Introduction to BGP. Cisco ISP Workshops. 2003, Cisco Systems, Inc. All rights reserved.

Transcription

1 Introduction to BGP Cisco ISP Workshops 1

2 Border Gateway Protocol Routing Protocol used to exchange routing information between networks exterior gateway protocol RFC1771 work in progress to update draft-ietf-idr-bgp4-18.txt Currently Version 4 Runs over TCP Cisco ISP Workshops 2

3 BGP Path Vector Protocol Incremental Updates Many options for policy enforcement Classless Inter Domain Routing (CIDR) Widely used for Internet backbone Autonomous systems Cisco ISP Workshops 3

4 Path Vector Protocol BGP is classified as a path vector routing protocol (see RFC 1322) A path vector protocol defines a route as a pairing between a destination and the attributes of the path to that destination / i AS Path Cisco ISP Workshops 4

5 Path Vector Protocol AS6337 AS11268 AS7018 AS500 AS6461 AS600 Cisco ISP Workshops 5

6 Definitions Transit carrying traffic across a network, usually for a fee Peering exchanging routing information and traffic Default where to send traffic when there is no explicit match in the routing table Cisco ISP Workshops 6

7 Default Free Zone The default free zone is made up of Internet routers which have explicit routing information about the rest of the Internet, and therefore do not need to use a default route. Cisco ISP Workshops 7

8 Peering and Transit example provider A IXP- West Backbone Provider D IXP-East provider B A and B can peer, but need transit arrangements with D to get packets to/from C provider C Cisco ISP Workshops 8

9 Autonomous System (AS) AS 100 Collection of networks with same routing policy Single routing protocol Usually under single ownership, trust and administrative control Cisco ISP Workshops 9

10 Demarcation Zone (DMZ) A DMZ Network AS 100 AS 101 C B D E AS 102 Shared network between ASes Cisco ISP Workshops 10

11 BGP Basics Peering A C AS 100 AS 101 B D BGP speakers are called peers E AS 102 Cisco ISP Workshops 11

12 BGP General Operation Learns multiple paths via internal and external BGP speakers Picks the best path and installs in the forwarding table Policies applied by influencing the best path selection Cisco ISP Workshops 12

13 Constructing the Forwarding Table BGP in process receives path information from peers results of BGP path selection placed in the BGP table best path flagged BGP out process announces best path information to peers Best paths installed in forwarding table if: prefix and prefix length are unique lowest protocol distance Cisco ISP Workshops 13

14 Constructing the Forwarding Table in everything BGP in process discarded accepted bgp peer BGP table forwarding table out best paths BGP out process Cisco ISP Workshops 14

15 External BGP Peering (ebgp) A AS 100 AS 101 C B Between BGP speakers in different AS Should be directly connected Do not run an IGP between ebgp peers Cisco ISP Workshops 15

16 Configuring External BGP Router A in AS100 interface ethernet 5/0 ip address router bgp 100 network mask neighbor remote-as 101 neighbor prefix-list RouterC-in in neighbor prefix-list RouterC-out out Router C in AS101 interface ethernet 1/0/0 ip address router bgp 101 network mask neighbor remote-as 100 neighbor prefix-list RouterA-in in neighbor prefix-list RouterA-out out Cisco ISP Workshops 16

17 Internal BGP (ibgp) BGP peer within the same AS Not required to be directly connected ibgp speakers need to be fully meshed they originate connected networks they do not pass on prefixes learned from other ibgp speakers Cisco ISP Workshops 17

18 Internal BGP Peering (ibgp) A AS 100 B D Topology independent Each ibgp speaker must peer with every other ibgp speaker in the AS E Cisco ISP Workshops 18

19 Peering to Loop-back Address AS 100 Peer with loop-back address Cisco ISP Workshops Loop-back interface does not go down ever! ibgp session is not dependent on state of a single interface ibgp session is not dependent on physical topology 19

20 Configuring Internal BGP Router A interface loopback 0 ip address router bgp 100 network neighbor remote-as 100 neighbor update-source loopback0 neighbor remote-as 100 neighbor update-source loopback0 Cisco ISP Workshops Router B interface loopback 0 ip address router bgp 100 network neighbor remote-as 100 neighbor update-source loopback0 neighbor remote-as 100 neighbor update-source loopback0 20

21 Inserting prefixes into BGP Two ways to insert prefixes into BGP redistribute static network command Cisco ISP Workshops 21

22 Inserting prefixes into BGP redistribute static Configuration Example: router bgp 100 redistribute static ip route serial0 Static route must exist before redistribute command will work Forces origin to be incomplete Care required! Cisco ISP Workshops 22

23 Inserting prefixes into BGP redistribute static Care required with redistribute! redistribute <routing-protocol> means everything in the <routing-protocol> will be transferred into the current routing protocol Will not scale if uncontrolled Best avoided if at all possible redistribute normally used with route-maps and under tight administrative control Cisco ISP Workshops 23

24 Inserting prefixes into BGP network command Configuration Example router bgp 100 network mask ip route serial0 A matching route must exist in the routing table before the network is announced Forces origin to be IGP Cisco ISP Workshops 24

25 Configuring Aggregation Three ways to configure route aggregation redistribute static aggregate-address network command Cisco ISP Workshops 25

26 Configuring Aggregation Configuration Example: router bgp 100 redistribute static ip route null0 250 static route to null0 is called a pull up route packets only sent here if there is no more specific match in the routing table distance of 250 ensures this is last resort static care required see previously! Cisco ISP Workshops 26

27 Configuring Aggregation Network Command Configuration Example router bgp 100 network mask ip route null0 250 A matching route must exist in the routing table before the network is announced Easiest and best way of generating an aggregate Cisco ISP Workshops 27

28 Configuring Aggregation aggregate-address command Configuration Example router bgp 100 network mask aggregate-address [ summary-only ] Requires more specific prefix in routing table before aggregate is announced {summary-only} keyword optional keyword which ensures that only the summary is announced if a more specific prefix exists in the routing table Cisco ISP Workshops 28

29 Historical Defaults Auto Summarisation Disable historical default 1 Automatically summarises subprefixes to the classful network when redistributing to BGP from another routing protocol Example: /22 fi /8 Must be turned off for any Internet connected site using BGP router bgp 100 no auto-summary Cisco ISP Workshops 29

30 Historical Defaults Synchronisation Disable historical default 2 In Cisco IOS, BGP does not advertise a route before all routers in the AS have learned it via an IGP Disable synchronisation if: AS doesn t pass traffic from one AS to another, or All transit routers in AS run BGP, or ibgp is used across backbone router bgp 100 no synchronization Cisco ISP Workshops 30

31 Summary BGP4 path vector protocol ibgp versus ebgp stable ibgp peer with loopbacks announcing prefixes & aggregates no synchronization & no auto-summary Cisco ISP Workshops 31

32 Introduction to BGP Cisco ISP Workshops 32

33 BGP Attributes and Policy Control Cisco ISP Workshops 1

34 Agenda BGP Attributes BGP Path Selection Applying Policy Cisco ISP Workshops 2

35 BGP Attributes The tools available for the job Cisco ISP Workshops 3

36 What Is an Attribute?... Next Hop AS Path MED Describes the characteristics of prefix Transitive or non-transitive Some are mandatory Cisco ISP Workshops 4

37 AS-Path Sequence of ASes a route has traversed Loop detection Apply policy AS 300 AS 200 AS / / / / AS /16 AS / / / Cisco ISP Workshops 5

38 AS-Path loop detection AS 200 AS / /16 AS / / / / AS / / /16 is not accepted by AS100 the network has AS100 in the AS-PATH this is loop detection in action Cisco ISP Workshops 6

39 Next Hop AS /16 A B AS / / AS /16 Next hop to reach a network Usually a local network is the next hop in ebgp session Cisco ISP Workshops 20 7

40 Next Hop AS /16 A ebgp B ibgp AS 300 C AS / / / Next hop not changed for ibgp Cisco ISP Workshops 8

41 ibgp Next Hop / /23 Loopback /32 B ibgp C Loopback /32 AS 300 D A Next hop is ibgp router loopback address Recursive route look-up Cisco ISP Workshops / /

42 Third Party Next Hop AS / A C B AS / ebgp between Router A and Router C ibgp between RouterA and RouterB /24 prefix has next hop address of this is passed on to RouterC instead of More efficient No extra config needed Cisco ISP Workshops 10

43 Next Hop (summary) IGP should carry route to next hops Recursive route look-up Unlinks BGP from actual physical topology Allows IGP to make intelligent forwarding decision Cisco ISP Workshops 11

44 Origin Conveys the origin of the prefix Influence best path selection Three values IGP, EGP, incomplete IGP generated from BGP network statement EGP generated from EGP incomplete generated by redistribute action Cisco ISP Workshops 12

45 Aggregator Useful for debugging purposes Conveys the IP address of the router/bgp speaker generating the aggregate route Does not influence path selection Cisco ISP Workshops 13

46 Local Preference AS /16 AS 200 AS 300 D E / > / A AS 400 C B Cisco ISP Workshops 14

47 Local Preference Local to an AS non-transitive local preference set to 100 when heard from neighbouring AS Used to influence BGP path selection determines best path for outbound traffic Path with highest local preference wins Cisco ISP Workshops 15

48 Local Preference Configuration of Router B: router bgp 400 neighbor remote-as 300 neighbor route-map local-pref in! route-map local-pref permit 10 match ip address prefix-list MATCH set local-preference 800! ip prefix-list MATCH permit /16 ip prefix-list MATCH deny /0 le 32 Cisco ISP Workshops 16

49 Multi-Exit Discriminator (MED) AS 200 C / / A B /24 AS 201 Cisco ISP Workshops 17

50 Multi-Exit Discriminator Inter-AS non-transitive metric attribute not announced to next AS Used to convey the relative preference of entry points determines best path for inbound traffic Comparable if paths are from same AS IGP metric can be conveyed as MED set metric-type internal in route-map Cisco ISP Workshops 18

51 MED & IGP Metric set metric-type internal enable BGP to advertise a MED which corresponds to the IGP metric values changes are monitored (and re-advertised if needed) every 600s bgp dynamic-med-interval <secs> Cisco ISP Workshops 19

52 Multi-Exit Discriminator Configuration of Router B: router bgp 400 neighbor remote-as 200 neighbor route-map set-med out! route-map set-med permit 10 match ip address prefix-list MATCH set metric 1000! ip prefix-list MATCH permit /24 ip prefix-list MATCH deny /0 le 32 Cisco ISP Workshops 20

53 Weight Not really an attribute local to router Highest weight wins Applied to all routes from a neighbour neighbor weight 100 Weight assigned to routes based on filter neighbor filter-list 3 weight 50 Cisco ISP Workshops 21

54 Weight Used to Deploy RPF AS4 Link to use for most traffic from AS1 AS4, LOCAL_PREF 200 Backup link, but RPF still needs to work AS1 AS4, LOCAL_PREF 100 Local to router on which it s configured Not really an attribute route-map: set weight Highest weight wins over all valid paths Weight customer ebgp on edge routers to allow RPF to work correctly Cisco ISP Workshops 22

55 Community Communities described in RFC bit integer Commonly represented as two 16 bit integers (RFC1998) Used to group destinations Each destination could be member of multiple communities Community attribute carried across AS s Very useful in applying policies Cisco ISP Workshops 23

56 Community ISP 2 X / /16 300: /16 300:1 E AS /16 300:9 D AS 300 ISP /16 300:1 C /16 300:1 AS 100 A /16 B AS /16 Cisco ISP Workshops 24

57 Well-Known Communities no-export do not advertise to ebgp peers no-advertise do not advertise to any peer local-as do not advertise outside local AS (only used with confederations) Cisco ISP Workshops 25

58 No-Export Community / X.X No-Export X.X A D /16 AS 100 AS 200 B E G C F Cisco ISP Workshops 26

59 No-Export Community AS100 announces aggregate and subprefixes aim is to improve loadsharing between AS100 and AS200 by leaking subprefixes Subprefixes marked with no-export community Router G in AS200 strips out all prefixes with no-export community set Cisco ISP Workshops 27

60 BGP Path Selection Algorithm Why is this the best path? Cisco ISP Workshops 28

61 BGP Path Selection Algorithm Do not consider path if no route to next hop Do not consider ibgp path if not synchronised Highest weight (local to router) Highest local preference (global within AS) Prefer locally originated route Shortest AS path Cisco ISP Workshops 29

62 BGP Path Selection Algorithm (continued) Lowest origin code IGP < EGP < incomplete Lowest Multi-Exit Discriminator (MED) If bgp deterministic-med, order the paths before comparing If bgp always-compare-med, then compare for all paths otherwise MED only considered if paths are from the same AS (default) Cisco ISP Workshops 30

63 BGP Path Selection Algorithm (continued) Prefer ebgp path over ibgp path Path with lowest IGP metric to next-hop For ebgp paths: If multipath is enabled, install N parallel paths in forwarding table If router-id is the same, go to next step If router-id is not the same, select the oldest path Cisco ISP Workshops 31

64 BGP Path Selection Algorithm (continued) Lowest router-id (originator-id for reflected routes) Shortest cluster-list Client must be aware of Route Reflector attributes! Lowest neighbour address Cisco ISP Workshops 32

65 Applying Policy with BGP How to use the tools Cisco ISP Workshops 33

66 Applying Policy with BGP Policy-based on AS path, community or the prefix Rejecting/accepting selected routes Set attributes to influence path selection Tools: Prefix-list (filters prefixes) Filter-list (filters ASes) Route-maps and communities Cisco ISP Workshops 34

67 Policy Control Prefix List Per neighbour prefix filter incremental configuration High performance access-list Inbound or Outbound Based upon network numbers (using familiar IPv4 address/mask format) Cisco ISP Workshops 35

68 Prefix-list Command [no] ip prefix-list <list-name> [seq <seq-value>] deny permit <network>/<len> [ge <ge-value>] [le <le-value>] <network>/<len>: The prefix and its length ge <ge-value>: "greater than or equal to" le <le-value>: "less than or equal to" Both "ge" and "le" are optional. Used to specify the range of the prefix length to be matched for prefixes that are more specific than <network>/<len> Cisco ISP Workshops 36

69 Prefix Lists Examples Deny default route ip prefix-list EG deny /0 Permit the prefix /8 ip prefix-list EG permit /8 Deny the prefix /12 ip prefix-list EG deny /12 In 192/8 allow up to /24 ip prefix-list EG permit /8 le 24 This allows all prefix sizes in the /8 address block, apart from /25, /26, /27, /28, /29, /30, /31 and /32. Cisco ISP Workshops 37

70 Prefix Lists Examples In 192/8 deny /25 and above ip prefix-list EG deny /8 ge 25 This denies all prefix sizes /25, /26, /27, /28, /29, /30, /31 and /32 in the address block /8. It has the same effect as the previous example In 193/8 permit prefixes between /12 and /20 ip prefix-list EG permit /8 ge 12 le 20 This denies all prefix sizes /8, /9, /10, /11, /21, /22, and higher in the address block /8. Permit all prefixes Cisco ISP Workshops ip prefix-list EG permit /0 le matches all possible addresses, 0 le 32 matches all possible prefix lengths 38

71 Policy Control Prefix List Example Configuration router bgp 200 network neighbor remote-as 210 neighbor prefix-list PEER-IN in neighbor prefix-list PEER-OUT out! ip prefix-list PEER-IN deny /16 ip prefix-list PEER-IN permit /0 le 32 ip prefix-list PEER-OUT permit /16 ip prefix-list PEER-OUT deny /0 le 32 Cisco ISP Workshops 39

72 Policy Control Filter List Filter routes based on AS path Inbound or Outbound Example Configuration: router bgp 100! network neighbor filter-list 5 out neighbor filter-list 6 in ip as-path access-list 5 permit ^200$ ip as-path access-list 6 permit ^150$ Cisco ISP Workshops 40

73 Policy Control Regular Expressions Like Unix regular expressions. Match one character * Match any number of preceding expression + Match at least one of preceding expression ^ Beginning of line $ End of line _ Beginning, end, white-space, brace Or () brackets to contain expression Cisco ISP Workshops 41

74 Policy Control Regular Expressions Simple Examples.* match anything.+ match at least one character ^$ match routes local to this AS _1800$ ^ _1800 (1800_)+ _\(65530\)_ originated by AS1800 received from AS1800 via AS1800 via AS1800 and AS790 multiple AS1800 in sequence (used to match AS-PATH prepends) via AS65530 (confederations) Cisco ISP Workshops 42

75 Policy Control Regular Expressions Not so simple Examples ^[0-9]+$ ^[0-9]+_[0-9]+$ ^[0-9]*_[0-9]+$ ^[0-9]*_[0-9]*$ ^[0-9]+_[0-9]+_[0-9]+$ _( ) 1849(_.+_)12163$ Match AS_PATH length of one Match AS_PATH length of two Match AS_PATH length of one or two Match AS_PATH length of one or two (will also match zero) Match AS_PATH length of three Match anything which has gone through AS701 or AS1800 Match anything of origin AS12163 and passed through AS1849 Cisco ISP Workshops 43

76 Policy Control Route Maps A route-map is like a programme for IOS Has line numbers, like programmes Each line is a separate condition/action Concept is basically: if match then do expression and exit else if match then do expression and exit else etc Cisco ISP Workshops 44

77 Route Maps Caveats Lines can have multiple set statements but only one match statement Line with only a set statement all prefixes are matched and set any following lines are ignored Line with a match/set statement and no following lines only prefixes matching go through the rest are dropped Cisco ISP Workshops 45

78 Route Maps Caveats Example omitting the third line below means that prefixes not matching list-one or list-two are dropped route-map sample permit 10 match ip address prefix-list list-one set local-preference 120! route-map sample permit 20 match ip address prefix-list list-two set local-preference 80! route-map sample permit 30! Don t forget this Cisco ISP Workshops 46

79 Policy Control Route Maps Example Configuration route map and prefix-lists router bgp 100 neighbor route-map infilter in! route-map infilter permit 10 match ip address prefix-list HIGH-PREF set local-preference 120! route-map infilter permit 20 match ip address prefix-list LOW-PREF set local-preference 80! ip prefix-list HIGH-PREF permit /8 ip prefix-list LOW-PREF permit /8 Cisco ISP Workshops 47

80 Policy Control Route Maps Example Configuration route map and filter lists router bgp 100! neighbor remote-as 200 neighbor route-map filter-on-as-path in route-map filter-on-as-path permit 10 match as-path 1 set local-preference 80! route-map filter-on-as-path permit 20 match as-path 2 set local-preference 200! ip as-path access-list 1 permit _150$ ip as-path access-list 2 permit _210_ Cisco ISP Workshops 48

81 Policy Control Route Maps Example configuration of AS-PATH prepend router bgp 300 network neighbor remote-as 100 neighbor route-map SETPATH out! route-map SETPATH permit 10 set as-path prepend Use your own AS number when prepending Otherwise BGP loop detection may cause disconnects Cisco ISP Workshops 49

82 Policy Control Route Maps Route Map MATCH Articles as-path clns address clns next-hop clns route-source community interface ip address ip next-hop ip route-source length metric nlri route-type tag Cisco ISP Workshops 50

83 Policy Control Route Maps Route map SET Articles as-path automatic-tag clns comm-list community dampening default interface interface ip default next-hop ip next-hop Cisco ISP Workshops 51

84 Policy Control Route Maps Route map SET Articles ip precedence ip qos-group ip tos level local preference metric metric-type next-hop nlri multicast nlri unicast origin tag traffic-index weight Cisco ISP Workshops 52

85 Policy Control Matching Communities Example Configuration router bgp 100 neighbor remote-as 200 neighbor route-map filter-on-community in! route-map filter-on-community permit 10 match community 1 set local-preference 50! route-map filter-on-community permit 20 match community 2 exact-match set local-preference 200! ip community-list 1 permit 150:3 200:5 ip community-list 2 permit 88:6 Cisco ISP Workshops 53

86 Policy Control Setting Communities Example Configuration router bgp 100 network ! neighbor remote-as 200 neighbor send-community neighbor route-map set-community out route-map set-community permit 10 match ip address prefix-list NO-ANNOUNCE! set community no-export route-map set-community permit 20 match ip address prefix-list EVERYTHING! ip prefix-list NO-ANNOUNCE permit /16 ge 17 ip prefix-list EVERYTHING permit /0 le 32 Cisco ISP Workshops 54

87 Aggregation Policies Suppress Map Used to suppress selected more-specific prefixes (e.g. defined through a route-map) in the absence of the summary-only keyword. Unsuppress Map Used to unsuppress selected morespecific prefixes per BGP peering when the summary-only keyword is in use. Cisco ISP Workshops 55

88 Aggregation Policies Suppress Map Example router bgp 100 network network network network network aggregate-address suppress-map block-net neighbor remote-as 200! route-map block-net permit 10 match ip address prefix-list SUPPRESS! ip prefix-list SUPPRESS permit /21 le 32 ip prefix-list SUPPRESS deny /0 le 32! Cisco ISP Workshops 56

89 Aggregation Policies Suppress Map show ip bgp on the local router router1#sh ip bgp BGP table version is 11, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i s> i s> i s> i *> i *> i Cisco ISP Workshops 57

90 Aggregation Policies Suppress Map show ip bgp on the remote router router2#sh ip bgp BGP table version is 90, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i *> i *> i Cisco ISP Workshops 58

91 Aggregation Policies Unsuppress Map Example router bgp 100! network network network network network aggregate-address summary-only neighbor remote-as 200 neighbor unsuppress-map leak-net route-map leak-net permit 10 match ip address prefix-list LEAK! ip prefix-list LEAK permit /21 le 32 ip prefix-list LEAK deny /0 le 32! Cisco ISP Workshops 59

92 Aggregation Policies Unsuppress Map show ip bgp on the local router router1#sh ip bgp BGP table version is 11, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i -internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i s> i s> i s> i s> i s> i Cisco ISP Workshops 60

93 Aggregation Policies Unsuppress Map show ip bgp on the remote router router2#sh ip bgp BGP table version is 90, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path *> / i *> i *> i *> i Cisco ISP Workshops 61

94 Aggregation Policies Aggregate Address Summary-only used all subprefixes suppressed unsuppress-map to selectively leak subprefixes bgp per neighbour configuration Absence of summaryonly no subprefixes suppressed suppress-map to selectively suppress subprefixes bgp global configuration Cisco ISP Workshops 62

95 BGP Attributes and Policy Control Cisco ISP Workshops 63

96 BGP Communities RST _05_2003_c1 1

97 Problem: Scale Routing Policy Solution: COMMUNITY NOT in decision algorithm BGP route can be a member of many communities Typical communities: Destinations learned from customers Destinations learned from ISPs or peers Destinations in VPN BGP community is fundamental to the operation of BGP VPNs RST _05_2003_c1 2

98 Problem: Scale Routing Policy Solution: COMMUNITY Communities: 1:100 Customer Routes 1:80 ISP Routes ISP 2 ISP 1 ISP 3 ISP Customer 1 (No Default, Wants Full Routes) RST _05_2003_c1 Customer 2 (Uses Default, Wants Your Routes) 3

99 Problem: Scale Routing Policy Solution: COMMUNITY Communities: 1:100 Customer Routes 1:80 ISP Routes Set Community 1:80 ISP 2 ISP 1 Match Community 1:100 Match Community 1:100 1:80 Match Community 1:100 ISP 3 Set Community 1: ISP 4 Customer 1 (No Default, Wants Full Routes) RST _05_2003_c1 Customer 2 (Uses Default, Wants Your Routes) 4

100 BGP Attributes: COMMUNITY Activated per neighbor/peer-group: neighbor {peer-address peer-group-name} send-community Carried across AS boundaries Common convention is string of four bytes: <AS>:[ ] RST _05_2003_c1 5

101 BGP Attributes: COMMUNITY (Cont.) Each destination can be a member of multiple communities Using a route-map: set community < > community number aa:nn community number in aa:nn format additive Add to the existing community none No community attribute local-as Do not send to EBGP peers (well-known community) no-advertise Do not advertise to any peer (well-known community) no-export Do not export outside AS/confed (well-known community) RST _05_2003_c1 6

102 Community Filters Filter based on Community Strings ip community-list <1-99> [permit deny] comm ip community-list < > [permit deny] regexp Per neighbor Inbound or outbound route-maps Match community <number> [exact-match] Exact match only for standard lists RST _05_2003_c1 7

103 Community Filters Example 1: Mark some prefixes as part of the 1:120 community (+remove existing community!) Configuration: router bgp 1 neighbor remote-as 2 RST _05_2003_c1 neighbor send-community neighbor route-map set_community out! route-map set_community 10 permit match ip address 1 set community 1:120! access-list 1 permit

104 Community Filters Example 2: Set LOCAL_PREF depending on the community that the prefix belongs to Configuration: router bgp 1 neighbor remote-as 2 neighbor route-map filter_on_community in! route-map filter_on_community 10 permit match community 1 set local-preference 150! ip community-list 1 permit 2:150 RST _05_2003_c1 9

105 RST _05_2003_c1 10

106 Deploying ibgp Cisco ISP Workshops 1

107 Guidelines for Stable IBGP Peer using loopback addresses neighbor { ip address peer-group} update-source loopback0 Independent of physical interface failure IGP performs any load-sharing Cisco ISP Workshops 2

108 Guidelines for Scaling IBGP Use peer groups and RRs Carry only next-hops in IGP Carry full routes in BGP only if necessary Do not redistribute BGP into IGP Cisco ISP Workshops 3

109 Using Peer Groups IBGP Peer Group AS1 router bgp 1 neighbor internal peer-group neighbor internal description ibgp peers neighbor internal remote-as 1 neighbor internal update-source Loopback0 neighbor internal next-hop-self neighbor internal send-community neighbor internal version 4 neighbor internal password A09 neighbor peer-group internal neighbor peer-group internal Cisco ISP Workshops 4

110 What Is a Peer Group? All peer-group members have a common outbound policy Updates generated once per peer group Simplifies configuration Members can have different inbound policy Cisco ISP Workshops 5

111 Why Route Reflectors? Avoid n(n-1)/2 IBGP mesh n=1000 => nearly half a million ibgp sessions! 13 Routers => 78 IBGP Sessions! Cisco ISP Workshops 6

112 Using Route Reflectors RR Backbone RR Golden Rule of RR Loop Avoidance: RR Topology Should Follow Physical Topology RRC RR Cluster A RR Cluster C RRC RR RRC Cluster B RR Cluster D RRC Cisco ISP Workshops 7

113 What Is a Route Reflector? Reflector receives path from clients and non clients If best path is from a client, reflect to clients and non-clients If best path is from a non-client, reflect to clients Cisco ISP Workshops 8

114 Configuration of RR Peer Groups router bgp 1 neighbor rr-client peer-group neighbor rr-client description RR clients neighbor rr-client remote-as 1 neighbor rr-client update-source Loopback0 neighbor rr-client route-reflector-client neighbor rr-client next-hop-self neighbor rr-client send-community group neighbor rr-client version 4 neighbor rr-client password A09 neighbor peer-group rr-client neighbor peer-group rr-client This line on RRs only RRCs use still use internal peer Cisco ISP Workshops 9

115 Deploying Route Reflectors Divide backbone into multiple clusters Each cluster contains at least one RR (multiple for redundancy), and multiple clients RRs are fully meshed via IBGP Still use single IGP next-hop unmodified by RR; unless via explicit inbound route-map Cisco ISP Workshops 10

116 Hierarchical Route Reflector Example: B RR A RouterB>sh ip bgp BGP routing table entry for / from ( ) Origin IGP, metric 0, localpref 100, valid, internal, best Originator: Cluster list: , Router id RRC Router id C Router id AS RR RRC D Cisco ISP Workshops 11

117 BGP Attributes: ORIGINATOR_ID ORIGINATOR_ID Router ID of IBGP speaker that reflects RR client routes to non-clients Overridden by: bgp cluster-id x.x.x.x Useful for troubleshooting and loop detection Cisco ISP Workshops 12

118 BGP Attributes: CLUSTER_LIST CLUSTER_LIST String of ORIGINATOR_IDs through which the route has passed Useful for troubleshooting and loop detection Cisco ISP Workshops 13

119 So Far Is IBGP peering Stable? Use loopbacks for peering Will it Scale? Use peer groups Use route reflectors Simple, hierarchical config? Cisco ISP Workshops 14

120 RST _05_2003_c1 15

121 Deploying ebgp Cisco ISP Workshops 1

122 Customer Issues Steps Configure BGP (use session passwords!) Generate a stable aggregate Set inbound policy Set output policy Configure loadsharing/multihoming Cisco ISP Workshops 2

123 Connecting to an ISP AS 100 is a customer of AS AS 2 Router B: router bgp 100 aggregate-address as-set summary-only neighbor external remote-as 2 neighbor external description ISP connection neighbor external remove-private-as neighbor external version 4 neighbor external prefix-list ispout out neighbor external route-map ispout out neighbor external route-map ispin in neighbor external password 7 020A0559 neighbor external maximum-prefix [warning-only] neighbor peer-group external /16 AS1 A B Cisco ISP Workshops 3

124 What Is Aggregation? Summarization based on specifics from the BGP routing table => Cisco ISP Workshops 4

125 How to Aggregate aggregate-address {asset} {summary-only} {route-map} Use as-set to include path and community info from specifics summary-only suppresses specifics route-map sets other attributes Cisco ISP Workshops 5

126 Why Aggregate? Reduce number of Internet prefixes Increase stability aggregate stays even specifics come and go Stable aggregate generation: router bgp 1 aggregate-address as-set summary-only network : ip route null0 254 Cisco ISP Workshops 6

127 BGP Attributes Atomic Aggregate Indicates loss of AS-PATH information Must not be removed once set Set by: aggregate-address x.x.x.x Not set if as-set keyword is used, however, AS-SET and COMMUNITY then carries information about specifics Cisco ISP Workshops 7

128 BGP Attributes: Aggregator AS number and IP address of router generating aggregate Useful for troubleshooting Cisco ISP Workshops 8

129 Aggregate Attributes NEXT_HOP = local ( ) WEIGHT = LOCAL_PREF = none (assume 100) AS_PATH = AS_SET or nothing ORIGIN = IGP MED = none Cisco ISP Workshops 9

130 Why Inbound Policy? Apply a recognizable community to use in outbound filters or other policy Possibly adjust local-preference to override default of 100 Multihoming loadsharing more later route-map ISPin permit 10 set local-preference 200 set community 1:2 ; routes from ISP Cisco ISP Workshops 10

131 Why Outbound Policy? Main filter based on communities Adding a prefix filter helps protect against mistakes (can apply as-path filters too) Send community based on agreements with ISP (remember to add sendcommunity line to config) Multihoming loadsharing policy Cisco ISP Workshops 11

132 Outgoing Policy Config ip prefix-list ISPout seq 5 permit : ip community-list 1 permit 1:1 ;all routes to send to ISP : route-map ISPout permit 10 match community 1 ; Internet transit community set community 1:3 [additive] ; something agreed with ISP Cisco ISP Workshops 12

133 Load-Sharing Single Path Router A: interface loopback 0 ip address ! router bgp 1 neighbor remote-as 2 neighbor update-source loopback0 neighbor ebgp-multi-hop 2 A AS1 AS2 Loopback Cisco ISP Workshops 13

134 Load-Sharing Multiple Paths from Same AS Router A: router bgp 1 neighbor remote-as 2 neighbor remote-as 2 maximum-paths 2 ; can configure up to 6 A AS 2 AS 1 Cisco ISP Workshops 14

135 What Is Multihoming? Connecting to two or more ISPs to increase: Reliability one ISP fails, still OK Performance better paths to common Internet destinations Cisco ISP Workshops 15

136 Types of Multihoming Three common cases: Default from all ISPs Customer+default routes from all ISPs Full routes from ISPs Cisco ISP Workshops 16

137 Default from All ISPs Low memory/cpu solution ISP sends BGP default => ISP decided by IGP metrics to reach default You send all your routes to ISP =>inbound path decided by Internet You can influence using AS-path prepend Cisco ISP Workshops 17

138 Default from All ISPs Customer AS /8 ISP ISP AS 2 AS 1 AS 3 D E A C B C Chooses Lowest IGP Metric to Default Cisco ISP Workshops 18

139 Customer+Default from All ISPs Medium memory and CPU Best path usually shortest AS-path Use local-preference to override based on prefix, as-path, or community IGP metric to default used for all other destinations Cisco ISP Workshops 19

140 Customer Routers from All ISPs Customer AS /8 ISP AS 2 ISP AS 3 D E C Chooses Shortest AS Path A AS 1 B C Cisco ISP Workshops 20

141 Customer Routes from All ISPs Customer AS /8 ISP AS 2 ISP AS 3 D 800 E C Chooses Highest Local-Preference A AS AS C B ip prefix-list AS4 permit /8 route-map AS3in permit 10 match ip address prefix-list AS4 set local-preference 800 Cisco ISP Workshops 21

142 Customer Routes from All ISPs Tier 1 ISP AS 4 Tier 1 ISP AS 5 AS 6 Tier 2 ISP AS 2 D E Tier 2 ISP AS3 A AS 1 B AS400 Takes Sub- Optimal AS Path C Cisco ISP Workshops 22

143 Full Routes from All ISPs Higher memory/cpu solution Reach all destinations by best path usually shortest AS path Can still manually tune using local-pref and as-path/community/prefix matches Cisco ISP Workshops 23

144 Full Routes from All ISPs Tier 1 ISP AS 4 Tier 1 ISP AS 5 AS 6 Tier 2 ISP AS 2 D E Tier 2 ISP AS3 A AS 1 B C Chooses Shortest AS Path C Cisco ISP Workshops 24

145 Controlling Inbound Traffic? Inbound is very difficult due to lack of transitive metric Can divide outgoing updates across providers, but what happens to redundancy? Cisco ISP Workshops 25

146 Controlling Inbound Traffic? (Cont.) Bad Internet citizen: Divide address space Set as-path prepend Good Internet citizen Divide address space Use advertise maps Cisco ISP Workshops 26

147 Using AS-PATH Prepend / to 10.1/16 Customer AS / (best) / (best) / ISP AS 2 ISP AS 3 D E A 10.1/16 AS 1 C B 10.2/16 router bgp 1 neighbor remote-as 3 neighbor route-map AS3out out ip prefix-list AS1 permit /16 route-map AS3out permit 10 match ip address prefix-list AS1 set as-path prepend 1 Cisco ISP Workshops 27

148 Using an Advertise-Map 1.10/ /24 auto-inject ISP1 R / /24 access-list 1 permit !Advertise when... access-list 2 permit ! this disappears neighbor <R1> advertise-map am non-exist-map bb route-map am permit 10 match ip address 1 route-map bb permit match ip address 2 ISP2 R / /24 R R /24 Cisco ISP Workshops 28

149 So Far Stability through: Aggregation Multihoming Inbound/outbound filtering Scalability of memory/cpu: Default, customer routes, full routes Simplicity using standard solutions Cisco ISP Workshops 29

150 Summary Scalability: Use attributes, especially community Use peer groups and route reflectors Stability: Use loopback addresses for IBGP Generate aggregates Apply passwords Always filter inbound and outbound Cisco ISP Workshops 30

151 Summary Simplicity standard solutions: Three multihoming options Group customers into communities Apply standard policy at the edge Avoid special configs Script your config generation Cisco ISP Workshops 31

152 RST _05_2003_c1 32

153 BGP Scaling Techniques Cisco ISP Workshops 1

154 BGP Scaling Techniques How to scale ibgp mesh beyond a few peers? How to implement new policy without causing flaps and route churning? How to reduce the overhead on the routers? Cisco ISP Workshops 2

155 BGP Scaling Techniques Dynamic reconfiguration Peer groups Route flap damping Route reflectors (Confederations) Cisco ISP Workshops 3

156 Dynamic Reconfiguration Route Refresh and Soft Reconfiguration Cisco ISP Workshops 4

157 Route Refresh Problem: Hard BGP peer reset required after every policy change because the router does not store prefixes that are rejected by policy Hard BGP peer reset: Consumes CPU Severely disrupts connectivity for all networks Solution: Route Refresh Cisco ISP Workshops 5

158 Route Refresh Capability Facilitates non-disruptive policy changes No configuration is needed No additional memory is used Requires peering routers to support route refresh capability RFC2918 clear ip bgp x.x.x.x in tells peer to resend full BGP announcement clear ip bgp x.x.x.x out resends full BGP announcement to peer Cisco ISP Workshops 6

159 Dynamic Reconfiguration Use Route Refresh capability if supported Find out from show ip bgp neighbor Non-disruptive, Good For the Internet Otherwise use Soft Reconfiguration IOS feature Only hard-reset a BGP peering as a last resort Consider the impact to be equivalent to a router reboot Cisco ISP Workshops 7

160 Soft Reconfiguration Router normally stores prefixes which have been received from peer after policy application Enabling soft-reconfiguration means router also stores prefixes/attributes received prior to any policy application New policies can be activated without tearing down and restarting the peering session Configured on a per-neighbour basis Uses more memory to keep prefixes whose attributes have been changed or have not been accepted Also advantageous when operator requires to know which prefixes have been sent to a router prior to the application of any inbound policy Cisco ISP Workshops 8

161 Soft Reconfiguration peer soft normal BGP in table received BGP in process received and used BGP table discarded accepted peer BGP out process Cisco ISP Workshops 9

162 Configuring Soft Reconfiguration router bgp 100 neighbor remote-as 101 neighbor route-map infilter in neighbor soft-reconfiguration inbound! Outbound does not need to be configured! Then when we change the policy, we issue an exec command clear ip bgp soft [in out] Cisco ISP Workshops 10

163 Managing Policy Changes Ability to clear the BGP sessions of groups of neighbours configured according to several criteria clear ip bgp <addr> [soft] [in out] <addr> may be any of the following x.x.x.x * all peers ASN external peer-group <name> IP address of a peer all peers in an AS all external peers all peers in a peer-group Cisco ISP Workshops 11

164 Peer Groups Cisco ISP Workshops 12

165 Peer Groups Problem how to scale ibgp Large ibgp mesh slow to build ibgp neighbours receive the same update Router CPU wasted on repeat calculations Solution peer-groups Group peers with the same outbound policy Updates are generated once per group Cisco ISP Workshops 13

166 Peer Groups Advantages Makes configuration easier Makes configuration less prone to error Makes configuration more readable Lower router CPU load ibgp mesh builds more quickly Members can have different inbound policy Can be used for ebgp neighbours too! Cisco ISP Workshops 14

167 Configuring a Peer Group router bgp 100 neighbor ibgp-peer peer-group neighbor ibgp-peer remote-as 100 neighbor ibgp-peer update-source loopback 0 neighbor ibgp-peer send-community neighbor ibgp-peer route-map outfilter out neighbor peer-group ibgp-peer neighbor peer-group ibgp-peer neighbor route-map infilter in neighbor peer-group ibgp-peer! note how has different inbound filter from peer-group! Cisco ISP Workshops 15

168 Configuring a Peer Group router bgp 100 neighbor external-peer peer-group neighbor external-peer send-community neighbor external-peer route-map set-metric out neighbor remote-as 200 neighbor peer-group external-peer neighbor remote-as 300 neighbor peer-group external-peer neighbor remote-as 400 neighbor peer-group external-peer neighbor filter-list infilter in Cisco ISP Workshops 16

169 Peer Groups Always configure peer-groups for ibgp Even if there are only a few ibgp peers Easier to scale network in the future Consider using peer-groups for ebgp Especially useful for multiple BGP customers using same AS (RFC2270) Also useful at Exchange Points where ISP policy is generally the same to each peer Cisco ISP Workshops 17

170 Route Flap Damping Stabilising the Network Cisco ISP Workshops 18

171 Route Flap Damping Route flap Going up and down of path or change in attribute BGP WITHDRAW followed by UPDATE = 1 flap ebgp neighbour going down/up is NOT a flap Ripples through the entire Internet Wastes CPU Damping aims to reduce scope of route flap propagation Cisco ISP Workshops 19

172 Route Flap Damping (continued) Requirements Fast convergence for normal route changes History predicts future behaviour Suppress oscillating routes Advertise stable routes Implementation described in RFC 2439 Cisco ISP Workshops 20

173 Operation Add penalty (1000) for each flap Change in attribute gets penalty of 500 Exponentially decay penalty half life determines decay rate Penalty above suppress-limit do not advertise route to BGP peers Penalty decayed below reuse-limit re-advertise route to BGP peers penalty reset to zero when it is half of reuse-limit Cisco ISP Workshops 21

174 Operation Suppress limit Penalty Reuse limit Time Network Announced Network Not Announced Network Re-announced Cisco ISP Workshops 22

175 Operation Only applied to inbound announcements from ebgp peers Alternate paths still usable Controlled by: Half-life (default 15 minutes) reuse-limit (default 750) suppress-limit (default 2000) maximum suppress time (default 60 minutes) Cisco ISP Workshops 23

176 Configuration Fixed damping router bgp 100 bgp dampening [<half-life> <reuse-value> <suppresspenalty> <maximum suppress time>] Selective and variable damping bgp dampening [route-map <name>] route-map <name> permit 10 match ip address prefix-list FLAP-LIST set dampening [<half-life> <reuse-value> <suppresspenalty> <maximum suppress time>] ip prefix-list FLAP-LIST permit /24 le 32 Cisco ISP Workshops 24

177 Operation Care required when setting parameters Penalty must be less than reuse-limit at the maximum suppress time Maximum suppress time and half life must allow penalty to be larger than suppress limit Cisco ISP Workshops 25

178 Configuration Examples bgp dampening reuse-limit of 750 means maximum possible penalty is 3000 no prefixes suppressed as penalty cannot exceed suppress-limit Examples bgp dampening reuse-limit of 2000 means maximum possible penalty is 8000 suppress limit is easily reached Cisco ISP Workshops 26

179 Configuration Examples bgp dampening reuse-limit of 500 means maximum possible penalty is 2000 no prefixes suppressed as penalty cannot exceed suppress-limit Examples bgp dampening reuse-limit of 750 means maximum possible penalty is 6000 suppress limit is easily reached Cisco ISP Workshops 27

180 Maths! Maximum value of penalty is Always make sure that suppress-limit is LESS than max-penalty otherwise there will be no route damping Cisco ISP Workshops 28

181 Enhancements Selective damping based on AS-path, Community, Prefix Variable damping recommendations for ISPs Flap statistics show ip bgp neighbor <x.x.x.x> [dampened-routes flap-statistics] Cisco ISP Workshops 29

182 Route Reflectors Scaling the ibgp mesh Cisco ISP Workshops 30

183 Scaling ibgp mesh Avoid ½ n(n-1) ibgp mesh n=1000 nearly half a million ibgp sessions! 13 Routers 78 ibgp Sessions! Two solutions Route reflector simpler to deploy and run Confederation more complex, has corner case advantages Cisco ISP Workshops 31

184 Route Reflector: Principle Route Reflector A AS 100 B C Cisco ISP Workshops 32

185 Route Reflector Reflector receives path from clients and non-clients Clients Selects best path If best path is from client, reflect to other clients and non-clients If best path is from non-client, reflect to clients only Non-meshed clients B A AS 100 Reflectors C Described in RFC2796 Cisco ISP Workshops 33

186 Route Reflector Topology Divide the backbone into multiple clusters At least one route reflector and few clients per cluster Route reflectors are fully meshed Clients in a cluster could be fully meshed Single IGP to carry next hop and local routes Cisco ISP Workshops 34

187 Route Reflectors: Loop Avoidance Originator_ID attribute Carries the RID of the originator of the route in the local AS (created by the RR) Cluster_list attribute The local cluster-id is added when the update is sent by the RR Cluster-id is router-id (address of loopback) Do NOT use bgp cluster-id x.x.x.x Cisco ISP Workshops 35

188 Route Reflectors: Redundancy Multiple RRs can be configured in the same cluster not advised! All RRs in the cluster must have the same cluster-id (otherwise it is a different cluster) A router may be a client of RRs in different clusters Common today in ISP networks to overlay two clusters redundancy achieved that way fi Each client has two RRs = redundancy Cisco ISP Workshops 36

189 Route Reflector: Benefits Solves ibgp mesh problem Packet forwarding is not affected Normal BGP speakers co-exist Multiple reflectors for redundancy Easy migration Multiple levels of route reflectors Cisco ISP Workshops 37

190 Route Reflectors: Migration Where to place the route reflectors? Follow the physical topology! This will guarantee that the packet forwarding won t be affected Configure one RR at a time Eliminate redundant ibgp sessions Place one RR per cluster Cisco ISP Workshops 38

191 Route Reflector: Migration A AS 300 B AS 100 D C AS 200 E F G Migrate small parts of the network, one part at a time. Cisco ISP Workshops 39

192 Configuring a Route Reflector router bgp 100 neighbor remote-as 100 neighbor route-reflector-client neighbor remote-as 100 neighbor route-reflector-client neighbor remote-as 100 neighbor route-reflector-client Cisco ISP Workshops 40