence outgoing traffic, and outgoing advertisements influence your incoming traffic Inbound filtering At the peer level, the BGP speaker is filtering routing updates coming from other peers At the protocol level, limits the routing updates being redistributed into BGP Outbound filtering At the peer level, filters the routing updates advertised from this BGP speaker towards other peers At the protocol level, limits the routing updates redistributed from BGP into an IGP 101 Manipulating a route 2 steps: Identify the network number and subnet mask of the route to which the policies are to be applied NLRI (prefix) It relies on route maps Implement the policies Filter prefixes Manipulate attributes 102

52 Distribute-list to filter updates To restrict the routing information that the router learns or advertises, filter routing updates Distribute-list command can be used To prevent an AS become a transit AS Distribute-list command can be used Router A router bgp 3 neighbor remote-as 3 neighbor remote-as 1 neighbor distribute-list 1 out access-list 1 deny access-list 1 permit IP prefix-list command ip prefix-list Alternative to access-lists with many BGP route filtering commands Advantages: Significant performance improvement in loading and route lookup of large lists Support for incremental updates A more user friendly command-line interface Greater flexibility R(config)#ip prefix-list list-name [seq seq-val] deny permit network/len [ge ge-val] [le le-val] Example: applied to outgoing EBGP updates to R(config)# ip prefix-list ELMO permit /16 R(config)# router bgp 100 R(config-router)# neighbor remote-as 200 R(config-router)# neighbor prefix-list ELMO out 104

53 IP prefix-list command ip prefix-list Optional parameters: ge and le Specify the range of the prefix length to be matched for prefixes that are more specific than the network/len value len < ge-value <= le-value <= 32 Ex: Accept a mask length of up to 24 bits in routes with the prefix /8, and to deny more specific routes RTA(config)#ip prefix-list GROVER permit /8 le 24 RTA(config)#ip prefix-list GROVER deny /8 ge /19 and /24 match the permit, but /27 doesn t All prefixes in /8 that have a mask length from 16 to 24 bits RTA(config)#ip prefix-list OSCAR permit /8 ge 16 le 24 Each prefix list entry is assigned a sequence number new entries can be inserted at any point in the list automatically generated in increments of five 105 Redundancy, Symmetry and Load Balancing Redundancy Achieved by providing multiple alternate paths Having multiple connections to one or more ASs Problem the more redundant links a network has, the more unpredictable the entrance and exit points become Alternate routes imply additional information in the routing tables Symmetry Solution default routing If traffic leaves the AS from a certain exit point and returns through the same point Choose a primary path and configure routing policies that force traffic to flow along this path Load Balancing Division of traffic optimally over multiple links To enable BGP load balancing over equal cost paths: Router(config-router)# maximum-paths number 106

54 Redundancy Default routes Minimize the size of a routing table Provide networks with redundancy in the event of failures and connectivity interruptions In BGP Local Preference attribute can be manipulated on the various default routes One default route is the primary the highest Local Preference 107 BGP Redistribution Relationship between Internet route stability and the method used to inject routes into BGP Information can be injected into BGP Dynamically Routes come and go from the BGP routing table, depending on the status of the networks Purely dynamic redistribution All the IGP routes are redistributed into BGP using the redistribute command Semi-dynamic redistribution Only certain IGP routes are injected into BGP using the BGP network command Statically More selective than a completely dynamic method Network command is necessary for each route prefix Routes are constantly maintained by the BGP routing tables 108

55 Synchronization 109 BGP Peering BGP does not advertise routes learned via IBGP peers to other IBGP peers. If they did, BGP routing inside the AS would present a dangerous potential for routing loops. For IBGP routers to learn about all BGP routes inside the AS, they must connect to every other IBGP router in a logical full IBGP mesh. You can create a logical full mesh even if the routers aren t directly connected, as long as the IBGP peers can connect to each other using TCP/IP. 110

56 AS Synchronization When an IBGP router receives an update about a destination from an IBGP peer, it tries to verify reachability to that destination via an IGP, such as RIP or OSPF. If the IBGP router can t find the destination network in it s IGP routing table, it will not advertise the destination to other BGP peers. 111 AS Synchronization If the IBGP router does have an IGP route to this destination, the route is considered synchronized, and the router will announce it to other BGP peers. Otherwise, the router will treat the route as not being synchronized with the IGP and will not advertise it. 112

57 AS Synchronization The Cisco IOS offers an optional command called no synchronization. This command enables BGP to override the synchronization requirement, allowing the router to advertise routes learned via IBGP irrespective of an existence of an IGP route. 113 AS Synchronization Usually a BGP speaker does not advertise a route to an external neighbor unless that route is local or exists in the IGP. no synchronization command It permits BGP to advertise networks without caring whether the IGP (OSPF, IS-IS, EIGRP, etc.) has the route. 114

58 AS Synchronization In practice, two situations exist where synchronization can be safely turned off on border routers: 1. When all transit routers inside the AS are running fully meshed IBGP. Internal reachability is guaranteed because a route that is learned via EBGP on any of the border routers will automatically be passed on via IBGP to all other transit routers. 2. When the AS is not a transit AS. 115 BGP Configuration Finally, whenever configuring BGP, you will notice that changes you make to an existing configuration may not appear immediately. To force BGP to clear its table and reset BGP sessions, use the clear ip bgp command. The easiest way to enter this command is as follows: Router#clear ip bgp * 116

59 BGP Routing Routes are exchanged between BGP peers via UPDATE messages BGP routers Receive the UPDATE messages Run some policies or filters over the updates Pass on the routes to other BGP peers BGP Cisco implementation has a BGP table separate from the IP routing table 117 Regular Expressions For example, the following command will match any AS_PATH that includes 364: Router(config)#ip as-path access-list 1 permit 364 Unfortunately, the regular expression, 364, will match not only AS 364, but also 1364, 2364, 3364, etc. Because policy routing demands a certain degree of precision, you will typically use one or more these special characters when creating a regular expression. 118

60 Regular Expressions Character Description ^ $ _. * Matches the beginning of the input string. Matches the end of the input string. Matches a space, comma, left brace, right brace, the beginning of an input string, or the ending of an input stream Matches any single character Matches 0 or more single- or multiplecharacter patterns. Router(config)#ip as-path access-list 1 permit ^364$ 119 BGP Redistribution Information can be injected into BGP Dynamically Routes come and go from the BGP routing table, depending on the status of the networks Purely dynamic redistribution All the IGP routes are redistributed into BGP using the redistribute command Semi-dynamic redistribution Statically Only certain IGP routes are injected into BGP using the BGP network command More selective than a completely dynamic method Network command is necessary for each route prefix Routes are constantly maintained by the BGP routing tables 120

61 Redistribute BGP RTB(config)#router bgp 200 RTB(config-router)#neighbor remote-as 100 RTB(config-router)#neighbor route-map BLOCK-BAD-ADDRESSES out RTB(config-router)#redistribute ospf 1 match internal metric 50 RTB(config-router)#redistribute static RTB(config)#router bgp 200 RTB(config-router)#neighbor remote-as 100 RTB(config-router)#neighbor route-map BLOCK-BAD-ADDRESSES out RTB(config-router)#network RTB(config-router)#network Q and A 122