Professional Documents
Culture Documents
Torsten Neuber
tneuber@cisco.com
• Protocol Overview
• Using BGP Attributes
• Deploying IBGP
• Deploying EBGP
Connecting to an ISP
Being an ISP
• Focus on Stability, Scalability, and
Configuration Templates
Scalable
Stable
Simple
A C
AS 100 AS 101
B D
• 1: OPEN MESSAGE
Exchange AS, router ID, holdtime
Capability negotiation
• 2: NOTIFICATION
Example: “peer in wrong AS”
• 3: KEEPALIVE—when no updates
• 4: UPDATES (incremental)
1: ORIGIN 7: AGGREGATOR
2: AS-PATH 8: COMMUNITY
3: NEXT-HOP 9: ORIGINATOR_ID
4: MED 10: CLUSTER_LIST
5: LOCAL_PREF 14: MP_REACH_NLRI
6: ATOMIC_AGGREGATE 15: MP_UNREACH_NLRI
router bgp 1
bgp deterministic-med
no synchronization
no auto-summary
distance 200 200 200
• Configuration:
Router A 1.0.1.1 1.0.1.2
router bgp 1
neighbor 1.0.1.1 remote-as 1 If Redundant Paths Exist,
Router B Use Loopback Interfaces
router bgp 1 to Establish the Session
neighbor 1.0.1.2 remote-as 1
• Simplifies configuration
• All peer-group members have
a common outbound policy
• Updates generated once per peer group
• Members can have different
inbound policy
13 Routers =>
78 IBGP
Sessions!
n=1000 => Nearly
Half a Million
iBGP Sessions!
Backbone
RR
RRC RR
RR RRC
Cluster A RRC
RR
RR
Cluster C
Golden Rule Cluster B
of RR Loop Avoidance:
“RR Topology Should Follow RRC
Physical Topology”
RR
=> Be Careful with Loopback Peering!!!!
Cluster D
RST-243 © 2002, Cisco Systems, Inc. All rights reserved. 23
Route Reflectors
Clusters
Clients Clients
Lines Represent Both Physical Links and BGP Logical Connections
RST-243 © 2002, Cisco Systems, Inc. All rights reserved. 25
Route Reflectors—Terminology (Cont.)
• Route reflector
Router that reflects the iBGP information
• Client
Routers between which the RR reflects
updates (may be fully meshed among
themselves)
• Cluster
Set of one or more RRs and their clients
(may overlap)
• Non-client
iBGP neighbour outside the cluster
RST-243 © 2002, Cisco Systems, Inc. All rights reserved. 26
What Is a Route Reflector?
• Clusters may be
configured
hierarchically Level 1
Provides a
“natural”
method to limit routing
information sent to lower
levels
• Step 0:
full iBGP mesh A
B C
D
E
Logical Links
Physical AND Logical Links
• Step 1:
configure D A
as a RR; E
is the client
B C
D RR
E
Logical Links
Physical AND Logical Links
• Step 2:
eliminate A
unnecessary
iBGP links
B C
D RR
E
Logical Links
Physical AND Logical Links
• Step 3:
repeat for other A
clusters
and iBGP
links RR
B C
RR
D RR
E
Logical Links
Physical AND Logical Links
Router id
RR
1.3.1.1
• ORIGINATOR_ID
Router ID of IBGP speaker that injects
route into AS—applied by RR
• Useful for troubleshooting and
loop detection
• CLUSTER_LIST
String of CLUSTER_IDs through which the
route has passed
• Usually CLUSTER_ID=ROUTER_ID
• Overridden by: bgp cluster-id x.x.x.x—but
remember: don’t do this!!!!
• Useful for troubleshooting and
loop detection
cluster-id 3.0.0.1
1.0.0.1
Sub-AS
65530
AS 2
B Sub-AS
65531
Sub-AS
65532
• Example (cont.):
BGP table version is 78, local router ID is 141.153.17.1
Status codes: s suppressed, d damped, h history,
* valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0 141.153.14.3 0 100 0 (65531) 1 i
*> 141.153.0.0 141.153.30.2 0 100 0 (65530) i
*> 144.10.0.0 141.153.12.1 0 100 0 (65530) i
*> 199.10.10.0 141.153.29.2 0 100 0 (65530) 1 i
Anywhere
Medium
Confederations In the Yes Yes Medium
To High
Network
Route Anywhere
Reflectors In the Yes Yes Very High Very Low
Network
Communities:
1:100—Customer Routes
1:80— ISP Routes ISP 2
ISP 1
ISP 3 ISP 4
0.0.0.0
Customer 1 Customer 2
(no Default, (Uses Default,
Wants Full Routes) Wants Your Routes)
RST-243 © 2002, Cisco Systems, Inc. All rights reserved. 52
Problem: Scale Routing Policy
Solution: COMMUNITY
Match Community
1:100 1:80 Match Community
ISP 3 1:100 ISP 4
Customer 1 Customer 2
(no Default, (Uses Default,
Wants Full Routes) Wants Your Routes)
RST-243 © 2002, Cisco Systems, Inc. All rights reserved. 53
BGP Attributes: COMMUNITY
• Example 1:
Mark some prefixes as part of the 1:120 community
(+remove existing community!)
• Configuration:
router bgp 1
neighbor 10.0.0.1 remote-as 2
neighbor 10.0.0.1 send-community
neighbor 10.0.0.1 route-map set_community out
!
route-map set_community 10 permit
match ip address 1
set community 1:120
!
access-list 1 permit 10.10.0.0 0.0.255.255
RST-243 © 2002, Cisco Systems, Inc. All rights reserved. 57
Community Filters
• Example 2:
Set LOCAL_PREF depending on the community that
the prefix belongs to.
• Configuration:
router bgp 1
neighbor 10.0.0.1 remote-as 2
neighbor 10.0.0.1 route-map filter_on_community in
!
route-map filter_on_community 10 permit
match community 1
set local-preference 150
!
ip community-list 1 permit 2:150
• Steps
Configure neighbor
Advertise stable prefixes to your ISP
Set inbound policy
Set output policy
Configure loadsharing/multi-homing
AS 2
Router B:
router bgp 1 10.0.0.0
network 10.60.0.0 mask 255.255.0.0
.1 A
neighbor external peer-group
neighbor external remote-as 2
AS 1 Is a Customer
neighbor external description ISP connection
of ISP AS 2
neighbor external remove-private-AS
neighbor external version 4
neighbor external prefix-list ispout out ; “accident” filter 10.200.0.0
neighbor external route-map ispout out ; “real” filter
neighbor external route-map ispin in .2 B
neighbor external password 7 020A0559
10.60.0.0/16
neighbor external maximum-prefix 65000 [warning-only]
neighbor 10.200.0.1 peer-group external AS1
ip route 10.60.0.0 255.255.0.0 null0 254
• Sample logs:
The number of prefixes received from a peer
reaches 75% of the maximum configured:
%BGP-4-MAXPFX: No. of prefix received
from 44.1.1.2 reaches 3, max 4
The number of prefix exceeds the maximum
number of prefixes configured:
%BGP-3-MAXPFXEXCEED: No. of prefix
received from 44.1.1.2: 4 exceed limit 3
• Steps
Configure neighbor
Advertise stable prefixes to your ISP
Set inbound policy
Set output policy
Configure loadsharing/multi-homing
The first instinct for many people is to redistribute their IGP into BGP. This is a bad
idea for a couple of reasons:
First, IGPs tend to have a lot our routing activity as they route-around network
failures. This is the good an dproper behavior of an IGP. However, one of
primary goals of BGP is to hide “internal” rouring changes to your network
that have no impact on global routing. Remember it is common practice by
ISPs in the Internet to “dampen” unstable routes learned from the customers
of other ISPs.
Second, the subnetting used by an IGP is probably not of interest to the wider
Internet. As with good IGP design, you should attempt to “summarize” you
routes, so that you advertise the minimum number of routes to the Internet
routing tables. It’s everyone’s responsibility to try and minimize the size of the
Internet routing tables.
You can also use a route-map to adjust other BGP attributes. For example, you
may connect to your ISPs in two location, and generate two aggregates. You can
set the MEDs so that traffic for one aggregate will come into one link, and traffic to
the other will come in the other link (with both links providing a backup to the
other). Now I apply the routing policy.
• Steps
Configure neighbor
Advertise stable prefixes to your ISP
Set inbound policy
Set output policy
Configure loadsharing/multi-homing
Now let’s look at inbound policy. The roles of inbound policy are to protect you
against mistakes made by your ISP; to place routes into communities for
subsequent use in outbound policy; and to modify BGP attributes to allow us to
control which exit we use to send traffic to various destinations on the Internet.
To implement inbound policy I apply a route-map to the peer-group. Remember
than inbound-policy does NOT have to be the same for all peer-group members, so
I can apply different policies to different neighbors within a peer-group.
The route-map, which I’ve call ISPin does three things:
1) rejects any networks in prefix-list ISPout—this prefix lists contains the
prefixes I send to my ISP, so I should not expect to receive them back. I also
call a prefix list that rejects private address space and other “insane” or
“martian” (not on this planet!) routes.
2) applied a local-preference of 200 to all of the routes—perhaps because this
exist point is the primary exit point, and another connection to my ISP is the
backup, and uses the default local-preference of 100.
3) Put the routes in community 1:2, which signifies “routes I’ve learned from
my ISP”.
• Steps
Configure neighbor
Advertise stable prefixes to your ISP
Set inbound policy
Set output policy
Configure loadsharing/multi-homing
Now that inbound policy is set, I next setup the outbound policy. A common
mistake made by many enterprises that dual home it to take a full set of routes
from one ISP, and immediately send them up to the other ISP. This effectively says
the entire Internet is reachable through your network!!! Outbound policy prevents
this from occurring, so you can see why it’s critical.
I typically use primary outbound filter based on communities. I only send to my ISP
all of the routes originated in my network, which I identify with the community 1:1.
In smaller installations, where the number of prefixes in the network is small, I may
also use a prefix-list as a “backup” for the primary community filter. This does
nothing more than to help protect the world against my mistakes!!! :-)
I may also have configured some communities in agreement with my ISP. For
example, RFC1998 describes a way to indicate which of your ISPs is primary a
secondary for a particular set of routes.
Finally, you can configure any multihoming/loadsharing policy. You may want to
divide your address space, and make traffic to half of your network come in via one
ISP, and traffic for the other half come in through the other.
The previous slide shows my outbound policy. First, the prefix-list ISPout matches
all of the routes I intend to send to the Internet—in this case only one—life is
simple in the powerpoint world of network design :-) This prefix-list is my “backup”
in case I make a mistake with communities. I only used it on my connections to
my ISP.
The primary filter is based on communities. I match all communities in community-
list 1: ie, only community 1:1, corresponding to all the routes local to my network.
This assumes that on ingress to by BGP tables (either via EBGP sessions,
“network/aggregate-address”, or redistribution from an IGP, I have used a route-
map to set the community to 1:1.
Finally I add the outbound community to 1:3 community attribute. This is done to
meet some arbitrary agreement I’ve have made with my ISP on how it will treat
routes I put in this community.
• Steps
Configure neighbor
Advertise stable prefixes to your ISP
Set inbound policy
Set output policy
Configure loadsharing/multi-homing
Customer
AS 4
4.0.0.0/8
ISP ISP
AS 2 AS 3
D E
0.0.0.0 0.0.0.0
A B
AS 1
C Chooses Lowest
IGP Metric to Default
C
Customer
AS 4
4.0.0.0/8
ISP ISP
AS 2 AS 3
D E
A B
C Chooses AS 1
Shortest AS Path
C
RST-243 © 2002, Cisco Systems, Inc. All rights reserved. 90
Customer Routes from All ISPs
Customer
AS 4
4.0.0.0/8
ISP ISP
AS 2 AS 3
D 800 E
AS 2 AS3
D E
A B
AS 1
AS400 Takes Sub-
Optimal AS Path
C
AS 2 AS3
D E
A B
AS 1
C Chooses
Shortest AS Path
C
ISP
ISP
AS 2 AS 3
30.0.0.1
D E
router bgp 1
neighbor 30.0.0.1 remote-as 3
A B
neighbor 30.0.0.1 route-map AS3out out
AS 1 ip prefix-list AS1 permit 10.1.0.0/16
route-map AS3out permit 10
10.1/16 C 10.2/16
match ip address prefix-list AS1
set as-path prepend 1
• Stability through:
Aggregation/summary routes
Multihoming
Inbound/outbound policy
• Scalability of memory/CPU:
Default, customer routes, full routes
• Simplicity using “standard” solutions
Once you’ve configured the aggregate, the next step is to configure a stable MORE
SPECIFIC route in the BGP table. After all, your aggregate depends on the existing
of more specific routes, to you must ensure at least one of the more specific
routes is stable.
To do this, use the “network” command. Choose a more specific route than your
aggregate—a route that is used somewhere in route network. In the slide I’ve
chosen 10.60.1/24.
The network command will install a corresponding route in the BGP table, ONLY if
there is a matching route in the IP routing table. The third, and final step, is
therefore to generate a stable route in the IP routing table. To do this, I configure a
STATIC route for 10.60.1/24, pointing to the NULL0 interface. However, I do not
want this route to override any “real” route that I’m learning via an IGP for
10.60.1/24—so, I set the ADMIN DISTANCE of the static route to 254.
Note that if you do note want to generate AS-SET/community summary
information, you can omit the aggregate-address command. Use the network
command to generate the aggregate prefix, and then put a matching static route in
pointing to NULL0. Many, perhaps most, folks tend to do it this way, and do not
use the aggregate address command. Note that you need to be careful to filter out
more specific BGP routes if you use this technique, as the network command does
not provide any “summary-only” functionality.
Your AS CORE
CIDR Block: 10.0.0.0/8
Route Reflector
Aggregation Router
(RR Client)
Client Peer Group
• BGP bestpath
http://www.cisco.com/warp/public/459/25.shtml
• Case studies on www.cisco.com:
http://www.cisco.com/warp/public/459/18.html
• www.cisco.com—search “BGP <feature>”
• www.nanog.org