
BGP Part-1

www.ine.com
Comparison between IGPs & BGP
» Similarities and differences between BGP and IGPs (OSPF and EIGRP):
• BGP needs to form neighborships, like IGPs.
• BGP needs to advertise prefixes, just like IGPs.
• BGP also advertises a Next Hop for each prefix.
• BGP neighbor IP addresses do not have to be on a common subnet; IGP neighbors normally do.
• BGP runs over TCP (port 179) between unicast addresses; OSPF and EIGRP run directly over IP and use multicast to discover neighbors.
Copyright © www.ine.com
Comparison between IGPs & BGP
» Neighbors versus Peers
• IGP routers are called “neighbors”, which typically denotes a direct connection.
• BGP routers are called “peers” because there is no need for a direct connection.

» Routes versus NLRI
• IGP protocols exchange unicast routes.
• BGP also exchanges unicast routes, but can also exchange other types of information (other address families, for example).
• For this reason we say BGP exchanges NLRI (Network Layer Reachability Information).
Overview of iBGP and eBGP
Overview of iBGP and eBGP
» There are two types of neighbors in BGP: internal BGP
(iBGP) and external BGP (eBGP).
» A BGP router behaves differently in several ways
depending on whether the peer (neighbor) is an iBGP
or eBGP peer.
eBGP peering (the neighbor’s AS differs from the local AS):
  router bgp 1
   neighbor 2.2.2.2 remote-as 2

iBGP peering (the neighbor’s AS equals the local AS):
  router bgp 1
   neighbor 2.2.2.2 remote-as 1
iBGP and eBGP Differences (Overview)
» Peer establishment
• eBGP imposes certain rules/restrictions not imposed by iBGP

» Prefix exchange
• BGP updates received from external (eBGP) peers can be forwarded on to any other peer, internal or external.
• BGP updates received from internal (iBGP) peers can ONLY be forwarded on to external peers (iBGP split horizon), which is why iBGP peers must be fully meshed unless something else is done.

» Update modification
• Certain BGP path attributes may only be sent to external or only to internal peers (for example, LOCAL_PREF is exchanged between iBGP peers only, and NEXT_HOP is normally rewritten on eBGP updates but left unchanged on iBGP updates).
BGP Neighborship Requirements
BGP Peering Overview
[Diagram: Router 1 (AS 1, 1.1.1.1) and Router 2 (AS 2, 1.1.1.2) complete a TCP three-way handshake to port 179 (SYN, SYN+ACK, ACK), then exchange BGP Updates. Router 1: “I’ve got better paths for these same prefixes!!” Router 2: “These are the best paths I’ve seen so far!”]
  Router 1 (AS 1):                 Router 2 (AS 2):
  router bgp 1                     router bgp 2
   neighbor 1.1.1.2 remote-as 2     neighbor 1.1.1.1 remote-as 1

1. Ensure the BGP peers have IP reachability to each other.
2. Configure basic eBGP on each router.
3. The TCP three-way handshake must complete.
4. BGP peering must complete (Open exchange).
5. BGP Update exchange.
6. BGP bestpath selection process.
eBGP Neighborship Overview
» To configure BGP Peers, use the following commands:
• router bgp asn (global command)
• neighbor ip-address remote-as remote-asn (BGP subcommand)
» The asn in the router bgp command is the local AS
number of the router.

BGP Peering Sanity Checks
[Diagram: the same eBGP peering, Router 1 (AS 1, 1.1.1.1) and Router 2 (AS 2, 1.1.1.2); the checks below are applied while the TCP connection and the Open messages arrive.]
1. The source IP address of the incoming TCP connection must belong to an expected/configured BGP peer.
2. The AS number the peer advertises in its Open must be the remote-as we configured for it.
3. If BGP authentication is used, the same password must be configured on both sides.
4. Peers must have unique BGP Router-IDs.
5. Peers must use the same BGP version (version 4).
BGP Router-ID
» Just like any IGP, BGP elects a Router-ID.
» The BGP Router-ID is chosen as follows:
• Use the value set with the bgp router-id <x.x.x.x> router subcommand, if present.
• Otherwise, choose the highest numeric IP address of any up/up loopback interface at the time the BGP process initializes.
• Otherwise, choose the highest numeric IP address of any up/up non-loopback interface at the time the BGP process initializes.
BGP Authentication
» To configure authentication for BGP, use the following command:
• neighbor neighbor-ip password key (BGP subcommand)
» On IOS this enables the TCP MD5 signature option (RFC 2385) on the peering session: every TCP segment, including the handshake, carries a digest computed over the segment and the shared key.
» This command must be configured on both routers with the same key.
» If the keys do not match, or the command is configured on only one router, the TCP connection is rejected and the peering never establishes.
BGP Update-Source & Multihop Requirement
BGP Update-Source
» A TCP connection must form between the BGP peers before any BGP messages can flow.
» The source IP address used for that TCP connection must match what the neighbor expects from you in its neighbor command.
» The local router tries to open the TCP connection to the IP address given in its own neighbor ... remote-as command, and by default sources it from the address of the outgoing interface toward that address.
BGP Update-Source
» When peers are directly connected, the source address of the outgoing TCP connection is simply the address of the interface used to reach the peer, and the receiving router accepts it because it matches its own neighbor statement.
[Diagram: Router 1 (AS 1, Fast0/0 1.1.1.1) and Router 2 (AS 2, Fast0/0 1.1.1.2). 1: Router 1 asks “How do I reach 1.1.1.2? Oh…via FastEthernet0/0! I’ll use that as my source IP.” 2: TCP SYN (src=1.1.1.1, dst port 179). 3: Router 2 asks “Am I configured to expect/trust BGP from 1.1.1.1? Yes!! How do I reply back to 1.1.1.1? Oh…via FastEthernet0/0! I’ll use that as my source IP.” 4: TCP SYN+ACK (src=1.1.1.2, src port 179). 5: TCP ACK.]
  Router 1 (AS 1):                 Router 2 (AS 2):
  router bgp 1                     router bgp 2
   neighbor 1.1.1.2 remote-as 2     neighbor 1.1.1.1 remote-as 1
BGP Update-Source (2)
» What if peers are NOT directly connected?
[Diagram: Router 1 (AS 1, Fast0/0 1.2.1.1, Serial0/0 1.1.1.1) and Router 2 (AS 1, Fast0/0 1.2.1.2, Serial0/0 3.3.3.3). Router 1’s routing table: D 3.3.3.0/24 via 1.2.1.2 (Fast0/0). 1: Router 1 asks “How do I reach 3.3.3.3? Oh…via FastEthernet0/0! I’ll use that as my source IP.” 2: TCP SYN (src=1.2.1.1, dst port 179). 3: Router 2 only expects BGP from 1.1.1.1: “1.2.1.1?? Who are you??? I don’t know you!!” 4: TCP Reset (src=3.3.3.3, src port 179).]
  Router 1:                         Router 2:
  router bgp 1                      router bgp 1
   neighbor 3.3.3.3 remote-as 1      neighbor 1.1.1.1 remote-as 1
BGP Update-Source (3)
» Redundant links between connected peers
[Diagram: Router 1 (AS 1, Fast0/0 1.2.1.1, Fast0/1 1.1.1.1) and Router 2 (AS 1, Fast0/0 1.2.1.2, Fast0/1 1.1.1.2) connected through a switch on two links. Router 1’s routing table: C 1.2.1.0/24 via Fast0/0, C 1.1.1.0/24 via Fast0/1. With both links up, the peering to 1.1.1.2 forms over Fast0/1 (SYN, SYN+ACK, ACK to port 179) and Router 2 says “1.1.1.1? Great…I was expecting you!” When the Fast0/1 link fails, the connected route to 1.1.1.0/24 disappears and the IGP (D) now reaches 1.1.1.2 via 1.2.1.2 out Fast0/0, so Router 1 re-sources the connection: “How do I reach 1.1.1.2? Oh…via FastEthernet0/0! I’ll use that as my source IP.” 4: TCP SYN (src=1.2.1.1, dst port 179). 5: Router 2: “1.2.1.1?? Who are you??? I don’t know you!!” 6: TCP Reset.]
  Router 1:                         Router 2:
  router bgp 1                      router bgp 1
   neighbor 1.1.1.2 remote-as 1      neighbor 1.1.1.1 remote-as 1
BGP Update-Source
» The failure of one link can cause the BGP neighborship to fail even though another path to the peer still exists.
» There are two solutions to this issue:
• Configure two neighbor commands on each router, one per link.
• Use loopback interfaces as the TCP connection endpoints.
» Two BGP peerings between the same pair of routers cost extra bandwidth (every prefix is sent twice) and extra memory in the BGP table (every prefix is stored twice, once per peer).
BGP Update-Source (Fix #1)
[Diagram: same topology as Update-Source (2). Router 1’s routing table: D 3.3.3.0/24 via 1.2.1.2 (Fast0/0). 1: Router 1 still reaches 3.3.3.3 via FastEthernet0/0, but update-source forces the connection to be sourced from Serial0/0 (1.1.1.1). 2: TCP SYN (src=1.1.1.1, dst port 179). 3: Router 2: “I was waiting for you, 1.1.1.1!”]
  Router 1:
  router bgp 1
   neighbor 3.3.3.3 remote-as 1
   neighbor 3.3.3.3 update-source Serial0/0

  Router 2:
  router bgp 1
   neighbor 1.1.1.1 remote-as 1
   neighbor 1.1.1.1 update-source Serial0/0
» Router 2 must likewise source from the address Router 1 expects (3.3.3.3, its Serial0/0); otherwise a connection initiated by Router 2 would leave from 1.2.1.2 and be rejected by Router 1.
BGP Parallel Links (Solution #1)
[Diagram: Router 1 (AS 1, Fast0/0 1.2.1.1, Fast0/1 1.1.1.1) and Router 2 (AS 1, Fast0/0 1.2.1.2, Fast0/1 1.1.1.2) through a switch on two links; a separate TCP handshake (SYN, SYN+ACK, ACK to port 179) completes over each link, giving two independent BGP sessions.]
  Router 1:
  router bgp 1
   neighbor 1.2.1.2 remote-as 1
   neighbor 1.1.1.2 remote-as 1

  Router 2:
  router bgp 1
   neighbor 1.2.1.1 remote-as 1
   neighbor 1.1.1.1 remote-as 1
BGP Parallel Links (Solution #2)
[Diagram: same two-link topology; each router peers with the other’s Loop0 (11.11.11.11/32 on Router 1, 12.12.12.12/32 on Router 2) and reaches it over two static routes, one per link, so the single TCP handshake survives either link failing.]
  Router 1 routing table: C 1.2.1.0/24 via Fast0/0; C 1.1.1.0/24 via Fast0/1; S 12.12.12.12/32 via 1.1.1.2 and via 1.2.1.2
  Router 2 routing table: C 1.2.1.0/24 via Fast0/0; C 1.1.1.0/24 via Fast0/1; S 11.11.11.11/32 via 1.1.1.1 and via 1.2.1.1

  Router 1 (Loop0 11.11.11.11/32):
  router bgp 1
   neighbor 12.12.12.12 remote-as 1
   neighbor 12.12.12.12 update-source Loop0
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2

  Router 2 (Loop0 12.12.12.12/32):
  router bgp 1
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
Case where “Update-Source” is not needed
[Diagram: Router 1 (1.1.1.1) and Router 2 (1.1.1.2, Loopback0 2.2.2.2). 1: TCP SYN to port 179, src=1.1.1.1, dst=2.2.2.2. 2: TCP SYN+ACK from port 179, src=2.2.2.2, dst=1.1.1.1.]
  Router 1:                                    Router 2:
  router bgp <whatever>                        router bgp <whatever>
   neighbor 2.2.2.2 remote-as <whatever>        neighbor 1.1.1.1 remote-as <whatever>
• Notice that in this instance Router 2 responds using its Loopback interface address as the source IP, even without “update-source” configured: the reply to a TCP connection is always sourced from the address the connection was sent to.
• This only works while Router 1 is the side that initiates. If Router 2 opens the connection, it sources from its outgoing interface (1.1.1.2), which Router 1 does not expect, so update-source on Router 2 is still the safe configuration.
eBGP Problem
» Same loopback peering over two links, but now Router 1 is in AS 1 and Router 2 in AS 2, so the session is eBGP.
[Diagram: both routers: “I can’t even start the TCP process because my peer is NOT directly connected!!” IOS refuses to open an eBGP session to a peer address that is not on a directly connected subnet unless told otherwise.]
  Router 1 routing table: C 1.2.1.0/24 via Fast0/0; C 1.1.1.0/24 via Fast0/1; S 12.12.12.12/32 via 1.1.1.2 and via 1.2.1.2
  Router 2 routing table: C 1.2.1.0/24 via Fast0/0; C 1.1.1.0/24 via Fast0/1; S 11.11.11.11/32 via 1.1.1.1 and via 1.2.1.1

  Router 1 (AS 1, Loop0 11.11.11.11/32):
  router bgp 1
   neighbor 12.12.12.12 remote-as 2
   neighbor 12.12.12.12 update-source Loop0
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2

  Router 2 (AS 2, Loop0 12.12.12.12/32):
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
eBGP Solution #1 - Multihop
» neighbor x.x.x.x ebgp-multihop tells IOS the eBGP peer may be several hops away; the connected-subnet check is skipped and the TCP SYN (and every other BGP packet) is sent with IP TTL = 255 (or the hop count given on the command).
[Diagram: same topology; TCP SYN to port 179 with IP TTL = 255.]
  Router 1 (AS 1, Loop0 11.11.11.11/32):
  router bgp 1
   neighbor 12.12.12.12 remote-as 2
   neighbor 12.12.12.12 update-source Loop0
   neighbor 12.12.12.12 ebgp-multihop
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2

  Router 2 (AS 2, Loop0 12.12.12.12/32):
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
   neighbor 11.11.11.11 ebgp-multihop
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
eBGP Solution #2 – Disable Connected Check
» neighbor x.x.x.x disable-connected-check only skips the connected-subnet check; the TCP SYN is still sent with IP TTL = 1, so it works here only because the two loopbacks are one hop apart over a direct link.
[Diagram: same topology; TCP SYN to port 179 with IP TTL = 1.]
  Router 1 (AS 1, Loop0 11.11.11.11/32):
  router bgp 1
   neighbor 12.12.12.12 remote-as 2
   neighbor 12.12.12.12 update-source Loop0
   neighbor 12.12.12.12 disable-connected-check
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2

  Router 2 (AS 2, Loop0 12.12.12.12/32):
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
   neighbor 11.11.11.11 disable-connected-check
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
BGP Message Types, BGP Table, & BGP Routes
BGP Message Header and Types
» All BGP messages are carried inside IP and TCP headers:
  IP Header | TCP Header | BGP Header: Marker (16 bytes, all 0xFF) + Length (2 bytes) + Type (1 byte) | BGP Data
» The header is 19 bytes; Length covers the whole message including the header and may not exceed 4096 bytes.
» BGP uses four types of messages for its operation:
• Open (type 1)
• Update (type 2)
• Notification (type 3)
• Keepalive (type 4)
BGP Message Types - Open
» BGP Open Message:
• Used in neighbor establishment.
• BGP values and capabilities are exchanged.
  Marker (16 bytes, all 0xFF) | Length (2 bytes) | Type = 1
  Version = 4 (1 byte) | My AS (2 bytes) | Hold Time (2 bytes) | BGP Identifier / Router-ID (4 bytes)
  Optional Parameters Length (1 byte) | Optional Parameters (BGP capabilities)

BGP Open Message (Sniffer Trace): [packet-capture screenshot not reproduced in text]
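As an added example (not code from the slides or from any router vendor), the following Python parses the header layout above together with the Open, Keepalive and Notification messages, and applies the peering sanity checks from the earlier slide (version 4, the expected remote AS, a usable Router-ID, a hold time of 0 or at least 3 seconds) the way the receiving speaker does before it answers with a Keepalive. The sample messages are constructed inside the block with the slide’s AS numbers and Router-IDs; the function names and the BGPError class are this example’s own.

```python
import struct
from ipaddress import IPv4Address

BGP_HEADER_LEN = 19                  # 16-byte marker + 2-byte length + 1-byte type
MARKER = b"\xff" * 16
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4

# RFC 4271 Notification error codes; the checks below raise codes 1 (header) and 2 (OPEN).
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
               4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}


class BGPError(ValueError):
    """Raised where a real speaker would send a NOTIFICATION with (code, subcode)."""
    def __init__(self, code, subcode, text):
        super().__init__(text)
        self.code, self.subcode = code, subcode


def parse_header(data):
    """Validate the 19-byte header and return (type, length, body)."""
    if len(data) < BGP_HEADER_LEN:
        raise BGPError(1, 2, "short header")
    marker, length, mtype = struct.unpack("!16sHB", data[:BGP_HEADER_LEN])
    if marker != MARKER:
        raise BGPError(1, 1, "connection not synchronized: bad marker")
    if length < BGP_HEADER_LEN or length > 4096 or length > len(data):
        raise BGPError(1, 2, "bad message length %d" % length)
    if mtype not in (OPEN, UPDATE, NOTIFICATION, KEEPALIVE):
        raise BGPError(1, 3, "bad message type %d" % mtype)
    return mtype, length, data[BGP_HEADER_LEN:length]


def parse_open(body):
    """Decode the fixed OPEN fields and the capability TLVs (optional parameter type 2, RFC 5492)."""
    if len(body) < 10:
        raise BGPError(1, 2, "short OPEN body")
    version, my_as, hold_time, rid, opt_len = struct.unpack("!BHHIB", body[:10])
    params, pos, caps = body[10:10 + opt_len], 0, []
    while pos < len(params):
        ptype, plen = params[pos], params[pos + 1]
        value = params[pos + 2:pos + 2 + plen]
        if ptype == 2:                                  # Capabilities optional parameter
            cpos = 0
            while cpos < len(value):
                ccode, clen = value[cpos], value[cpos + 1]
                caps.append((ccode, value[cpos + 2:cpos + 2 + clen]))
                cpos += 2 + clen
        pos += 2 + plen
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "router_id": str(IPv4Address(rid)), "capabilities": caps}


def parse_notification(body):
    code, subcode = body[0], body[1]
    return {"code": code, "subcode": subcode, "name": ERROR_CODES.get(code, "unknown"), "data": body[2:]}


def parse_message(data):
    """Dispatch on the header type; UPDATE bodies are returned raw here."""
    mtype, _, body = parse_header(data)
    if mtype == OPEN:
        return "OPEN", parse_open(body)
    if mtype == NOTIFICATION:
        return "NOTIFICATION", parse_notification(body)
    if mtype == KEEPALIVE:
        if body:
            raise BGPError(1, 2, "KEEPALIVE must be the 19-byte header only")
        return "KEEPALIVE", {}
    return "UPDATE", {"raw": body}


def check_open(open_msg, expected_remote_as, local_router_id):
    """The sanity checks a router applies to the peer's OPEN before answering with a KEEPALIVE."""
    if open_msg["version"] != 4:
        raise BGPError(2, 1, "unsupported version %d" % open_msg["version"])
    if open_msg["my_as"] != expected_remote_as:
        raise BGPError(2, 2, "bad peer AS %d, expected %d" % (open_msg["my_as"], expected_remote_as))
    if open_msg["router_id"] in ("0.0.0.0", local_router_id):   # zero or duplicate Router-ID
        raise BGPError(2, 3, "bad BGP identifier %s" % open_msg["router_id"])
    if 0 < open_msg["hold_time"] < 3:                            # RFC 4271: 0 or at least 3 seconds
        raise BGPError(2, 6, "unacceptable hold time %d" % open_msg["hold_time"])
    return True


def open_error(open_msg, expected_remote_as, local_router_id):
    """(code, subcode) the receiver would send in its NOTIFICATION, or None when the OPEN is acceptable."""
    try:
        check_open(open_msg, expected_remote_as, local_router_id)
        return None
    except BGPError as e:
        return e.code, e.subcode


def build_open(my_as, hold_time, router_id, capabilities=()):
    """Encoder used only to construct the sample messages below; capabilities are (code, bytes) pairs."""
    cap_body = b"".join(struct.pack("!BB", c, len(v)) + v for c, v in capabilities)
    params = struct.pack("!BB", 2, len(cap_body)) + cap_body if cap_body else b""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, int(IPv4Address(router_id)), len(params)) + params
    return MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), OPEN) + body


# Constructed sample messages (not captured from a real session): Router 2 (AS 2) opening to Router 1.
SAMPLE_OPEN = build_open(2, 180, "12.12.12.12",
                         [(1, struct.pack("!HBB", 1, 0, 1)),    # Multiprotocol: AFI 1 / SAFI 1, IPv4 unicast
                          (65, struct.pack("!I", 2))])           # 4-octet AS number capability
SAMPLE_KEEPALIVE = MARKER + struct.pack("!HB", BGP_HEADER_LEN, KEEPALIVE)
SAMPLE_CEASE = MARKER + struct.pack("!HB", BGP_HEADER_LEN + 2, NOTIFICATION) + bytes([6, 7])  # Cease / collision

if __name__ == "__main__":
    kind, msg = parse_message(SAMPLE_OPEN)
    print(kind, msg)
    print("OPEN acceptable on Router 1:", open_error(msg, expected_remote_as=2, local_router_id="11.11.11.11"))
    print(parse_message(SAMPLE_KEEPALIVE), parse_message(SAMPLE_CEASE))
```

Run it and the Open decodes to AS 2, hold time 180, Router-ID 12.12.12.12 with the two capabilities; changing expected_remote_as to 3 yields (2, 2), the “bad peer AS” Notification the slide’s check 2 describes.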
BGP Message Types - Update
» BGP Update Message:
• Informs neighbors about withdrawn routes, changed routes and new routes.
• Used to exchange path attributes (PAs) and the prefix/length pairs (NLRI) that share those attributes; one Update carries one set of attributes and any number of prefixes that use them.
  Marker (16 bytes, all 0xFF) | Length (2 bytes) | Type = 2
  Withdrawn Routes Length (2 bytes)
  Withdrawn Routes (if any): Prefix Length (1 byte) + Prefix
  Total Path Attributes Length (2 bytes)
  Path Attributes (TLVs: flags, type code, length, value)
  NLRI: one or more Prefix Length (1 byte) + Prefix entries

BGP Update Message (Sniffer Trace): [packet-capture screenshot not reproduced in text]
BGP Message Types - Notification
» BGP Notification message:
• Used to signal a BGP error; the sender closes the TCP connection right after sending it, so it always resets the neighbor relationship.
  Marker (16 bytes, all 0xFF) | Length (2 bytes) | Type = 3
  Error Code (1 byte) | Error Subcode (1 byte) | Data (variable)
• Error codes: 1 Message Header Error, 2 OPEN Message Error, 3 UPDATE Message Error, 4 Hold Timer Expired, 5 Finite State Machine Error, 6 Cease.

BGP Notification Message (Sniffer Trace): [packet-capture screenshot not reproduced in text]
BGP Message Types - Keepalive
» BGP Keepalive message:
• Sent periodically to maintain the neighbor relationship (every 60 seconds by default on IOS). Failure to receive a Keepalive or Update within the negotiated Hold timer (180 seconds by default) causes BGP to bring down the neighbor connection.
• A Keepalive is just the 19-byte header; it carries no data.
  IP Header | TCP Header | Marker (16 bytes, all 0xFF) | Length = 19 | Type = 4

BGP Keepalive Message (Sniffer Trace): [packet-capture screenshot not reproduced in text]
Examining the BGP Table
» To verify the BGP table, use the command show ip bgp.
» The output lists all BGP-learned routes, both locally injected and learned from neighbors.
» Each prefix is shown with the attributes that are examined during best-path selection.
» Each prefix can have multiple paths with different next hops.

Examining the BGP Table (show ip bgp output): [screenshot not reproduced in text]
Examining the BGP Table
» Prefixes marked ‘*’ are valid (the next hop is reachable) and are candidates for the best-path algorithm.
» The best path is marked ‘>’.
» The Path column shows the AS_PATH attribute followed by the origin code (i, e or ?).
» The show commands list the AS_PATH with the most recently added ASN (the neighbor that sent us the route) on the left and the first-added ASN (the originating AS) on the right.
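As an added example covering the Update layout slide above and the AS_PATH display order described here (not code from the slides or from any vendor), this Python decodes a constructed Update body into withdrawn routes, path attributes and NLRI, and renders the AS_PATH the way show ip bgp does, most recently added AS on the left. The sample Update is built in the block from the slide’s addressing; the helper names are this example’s own.

```python
import struct
from ipaddress import IPv4Address

ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF = 1, 2, 3, 4, 5
ORIGIN_CODES = {0: "i", 1: "e", 2: "?"}        # IGP / EGP / incomplete, as show ip bgp prints them
AS_SET, AS_SEQUENCE = 1, 2


def decode_prefixes(blob):
    """NLRI and withdrawn-route encoding: 1-byte prefix length, then ceil(len/8) bytes of prefix."""
    prefixes, pos = [], 0
    while pos < len(blob):
        plen = blob[pos]
        nbytes = (plen + 7) // 8
        raw = blob[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
        prefixes.append("%s/%d" % (IPv4Address(raw), plen))
        pos += 1 + nbytes
    return prefixes


def decode_as_path(value, asn_size=2):
    """AS_PATH is a list of segments (type, count, ASNs). AS_SEQUENCE segments come back as lists,
    AS_SET segments as tuples so the display can brace them."""
    segments, pos, fmt = [], 0, ("!H" if asn_size == 2 else "!I")
    while pos < len(value):
        stype, count = value[pos], value[pos + 1]
        start = pos + 2
        asns = [struct.unpack(fmt, value[start + i * asn_size:start + (i + 1) * asn_size])[0]
                for i in range(count)]
        segments.append(tuple(asns) if stype == AS_SET else asns)
        pos = start + count * asn_size
    return segments


def decode_update(body, asn_size=2):
    """Split an UPDATE body into withdrawn routes, path attributes (TLVs) and NLRI."""
    wlen = struct.unpack("!H", body[:2])[0]
    withdrawn = decode_prefixes(body[2:2 + wlen])
    pos = 2 + wlen
    alen = struct.unpack("!H", body[pos:pos + 2])[0]
    attrs_blob, nlri_blob = body[pos + 2:pos + 2 + alen], body[pos + 2 + alen:]
    attrs, pos = {}, 0
    while pos < len(attrs_blob):
        flags, code = attrs_blob[pos], attrs_blob[pos + 1]
        if flags & 0x10:                                # Extended Length bit: 2-byte length field
            length = struct.unpack("!H", attrs_blob[pos + 2:pos + 4])[0]
            pos += 4
        else:
            length = attrs_blob[pos + 2]
            pos += 3
        value = attrs_blob[pos:pos + length]
        pos += length
        if code == ORIGIN:
            attrs["origin"] = ORIGIN_CODES.get(value[0], "?")
        elif code == AS_PATH:
            attrs["as_path"] = decode_as_path(value, asn_size)
        elif code == NEXT_HOP:
            attrs["next_hop"] = str(IPv4Address(value))
        elif code in (MED, LOCAL_PREF):
            attrs["med" if code == MED else "local_pref"] = struct.unpack("!I", value)[0]
        else:
            attrs.setdefault("other", {})[code] = value   # keep unknown attributes for display
    return {"withdrawn": withdrawn, "attrs": attrs, "nlri": decode_prefixes(nlri_blob)}


def as_path_display(segments):
    """Render like show ip bgp: the AS that prepended last (the neighbor that sent us the route) is on
    the left, the originating AS on the right; AS_SET segments appear in braces."""
    parts = []
    for seg in segments:
        if isinstance(seg, tuple):
            parts.append("{%s}" % ",".join(str(a) for a in seg))
        else:
            parts.extend(str(a) for a in seg)
    return " ".join(parts)


def attr(code, value, flags=0x40):
    """Encode one path attribute TLV (default flags: well-known transitive); used to build the sample."""
    return bytes([flags, code, len(value)]) + value


# Constructed UPDATE body (not a capture): withdraws 10.9.0.0/16; announces 7.7.7.0/24 and 7.8.0.0/15
# with ORIGIN IGP, AS_PATH "2 1" (AS 1 originated, AS 2 passed it to us), NEXT_HOP 1.2.1.2, MED 50.
SAMPLE_ATTRS = (attr(ORIGIN, b"\x00")
                + attr(AS_PATH, bytes([AS_SEQUENCE, 2]) + struct.pack("!HH", 2, 1))
                + attr(NEXT_HOP, IPv4Address("1.2.1.2").packed)
                + attr(MED, struct.pack("!I", 50), flags=0x80))      # optional non-transitive
SAMPLE_WITHDRAWN = bytes([16, 10, 9])
SAMPLE_NLRI = bytes([24, 7, 7, 7]) + bytes([15, 7, 8])
SAMPLE_UPDATE_BODY = (struct.pack("!H", len(SAMPLE_WITHDRAWN)) + SAMPLE_WITHDRAWN
                      + struct.pack("!H", len(SAMPLE_ATTRS)) + SAMPLE_ATTRS + SAMPLE_NLRI)

if __name__ == "__main__":
    upd = decode_update(SAMPLE_UPDATE_BODY)
    print(upd)
    print("Path:", as_path_display(upd["attrs"]["as_path"]), upd["attrs"]["origin"])
```

The sample decodes to a withdrawn 10.9.0.0/16, NLRI 7.7.7.0/24 and 7.8.0.0/15, next hop 1.2.1.2 and the path “2 1 i”, which is exactly how the slide says show ip bgp would present a route originated by AS 1 and received from AS 2.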
Verification Commands for eBGP Learned Routes
» show ip bgp prefix [subnet-mask]
» show ip bgp neighbors ip-address received-routes (requires neighbor ... soft-reconfiguration inbound)
» show ip bgp neighbors ip-address routes
» show ip bgp neighbors ip-address advertised-routes
» show ip bgp summary
BGP Neighbor States
BGP Neighbor States
» BGP goes through the following neighbor states (RFC 4271):
» Idle: The BGP process is either administratively down or awaiting the next retry attempt; no TCP connection is being attempted.
» Connect: The router has initiated a TCP connection to the peer and is waiting for the three-way handshake to complete.
BGP Neighbor States
» Active: BGP is still trying to acquire the TCP connection. It listens for the peer to connect and, each time the ConnectRetry timer expires, initiates a new connection of its own (moving back to Connect). This is the state you see on IOS while a peer is unreachable. A router can enter it either because:
• it has started trying to reach the peer (Idle-to-Active), or
• its earlier connection attempt failed to complete the TCP handshake (Idle-Connect-Active).
» A neighbor that stays in Active has no working TCP path: no route to the peer, a wrong update-source, a filter in the way, or the peer has no matching neighbor statement.
» Opensent: The TCP connection exists, and a BGP Open message has been sent to the peer, but the matching Open message has not yet been received from the other router.
BGP Neighbor States
» Openconfirm: An Open message has been both sent to and received from the other router. The next message expected is a Keepalive (all parameters matched) or a Notification (some parameter mismatched).
» Established: All neighbor parameters match, the neighbor relationship works, and the peers can now exchange Update messages.
State Transitions: TCP Handshake Failure (Possibility #1)
[Diagram: Idle → “Start event” / “Initiate TCP” → Connect. The ConnectRetry timer is started and a TCP SYN is transmitted. No SYN+ACK ever arrives, the TCP attempt times out, and the router falls back to Active, where it listens; when the ConnectRetry timer has EXPIRED it initiates TCP again and the cycle repeats.]
State Transitions: TCP Resets (Possibility #2)
[Diagram: Idle → “Start event” / “Initiate TCP”: BGP invokes TCP and moves to Active with the ConnectRetry timer running and a TCP SYN sent. A TCP Reset is received (the peer has no matching neighbor statement, or the source address is not what it expects). The ConnectRetry timer is stopped and the router drops back to Idle before the next attempt.]
Moving to OpenSent (Possibility #3)
[Diagram: Idle → “Start event” / “Initiate TCP” → Active with the ConnectRetry timer running and a TCP SYN sent. TCP SYN+ACK received, TCP ACK sent: the handshake is complete. BGP “Open” is sent → OpenSent.]
Moving from OpenSent (1)
[Diagram: OpenSent → Open received, but with a bad BGP header or bad Open parameters (version, AS number, Router-ID, hold time) → a BGP Notification is sent and the TCP connection is closed; the router drops back to Idle, then Active, and initiates TCP again.]
Moving from OpenSent (2)
[Diagram: OpenSent → Open received…everything looks good! → a BGP Keepalive is sent → OpenConfirm → the peer’s BGP Keepalive is received → Established: “I’m ready to send my BGP Update(s) now!!”]
BGP Peering Collisions
Peering and Router-IDs
» When two routers are first configured to peer with each other, neither knows the other’s BGP Router-ID, so both may open a TCP connection to the other at the same time.
» When two connections to the same peer exist, collision detection (RFC 4271 section 6.8) compares the two Router-IDs: the connection initiated by the router with the higher Router-ID is kept, and the other is closed with a Notification (Cease).
» The Router-IDs are only learned from the Open messages, so the collision cannot be avoided by the routers themselves; it is resolved after both Opens have arrived.
BGP Collisions?
» If the BGP Router-IDs are unknown, a peering collision may occur.
[Diagram: Router 1 (AS 1, Loop0 11.11.11.11/32, Fast0/0 1.2.1.1, Fast0/1 1.1.1.1) and Router 2 (AS 2, Loop0 12.12.12.12/32, Fast0/0 1.2.1.2, Fast0/1 1.1.1.2) through a switch. Both routers open TCP to port 179 at the same time, so two handshakes (SYN, SYN+ACK, ACK) complete. Router 1 sends BGP Open (RID=11.11.11.11) on its connection, Router 2 sends BGP Open (RID=12.12.12.12) on its connection. Each then sees a second Open from a peer it already has a session with: “Hey, I’ve already got a session with you!” The connection initiated by the lower Router-ID (11.11.11.11) is closed with a BGP Notification (Cease!!).]
  Router 1:
  router bgp 1
   neighbor 12.12.12.12 remote-as 2
   neighbor 12.12.12.12 update-source Loop0
   neighbor 12.12.12.12 ebgp-multihop
   bgp router-id 11.11.11.11
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2

  Router 2:
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
   neighbor 11.11.11.11 ebgp-multihop
   bgp router-id 12.12.12.12
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
How do we prevent collisions?
» A router can be configured to only accept inbound connections and never ACTIVELY initiate outbound ones (neighbor x.x.x.x transport connection-mode passive). Configure it on one side of the peering only; if both sides are passive, nobody ever connects.
[Diagram: same topology. Only Router 2 opens TCP (SYN, SYN+ACK, ACK to port 179) and sends BGP Open (RID=12.12.12.12); Router 1 just listens, so only one connection ever exists.]
  Router 1:
  router bgp 1
   neighbor 12.12.12.12 remote-as 2
   neighbor 12.12.12.12 update-source Loop0
   neighbor 12.12.12.12 ebgp-multihop
   neighbor 12.12.12.12 transport connection-mode passive
   bgp router-id 11.11.11.11
  !
  ip route 12.12.12.12 255.255.255.255 1.1.1.2
  ip route 12.12.12.12 255.255.255.255 1.2.1.2

  Router 2:
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 update-source Loop0
   neighbor 11.11.11.11 ebgp-multihop
   bgp router-id 12.12.12.12
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
  ip route 11.11.11.11 255.255.255.255 1.2.1.1
Who initiated the connection?
» In show ip bgp neighbors, look at the “Local host / Local port” and “Foreign host / Foreign port” lines of the TCP connection summary.
» If the “Local port” is NOT 179, your local router INITIATED the TCP connection (it connected from an ephemeral port to the peer’s port 179). If the Local port is 179, the peer initiated it.
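A simplified model of the collision rule from RFC 4271 section 6.8 and of the Local port / Foreign port check above, added here as Python (not code from the slides or from IOS). It assumes each router’s own outbound connection is the one already furthest along when the peer’s Open arrives, then shows that both ends independently keep the connection initiated by the higher Router-ID, and that passive mode on one side avoids the collision entirely. The router names A and B, the ephemeral ports and the function names are this example’s own.

```python
from collections import namedtuple
from ipaddress import IPv4Address

BGP_PORT = 179
Connection = namedtuple("Connection", "initiator local_port foreign_port")


def rid_value(rid):
    """RFC 4271 compares BGP Identifiers as unsigned 32-bit integers, not as dotted strings."""
    return int(IPv4Address(rid))


def who_initiated(local_port, foreign_port):
    """Mirror of the 'Local port / Foreign port' check in show ip bgp neighbors: the initiator uses
    an ephemeral local port and talks to the peer's port 179."""
    if foreign_port == BGP_PORT and local_port != BGP_PORT:
        return "local"
    if local_port == BGP_PORT and foreign_port != BGP_PORT:
        return "peer"
    raise ValueError("not a BGP connection: exactly one side must be port 179")


def resolve_collision(local_rid, remote_rid, existing, new):
    """RFC 4271 section 6.8. `existing` is the connection already in OpenSent/OpenConfirm, `new` is the
    one on which the colliding OPEN just arrived. Returns (connection to keep, connection to close)."""
    if rid_value(local_rid) < rid_value(remote_rid):
        return new, existing        # lower Router-ID gives way: drop its own connection, accept the peer's
    return existing, new            # higher Router-ID keeps the connection it already had


def simulate_collision(rid_a, rid_b, passive_b=False):
    """Routers A and B are configured at the same moment. A connects out; B connects out too unless it
    is 'transport connection-mode passive'. Returns (initiator of the surviving connection, initiator of
    the connection that receives a Cease, or None when there was no collision)."""
    a_out = Connection("A", 41000, BGP_PORT)        # A -> B as A sees it (A initiated)
    if passive_b:
        return "A", None                            # B only listens: one connection, no collision
    b_out = Connection("B", 42000, BGP_PORT)        # B -> A as B sees it (B initiated)
    a_in = Connection("B", BGP_PORT, 42000)         # B's connection as A sees it
    b_in = Connection("A", BGP_PORT, 41000)         # A's connection as B sees it
    # Model assumption: each router's own outbound connection is the 'existing' one, the peer's is 'new'.
    keep_a, close_a = resolve_collision(rid_a, rid_b, existing=a_out, new=a_in)
    keep_b, close_b = resolve_collision(rid_b, rid_a, existing=b_out, new=b_in)
    if keep_a.initiator != keep_b.initiator or close_a.initiator != close_b.initiator:
        raise RuntimeError("both ends must pick the same connection or the session would flap")
    return keep_a.initiator, close_a.initiator


if __name__ == "__main__":
    # The slide's routers: Router 1 has RID 11.11.11.11 (A), Router 2 has RID 12.12.12.12 (B).
    print("both initiate:", simulate_collision("11.11.11.11", "12.12.12.12"))
    print("Router 2 passive:", simulate_collision("11.11.11.11", "12.12.12.12", passive_b=True))
    print("who opened? local port 41000, foreign 179 ->", who_initiated(41000, BGP_PORT))
```

With the slide’s Router-IDs the connection opened by 12.12.12.12 survives and the one opened by 11.11.11.11 gets the Cease; note that 12.12.12.12 beats 9.255.255.255 only because the comparison is numeric over the 32-bit value, not lexical.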
Defeating BGP DoS Attacks with TTL Security
BGP DoS Example
» eBGP sends its packets with TTL=1, but by default does not check the TTL of the packets it receives, so a remote attacker who can spoof the peer’s address can inject packets into the session.
[Diagram: Router 1 (AS 1, Fast0/0 1.2.1.1, Router-ID 11.11.11.11) peers with Router 2 (AS 2, Fast0/0 1.2.1.2, Router-ID 12.12.12.12). A genuine BGP Notification (Cease) from Router 2 would arrive with IP TTL=1 (RID=12.12.12.12). An “Evil Person” several hops away inside AS 2 sends a forged BGP Notification (Cease!!) with source 1.2.1.2 and destination 1.2.1.1; it arrives with IP TTL=4. Router 2 forwards it like any transit packet (“Destination 1.2.1.1? I can forward that!”) and Router 1 accepts it: “Guess I need to kill my BGP peering with 12.12.12.12!”]
  Router 1:                           Router 2:
  router bgp 1                        router bgp 2
   neighbor 1.2.1.2 remote-as 2        neighbor 1.2.1.1 remote-as 1
   bgp router-id 11.11.11.11           bgp router-id 12.12.12.12
» The forged segment must still match the TCP connection (ports and an in-window sequence number), which is one reason to pair this with authentication; TTL security shuts out anyone who is not adjacent to the router regardless of what they know about the session.
TTL and eBGP Sessions
» eBGP sessions assume the neighbor is directly connected.
» The TTL in eBGP packets is set to 1 if a connected route to the peer is found.
» If the neighbor is NOT directly connected, additional configuration is needed to start the BGP peering process, and it affects the outbound TTL:
• ebgp-multihop (sets the TTL in outbound BGP packets to 255, or to the hop count given on the command)
• disable-connected-check (leaves the TTL at 1 in outbound BGP packets)
• ttl-security (to be discussed next)
TTL-Security
» By default, any TTL value (>0) on received BGP packets is accepted from eBGP peers.
» TTL-Security (the Generalized TTL Security Mechanism, RFC 5082) enforces a minimum received TTL so that packets from far away cannot reach the session:
• (config-router)#neighbor x.x.x.x ttl-security hops <1-254>
» How is “hops” used?
• 255 - <hops> = X
• All incoming BGP packets from that neighbor must have TTL ≥ X; anything lower is dropped before it reaches BGP.
• Outbound BGP packets to that neighbor are sent with TTL = 255, so the peer can apply the same check.
» ttl-security cannot be combined with ebgp-multihop on the same neighbor; the hop count takes its place.
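The admission checks from the Peering Sanity Checks slide and the GTSM floor defined here, as an added Python example (not from the slides or from IOS): it parses raw IPv4/TCP headers, rejects segments not addressed to the configured update-source or not sourced from a configured neighbor, and drops anything whose TTL is under 255 - hops. The Peer class, the sample packets and the hop distances are this example’s constructions modelled on the two-router topology used throughout the deck. It also shows what TTL security does not do: an adjacent spoofer still has to win the TCP sequence-number guess, so GTSM complements MD5 authentication rather than replacing it.

```python
import struct
from ipaddress import IPv4Address

BGP_PORT = 179


class Peer:
    """One 'neighbor x.x.x.x ...' block, reduced to the knobs that affect TTL handling (example's own)."""
    def __init__(self, address, remote_as, ebgp_multihop=None,
                 disable_connected_check=False, ttl_security_hops=None):
        self.address, self.remote_as = address, remote_as
        self.ebgp_multihop = ebgp_multihop              # None, or the TTL given (plain 'ebgp-multihop' = 255)
        self.disable_connected_check = disable_connected_check
        self.ttl_security_hops = ttl_security_hops      # None = GTSM off

    def outbound_ttl(self):
        """TTL this router puts on its own BGP segments toward the peer."""
        if self.ttl_security_hops is not None:
            return 255
        if self.ebgp_multihop is not None:
            return self.ebgp_multihop
        return 1                                        # default eBGP, also with disable-connected-check

    def min_accepted_ttl(self):
        """GTSM floor 255 - hops; anything > 0 is accepted when ttl-security is off."""
        return 255 - self.ttl_security_hops if self.ttl_security_hops is not None else 1


def parse_ipv4_tcp(packet):
    """Pull the fields the admission checks need out of a raw IPv4 + TCP packet (None if not TCP)."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"ttl": ttl, "src": str(IPv4Address(packet[12:16])),
            "dst": str(IPv4Address(packet[16:20])), "sport": sport, "dport": dport}


def admit(packet, local_address, peers):
    """Decide whether an inbound segment may reach the BGP listener. Returns (accepted, reason)."""
    f = parse_ipv4_tcp(packet)
    if f is None or f["dport"] != BGP_PORT:
        return False, "not a BGP connection attempt"
    if f["dst"] != local_address:
        return False, "not addressed to our update-source %s" % local_address
    peer = peers.get(f["src"])
    if peer is None:
        return False, "source %s is not a configured neighbor" % f["src"]
    floor = peer.min_accepted_ttl()
    if f["ttl"] < floor:
        return False, "TTL %d below GTSM floor %d for peer %s" % (f["ttl"], floor, f["src"])
    return True, "accepted for peer %s (AS %d), TTL %d" % (f["src"], peer.remote_as, f["ttl"])


def make_packet(src, dst, ttl, sport, dport):
    """Build a minimal IPv4 header (no options) plus a 20-byte TCP SYN; constructed input, not a capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


# Router 1 from the slides: 1.2.1.1 in AS 1, peering with 1.2.1.2 in AS 2, with and without GTSM.
PROTECTED = {"1.2.1.2": Peer("1.2.1.2", 2, ttl_security_hops=1)}
UNPROTECTED = {"1.2.1.2": Peer("1.2.1.2", 2)}

# Constructed traffic: the adjacent peer arrives with TTL 255; an attacker three routers away who
# spoofs 1.2.1.2 arrives with TTL 252; an unknown host tries to connect directly.
SAMPLES = {
    "real peer": make_packet("1.2.1.2", "1.2.1.1", 255, 40000, BGP_PORT),
    "spoofed, 3 hops away": make_packet("1.2.1.2", "1.2.1.1", 252, 40001, BGP_PORT),
    "unknown host": make_packet("9.9.9.9", "1.2.1.1", 255, 40002, BGP_PORT),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-22s ttl-security: %s | default: %s"
              % (name, admit(pkt, "1.2.1.1", PROTECTED), admit(pkt, "1.2.1.1", UNPROTECTED)))
```

Running it shows the spoofed segment from three hops away being accepted by the default configuration and rejected once ttl-security hops 1 is in place, while the unknown source is refused either way by the neighbor-statement check.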
TTL-Security with Direct-Connection Peering
[Diagram: Router 1 (AS 1, customer, Fast0/0 1.2.1.1) directly connected to Router 2 (AS 2, ISP, Fast0/0 1.2.1.2); an “Evil Person” sits several routers beyond Router 2.]
1. BGP packets are sent with TTL=255.
2. BGP packets are received and processed only if TTL ≥ 254 (255 - 1 hop).
3. BGP packets with TTL < 254 are silently discarded. The attacker’s packets, forged to look like they came from 1.2.1.2, arrive at TTL 252 or 253 after crossing the intermediate routers and are dropped; the genuine peer’s packets arrive at 254 or 255.
  Router 1:                                Router 2:
   neighbor 1.2.1.2 ttl-security hops 1     neighbor 1.2.1.1 ttl-security hops 1
TTL-Security with Multihop Peering
[Diagram: Router 1 (AS 1, customer, 1.2.1.1) peers with Router 2 (AS 2, ISP, 2.2.2.2) across one intermediate router; an “Evil Person” sits further away.]
1. BGP packets are sent with TTL=255.
2. BGP packets are received and processed only if TTL ≥ 253 (255 - 2 hops).
3. BGP packets with TTL < 253 are silently discarded: the attacker’s forged packets arrive at TTL 250, the peer’s at 253 or 254.
  Router 1:                                Router 2:
   neighbor 2.2.2.2 ttl-security hops 2     neighbor 1.2.1.1 ttl-security hops 2
TTL-Security with Loopback Peering (Method #1)
[Diagram: Router 1 (AS 1, customer, Loop0 11.11.11.11/32, link address 1.2.1.1) directly connected to Router 2 (AS 2, ISP, Loop0 22.22.22.22/32, link address 1.2.1.2); the peering runs between the loopbacks.]
1. BGP packets are sent with TTL=255.
2. BGP packets are received and processed only if TTL ≥ 253.
3. BGP packets with TTL < 253 are silently discarded.
» With hops 2 the session is treated as multihop, so the directly-connected check that would otherwise block loopback peering does not apply; the cost is a TTL floor one hop looser than the topology needs.
  Router 1:
   neighbor 22.22.22.22 update-source loop0
   neighbor 22.22.22.22 ttl-security hops 2

  Router 2:
   neighbor 11.11.11.11 update-source loop0
   neighbor 11.11.11.11 ttl-security hops 2
TTL-Security with Loopback Peering (Method #2)
[Diagram: the same loopback-to-loopback peering over a direct link.]
1. BGP packets are sent with TTL=255.
2. BGP packets are received and processed only if TTL ≥ 254.
3. BGP packets with TTL < 254 are silently discarded.
» Here hops 1 keeps the tightest possible floor, and disable-connected-check lets the session start even though the loopback peer address is not on the connected subnet.
  Router 1:
   neighbor 22.22.22.22 update-source loop0
   neighbor 22.22.22.22 ttl-security hops 1
   neighbor 22.22.22.22 disable-connected-check

  Router 2:
   neighbor 11.11.11.11 update-source loop0
   neighbor 11.11.11.11 ttl-security hops 1
   neighbor 11.11.11.11 disable-connected-check
BGP Neighbor Failure Detection
Neighbor Failures – Direct Connections
» BGP neighbors may be directly or indirectly connected.
» When the peering runs over a directly connected interface and that interface goes down, the BGP peer is torn down immediately: the connected route to the peer leaves the routing table together with the interface.
[Diagram: Router 1 (AS 1, Fast0/0 1.1.1.1) back-to-back with Router 2 (AS 2, Fast0/0 1.1.1.2).]
  Router 1:                           Router 2:
  router bgp 1                        router bgp 2
   neighbor 1.1.1.2 remote-as 2        neighbor 1.1.1.1 remote-as 1
Neighbor Failures – Indirect Connections
» When the failure is not on a local interface (a link beyond a switch, or an intermediate router), the only default signal is the BGP hold timer: 180 seconds on IOS, with keepalives every 60 seconds.

Adjusting BGP Timers
» BGP keepalives can be reduced to a minimum of 1 second with a minimum hold time of 3 seconds (timers bgp keepalive holdtime, or per neighbor with neighbor x.x.x.x timers). The cost is more BGP control traffic and CPU time for every peer, and a higher risk of false failures under load.
Other ways of failure detection
» Several other options exist for neighbor failure detection that do not require aggressive BGP keepalives:
• Neighbor Fall-Over
• Neighbor Fall-Over with a Route-Map
• Neighbor Fall-Over BFD
» All of the above are called “BGP Fast Peering Session Deactivation”.

Neighbor Fall-Over
» The “neighbor x.x.x.x fall-over” command (without options):
• Tracks the route to the BGP peer address in the routing table (iBGP or eBGP). When that route is lost, the peer is immediately taken down instead of waiting for the hold timer.
• Does NOT help if the router ALSO holds a default route (or any less specific route) covering the peer address: the peer address still resolves, so the session stays up until the hold timer expires.
Neighbor Fall-Over
[Diagram: Router 1 (AS 1, Loopback0 11.11.11.11, Fast0/0 1.1.1.1) and Router 2 (AS 1, Loopback0 22.22.22.2, Fast0/0 1.1.1.2) run EIGRP between them and peer iBGP between their loopbacks.]
  Router 1:                              Router 2:
  router bgp 1                           router bgp 1
   neighbor 22.22.22.2 remote-as 1        neighbor 11.11.11.11 remote-as 1
   neighbor 22.22.22.2 fall-over          neighbor 11.11.11.11 fall-over
» When EIGRP withdraws the route to the peer’s loopback, BGP drops the session at once. Without “neighbor fall-over”, the hold timer must expire first.
Neighbor Fall-Over – The Problem
[Diagram: ISP-B (BGP AS 1) has three routers. Router 1 (Loop0 199.10.1.1/32, link 1.1.1.2 toward Router 2, ISP-A attached) and Router 3 (Loop0 199.11.1.3/32, Fast0/0 7.7.7.2 toward Router 2, ISP-C attached) peer iBGP with each other over their loopbacks and with Router 2; EIGRP AS 100 runs among them. Corporate intranet routers X and Y advertise the aggregates 199.10.x.x/16 and 199.11.x.x/16 into EIGRP, so Router 1 learns “199.11.0.0/16 via Rtr-Y!!” and Router 3 learns “199.10.0.0/16 via Rtr-X!!”.]
  Router 1:                              Router 3:
  router bgp 1                           router bgp 1
   neighbor 1.1.1.2 remote-as 1           neighbor 7.7.7.2 remote-as 1
   neighbor 199.11.1.3 remote-as 1        neighbor 199.10.1.1 remote-as 1
   neighbor 199.11.1.3 fall-over          neighbor 199.10.1.1 fall-over
» If Router 3’s loopback /32 disappears from Router 1’s routing table, 199.11.1.3 still resolves through the 199.11.0.0/16 aggregate, so plain fall-over never fires and the iBGP session lingers until the hold timer expires.
BGP Fast Peering Session Deactivation with Next-Hop Address Tracking
» A route-map can be attached to the “neighbor x.x.x.x fall-over” command:
• Only routes permitted by the route-map count as reachability to the peer (iBGP or eBGP). When the last such route is lost, the peer is immediately taken down.
• A default route or a less specific aggregate that the route-map does not permit neither keeps the peer up nor delays the teardown.
Neighbor Fall-Over – The Solution!
[Diagram: the same ISP-B topology as on the previous slide.]
  Router 1:
  router bgp 1
   neighbor 1.1.1.2 remote-as 1
   neighbor 199.11.1.3 remote-as 1
   neighbor 199.11.1.3 fall-over route-map FALLOVER
  !
  access-list 1 permit 199.11.1.3 0.0.0.0
  !
  route-map FALLOVER permit 10
   match ip address 1

  Router 3:
  router bgp 1
   neighbor 7.7.7.2 remote-as 1
   neighbor 199.10.1.1 remote-as 1
   neighbor 199.10.1.1 fall-over route-map FALLOVER
  !
  access-list 1 permit 199.10.1.1 0.0.0.0
  !
  route-map FALLOVER permit 10
   match ip address 1
» Only the exact host route to the peer’s loopback matches access-list 1; the /16 aggregate does not, so losing the /32 now tears the session down immediately.
Indirect Link Failure
[Diagram: Router 1 (AS 1, Fast0/1 1.1.1.1) and Router 2 (AS 2, Fast0/1 1.1.1.2) connected through a switch (ports 0/2 and 0/4); Router 1 also peers with A in AS 3 and Router 2 with B in AS 4; Router 1 originates 7.7.7.0/24.]
  Router 1:                              Router 2:
  router bgp 1                           router bgp 2
   neighbor 1.1.1.2 remote-as 2           neighbor 1.1.1.1 remote-as 1
   neighbor a.a.a.a remote-as 3           neighbor b.b.b.b remote-as 4
   network 7.7.7.0 mask 255.255.255.0
• The previous two solutions will not work here: if switch port 0/2 fails, Router 2’s own interface stays up and its connected route to 1.1.1.0/24 stays in the table, so neither fall-over variant sees anything change.
• Router 2 continues to use the path through Router 1 (for 7.7.7.0/24 and everything else learned from it) until the hold timer expires.
BFD…yes, it is a Big, Fantastic Deal!!
» BFD = Bidirectional Forwarding Detection (RFC 5880)
» Runs over UDP (control packets on port 3784, echo packets on port 3785, multihop control on port 4784) and relies on CEF for forwarding.
» A BFD session is set up between BFD peers.
» Sub-second failover using lightweight BFD/UDP “pings”.
» Originally designed for directly connected peers.
» Not just for BGP: OSPF, EIGRP, IS-IS and static routes can all register as BFD clients.

BFD Echo and Control Packets
» BFD can utilize two types of packets:
• Echo
• Control
» Control packets are mandatory and are processed by the peer’s CPU.
» Echo packets are optional (on by default on IOS).
• Echo packets are not processed by the peer’s CPU; they simply test the peer’s forwarding path.
• Echo packets carry the sender’s own address as both source and destination, so the peer just forwards them back through CEF.
BFD Basic Configuration
» Initial BFD timers are configured on the physical interface; echo mode is on by default.
• Router(config-if)#bfd interval 100 min_rx 200 multiplier 3
» interval 100: “I would like to transmit BFD packets every 100 ms.”
» min_rx 200: “The fastest I can process incoming BFD packets is every 200 ms, so please don’t send them any faster.”
» multiplier 3: “Declare me dead after 3 packets in a row go missing.”
» Negotiation: if YOUR min_rx is GREATER than my interval, I respect your value and slow my transmissions down to it. Each side declares the other dead after the other’s multiplier times the interval at which the other actually transmits.
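The negotiation described above, written out as an added Python example (not the slides’ or Cisco’s code) using the asynchronous-mode rules of RFC 5880 section 6.8: a system sends no faster than the peer’s min_rx, and each side’s detection time is the peer’s multiplier times the interval the peer actually transmits at. The command parser accepts the IOS bfd interval line shown on the slide; the function names are this example’s own. Echo-mode timing on a particular platform can differ from this control-plane arithmetic.

```python
import re

_BFD_IF_CMD = re.compile(r"bfd\s+interval\s+(\d+)\s+min_rx\s+(\d+)\s+multiplier\s+(\d+)")


def parse_bfd_interface_cmd(cmd):
    """Map an IOS 'bfd interval X min_rx Y multiplier Z' line onto the RFC 5880 names:
    interval = Desired Min TX Interval, min_rx = Required Min RX Interval, multiplier = Detect Mult."""
    m = _BFD_IF_CMD.search(cmd)
    if not m:
        raise ValueError("not a bfd interval command: %r" % cmd)
    tx, rx, mult = (int(x) for x in m.groups())
    if tx <= 0 or rx <= 0 or mult <= 0:
        raise ValueError("BFD timers and multiplier must be positive")
    return {"desired_min_tx": tx, "required_min_rx": rx, "multiplier": mult}


def negotiate_bfd(local, remote):
    """Asynchronous-mode negotiation per RFC 5880 section 6.8.
    A system transmits no faster than max(its own Desired Min TX, the peer's Required Min RX), and it
    declares the peer down after (peer's Detect Mult) x (the interval the peer actually transmits at).
    Returns (our transmit interval, our detection time for the peer) in milliseconds."""
    our_tx = max(local["desired_min_tx"], remote["required_min_rx"])
    their_tx = max(remote["desired_min_tx"], local["required_min_rx"])
    our_detection_time = remote["multiplier"] * their_tx
    return our_tx, our_detection_time


def failover_comparison(local_cmd, remote_cmd, bgp_hold_time_s=180):
    """Side-by-side of the failure-detection time BFD gives each router versus the BGP hold timer."""
    local, remote = parse_bfd_interface_cmd(local_cmd), parse_bfd_interface_cmd(remote_cmd)
    l_tx, l_detect = negotiate_bfd(local, remote)
    r_tx, r_detect = negotiate_bfd(remote, local)
    return {"local_tx_ms": l_tx, "local_detects_peer_loss_ms": l_detect,
            "remote_tx_ms": r_tx, "remote_detects_peer_loss_ms": r_detect,
            "bgp_hold_timer_ms": bgp_hold_time_s * 1000}


if __name__ == "__main__":
    # The slide's example: both sides 'bfd interval 100 min_rx 200 multiplier 3'.
    print(failover_comparison("bfd interval 100 min_rx 200 multiplier 3",
                              "bfd interval 100 min_rx 200 multiplier 3"))
    # Asymmetric timers: the slower receiver wins, and each side's detection time uses the peer's multiplier.
    print(failover_comparison("bfd interval 100 min_rx 100 multiplier 3",
                              "bfd interval 50 min_rx 300 multiplier 5"))
```

With the slide’s values on both sides each router ends up transmitting every 200 ms (its own 100 ms wish is overruled by the peer’s min_rx 200) and declares the peer dead after 600 ms, against 180 000 ms for the default BGP hold timer.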
Indirect Link Failure with BFD
[Diagram: the same switched topology: Router 1 (AS 1, Fast0/1 1.1.1.1) and Router 2 (AS 2, Fast0/1 1.1.1.2) through switch ports 0/2 and 0/4, A in AS 3, B in AS 4, 7.7.7.0/24 behind Router 1.]
  Router 1:
  interface FastEthernet0/1
   ip address 1.1.1.1 255.255.255.252
   bfd interval 100 min_rx 100 multiplier 3
  !
  router bgp 1
   neighbor 1.1.1.2 remote-as 2
   neighbor 1.1.1.2 fall-over bfd
   neighbor a.a.a.a remote-as 3
   network 7.7.7.0 mask 255.255.255.0

  Router 2:
  interface FastEthernet0/1
   ip address 1.1.1.2 255.255.255.252
   bfd interval 100 min_rx 100 multiplier 3
  !
  router bgp 2
   neighbor 1.1.1.1 remote-as 1
   neighbor 1.1.1.1 fall-over bfd
   neighbor b.b.b.b remote-as 4
Indirect Link Failure with BFD (1)
[Diagram: Router 1 (AS 1, Loop0 11.11.11.11/32, Fast0/1 1.1.1.1, link 1.3.1.1 toward A) and Router 2 (AS 2, Loop0 22.22.22.22/32, Fast0/1 1.1.1.2, link 2.4.2.2 toward B) peer eBGP between their loopbacks across the switch; A is 1.3.1.3 in AS 3, B is 2.4.2.4 in AS 4; Router 1 originates 7.7.7.0/24.]
  Router 1:
  router bgp 1
   neighbor 22.22.22.22 remote-as 2
   neighbor 22.22.22.22 ebgp-multihop
   neighbor 22.22.22.22 update-source loopback0
   neighbor 1.3.1.3 remote-as 3
   network 7.7.7.0 mask 255.255.255.0
  !
  ip route 22.22.22.22 255.255.255.255 1.1.1.2

  Router 2:
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 ebgp-multihop
   neighbor 11.11.11.11 update-source loopback0
   neighbor 2.4.2.4 remote-as 4
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
» Multihop peers can be reachable via several physical links.
» On which link should BFD be configured? Interface-level (single-hop) BFD is tied to one interface, which is the wrong fit for a loopback-to-loopback session.
Indirect Link Failure with BFD (2)
[Diagram: the same loopback-to-loopback eBGP topology.]
  Router 1:
  bfd-template multi-hop BGP
   interval min-tx 200 min-rx 200 multiplier 3
  !
  bfd map ipv4 22.22.22.22/32 0.0.0.0/0 BGP
  !
  router bgp 1
   neighbor 22.22.22.22 remote-as 2
   neighbor 22.22.22.22 ebgp-multihop
   neighbor 22.22.22.22 update-source loopback0
   neighbor 22.22.22.22 fall-over bfd multi-hop
   neighbor 1.3.1.3 remote-as 3
   network 7.7.7.0 mask 255.255.255.0
  !
  ip route 22.22.22.22 255.255.255.255 1.1.1.2

  Router 2:
  bfd-template multi-hop BGP
   interval min-tx 200 min-rx 200 multiplier 3
  !
  bfd map ipv4 11.11.11.11/32 0.0.0.0/0 BGP
  !
  router bgp 2
   neighbor 11.11.11.11 remote-as 1
   neighbor 11.11.11.11 ebgp-multihop
   neighbor 11.11.11.11 update-source loopback0
   neighbor 11.11.11.11 fall-over bfd multi-hop
   neighbor 2.4.2.4 remote-as 4
  !
  ip route 11.11.11.11 255.255.255.255 1.1.1.1
» The bfd map ties the multihop template to the session by destination (the peer’s loopback) and source prefix, so the BFD session follows whatever path the routing table uses instead of one interface.
Quiz!!!
Given the configurations shown above, answer these questions:
1. How often will Router-1 receive BFD Echo packets from Router-2? ____________
2. How long will it take for Router-2 to tear down the BGP peering session with Router-1 when port 0/2 on the switch goes down? ____________

Answer
1. How often will Router-1 receive BFD Echo packets from Router-2? Every 300 ms.
2. How long will it take for Router-2 to tear down the BGP peering session with Router-1 when port 0/2 on the switch goes down? After roughly 900 ms.
Quiz!!!
[Diagram: ISP-B routers 1, 2 and 3 linked through their Fast0/0 interfaces and running EIGRP AS 100; Loop0 11.11.11.11/32 on Router 1 and 33.33.33.33/32 on Router 3; iBGP peerings between the loopbacks (Router 1 to Router 2, Router 2 to Router 3, Router 1 to Router 3). Router 1 also holds a default route 0.0.0.0/0 via Rtr-X learned from EIGRP. ISP-A attaches at Router 1 and ISP-C at Router 3; X and Y are corporate intranet routers.]
Which of the features that we’ve learned about in this series would quickly tear down the iBGP peering between Router-1 and Router-3 if FastEthernet0/0 on Router-1 went down, WITHOUT consuming any additional bandwidth on any of the links shown here?

Answer
[Diagram: the same ISP-B topology.]
BGP Fast Peering Session Deactivation with Next-Hop Address Tracking: neighbor fall-over with a route-map that permits only the peer’s host route, so the default route via Rtr-X does not keep the session up, and unlike shorter timers or BFD it sends no extra packets.
Q&A

Copyright © www.ine.com All rights reserved.