BGP Overview
• Open Standards Based
– RFC 4271 “A Border Gateway Protocol 4 (BGP-4)”
• Classless path vector routing protocol
– Uses multiple “attributes” for routing decision
– Supports VLSM and summarization
– Extensible
• IPv4 Multicast, IPv6, MPLS, etc.
BGP ASNs
• Autonomous System (AS)
– “…a set of routers under a single technical administration, using an interior gateway protocol (IGP) and common metrics to determine how to route packets within the AS, and using an inter-AS routing protocol to determine how to route packets to other ASes.” (RFC 4271)
• ASNs are allocated by Internet Assigned Numbers Authority (IANA)
– http://www.iana.org/numbers/
BGP ASN Values
• Originally 2-byte field
– Values 0-65535
– Public ASNs 1-64511
– Private ASNs 64512-65535
• Currently 4-byte field
– RFC 4893 “BGP Support for Four-octet AS Number Space”
– IOS support as of 12.4(24)T
4-Byte BGP ASNs
• 0.0 – 65535.65535 notation
– 0.[0-65535] denote original 2-byte ASNs
• Requires backwards compatibility with old code
– 4 Byte ASN support negotiated during capability exchange
– “Old” BGP speakers are sent ASdot numbers encoded as ASN “23456”
– Real AS-Path encoded with optional transitive attributes AS4_AGGREGATOR and AS4_PATH
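The asdot notation and the AS_TRANS (23456) substitution described above, worked through as an added example (this is not code from the slides or from any vendor implementation). It models only AS_SEQUENCE segments; the AS_SET handling and the AS4_AGGREGATOR attribute are left out, and the `reconstruct_path` merge follows the RFC 4893 rule for a receiver that gets both AS_PATH and AS4_PATH from a 2-byte-only peer.

```python
# Added example (not from the slides): asdot+ notation for 4-byte ASNs and the
# AS_TRANS substitution an RFC 4893 speaker performs for a 2-byte-only peer.
from typing import List, Optional, Tuple

AS_TRANS = 23456        # reserved 2-byte ASN that stands in for any 4-byte ASN
MAX_2BYTE = 0xFFFF
MAX_4BYTE = 0xFFFFFFFF


def to_asdot_plus(asn: int) -> str:
    """Render an ASN as 'high.low'; the original 2-byte ASNs come out as 0.N."""
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of 32-bit range: {asn}")
    return f"{asn >> 16}.{asn & MAX_2BYTE}"


def from_asdot(text: str) -> int:
    """Parse 'high.low' (asdot/asdot+) or plain decimal back to an integer ASN."""
    text = text.strip()
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= MAX_2BYTE and 0 <= low <= MAX_2BYTE):
            raise ValueError(f"bad asdot value: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of 32-bit range: {text}")
    return asn


def as_path_for_peer(as_path: List[int],
                     peer_supports_4byte: bool) -> Tuple[List[int], Optional[List[int]]]:
    """Build the (AS_PATH, AS4_PATH) pair to send to one peer.

    A 4-byte-capable peer (negotiated in the OPEN capability exchange) receives
    the real path and no AS4_PATH. An old peer receives AS_TRANS in place of
    every 4-byte ASN, and the real path rides in the optional transitive
    AS4_PATH attribute, which that peer passes along untouched.
    """
    if peer_supports_4byte:
        return list(as_path), None
    mapped = [AS_TRANS if asn > MAX_2BYTE else asn for asn in as_path]
    needs_as4 = any(asn > MAX_2BYTE for asn in as_path)
    return mapped, (list(as_path) if needs_as4 else None)


def reconstruct_path(as_path: List[int], as4_path: Optional[List[int]]) -> List[int]:
    """What a 4-byte-capable receiver does when AS4_PATH arrives via old peers.

    Old speakers in between prepend their own 2-byte ASN to AS_PATH but cannot
    touch AS4_PATH, so AS_PATH grows longer: the leading extra entries are kept
    and the rest is replaced by AS4_PATH. An AS4_PATH longer than AS_PATH is
    ignored, as RFC 4893 requires.
    """
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    extra = len(as_path) - len(as4_path)
    return list(as_path[:extra]) + list(as4_path)


if __name__ == "__main__":
    # Constructed sample: AS 1.0 (65536) originates a prefix, old AS 300 forwards it.
    sent, as4 = as_path_for_peer([65536, 100], peer_supports_4byte=False)
    print("AS_PATH to old peer:", sent, "AS4_PATH:", as4)
    seen_downstream = [300] + sent
    print("Reconstructed at next 4-byte speaker:", reconstruct_path(seen_downstream, as4))
```

Running the script shows the old peer's view, `[23456, 100]`, and the reconstructed path `[300, 65536, 100]` at the next 4-byte-capable router, which is why a 2-byte-only router in the middle of a path sees several hops collapse into 23456 but loop detection on the real ASNs still works once the update reaches a capable speaker.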
Establishing BGP Peerings
• Like IGP, first step in BGP is to find neighbors to exchange information with
• Unlike IGP…
– BGP does not have its own transport
– BGP has different types of neighbors
– BGP neighbors are not discovered
– BGP neighbors do not have to be connected
BGP Transport
• BGP uses TCP port 179 for transport
– Implies that BGP needs IGP first
• BGP neighbor statement tells process to…
– Listen for remote address via TCP 179
– Initiate a session to remote address via TCP 179
– If collision, higher router-id becomes TCP client
• TCP server must agree on where client’s session is coming from
– If server does not expect session it will refuse
• Client’s packet is sourced from outgoing interface in the routing table
– Can be modified with update-source per neighbor
BGP Peering Types
• External BGP (EBGP) Peers
– Neighbors outside my Autonomous System
• Internal BGP (iBGP) Peers
– Neighbors inside my Autonomous System
• Update and path selection rules change depending on what type of peer a route is being sent to/received from
EBGP Peering Rules
• EBGP packets default to TTL 1
– Can be modified if neighbors are multiple hops away
• neighbor ebgp-multihop [ttl]
• neighbor ttl-security hops [ttl]
• Non multi-hop peers must be directly connected by default
– Can be modified if connected neighbors peer via Loopbacks
• neighbor disable-connected-check
• Loop prevention via AS-Path
– Local ASN is “prepended” to outbound updates
– Inbound updates containing local ASN are discarded
– Can be modified with neighbor allowas-in
• Next-hop Processing
– Outbound EBGP updates have local update-source for neighbor set as next-hop
• E.g. if update-source is Loopback0, next-hop is Loopback0
– Can be modified with route-map action set ip next-hop but typically shouldn’t
• E.g. “Third Party” next-hop
iBGP Peering Rules
• iBGP packets default to TTL 255
– Implies neighbors do not have to be connected as long as IGP reachability exists
• Loop prevention via route filtering
– iBGP learned routes cannot be advertised on to another iBGP neighbor
– Implies need for either…
• Fully meshed iBGP peerings
• Route reflection
• Confederation
• Next-hop Processing
– Outbound iBGP updates do not modify the next-hop attribute regardless of iBGP peer type
• iBGP peer
• Route Reflector’s client peer
• Route Reflector’s non-client peer
• Confederation EBGP peer
– Can be modified with neighbor next-hop-self or route-map action set ip next-hop
iBGP Route Reflection
• Eliminates need for full mesh
– Only need peering(s) to the RR(s)
• Like OSPF DR & IS-IS DIS, minimizes prefix replication
– Send one update to the RR
– RR sends the update to its “clients”
• Loop prevention through Cluster-ID
– RR discards routes received with its own Cluster-ID
– Does not modify other attributes such as next-hop
Route Reflector Peerings
• Route reflector can have three types of peers
– EBGP peers
• Neighbor in different AS
– Client peers
• iBGP peers with route-reflector-client
– Non-Client peers
• iBGP peers without route-reflector-client
Route Reflector Update Processing
• RR processes updates differently depending on what type of peer they came from
– EBGP learned routes…
• Can be advertised to EBGP peers, Clients, & Non-Clients
– Client learned routes…
• Can be advertised to EBGP peers, Clients, & Non-Clients
– Non-Client learned routes…
• Can be advertised to EBGP peers & Clients
• RR placement based upon these rules
Large Scale Route Reflection
• Larger scale BGP designs cannot be serviced by only a single RR
– Single RR is a single point of failure
• RR “clusters” allow redundancy and hierarchy
– Cluster is defined by the clients a RR serves
– RRs in the same cluster use the same Cluster-ID
• Inter-Cluster peerings between RRs can be client or non-client peerings
– Depends on redundancy design
BGP Confederation
• Reduces full mesh iBGP requirement by splitting AS into smaller Sub-ASes
– Inside Sub-AS full mesh or RR requirement remains
– Between Sub-AS acts like EBGP
• Devices outside the confederation do not know about the internal structure
– Sub-AS numbers are stripped from advertisements to “true” EBGP peers
• Typically uses ASNs in private range (64512 – 65535)
BGP Confederation Configuration
• Enable the BGP process
– router bgp [sub-as]
• Specify the main AS number
– bgp confederation-id [main-as]
• Specify other Sub-ASes that you peer with
– bgp confederation-peers [sub-as1 sub-asn]
– Not all Sub-ASes, just those directly peered with
BGP NLRI Advertisements
• BGP NLRI can be originated by…
– network statement
• Requires exact match in the routing table first
– redistribute statement
• Won’t include OSPF External by default
– aggregate-address statement
• Requires one subnet in BGP table first
– bgp inject-map statement
• Opposite of aggregation
BGP Network Statement
• Originates prefixes with ORIGIN of IGP (i)
• Requires exact match in the routing table
– Does not have to be a connected prefix, can be learned via IGP
• Without mask keyword assumes classful mask
BGP Redistribute Statement
• Originates prefixes with ORIGIN of INCOMPLETE (?)
• Originates classful summary if auto-summary is enabled
• Automatically copies IGP metric to BGP MED
• Won’t include OSPF External by default
– redistribute ospf [pid] match internal external
BGP Aggregation
• Can be applied at any point in the network as long as one subnet is in the BGP table
• Configured as aggregate-address [network] [mask] [args]
• Arguments are…
– summary-only
– suppress-map
– attribute-map | route-map
– as-set
– advertise-map
BGP Conditional Route Injection
• Originates subnet(s) from aggregate for purpose of longest match traffic engineering
• Configured as bgp inject-map [inject-map] exist-map [exist-map] [copy-attributes]
– Inject Map
• Subnet to be advertised
• set ip address prefix-list [list]
– Exist Map
• Aggregate to be originated from
• match ip address prefix-list [list]
• match ip route-source prefix-list [list]
BGP Best Path Selection
• Chooses which routes can be…
– Installed in the RIB/FIB
– Advertised to other BGP peers
• In general path selection is standardized
– RFC 4271 Section 9.1. “Decision Process”
– Cisco-specific order: search www.cisco.com for “BGP Best Path Selection Algorithm”
Best Path Selection Prerequisites
• Next-hop value must be in the routing table
– Prevents route recursion failure
• Synchronization rule must be met or disabled
– Legacy black-hole prevention technique
• AS-Path must not contain Local-AS
– Normal EBGP loop prevention
• First ASN in path must be neighbor’s ASN
– bgp enforce-first-as command
Best Path Selection Order
• Weight
• Local Preference
• Locally Originated
• AS-Path
• Origin
• MED
• EBGP over iBGP
• IGP Metric to Next-Hop
• Tie breakers
– Oldest
– Lowest RID
– Shortest Cluster List
– Lowest Neighbor Address
Best Path Selection Exceptions
• AS-Path
– bgp bestpath as-path ignore
• MED
– bgp always-compare-med
– bgp bestpath med-confed
• Compares MED for routes locally originated in the Confederation
– bgp bestpath med missing-as-worst
• Assigns a MED of 4,294,967,294 to paths that carry no MED
– bgp deterministic-med
• Compare MED against all possible paths
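The selection order listed above and the MED exceptions, modelled as an added example (not code from the slides). The `Path` class and the `best_path` eliminator are assumptions of this model: each step keeps only the candidates with the best value and stops when one remains, MED is compared only between paths whose first ASN is the same neighbouring AS unless `always_compare_med` is set, and a missing MED counts as 0 or as 4,294,967,294 depending on `missing_as_worst`. The per-neighbour-AS grouping that `bgp deterministic-med` performs is not modelled.

```python
# Added example (not from the slides): a simplified model of the best path order
# with the always-compare-med, missing-as-worst and as-path ignore knobs.
from dataclasses import dataclass, field
from typing import Callable, List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}     # IGP < EGP < INCOMPLETE
MISSING_MED_WORST = 4_294_967_294           # value assigned with missing-as-worst


@dataclass
class Path:
    name: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "i"
    med: Optional[int] = None               # None = attribute absent
    ebgp: bool = True
    igp_metric: int = 0
    age: int = 0                            # larger = older path
    router_id: str = "0.0.0.0"
    cluster_list_len: int = 0
    neighbor_addr: str = "0.0.0.0"


def _ip_key(addr: str):
    """Dotted-quad to a tuple so 'lowest address' compares numerically."""
    return tuple(int(octet) for octet in addr.split("."))


def effective_med(path: Path, missing_as_worst: bool = False) -> int:
    """A missing MED counts as 0 (best) by default, or as the worst value."""
    if path.med is None:
        return MISSING_MED_WORST if missing_as_worst else 0
    return path.med


def best_path(paths: List[Path], always_compare_med: bool = False,
              missing_as_worst: bool = False, as_path_ignore: bool = False) -> Path:
    """Eliminate candidates step by step until one path remains."""
    cands = list(paths)

    def keep(key: Callable[[Path], object], prefer_max: bool) -> None:
        nonlocal cands
        values = [key(p) for p in cands]
        best = max(values) if prefer_max else min(values)
        cands = [p for p, v in zip(cands, values) if v == best]

    steps = [
        (lambda p: p.weight, True),                               # highest weight
        (lambda p: p.local_pref, True),                           # highest local-pref
        (lambda p: p.locally_originated, True),                   # locally originated
        (lambda p: 0 if as_path_ignore else len(p.as_path), False),  # shortest AS-path
        (lambda p: ORIGIN_RANK[p.origin], False),                 # lowest origin
        "med",                                                    # lowest MED (conditional)
        (lambda p: p.ebgp, True),                                 # EBGP over iBGP
        (lambda p: p.igp_metric, False),                          # lowest IGP metric to next-hop
        (lambda p: p.age, True),                                  # oldest
        (lambda p: _ip_key(p.router_id), False),                  # lowest RID
        (lambda p: p.cluster_list_len, False),                    # shortest cluster list
        (lambda p: _ip_key(p.neighbor_addr), False),              # lowest neighbor address
    ]
    for step in steps:
        if len(cands) == 1:
            break
        if step == "med":
            # MED is only comparable between paths from the same neighbouring
            # AS (first ASN in the path) unless always-compare-med is set.
            neighbor_as = {p.as_path[0] if p.as_path else None for p in cands}
            if always_compare_med or len(neighbor_as) == 1:
                keep(lambda p: effective_med(p, missing_as_worst), False)
            continue
        key, prefer_max = step
        keep(key, prefer_max)
    return cands[0]


if __name__ == "__main__":
    # Constructed sample: same prefix from AS 100 (MED 50) and AS 200 (MED 10).
    via_100 = Path("via AS100", as_path=[100], med=50, router_id="1.1.1.1")
    via_200 = Path("via AS200", as_path=[200], med=10, router_id="2.2.2.2")
    print("default:           ", best_path([via_100, via_200]).name)
    print("always-compare-med:", best_path([via_100, via_200], always_compare_med=True).name)
```

The constructed sample is the classic surprise: with the default behaviour the lower MED from AS 200 is never looked at, the comparison falls through to the lowest router-id and AS 100 wins; only `bgp always-compare-med` makes the MED decide.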
Manipulating Best Path Selection
• Outbound routing policy affects inbound traffic
• Inbound routing policy affects outbound traffic
• Weight & Local-Preference
– Set inbound
– Affects outbound traffic
• AS-Path & MED
– Set outbound
– Affects inbound traffic
BGP Communities
• BGP’s implementation of a “route tag”
• Used to group prefixes together for…
– Advertisement policy
– Filtering policy
– Best Path Selection policy
• Community is an optional transitive attribute
– Not exchanged between peers by default
– neighbor [address] send-community
BGP Community Values
• Standard Community is 4-byte value
• Can be denoted as…
– Decimal (0 – 4294967296)
– AA:NN (0:0 – 65535:65535)
• ip bgp-community new-format
– Same binary value regardless of visual format
• Three “Well-Known” values are reserved
BGP Well-Known Communities
• No-Export (0xFFFFFF01)
– Don’t advertise to EBGP peers
• No-Advertise (0xFFFFFF02)
– Don’t advertise to any peers
• Local-AS (0xFFFFFF03)
– Don’t advertise to Confederation EBGP peers
– RFC defines as NO_EXPORT_SUBCONFED
Matching and Setting Communities
• Set occurs directly in route-map
– set community {community-number [additive] [well-known-community] | none}
– Not “additive” by default
• Match occurs via community list
– Define list
• Standard list matches community name or number
– ip community-list 1 standard permit no-export
• Expanded matches regular expression
– ip community-list expanded AS100 permit 100:[0-9]+
– Reference from route-map
• match community AS100
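The community value formats, the three well-known values and the set/match operations from the last three slides, as an added example (not code from the slides or from IOS). Assumptions: `set_community` models the route-map action with and without `additive`, and `ExpandedCommunityList` is a one-line permit list whose regex is run against the attribute rendered as space-separated AA:NN values, unanchored, which is how a pattern like `100:[0-9]+` also matches `1100:5`.

```python
# Added example (not from the slides): community encoding, well-known values,
# the route-map "set community" action and an expanded community-list match.
import re
from typing import Iterable, List

MAX_COMMUNITY = 0xFFFFFFFF
WELL_KNOWN = {
    0xFFFFFF01: "no-export",        # do not advertise to EBGP peers
    0xFFFFFF02: "no-advertise",     # do not advertise to any peer
    0xFFFFFF03: "local-AS",         # NO_EXPORT_SUBCONFED in the RFC
}
NAME_TO_VALUE = {name.lower(): value for value, name in WELL_KNOWN.items()}


def to_aa_nn(value: int) -> str:
    """Render a 4-byte community as AA:NN (the 'ip bgp-community new-format' view)."""
    if not 0 <= value <= MAX_COMMUNITY:
        raise ValueError(f"community out of 32-bit range: {value}")
    return f"{value >> 16}:{value & 0xFFFF}"


def parse_community(text: str) -> int:
    """Accept decimal, AA:NN or a well-known name; all map to the same 32-bit value."""
    text = text.strip()
    if text.lower() in NAME_TO_VALUE:
        return NAME_TO_VALUE[text.lower()]
    if ":" in text:
        aa, nn = (int(part) for part in text.split(":", 1))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError(f"bad AA:NN community: {text}")
        return (aa << 16) | nn
    value = int(text)
    if not 0 <= value <= MAX_COMMUNITY:
        raise ValueError(f"community out of 32-bit range: {text}")
    return value


def set_community(existing: Iterable[int], new: Iterable[str],
                  additive: bool = False) -> List[int]:
    """Model the route-map action: replace the attribute unless 'additive' is given."""
    new_values = {parse_community(c) for c in new}
    merged = (set(existing) | new_values) if additive else new_values
    return sorted(merged)


class ExpandedCommunityList:
    """ip community-list expanded <name> permit <regex>, matched against the
    attribute rendered as space-separated AA:NN values. The search is unanchored,
    so anchor the pattern yourself when an exact AA is required."""

    def __init__(self, name: str, pattern: str) -> None:
        self.name = name
        self.regex = re.compile(pattern)

    def matches(self, communities: Iterable[int]) -> bool:
        rendered = " ".join(to_aa_nn(c) for c in sorted(communities))
        return self.regex.search(rendered) is not None


if __name__ == "__main__":
    # Constructed sample: tag a prefix 100:5 plus no-export, then test the list.
    attr = set_community([], ["100:5", "no-export"])
    print([to_aa_nn(c) for c in attr])              # ['100:5', '65535:65281']
    as100 = ExpandedCommunityList("AS100", r"100:[0-9]+")
    print("AS100 matches:", as100.matches(attr))    # True
```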
Regular Expressions
• Used for string matching in…
– Show command outputs
– TCL/EEM scripting
– BGP AS-Path Access Lists
– BGP Expanded Community Lists
• Documented in…
– Cisco IOS Terminal Services Configuration Guide
• Appendixes
– Regular Expressions
BGP Filtering
• BGP Update filtering occurs on a per peer basis with…
– neighbor [address] distribute-list
– neighbor [address] filter-list
– neighbor [address] prefix-list
– neighbor [address] route-map
• Using route-maps avoids order of operations issues
BGP Convergence
• Convergence based on timers and fallover
• Lowest timers are negotiated during peering establishment
• Timers bgp…
• neighbor 1.2.3.4 timers…
• EBGP neighbor on connected interface
• By default if interface goes down peering is reset
BGP Conditional Advertisement
• Path selection order
• Weight
• Local-preference
• AS-Path
• MED
• Implies that inbound policy can always override outbound policy
• You have control over how traffic leaves your
• Conditional advertisement allows absolute control over inbound traffic flow through route suppression
• “advertise-map” & “non-exist-map”
• Advertise prefix matched in advertise-map if prefix matched in non-exist-map does not exist
• Typically used to track failure of a transit link
BGP Outbound Route Filtering
• In the traditional filtering model the upstream provider will send…
• Full BGP table
• Default only
• Default plus local
• No complex view
• Inbound filtering on downstream neighbor
• Inefficient because full view must still be
Configuring BGP ORF
• Activate neighbor in IPv4 address family
• “address-family ipv4-unicast”
• “neighbor 1.2.3.4 activate”
• “bgp default ipv4-unicast” is default option
• Configure upstream neighbor to accept ORF prefix
• “neighbor 1.2.3.4 capability orf prefix-list receive”
BGP Local AS
• Local-AS feature used during AS number migration
• neighbor 1.2.3.4 local-as 100
• Tell neighbor 1.2.3.4 that my AS number is 100
• No-Prepend
• Inbound updates should not contain the Local AS
BGP Allow AS In
• EBGP loop prevention
• Do not accept routes with your own AS in the path
• Allow-as-in permits the reception
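The EBGP AS-path loop rules from the “EBGP Peering Rules” slide, the enforce-first-as prerequisite and the allowas-in exception above, as an added example from the receiving router's side (not code from the slides or from IOS). The function names are assumptions; `allowas_in` is the number of times the local ASN may appear before the update is discarded, with 0 giving the default discard behaviour.

```python
# Added example (not from the slides): outbound AS-path prepend and the inbound
# loop check with the allowas-in and enforce-first-as knobs.
from typing import List, Tuple


def prepend_local_as(as_path: List[int], local_as: int, extra: int = 0) -> List[int]:
    """Outbound EBGP update: the local ASN is prepended once, plus any manual prepends."""
    return [local_as] * (1 + extra) + list(as_path)


def accept_ebgp_update(as_path: List[int], local_as: int, neighbor_as: int,
                       allowas_in: int = 0, enforce_first_as: bool = True) -> Tuple[bool, str]:
    """Decide whether an inbound EBGP AS-path is accepted and say why not otherwise."""
    # Prerequisite: the first ASN in the path must be the neighbor's own ASN.
    if enforce_first_as and (not as_path or as_path[0] != neighbor_as):
        return False, "first ASN is not the neighbor's ASN (bgp enforce-first-as)"
    # Normal loop prevention: our own ASN in the path means the update looped,
    # unless allowas-in raises the number of permitted occurrences.
    seen = as_path.count(local_as)
    if seen > allowas_in:
        return False, f"local AS {local_as} appears {seen} time(s), {allowas_in} allowed"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample: AS 100 sends to AS 200, which later sends it back.
    outbound = prepend_local_as([300], local_as=100)
    print("AS 100 advertises:", outbound)                      # [100, 300]
    returned = prepend_local_as(outbound, local_as=200)
    print("AS 200 returns:   ", returned)                      # [200, 100, 300]
    print(accept_ebgp_update(returned, local_as=100, neighbor_as=200))
    print(accept_ebgp_update(returned, local_as=100, neighbor_as=200, allowas_in=1))
```

The sample shows the update coming back with AS 100 already in the path: it is discarded by default and accepted only when `allowas_in` permits one occurrence, which is the case the slide describes (for example a site that sees its own ASN through a provider's hub).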